Here I will make a writeup of the Helium machine on the HackMyVm platform. This is an easy-rated VM; if you are interested you can click the link here. Let's start.
As always, the first thing I do is port scanning. At this point rustscan finds two open TCP ports, SSH (22) and HTTP (80):
$ rustscan -a 192.168.1.61 -- -A -sC -sV
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.1.61:22
Open 192.168.1.61:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 12f6555fc6fafb1415ae4a2b38d84a30 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDShbr+Tk6ugvRpNAjWbMqxR1X555LbWq5IVZwq3wXDk+GwY+wauGLd/ntKyNRJF0aid5QaRZXFfhOvYFHbtpr2i2yW5CUIW/2aaVwiHXDKL1DXBXcawr0g1+iVWUEg49W5lBdSEIgqRtmJhBjcXLbEq1V5Fvy3BAP/leOy0ADwwpesjLht50MxE5D7jmZxDEiYavhyOxAcxko4Yp4xXtZ5CkcG741SOYCG6Y77UoFFP50h0oHtJ627+iNvqqWPEQaPNe+0rbJU4C1hkz8Y7OvOeeVaR9JhMg6KTBZTJRB9gC4dlXd9BSP5oOmtpYLitZA5EwYMWaqcwF7v+7S2MNan
| 256 b7ac876dc4f9e39ad46ee04fdaaa2220 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBCOR5F804dZn6AQsF4+t5s0JH2QPd12FYdNIAa9axn2k62dIRIvu/okOvmA0rg2HezQEf8boO6/f3Wf13V9ZDo=
| 256 fee805af234d3a822a649bf735e4444a (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKFVSupFLBXoYJXyGalYCoVSM7g60dhRbsmKL+eg+k7Z
80/tcp open http syn-ack nginx 1.14.2
| http-methods:
|_ Supported Methods: GET HEAD
|_http-title: RELAX
|_http-server-header: nginx/1.14.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.22 seconds
As we can see, there is no indication of a vulnerability on port 22, so we can focus on port 80.
Next I tried to search for hidden files and directories using feroxbuster and dirsearch but got no results. But when we look at the page source of the website, there are a few things we need to note: the name paul, the /upload_sound directory, bootstrap.min.css and the relax.wav file. If we access the /upload_sound directory there is a note "Upload disabled (or not).". I think this is just a rabbit hole because there are no signs of an upload form there.
Next, if we access the bootstrap.min.css endpoint, it is not a CSS file at all; instead we find the note "/yay/mysecretsound.wav" in it.
When we access http://192.168.1.61/yay/mysecretsound.wav the file mysecretsound.wav is downloaded automatically. Because it is a WAV file and, judging by the filename, probably hides something, we can assume this is a steganography challenge and we need to analyze the file.
When we open the WAV file in Audacity the sound that comes out is quite strange, so we switch to the spectrogram view in Audacity and find a word that was drawn into the audio:
dancingpassyo
Then we try to gain initial access over the SSH service by combining the username and the password we found earlier.
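To show what the spectrogram view is actually computing, here is an added Python example (not from the original writeup, and not Audacity's code). It builds a constructed WAV of four pure tones, slices it into 256-sample windows, finds the dominant frequency in each slice with a direct DFT and renders the result as a text spectrogram. The sample rate, window size and tone frequencies are assumptions chosen so each tone lands exactly on a DFT bin; the real mysecretsound.wav paints letters across many bins at once, which is why the message appears as an image rather than as one frequency per slice.

```python
import io
import math
import struct
import wave

RATE = 8000          # samples per second for the constructed clip (assumption)
WINDOW = 256         # samples per analysis slice; bin width = RATE / WINDOW = 31.25 Hz


def make_tone_wav(freqs_hz, samples_per_tone=3 * WINDOW, rate=RATE, amplitude=12000):
    """Constructed input: a mono 16-bit PCM WAV holding one sine tone per entry of freqs_hz."""
    frames = bytearray()
    for f in freqs_hz:
        for i in range(samples_per_tone):
            frames += struct.pack("<h", int(amplitude * math.sin(2 * math.pi * f * i / rate)))
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(bytes(frames))
    return buf.getvalue()


def read_pcm16(wav_bytes):
    """Decode a 16-bit PCM WAV; returns (rate, samples of the first channel only)."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        if w.getsampwidth() != 2:
            raise ValueError("only 16-bit PCM is handled here")
        rate, channels = w.getframerate(), w.getnchannels()
        raw = w.readframes(w.getnframes())
    samples = struct.unpack("<%dh" % (len(raw) // 2), raw)
    return rate, samples[::channels]


def dominant_bin(window):
    """Index of the DFT bin with the most energy (direct O(N^2) DFT; fine for 256-sample slices)."""
    n = len(window)
    best_k, best_power = 0, -1.0
    for k in range(1, n // 2):          # skip DC and the mirrored upper half
        re = im = 0.0
        for t, x in enumerate(window):
            angle = 2 * math.pi * k * t / n
            re += x * math.cos(angle)
            im -= x * math.sin(angle)
        power = re * re + im * im
        if power > best_power:
            best_k, best_power = k, power
    return best_k


def frequency_track(wav_bytes, window=WINDOW):
    """Dominant frequency in Hz of every full slice: the spine of a spectrogram."""
    rate, samples = read_pcm16(wav_bytes)
    track = []
    for start in range(0, len(samples) - window + 1, window):
        k = dominant_bin(samples[start:start + window])
        track.append(k * rate / window)
    return track


def collapse_runs(track, min_slices=2):
    """Merge consecutive slices at the same frequency; blips shorter than min_slices are dropped as noise."""
    runs = []
    for f in track:
        if runs and runs[-1][0] == f:
            runs[-1][1] += 1
        else:
            runs.append([f, 1])
    return [f for f, count in runs if count >= min_slices]


def ascii_spectrogram(track, bins=16, top_hz=RATE / 2):
    """One row per slice, one column per frequency band up to Nyquist; '#' marks the dominant band."""
    rows = []
    for f in track:
        col = min(int(f / top_hz * bins), bins - 1)
        rows.append("".join("#" if i == col else "." for i in range(bins)))
    return rows


if __name__ == "__main__":
    clip = make_tone_wav([500, 1000, 1500, 2000])   # constructed four-tone clip
    track = frequency_track(clip)
    print("\n".join(ascii_spectrogram(track)))
    print("tones:", collapse_runs(track))
```

Only the standard library is used, so this runs offline; for a real multi-minute recording you would swap the direct DFT for numpy's FFT and keep every bin's energy per slice rather than just the loudest one, which is exactly the image Audacity draws.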
$ ssh paul@192.168.1.61
paul@192.168.1.61's password:
Linux helium 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Nov 22 14:31:51 2020 from 192.168.1.58
paul@helium:~$ ls
user.txt
We have successfully logged in as paul. Next we need to escalate our privileges to the superuser. Usually the first thing to do is check whether the user has any sudo rights and list the permitted commands with the command sudo -l.
The output shows the binary /usr/bin/ln. We can use a resource that lists binaries which can be abused to gain root or otherwise higher access and look this one up.
Next, we just run the command.
And root was successfully obtained. Helium pwned!
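The misconfiguration that hands over root here is a sudo rule granting a file-manipulation binary as root. Below is an added Python example (not from the writeup) that audits sudoers-style lines and `sudo -l` output for that pattern: commands running as root that are ALL, that point at a file-creating binary such as /usr/bin/ln, or that carry a wildcard argument, with NOPASSWD recorded as an aggravating tag. The sample rules are constructed; only /usr/bin/ln comes from the page, and the set of flagged binaries is an assumption meant to be extended for your own environment.

```python
import re
from typing import Dict, List, Optional, Tuple

# Binaries whose job is to create or replace files anywhere on the filesystem. Granted
# via sudo as root they let the caller alter root-owned files; /usr/bin/ln is the one
# the Helium writeup found. Both paths are listed because Debian merges /bin into
# /usr/bin (assumption). Extend this set for your own environment.
FILE_WRITE_BINARIES = {"/bin/ln", "/usr/bin/ln"}

# sudoers lines that are not user specifications and are skipped by this audit
SKIP_PREFIXES = ("#", "Defaults", "User_Alias", "Runas_Alias", "Host_Alias",
                 "Cmnd_Alias", "@include", "@includedir")

# sudoers user specification:  user host = (runas) [TAG:] cmd, cmd ...
SUDOERS_RE = re.compile(
    r"^\s*(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<spec>.+?)\s*$")
# command line as printed by `sudo -l`:  (runas) [TAG:] cmd, cmd ...
SUDO_L_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<spec>.+?)\s*$")
TAG_RE = re.compile(r"^([A-Z]+):\s*")


def parse_rule(line: str) -> Optional[Tuple[str, str, List[str], List[str]]]:
    """Return (user, runas_user, tags, commands) for one rule line, or None if it is not a rule."""
    stripped = line.strip()
    if not stripped or stripped.startswith(SKIP_PREFIXES):
        return None
    m = SUDOERS_RE.match(line)
    user = m.group("user") if m else "(current user)"   # sudo -l output names no user per line
    if not m:
        m = SUDO_L_RE.match(line)
    if not m:
        return None
    # runas is written (user:group); an omitted runas means root, sudo's default
    runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
    spec = m.group("spec")
    tags = []
    while True:                         # leading tags such as NOPASSWD: or SETENV:
        t = TAG_RE.match(spec)
        if not t:
            break
        tags.append(t.group(1))
        spec = spec[t.end():]
    commands = [c.strip() for c in spec.split(",") if c.strip()]
    return user, runas, tags, commands


def audit(text: str) -> List[Dict[str, object]]:
    """Flag rules that let a non-root user run something dangerous as root."""
    findings = []
    for line in text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        user, runas, tags, commands = parsed
        if user == "root" or runas not in ("root", "ALL"):
            continue                    # root's own rules, and rules that never reach root, are out of scope
        for cmd in commands:
            binary = cmd.split()[0]
            reasons = []
            if cmd == "ALL":
                reasons.append("unrestricted root")
            elif binary in FILE_WRITE_BINARIES:
                reasons.append("file-writing binary as root")
            if "*" in cmd:
                reasons.append("wildcard in argument")
            if reasons and "NOPASSWD" in tags:
                reasons.append("no password required")
            if reasons:
                findings.append({"user": user, "command": cmd, "reasons": reasons, "rule": line.strip()})
    return findings


# Constructed samples (not taken from the Helium box): a sudoers fragment and `sudo -l` output
SAMPLE_SUDOERS = """\
# constructed /etc/sudoers fragment
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync -a /var/www/ /srv/backup/
paul    helium=(root) NOPASSWD: /usr/bin/ln
"""

SAMPLE_SUDO_L = """\
Matching Defaults entries for paul on helium:
    env_reset, mail_badpass

User paul may run the following commands on helium:
    (root) NOPASSWD: /usr/bin/ln
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_SUDOERS) + audit(SAMPLE_SUDO_L):
        print(f"{f['user']:>16}  {f['command']:<14} {', '.join(f['reasons'])}")
```

The `%sudo` rule is reported too, which is the intended behaviour: the audit tells you who can reach root, and the team decides which of those grants are acceptable. A narrow NOPASSWD rule on its own (the `backup` rsync line) is not reported, since password-less sudo is only a problem in combination with a command that can be turned into root access.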