# Walkthrough HackMyVm - Quick3

![1](https://hackmd.io/_uploads/S11XWr7nT.png)

Here I will make a writeup of the Quick3 machine on the HackMyVm platform. This is an easy-rated VM; if you are interested you can click the link [**here**](https://hackmyvm.eu/machines/machine.php?vm=Quick3). Let's start.

### Reconnaissance

As always, the first thing I do is port scanning. At this point, `rustscan` finds two open ports: SSH (22) and HTTP (80).

```bash
$ rustscan -a 192.168.1.45 -- -A -sC -sV
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan

[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.1.45:22
Open 192.168.1.45:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 2e7a1f1757446f7ff9ceaba14fcdc719 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPw/57IwrzzYv7y9g3oCqiCqUmaOBmmLJyZE1iWqMH79gcziH5n9oWXErHh4nMVOw/99WYvN+v8vhFWfUK9pAsI=
|   256 937ed6c9035ba1ee1d54d0f0270f13eb (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILHIfODTU2kHh2eDs9+Y+WWGaX2WZC5Vx/V4NY0LTBAs
80/tcp open  http    syn-ack Apache httpd 2.4.52 ((Ubuntu))
| http-methods:
|_  Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Quick Automative - Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

### Website

![2_comp](https://hackmd.io/_uploads/r183MBQ3a.png)

The website only shows the default landing page, but if we look at the *Make Appointment* section we are redirected to http://192.168.1.45/customer/.

### Web Exploitation

![3](https://hackmd.io/_uploads/HJMK7rmha.png)

Next, in the `/customer/` path there are login and register features. We can try to register first. While testing, a stored cross-site scripting (XSS) vulnerability turned up in the *Name* form.

![4](https://hackmd.io/_uploads/Hyut4HQh6.png)

![5](https://hackmd.io/_uploads/SJw3Er736.png)

This indicates that the web service is vulnerable to stored cross-site scripting (XSS).

![6](https://hackmd.io/_uploads/rkEgIHX36.png)

Back to the first step: after registering and logging in, the web service offers several features such as user profile, dashboard, car information, and contact.

![7](https://hackmd.io/_uploads/SJZGwH7ha.png)

In the car information section there are three features: view cars, an input form to add cars, and delete cars. The `Add` car form has an XSS vulnerability as well.
![8](https://hackmd.io/_uploads/r16HvSmhT.png)

In the `Contact` section there are no features that can be used, only a list of users from the Quick Automative company together with their personal information: role, name, email, and phone number.

![9](https://hackmd.io/_uploads/SyAnKSQn6.png)

Then in the user profile section there are features such as invoice (disabled), personal information, and change password. If we pay attention to the URL, there is a parameter ***id*** whose value is the user number. If we change the ID value to 1, we can see another user's information. This indicates that the web service is vulnerable to IDOR. If you don't know what IDOR is, you can read about it [**here**](https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html).

![10](https://hackmd.io/_uploads/H1JL9SmnT.png)

Next, in the change password section, we can see the user's password by looking at the page source of the password form. This indicates that the web service has an insecure-source vulnerability in the password change section.

At this point I tried other vulnerabilities, but only found three, namely:

1. Stored XSS on the name form and the cars feature.
2. IDOR on the `id` parameter.
3. Insecure code on change password.

Back to the IDOR stage: we can enumerate and collect the username and password of every user, which we will then use to bruteforce the SSH service.

![11](https://hackmd.io/_uploads/HyEtTBXnp.png)

Here I use the Intruder feature in Burp Suite to bruteforce the value of the `id` parameter with a number range of 0-50.

![12](https://hackmd.io/_uploads/Bya_0Sm2a.png)

After the users and passwords were collected, I divided them into two parts, namely the `user.txt` and `pass.txt` files. Then I used the hydra tool to bruteforce the SSH service on the target.
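Before moving on to SSH, a defender-side note on the `id` enumeration just described: walking the parameter from 0 to 50 leaves a clear trace in the web server's access log. The Python below is an added example, not part of the original writeup, that parses Apache combined-log lines and flags any client that was served many distinct profile ids (a normal user views one). The `/customer/profile.php` path is an assumption, since the writeup only says the profile URL carries an `id` parameter, and the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache combined-log line; only the fields the detector needs are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Hypothetical path: the writeup only says the profile URL carries an `id` parameter.
PROFILE_PATH = "/customer/profile.php"


def parse_profile_request(line):
    """Return (client_ip, id, status) for a profile request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    if url.path != PROFILE_PATH:
        return None
    ids = parse_qs(url.query).get("id")
    if not ids:
        return None
    return m["ip"], ids[0], int(m["status"])


def find_id_enumeration(lines, threshold=5):
    """Map client IP -> sorted distinct ids, for clients that were served at
    least `threshold` different profile ids. Only 200 responses count, so
    probing of non-existent ids does not inflate the number."""
    served = defaultdict(set)
    for line in lines:
        rec = parse_profile_request(line)
        if rec is None:
            continue
        ip, obj_id, status = rec
        if status == 200:
            served[ip].add(obj_id)
    return {ip: sorted(ids, key=lambda s: (len(s), s))
            for ip, ids in served.items() if len(ids) >= threshold}


# Constructed sample: a legitimate client viewing its own profile twice, and one
# client walking id=0..8 the way an Intruder number range does (id=0 does not exist).
SAMPLE_LOG = [
    '192.168.1.20 - - [21/Feb/2024:03:40:01 +0000] "GET /customer/profile.php?id=7 HTTP/1.1" 200 2311 "-" "Mozilla/5.0"',
    '192.168.1.20 - - [21/Feb/2024:03:40:09 +0000] "GET /customer/profile.php?id=7 HTTP/1.1" 200 2311 "-" "Mozilla/5.0"',
] + [
    f'192.168.1.10 - - [21/Feb/2024:03:41:{i:02d} +0000] "GET /customer/profile.php?id={i} HTTP/1.1" '
    f'{404 if i == 0 else 200} 2300 "-" "Mozilla/5.0"'
    for i in range(9)
]
```

Running `find_id_enumeration(SAMPLE_LOG)` reports only `192.168.1.10`, with ids 1 through 8; the legitimate client, which repeatedly loads one profile, is not flagged.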
```bash
$ hydra -L user.txt -P pass.txt 192.168.1.45 ssh
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-02-21 03:57:04
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 2880 login tries (l:90/p:32), ~180 tries per task
[DATA] attacking ssh://192.168.1.45:22/
[STATUS] 270.00 tries/min, 270 tries in 00:01h, 2612 to do in 00:10h, 14 active
[22][ssh] host: 192.168.1.45   login: mike   password: 6G3UCx6aH6UYvJ6m
[STATUS] 278.67 tries/min, 836 tries in 00:03h, 2046 to do in 00:08h, 14 active
[STATUS] 272.57 tries/min, 1908 tries in 00:07h, 974 to do in 00:04h, 14 active
1 of 1 target successfully completed, 1 valid password found
```

After waiting a few moments, valid credentials were found for SSH access.

### Privilege Escalation

![image](https://hackmd.io/_uploads/H1tqb8Qhp.png)

And I can grab `user.txt`.

![image](https://hackmd.io/_uploads/Bk92l873a.png)

For the next stage, user `Mike` cannot run the sudo command because he does not have permission to execute it, so here we just go for the low-hanging fruit to escalate privileges to root.

![image](https://hackmd.io/_uploads/rkofG8Q2p.png)

I found the credentials to log in to the MySQL service in the config.php file, and when I tried them on the root user it turned out that the same credentials worked. This indicates a password reuse vulnerability.

![image](https://hackmd.io/_uploads/By_nGUX3p.png)

#### Rooted!

![giphy (1)](https://hackmd.io/_uploads/BJwl_vE2a.gif)
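As a closing defender-side note on the hydra run above: 2880 login attempts from one source at roughly 270 tries per minute is easy to spot in `auth.log`, and the interesting event is the accepted login that follows the burst. The Python below is an added example, not part of the original writeup, that reads sshd log lines, flags a source once it exceeds a failure threshold inside a sliding window, and separately alerts on any accepted login from a source that was already flagged. The hostname `quick3`, the client IPs and all log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd lines as written to auth.log (syslog timestamp, no year).
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2"
)


def detect_ssh_bruteforce(lines, max_failures=10, window=timedelta(seconds=60)):
    """Return alerts as (kind, source_ip, user). 'bruteforce' fires once when a
    source reaches max_failures failed logins inside the sliding window;
    'success-after-bruteforce' fires on every accepted login from such a source.
    Lines are expected in time order, as they appear in the log."""
    failures = defaultdict(deque)  # ip -> failure timestamps still inside the window
    flagged = set()
    alerts = []
    for line in lines:
        m = SSHD_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less; fine for deltas
        ip = m["ip"]
        if m["result"] == "Failed":
            q = failures[ip]
            q.append(ts)
            while ts - q[0] > window:  # drop failures that aged out of the window
                q.popleft()
            if len(q) >= max_failures and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, None))
        elif ip in flagged:
            alerts.append(("success-after-bruteforce", ip, m["user"]))
    return alerts


# Constructed sample: one mistyped password from a legitimate host, then a
# dictionary run from a single source that finally lands on mike's password.
USERS = ["alice", "bob", "mike"]
SAMPLE_AUTH_LOG = (
    ["Feb 21 03:55:30 quick3 sshd[1100]: Failed password for mike from 192.168.1.20 port 41002 ssh2"]
    + [
        f"Feb 21 03:57:{5 + i:02d} quick3 sshd[{1200 + i}]: Failed password for "
        f"{'' if USERS[i % 3] == 'mike' else 'invalid user '}{USERS[i % 3]} "
        f"from 192.168.1.10 port {50200 + i} ssh2"
        for i in range(12)
    ]
    + ["Feb 21 03:58:10 quick3 sshd[1290]: Accepted password for mike from 192.168.1.10 port 50290 ssh2"]
)
```

On the sample, `detect_ssh_bruteforce(SAMPLE_AUTH_LOG)` yields one `bruteforce` alert for `192.168.1.10` followed by a `success-after-bruteforce` alert naming `mike`; the single failure from `192.168.1.20` never reaches the threshold.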