Walkthrough HackMyVm - Quick3

Here I will make a writeup of the Quick3 machine on the HackMyVm platform. It is rated easy; if you are interested, you can find it at the link here. Let's start.

Reconnaissance

As always, the first thing I do is port scanning. Rustscan found two open ports: SSH (22) and HTTP (80).

$ rustscan -a 192.168.1.45 -- -A -sC -sV
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan

[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.1.45:22
Open 192.168.1.45:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 2e7a1f1757446f7ff9ceaba14fcdc719 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPw/57IwrzzYv7y9g3oCqiCqUmaOBmmLJyZE1iWqMH79gcziH5n9oWXErHh4nMVOw/99WYvN+v8vhFWfUK9pAsI=
|   256 937ed6c9035ba1ee1d54d0f0270f13eb (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILHIfODTU2kHh2eDs9+Y+WWGaX2WZC5Vx/V4NY0LTBAs
80/tcp open  http    syn-ack Apache httpd 2.4.52 ((Ubuntu))
| http-methods: 
|_  Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Quick Automative - Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Website

The website itself is only a default template, but the Make Appointment section redirects us to http://192.168.1.45/customer/.

Web Exploitation

Next, the /customer/ path offers login and register features, so we can register first. While testing the registration form, I found a stored cross-site scripting (XSS) vulnerability in the Name field.

This confirms that the web application is vulnerable to stored XSS: the payload submitted in the Name field is saved and rendered again on later page views.

Back to the first step: after registering and logging in, the application offers several features, namely user profile, dashboard, car information, and contact.

The car information section has three features: view cars, a form to add cars, and delete cars. The Add Car form is vulnerable to stored XSS as well.

The Contact section has no usable functionality; it only lists the users of the Quick Automative company together with their personal information: role, name, email, and phone number.

The user profile section has features such as invoice (disabled), personal information, and change password. If we pay attention to the URL, there is an id parameter whose value is the user's number. Changing the id value to 1 lets us see another user's information, which means the application is vulnerable to IDOR: the server trusts the id supplied in the request instead of checking that it belongs to the logged-in user.

If you don't know what IDOR (Insecure Direct Object Reference) is, you can read about it here.
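From the defender's side, the id walk described above leaves a very recognisable trace in the web server's access log: one client requesting the same path with many distinct id values in a short time. The following script is an added example, not part of the original writeup, that flags that pattern in Apache combined-log lines; the path /customer/profile.php, the client addresses and the log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse, parse_qs

# Apache combined-log prefix: client, identd, user, [timestamp], "request", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return the fields the detector needs, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("url"))
    ids = parse_qs(url.query).get("id")
    return {"ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "path": url.path,
            "id": ids[0] if ids else None}

def find_id_walks(lines, threshold=10, window=timedelta(minutes=5)):
    """Map (ip, path) -> peak number of distinct id values seen within one window."""
    seen = defaultdict(list)  # (ip, path) -> [(ts, id)]
    for line in lines:
        rec = parse_line(line)
        if rec and rec["id"] is not None:
            seen[(rec["ip"], rec["path"])].append((rec["ts"], rec["id"]))
    hits = {}
    for key, events in seen.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # window anchored at each event
            ids = {v for t, v in events[i:] if t - start <= window}
            if len(ids) >= threshold:
                hits[key] = max(hits.get(key, 0), len(ids))
    return hits

def constructed_log():
    """Constructed sample: one client walking id=0..50 in 51 seconds, one user viewing only its own id."""
    base = datetime(2024, 2, 21, 3, 50, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(51):
        t = (base + timedelta(seconds=i)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(f'192.168.1.10 - - [{t}] "GET /customer/profile.php?id={i} HTTP/1.1" 200 1532')
    for s in ("03:51:00", "03:52:00"):
        lines.append(f'192.168.1.20 - - [21/Feb/2024:{s} +0000] '
                     '"GET /customer/profile.php?id=7 HTTP/1.1" 200 1532')
    return lines
```

Running `find_id_walks(constructed_log())` reports only the enumerating client with 51 distinct ids; a user who repeatedly opens their own profile never trips the threshold.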

Next, in the change password section, we can read the user's current password by viewing the page source of the password form: the field is pre-filled with the plaintext password. This means the application exposes sensitive data in its page source on the password change page.

At this point I looked for other vulnerabilities but found only these three:

  1. Stored XSS in the Name form and the Add Car feature.
  2. IDOR on the id parameter.
  3. Insecure handling of the password on the change password page (the current password is embedded in the page source).

Back to the IDOR: since the id parameter can be changed freely and the change password page reveals each user's password, we can enumerate every user and collect username and password pairs to use against the SSH service.

Here I used the Intruder feature in Burp Suite to iterate over the value of the id parameter with the number range 0-50.

After collecting the users and passwords, I split them into two files, user.txt and pass.txt, and used hydra to brute-force the SSH service on the target.

$ hydra -L user.txt -P pass.txt 192.168.1.45 ssh
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-02-21 03:57:04
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 2880 login tries (l:90/p:32), ~180 tries per task
[DATA] attacking ssh://192.168.1.45:22/
[STATUS] 270.00 tries/min, 270 tries in 00:01h, 2612 to do in 00:10h, 14 active
[22][ssh] host: 192.168.1.45   login: mike   password: 6G3UCx6aH6UYvJ6m
[STATUS] 278.67 tries/min, 836 tries in 00:03h, 2046 to do in 00:08h, 14 active
[STATUS] 272.57 tries/min, 1908 tries in 00:07h, 974 to do in 00:04h, 14 active
1 of 1 target successfully completed, 1 valid password found

After a few minutes, hydra found valid SSH credentials for the user mike.
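Hydra's run above (16 parallel tasks, a few hundred tries per minute) is just as visible in the target's auth.log. This added example, not part of the original writeup, counts sshd password failures per source IP in a sliding window and, more usefully, reports a successful login from an IP that has just crossed the threshold, which is the signal that a spray actually worked; the hostname quick3, the user list and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd lines as written to /var/log/auth.log (syslog format carries no year).
FAILED_RE = re.compile(r'^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for '
                       r'(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)')
ACCEPT_RE = re.compile(r'^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: Accepted password for '
                       r'(?P<user>\S+) from (?P<ip>\S+)')

def _ts(s, year=2024):
    """Syslog timestamps lack a year; the caller supplies it (assumed 2024 here)."""
    return datetime.strptime(f"{year} {s}", "%Y %b %d %H:%M:%S")

def analyze_auth_log(lines, threshold=20, window=timedelta(minutes=2)):
    """Sliding-window failure count per source IP; a success from an IP that
    already crossed the threshold is reported as a probable compromise."""
    fails = defaultdict(deque)   # ip -> failure timestamps still inside the window
    bursts = {}                  # ip -> peak failures seen inside one window
    compromised = []             # (ip, user) for logins that followed a burst
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ip, ts = m.group("ip"), _ts(m.group("ts"))
            q = fails[ip]
            q.append(ts)
            while ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                bursts[ip] = max(bursts.get(ip, 0), len(q))
            continue
        m = ACCEPT_RE.match(line)
        if m and m.group("ip") in bursts:
            compromised.append((m.group("ip"), m.group("user")))
    return {"bursts": bursts, "compromised": compromised}

def constructed_auth_log():
    """Constructed sample: a 30-attempt spray from one IP ending in a valid login,
    then a single mistyped password from another IP (hostname quick3 is made up)."""
    users = ["admin", "mike", "sarah", "root"]
    lines = [f"Feb 21 03:57:{i:02d} quick3 sshd[{1000 + i}]: Failed password for "
             f"{users[i % 4]} from 192.168.1.10 port {40000 + i} ssh2" for i in range(30)]
    lines.append("Feb 21 03:57:31 quick3 sshd[1031]: Accepted password for mike from 192.168.1.10 port 40031 ssh2")
    lines.append("Feb 21 04:10:00 quick3 sshd[1100]: Failed password for mike from 192.168.1.20 port 50000 ssh2")
    lines.append("Feb 21 04:10:05 quick3 sshd[1101]: Accepted password for mike from 192.168.1.20 port 50001 ssh2")
    return lines
```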

Privilege Escalation

And I can grab user.txt.

For the next stage, the user mike cannot run sudo because he has no sudo permissions, so we look for low-hanging fruit to escalate privileges to root.

I found credentials for the MySQL service in the config.php file. When I tried logging in as the root user with the same credentials, they worked. This is a password reuse vulnerability: the database password is also the root password.

Rooted!
