HackMyVM-Twisted

ARZ101
Jan 12, 2021

NMAP

Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-12 09:38 PKT
Nmap scan report for 192.168.1.66
Host is up (0.00018s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Site doesn't have a title (text/html).
2222/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 67:63:a0:c9:8b:7a:f3:42:ac:49:ab:a6:a7:3f:fc:ee (RSA)
| 256 8c:ce:87:47:f8:b8:1a:1a:78:e5:b7:ce:74:d7:f5:db (ECDSA)
|_ 256 92:94:66:0b:92:d3:cf:7e:ff:e8:bf:3c:7b:41:b7:5a (ED25519)
MAC Address: 08:00:27:72:46:36 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.92 seconds

PORT 80

On the web page we see two images, with a hint that one of them is different, so this means there is some steganography involved.

I ran stegcracker on both of the image files and got two messages.

Then, with the message from those files, I was able to log in through SSH.

In markus's directory we see a note which tells us about bonita's SSH private key.

But we couldn't read the file because of its permissions. Going to the web directory, we find a gogo.wav file, so let's download it to our machine and analyze it!

The file was Morse code, so I uploaded it to an online Morse code analyzer, and it was a rabbit hole.

So the only option left for me was to run linpeas.

I found that there was a capability set on tail, which works like a SUID bit. So we cannot read the id_rsa that we found for bonita directly, but we can read it through the tail command. Tail prints the last ten lines of a file by default, so we need to tell it to print the last 30 or 40 lines to get the whole id_rsa key.
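
The capability finding above can be turned into a host audit. The following is an added example, not part of the original writeup: it parses `getcap -r` output and flags capabilities that bypass file permissions or allow identity changes. The sample lines, including the capability name shown for tail, are constructed (the writeup does not say which capability was set), and the list of risky capabilities is a starting point rather than a complete one.

```shell
#!/bin/sh
# Added example: flag file capabilities that behave like SUID.
# Input is `getcap -r` output; both libcap output formats are handled:
#   older: "/path = cap_x+ep"     newer (libcap >= 2.41): "/path cap_x=ep"

flag_risky_caps() {
  while IFS= read -r line; do
    case "$line" in
      *" = "*)   path=${line%% = *};   caps=${line#* = } ;;
      *" cap_"*) path=${line%% cap_*}; caps="cap_${line#* cap_}" ;;
      *) continue ;;                       # not a capability line
    esac
    for clause in $caps; do                # one clause looks like "cap_a,cap_b+ep"
      case "$clause" in
        *[+=]*[ep]*)                       # effective or permitted set; "+i" alone is skipped
          names=${clause%%[+=]*}
          for name in $(printf '%s' "$names" | tr ',' ' '); do
            case "$name" in
              cap_dac_read_search|cap_dac_override|cap_setuid|cap_setgid|\
              cap_sys_admin|cap_sys_ptrace|cap_fowner|cap_chown)
                printf '%s\t%s\n' "$path" "$name" ;;
            esac
          done ;;
      esac
    done
  done
  return 0
}

# Constructed sample input (not taken from the target machine).
sample_getcap_output() {
  cat <<'EOF'
/usr/bin/ping = cap_net_raw+ep
/usr/bin/tail = cap_dac_read_search+ep
/usr/bin/python3.9 cap_setuid,cap_net_bind_service=ep
/usr/bin/gnome-keyring-daemon cap_ipc_lock=ep
/opt/tool = cap_dac_override+i
EOF
}

sample_getcap_output | flag_risky_caps
# On a real host: getcap -r / 2>/dev/null | flag_risky_caps
```

Any general-purpose file reader or interpreter that shows up in the output should have the capability removed with `setcap -r <path>` unless there is a documented need for it.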

Using id_rsa, I logged in as bonita.

There is a SUID binary, but when we run it, it says WRONG CODE, so let's transfer it to our machine and analyze the binary.

Using Ghidra, I saw that it compares a variable with the hex value 0x16f8.

Convert the hex value to a decimal value.
