Hermoso

Hermoso is a medium boot2root machine created by one of the crew, Choo, during the MCC2022 event.

Check him out!

Saturday, 3 December, 2022 7:43 PM

First, we run an Nmap scan for open ports and find: port 21 (ftp), port 22 (ssh), port 53 (dns), port 80 (http), port 139 (smb), port 445 (smb)

smbclient -L //hermoso.local/ lists the shares, and we find a share named "secret"

smbclient //hermoso.local/secret connects to it

Port 80 serves a web login; notice that the software application's version is also shown there

A Google search for that version turns up an exploit; we fill in the target details accordingly

Executing the exploit successfully creates a PHP web shell that takes commands through a "cmd" parameter

We send a URL-encoded bash reverse-shell one-liner through it and open a listener to catch the reverse shell

Navigating around, we find a username "chris" and a password in the "wp-config.php.bak" file.

We ssh in as chris with that password and get the user flag.

Listing what chris can run with sudo shows that he/she can run a script called "CopySSHKey" as sudo.

addkey()

  1. The variable tmp holds a randomly named temporary file path of the form /ssh-*

  2. touch $tmp creates the tmp file

  3. Then the predefined SSH key is echoed into the tmp file

  4. checkfile() checks the file for errors

  5. Finally, the file's contents are echoed into root's authorized_keys

This means that if we echo our own public key into that file, we can use the matching private key to log in

We generate our own SSH key pair and copy the public key

So we echo our key into whichever randomly named ssh-* file the script creates

Script is available at my github : https://github.com/J4CKMEISTER/Tools/blob/main/hermoso2root.sh

Then we run it in the background before running the sudo script

Then we run the sudo script

And we check our SSH access

Note: The first attempt might not work because our script is slower than ./script.sh, so we run the script again

Unintended way: kernel exploit does not work
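The weakness the steps above rely on is a temp file with a guessable ssh-* name in a shared directory, created with touch (which quietly reuses a file that already exists) and then copied wholesale into root's authorized_keys. As an added example, not the CopySSHKey script from the box and not code from my repo, the bash below reconstructs that shape next to a hardened version that stages under a root-only directory, uses mktemp, validates the file before trusting it, and appends only the intended key. All paths, the key strings, the function names and the use of GNU stat -c are assumptions made for this demo; it runs unprivileged inside a throwaway directory.

```shell
#!/usr/bin/env bash
# Added example for this writeup, not the CopySSHKey script from the machine:
# a reconstruction of the temp-file pattern described in addkey(), next to a
# hardened version. Paths and keys are constructed stand-ins so this runs
# unprivileged in a throwaway directory. Assumes GNU stat (-c).

SANDBOX=$(mktemp -d)
AUTH_KEYS="$SANDBOX/root_authorized_keys"   # stand-in for /root/.ssh/authorized_keys
SHARED="$SANDBOX/shared"                    # stand-in for a world-writable dir such as /tmp
PRIVATE="$SANDBOX/private"                  # stand-in for a root-only staging dir
mkdir -p "$SHARED" "$PRIVATE"
chmod 1777 "$SHARED"
chmod 700 "$PRIVATE"
# Constructed key material, not a real key.
PUBKEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDEMODEMODEMODEMODEMODEMODEMODEMODEMODEMO admin@constructed"

# Vulnerable shape (steps 1-5 of addkey()): a guessable ssh-<suffix> name in a
# shared directory, touch that silently reuses a pre-existing file, then the
# file's entire contents are appended to root's authorized_keys. $1 stands in
# for the script's weak random suffix so the behaviour is reproducible here.
addkey_vulnerable() {
    local tmp="$SHARED/ssh-$1"
    touch "$tmp"
    echo "$PUBKEY" >> "$tmp"
    cat "$tmp" >> "$AUTH_KEYS"
    rm -f "$tmp"
}

# Checks a hardened script should make before trusting a staging file:
# not a symlink, a regular file, owned by the caller, mode 0600, no extra
# hard links. Returns 0 when all hold, 1 otherwise.
check_staging_file() {
    local f="$1"
    [ ! -L "$f" ] || return 1
    [ -f "$f" ] || return 1
    [ "$(stat -c '%u' "$f")" = "$(id -u)" ] || return 1
    [ "$(stat -c '%a' "$f")" = "600" ] || return 1
    [ "$(stat -c '%h' "$f")" = "1" ] || return 1
    return 0
}

# Hardened version: unpredictable name created atomically by mktemp under a
# directory only the privileged user can write, 0600 from the start, validated
# before and after the write, and only the exact intended key is appended
# rather than "whatever the file contains". A pre-planted ssh-* file in $SHARED
# is never consulted. (The simplest fix is to not stage through a file at all;
# the temp file is kept here only to mirror the original's shape.)
addkey_hardened() {
    local tmp
    tmp=$(umask 077; mktemp "$PRIVATE/ssh-XXXXXXXXXX") || return 1
    check_staging_file "$tmp" || { rm -f "$tmp"; return 1; }
    printf '%s\n' "$PUBKEY" > "$tmp"
    check_staging_file "$tmp" || { rm -f "$tmp"; return 1; }
    [ "$(cat "$tmp")" = "$PUBKEY" ] || { rm -f "$tmp"; return 1; }
    printf '%s\n' "$PUBKEY" >> "$AUTH_KEYS"
    rm -f "$tmp"
}

# Helper: number of lines currently in the stand-in authorized_keys file.
count_keys() {
    [ -f "$AUTH_KEYS" ] || { echo 0; return; }
    wc -l < "$AUTH_KEYS" | tr -d ' '
}

# Stand-alone demo: the hardened path adds exactly one line.
: > "$AUTH_KEYS"
addkey_hardened && echo "hardened: $(count_keys) key(s) in $AUTH_KEYS"
```

The check_staging_file function is what a defender would add to a sudo-runnable script of this kind, and the ownership, mode, symlink and link-count conditions are also the signals to look for when auditing other root scripts that stage data through /tmp.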
