HackMyVM Number Walkthrough

    Another cyber range appeared recently. It's similar to Vulnhub: people upload VMs, you download them, and go after the flags. There's a points system like TryHackMe and HackTheBox, which is a great way to gamify the environment. I was curious to play, so I downloaded Number.

    The box has no description other than a note that it's a Medium level system.

    We kick off with Nmap:

    We find a web port.  Enumerating with Nikto:

    Then with GoBuster:

    We find a login:

    But after a few seconds of looking around, I feel like there's something missing.  We check out /pin:

    We capture a request in Burp and we send it to Intruder:

    Using Sniper, we'll attempt to brute force the pin:

    Using seq -w 0000 4444, I create a list of numbers for our brute force:

    Adding in the error message:

    After a few seconds (Burp Pro), we learn the pin is 4444:

    We go back to the pin page and enter our pin:

    That doesn't help us:

    We move back to Sniper thinking that 4444 is our password:

    I'm just using a subset of RockYou as my wordlist; I think it's 100k lines:

    Entering the error message:

    After a bit, we uncover the username:  melon

    Back to the login:

    We are then presented with yet another form:

    We enter an IP address but it only accepts numbers:

    Just a quick sanity check:

    It likes numbers, not decimal points.  We can convert an IP to decimal:

    I enter the decimal equivalent of my attacking machine:
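    The IP-to-decimal conversion used above, as an added Python example that is not part of the original writeup. It converts both ways, and, from the defensive side, shows why a form that only checks for digits still lets a complete address through: a proper parser normalises the integer form back to the real address before any allowlist decision. The allowed network used in the check is an assumption for illustration.

```python
import ipaddress

def ip_to_decimal(dotted: str) -> int:
    """Dotted-quad IPv4 -> 32-bit integer (a*2^24 + b*2^16 + c*2^8 + d).

    Computed by hand here so the arithmetic is visible; ipaddress is used
    only to validate that the input really is four octets in 0..255.
    """
    octets = [int(o) for o in str(ipaddress.IPv4Address(dotted)).split(".")]
    value = 0
    for octet in octets:
        value = (value << 8) | octet
    return value

def decimal_to_ip(value: int) -> str:
    """32-bit integer -> dotted-quad IPv4; rejects values outside the range."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"{value} is not a valid 32-bit IPv4 value")
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def canonical_target(user_input: str) -> str:
    """Normalise either input form (dotted quad or plain integer) to dotted quad.

    A 'digits only' check, like the form on the box, accepts the integer form.
    ipaddress.IPv4Address() does NOT accept a digit string, so the integer
    form has to be converted explicitly or the address is never seen.
    """
    text = user_input.strip()
    if text.isdigit():
        return decimal_to_ip(int(text))
    return str(ipaddress.IPv4Address(text))

def is_allowed(user_input: str, allowed_network: str = "10.0.0.0/8") -> bool:
    """Allowlist decision made on the canonical address, not on the raw text.

    The default network is an assumed example value, not from the writeup.
    """
    try:
        addr = ipaddress.IPv4Address(canonical_target(user_input))
    except (ValueError, ipaddress.AddressValueError):
        return False
    return addr in ipaddress.IPv4Network(allowed_network)

if __name__ == "__main__":
    # Constructed sample: an attacker-style host outside the allowed range
    print(ip_to_decimal("192.168.1.1"))          # 3232235777
    print(canonical_target("3232235777"))        # 192.168.1.1
    print(is_allowed("3232235777"))              # False
```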

    Since the form spawns a reverse shell, I set up tcpdump because I need to know which port it will call back on:

    When we hit submit, we see an inbound connection on the familiar 4444. We set up a handler:

    After we submit again, we catch a shell. When we clean it up, we enter the melon home directory and find:

    When we cat flag.sh, we find:

    This won't work for us since we're not the user melon. Since we're unable to SSH in, I assume the password has to be simple.

    You can read the flag at this point without the use of the script.  Checking sudo privileges:

    We elevate using hping3, and we have only one last thing to do:

    © 2021 Seven Layer Networks, Inc. | All rights reserved.