HackMyVM Number Walkthrough
by Vince, in Blog
Another cyber range appeared recently. It's similar to Vulnhub in that people upload VMs, you download them, and you get flags. There's a points system like TryHackMe and HackTheBox, which is a great way to gamify the environment. I was curious to play, so I downloaded Number.
The box does not have a description other than it states that it's a Medium level system.
We kick off with Nmap:
We find a web port. Enumerating with Nikto:
Then with GoBuster:
We find a login:
But after a few seconds of looking around, I feel like there's something missing. We check out /pin:
We capture a request in Burp and we send it to Intruder:
Using Sniper, we'll attempt to brute force the pin:
Using seq -w 0000 4444, I create a list of numbers for our brute force:
Adding in the error message:
After a few seconds (Burp Pro), we learn the pin is 4444:
We go back to the pin page and enter our pin:
That doesn't help us:
We move back to Sniper thinking that 4444 is our password:
I'm just using a subset of RockYou as my wordlist, I think it's 100k lines:
Entering the error message:
After a bit, we uncover the username: melon
Back to the login:
We are then presented with yet another form:
We enter an IP address but it only accepts numbers:
Just a quick sanity check:
It likes numbers, not decimal points. We can convert an IP to decimal:
I enter the decimal equivalent of my attacking machine:
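The form above rejects dots but accepts a plain integer, and the box then treats that integer as an IPv4 address. The following is an added example, not code from the original post, that shows the conversion in both directions with Python's standard `ipaddress` module and contrasts the "digits only" check with a stricter one that parses the value as a dotted quad and restricts it to an allowlisted network (the `10.0.0.0/8` allowlist and the sample addresses are constructed for illustration):

```python
import ipaddress

# Constructed example allowlist: the only network this form should be able to target.
ALLOWED_NET = ipaddress.IPv4Network("10.0.0.0/8")


def ip_to_decimal(ip: str) -> int:
    """Dotted quad -> 32-bit integer, e.g. 10.0.0.1 -> 167772161."""
    return int(ipaddress.IPv4Address(ip))


def decimal_to_ip(n: int) -> str:
    """32-bit integer -> dotted quad, e.g. 167772161 -> 10.0.0.1."""
    return str(ipaddress.IPv4Address(n))


def digits_only_check(value: str) -> bool:
    """The naive filter the walkthrough describes: dots are rejected, digits pass.
    It does not constrain *which* address is reached, only how it is spelled."""
    return value.isdigit()


def interpret_numeric_field(value: str) -> str:
    """What a backend does when it feeds the digits-only value to the network stack:
    the integer is just another spelling of an IPv4 address."""
    if not digits_only_check(value):
        raise ValueError("rejected by digits-only filter")
    return decimal_to_ip(int(value))


def strict_ip_check(value: str, allowed: ipaddress.IPv4Network = ALLOWED_NET) -> bool:
    """Hardened check: IPv4Address() on a str requires exactly four octets, so the
    integer form is refused, and the parsed address must fall inside the allowlist."""
    try:
        addr = ipaddress.IPv4Address(value)
    except ipaddress.AddressValueError:
        return False
    return addr in allowed


if __name__ == "__main__":
    for sample in ("10.0.0.1", "192.168.1.10"):
        n = ip_to_decimal(sample)
        print(f"{sample} -> {n} -> {decimal_to_ip(n)}")
        print(f"  digits-only accepts {n}: {digits_only_check(str(n))}"
              f" (backend sees {interpret_numeric_field(str(n))})")
        print(f"  strict check on {sample}: {strict_ip_check(sample)}")
        print(f"  strict check on {n}: {strict_ip_check(str(n))}")
```

The point for a defender is that `digits_only_check` is a format filter, not input validation: the backend still resolves the integer to an address it was never meant to reach. `strict_ip_check` fails closed on the integer spelling and on any dotted quad outside the allowlisted range.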
Since it's spawning a reverse shell, I setup tcpdump because I need to know which port:
When we hit submit, we see an inbound connection on the familiar 4444. We setup a handler:
After we submit again, we catch a shell. Once we clean it up, we move into the melon home directory and find:
When we cat flag.sh, we find:
This won't work for us since we're not the user melon. Since we're unable to SSH, I assume the password has to be simple.
You can read the flag at this point without the use of the script. Checking sudo privileges:
We elevate using hping3 and we only have one last thing to do: