HackMyVM Number Walkthrough

by Vince

Another cyber range appeared recently and it's similar to Vulnhub where people upload VMs, you download them, and get flags. There's a points system like TryHackMe and HackTheBox which is a great way to gamify the environment. I was curious to play and I downloaded Number.

The box does not have a description other than it states that it's a Medium level system.

We kick off with Nmap:

We find a web port.  Enumerating with Nikto:

Then with GoBuster:

We find a login:

But after a few seconds of looking around, I feel like there's something missing.  We check out /pin:

We capture a request in Burp and we send it to Intruder:

Using Sniper, we'll attempt to brute force the pin:

Using seq -w 0000 4444, I create a list of numbers for our brute force:

Adding in the error message:

After a few seconds (Burp Pro), we learn the pin is 4444:

We go back to the pin page and enter our pin:

That doesn't help us:

We move back to Sniper thinking that 4444 is our password:

I'm just using a subset of RockYou as my wordlist; I think it's 100k lines:

Entering the error message:

After a bit, we uncover the username:  melon

Back to the login:

We are then presented with yet another form:

We enter an IP address but it only accepts numbers:

Just a quick sanity check:

It likes numbers, not decimal points.  We can convert an IP to decimal:
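Why a digits-only check does not restrict where the server connects: every IPv4 address has a single 32-bit integer form. The Python below is an added example, not code from the box or from the original post. It shows the conversion in both directions, then a check that canonicalises the number and compares it to an allowlist. The addresses, the allowlist network and the function names are constructed for illustration, and digits_only_filter is an assumption about how the form validates input.

```python
import ipaddress

# Constructed allowlist of networks the application may connect to (assumption).
ALLOWED_NETS = [ipaddress.ip_network("10.10.0.0/24")]


def ip_to_decimal(dotted: str) -> int:
    """Dotted-quad IPv4 -> the single 32-bit integer naming the same host."""
    return int(ipaddress.IPv4Address(dotted))


def decimal_to_ip(value: str) -> ipaddress.IPv4Address:
    """Digits-only input -> canonical IPv4Address; ValueError if not valid."""
    if not value.isascii() or not value.isdigit():
        raise ValueError("not a decimal integer")
    number = int(value)
    if number > 0xFFFFFFFF:
        raise ValueError("exceeds 32 bits")
    return ipaddress.IPv4Address(number)


def digits_only_filter(value: str) -> bool:
    """Assumed form behaviour: digits pass, anything with a dot is rejected."""
    return value.isascii() and value.isdigit()


def destination_allowed(value: str) -> bool:
    """Hardened check: canonicalise first, then test against the allowlist."""
    try:
        addr = decimal_to_ip(value)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETS)


if __name__ == "__main__":
    # Constructed samples: one address outside the allowlist, one inside.
    for dotted in ("192.168.1.10", "10.10.0.5"):
        dec = str(ip_to_decimal(dotted))
        print(dotted, dec, digits_only_filter(dec), destination_allowed(dec))
```

The digits-only filter passes both sample values; only the canonicalise-then-allowlist check tells them apart.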

I enter the decimal equivalent of my attacking machine:

Since it's spawning a reverse shell, I set up tcpdump because I need to know which port:

When we hit submit, we see an inbound connection on the familiar 4444. We set up a handler:

After we submit again, we catch a shell. When we clean it up, we enter into the melon home directory and we find:

When we cat flag.sh, we find:

This won't work for us since we're not the user melon.  Since we're unable to SSH, I assume the password has to be simple. 

You can read the flag at this point without the use of the script.  Checking sudo privileges:

We elevate using hping3 and we only have one last thing to do: