Software used
Linux kali 4.19.0-kali1-amd64 #1 SMP Debian 4.19.13-1kali1 (2019-01-03) x86_64 GNU/Linux
Nmap 7.70
Firefox 60.4.0esr (64-bit)
DIRB V2.22
Steghide 0.5.1
Enumeration
Start with a ping sweep using the command nmap -sn 10.0.2.*

The target machine's IP address is 10.0.2.21. Next up, a full port scan using nmap -sV 10.0.2.21 -p-

This has revealed SSH running on port 1337 and a simple HTTP server running on port 31337.
In my browser I navigate to http://10.0.2.21:31337, bringing me to this page.

Running dirb http://10.0.2.21:31337 hasn’t brought up any interesting directories to look at and there doesn’t appear to be a robots.txt file.

Checking the source code reveals a comment:

Navigating to 10.0.2.21:31337/key_is_h1dd3n.jpg brings us to an image.

Downloading the image and running it through steghide (a steganography tool, not included with Kali Linux) with the command steghide --extract --stegofile key_is_h1dd3n.jpg should reveal any files hidden within the image. I was prompted for a password; I remembered h1dd3n being highlighted in red on the webpage, and trying this as the password turned out to be correct.

Opening the extracted text file h1dd3n.txt presents us with this:

This is text encoded in a language called brainfuck. A quick Google search finds a decoder, which provides the following:

ud64: 1M!#64@ud appears to be a username and password. I successfully log into SSH using these details with ssh ud64@10.0.2.21 -p 1337, using the password 1M!#64@ud when prompted.

Privilege Escalation
With access to the ud64 account I start enumerating; however, it very quickly becomes apparent that I have very limited access.

I use the command compgen -A function -cabk to find out what I can actually use.

This provides a fairly large list. I eventually use vi followed by :!/bin/bash
This provides me with a few more options. Using echo $PATH reveals that PATH is configured to run commands from /home/ud64/prog, and echo $SHELL confirms that rbash is the default shell.

First of all I need to escape this restrictive shell. Using the commands
export SHELL=/bin/bash and export PATH=/usr/bin should provide an environment that is less restricted, which should allow me to enumerate further.

The command sudo -l will list what I am allowed to run with root privileges. In this case I am presented with sysud64.

sysud64 -h | less gives a list of commands that we can use with sysud64. Interestingly, it is running strace, which is a tool used on Linux for debugging.

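Exiting our help for sysud64 by pressing q and using sudo sysud64 -o /dev/null /bin/bash grants us root permissions, because strace launches the program it is asked to trace and, under sudo, that program runs as root.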

From here it is a simple case of cd /root, ls -la, cat flag.txt

This was a fairly challenging machine to crack, particularly the privilege escalation phase, but what I learnt from it was well worth the time.