Hi all, Let’s pwn it!
You can find the machine here: Super Mario Host
Enumeration/Reconnaissance
Let’s start always with nmap.
When we visit the site, we get the default nginx page.
Let’s run gobuster on it.
/vhosts has a virtual host file.
ServerName mario.supermariohost.local is the domain, so let’s add it to /etc/hosts.
Perfect, now if we browse the website with the domain name we can see a different page.
Let’s run gobuster on it.
I did some enumeration on them and the only things I found useful are the usernames mario and luigi; we can try SSH brute force with them.
We should first craft a wordlist using john; I’ll use the Wordlist rule on the two usernames.
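From the defender’s side, this attack leaves a clear trail in sshd’s log. The following is an added example, not code from the original post: it parses constructed auth.log lines (sample usernames, IPs and timestamps are assumptions) and flags a source IP that racks up repeated failures in a short window, noting any account that then logged in successfully from the same IP.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log lines (assumption: not from the original post).
SAMPLE_LOG = """\
Apr  3 10:00:01 supermariohost sshd[2101]: Failed password for luigi from 192.0.2.10 port 50110 ssh2
Apr  3 10:00:03 supermariohost sshd[2103]: Failed password for mario from 192.0.2.10 port 50112 ssh2
Apr  3 10:00:05 supermariohost sshd[2105]: Failed password for luigi from 192.0.2.10 port 50114 ssh2
Apr  3 10:00:07 supermariohost sshd[2107]: Failed password for mario from 192.0.2.10 port 50116 ssh2
Apr  3 10:00:09 supermariohost sshd[2109]: Failed password for luigi from 192.0.2.10 port 50118 ssh2
Apr  3 10:00:11 supermariohost sshd[2111]: Accepted password for luigi from 192.0.2.10 port 50120 ssh2
Apr  3 10:30:00 supermariohost sshd[2301]: Failed password for mario from 198.51.100.7 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def parse_line(line, year=2024):
    """Return (timestamp, result, user, ip) for an sshd auth line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(log_text, threshold=4, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed logins inside `window`.
    Also records which users later logged in successfully from that IP."""
    failures, successes = defaultdict(list), defaultdict(list)  # ip -> [(ts, user)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ts, result, user, ip = rec
            (failures if result == "Failed" else successes)[ip].append((ts, user))
    alerts = {}
    for ip, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            burst = [user for ts, user in events[i:] if ts - start <= window]
            if len(burst) >= threshold:
                later_ok = sorted({user for ts, user in successes[ip] if ts >= start})
                alerts[ip] = {"users": sorted(set(burst)), "failures": len(burst),
                              "success_after": later_ok}
                break
    return alerts
```

A single failure from a different IP half an hour later stays below the threshold, so only the bursting source is reported; the "success_after" field is what turns a noisy alert into an account-compromise alert.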
SSH brute force - Shell as luigi - Bypassing limited shell
Let’s log in!
We’re in a limited shell.
Let’s check which commands we can run.
We can abuse awk to open a normal bash/sh shell.
Kernel privilege escalation
After a lot of enumeration, I found nothing. I usually avoid exploiting old kernel versions, but on this box it’s the only way to gain a root shell. So let’s check the kernel version.
Because it’s an old box, we can see it uses a really old kernel. Let’s search for possible exploits with searchsploit.
This seems perfect, let’s download it on the target box and compile it.
Cracking .zip & grab the flag
Now the challenge isn’t over: under the /root directory we can see a .zip file.
Probably we have to crack it and grab the flag, so let’s move it to /var/www/html so we can download it.
On our box now:
We have to crack it; I’ll use fcrackzip.
Awesome box! It brings back a lot of memories.