unknowndevice64 - Vulnhub VM Challenge


tl;dr

  • Steghide
  • Restricted Shell

Solved by: 47Suriya

The IP of the target machine is found using the Netdiscover tool.

[Image: Netdiscover output]

The IP of the machine is 192.168.29.203.

Initial Analysis

First, the Nmap scanner is used to find all the open ports and services.

┌──(kali㉿kali)-[~]
└─$ nmap -sV -p- -T4 -A 192.168.29.203
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-11 02:02 EDT
Nmap scan report for 192.168.29.203
Host is up (0.0013s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
1337/tcp open ssh OpenSSH 7.7 (protocol 2.0)
| ssh-hostkey:
| 2048 b9:af:04:6d:f1:8c:59:3a:d6:e1:96:b7:f7:fc:57:83 (RSA)
| 256 12:68:4c:6b:96:1e:51:59:32:8a:3d:41:0d:55:6b:d2 (ECDSA)
|_ 256 da:3e:28:52:30:72:7a:dd:c3:fb:89:7e:54:f4:bb:fb (ED25519)
31337/tcp open http SimpleHTTPServer 0.6 (Python 2.7.14)
|_http-server-header: SimpleHTTP/0.6 Python/2.7.14
|_http-title: Website By Unknowndevice64

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.66 seconds

This scan reveals that ports 1337 and 31337 are open: an SSH service is running on port 1337 and an HTTP server on port 31337.
Let's take a look at the HTTP page hosted on port 31337:

[Image: http page on port 31337]

On this page the word h1dd3n is highlighted, so it might be hinting at something. Let's inspect the page source and take a closer look:

[Image: page source]

There is something interesting in this source: Key_is_h1dd3n.jpg might be an image on this server. Let's try to fetch it by appending the image name to the URL:

[Image: Key_is_h1dd3n.jpg]

It is an image saying "hidden secrets", which hints that the image might contain something more. Let's download it and extract the information.

Steghide is used to extract the hidden content of the image. It asks for a passphrase; the key h1dd3n found earlier in the page source is used.

[Image: steghide extraction]

[Image: steghide result]

The extracted file contained some kind of encoded text. After some searching, it turned out to be a Brainf*ck program, so it is decoded with an online decoder:

[Image: Brainf*ck decoder output]

This reveals data that look like a username and a password:

Username:ud64
Password:1M!64@ud
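The decoding step above can also be done offline. The interpreter below is an added example (not part of the original writeup); the sample program is a constructed stand-in (the classic "Hello World!") for the program steghide actually recovered, which is not reproduced on this page.

```python
def match_brackets(code):
    """Pre-compute matching [ ] positions; raises on unbalanced brackets."""
    pairs, stack = {}, []
    for pos, ch in enumerate(code):
        if ch == "[":
            stack.append(pos)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {pos}")
            start = stack.pop()
            pairs[start], pairs[pos] = pos, start
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")
    return pairs

def run_brainfuck(code, max_steps=1_000_000):
    """Run a Brainf*ck program on a 30000-cell tape of 8-bit wrapping cells
    and return its output; max_steps stops a program that never terminates."""
    # Anything that is not one of the eight commands is a comment and is dropped.
    code = "".join(c for c in code if c in "<>+-.,[]")
    jumps = match_brackets(code)
    tape, ptr, pc, out = [0] * 30000, 0, 0, []
    for _ in range(max_steps):
        if pc >= len(code):
            return "".join(out)
        op = code[pc]
        if op == ">":
            ptr += 1  # running off the tape end raises IndexError on next access
        elif op == "<":
            ptr -= 1
            if ptr < 0:
                raise IndexError("pointer moved left of cell 0")
        elif op == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif op == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif op == ".":
            out.append(chr(tape[ptr]))
        elif op == ",":
            tape[ptr] = 0  # an offline decoder has no stdin: read EOF as 0
        elif op == "[" and tape[ptr] == 0:
            pc = jumps[pc]  # skip the loop body
        elif op == "]" and tape[ptr] != 0:
            pc = jumps[pc]  # jump back to the matching [
        pc += 1
    raise RuntimeError("step limit exceeded; program did not terminate")

# Constructed sample: the classic "Hello World!" program, standing in for the one steghide recovered.
SAMPLE_PROGRAM = "++++++++[>++++[>++>+++>+++>+<<<<-]>+>+>->>+[<]<-]>>.>---.+++++++..+++.>>.<-.<.+++.------.--------.>>+.>++."
DECODED = run_brainfuck(SAMPLE_PROGRAM)  # "Hello World!\n"
```

Paste the text extracted by steghide in place of SAMPLE_PROGRAM to recover the credentials locally.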

As there was an SSH service running on port 1337, let’s try to login using these credentials.

[Image: SSH login]

Yes! It worked. After logging in, the shell turns out to be a restricted bash shell.

To list the commands available in this shell, Tab is pressed twice.

[Image: available commands]

Among them is vi (the Vim editor), which can be used to spawn a normal bash shell. Let's try that:

[Image: vim escape]

After escaping the restricted shell, /bin/bash and /usr/bin are exported into the environment variables so that Linux commands execute properly.

[Image: export of environment variables]

A normal shell is spawned.

Privilege Escalation

Now, the sudo privileges of the current user are checked using sudo -l.

[Image: sudo -l output]

So sysud64 can be run as root, which should be usable to get a root shell. Running it as root returned an error, though.

[Image: sysud64 error]

As suggested by the error message, -h is added:

[Image: sysud64 -h output]

This reveals that sysud64 is actually the strace command. After some searching about strace, a command was found that might be very useful:

[Image: strace command]

strace -o /dev/null /bin/sh

So sysud64 is used in place of strace, run with sudo, to spawn a root shell.

[Image: root shell]

Finally! Root access is granted, so it's time to see what's in the flag. The flag should be located in the /root directory.

[Image: flag]

The challenge is now complete!