In this article we are going to solve another boot2root challenge, Sahu, available on VulnHub. This is a beginner-level box and requires good enumeration skills!
We can download this machine from VulnHub.
The first step is to find the IP address of the target machine using the command: netdiscover -i wlan0
The next step is to check for open ports using the command: nmap -A 192.168.43.95
As we can see, anonymous login is allowed on the FTP server, so without wasting our time we log in anonymously using the credentials
username: anonymous
We found a zip file and downloaded it to our local machine using the get command, but when we try to open this zip file it prompts us for a password, which means we need to explore the other ports as well to find it, so we decided to browse the HTTP service.
We found an image on the main page. This image may have some hidden content, so we downloaded it to our local machine and tried to extract the hidden content using steghide.
Again we need a password. Okay, now we have a zip file and an image to crack. So we decided to run dirb for directory bruteforcing.
We decided to open this directory but got stuck with a message here. Now, if we look carefully at the image we downloaded, there is a word written on it: "HARYANA". So here we make a guess that there may be a directory like /H/A/R/Y/A/N/A.
Now if we check the source code of this page, we find a comment that says: #try to extract with hurrry
So we used this password to unzip the zip file but failed. Next we used it to extract the hidden file from the image using steghide.
We found a file that says the password of the zip file is 5AHU**, but we don't know the last two characters of the password, so we use the crunch tool to generate a wordlist of all the possible combinations, from which we found the right one, using the command: crunch 6 6 -t 5AHU^% -o /root/sahupass
(Use fcrackzip to crack the password of the zip file with the wordlist /root/sahupass.)
Now we use the password 5AHU#5 to extract the contents of ftp.zip, and we find a new file named ftp.txt that gives us the credentials of the user sahu.
Now we tried these credentials to connect to SSH, but failed. If we go back, ports 139 and 445 are also open, so we decided to mount the Samba share on our local system in the directory /tmp. But before that we run the command smbmap -H 192.168.43.95 to check for SMB shares.
Now we can mount it easily using the command: mount -t cifs //192.168.43.95/sambashare /tmp -o username=sahu,password=sahu14216
Now we have a username and password that can be used to connect to SSH as the user haryana.
After doing basic privilege escalation checks we failed to find anything useful, but after spending some time with the box we found that /etc/passwd is writable. So we decided to create a root user entry for /etc/passwd, generating the password hash with the command: openssl passwd -1 -salt haclabs haclabs123
Here the password is haclabs123 and the username is haclabs. Now we edit the /etc/passwd file as:
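The escalation above works only because /etc/passwd is writable and accepts a second UID 0 entry carrying an MD5-crypt hash inline. As an added example that is not part of the original walkthrough, here is a small POSIX sh audit that flags exactly those conditions on a passwd-format file; the function names audit_passwd and make_sample_passwd, the finding labels and the sample entries (including the placeholder hash) are my own, and the permission test assumes the standard ls -l column layout.

```sh
#!/bin/sh
# Added audit script (not from the walkthrough). Reports, one line each,
# the three conditions the escalation above depends on:
#   WRITABLE    - group or other write bit set on the passwd file
#   UID0        - an account other than root with UID 0
#   INLINE_HASH - a password hash kept in field 2 instead of /etc/shadow
# Always exits 0; count the output lines to get the number of findings.
audit_passwd() {
    file="${1:-/etc/passwd}"

    # ls -l column 6 is the group write bit, column 9 the other write bit.
    perms=$(ls -l "$file" | cut -c1-10)
    case "$perms" in
        ?????w????|????????w?)
            echo "WRITABLE: $file is $perms (group/other write bit set)" ;;
    esac

    # Any second UID 0 entry is a root-equivalent account.
    for u in $(awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$file"); do
        echo "UID0: extra superuser account '$u'"
    done

    # "x", "*", "" and "!"/"!!" are the only legitimate values for field 2;
    # anything else (e.g. the output of openssl passwd -1) is an inline hash.
    for u in $(awk -F: '$2 != "x" && $2 != "*" && $2 != "" && $2 !~ /^!+$/ { print $1 }' "$file"); do
        echo "INLINE_HASH: account '$u' keeps its hash in $file"
    done
    return 0
}

# Constructed sample, not a file from the box: a clean passwd with one
# injected root-equivalent entry (the hash is a placeholder, not a real one).
make_sample_passwd() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
sahu:x:1000:1000::/home/sahu:/bin/bash
haclabs:$1$haclabs$PLACEHOLDERHASH:0:0::/root:/bin/bash
EOF
    chmod 666 "$dir/passwd"   # reproduce the writable-file misconfiguration
    echo "$dir/passwd"
}
```

Run audit_passwd /etc/passwd on a host; empty output means none of the three conditions hold, while a WRITABLE line alone is already the precondition this box is built on.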