breakout vulnhub walkthrough

In the above screenshot, we can see that we used the echo command to append the host to the /etc/hosts file. First, let us save the key into a file. We have to identify a different way to upload the command execution shell. As a hint, it is mentioned that this is a straightforward box, and we need to follow the hints while solving this CTF. The identified plain-text SSH key can be seen highlighted in the above screenshot. You play Trinity, trying to investigate a computer on . Command used: << wget http://192.168.1.15/~secret/.mysecret.txt >>. I simply copy the public key from my .ssh/ directory to authorized_keys. After running the downloaded virtual machine in VirtualBox, the machine will automatically be assigned an IP address from the network DHCP. Running sudo -l reveals that the file /var/fristigod/.secret_admin_stuff/doCom can be run as ALL under user fristi. The machine can be downloaded from https://download.vulnhub.com/empire/02-Breakout.zip. command to identify the target machine's IP address. Please note: I have used Oracle VirtualBox to run the downloaded machine for all of these machines. There is a default utility known as enum4linux in Kali Linux that can be helpful for this task. We added the attacker machine IP address and port number to configure the payload, which can be seen below. BOOM! We opened the case.wav file in the folder and found the below alphanumeric string. So, it is very important to conduct the full port scan during a pentest or while solving a CTF. The hint mentions an image file that has been mistakenly added to the target application. As the content is in ASCII form, we can simply open the file and read its contents. We have to boot to its root and get the flag in order to complete the challenge. So let us open this directory in the browser as follows: As seen in the above screenshot, we found a hint that says the SSH private key is hidden somewhere in this directory.
sudo nmap -v -T4 -A -p- -oN nmap.log 192.168.19.130 Nmap scan result We used the su command to switch to kira and provided the identified password. Command used: << netdiscover >> The Usermin interface allows server access. First, we need to identify the IP of this machine. Let's look out there. The hint can be seen highlighted in the following screenshot. We identified a few files and directories with the help of the scan. And below is the flag of fristileaks_secrets.txt captured, which showed our victory. (Remember, the goal is to find three keys.) Command used: << hydra -L user -P pass 192.168.1.16 ssh >>. Trying directory brute force using gobuster. However, we have already identified a way to read any file, so let us use the tar utility to read the pass file. The Dirb scan generated some useful results. Let's use netdiscover to identify the same. The capability cap_dac_read_search allows reading any file. Just above this string there was also a message by eezeepz. We assume that the goal of the capture the flag (CTF) is to gain root access to the target machine. The flag file named user.txt is given in the previous image. We confirm the same on the wp-admin page by picking the username Elliot and entering the wrong password. WordPress then reveals that the username Elliot does exist. We are going to exploit the driftingblues1 machine of VulnHub. However, the scan could not provide any CMS-related vulnerabilities. I am using Kali Linux as an attacker machine for solving this CTF. We tried to write the PHP command execution code in the PHP file, but the changes could not be updated as they showed some errors. WPScan is one of the most popular vulnerability scanners for identifying vulnerabilities in WordPress applications, and it is available in Kali Linux by default.
We started enumerating the web application and found an interesting hint hidden in the HTML source code. Until now, we have enumerated the SSH key by using the fuzzing technique. By default, Nmap scans only the 1024 known ports. Let us start the CTF by exploring the HTTP port. Please try to understand each step and take notes.
Before executing the uploaded shell, I opened a listener on the attacking box, and as soon as the image was opened/executed, we got our low-privilege shell back. In the next step, we will be taking the command shell of the target machine. Infosec, part of Cengage Group 2023 Infosec Institute, Inc. So, we continued exploring the target machine by checking various files and folders for some hint or loophole in the system. The IP address was visible on the welcome screen of the virtual machine. I am using Kali Linux as an attacker machine for solving this CTF. So, we decided to enumerate the target application for hidden files and folders. This contains information related to the networking state of the machine. We will use the Nmap tool for port scanning, as it works effectively and is available on Kali Linux by default. There are other things we can also do, like chmod 777 -R /root, to make root directly available to all. Let us try to decrypt the string by using an online decryption tool. After completing the scan, we identified one file that returned a 200 response from the server. Enumerating HTTP port 80 with the Dirb utility, taking the Python reverse shell and user privilege escalation. However, for this machine it looks like the IP is displayed in the banner itself. So, following the same methodology as in the Kioptrix VMs, let's start Nmap enumeration. Trying with username eezeepz and the password discovered above, I was able to log in and was then redirected to an image upload directory. Lastly, I logged into the root shell using the password. This machine works on VirtualBox. This was my first VM by whitecr0wz, and it was a fun one. The comment can be seen below. Let us open each file one by one in the browser. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets.
Note: The target machine IP address may be different in your case, as the network DHCP is assigning it. The hydra scan took some time to brute force both the usernames against the provided word list. We got the password shown below. It's that time again when we challenge our skills in an effort to learn something new daily, and VulnHub has provided yet again. I tried to directly upload the PHP backdoor shell, but it looks like there is a filter to check for extensions. We have WordPress admin access, so let us explore the features to find any vulnerable use case. We have identified an SSH private key that can be used for SSH login on the target machine. On the home page of port 80, we see a default Apache page. The VM isn't too difficult. Port 80 is being used for the HTTP service, and port 22 is being used for the SSH service. Download the Fristileaks VM from the above link and provision it as a VM. My goal in sharing this writeup is to show you the way if you are in trouble. The target machine's IP address can be seen in the following screenshot. After logging into the target machine, we started information gathering about the installed operating system and kernel, which can be seen below. So, let us open the file in the browser. Vulnhub - Driftingblues 1 - Walkthrough - Writeup. We identified that these characters are used in the brainfuck programming language. First, we need to identify the IP of this machine. We got one of the keys! To fix this, I had to restart the machine. So, it is very important to conduct the full port scan during a pentest or while solving a CTF. There was a login page available for the Usermin admin panel.
Post-exploitation, always enumerate all the directories under the logged-in user to find interesting files and information. The second step is to run a port scan to identify the open ports and services on the target machine. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets. This is fairly easy to root and doesn't involve many techniques. If you understand the risks, please download! First, we need to identify the IP of this machine. This means that we do not need a password to root. We have to boot to its root and get the flag in order to complete the challenge. Nevertheless, we have a binary that can read any file. We downloaded the file on our attacker machine using the wget command. The web-based tool identified the encoding as Base58. The web-based tool also has a decoder for Base58, so we selected the decoder to convert the string into plain text. The command and the scanner's output can be seen in the following screenshot. This could be a username on the target machine or a password string. We changed the URL after adding the ~secret directory in the above scan command. Note: The target machine IP address may be different in your case, as the network DHCP assigns it. When we opened the target machine IP address in the browser, the website could not be loaded correctly. Note: For all of these machines, I have used VMware Workstation to provision VMs. As we can see above, it's only readable by the root user. Navigating to the eezeepz user directory, we can see another notes.txt, and its content is listed below.