CK: 00 Vulnhub Walkthrough

CK: 00 Vulnhub Walkthrough | CK: 00 Vulnhub Writeup

In this article, we will go through a walkthrough of an interesting Vulnhub machine called CK: 00. This VM was made by Vishal Biswas and is hosted on Vulnhub. You can download it here.

Description

Goal: Your goal will be to get the highest-privileged user and collect the flag.

Network Scanning

First, we run netdiscover to find our target IP.


In my case, the target IP is 192.168.1.14. Our next step is to perform an Nmap aggressive scan.


I open the target IP in the browser and we see an error, so I copy the VM IP and create a virtual host entry CK in the /etc/hosts file.


Refresh the page again and we see the default WordPress template.


I try common passwords on the WordPress login, and I successfully log in to the administrator account using the username admin and the password admin.

We now have the WordPress login username and password, so without wasting time I ran msfconsole and loaded the wp_admin_shell_upload exploit.


I ran the shell command to get a shell environment and we see a blank shell, so let's spawn a shell with python3 using this command

We found our flag in the home directory of the user CK.


I move on to the Apache server's public directory, where we see the WordPress wp-config.php. I read the file and we see the target database username and password.


Privilege Escalation

I try the MySQL database password for every user, and we successfully log in as the user bla using the database password.

Privilege Escalation scp

We have the user bla's password, so I ran the sudo -l command and we see that our current user can run the scp command without user bla1's password.

I had already generated an SSH key on our local machine using the ssh-keygen command. I upload our SSH public key id_rsa.pub as authorized_keys to the user bla1 /home/.ssh/authorized_keys directory using this command

In the terminal we see that our key is uploaded successfully. I exit our shell and connect over SSH as user bla1 without a password.

Privilege Escalation rbash

Again I run the sudo -l command and we see that the /bin/rbash command can be run as the user CK-00 without asking for the CK-00 password.


After executing the rbash command, many of our commands are restricted. There are many ways to escape restricted shells; I ran the sh command and the bash command and bypassed the restricted shell.

Privilege Escalation dd

Again I run the sudo -l command and finally we see that our user CK-00 can run the dd command without being asked for the root password.

I generate an MD5 salted password for our new user Rahul.

Using the cat command we view the /etc/passwd file, copy the file text and create a new passwd file in the CK home directory, using the cat >> append method to paste our passwd.

I have already created a passwd file in the CK user's home directory, and our next step is to overwrite the /etc/passwd file with our new passwd file using this command

Our new user Rahul and password are pasted successfully into the /etc/passwd file. We confirm the username and password entry in the passwd file using the tail command.
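Seen from the defender's side, the three sudo -l results above (scp, /bin/rbash, dd, each without a password) are the misconfiguration that links bla to root. The following is an added example, not part of the original walkthrough: a Python check that flags NOPASSWD sudoers rules for those three binaries. The sudoers lines, the scp and dd paths, the run-as targets and the function name `audit_sudoers` are constructed for illustration.

```python
import re

# Binaries the walkthrough escalates through, and why each is risky under sudo.
RISKY = {
    "scp": "can write files as the target user, e.g. ~/.ssh/authorized_keys",
    "rbash": "restricted shell that is left by simply starting sh or bash",
    "dd": "can overwrite any file the target user can write, e.g. /etc/passwd",
}

# user host = (runas) TAG: cmd[, cmd...]   (runas and tags are optional)
RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+?)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)

def audit_sudoers(text):
    """Return (user, runas, binary, reason) for each risky NOPASSWD rule."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or line.startswith("Defaults"):
            continue
        m = RULE.match(line)
        if not m or "NOPASSWD" not in m.group("tags"):
            continue  # rules that still ask for a password are not flagged
        runas = (m.group("runas") or "root").split(":")[0].strip()
        for cmd in m.group("cmds").split(","):
            parts = cmd.split()
            if not parts:
                continue
            binary = parts[0].rsplit("/", 1)[-1]  # basename of the command
            if binary in RISKY:
                findings.append((m.group("user"), runas, binary, RISKY[binary]))
    return findings

# Constructed sudoers content modelled on the chain described in this article.
SAMPLE = """\
Defaults env_reset
bla    ALL=(bla1)  NOPASSWD: /usr/bin/scp
bla1   ALL=(ck-00) NOPASSWD: /bin/rbash
ck-00  ALL=(root)  NOPASSWD: /bin/dd
backup ALL=(root)  /bin/dd
ops    ALL=(root)  NOPASSWD: /usr/bin/systemctl status apache2
"""

if __name__ == "__main__":
    for user, runas, binary, reason in audit_sudoers(SAMPLE):
        print(f"{user} -> {runas}: NOPASSWD {binary} ({reason})")
```

Removing any one of the three flagged rules, or requiring a password for it, breaks the escalation path described in this article.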

Root Flag