mhz_cxf: c1f Walkthrough

mhz_cxf: c1f is a VM made by mhz_cyber & Zamba. It is a purposely built vulnerable lab intended for gaining experience in penetration testing. It is rated easy and is handy for brushing up your skills as a penetration tester. The VM can be downloaded from VulnHub.

mhz_cxf: c1f Description

A piece of cake machine. You will learn a little about enumeration/local enumeration, steganography.

Network Scanning

The first step of an attack is to identify the target. We scan our local network using the nmap ARP scan.

nmap -sn 172.20.10.1-255

Now we run the nmap aggressive scan using the -A parameter to gather information about the open ports and the services running on the target machine.

nmap -A 172.20.10.2

The nmap scan shows two open ports: port 80, which is the Apache HTTP service, and port 22, which tells us the OpenSSH service is also running on the target machine.

Enumeration

First, we open the target IP address in our browser and see the Apache2 Ubuntu default configuration overview page. This page tells us the target uses an Apache2 server.

http://172.20.10.2

Next we run a dirb scan to find files and directories. The output of the first scan isn't useful, so we run a more advanced scan that filters on extensions with -X .txt,.html,.php and switches the dirb wordlist from the default common.txt to big.txt.

dirb http://172.20.10.2 /usr/share/wordlists/dirb/big.txt -X .txt,.html,.php

We find two files. One is index.html, which is not going to be useful for us, and the other is notes.txt. Let's check out the notes.txt file.

http://172.20.10.2/notes.txt

The file contains a message with a new hint: remb.txt and remb2.txt. We open both files in our browser. The first file shows a message that looks like a username and password, and the second file does not exist on the server.

We scan all of the Apache2 server's files and directories with different tools and wordlists, but we don't find any login URL, and the nmap scan shows only two open ports: the Apache HTTP service and the SSH service.

We try these credentials against the SSH service, with user first_stage and password flagitifyoucan1234, and we successfully log in as first_stage.

ssh first_stage@172.20.10.2

We have an sh shell as first_stage, so we run the bash command to get a bash shell. We find our first flag, user.txt, in the current user's home directory.

bash
ls
cat user.txt

Let's enumerate further to get root access. We go up one directory to /home, where we find another user, mhz_c1f. Let's check out the files and directories in this user's home directory.

cd ..
ls
cd mhz_c1f/
cd Paintings/

We find a Paintings directory containing four image files. We can download the images to our local machine over SSH using scp.

scp first_stage@172.20.10.2:/home/mhz_c1f/Paintings/* .
ls

Steganography

Now we use the steghide tool to extract any hidden files from the images, and we find a useful file, remb2.txt. Opening it with the cat command shows another message and a user credential, mhz_c1f:[email protected]

steghide extract -sf spinning\ the\ wool.jpeg
cat remb2.txt

We can easily change our current user with the su (switch user) command, which gives us a shell as the mhz_c1f user. This user can run any command as the root user without being asked for the root password.

Let's jump to a superuser shell using the sudo (superuser do) command.

su mhz_c1f
id
sudo su

We now have a root shell. We go to the root user's home directory, /root, and find the final flag, .root.txt. Reading the root flag completes the challenge.

cd /root
ls
ls -lsa
cat .root.txt
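
Seen from the defender's side, the chain above started with two file exposures: a credential note served from the web root (remb.txt) and another user's files readable from the first account (the Paintings directory). The following is an added example, not part of the original walkthrough, of a heuristic audit for both; the function names, the name:secret line format and the sample tree are assumptions constructed for illustration.

```python
import re
import stat
import tempfile
from pathlib import Path

# Assumption: one "name:secret" pair per line; (?!//) skips URL schemes.
CRED_LINE = re.compile(r"^\s*([A-Za-z_][\w.-]{0,31}):(?!//)\S{6,}\s*$")
SERVED_EXT = {".txt", ".html", ".php"}  # extensions the dirb scan probed


def find_credential_lines(web_root):
    """Return (file, line number, account) per suspect line; never the secret."""
    hits = []
    for path in sorted(Path(web_root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SERVED_EXT:
            text = path.read_text(errors="replace")
            for lineno, line in enumerate(text.splitlines(), 1):
                if match := CRED_LINE.match(line):
                    rel = path.relative_to(web_root).as_posix()
                    hits.append((rel, lineno, match.group(1)))
    return hits


def other_readable(home_root):
    """Return files under home_root that any other local account can read."""
    return [p.relative_to(home_root).as_posix()
            for p in sorted(Path(home_root).rglob("*"))
            if p.is_file() and p.stat().st_mode & stat.S_IROTH]


def build_sample_tree(base):
    """Write constructed sample files that mirror the lab layout."""
    samples = {
        "html/notes.txt": ("remember remb.txt and remb2.txt\n", 0o644),
        "html/remb.txt": ("first_stage:EXAMPLE-PASSWORD\n", 0o644),
        "home/mhz_c1f/Paintings/a.jpeg": ("constructed", 0o644),
        "home/mhz_c1f/private.txt": ("constructed", 0o600),
    }
    for rel, (body, mode) in samples.items():
        path = Path(base, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
        path.chmod(mode)
    return Path(base, "html"), Path(base, "home")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        web, home = build_sample_tree(tmp)
        print(find_credential_lines(web), other_readable(home))
```

On a real host the two functions would be pointed at the web root and /home; the pattern is a heuristic and will also flag benign key:value lines, so each hit needs a manual look.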

About Rahul Gehlaut

Cyber Security Researcher, CTF Player. Tech Blog Writer.
