Seppuku Vulnhub Walkthrough

Seppuku Vulnhub Walkthrough | Seppuku Vulnhub Writeup | Seppuku: 1 Vulnhub Walkthrough

Today we are solving another Vulnhub interested CTF Seppuku: 1 is make by SunCSR Team and in this CTF our goal is reading root flag in the /root directory.

Goal

Get the root shell i.e.(root@localhost:~#) and then obtain flag under /root).

Network Scanning

Always we start with network scanning first we scan our local network using nmap ping scan.

we discover our target IP address our next step is scanning all ports and service our target machine using nmap -sV ( service and version ) parameter and -p all ports scan.

nmap output is show target machine many ports and services running let’s enumerate theses services.

Enumeration

let’s open the target IP address in browser.

Seppuku Vulnhub Walkthrough | Seppuku Vulnhub Writeup | Seppuku: 1 Vulnhub Walkthrough

After navigating the target IP we see authentication popup window currently we haven’t any credentials we move the next step and run the gobuster different HTTP port 7601

Seppuku Vulnhub Walkthrough | Seppuku Vulnhub Writeup | Seppuku: 1 Vulnhub Walkthrough

our gobuster scanning is done and we discover two useful directory /keys and /secret let’s open the url in the browser

Seppuku Vulnhub Walkthrough | Seppuku Vulnhub Writeup | Seppuku: 1 Vulnhub Walkthrough

previous /keys directory we found an ssh private key without encrypted let’s open the second /secret directory

Seppuku Vulnhub Walkthrough | Seppuku Vulnhub Writeup | Seppuku: 1 Vulnhub Walkthrough

In this directory, we found another two useful files host-name and the second is password word-list let’s download the wordlist file our local machine.

now we have a password word-list and target machine host-name we try this word-list for brute-forcing the ssh password.

After a minute we discovered ssh credentials and we successfully login with seppuku user.

Seppuku Vulnhub Walkthrough | Seppuku Vulnhub Writeup | Seppuku: 1 Vulnhub Walkthrough

now we log in with seppuku user for enumeration we run the ls -lsa command listing every files and directory included hidden files and directory and we found a .passwd let’s open the file

For more enumeration we move back the directory but we fail here we see an error -rbash cd restricted command we can difference way to break the rbash shell but we are using python system command

since we found a .passwd file our seppuku user home directory we try to change our current user to samurai user using the .passwd file text as a samurai password.

Seppuku Vulnhub Walkthrough | Seppuku Vulnhub Writeup | Seppuku: 1 Vulnhub Walkthrough

again we see rbash restrict error again we bypass the rbash shell our previous python command for checking privilege escalation we run the sudo -l command and here we found script entry without the password .

Seppuku Vulnhub Walkthrough | Seppuku Vulnhub Writeup | Seppuku: 1 Vulnhub Walkthrough

but we haven’t write permission of the /tanto user home directory since we found an ssh private key let’s download the key our current user home directory and change the permission 600 only user can read-write the file. then we can try to log in with the tanto user.

Seppuku Vulnhub Walkthrough | Seppuku Vulnhub Writeup | Seppuku: 1 Vulnhub Walkthrough

Privilege Escalation

now we have read-write permission tanto user home directory first we create an .cgi_bin directory the we move the cgi directory using the cat command we create a simple bash file and adding full permission everyone read write execute the file.

we go back the previous user samurai the we run the privilege escalation command and we got root shell target machine.

Finally we complete the challenge by finding our root flag.

Seppuku Vulnhub Walkthrough | Seppuku Vulnhub Writeup | Seppuku: 1 Vulnhub Walkthrough
CengBox: 1 Vulnhub Walkthrough link