StarWars Vulnhub Walkthrough

StarWars is a beginner-level virtual machine created by Sir Logic. This is another boot-to-root challenge. It’s available at VulnHub for penetration testing, and you can download it from here

Network Scanning

Let’s start with ARP scanning to discover our target IP address using the netdiscover command. There are many ARP scanning tools, but I always use Nmap and netdiscover.

Now that we have our target IP address, the next step is to scan the target machine with the Nmap tool to find its open ports and services.

As we can see from this output, two ports are open: 22 and 80. We have the 22/SSH service as well as an 80/HTTP service on the server.

Enumeration

We opened the host IP address in a web browser and saw two identical images and a comment ( Password you shall find ).

After reading the page source code, we found a base64 string, but it was not useful. Then I downloaded the image to our local system and started steganography analysis of the image file. I used different types of tools, but they didn’t give me the right output.

I was stuck here until I found a Ruby tool, zsteg ( detect stegano-hidden data in PNG & BMP ). You can download the tool using the command.

After extracting the hidden data from the image, we found a password, but we still need a username. For more details, I started enumerating port 80 again, and by checking the robots.txt file we found a directory, /r2d2

But there is nothing useful there. Using the cewl tool, I created a word-list by using the command.

I tried the wordlist for the SSH username. After spending one hour we couldn’t find any possible username, so I searched Google for ( StarWars wordlist ) and found a word-list (you can download it here: the wordlists link), then tried again with the new user list.

After 217 tries, hydra discovered a possible username and password, so now we try to log in to the SSH server.

Now I start enumerating the user directory, and I found a secret notes file. After reading note.txt, I see a hint: Anakin is a cewl kid.

I also found a group named anakin, and there are two users: Darth, skywalker

Again I ran the cewl tool to create a new word-list, created a usernames file using these commands, and started SSH brute-forcing again.

As we can see, we again found a valid username and password. I changed our current user by using the su ( switch user ) command, and again we found a secret note.txt file

After reading the note.txt file, we moved to the Darth home directory, and there I found a Python file. After reading the file, we see a message that this file is automatically run every minute, and the Anakin group has read-write permission on this file.

So I edited it, creating a netcat reverse shell by using these commands, but first we open a new console window and start a netcat listener on any port.

After a minute we got a reverse connection from the target machine, and our user changed from skywalker to Darth
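An added example (not part of the original walkthrough) of a check an administrator could run to catch the misconfiguration described above, a scheduled job whose script is writable by a group: it parses system-crontab lines and reports every referenced file that non-owners can modify. The user name svcuser and the job.py file are constructed for the demo.

```python
import os
import stat
import tempfile

def cron_commands(crontab_text):
    """Yield (user, argv) per job line: min hour dom mon dow user command."""
    for line in crontab_text.splitlines():
        fields = line.split(None, 6)
        # Skip blanks, comments, VAR=value lines and short forms such as @reboot.
        if len(fields) < 7 or fields[0].startswith("#") or "=" in fields[0]:
            continue
        # Whitespace split is enough to find path arguments; strip any quotes.
        yield fields[5], [a.strip("'\"") for a in fields[6].split()]

def weak_permissions(path):
    """List the ways a non-owner could change what runs at `path`."""
    reasons = []
    st = os.stat(path)
    if st.st_mode & stat.S_IWGRP:
        reasons.append(f"{path} is group-writable (gid {st.st_gid})")
    if st.st_mode & stat.S_IWOTH:
        reasons.append(f"{path} is world-writable")
    parent = os.stat(os.path.dirname(path))
    # A writable directory allows replacing the file unless the sticky bit is set.
    if parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH) and not parent.st_mode & stat.S_ISVTX:
        reasons.append(f"directory of {path} is writable by group or others")
    return reasons

def audit(crontab_text):
    """Map (job user, file) -> reasons for every absolute file path in a job."""
    findings = {}
    for user, argv in cron_commands(crontab_text):
        for arg in argv:
            if arg.startswith("/") and os.path.isfile(arg) and weak_permissions(arg):
                findings[(user, arg)] = weak_permissions(arg)
    return findings

def demo():
    """Constructed case: a per-minute job whose script is mode 0664."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "job.py")
        with open(script, "w") as fh:
            fh.write("print('tick')\n")
        os.chmod(script, 0o664)
        return audit(f"* * * * * svcuser python3 {script}\n")

if __name__ == "__main__":
    for (user, path), reasons in demo().items():
        print(f"job for {user}:", "; ".join(reasons))
```

A finding here means the job's script should be owned by the job's user and set to a mode without group or world write, such as 0644 or 0755.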

Privilege Escalation

Let’s run the sudo -l command to enumerate whether this user can run some application with root privileges and without a password. We found that the Darth user can run the Nmap command. I had already read about Nmap privilege escalation, so without wasting time I ran the privilege escalation commands one by one.

Now we have a root shell on the target machine. Let’s move to the root directory and read our final flag.
