In this article, we will share another Vulnhub Machine Walkthrough is named Vegeta. This is a beginner, level machine. Our goal is to read the root flag it’s present in /root directory. You can download here this machine.
Network Scanning
Let’s start with finding our target IP address by using the netdiscover command.
Now we have our target IP address and our next step is scanning all ports and running services with the Nmap tool.
|
1 |
nmap -sV -O -p- 192.168.1.7 |
Enumeration
Since we see the Nmap scanning output our target machine port 80/HTTP is openly and running an apache HTTP server. Let’s open the target ip in the browser.
|
1 |
http://192.168.1.7 |
After reading the page source code and try the image file some steganography tools but we couldn’t found anything useful. Then we run the gobuster in dir ( directory brute force ) mode.
|
1 |
gobuster dir -w /usr/share/wordlists/dirb/big.txt --url http://192.168.1.7/ |
And gobuster discover useful URLs Let’s open the /robots.txt
|
1 |
http://192.168.1.7/robots.txt |
after we open the /find_me directory here we saw another .html URL let’s click the find_me.html
|
1 |
http://192.168.1.7/find_me/find_me.html |
Let’s check the source code of the page and we found base64 encode string we copy the string and double-time decode the string.
And again we saw the decoded output it looks like an image file let’s save the output as a jpeg file. And this image file is a barcode image file we decode the barcode jpeg file online barcode, reader.
and we got a topshellv hint it’s mean that password for b374k backdoor.
|
1 |
http://192.168.1.7/b374k.php |
After navigating the b374k.php URL we got a blank page let’s check the source code and here we found /bulma directory comment.
|
1 |
http://192.168.1.7/bulma/ |
We open the /bulma directory and we found an audio wave file. We decode the audio file morse code decoders.
Finally, we got an SSH login username and password
|
1 2 |
ssh trunks@192.168.1.7 id |
Privilege Escalation
Now we have trunks user shell we run the ls – ls /etc/passwd for checking the passwd file permission and our user trunks have read-write permission of the file
Using the OpenSSL we generate a new password and using the cat command we add our new root user in the passwd file
|
1 2 3 |
ls -ls /etc/passwd openssl passwd -1 -salt rahul mynewpassword cat >> /etc/passwd |
|
1 |
su rahul |
Now this time is escalate the privilege let’s run the su ( switch user ) command.
finally, we have the root shell target machine let’s move the /root directory and read the root flag.
|
1 2 3 |
cd /root ls cat root.txt |
Funbox Easy Vulnhub Walkthrough link
