Zeus:1 Vulnhub Walkthrough


Today we are going to take on another CTF challenge, Zeus:1. The credit for making this VM goes to “Vesile Revnic”. It is a boot2root challenge where we have to root the server and capture the flags to complete the challenge. You can download this VM here.

Security Level: Intermediate
Penetrating Methodology:
1. Scanning
   · NMAP
2. Enumeration
   · Dirb
3. Exploitation
   · Hydra
   · SSH
   · Jailkit
4. Privilege Escalation
   · Exploiting SUID rights

Walkthrough:

Scanning:
Let’s start off with the scanning process. This target VM has a static IP address set as 192.168.131.170, so we created a matching VM network and put our Kali machine on the same network.
Then, as usual, we used nmap for port and service enumeration.
nmap -A 192.168.131.170
The scan showed ports 21, 22 and 80 open on the target machine.



Enumeration:

As port 80 is open, we opened the IP address in our browser, but we didn’t find anything useful on the webpage.



We used dirb to bruteforce directories on the web server and found one directory named /telecom/.




So we tried to access the URL in the browser but didn’t find anything.



We looked at the page source and found the name gogu, which we can try as a username.


Exploitation:
Now that we had a likely username, we tried to bruteforce the SSH port and successfully got the password universal for the user gogu.





So we logged in to the target machine over SSH with the credentials found above and got our first flag, user.txt.

We found that the user gogu could run only a limited set of commands, because the creator of the machine has implemented Jailkit for this user.
Note: Jailkit is used to restrict the bash shell of a particular user.
id
cat user.txt
ls -la



We looked for hidden files and found one named sysdate which had the SUID bit set.
Running sysdate printed the current date and time. We tried the PATH variable method to leverage the SUID bit of sysdate: if sysdate runs date without an absolute path, a file named date placed earlier in PATH is executed instead, with the privileges of sysdate. We were still not getting out of the restricted shell, maybe because of the Jailkit implementation.

ls -lRah
echo "/bin/sh" > date
chmod 777 date
export PATH=/home/gogu:$PATH
/home/gogu/…/sysdate
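
From the defender's side, a set-uid file sitting in a hidden location under a user's home directory, as found above, is exactly what a periodic audit should surface. The script below is an added example, not part of the original walkthrough; the flag letters (H, R) and the names in the demo tree are our own and constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the walkthrough): list set-uid files under a tree
# and mark the ones a reviewer should look at first.
#   H = lives under a hidden (dot-prefixed) path component
#   R = owned by uid 0, so it runs with root privileges
#   - = neither of the above
audit_suid() {
    root=${1:-/home}
    # -xdev: do not cross filesystems; -perm -4000: set-uid bit is set
    find "$root" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r f; do
        flags=
        rel=${f#"$root"}              # ignore any dots in $root itself
        case "$rel" in */.*) flags="${flags}H" ;; esac
        # the numeric owner is field 3 of `ls -ln`
        owner=$(ls -ln "$f" | awk '{print $3}')
        case "$owner" in 0) flags="${flags}R" ;; esac
        printf '%s\t%s\n' "${flags:--}" "$f"
    done
}

# Demo on a constructed tree (hypothetical names); safe to run unprivileged.
demo=$(mktemp -d)
mkdir -p "$demo/alice/.cache"
: > "$demo/alice/.cache/helper"
chmod 4755 "$demo/alice/.cache/helper"   # set-uid file in a hidden directory
: > "$demo/alice/notes.txt"              # ordinary file, must not be listed
audit_suid "$demo"
rm -rf "$demo"
```

On a real host, run audit_suid as root against /home or any other tree that users can write to, so that unreadable directories are not silently skipped.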




We searched Google for a way to bypass Jailkit and found a C program. We saved it as bypass.c on our Kali machine and tried to compile it. The compiler asked for some missing libraries, so we installed the dependencies and were then able to compile it.

apt install gcc-multilib -y
gcc bypass.c -o bypass -m32



Privilege Escalation:
After compiling the file, we transferred the bypass binary to the target machine and then executed it with root privileges using the PATH variable method.
After execution we successfully came out of the restricted shell, got a root shell and eventually the root flag.
ssh gogu@192.168.131.170 "cat > bypass" < bypass
ls
chmod 777 bypass
echo "/home/gogu/bypass" > date
chmod 777 date
export PATH=/home/gogu:$PATH
/home/gogu/…/sysdate
id
cd root
cat flag.txt
