Broken: Gallery Vulnhub Walkthrough
We have another CTF challenges for CTF players that named
as “Broken” and it can be download from vulnhub from here.
The credit goes “Avraham Cohen” for designing this VM machine for beginners.
This is Linux based CTF challenge where you can use your basic pentest skill
for Compromising this VM to escalate the root privilege shell.
Penetration Testing Methodologies
·
Netdiscover
·
Nmap
Enumeration
Exploiting
·
Brute Force
·
Post enumeration
Privilgege escalation
·
Abusing sudo rights
Walkthrough
Network
Scanning
Let’s begin with network scan
using netdisover to identify the host machine IP.
netdiscover
And this gave 192.168.1.107
as Host IP, now we will move toward ports and service scan further.
For deep network scan we always prefer to use nmap
aggressive scan and this time also we will go with the same approach, thus will
run the below command to enumerate running services and open port.
nmap -A 192.168.1.107
From its scan result we found port 22 and 80 is open for
SSH and HTTP service respectively.
Enumeration
For more detail we need to start enumeration against the
host machine therefore we navigate to web browser for exploring HTTP service.
We obtained some
files as shown in the given below image. Thus, we downloaded and explored each
file but didn’t found any remarkable clue for further move.
Considering above file name could be helpful in generating a
wordlist for brute force attack, I saved above file names and all relevant hint
in two text files and named them “user” & “pwd” as shown
below.
Exploiting
Now it was time to use hydra for making brute force attack
on port 22 for SSH login thus we run below command in our local machine.
hydra -L user -P pwd 192.168.1.107 ssh
Great!! It works and we have broken:broken as SSH login
credential.
With the help of above credential, we logged in and access
the low privilege through user broken and notice that he has sudo rights for timedatectl
and reboot to be execute with root privilege.
Privilege Escalation
To escalate the root privilege, we went for post enumerating
and looked for .bash_history file.
In this file we noticed some interesting action has been
performed by author which was pointing towards a file name “password-policy.sh”
that exist inside /etc/init.d moreover a command to set time-date using
“timedatectl” command and much more.
Very fast we open the password-policy.sh that
exist inside /etc/init.d and found the a command for change the root
password into “TodayIsAgoodDay” when met to the specific condition that
i.e time-date.
So we run timedatectl command along sudo permissions and to
set date and time and then reboot the machine as followed in the below commands
sudo timedatectl set-time '2015-11-20 16:14:50'
sudo /sbin/reboot
Now we again connect to host machine via ssh as done
previously and then try to access root shell by switching the user account. As
we were hoping the password should changed into “TodayIsAgoodDay” therefore
we use it as for login as root.
Yes, it works, and we have successfully obtain the root
shell and with this the task finished here.
0 comments:
Post a Comment