Chili: 1 Vulnhub Walkthrough

at 1:59 AM Saturday, September 19, 2020

 Today we are going to solve another boot2root challenge called "Chili: 1".  It's available at VulnHub for penetration testing and you can download it from here.

The merit of making this lab is due to SunCSR Team. Let's start and learn how to break it down successfully.

Level: Easy

Penetration Testing Methodology

Reconnaissance

§  Netdiscover

§  Nmap

Enumeration

§  Bruteforce FTP with Hydra

Exploiting

  • Weak password abuse FTP

Privilege Escalation

§  Abuse of permissions in /etc/passwd

§  Capture the flag

Walkthrough

Reconnaissance

We are looking for the machine with netdiscover

$ netdiscover -i ethX




So, let's start by running map to all ports with OS detection, software versions, scripts and traceroute.

$ nmap -A –p- 192.168.10.182

 



Enumeration

 

We access the port 80 web service and find a single page with an image of a chili. After checking the image with several stego tools, we did not find anything that could be useful. In the code either.

 



Let's remember the clue given to us in the description by the creators of the box:




This time the fuzzing will not help us, so surely the method of exploitation is through FTP.

We brute-force the FTP service with the "Kaonashi" dictionary and use "chili" as our username.

We observe that it uses an unsecure password.



We connect to the FTP and can see that we have access to the user's folder. Since the machine does not have SSH service, we will not be able to upload our SSH Keys.

 


Exploiting

After reviewing all the files, we notice that we can list files recursively. We will go to the service and upload our webshell (I used Pentestmonkey) to access the machine.

Once uploaded, we will give it the necessary permissions to work properly.

 


Now we will put a netcat to the listening, we will execute our shell from the browser and we will obtain the access to the machine.

 


Privilege Escalation (root)

We do our classic recognition, we will not take long to list that we have write permissions in the file /etc/passwd.



Given this, the climb will be very simple:

1.       We will create a user and a password.

2.       We will insert a new line with the new user, adding the structure of the root user.

3.       We will authenticate ourselves as the new user.

4.       We will have permissions as root and we will have achieved the privilege scale in the system.



Author: David Utón is Penetration Tester and security auditor for Web applications, perimeter networks, internal and industrial corporate infrastructures, and wireless networks. Contacted on LinkedIn and Twitter.
Labels:

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)