MinU: v2 Vulnhub Walkthrough


Today we are going to take on another CTF challenge, MinU: v2. The credit for making this VM goes to “8bitsec”. It is a boot2root challenge in which we have to root the server and capture the flag to complete the challenge. You can download this VM here.
Security Level: Beginner
Penetrating Methodology:
1.      Scanning
·         Netdiscover
·         NMAP
2.      Enumeration
·         Web Directory search 
3.      Exploitation
·         Command Injection
·         SSH
4.      Privilege Escalation
·         Exploiting SUID rights

Walkthrough:

Scanning:
Let’s start off by scanning the network and identifying the host IP address. Using Netdiscover, we can identify the host IP as 192.168.1.101.
netdiscover



Then, as usual, we used our favorite tool Nmap for port enumeration. We found that ports 22 and 3306 are open, and we observed that an HTTP service was running on port 3306.
nmap -A 192.168.1.101




Enumeration:
We found nothing useful on the index page, so we used dirb for brute forcing and found one directory with a .html extension.




We tried to access the URL and found that it is an upload page that accepts only .svg files as input.




So we turned to Google to find a script in SVG format that we could use for command injection.





After doing some research we found one such script, in which we inject /etc/passwd. We copied the script and saved it as a .svg file.





Exploitation:
We tried to upload the script file and it uploaded successfully. After uploading, we checked the page source and got the contents of the /etc/passwd file.
We learned that the target has multiple users, such as employee, chrony, nobody, etc.




We thought of exploring other commands using the same script.
Since the target machine is using the /bin/ash shell, we thought of checking the shell history in the /.ash_history file by editing the script file.



After editing, we uploaded the file and got some useful information from the history file, which gave us a username and a password.

So we tried to SSH into the target machine with the username employee and the password superultrapass3 that we got above, and were able to log in successfully.
After logging in, we checked for SUID permissions for privilege escalation and found one file named micro, which turned out to be an editor tool.

find / -perm -u=s -type f 2>/dev/null
/usr/bin/micro



Privilege Escalation:
We tried to pipe the contents of the /etc/passwd file into the micro editor, where we can edit or add new users with root privileges.
cat /etc/passwd | /usr/bin/micro



We created the password for the new user using the openssl tool.
openssl passwd -1 -salt user3 pass123


After that, we added the new user test, with the hashed password and root privileges, to the /etc/passwd file and saved it.



Once we had a user with root privileges, we switched to that user, got a root shell, and eventually got the flag.


su test
id
cd /root
cat flag.txt
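
A defender-side check for the /etc/passwd change made above, as an added example that is not part of the original walkthrough: it scans a passwd-format file for non-root accounts with UID 0 and for password hashes stored directly in the file. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the walkthrough): audit a passwd-format file.
# audit_passwd and write_sample are hypothetical names; the sample is constructed.

# audit_passwd FILE: prints one finding per line, returns 1 if anything was found.
audit_passwd() {
    awk -F: '
        /^[ \t]*$/ || /^#/ { next }                      # skip blanks and comments
        NF != 7 { printf "MALFORMED line %d\n", NR; bad = 1; next }
        # Only root may hold UID 0.
        $3 == 0 && $1 != "root" { printf "UID0 %s\n", $1; bad = 1 }
        # An empty password field means no password is required.
        $2 == "" { printf "EMPTYPW %s\n", $1; bad = 1 }
        # With shadow passwords the field is "x"; "*" or "!" marks a locked
        # account. Anything else is a hash stored inline in the file.
        $2 != "" && $2 != "x" && $2 !~ /^[*!]/ { printf "INLINEHASH %s\n", $1; bad = 1 }
        END { exit bad }
    ' "$1"
}

# write_sample FILE: constructed passwd content; the last line has the shape
# of the entry described above (placeholder instead of a real hash).
write_sample() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/ash
employee:x:1000:1000:Linux User,,,:/home/employee:/bin/ash
nobody:x:65534:65534:nobody:/:/sbin/nologin
test:$1$user3$CONSTRUCTED_PLACEHOLDER:0:0:root:/root:/bin/ash
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_passwd "$sample" || echo "findings present in $sample"
rm -f "$sample"
```

On a live system the function would be pointed at /etc/passwd, and a non-zero exit status can drive an alert from cron or a configuration-management run.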

