Nezuko: 1 Vulnhub Walkthrough

Today we are going to solve another CTF challenge called “Nezuko: 1”. It is available on Vulnhub for penetration testing practice. This lab is not that difficult if we have the proper basic knowledge of cracking the labs. The credit for making this lab goes to yunaranyancat. Let’s start and learn how to successfully breach it.

Level: Intermediate

Since these labs are available on the Vulnhub website, we will be downloading the lab file from this link.

Penetration Testing Methodology

Network Scanning

  • Netdiscover
  • Nmap

Enumeration

  • Browsing HTTP Service
  • Browsing Webmin Service
  • Enumerating Webmin Service

Exploiting

  • Exploiting Remote Code Execution Vulnerability
  • Get Shell
  • Enumerate for Flag

Privilege Escalation

  • Readable /etc/passwd file
  • Cracking hash using John The Ripper
  • Creating reverse bash script using msfvenom
  • Editing script scheduled to autorun
  • Get Escalated Shell
  • Enumerate for flag

Capture the flag

Walkthrough

Network Scanning

We will be running this lab in a Virtual Machine Player or Virtual Box. After running the lab, we used the netdiscover command to check the IP address of the lab.

This was found out to be 192.168.1.105.

Now we will run an aggressive scan using nmap to proceed further.

From its result, we found that ports 22 (SSH), 80 (HTTP) and 13337 (MiniServ) were open.

Enumeration

For more detail, we need to start enumeration against the host machine. Therefore, we will navigate to a web browser to explore the HTTP service.

We obtained an image of the Nezuko anime character, as shown in the image below.

This webpage turned out to be a waste of time as we were not able to extract anything from it. It’s time to explore other ports. The next one in our port scan was 13337. So we browsed to that port and it gave us the login panel of Webmin as shown in the image.

Exploiting

As we were not able to get our hands on credentials in our initial enumeration, we will have to figure out a different way to get through this Webmin authorization login panel. In our initial port scan, we figured out that our target machine is running Webmin version 1.920. So we used searchsploit to search for any available exploits.

This gave us the Remote Code Execution(RCE) Exploit. Now let’s download this exploit script using the -m parameter of the searchsploit command.

Now let’s read the contents of the exploit as well as understand its usage.

We saw that the exploit checks for the vulnerability through the RCE and returns either “Vulnerable” or “Target is not Vulnerable”. But we want to gain a remote shell on the target system. So we modified the exploit script to generate a netcat session from the target machine as shown in the image. We renamed the file to “shell.sh” as it is easier to remember than “47293”.

Here, the IP address of our attacker machine (Kali Linux) is 192.168.1.106.

Now, let’s execute the shell script with the target IP address and Port as parameters. But before executing this shell script, we will initiate a netcat listener to receive the reverse shell.

We started this netcat listener as discussed earlier. As the shell script was executed, we got an improper shell on the target machine. We used the python one-liner to convert it into a proper shell.

We can see that we have got the shell as the user Nezuko. We enumerated further using the ls command. This showed us a directory named “from_zenitsu” as well as a text file named nezuko.txt. When we investigated further, we saw that a message is received every 5 minutes. As the directory is named “from_zenitsu”, we assumed that there must be a user by that name.

But let’s also open the nezuko.txt file. It is our first flag. Now we will have to escalate privilege on this machine.

Privilege Escalation

We were looking for a user named zenitsu, so we thought to check if the /etc/passwd file is readable or not. It was readable. And we found a user named zenitsu as shown in the given image.

We used John The Ripper to crack the password hash of the user zenitsu. As shown in the image, it is “meowmeow”.

Now, as we have the credentials of the user zenitsu, let’s switch to that user.

We entered the password “meowmeow” as shown in the image.
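From the defender's side, the finding behind this step is a password hash kept in the world-readable /etc/passwd instead of the root-only /etc/shadow. The following audit is an added example, not part of the original walkthrough; it assumes zenitsu's hash sat in /etc/passwd itself, and the sample entries, the guest account and the hash value are constructed placeholders.

```python
import re

# crypt(3) prefixes; a hash in /etc/passwd is readable by every local user.
SCHEMES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
           "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt", "$y$": "yescrypt"}
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")  # traditional 13-character crypt

def classify(field):
    """Classify the second (password) field of a passwd entry."""
    if field == "x":
        return "shadowed"          # hash lives in /etc/shadow
    if field == "":
        return "empty-password"    # account usable without a password
    if field[0] in "*!":
        return "locked"
    for prefix, name in SCHEMES.items():
        if field.startswith(prefix):
            return "hash:" + name
    return "hash:descrypt" if DES_CRYPT.fullmatch(field) else "unrecognised"

def audit_passwd(text):
    """Return (line_no, user, finding) for every entry that needs attention."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            findings.append((no, parts[0], "malformed"))
            continue
        kind = classify(parts[1])
        if kind not in ("shadowed", "locked"):
            findings.append((no, parts[0], kind))
    return findings

# Constructed sample; the hash is a placeholder, not the lab's real value.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
nezuko:x:1000:1000::/home/nezuko:/bin/bash
zenitsu:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:1001:1001::/home/zenitsu:/bin/bash
guest::1002:1002::/home/guest:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
"""
print(audit_passwd(SAMPLE_PASSWD))
```

On a real host, pass the contents of /etc/passwd to audit_passwd; any "hash:" finding means the hash should be moved to /etc/shadow and the password changed.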

Now it’s time to enumerate this user as well. Here, on close inspection, we found a directory named “to_nezuko”. In this directory, we found the script that sends those messages to nezuko. We checked the permission of the script and found out that it runs with elevated privileges.

Now we created a reverse bash shell using msfvenom, as shown in the given image, to get a root shell on the target machine. We chose the payload format to be raw. We did this so that we can have the script available to us as shown in the given image.

We used the echo command as the zenitsu user to edit the send_message_to_nezuko.sh file, placing our shell code in the script. As we observed earlier, this script gets executed every 5 minutes, so we will wait for it to execute.

In order to receive the shell, we started a netcat listener on the port that we specified while creating the payload. After waiting for 5 minutes, we had the shell, and here we found root.txt. This was our final flag.

This was a good lab that made us understand some important aspects of scheduled tasks between users on the same machine, as well as how to exploit a Webmin panel.
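The root shell above comes from a script that root runs on a schedule while a lower-privileged user can edit it. The following check is an added example, not part of the original walkthrough, that flags such jobs; it assumes the job is defined in a system crontab, and the script's full path, the uid 1001 and the file modes in the sample are constructed.

```python
import os
import stat

def live_meta(path):
    st = os.stat(path)  # real lookup; the sample below passes a fake one
    return st.st_uid, st.st_mode

def tamper_reason(path, meta=live_meta):
    """Say why a non-root user could change what runs at `path`, else None."""
    while True:
        uid, mode = meta(path)
        if uid != 0:
            return f"{path} is owned by uid {uid}"
        # A sticky directory (like /tmp) protects the root-owned entry below it.
        sticky_dir = stat.S_ISDIR(mode) and bool(mode & stat.S_ISVTX)
        plain = stat.S_ISREG(mode) or stat.S_ISDIR(mode)  # skip /dev/null etc.
        if plain and mode & 0o022 and not sticky_dir:
            return f"{path} is group- or world-writable"
        parent = os.path.dirname(path)
        if parent == path:  # reached "/": every component is root-controlled
            return None
        path = parent

def audit_crontab(text, meta=live_meta):
    """Check root jobs in system-crontab text: min hour dom mon dow user command."""
    findings = []
    for line in text.splitlines():
        fields = line.split(None, 6)
        if line.lstrip().startswith("#") or len(fields) < 7 or fields[5] != "root":
            continue
        # Whitespace split of the command; quoted paths are not handled.
        for token in (t for t in fields[6].split() if t.startswith("/")):
            try:
                reason = tamper_reason(token, meta)
            except (OSError, KeyError):
                reason = f"{token} is missing"
            if reason:
                findings.append((token, reason))
    return findings

# Constructed sample; the path, uid 1001 for zenitsu and the modes are assumptions.
FAKE_FS = {
    "/": (0, 0o040755), "/home": (0, 0o040755), "/root": (0, 0o040700),
    "/home/zenitsu": (1001, 0o040755), "/home/zenitsu/to_nezuko": (1001, 0o040755),
    "/home/zenitsu/to_nezuko/send_message_to_nezuko.sh": (1001, 0o100755),
    "/root/rotate.sh": (0, 0o100700), "/opt": (0, 0o040777), "/opt/backup.sh": (0, 0o100700),
}
SAMPLE_CRONTAB = ("*/5 * * * * root /home/zenitsu/to_nezuko/send_message_to_nezuko.sh\n"
                  "0 3 * * * root /root/rotate.sh\n30 3 * * * root /opt/backup.sh\n")
print(audit_crontab(SAMPLE_CRONTAB, FAKE_FS.__getitem__))
```

The third sample job shows that a root-owned script is still replaceable when a directory above it is writable by others, so the check walks every path component up to "/".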

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester.

2 Comments Nezuko: 1 Vulnhub Walkthrough

  1. kali

    **update**
    I figured out why the .sh doesn't work, it's to do with the formatting of the code, so what I did was use gedit, copy / paste it into a new document and save with new.sh name
    However, after running it, now I get a different message saying it's not Vulnerable
