Seppuku:1 Vulnhub Walkthrough
Today we are going to crack a machine called “Seppuku:1”. It is available on Vulnhub for penetration testing practice. It was an intermediate box which taught me many new things. The credit for making this lab goes to the SunCSR Team. Let’s start and learn how to successfully breach it.
Level: Intermediate to Hard
Since these labs are available on the Vulnhub website, we will download the lab file from here.
Penetration Testing Methodology
- Abusing HTTP Services
- Brute-forcing using hydra
- Connecting using SSH
- Bypassing Restricted shell
- Abusing Sudo
- Capture the flag
As usual, in the initial phase we use netdiscover to scan the network and identify the host IP; here the target is 192.168.1.104.
Then we use nmap for port enumeration. We find port 21 (FTP), port 22 (SSH), port 80 (HTTP), ports 139 and 445 (NetBIOS-ssn), port 7080 (SSL/HTTP), port 7601 (HTTP) and port 8088 (HTTP) open.
nmap -p- -A 192.168.1.104
For more detail, we need to enumerate the host machine further. Since port 7601 is open, I opened a browser and explored the target IP 192.168.1.104, but unfortunately found nothing useful.
Next, we use dirb for directory brute-forcing against the target and find the secret and keys directories with status code 200 OK.
When we browse to the keys URL enumerated above, we find some files; the one named private is useful to us.
This link leads to a page called private, which holds an SSH private key for a user we have not identified yet.
Next, we explore the other directory from the dirb scan, secret.
As a result, it gives us some very important files, such as password.lst and hostname.
The file named hostname gives us a username, seppuku.
We have the username seppuku, so our next job is to find its password using hydra for an SSH login brute force. The best password source here is the password.lst file we found in the secret directory during the dirb scan.
hydra -l seppuku -P /root/Desktop/password.lst 192.168.1.104 ssh
From its output, we find the password eeyoree for seppuku.
With a username and password in hand, we try SSH to the target system and log in successfully.
After logging in, we look for hidden files and find one called .passwd, which holds a password, though we don't yet know what it is for.
After that, we tried to go inside the home directory, but we were not able to do so because of the restricted rbash shell. 🤔
ls -la
cat .passwd
cd /home
Since we know the SSH credentials of a user confined to rbash, we can pass a command to ssh with -t to break out of the jail and get a proper bash shell instead:
ssh seppuku@192.168.1.104 -t "bash --noprofile"
Now we try the home directory again, and this time we succeed. Listing it shows two new users, samurai and tanto.
So let’s log in as samurai with the password we found in the hidden .passwd file.
cd /home
su samurai
Let us use the sudo -l command to check whether this user can run some application with root privileges.
We find that, as the samurai user, we can run the .cgi_bin/bin command with root privileges.
If you remember, we enumerated a private key while performing the directory brute force. I copied the content of the private file found in the keys directory during the dirb scan, saved it into an empty file named sshkey and gave it chmod 600 permissions.
chmod 600 sshkey
Since port 22 is open on the target machine, we try to connect to it using this key as the user tanto and run the following commands.
ssh -i sshkey tanto@192.168.1.104 -t "bash --noprofile"
ls -la
After logging in as tanto, we looked for the .cgi_bin directory that would be executed through sudo, but unfortunately I was unable to find it. Therefore, I created a directory named .cgi_bin and saved a bash script in a file named “bin” inside it, so that running it gives a bash shell.
mkdir .cgi_bin
cd .cgi_bin/
echo "/bin/bash" > bin
chmod 777 bin
ls -la
Now it was time to exploit the .cgi_bin program, so we logged in as samurai again and ran the following commands, obtained a root shell and finished the challenge by capturing the root flag 🚩.
sudo ../../../../../../../home/tanto/.cgi_bin/bin /tmp/*
cd /root
ls
cat root.txt
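The root shell above comes from a sudo rule whose command is a relative path that resolves into another user's home directory, where the target file does not even exist yet. As an added example that is not part of the original walkthrough, the script below audits sudoers-style rules for exactly that class of misconfiguration: relative command paths, commands under user-writable trees, missing targets and targets that are not root-owned or are group/world-writable. The sudoers fragment is constructed, and the samurai rule is an assumption modelled on the sudo -l output described above.

```python
import os
import re
import stat

# Constructed sudoers fragment (not the lab's file); the samurai rule is assumed from the walkthrough.
SAMPLE_SUDOERS = """\
root    ALL=(ALL:ALL) ALL
samurai ALL=(ALL) NOPASSWD: ../../../../../../../home/tanto/.cgi_bin/bin /tmp/*
alice   ALL=(root) /usr/bin/systemctl restart nginx
bob     ALL=(ALL) /home/bob/scripts/backup.sh, /usr/bin/apt update
"""
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG_RE = re.compile(r"^(?:[A-Z]+:\s*)+")  # strips NOPASSWD:, SETENV:, ...
USER_WRITABLE = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")

def audit_command(cmd_spec):
    """Return the reasons one sudo command spec is risky (empty list if none)."""
    spec = TAG_RE.sub("", cmd_spec.strip())
    if not spec:
        return []
    path = spec.split()[0]
    if path == "ALL":
        return ["ALL: unrestricted command"]
    reasons = []
    if not path.startswith("/"):
        reasons.append("relative path: sudo resolves it from the caller's working directory")
    # normalise as if run from /, which collapses the leading ../ chain to its real target
    target = os.path.normpath(path if path.startswith("/") else "/" + path)
    if target.startswith(USER_WRITABLE):
        reasons.append(f"user-writable tree: {target}")
    try:
        st = os.stat(target)
        if st.st_uid != 0 or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append(f"not root-owned or group/world-writable: {target}")
    except OSError as exc:  # ENOENT in the lab: tanto could simply create .cgi_bin/bin
        reasons.append(f"cannot stat {target}: {exc.strerror}")
    return reasons

def audit_sudoers(text):
    """Return (user, command, reasons) for every risky command in a sudoers text."""
    findings = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or line.lstrip().startswith("#"):
            continue
        for cmd in m.group("cmds").split(","):
            reasons = audit_command(cmd)
            if reasons:
                findings.append((m.group("user"), cmd.strip(), reasons))
    return findings
```

Run it against a real /etc/sudoers (and /etc/sudoers.d/*) as root; the stat-based checks only say something useful on the host where the rules apply.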
Author: Japneet Kaur Gandhi is a Technical Writer, Researcher and Penetration Tester. Contact here