CTF Challenges

Seppuku:1 Vulnhub Walkthrough

Today we are going to crack this machine called “Seppuku:1”. It is available on Vulnhub for the purpose of Penetration Testing practices. It was an intermediate box which made me learn many new things. This credit of making this lab goes to SunCSR Team. Let’s start and learn how to successfully breach it.

Level:  Intermediate to Hard

Since these labs are available on the Vulnhub Website. We will be downloading the lab file from this here

Penetration Testing Methodology

Reconnaissance

  • Netdiscover
  • Nmap

Enumeration

  • Abusing HTTP Services
  • Dirb

Exploiting

  • Brute forcing using hydra
  • Connecting using SSH
  • Bypassing Restricted shell

Privilege Escalation

  • Abusing Sudo
  • Capture the flag

Walkthrough

Reconnaissance

As you know, this is the initial phase where we choose netdiscover for network scan for identifying host IP and this we have 192.168.1.104 as our host IP.

Then we used nmap for port enumeration. We found that port 21 for ftp, port 22 for ssh, port 80 for http, 139 and 445 for NetBIOS-ssn, port 7080 for SSL/http, port 7601 for http, port 8088 for http.

nmap -p- -A 192.168.1.104

Enumeration

For more detail, we will be needing to start enumeration against the host machine. Since port 7601 is open I look toward browser and explore target ip 192.168.1.104  but unfortunately found nothing useful.

http://192.168.1.104:7601

Further, we use dirb for directory brute-forcing and found secret & key with status code 200 OK on executing following command.

dirb http://192.168.1.104:7601

When we navigate URL enumerated above, i.e. keys we found some files, here private was useful for us.

http://192.168.1.104:7601/keys

This link leads us to a page called private. This is a private key for some user which we have not found yet.

Further, we will explore our next directory called secret which we found in our dirb scan.

http://192.168.1.104:7601/secret

AS result it gives some very important files such as password.lst and hostname.

Here found a file named hostname which gave us a username i.e. seppuku.

Exploiting

We have got username seppuku , now our next job is to find the password for the user seppuku with the help of hydra for SSH login brute force. Here the best way to guess password is to use the password file which we found in the secret directory during dirb scan.

hydra -l seppuku -P /root/Desktop/password.lst 192.168.1.104 ssh

From its result, we found the password eeyoree for seppuku.

We have a username and password, so we tried to access the SSH on the target system and we were successfully able to log in.

ssh seppuku@192.168.1.104

 After getting logged in let’s go for further investigation to find some hidden files. As a result, we found a hidden file called .passwd which gave us a password for what we don’t know right now.

After that, we tried to go inside the home directory, but we were not able to do so because of restricted rbash shell. 🤔

ls -la
cat .passwd
cd /home

Since we know the ssh credentials of the user who is part of rbash shell, then you can use the following command along ssh to break the jail and bypass the rbash by accessing proper bash shell.

ssh seppuku@192.168.1.104 -t "bash --noprofile"

Now we will again try to access the home directory this time we were successful in doing so. Now we will again check the hidden files where we found 2 new users named samurai and tanto.

So let’s dive in by getting logged in as samurai with the password we found in .passwd hidden file.

cd /home
su samurai

Let us use the sudo -l command to enumerate if this user can run some application with root privileges.

sudo -l

 We found seppuku user can run .cgi_bin/bin command as the samurai user which suppose have the root access.

Privilege Escalation

If you remembered we have enumerated private key when while performing directory brute force, here I copied the content of private file found in key during dirb scan and saved it into an empty file named sshkey with chmod 600 permissions.

chmod 600 sshkey

Since we port 22 open on the target machine, we will try to connect the target machine using this key for user TANTO and execute the following command.

ssh -i sshkey tanto@192.168.1.104 -t "bash –noprofile"
ls -la

After login as tanto, we looked for .cgi_bin directory that will be executed through sudo user but unfortunately, I was unable to find this directory, therefore, I made a directory as .cgi_bin and save the bash script in a file named as “bin” to get bash shell through it.

mkdir .cgi_bin
cd .cgi_bin/
echo "/bin/bash" > bin
chmod 777 bin
ls -la

Now it was time to exploit .cgi_bin program, thus again we logged as Samurai and run the following command and obtain the root shell and finished the challenge by capturing the root flag 🚩. 

sudo ../../../../../../../home/tanto/.cgi_bin/bin /tmp/*
cd /root
ls
cat root.txt

Author: Japneet Kaur Gandhi is a Technical Writer, Researcher and Penetration Tester. Contact  here