
VulnHub - CyberSploit2

CyberSploit2 writeup

Link

https://www.vulnhub.com/entry/cybersploit-2,511/


Solve

Import the OVA file into VirtualBox. First, we use arp-scan to determine the target's IP address:

sudo arp-scan -I eth1 --localnet


Then we use nmap to scan for open ports on the target.


The target has an Apache web server running on port 80. When we access the server, we get a table that seems to contain credentials. I noted the table and then did some fuzzing on the web server. I got no sensitive assets from the web server using popular wordlists like SecLists or rockyou, so maybe we can find some interesting information or hints in the page source? Opening the GET request in Burp Suite and grepping for HTML comments, I saw a hint like the one below.


We got the ROT47 cipher. What does this mean? Maybe we have some ROT47-encoded data somewhere? Going back to the table, I found the ROT47.


Decoding the 2 strings, we get the SSH credentials.

  • D92:=6?5C2 -> shailendra
  • 4J36CDA=@:E` -> cybersploit1

Use the above credentials to log in as shailendra.


PRIVILEGE ESCALATION

We see that shailendra is not in the sudo group. First, we find out which files we have write permission on. The command I usually use is find / -type f -writable 2>/dev/null. No writable file can be used to get root here, but I got another interesting file in the result.


That's a hint file in the home folder.


The shailendra user is in fact in the docker group, so it is easy to mount the /etc folder into a container and then edit the shadow file to change root's password. An example of mounting the /etc folder as a volume of a container is the following:

docker run -v /etc:/mnt -it alpine
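
The finding above is the lesson of this box for administrators: anyone in the docker group can drive the Docker daemon, which runs as root, so membership is root-equivalent. The audit below is an added example, not part of the original writeup; the function names and the sample group/passwd contents (the admin and builder accounts and all UIDs/GIDs) are constructed for illustration.

```shell
#!/bin/sh
# Added example: list non-root accounts that belong to the docker group,
# either as supplementary members or through their primary GID.

# docker_group_members GROUP_FILE PASSWD_FILE -> one username per line
docker_group_members() (
    group_file=$1
    passwd_file=$2
    # group(5) format: name:password:GID:comma-separated-members
    gid=$(awk -F: '$1 == "docker" { print $3 }' "$group_file")
    [ -n "$gid" ] || exit 0    # no docker group defined, nothing to report
    members=$(awk -F: '$1 == "docker" { print $4 }' "$group_file" | tr ',' '\n')
    {
        printf '%s\n' "$members"
        # passwd(5) format: name:password:UID:GID:gecos:home:shell
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | grep -v -e '^$' -e '^root$' | sort -u
)

# Constructed sample data modelled on the situation in the writeup.
sample_dir=$(mktemp -d)
cat > "$sample_dir/group" <<'EOF'
root:x:0:
sudo:x:27:admin
docker:x:998:shailendra
EOF
cat > "$sample_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000::/home/admin:/bin/bash
shailendra:x:1001:1001::/home/shailendra:/bin/bash
builder:x:1002:998::/home/builder:/bin/bash
EOF

# Runs the audit against the constructed sample files.
audit_sample() {
    docker_group_members "$sample_dir/group" "$sample_dir/passwd"
}

echo "Accounts with root-equivalent Docker access (sample data):"
audit_sample | sed 's/^/  /'
```

On a real host, call docker_group_members /etc/group /etc/passwd and treat every name it prints as an account with root access when reviewing privileges.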


This post is licensed under CC BY 4.0 by the author.