Introduction
The NerdHerd lab is a vulnerable Ubuntu machine. To solve it, we log in to the FTP server, where a PNG picture gives us our first lead; we combine the information from that image with a hint from the HTTP server to recover a password, which gets us into an SMB shared folder. In the shared folder we find a web path that leads to the SSH credentials. Rooting the box involved running a kernel exploit for CVE-2017-16995. The bonus flag was in root's .bash_history file. Let's get started.
Solution
We start with an nmap scan to determine which ports are open.
From the scan, we see that port 21 is open and running an FTP server. Let's try logging in as the anonymous user to check whether anonymous access has been disabled.
It seems anonymous login has not been disabled. Let's list the contents of the directory to see which files have been left for us here.
We get a PNG file and a hidden folder. We use the get command to download the PNG file locally. Let's navigate into the hidden folder and check whether any clues were left there. We find a text file, which we also download locally.
We start by examining the PNG file. I used gwenview to view it.
Let's cat the text file to see its contents.
The word leet is a hint: written in leetspeak it becomes 1337, so we need to look at port 1337, which the nmap scan showed running an HTTP server.
Before we proceed, let's run exiftool against the image to see what metadata it contains.
The metadata contains an unusual user name. Let's paste it into a cipher identifier to check whether it is ciphertext rather than a real name.
After analysing the text, we find that it is Vigenère ciphertext. Let's navigate to a Vigenère cipher tool to decipher it. When we try, we realize we can't, because we don't have the key that was used to encrypt the password.
Let's navigate to the website hosted on port leet 😅😅😅 (1337). At the bottom of the page we are given a clue about the key for our cipher. Clicking the link takes us to a YouTube video of the song "Bird is the Word".
I tried bird as the key, but it wasn't successful. Using birdistheword as the key, I was able to decrypt the ciphered word.
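The key-guessing step above is easy to do locally instead of in a web tool. This is an added example, not code from the original post: a small Vigenère implementation plus a helper that tries several candidate keys at once. The ciphertext is constructed here by encrypting a sample plaintext under the key birdistheword; it is not copied from the lab's image metadata. It also shows why a short wrong guess can look almost right: when the guess is a prefix of the real key, the first few letters decrypt correctly and only the rest turns to junk.

```python
"""Vigenere encrypt/decrypt and a candidate-key loop.

Added example, not from the original post. SAMPLE_CIPHERTEXT is derived
here from a sample plaintext and the key "birdistheword"; nothing is taken
from the lab's files.
"""
import string

ALPHABET = string.ascii_lowercase


def _shift_stream(key: str):
    """Yield one key offset per consumed letter, cycling through the key."""
    offsets = [ALPHABET.index(c) for c in key.lower() if c in ALPHABET]
    if not offsets:
        raise ValueError("key must contain at least one letter")
    i = 0
    while True:
        yield offsets[i % len(offsets)]
        i += 1


def vigenere(text: str, key: str, decrypt: bool) -> str:
    """Encrypt (decrypt=False) or decrypt (decrypt=True) text under key.

    Only letters are transformed and case is preserved; other characters
    pass through without consuming key material, which is how the usual
    online tools behave.
    """
    stream = _shift_stream(key)
    out = []
    for ch in text:
        if ch.lower() not in ALPHABET:
            out.append(ch)
            continue
        k = next(stream)
        if decrypt:
            k = -k
        p = (ALPHABET.index(ch.lower()) + k) % 26
        out.append(ALPHABET[p].upper() if ch.isupper() else ALPHABET[p])
    return "".join(out)


def try_keys(ciphertext: str, candidates) -> dict:
    """Decrypt ciphertext under every candidate key; returns {key: plaintext}."""
    return {k: vigenere(ciphertext, k, decrypt=True) for k in candidates}


SAMPLE_PLAINTEXT = "easypass"   # sample plaintext chosen for this example
KEY = "birdistheword"
SAMPLE_CIPHERTEXT = vigenere(SAMPLE_PLAINTEXT, KEY, decrypt=False)  # "fijbxslz"

if __name__ == "__main__":
    # "bird" is a prefix of the real key, so its first four letters decrypt
    # correctly ("easy...") before the stream drifts out of sync.
    for key, plain in try_keys(SAMPLE_CIPHERTEXT, ["bird", "theword", KEY]).items():
        print(f"{key:>14}: {plain}")
```

The partial match is the useful signal: if the first n letters of a guess produce readable text and the rest does not, extend the key rather than discard it.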
Since the scan also showed SMB running on the machine, we'll use crackmapexec and enum4linux to enumerate it.
Let's start by using crackmapexec to list the shared folders.
When we run enum4linux, we get three users.
Using the information from the two tools, let's try accessing the shared folder called nerdherd_classified. We use smbclient to connect to the share, with chuck as the username and the decrypted password, easypass.

We find a secr3t.txt file in the shared folder. We use the get command to download it locally, then cat it to see what it contains.

Let's go back to the website on port 1337 and browse to the secret folder.

We see a creds.txt file in the secret folder. Let's download it and see what is inside.

We get SSH credentials. Now let's log in to the server via SSH. After logging in, we list the contents of the home directory and find the user flag.

We copy linpeas.sh to the server and run it to enumerate the system for privilege escalation paths.

The linpeas.sh output shows that the machine is running a vulnerable kernel version.



We use scp to copy the downloaded exploit for CVE-2017-16995 to the /tmp folder on the vulnerable machine.

Now let's SSH back into the vulnerable machine and compile the exploit with gcc. First we check whether gcc, the GNU C compiler, is installed on the machine.

Compiling the code gives us an a.out executable. Let's run it. Kernel exploits like this one can crash the target if they do not match the running kernel, so if the box dies, reset it and try again.

After running the exploit, we get a root shell. Let's navigate to the root directory to get the root flag.
But first, let's upgrade our shell to a proper TTY using python3.


It seems the root flag is not in the /root folder. Let's use the find command to search for it.

The root.txt file was hidden in the /opt folder.

The bonus flag is in the root user's .bash_history file.

We have pwned the machine.
Happy hacking !!!