
FourAndSix: 2 Vulnhub Walkthrough


FourAndSix: 2 is the sequel to the previously solved vulnerable machine FourAndSix by Fred, uploaded on Vulnhub. It is not mandatory, but it is advised to read the prequel of this lab here. You can download the FourAndSix:2 vulnerable lab from here. The challenge is to become root and read flag.txt in the same directory.

Table of contents:

- Discovery of IP address.
- Scanning for open ports and services.
- Discovering universally accessible directory in victim’s machine.
- Cracking the password of archive found in storage partition.
- Reading the pub file and logging in using ssh.
- Discovering utilities with the SUID bit on them.
- Using doas to get root.
- Snagging the flag!

Let’s get started then.

The first step is, as usual, to find the IP of the target machine. In this case it is 192.168.1.103.



Next we discover open ports and services using nmap. The ports open were 22, 111, 2049.



There was only one way to proceed, and that was port 2049. So, we used the showmount command to check for NFS shared partitions.

Later, we mounted it under the folder name “raj” using the mount command. And we found a 7z compressed file.

showmount -e 192.168.1.103
mount -t nfs 192.168.1.103:/home/user/storage raj

But the file “backup.7z” was unfortunately password protected.



So, after trying out a number of options such as John the Ripper with zero success, we found a site online to break its password.

The password was found to be: chocolate



We extracted its contents in the same folder and found a few images along with RSA keys. As port 22 is running the SSH service on the target machine, we can use the RSA private key to log in. We open the RSA public key to take a look at the username.

cat id_rsa.pub

We tried logging in over ssh, but it asked for a passphrase. So, we created the following script to find the correct password.

cat /usr/share/wordlists/metasploit/adobe_top100_pass.txt | while read -r pass; do if ssh-keygen -c -C "user@forandsix" -P "$pass" -f id_rsa &>/dev/null; then echo "$pass"; break; fi; done

From the id_rsa.pub file we found the user for the victim's secure shell and logged in as that user. The password was: “12345678”.

ssh -i id_rsa user@192.168.1.103

We used the find utility to discover files or packages with the SUID bit set on them.

find / -perm -u=s -type f 2>/dev/null

We found an interesting utility with the SUID bit: /usr/bin/doas, which is an alternative to sudo.

After reading the “doas.conf” file, we find that “less” can be run as root.



Let’s pick the configuration file and try to understand it word by word. The doas utility executes commands as other users according to the rules in the doas.conf configuration file.

permit/deny: allows or denies the rule.

nopass: the user is not required to enter any password.

persist: after the user successfully authenticates, do not ask for a password again for some time.

keepenv: the user’s environment is maintained.

cmd: the command that is allowed to run.

Since the doas configuration file says that less can be run as root with no password at all, it can be used for shell escaping.

doas /usr/bin/less /var/log/authlog

Enter v to escape to vi and then “!sh” to escape to our brand new shell.
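
From the defender's side, a rule like this one can be caught by auditing doas.conf for root rules that name a program with a built-in shell or editor escape. The script below is an added example, not part of the original walkthrough; the ESCAPABLE list, the function names and the sample rules are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit doas.conf for rules that hand out a root shell through
# a program with a built-in shell or editor escape, as less does here.

# Assumption: a short, non-exhaustive list of programs with such an escape.
ESCAPABLE="less more vi vim view ed man"

# audit_doas [FILE]: print "line N: reason: rule" for each risky permit rule.
# Simplified parser: does not interpret setenv { ... } blocks.
audit_doas() {
    awk -v esc="$ESCAPABLE" '
    BEGIN { n = split(esc, e, " "); for (i = 1; i <= n; i++) risky[e[i]] = 1 }
    /^[ \t]*#/ || NF == 0 { next }     # comments and blank lines
    $1 != "permit"        { next }     # deny rules grant nothing
    {
        nopass = 0; target = ""; cmd = ""
        for (i = 2; i <= NF; i++) {
            if      ($i == "nopass") nopass = 1
            else if ($i == "as")     target = $(++i)
            else if ($i == "cmd")    { cmd = $(++i); break }  # rest is args
        }
        # No "as" clause means any target user, which includes root.
        if (target != "" && target != "root") next
        base = cmd; sub(/.*\//, "", base)
        if (cmd == "")          reason = "any command as root"
        else if (base in risky) reason = base " as root has a shell escape"
        else next
        if (nopass) reason = reason ", no password"
        printf "line %d: %s: %s\n", NR, reason, $0
    }' "$@"
}

# Constructed sample rules (not the VM's actual doas.conf).
sample_conf() {
    cat <<'EOF'
# constructed sample
permit nopass keepenv user as root cmd /usr/bin/less args /var/log/authlog
permit persist :wheel
permit nopass user as root cmd /sbin/reboot
deny user cmd /usr/bin/vi
permit user as www cmd /usr/bin/vi
EOF
}

sample_conf | audit_doas
```

Run it against a real file with audit_doas /etc/doas.conf. Pinning the file with args does not close the hole, because the escape happens inside less; less honours LESSSECURE=1, which disables the v and ! commands.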



The final step was to snag the flag! It was in the root directory, as told by the creator of the VM.

id shows that the shell is a root shell, and finally we read the congratulatory flag using cat!



So this was how we rooted FourAndSix:2. Hope you liked it.

Author: Harshit Rajpal is an InfoSec researcher and a left and right brain thinker.

