A piece of cake machine. You will learn a little about enumeration/local enumeration and steganography. This machine was tested on VirtualBox, so I'm not sure about it with VMware. If you need any help you can find me on Twitter @mhz_cyber, and I will be happy to read your write-ups guys, send them on Twitter too. Cya with another machine #mhz_cyber. This works better with VirtualBox rather than VMware.
URL: mhz_cxf: c1f
Author: mhz_cyber & Zamba
Set up the machine with a host-only adapter and run netdiscover to find its IP. On my main OS (Kali Linux) the host-only interface is eth1:
netdiscover -i eth1
We identify the machine at 192.168.56.111, so let's scan all of its ports with nmap and save the normal output to a file named "nmap" (the -oN flag; -sS needs root, so run it with sudo):
sudo nmap -sS -p- -A -oN nmap 192.168.56.111
To start, port 80 is open so we will investigate this port with a browser.
There is not much to see: this is the default Apache page, meaning the real content is probably under a path we have not found yet.
Let's run a dirb scan against http://192.168.56.111 to discover more paths to enumerate.
One of the results returned is /notes.txt, so let's see what is in it:
This has given us 2 more potential paths to further discover: remb.txt and remb2.txt.
This is the content of remb.txt:
This looks like a username:password combination that we could try somewhere. As there is not much else to see on port 80, the only other service that takes a login is ssh.
Remb2.txt is a dead end.
Let's try connecting to the host over ssh with those credentials.
The connection succeeds, and running id shows we are logged in as "first_stage".
There is a user flag in the home directory as shown below:
Before we start trying to escalate privileges, let's run bash to get an upgraded shell. To find other users we might be able to use, let's see if there are any other home directories in /home:
bash
ls /home
We can actually change into mhz_c1f's home directory despite being logged in as first_stage. This is their home directory:
There is a directory named Paintings/ that we can explore. The description of this box mentioned steganography, so let's copy the files to our own machine with scp, which copies files between hosts over ssh.
Copy all images over for investigation:
scp first_stage@192.168.56.111:/home/mhz_c1f/Paintings/* .
The above command copies the files at the path after the colon from first_stage@192.168.56.111 into the current local directory. The remote shell expands the wildcard, so file names containing spaces come across intact.
The above screenshot shows the files being copied, left to right, over scp (which runs on top of ssh).
Here is a screenshot of the images on my local machine:
Now that these are on a local machine, we may use all the resources available to investigate these files.
Steganography analysis is made easy by tools that come pre-installed on Kali Linux.
Let’s run steghide on some of the images to see what is returned.
steghide info 'spinning the wool.jpeg'
"steghide info" prints basic information about the image (format, capacity) and then offers to check for embedded data, prompting for a passphrase. After trying two images, steghide reports embedded data in spinning the wool.jpeg.
In order to extract this embedded file, use the following command:
steghide extract -sf 'spinning the wool.jpeg'
-sf names the stego file, i.e. the cover image that holds the embedded data. steghide will prompt for a passphrase; try an empty one first, or supply it non-interactively with -p ''.
This gives us a file called remb2.txt. cat it to display its contents.
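Checking images one at a time gets tedious when a directory holds several candidates. The following POSIX shell script is an added example, not code from the original writeup: it sweeps every cover file in a directory with steghide (assumed to be on PATH), tries the empty passphrase first and then any passphrases given on the command line (for instance strings gathered during enumeration), and writes each payload to a per-image file so payloads from different images never collide. The file names and output directory in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original writeup.
# Sweep a directory of cover files with steghide (assumed to be on PATH),
# trying the empty passphrase first and then any passphrases given on the
# command line, and extract each payload into OUTDIR/<cover name>.extracted.
#
# Usage (paths are assumptions):
#   sh steg_sweep.sh ./Paintings ./extracted [passphrase ...]

# Attempt one cover/passphrase pair. On success print the payload path and
# return 0; on failure (wrong passphrase, no embedded data, unsupported
# format) return 1. -sf: stego file, -p: passphrase, -xf: payload file,
# -f: overwrite an existing payload file, -q: quiet.
steg_try() {
    cover=$1; pass=$2; outdir=$3
    base=$(basename "$cover")
    mkdir -p "$outdir" || return 1
    if steghide extract -q -sf "$cover" -p "$pass" -xf "$outdir/$base.extracted" -f >/dev/null 2>&1; then
        printf '%s\n' "$outdir/$base.extracted"
        return 0
    fi
    return 1
}

# Sweep DIR: for every file in a format steghide supports, try the empty
# passphrase and then each extra argument, stopping at the first hit.
# Prints "cover<TAB>passphrase<TAB>payload" per hit; returns 0 if any hit.
steg_sweep() {
    dir=$1; outdir=$2; shift 2
    found=0
    for cover in "$dir"/*; do
        [ -f "$cover" ] || continue
        case "$cover" in
            *.jpg|*.jpeg|*.JPG|*.JPEG|*.bmp|*.BMP|*.wav|*.WAV|*.au|*.AU) ;;
            *) continue ;;
        esac
        for pass in "" "$@"; do
            if payload=$(steg_try "$cover" "$pass" "$outdir"); then
                printf '%s\t%s\t%s\n' "$cover" "$pass" "$payload"
                found=$((found + 1))
                break
            fi
        done
    done
    [ "$found" -gt 0 ]
}

# Only run when invoked with arguments, so the functions can also be sourced.
if [ $# -ge 2 ]; then
    steg_sweep "$@"
fi
```

Because -xf fixes the payload's file name, the original embedded name (remb2.txt in this box) is lost; run steghide info on a hit if that name matters. Each hit stops at the first working passphrase, so put the most likely candidates first.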
We now have another username:password combination. Let's use it to switch to mhz_c1f in our ssh session with su:
su mhz_c1f
A successful login. Now let's check our sudo rights to see how we can get root:
sudo -l
sudo /bin/bash
sudo -l shows that we can run any command as root. Running /bin/bash through sudo therefore drops us straight into a root shell, as shown above.
And we have our root flag in /root:
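Reading sudo -l by eye works for one box, but the same entries come up on every engagement. The following POSIX shell function is an added example, not code from the original writeup: it triages saved sudo -l output and flags the entries that hand over a root shell outright, i.e. an "ALL" command spec or a shell binary, noting whether NOPASSWD applies. It deliberately ignores GTFOBins-style escapes through editors, pagers and the like; the sample output in the usage is a constructed illustration, not this machine's.

```shell
#!/bin/sh
# Added example, not code from the original writeup.
# Triage captured `sudo -l` output for entries that give a root shell
# directly: an "ALL" command spec or a shell binary, with or without
# NOPASSWD. Reads the output on stdin, so save it first:
#   sudo -l > sudo.txt && sh sudo_triage.sh sudo.txt   (file name assumed)

# Prints "runas=... nopasswd=... cmd=... (reason)" per risky entry;
# returns 0 if any were found, 1 otherwise.
sudo_l_triage() {
    found=0
    while IFS= read -r line; do
        # Permission entries are indented and start with "(runas)"; the
        # "Matching Defaults" and "User ... may run" lines are skipped.
        entry=${line#"${line%%[! ]*}"}
        case "$entry" in "("*")"*) ;; *) continue ;; esac
        runas=${entry%%")"*}; runas=${runas#"("}
        cmds=${entry#*") "}
        nopasswd=no
        case "$cmds" in
            NOPASSWD:*) nopasswd=yes; cmds=${cmds#NOPASSWD:}; cmds=${cmds# } ;;
        esac
        # One entry may list several commands separated by commas.
        old_ifs=$IFS; IFS=,
        for cmd in $cmds; do
            IFS=$old_ifs
            cmd=${cmd# }
            case "$cmd" in
                ALL) reason="any command" ;;
                */sh|*/bash|*/dash|*/zsh|*/ksh) reason="shell binary" ;;
                *) continue ;;
            esac
            printf 'runas=%s nopasswd=%s cmd=%s (%s)\n' "$runas" "$nopasswd" "$cmd" "$reason"
            found=$((found + 1))
        done
        IFS=$old_ifs
    done
    [ "$found" -gt 0 ]
}

# Only run when given a file argument, so the function can also be sourced.
if [ $# -ge 1 ]; then
    sudo_l_triage < "$1"
fi
```

On the entry this box exposes, "(ALL : ALL) ALL", the function reports cmd=ALL with nopasswd=no, which is exactly the case where sudo /bin/bash (after entering the user's own password) yields root.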