russellmurad.medium.com

Billu: Box 2 Vulnhub Walkthrough

Russell Murad



Hello Guys! This is Russell Murad working as a Junior Security Engineer at Enterprise Infosec Consultants (EIC).

In this writeup, we’ll break into a machine named “Billu: Box 2”.

You can download it from here.

I’ve configured both the Vulnhub machine and my Kali machine on a VirtualBox bridged connection.

Vulnhub said that “This virtual machine is having intermediate to medium difficulty level.”

But I personally find it easy.

1. First, we find the victim machine’s IP address using arp-scan.

2. Then let’s find the open ports using Nmap.

3. Port 80 is open. Let’s enumerate it using Firefox.

Wappalyzer says the site is built with Drupal 8. There’s a popular exploit on GitHub named “Drupalgeddon2”, which can be downloaded from here.

4. It’s written in Ruby. We’ll run it against our victim’s IP.

It’s working!!!

5. Now, to get a reverse shell: when we try “nc”, it only reports the “netcat-openbsd package”. But using “ncat” we can get the job done.


Our Kali machine receives a connection from the server.


6. After that, we do some manual enumeration.

When we check “/etc/passwd”, we find something useful!

There is a password hash stored in the “/etc/passwd” file.

On modern Linux systems, password hashes are stored in the “/etc/shadow” file. Besides that, the “/etc/passwd” file here has 777 permissions.

That means any user can modify or delete it.

7. So now we’ll make a copy of the “passwd” file on our Kali machine.

In that copy we’ll replace the “indishell” hash with our own generated hash.

To generate the hash we’ll use OpenSSL, where the salt is abc and the password is pass123.

8. Let’s replace the indishell hash with the new one.

Keep in mind we have to add an extra “:0:0” after the hash in that line, which sets the account’s UID and GID to 0.

9. Now let’s use Apache or Python’s SimpleHTTPServer to transfer the new passwd file to the victim machine, then delete or replace the genuine passwd file in /etc with our new one.

10. Let’s log in as user “indishell” with the password pass123.

And it works!!! We’ve gained root privileges!!!
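As an added defensive check (not part of the original write-up), the following Python script audits a passwd file for exactly the conditions this box relies on: a password hash stored directly in /etc/passwd instead of /etc/shadow, group- or world-writable permissions, and non-root accounts carrying UID 0 (which is what the “:0:0” edit in step 8 produces). The sample passwd content and the hash string in it are constructed for the demo; `audit_passwd_file` runs the same checks against a real file on disk.

```python
import os
import stat

# Constructed sample passwd content, in the state the write-up describes:
# "indishell" carries a crypt-style hash directly in the password field
# (the hash string below is made up, not a real hash), and a second
# UID-0 entry stands in for the ":0:0" edit from step 8.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
indishell:$1$abc$FAKEHASHVALUEFORDEMO:1000:1000:indishell:/home/indishell:/bin/bash
backdoor:x:0:0::/root:/bin/bash
"""

# Values that legitimately appear in the passwd password field:
# "x" (hash lives in /etc/shadow) or a lock marker.
SHADOWED_OR_LOCKED = {"x", "*", "!", "!!"}


def audit_passwd_content(text):
    """Return (severity, message) findings for passwd-format text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(("warn", f"line {lineno}: malformed entry with {len(fields)} fields"))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append(("high", f"line {lineno}: account '{name}' has an empty password field"))
        elif pw not in SHADOWED_OR_LOCKED:
            # Anything else in this field is a hash that crypt(3) will accept,
            # readable by every local user because passwd is world-readable.
            findings.append(("high", f"line {lineno}: account '{name}' stores a password hash in passwd"))
        # UID 0 is root regardless of the account name.
        if uid == "0" and name != "root":
            findings.append(("high", f"line {lineno}: account '{name}' has UID 0"))
    return findings


def audit_passwd_mode(mode):
    """Flag write bits for group or others; /etc/passwd should be 0644."""
    findings = []
    if mode & stat.S_IWGRP:
        findings.append(("high", "passwd file is group-writable"))
    if mode & stat.S_IWOTH:
        findings.append(("high", "passwd file is world-writable"))
    return findings


def audit_passwd_file(path="/etc/passwd"):
    """Audit a real passwd file on disk: permissions first, then content."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return audit_passwd_mode(mode) + audit_passwd_content(text)


if __name__ == "__main__":
    # Demo on the constructed sample with the 777 mode seen on the box.
    for severity, message in audit_passwd_mode(0o777) + audit_passwd_content(SAMPLE_PASSWD):
        print(f"[{severity}] {message}")
```

Run against the sample, the script reports the hash on the indishell line, the extra UID-0 account, and both stray write bits; on a correctly configured host (`0644`, every password field `x`, only `root` at UID 0) it reports nothing, which makes it cheap to drop into a cron job or a configuration-management check.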


So, guys, that’s it for today.
Thank you for reading this write-up. Cheers!