
It’s the simplest and easiest box I have ever done. I would recommend it to every beginner. I like the privesc; it’s fantastic.
I began with Enumeration.
I fired up Nmap to check for all open ports.
nmap -p- -v -oN nmap/all_ports -T4 192.168.42.84

Looking at the results, we have 3 ports open: 21, 22 and 80.
Next I ran Nmap again to scan the services on those ports.
nmap -sC -sV -p 21,22,80 -oN nmap/initial -T4 192.168.42.84

According to the Nmap results, FTP allows anonymous login. I logged in to see if there was anything interesting.

There was only one file, .bash_history. I downloaded that file for later use.

Before trying gobuster, ffuf or anything else, I analyzed the source code and found one username.

I checked whether I could log in to FTP with that username, but I couldn’t. So I started by brute-forcing SSH with Hydra.
hydra -l sysadmin -P /usr/share/wordlists/rockyou.txt ssh://192.168.42.84 -t 64

The password is the same for both the FTP and SSH services for the sysadmin user.
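From the defender’s side, a Hydra run like the one above leaves a very recognisable trail in sshd’s log: a burst of “Failed password” lines from one source, followed by an “Accepted” line from the same source. The detection logic below is an added example and is not part of the original writeup; the log lines are constructed for it, and the hostnames, usernames, addresses and the threshold of 3 are assumptions.

```shell
#!/bin/sh
# Added example: spot the SSH brute-force pattern in sshd log lines.
# The log below is constructed for this example; host names, users and
# addresses are assumptions, not data from the box.
SAMPLE_AUTH_LOG='Jan 10 10:00:01 target sshd[1201]: Failed password for sysadmin from 192.168.42.10 port 50110 ssh2
Jan 10 10:00:01 target sshd[1202]: Failed password for sysadmin from 192.168.42.10 port 50112 ssh2
Jan 10 10:00:02 target sshd[1203]: Failed password for sysadmin from 192.168.42.10 port 50114 ssh2
Jan 10 10:00:02 target sshd[1204]: Failed password for invalid user admin from 192.168.42.10 port 50116 ssh2
Jan 10 10:00:05 target sshd[1210]: Accepted password for sysadmin from 192.168.42.10 port 50130 ssh2
Jan 10 10:01:00 target sshd[1300]: Failed password for eftipi from 10.0.0.5 port 40000 ssh2
Jan 10 10:02:00 target sshd[1301]: Accepted publickey for eftipi from 10.0.0.7 port 40100 ssh2'

# Shared awk helper: field_after(word) returns the token that follows the
# first occurrence of word on the current line ("from" -> source address,
# "for" -> user name). Scanning for the word instead of using a fixed
# field number keeps "invalid user X" lines parsing correctly.
AWK_HELPERS='
function field_after(word,   i) {
    for (i = 1; i <= NF; i++) if ($i == word) return $(i + 1)
    return ""
}'

# Usage: ssh_bruteforce_sources THRESHOLD "LOG_TEXT"
# Prints "count ip" for every source with at least THRESHOLD failed passwords.
ssh_bruteforce_sources() {
    printf '%s\n' "$2" | awk -v t="$1" "$AWK_HELPERS"'
        /sshd\[[0-9]+\]: Failed password for / { fails[field_after("from")]++ }
        END { for (ip in fails) if (fails[ip] >= t) print fails[ip], ip }
    ' | sort -rn
}

# Usage: ssh_bruteforce_success THRESHOLD "LOG_TEXT"
# Prints "user ip" when a source logs in successfully after THRESHOLD or
# more failures: the signature of a guessed password, the event worth
# paging on rather than just rate-limiting.
ssh_bruteforce_success() {
    printf '%s\n' "$2" | awk -v t="$1" "$AWK_HELPERS"'
        /sshd\[[0-9]+\]: Failed password for / { fails[field_after("from")]++ }
        /sshd\[[0-9]+\]: Accepted (password|publickey) for / {
            ip = field_after("from")
            if (fails[ip] >= t) print field_after("for"), ip
        }
    '
}

echo "Sources with 3+ failed passwords:"
ssh_bruteforce_sources 3 "$SAMPLE_AUTH_LOG"
echo "Successful logins after 3+ failures from the same source:"
ssh_bruteforce_success 3 "$SAMPLE_AUTH_LOG"
```

On a real host the same functions can be fed `/var/log/auth.log` or the output of `journalctl -u ssh`. The fix for what this box demonstrates is the usual one: disable password authentication in favour of keys where possible, rate-limit with something like fail2ban, and never let the FTP and SSH accounts share a password, since an anonymous FTP hint then becomes a shell.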

Boom, the flag is in sysadmin’s home directory.
It’s the perfect time to become root.
Get Ayush Shah’s stories in your inbox
I’ll show you 2 methods of getting root.
1st Method to become root
Let’s run linpeas.

At the very beginning, linpeas highlighted LXD.
After doing some research on LXD and its exploitation, I found one exploit-db page.

Read those 4 steps and build Alpine on your attacker machine. After building Alpine, download that bash script and transfer both to the target machine.

It’s the perfect time to escalate our privileges. Run that bash script and pass the Alpine image file name as the parameter.
bash root.sh -f alpine-v3.17-x86_64-20221129_1829.tar.gz

Hurray! We are root.
One important thing to mention: when you do root privesc with LXD containers, double-check that the host’s main file system is mounted at /mnt/root inside the container.
2nd Method to become root
Let’s begin with the second method to become root. When I cat /etc/passwd, I noticed there was one more user, Eftipi, on the box, but the Eftipi user doesn’t have a home directory.
I started brute-forcing against that user as well and successfully got the password for Eftipi.

Let’s get into the box again as the eftipi user. I ran linpeas again to automate my search.

This /etc/update-motd.d/00-header looks interesting, so I googled its privesc. I used the following commands.
cd /etc/update-motd.d/
echo "cp /bin/bash /tmp/bash && chmod u+s /tmp/bash" >> 00-header
All you have to do is log in to the box again with SSH.
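Both methods above rely on host misconfigurations that a defender can find with a few lines of shell: an ordinary user in the lxd group, and a script under /etc/update-motd.d that a non-root user can modify (pam_motd runs those scripts as root on every SSH login, which is why a second login is all it takes). The audit below is an added example, not part of the original writeup and not linpeas output; the sample tree it builds (a group file, two motd scripts and a planted setuid file) is constructed, and the paths and file names are assumptions.

```shell
#!/bin/sh
# Added example: audit a host for the two weaknesses this box relies on.
#   1. non-root users in the lxd group (LXD container -> host root)
#   2. /etc/update-motd.d scripts writable by group/others, plus the
#      setuid shell copy such a script typically drops into /tmp.
# The sample tree and every file name in it are constructed for the example.

# Usage: lxd_group_members GROUP_FILE -> comma-separated members of lxd.
# Anything other than an empty list deserves a review.
lxd_group_members() {
    awk -F: '$1 == "lxd" { print $4 }' "$1"
}

# Usage: writable_motd_scripts DIR -> files writable by group or others.
# Each script under DIR runs as root at login, so a loose write bit
# hands root to whoever can edit the file.
writable_motd_scripts() {
    find "$1" -type f \( -perm -0002 -o -perm -0020 \) | sort
}

# Usage: setuid_in_dir DIR -> setuid regular files below DIR.
# Nothing setuid belongs under /tmp; a hit there is an indicator of the
# "cp /bin/bash /tmp/bash && chmod u+s" trick having already run.
setuid_in_dir() {
    find "$1" -type f -perm -4000 | sort
}

# Build a constructed sample tree so the checks run offline.
# Prints the directory it created; callers remove it when done.
make_sample_tree() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/motd-audit.XXXXXX")
    mkdir -p "$d/motd" "$d/tmp"
    printf 'root:x:0:\nlxd:x:108:sysadmin\nsudo:x:27:\n' > "$d/group"
    printf '#!/bin/sh\nuname -a\n' > "$d/motd/00-header"
    chmod 0755 "$d/motd/00-header"      # correct: only the owner can write
    printf '#!/bin/sh\necho hi\n' > "$d/motd/10-sample"
    chmod 0777 "$d/motd/10-sample"      # weak: anyone can append to it
    : > "$d/tmp/bash"
    chmod 4755 "$d/tmp/bash"            # planted setuid copy
    : > "$d/tmp/notes"
    chmod 0644 "$d/tmp/notes"           # harmless file, must not be flagged
    printf '%s\n' "$d"
}

# Run all three checks against one tree. On a real host, pass /etc/group,
# /etc/update-motd.d and /tmp to the three functions directly.
audit_tree() {
    echo "lxd group members:   $(lxd_group_members "$1/group")"
    echo "writable motd files: $(writable_motd_scripts "$1/motd")"
    echo "setuid files:        $(setuid_in_dir "$1/tmp")"
}

SAMPLE=$(make_sample_tree)
audit_tree "$SAMPLE"
rm -rf "$SAMPLE"
```

The remediation matches the findings one for one: remove interactive users from the lxd group (or do not install LXD on hosts that don’t need it), keep everything in /etc/update-motd.d root-owned with mode 0755, and keep a baseline of setuid files so a new one under /tmp stands out.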

Damn, I really enjoyed this box.
Thank you for reading.
Happy Hacking!