VulnHub’s Unknowndevice64:A Walkthrough

Unknown64 is a Linux machine, created by unknowndevice64, hosted on VulnHub

Let’s start exploring this box

Reconnaissance

netdiscover the IP
IP-192.168.43.149
Nmap Scan on the target gives us:-

Only Elite service is open
Elite-A term given by hackers

Heading to http://192.168.43.149:1337,we found that it hosts a website

We downloaded the key gif file. Running exiftool did not help

Running dirb on http:31337 did not give any results
Well, we are not able to see the red text

We saw a file named key_is_h1dd3n.jpg.I assumed that it was the image we downloaded earlier.

Let us try it as a directory path. We get an image:-

There is no page source for this
Downloaded the image and ran an exiftool scan.No dice.

Enumeration

Tool to be used-steghide. Steghide tries to find hidden data inside text documents and images

Command-steghide extract -sf <Filename>key_is_h1dd3n.jpg
It asks for a passphrase-We enter ‘h1dd3n’

It extracts a file named h1dd3n.txt-Catting the file gave:-

This pattern is a brainfuck encoded string
We want to convert it to cleartext. We use this site-splitbrain.org/services/ook

Upon converting the sequence to cleartext, we get

It seems to be the credentials for ssh

Gaining and maintaining access

We login via ssh, with port 1337(-p 1337)
Password-1M!#64@ud

We tried sudo su, retrieving the bash history of users. These did not yield anything.

Step-Go to vi editor.Exit it by
Command-:!/bin/bash.

This was a restrictive shell, not allowing us to execute normal commands.
We get bash shell bash4.4

We need to export “/bin/bash” as SHELL environment and /usr/bin as a path variable

Commands-export SHELL=/usr/bin:$SHELL
export PATH=/bin/bash:$PATH

Upon typing command-sudo -l, we get that user64 can run usr/bin/sysud64.
Upon running it, we get:-

Tip-Gain more information about this file/process
Command-sudo sysud64 -h |less

It seems to be a version for starce command

Knowledge Nugget
Strace command-Useful for troubleshooting problems,in CLI,in Linux.It captures all system calls made by processes and signals recieved by processes

Privilege Escalation

Since sysud64 can be run as a root user and is running the strace command, we can spawn a root shell, using sysud64

Command-sudo sysud64 -o /dev/null /bin/sh

We go to the root folder and gain the flags

Reporting

Well, you have it now!

What I learned:-

• Brainfuck obfuscation
• Usage of Steghide tool

Conclusion:-

• This is a machine of medium difficulty

Thanks for reading this blog entry and making it till here. Until then, there must be some vulnerable boxes, for me to pwn out there……

References:-
https://hackingresources.com/unknowndevice64-vulnhub-walkthrough/