VulnHub’s Unknowndevice64:A Walkthrough
Unknown64 is a Linux machine, created by unknowndevice64, hosted on VulnHub
Let’s start exploring this box
netdiscover the IP
Nmap Scan on the target gives us:-
Only Elite service is open
Elite-A term given by hackers
Heading to http://192.168.43.149:1337,we found that it hosts a website
We downloaded the key gif file. Running exiftool did not help
Running dirb on http:31337 did not give any results
Well, we are not able to see the red text
We saw a file named key_is_h1dd3n.jpg.I assumed that it was the image we downloaded earlier.
Let us try it as a directory path. We get an image:-
There is no page source for this
Downloaded the image and ran an exiftool scan.No dice.
Tool to be used-steghide. Steghide tries to find hidden data inside text documents and images
Command-steghide extract -sf <Filename>key_is_h1dd3n.jpg
It asks for a passphrase-We enter ‘h1dd3n’
It extracts a file named h1dd3n.txt-Catting the file gave:-
This pattern is a brainfuck encoded string
We want to convert it to cleartext. We use this site-splitbrain.org/services/ook
Upon converting the sequence to cleartext, we get
It seems to be the credentials for ssh
Gaining and maintaining access
We login via ssh, with port 1337(-p 1337)
We tried sudo su, retrieving the bash history of users. These did not yield anything.
Step-Go to vi editor.Exit it by
This was a restrictive shell, not allowing us to execute normal commands.
We get bash shell bash4.4
We need to export “/bin/bash” as SHELL environment and /usr/bin as a path variable
Upon typing command-sudo -l, we get that user64 can run usr/bin/sysud64.
Upon running it, we get:-
Tip-Gain more information about this file/process
Command-sudo sysud64 -h |less
It seems to be a version for starce command
Strace command-Useful for troubleshooting problems,in CLI,in Linux.It captures all system calls made by processes and signals recieved by processes
Since sysud64 can be run as a root user and is running the strace command, we can spawn a root shell, using sysud64
Command-sudo sysud64 -o /dev/null /bin/sh
We go to the root folder and gain the flags
Well, you have it now!
What I learned:-
- Brainfuck obfuscation
- Usage of Steghide tool
- This is a machine of medium difficulty
Thanks for reading this blog entry and making it till here. Until then, there must be some vulnerable boxes, for me to pwn out there……