Unknowndevice64:1 vulnhub walkthrough
Hello friends. Today I will share another writeup for a Vulnhub vulnerable machine. The selected target is unknowndevice64. You can download it from the following link: https://download.vulnhub.com/unknowndevice64/unknowndevice64-V1.0.ova
In this article you will learn the following:
- Using nmap to find open ports & running services.
- How to extract hidden files from images using the steghide tool.
- How to convert Brainfuck code to readable text.
- How to bypass a restricted shell using the vi editor.
- Privilege escalation using the strace command.
After downloading the OVA file and importing it into my virtualization software, I powered on the VM and started hacking it. The first thing to do is to get the IP address of the target machine. So, I performed a ping scan on the whole subnet using nmap and found that the IP address is 10.0.2.17.
After that, I performed a full port/service scan on my target using nmap and found that there are only two open ports (SSH on port 1337 & HTTP on port 31337).
So, I started enumerating the HTTP port by browsing it using Firefox. I found that it contains an HTML page.
Viewing the HTML source code of this page, I found something interesting: an image named key_is_h1dd3n.jpg referenced inside a comment.
After downloading the image and running the steghide tool with the passphrase h1dd3n, I found a hidden file inside it. The content of this extracted file is code written in Brainfuck, which is the most famous esoteric programming language.
There are many websites we can use to convert Brainfuck code to readable text. After using one of them, I got a username and password pair as follows:
So, I used them to log in to the server using SSH on port 1337. After logging in to the server, I found that I was restricted from running some commands on the system, so I knew that I was in a restricted shell. I had to bypass it to get access to the full set of commands.
One way is using the vi editor as follows:
What I did was type “:!/bin/bash” in the vi editor and hit the Enter key to get full access to the shell and bypass the jail (restricted shell).
After that, I tried running some commands (ls, uname, … etc.) but I got an error message telling me “command not found”. So, I checked the PATH variable, which specifies the set of directories where executable programs are located. I found that the directories where the Linux command binaries are located (/bin and /usr/bin) were not in it. So, I added them to the PATH variable.
Then, I checked which commands this user (ud64) can run as root without using the root password. I found that this user can run the sysud64 command. So, what actually is this command?
By running this command, I found that it is a compiled version of the strace command.
So, since this command runs as the root user and is a compiled version of the strace command, we can use it to get a root shell by simply providing the /bin/bash command as input to the tool.
At last, I could read the flag.txt file, which is located in the /root directory.
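From the defender's side, the sudo rule above is the root cause: a tool that can launch other programs was allowed under a different name. The following audit sketch is an added example, not part of the original writeup; the `sudo -l` text, the sandbox paths and the reference directory of known tools are all constructed assumptions.

```bash
# Added example (not from the original post): audit `sudo -l` output for
# binaries that are renamed copies of tools able to run other programs.

# Tools that can execute arbitrary programs (assumed, non-exhaustive list).
RISKY_TOOLS="strace vi vim less find awk"
file_hash() { sha256sum "$1" | cut -d' ' -f1; }

# sudo_commands: read `sudo -l` output on stdin, print one command path per line.
sudo_commands() {
    sed -n 's/^ *([^)]*) *\(NOPASSWD: *\)\{0,1\}//p' | tr ',' '\n' |
        awk '{print $1}' | grep '^/'
}

# audit_paths <reference_dir>: read paths on stdin, report name or SHA-256 matches.
audit_paths() {
    local ref=$1 bin tool
    while IFS= read -r bin; do
        [ -f "$bin" ] || continue
        for tool in $RISKY_TOOLS; do
            if [ "$(basename "$bin")" = "$tool" ]; then
                echo "$bin: is $tool"
            elif [ -f "$ref/$tool" ] &&
                 [ "$(file_hash "$bin")" = "$(file_hash "$ref/$tool")" ]; then
                echo "$bin: renamed copy of $tool"
            fi
        done
    done
}

# Constructed sandbox: a stand-in "strace" plus a renamed copy of it.
make_demo() {
    local d; d=$(mktemp -d)
    mkdir -p "$d/ref" "$d/bin"
    echo 'constructed strace stand-in' > "$d/ref/strace"
    cp "$d/ref/strace" "$d/bin/sysud64"
    echo 'constructed harmless tool' > "$d/bin/backup"
    echo "$d"
}

demo_report() {
    local d; d=$(make_demo)
    # Constructed `sudo -l` output; the paths point into the sandbox.
    printf '%s\n' "User ud64 may run the following commands on host:" \
        "    (root) NOPASSWD: $d/bin/sysud64, $d/bin/backup" |
        sudo_commands | audit_paths "$d/ref" | sed "s|$d||"
    rm -rf "$d"
}

demo_report
```

A hash match only catches byte-identical copies; a separately compiled binary needs a version-string or behavioural check instead.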
Actually, this VM is CTF style and not a real-world scenario. But I hope that you will learn something new from it.
I hope you enjoyed it and learned something new in the pen-testing field. If you have any questions or comments, please write them down in the comments and wait for the next writeup 😀