
Unknowndevice64:1 vulnhub walkthrough


Hello friends. Today I will share with you another writeup for a Vulnhub vulnerable machine. The selected target is unknowndevice64, which you can download from the following link: https://download.vulnhub.com/unknowndevice64/unknowndevice64-V1.0.ova

In this article you will learn the following:

  • Using nmap to find open ports and running services.
  • How to extract hidden files from images using the steghide tool.
  • How to convert Brainfuck code to readable text.
  • How to bypass a restricted shell using the vi editor.
  • Privilege escalation using the strace command.

After downloading and importing the OVA file into my virtualization software, I powered on the VM and started hacking it. The first thing to do is to get the IP address of the target machine, so I performed a ping scan on the whole subnet using nmap and found that the IP address is 10.0.2.17.

After that, I performed a full port/service scan on my target using nmap and found only two open ports: SSH on port 1337 and HTTP on port 31337.

So, I started enumerating the HTTP port by browsing to it with Firefox and found that it serves an HTML page.

Viewing the HTML source of this page, I found something interesting: an image named key_is_h1dd3n.jpg referenced inside a comment.

I downloaded the image and ran the steghide tool on it with the passphrase h1dd3n, which revealed a hidden file inside it. The content of this extracted file is code written in Brainfuck, the most famous esoteric programming language.

There are many websites that can convert Brainfuck code to readable text. After using one of them, I got a username and password pair.
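If you prefer not to paste an unknown payload into a website, the conversion is easy to do offline. The following Brainfuck interpreter is an added example, not code from the original writeup; the program it runs is a constructed sample that prints "Hi", not the file hidden in the VM's image.

```python
def _match_brackets(code):
    """Map each [ to its ] and back; reject unbalanced programs."""
    stack, pairs = [], {}
    for i, ch in enumerate(code):
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {i}")
            pairs[i] = stack.pop()
            pairs[pairs[i]] = i
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")
    return pairs

def run_brainfuck(code, max_steps=1_000_000):
    """Run Brainfuck: 8-bit wrapping cells, right-growing tape, step cap."""
    code = "".join(ch for ch in code if ch in "<>+-.,[]")  # drop comments
    jumps = _match_brackets(code)
    tape, ptr, pc, out, steps = [0], 0, 0, [], 0
    while pc < len(code):
        steps += 1
        if steps > max_steps:  # an untrusted payload must not hang us
            raise RuntimeError("step limit exceeded")
        ch = code[pc]
        if ch == ">":
            ptr += 1
            if ptr == len(tape):
                tape.append(0)
        elif ch == "<":
            if ptr == 0:
                raise IndexError("pointer moved left of cell 0")
            ptr -= 1
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif ch == ".":
            out.append(chr(tape[ptr]))
        elif ch == ",":
            tape[ptr] = 0  # no stdin wired up: read as EOF (0)
        elif ch == "[" and tape[ptr] == 0:
            pc = jumps[pc]
        elif ch == "]" and tape[ptr] != 0:
            pc = jumps[pc]
        pc += 1
    return "".join(out)

# Constructed sample (not the VM's file): 8*9=72 'H', +33=105 'i', 10 -> newline
SAMPLE_BF = "++++++++[>+++++++++<-]>." + "+" * 33 + "." + ">" + "+" * 10 + "."
```

Save the extracted file's content to a string and pass it to run_brainfuck() to get the decoded text.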

So, I used them to log in to the server over SSH on port 1337. After logging in, I found that I was restricted from running some commands, so I knew I was in a restricted shell and had to bypass it to get full command access.

One way is to use the vi editor, as follows:

What I did was type “:!/bin/bash” in the vi editor and hit the Enter key to get full access to the shell and escape the jail (restricted shell).

After that, I tried running some commands (ls, uname, etc.) but got an error message telling me “command not found”. So, I checked the PATH variable, which specifies the set of directories where executable programs are located, and found that the directories holding the Linux command binaries (/bin and /usr/bin) were not in it. So, I added them to the PATH variable.

Then, I checked which commands this user (ud64) can run as root without the root password. I found that this user can run the sysud64 command. So, what actually is this command?

By running it, I found that it is a compiled version of the strace command.

So, since this command runs as the root user and is a compiled version of strace, we can use it to get a root shell by simply providing /bin/bash as the program for the tool to trace.

At last, I could read the flag.txt file located in the /root directory.

Actually, this VM is CTF-style and not a real-world scenario, but I hope you will learn something new from it.

I hope you enjoyed it and learned something new in the pen-testing field. If you have any questions or comments, please write them down in the comments section and wait for the next writeup 😀

Mohammed Khreesha

I'm a Computer Engineer with 13 years of experience in Computer and Information Technology fields, especially in the Info-sec field. Also, I have 13 years of experience as a freelance instructor in Ethical Hacking, Secure Web Development, Penetration Testing and Security Awareness. I have the following certificates: CEH, CHFI, ECSA, LPT Master, & ISO 27001 LI. #Co-Founder of Technawi[dot]net blog March 2014. #Founder of Jordan Info-sec Days periodic events August 2015, February 2016. #Founder of Jordan Info-sec CTF hacking competition April 2017, March 2018, & November 2018.
