
Easy Boot2root vulnhub machine: Sputnik walkthrough ಠ_ಠ (day 100)

Hi guys, in this post I will show you the walkthrough of the vulnhub machine called Sputnik. The difference between my post and the others is that I will show you how I approach this challenge and the thought process behind it. I personally recommend this machine to beginners who are in the middle of OSCP training, since it will give you a sense of how to spot a rabbit hole that could waste a lot of time in your exam.


Setting up the machine:

I will use VirtualBox as my virtual machine of choice, but it's up to you; if you have VMware on your computer you can use that as well.

You can download the image from the official website: https://www.vulnhub.com/entry/sputnik-1,301/

The setup is pretty straightforward: all you have to do is import the .ova file and you are good to go.

Reconnaissance:

Like every hacker before commencing an attack, we will start by identifying the machine and gathering enough information about it.

The only tool I used here is NMAP.

First, we need to identify the machine's IP address. We can use the "-sn" flag in nmap to do a ping sweep and find out which machines in our network are online.


Notice that my machine has the IP address 192.168.1.8 and the Sputnik machine has the IP address 192.168.1.7.

Let's continue by identifying how many services the machine hosts and what they are; again I will use nmap for the task.

 
 
Because we are not worried about getting caught, we can just let loose and do an aggressive scan of all the ports of the machine.
 
Use "-A" for aggressive scanning, which includes OS detection, version detection, script scanning, and traceroute; "-T5" to set the scan speed to the highest, since we don't want to waste our time; and finally "-p-" to instruct nmap to scan all ports from 1-65535.
 
 
The result shows that the machine has 4 open ports (8089, 8191, 55555 and 61337); however, a newcomer might feel a bit overwhelmed by the details.
 

Port 8089:

Let's start by going to the first open port (8089). Notice that nmap points out that it detected an SSL cert, which means this port enforces HTTPS. Thus, we need to put the "https://" prefix when visiting the port. If you try to visit the service in your browser you will encounter a warning, but you don't need to worry: just choose "Advanced" > "Accept the risk and continue".


After you are done with the cert warning as in the figure above, you will see a website like the figure below. I also provide the response that each page returns when you visit it.



Unfortunately none of these pages have anything interesting: the RPC page always returns "invalid request", the services/NS page is protected with basic HTTP authentication (I tried common Splunk credentials such as admin:admin and admin:changeme, but they didn't work), and the static page always leads to a 404.

I did one last check for hidden pages on port 8089 using dirsearch, but it didn't show anything useful. Thus, we can conclude that this is a rabbit hole and you don't have to spend any more time on this port.


Port 8191:

 
 
Same as the previous port, port 8191 doesn't give us much of a lead to obtain access to the machine. Splunk uses MongoDB to facilitate certain internal functionality like the KV store, but in order to access the DB you need credentials; since we don't have them, we can be pretty sure we hit a rabbit hole again.

Port 55555:

Now this is where things get really interesting. Notice in the nmap result that the port hosts a flappy bird game, but it also contains an exposed .git repo. Exposing .git to outsiders is pretty dangerous, since anyone with access to the website can obtain the original source code of the website.


There are a lot of files contained in .git, but here are some interesting files that you should pay attention to:
  • https://example.com/.git/config => configuration of the git repo
  • https://example.com/.git/HEAD => the HEAD in Git is the pointer to the current branch reference
  • https://example.com/.git/logs/HEAD
  • https://example.com/.git/index => the index is a binary file (generally kept in .git/index) containing a sorted list of path names, each with permissions and the SHA1 of a blob object
Of the four files mentioned, "logs/HEAD" is the one that contains content interesting to us.
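As an added example (not code from the original post), here is a small Python parser for the two files singled out above, .git/logs/HEAD (the reflog) and .git/config, showing what a leaked repository reveals: committer identities, the upstream remote, and commit messages worth reviewing first. The sample file contents are constructed, not the machine's real files.

```python
import re
from collections import namedtuple

ReflogEntry = namedtuple("ReflogEntry", "old new name email timestamp tz message")

# Reflog line layout: "<old-sha> <new-sha> <Name> <email> <unix-time> <tz>\t<message>"
_REFLOG_RE = re.compile(
    r"^(?P<old>[0-9a-f]{40}) (?P<new>[0-9a-f]{40}) (?P<name>.+?) <(?P<email>[^>]*)> "
    r"(?P<ts>\d+) (?P<tz>[+-]\d{4})\t(?P<msg>.*)$")

def parse_reflog(text):
    """One ReflogEntry per well-formed .git/logs/HEAD line; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _REFLOG_RE.match(line)
        if m:
            entries.append(ReflogEntry(m["old"], m["new"], m["name"], m["email"],
                                       int(m["ts"]), m["tz"], m["msg"]))
    return entries

def leaked_identities(entries):
    """Committer name/e-mail pairs the reflog exposes (what pointed the post to a GitHub account)."""
    return sorted({(e.name, e.email) for e in entries})

def sensitive_messages(entries, keywords=("password", "credential", "secret")):
    """Reflog messages to review first, e.g. a commit that mentions a password."""
    return [e.message for e in entries if any(k in e.message.lower() for k in keywords)]

def remote_urls(config_text):
    """Remote repository URLs from .git/config (the upstream repo the site was cloned from)."""
    urls, section = [], ""
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line
        elif section.startswith("[remote") and line.startswith("url"):
            urls.append(line.split("=", 1)[1].strip())
    return urls

# Constructed sample files, not the real machine's .git contents.
SAMPLE_REFLOG = (
    "0" * 40 + " " + "1" * 40 + " Dev Person <dev@example.com> 1560000000 +0000\t"
    "clone: from https://github.com/example/flappy-bird.git\n" +
    "1" * 40 + " " + "2" * 40 + " Dev Person <dev@example.com> 1560003600 +0000\t"
    "commit: add admin password to config\n")
SAMPLE_CONFIG = ('[core]\n\trepositoryformatversion = 0\n'
                 '[remote "origin"]\n\turl = https://github.com/example/flappy-bird.git\n'
                 '\tfetch = +refs/heads/*:refs/remotes/origin/*\n')
```

Running the same parser over the .git directory of your own web root is a quick way to see what an exposure would leak before deciding how urgently the directory must be blocked from the web server.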


It shows us another GitHub account; let's download it.


The GitHub repo contains the exact same source code as the website on port 55555. To get the most out of the GitHub repo, let's check the log to see if there is something useful for us.
 
 
 
You can try to analyze each commit using the "ls-tree" option of the git utility, but the one that is actually useful is the commit with hash 07fda135aae22fa7869b3de9e450ff7cacfbc717.

 
 
Cool! We just found ourselves a credential to try. I tried the credential on the last two ports we encountered; port 8089 accepts the credential, but it led me nowhere towards getting a shell on the machine.

Port 61337:

This port also hosts a Splunk service, just like port 8089.


Using the same credential we get into the admin page. With a little bit of research (https://www.exploit-db.com/exploits/46238), we know that in order to obtain access to the machine we can upload a backdoor to Splunk Enterprise.

We are going to use the script from https://www.exploit-db.com/exploits/46238. Operating the program is pretty easy, but before you can use it you have to download geckodriver to your machine and put its location into the script, like the figure below.




I extracted the binary from the .tgz file and then put it in the same directory as the script.

Now let's run the script like the figure below; before you do that, you need to open a listening port using netcat on your machine:
 


Wait a little bit and you should have a shell by now.

Privilege Escalation:

It's even easier to do privilege escalation on this machine. First, type "sudo -l", which will show you the current sudo privileges of our user.


Notice that our user is able to run a command with root privileges through "ed". Type "sudo ed" followed by "!/bin/sh" and that will drop you to a shell.

 
 
That's all, and you can get the flag.
 
I hope you enjoyed this post, and see you next time.
