Vulnhub - Silky CTF 0x01


Today, we are going to pwn Silky CTF: 0x01 from Vulnhub.

Methodology

  • Host Discovery
  • Nmap Scan of the machine
  • Checking for disallowed entry in robots.txt
  • Password recovery
  • SSH bruteforce of user silky
  • Privilege Escalation

Host Discovery

Running nmap -sn 192.168.43.0/24 quickly gives the list of live hosts, from which we can pick out the IP of our Silky machine.

Nmap

Starting with nmap, we run nmap -sV -sC -A 192.168.43.232. This command is very useful, as it provides a good amount of information about our host.

HTTP Enumeration

So, from the nmap result above, we can see that there's a note.txt on the server. Accessing that page gives German text, which translates to:

I absolutely have to remove the password from the page, after all, the last 2 characters are missing. But still.

Hmm, I didn't see any password. So I ran dirb, but no luck. So I went to examine the index page, and from the source we can see that there is a JavaScript file, so I checked it and found the first five characters of the password. Now we need to guess 2 more characters.

Password Recovery and SSH bruteforce

Generating Custom Passwords

So, one useful tool here is crunch, available on Kali Linux, so I used it to make a password file.


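crunch 7 7 -t 's1lKy^%' > pass.txt

Command Explanation

7 7 - Since we know that the password is 7 characters long, we use this to set both the minimum and the maximum length to 7 characters.
-t - This tells crunch to treat s1lKy^% as a pattern: the known characters stay fixed and only the placeholders vary.
^% - This is used to specify that the second-to-last character is a symbol and the last one is a digit.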

SSH Bruteforce

So, whenever it comes to brute forcing, hydra comes to the rescue.


hydra -l silky -P pass.txt 192.168.43.232 ssh

Privilege Escalation

So, running our usual find / -perm -u=s -type f 2>/dev/null gives an interesting binary executable file named sky.

So, running strings /usr/bin/sky reveals some information on how the binary works.

Spawning root shell by exploiting PATH variable

Since we know it is using whoami, I did the following:


cd /tmp
echo "/bin/sh" > whoami
chmod 777 whoami
export PATH=/tmp:$PATH
sky

Kaboom, we’re root now.
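
The escalation above depends on a set-uid binary invoking whoami by name, which leaves the lookup to the caller's PATH. The following C is an added example, not part of the original post and not the source of sky (which the page does not show); it contrasts that assumed pattern with a hardened one. The names run_unsafe and run_hardened and the /usr/bin/whoami path are assumptions.

```c
#include <errno.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed vulnerable pattern, shown for contrast only: the command name is
 * resolved through the caller's PATH while the elevated euid is still held. */
int run_unsafe(void) {
    return system("whoami");
}

/* Hardened pattern: absolute path only, privileges dropped before exec,
 * and a fixed environment so nothing is inherited from the caller.
 * Returns the child's exit status, or -1 on error. */
int run_hardened(const char *abs_path, char *const argv[]) {
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };

    if (abs_path == NULL || abs_path[0] != '/') {
        errno = EINVAL;
        return -1;              /* refuse anything PATH would have to resolve */
    }
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Drop group first, then user, back to the real ids. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(126);
        execve(abs_path, argv, clean_env);  /* execve never searches PATH */
        _exit(127);                         /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Assumed location of whoami; adjust for the target distribution. */
    char *const argv[] = { "whoami", NULL };
    return run_hardened("/usr/bin/whoami", argv);
}
```

With this pattern, a whoami file planted in /tmp is never consulted, and even a replaced target would run with the caller's own ids rather than root's.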

This was an easy Vulnhub machine and a great way to learn about generating custom passwords using crunch.


Author: D4mianwayne
Reprint policy: Unless otherwise stated, all articles in this blog are licensed under CC BY 4.0. If reproduced, please credit the source, D4mianwayne!