Vulnhub-Walkthrough: Shenron-1
Author: Nitunga Baptiste Billy
Designer: Shubham mandloi
Series: shenron
Difficulty: Medium(ish…;)
Step 0: Introduction
Hey everyone! Today, we’re kicking off a new series with a machine called Shenron. I have to admit, I was a little unsure at first about whether I’d be able to crack this one since it was rated “medium.” But in the end, I pulled it off! Let’s jump in, and I’ll walk you through how I did it.
Step 1: Enumeration
. First, we look for the target machine on our local network using netdiscover.
netdiscover -r 192.168.4.0/24
. Now that we have the target’s IP address (192.168.4.35), we can go further with the enumeration.
. Port scanning using nmap
nmap -sC -sV 192.168.4.35
. Let’s check out the web page on port 80.
I inspected the page source (Ctrl+U) but found nothing. Let’s see if we have more luck with directory enumeration.
. Directory enumeration using gobuster
gobuster dir -u http://192.168.4.35 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,html,php
I see two interesting directories here: joomla and test.
In the test directory, there is an interesting file called password.
Nothing at first, but upon inspection (Ctrl+I) we can see some credentials.
These are probably the credentials for the Joomla page. Let’s try them out.
. I decided to use joomscan to enumerate Joomla using the command:
joomscan -u 192.168.4.35/joomla
Let’s visit the /administrator page and enter the credentials we got earlier.
After hitting the Log in button, we get access to the administrator panel.
Step 3: Foothold
Having access to the control panel, we are going to look for a way to get a shell back to our attacker machine. We will do that by checking the templates to see whether we can edit their content and replace it with our reverse shell code.
- Click on Extensions at the top > Templates > Templates
- We can use either of the two. I chose to use Beez3.
- Select index.php and paste the pentestmonkey PHP reverse shell into it.
- After that, on our attacker machine we start a netcat listener.
nc -lvnp 9001
Note: the IP address in the reverse shell must be our attacker machine’s, and the port must match the one netcat is listening on.
. To launch the reverse shell, we click on the Template Preview button at the top. The netcat listener must be running before we click that button.
Step 4: Gaining Access
. We get a low-privilege user shell.
. To get a more interactive shell, run the following commands:
python3 -c 'import pty;pty.spawn("/bin/bash")'
Ctrl+Z
stty raw -echo; fg
export TERM=xterm-256color
stty rows 84 columns 320
Run them one after the other; the rows and columns values passed to stty should match the size of your own terminal.
. I looked for binaries with the SUID bit set, capabilities, weak file permissions and kernel exploits, but in vain.
Step 5: Privilege Escalation 1
. To get more privileges, I decided to head over to /etc/www/html/joomla to see if there was anything interesting there.
There was a file named configuration.php. I read it and got some credentials (jenny:Mypa$$wordi$notharD@123).
I switch to user jenny.
su jenny
I head to /home/jenny to see if there are any flags there, but there are none.
I try sudo -l to see whether jenny is allowed to run any commands with sudo.
Jenny is allowed to run the cp command as user shenron.
Step 6: Privilege Escalation 2
. We have to find a way to use the cp binary to log in as user shenron.
. Since we can copy files as user shenron, we can use that to copy our own SSH public key into the /home/shenron/.ssh directory. To do that I will use ssh-keygen to generate my SSH key pair.
ssh-keygen -t rsa -f authorized_keys
This produces the private key authorized_keys and the public key authorized_keys.pub. I copy the content of the authorized_keys.pub file. In the /tmp directory of the target machine, I create a file called authorized_keys and paste in the content.
I then copy the key into /home/shenron/.ssh as the user shenron:
sudo -u shenron /usr/bin/cp authorized_keys /home/shenron/.ssh/auth
Back on our attacker machine, we ssh into shenron using our private key.
ssh -i authorized_keys shenron@192.168.4.35
After listing the directory, we get our first flag.
Let’s see which sudo commands the user shenron can run by typing sudo -l. We are prompted for shenron’s password, which we don’t have yet.
I transfer linpeas.sh from my attacker machine to help with the recon.
After running linpeas.sh, we get an interesting hint in the "Interesting files writable by everyone" section, at the bottom: /var/opt/password.txt.
Now that we have shenron’s password, let’s see what they can do with sudo using sudo -l.
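The world-writable password file that linpeas surfaced is the kind of thing an administrator should catch before an attacker does. The script below is an added example for this walkthrough, not part of the original post or of linpeas: it walks a directory tree, reports every regular file with the world-writable bit set, and separates out those whose path hints at credentials. The sample tree it builds (a password.txt under var/opt, a scratch log, a locked-down config.ini) is constructed in a temporary directory so the script runs offline; the SENSITIVE_HINTS list is an assumed starting point, not a complete one.

```python
import os
import stat
import tempfile

# Path substrings that make a world-writable file worth a closer look.
# Constructed list for this example; extend it for a real audit.
SENSITIVE_HINTS = ("password", "passwd", "secret", "shadow", "credential", ".ssh")


def find_world_writable(root):
    """Walk root and return (path, mode) for every regular file writable by everyone."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable entry; skip it
            if not stat.S_ISREG(st.st_mode):
                continue  # ignore symlinks, sockets and device nodes
            if st.st_mode & stat.S_IWOTH:
                hits.append((path, stat.S_IMODE(st.st_mode)))
    return hits


def triage(hits):
    """Split findings into (sensitive, other) based on the path name."""
    sensitive, other = [], []
    for path, mode in hits:
        lower = path.lower()
        bucket = sensitive if any(h in lower for h in SENSITIVE_HINTS) else other
        bucket.append((path, mode))
    return sensitive, other


def build_sample_tree():
    """Constructed stand-in for the target filesystem: one world-writable
    password file like the walkthrough's /var/opt/password.txt, one harmless
    world-writable scratch file, and one correctly restricted file."""
    root = tempfile.mkdtemp(prefix="wwaudit-")
    os.makedirs(os.path.join(root, "var", "opt"))
    os.makedirs(os.path.join(root, "tmp"))
    layout = {
        os.path.join("var", "opt", "password.txt"): 0o666,
        os.path.join("tmp", "scratch.log"): 0o666,
        os.path.join("var", "opt", "config.ini"): 0o640,
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("sample content\n")  # constructed placeholder, not real data
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    sensitive, other = triage(find_world_writable(sample_root))
    for path, mode in sensitive:
        print(f"REVIEW  {path} ({mode:o})")
    for path, mode in other:
        print(f"info    {path} ({mode:o})")
```

Pointed at a real root such as /var or /etc, the "REVIEW" lines are the ones to fix first; a world-writable file whose name suggests a credential is a misconfiguration regardless of what it currently contains.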
Step 7: Privilege Escalation 3
According to GTFOBins, I can use apt to escalate privileges to root.
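Both privilege escalations on this box (jenny running cp as shenron in Step 5, shenron running apt as root here) come from sudo rules that hand out a binary GTFOBins lists as a file-write or shell-escape primitive. The script below is an added example, not code from the walkthrough or from GTFOBins: it parses simple sudoers-style rule lines and flags any that grant ALL or one of those binaries. The SAMPLE_SUDOERS text is constructed to mirror the two rules from this machine plus a benign one, and RISKY_SUDO_BINARIES is an assumed short subset of the GTFOBins sudo list; the regex handles the common "user host=(runas) [TAG:] command" form and deliberately skips aliases and includes.

```python
import os
import re

# Binaries GTFOBins documents as able to write arbitrary files or break out to a
# shell when permitted through sudo. Constructed short subset for this example;
# a real audit would load the full GTFOBins "sudo" list.
RISKY_SUDO_BINARIES = {"cp", "apt", "apt-get", "vim", "find", "less", "python3", "bash"}

# Constructed sudoers-style rules mirroring the walkthrough's two misconfigurations
# (jenny may run cp as shenron; shenron may run apt as root) plus a benign rule.
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
jenny   ALL=(shenron) NOPASSWD: /usr/bin/cp
shenron ALL=(ALL) /usr/bin/apt
alice   ALL=(ALL) /usr/bin/systemctl restart nginx
"""

# user host=(runas[:group]) [TAG: ...] command[, command ...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Return one dict per (user, runas, command) triple found in a sudoers text."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # aliases, @include lines and other directives are out of scope
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            rules.append({
                "user": m.group("user"),
                "runas": m.group("runas").split(":")[0],  # drop the optional group part
                "cmd": cmd.strip(),
                "nopasswd": nopasswd,
            })
    return rules


def find_risky_rules(rules):
    """Flag rules whose command is ALL (for non-root users) or a known escape binary."""
    findings = []
    for r in rules:
        cmd = r["cmd"]
        if cmd == "ALL":
            if r["user"] == "root":
                continue  # root having ALL is the expected baseline
            reason = "unrestricted ALL"
        else:
            binary = os.path.basename(cmd.split()[0])
            if binary not in RISKY_SUDO_BINARIES:
                continue
            reason = f"{binary} can write files or spawn a shell when run via sudo"
        findings.append({**r, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_risky_rules(parse_sudoers(SAMPLE_SUDOERS)):
        tag = " (NOPASSWD)" if f["nopasswd"] else ""
        print(f"{f['user']} -> {f['runas']}: {f['cmd']}{tag}: {f['reason']}")
```

On the sample rules it reports the jenny/cp and shenron/apt entries and stays quiet about the scoped systemctl rule, which is the distinction a reviewer of sudoers changes wants: a rule that lets a user run one fixed, non-interactive command is fine, while a rule that grants a binary able to write arbitrary paths or drop to a shell is equivalent to granting the run-as user outright.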
Conclusion
This machine was a real challenge, but I eventually managed to get root access. I tried using SSH key manipulation for the first time to gain shell access, and it turned out to be a great learning experience. Adding this new technique to my approach really broadened my skill set, and I’m excited to keep building on what I’ve learned here. Thanks for reading my walkthrough, see you on the next machine….Ciaao!!