VulnHub Unknowndevice64 Walkthrough

Unknowndevice64 is a relatively easy VulnHub box. It requires some obscure decoding but other than that it’s fairly simple to work through.

We start off as usual with an nmap scan: nmap -sC -sV -v 192.168.109.130 -oN map1 (default scripts, version detection, verbose, normal-format output to a file called map1). Note that without -p- this only covers nmap's default top 1000 TCP ports, which matters later.

Only one open port shows up, and it's a web server. Let's see what it is serving.

It's a cool flashlight effect. Somewhere in there I found something that looks like a possible password, so I noted it for later. For now let's look at the page source.

Now we see there’s a file and another reference to a key. Let’s look at the picture file.

OK. We have a picture file called key_is_h1dd3n.jpg, and the image itself is titled HIDDEN SECRETS. We also have a potential password of h1dd3n, which is right there in the file name. This smells like steganography. Let's download the picture and see what we can find.

To look for a hidden message we'll use a program called steghide. After reading the help output (I don't do this a lot), I settled on this command to extract the embedded data: steghide extract -p h1dd3n -sf key_is_h1dd3n.jpg (-sf is the stego file, -p the passphrase). If you want to confirm there is something embedded before guessing passphrases, steghide info key_is_h1dd3n.jpg will tell you and offer to try one.

This gave me a wonderfully obscure string (every dash in it is a plain minus sign): ++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>>+++++++++++++++++.-----------------.<----------------.--.++++++.---------.>-----------------------.<<+++.++.>+++++.--.++++++++++++.>++++++++++++++++++++++++++++++++++++++++.-----------------.

OK, so what on earth is this? It looks like garbage, but I know it's the right data because of all the hints and because the passphrase worked. So it must be encoded or written in something. Google can help with that: I put "decode" and the crazy string into a search, and the top result was quite interesting.

Yep, I'm not making this up, folks: it's Brainfuck, a real (if esoteric) programming language with just eight single-character instructions, and there are online interpreters for it. Classy …

After pasting the string into an online interpreter, the output is ud64:1M!#64@ud, which reads like a user:password pair.
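Decoding the string locally instead of pasting it into a web interpreter, as an added example that is not part of the original post: a small Brainfuck interpreter in Python, plus a helper that undoes the em and en dashes WordPress substitutes for runs of minus signs when a program like this is copied from a rendered page. The program below is transcribed from the page run by run, with the length of each run spelled out so the cell arithmetic behind every printed character is visible. The step limit, tape bounds checks and bracket validation are my own additions, not anything the box or the author used.

```python
from __future__ import annotations

# The program extracted from key_is_h1dd3n.jpg, transcribed from the page
# run by run. The opening loop runs 10 times and leaves cells 1..4 at
# 10, 30, 70 and 100; every later run is a small adjustment of one cell,
# so each printed character is simply that cell's value afterwards.
PROGRAM = "".join([
    "++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>>",  # move to cell4 (100)
    "+" * 17 + ".",        # cell4: 100 + 17 = 117 'u'
    "-" * 17 + ".",        # cell4: 117 - 17 = 100 'd'
    "<" + "-" * 16 + ".",  # cell3:  70 - 16 =  54 '6'
    "-" * 2 + ".",         # cell3:  54 -  2 =  52 '4'
    "+" * 6 + ".",         # cell3:  52 +  6 =  58 ':'
    "-" * 9 + ".",         # cell3:  58 -  9 =  49 '1'
    ">" + "-" * 23 + ".",  # cell4: 100 - 23 =  77 'M'
    "<<" + "+" * 3 + ".",  # cell2:  30 +  3 =  33 '!'
    "+" * 2 + ".",         # cell2:  33 +  2 =  35 '#'
    ">" + "+" * 5 + ".",   # cell3:  49 +  5 =  54 '6'
    "-" * 2 + ".",         # cell3:  54 -  2 =  52 '4'
    "+" * 12 + ".",        # cell3:  52 + 12 =  64 '@'
    ">" + "+" * 40 + ".",  # cell4:  77 + 40 = 117 'u'
    "-" * 17 + ".",        # cell4: 117 - 17 = 100 'd'
])

INSTRUCTIONS = set("+-<>[].,")


def normalize_dashes(text: str) -> str:
    """Undo WordPress 'smart' punctuation on a pasted Brainfuck listing.

    wptexturize rewrites '---' as an em dash (U+2014) and '--' as an en
    dash (U+2013), so a run of minus signs copied from a blog post comes
    back as em dashes followed by at most one en dash or hyphen. This
    repair must run before unknown characters are discarded: an
    interpreter that silently skips non-instruction characters would
    execute the program with most of its decrements missing.
    """
    return text.replace("\u2014", "---").replace("\u2013", "--")


def _bracket_map(code: str) -> dict[int, int]:
    """Pair every '[' with its ']' up front and reject unbalanced input."""
    pairs: dict[int, int] = {}
    stack: list[int] = []
    for i, c in enumerate(code):
        if c == "[":
            stack.append(i)
        elif c == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {i}")
            j = stack.pop()
            pairs[i], pairs[j] = j, i
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")
    return pairs


def run_brainfuck(code: str, max_steps: int = 1_000_000) -> str:
    """Run a Brainfuck program with no stdin and return what it prints.

    Cells are 8-bit and wrap, the tape is 30000 cells with bounds checks,
    and max_steps caps the instruction count so a malformed or hostile
    listing cannot spin forever.
    """
    code = "".join(c for c in code if c in INSTRUCTIONS)
    jumps = _bracket_map(code)
    tape = bytearray(30000)
    ptr = pc = steps = 0
    out: list[str] = []
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError(f"step limit of {max_steps} exceeded")
        c = code[pc]
        if c == ">":
            ptr += 1
            if ptr >= len(tape):
                raise IndexError("tape pointer ran off the right end")
        elif c == "<":
            ptr -= 1
            if ptr < 0:
                raise IndexError("tape pointer ran off the left end")
        elif c == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif c == ".":
            out.append(chr(tape[ptr]))
        elif c == ",":
            pass  # no input is wired up: treat ',' as EOF and leave the cell
        elif c == "[" and tape[ptr] == 0:
            pc = jumps[pc]
        elif c == "]" and tape[ptr] != 0:
            pc = jumps[pc]
        pc += 1
    return "".join(out)


def decode_credentials(listing: str = PROGRAM) -> tuple[str, str]:
    """Repair dashes, run the listing, and split the user:password it prints."""
    decoded = run_brainfuck(normalize_dashes(listing))
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError(f"output is not user:password: {decoded!r}")
    return user, password


if __name__ == "__main__":
    user, password = decode_credentials()
    print(f"user={user} password={password}")
```

Running it prints user=ud64 password=1M!#64@ud. The dash repair is the part worth remembering when you pull a payload like this out of a blog post rather than out of the image yourself: a run of 17 minus signs arrives as five em dashes and an en dash, and an interpreter that ignores what it does not understand would quietly run a different program.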

That's great, we have creds, but nowhere to use them yet. Let's run another nmap scan, this time against all 65535 TCP ports.

nmap -p- -sC -sV -v 192.168.109.130 -oN map2

Now we have a second open port, and it's SSH. Let's try to log in with the credentials we decoded. Since it's not on the standard port 22, we have to pass the port with -p.

Great! We’re in!! Let’s look around.

Only we can't, because we've been dropped into a restricted bash shell (rbash). ☹

Luckily we got in over SSH, and that means we can sidestep the restriction at login time.

For this we hand ssh a command to run (bash) together with the -t option, which according to the man page forces pseudo-terminal allocation, so the shell we get is a proper interactive one. sshd still executes the command through the login shell, as rbash -c bash, but rbash only refuses command names containing a slash; bash is found on PATH, and once it starts it is an ordinary, unrestricted bash. A quick confirmation that the escape worked is that cd now succeeds, since rbash refuses it.

Now that we have a real prompt, one of the first things to check is what we are allowed to run with sudo: sudo -l

Well I have no idea what this is, so I looked at the help file.

It really doesn't explain what it does, but the fact that it has a -u option to run a command as a user of my choosing is very interesting. (That option, and the noisy output we get later, look exactly like strace -u; whatever sysud64 is, sudo runs it as root, and the command it spawns inherits that.) Let's try to cat the shadow file with it.

sudo /usr/bin/sysud64 -u root cat /etc/shadow

The output was cluttered with what looks like a trace of every system call cat made, but the contents of the shadow file are in there. You could try to crack the root hash, but it's a lot easier to get a root shell: run the same command again with bash in place of cat /etc/shadow.

OK, this is truly strange output. It's hard to show here, but commands still work underneath the noise. Let's run bash once more from inside this shell and see what happens.

As we type bash, the letters show up one character at a time, interleaved with the trace output, as each read of our input is reported. Once the command runs we get a clean, normal shell, and we are root (id is the quick way to confirm uid=0).

Now let’s go for the root flag.

Awesome! And that finishes off unknowndevice64. I hope you enjoyed the walkthrough. If you want to see a video walkthrough, you can find it here.

Happy Hacking,

-R3a50n