Unknowndevice64 is a relatively easy VulnHub box. It requires some obscure decoding but other than that it’s fairly simple to work through.
We start off as usual with an nmap scan: nmap -sC -sV -v 192.168.109.130 -oN map1
We only find one port here, and it’s serving a web page. Let’s see what it is.
The page has a kind of cool flashlight effect, and hidden in it I found something that looks like a possible password. I’ll note that for later. For now let’s look at the source.
Now we see there’s a file and another reference to a key. Let’s look at the picture file.
Ok. We have a picture file called key_is_h1dd3n.jpg and the picture itself is called HIDDEN SECRETS. We also have a potential password of h1dd3n which is also in the file name. This smells like steganography to me. Let’s download the picture and see what we can find.
To look for a hidden message, we’re going to use a program called steghide. After looking at the help file, because I don’t do this a lot, I figured out this command to extract the text: steghide extract -p h1dd3n -sf key_is_h1dd3n.jpg
This provided me with some wonderfully obscure text: ++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>>+++++++++++++++++.-----------------.<----------------.--.++++++.---------.>-----------------------.<<+++.++.>+++++.--.++++++++++++.>++++++++++++++++++++++++++++++++++++++++.-----------------.
Ok so what the heck is this? It kind of looks like garbage, but I know it’s right because of all the hints and the fact that the password works. So maybe it’s encoded in some way? Google can help with that. I put decode and the crazy string into Google search and the top result was quite interesting.
Yep I’m not making this up folks. This apparently is a thing. Classy …
After pasting the string into the interpreter, the output is ud64:1M!#64@ud
That’s great, we have creds … but nowhere to use them. Let’s do another nmap scan, this time on all the ports.
nmap -p- -sC -sV -v 192.168.109.130 -oN map2
Now we have a new port, and it’s SSH. Let’s try to log in. Since it’s not on the standard SSH port, we’ll have to use the -p flag.
Great! We’re in!! Let’s look around.
Only we can’t because we’re in a restricted bash shell. ☹
Luckily we got in over SSH, which means we can bypass this restriction at login time.
For this we use the -t option and ask ssh to run bash directly. According to the man page, -t forces a pseudo-terminal allocation. In this case it also bypasses the rbash restriction, so we get a normal bash shell.
Now that we have a prompt, one of the first things to check is sudo permissions: sudo -l
Well I have no idea what this is, so I looked at the help file.
It really doesn’t explain what it does, but the fact that it will run a command as a user I can choose was very interesting. Let’s try to cat the shadow file with it.
sudo /usr/bin/sysud64 -u root cat /etc/shadow
Well the output was strange, but we did get the shadow file. Now you could try to crack the root password, but it’s a lot easier just to get a root shell. Let’s run bash this time!
Ok this is truly strange output. While it’s hard to show here, commands do still work. Let’s run bash again from here and see what happens.
As we type bash, the letters show up one character at a time. Once the command processes, we get a normal shell and we are root!
Now let’s go for the root flag.
Awesome! And that finishes off unknowndevice64. I hope you enjoyed the walkthrough. If you want to see a video walkthrough, you can find it here.