# Masashi (Vulnhub)

This is an excellent beginner box by Donald. The emphasis is on enumeration and on how easily one can fall into a rabbit hole by overzealously following the initial enumeration like an automaton. Although it could be argued that following it 100% like an automaton could land you on the correct path :-)

**/etc/hosts**

It is a good habit, learned from HackTheBox, to always make an entry in the `/etc/hosts` file. This helps when a vhost brute force is necessary. Since these notes are written after the fact, there is no need to go down the vhost brute-force route here.

![/etc/hosts host entry](/files/-MU4ex-66Cfg9jsNFFfw)

**nmap**

We run our nmap scan.

```
nmap -sC -sV -p- -v --min-rate=5000 -oA nmap/tcp-masashi.local masashi.local
```

TCP ports **22** and **80** are open. There is not much one can do with the SSH port (22). There is a man-in-the-middle vulnerability associated with this version, which you can read more about [here](https://www.cybersecurity-help.cz/vdb/openssh/openssh/7.9p1/). That is not the vector pursued in this writeup, as I believe it is not the intended route for exploitation.

![TCP port scan](/files/-MU4jFgeJq3HInkQwrER)

A UDP scan was abandoned after one hour due to apparent rate-limiting issues I could not resolve. The scan did find one open port, but it was abandoned before nmap could report which port it was.

![UDP port scan](/files/-MU4nY06ef2LUdb9UATH)

Taking a look at port 80, we arrive at the default Apache page. There is no menu to click through.

![Default Apache page](/files/-MU4r2QLKtwYRAv-Or15)

A common practice on beginner CTF boxes is to try browsing to /robots.txt. It is often a useful shortcut when you are in a hurry. A [gobuster](https://redteamtutorials.com/2018/11/19/gobuster-cheatsheet/) scan is more effective for enumerating further files.

```
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://masashi.local -x php,txt -t 80
```

Gobuster reveals two files we can follow (/robots.txt and /security.txt).

![gobuster scan](/files/-MU4uhK9qb6k9k6tpm32)

We follow /robots.txt, and that further reveals three files we can browse (*/snmpwalk.txt*, */sshfolder.txt* and */security.txt*).

![robots.txt entries](/files/-MU4vy3bNrvHBSy109kO)

We have a look at these files. First, on /snmpwalk.txt we notice what appears to be scan results from SNMP-aware devices. The TFTP entry stands out here because, on our UDP scan earlier, nmap did indicate at least one open UDP port. This suggests that UDP port 1337 may be open.

![possible port 1337](/files/-MU51geFDR2nj4vhSgfN)

When we perform an **nmap** scan on that specific port, we get confirmation that the port is indeed open.

![nmap confirm port 1337 is open](/files/-MU52szOMP1C8DYUzYq1)

Let us return to the files listed in /robots.txt earlier. We have not looked at /sshfolder.txt yet, but when we do, we find details about a possible username for SSH. We learn the username is possibly **sv5** and that in the root of the TFTP service we should find a world-readable file called **id\_rsa.pub**. That is a useful file for [passwordless](https://gist.github.com/RaVbaker/2242349) login to SSH. We will pursue that in a moment.

![entries on /sshfolder.txt](/files/-MU55wjH83zbyQjdbF_P)

Let us visit the last entry in /robots.txt. It turns out to be the obligatory taunt that is common among CTF box creators :-). Hats off to you, [@lorde\_zw](https://twitter.com/lorde_zw?lang=en)

![](/files/-MU590_jzhCuaOnZbxS4)

Now we return to the TFTP service in pursuit of that id\_rsa.pub file for a passwordless login. Instead, we find a hint to use a password-list generating tool called **cewl**, which sources its words from a webpage.

![hint towards cewl for password list generation](/files/-MU5AvFuaXzDJ5gvizSJ)

So we do that: we use cewl to create a password list from the index page, as suggested by the creator.

```
cewl -m 5 -w mycustom.txt http://masashi.local   
```
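The cewl hint above is really a statement about password policy: a password that can be recovered by scraping the organisation's own public web page is a weak one. The following check is an added example written for this writeup, not code from the box or its creator. It extracts the visible words of an HTML page (the same source cewl uses, with the same `-m 5` minimum length) and rejects a candidate password that is a site word, or two site words glued together, once surrounding digits and punctuation are stripped. The HTML is a constructed sample, not the real index page.

```python
import re
from html.parser import HTMLParser


class _TextExtractor(HTMLParser):
    """Collects visible page text, ignoring the contents of script and style tags."""

    def __init__(self):
        super().__init__()
        self._skip = 0
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


# Constructed sample index page (not the real one served by the box); the last
# paragraph plants the kind of word a cewl run would harvest.
SAMPLE_INDEX_HTML = """\
<html><head><title>Apache2 Debian Default Page</title>
<style>body { margin: 0 }</style></head>
<body><h1>It works!</h1>
<p>This is the default welcome page used to test the correct operation
of the Apache2 server after installation.</p>
<p>Questions? Ask the sysadmin: whoistheplug</p>
</body></html>
"""


def words_on_page(html, min_len=5):
    """Lower-cased set of alphabetic words of at least min_len letters (cewl's -m)."""
    parser = _TextExtractor()
    parser.feed(html)
    text = " ".join(parser.chunks)
    return {w.lower() for w in re.findall(r"[A-Za-z]+", text) if len(w) >= min_len}


def password_derived_from_site(password, site_words):
    """True if the password is a site word, or two site words concatenated.

    Leading and trailing non-letters are stripped first, so 'Welcome2021!' is
    judged on 'welcome'. Anything more elaborate is accepted by this check.
    """
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    if not core:
        return False
    if core in site_words:
        return True
    for i in range(1, len(core)):
        if core[:i] in site_words and core[i:] in site_words:
            return True
    return False


if __name__ == "__main__":
    words = words_on_page(SAMPLE_INDEX_HTML)
    for candidate in ("whoistheplug", "Welcome2021!", "DefaultServer", "correct-horse-battery"):
        verdict = "reject" if password_derived_from_site(candidate, words) else "accept"
        print(f"{candidate:24} {verdict}")
```

Run against the real site, `words_on_page` would be fed the fetched HTML of every public page, and the check hooked into whatever sets or rotates passwords for accounts that can reach SSH.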

Then, we try hydra with our custom password list and immediately regret the decision, because hydra is so slow for this task.

```
hydra -l sv5 -P mycustom.txt masashi.local ssh -t 4 
```

Instead, we try medusa

```
medusa -u sv5 -P mycustom.txt -h masashi.local -M ssh -t 8 
```

... and after a few seconds, we profit! The username is **sv5** and the password is **whoistheplug**.

![brute forcing with medusa](/files/-MU5Gssgel0k5Ki5lQpW)

We try those details on SSH and we log in successfully.
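From the other side of the wire, the medusa run above leaves a very recognisable trace in the SSH daemon's log: a burst of `Failed password` lines for one user from one address, followed by an `Accepted password` line from the same address. The detector below is an added example written for this writeup, not code from the box or its creator. It parses sshd lines in the syslog format used by `/var/log/auth.log`, keeps a per-(ip, user) sliding window of failures, and raises an alert when the window holds at least `threshold` failures; a later success from the same pair is recorded as the case that warrants an incident response. The log lines are constructed to mimic the session, not captured from the box, and the year (absent from syslog timestamps) is an assumed parameter.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One sshd login line in the syslog format used by /var/log/auth.log on Debian-style hosts.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log (not captured from the box): a burst of failed password
# logins for sv5 from one address ending in a success, then an unrelated single
# failure and a key-based login from a second address.
SAMPLE_AUTH_LOG = """\
Feb 14 10:15:01 masashi sshd[1201]: Failed password for sv5 from 192.0.2.10 port 50210 ssh2
Feb 14 10:15:01 masashi sshd[1202]: Failed password for sv5 from 192.0.2.10 port 50211 ssh2
Feb 14 10:15:02 masashi sshd[1203]: Failed password for sv5 from 192.0.2.10 port 50212 ssh2
Feb 14 10:15:02 masashi sshd[1204]: Failed password for sv5 from 192.0.2.10 port 50213 ssh2
Feb 14 10:15:03 masashi sshd[1205]: Failed password for sv5 from 192.0.2.10 port 50214 ssh2
Feb 14 10:15:03 masashi sshd[1206]: Failed password for sv5 from 192.0.2.10 port 50215 ssh2
Feb 14 10:15:04 masashi sshd[1207]: Accepted password for sv5 from 192.0.2.10 port 50216 ssh2
Feb 14 11:02:33 masashi sshd[1302]: Failed password for sv5 from 198.51.100.7 port 41000 ssh2
Feb 14 11:40:10 masashi sshd[1350]: Accepted publickey for sv5 from 198.51.100.7 port 41020 ssh2
"""


def parse_auth_log(text, year=2021):
    """Return (timestamp, result, user, ip) tuples for every sshd login line.

    Syslog timestamps carry no year, so the caller supplies one (assumed here).
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd login line; ignore it
        stamp = " ".join(m["ts"].split())  # collapse the space-padded day field
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_bruteforce(text, threshold=5, window_seconds=60, year=2021):
    """Alert on (ip, user) pairs with >= threshold failures inside a sliding window.

    A later successful login from the same pair is flagged separately: a burst
    that ends in success is the case that needs an immediate response.
    """
    events = sorted(parse_auth_log(text, year), key=lambda e: e[0])
    recent = defaultdict(list)  # (ip, user) -> failure timestamps still inside the window
    alerts = {}
    for ts, result, user, ip in events:
        key = (ip, user)
        if result == "Failed":
            cutoff = ts - timedelta(seconds=window_seconds)
            recent[key] = [t for t in recent[key] if t >= cutoff] + [ts]
            if len(recent[key]) >= threshold:
                alert = alerts.setdefault(
                    key, {"ip": ip, "user": user, "failures": 0, "success_after_burst": False}
                )
                alert["failures"] = max(alert["failures"], len(recent[key]))
        elif key in alerts:  # an "Accepted" line after an earlier burst from the same source
            alerts[key]["success_after_burst"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(f"{a['ip']} -> {a['user']}: {a['failures']} failures in window, "
              f"login succeeded afterwards: {a['success_after_burst']}")
```

The single failure from the second address never reaches the threshold and produces nothing, which is the point of the window: ordinary typos stay quiet while a wordlist run at `-t 8` trips the alert within its first second.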

![initial foothold achieved](/files/-MU5HmQABErl8D4_gdPD)

As we cat **user.txt**, we are greeted with a lovely message from the creator, [@lorde\_zw](https://twitter.com/lorde_zw?lang=en) Donald Munengiwa.

![a message from the creator](/files/-MU5In697yZnD_FSlpqJ)

Now on to privilege escalation. A habit I have developed is to run `sudo -l` for any chance that we are part of sudoers. I do this first, even before running the awesome Privilege Escalation Awesome Script ([Thank you, IppSec](https://www.youtube.com/watch?v=6_C9ShH9v2w\&t=940)). So let us do that.

![checking sudoers](/files/-MU5KSTnSVf8sqBxhgtl)

That tells us that we can run VIM (vi) with escalated privileges. VIM is one of the "living-off-the-land" binaries listed on GTFOBins that can be used to break out into a privileged shell under these circumstances. So we try that. It is better shown in the .gif below.

![](/files/-MU5UAFtKlhhY93E6m01)
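The root cause of that escalation is a sudoers entry that hands out an interactive editor, and it is easy to find before an attacker does. The auditor below is an added example written for this writeup, not code from the box or its creator. It parses plain `user host=(runas) [TAG:] cmd, cmd` entries from a sudoers file, tracks the `NOPASSWD`/`NOEXEC` tags (which, per sudoers(5), persist across the commands of one entry), and reports every command whose binary is one of a small set of editors and pagers that GTFOBins documents as able to spawn a shell. The sudoers text is a constructed sample whose `sv5` line mirrors the finding above; the set of flagged binaries is a deliberately short subset.

```python
import os
import re

# Interactive editors and pagers that GTFOBins documents as able to spawn a shell
# when run via sudo (a subset chosen for this example, not an exhaustive list).
SHELL_ESCAPE_BINARIES = {"vi", "vim", "view", "vimdiff", "nano", "less", "more", "man", "ed", "ex"}

# Tags that may precede a command in a sudoers entry (see sudoers(5)).
TAG_RE = re.compile(
    r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|NOLOG_INPUT|"
    r"LOG_OUTPUT|NOLOG_OUTPUT|MAIL|NOMAIL|FOLLOW|NOFOLLOW|INTERCEPT|NOINTERCEPT):\s*"
)

# user  host = (runas) [TAG:] cmd [, cmd ...]   (aliases and includes are out of scope)
RULE_RE = re.compile(
    r"^(?P<user>[%+]?\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)

# Constructed sudoers fragment; the sv5 entry mirrors the writeup's sudo -l output.
SAMPLE_SUDOERS = """\
# constructed sample, not the box's real /etc/sudoers
Defaults env_reset
root    ALL=(ALL:ALL) ALL
sv5     ALL=(ALL) NOPASSWD: /usr/bin/vi
deploy  ALL=(root) /usr/bin/systemctl restart app, /usr/bin/vim /etc/app.conf
backup  ALL=(root) NOPASSWD: /usr/local/bin/backup.sh
ops     ALL=(root) sudoedit /etc/app.conf
"""


def audit_sudoers(text):
    """Return one finding per sudoers command that grants a shell-escape-capable binary."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # User_Alias, Cmnd_Alias, @include and continuation lines are skipped
        nopasswd = noexec = False  # tags persist across the commands of one entry
        for spec in m["cmds"].split(","):
            spec = spec.strip()
            while (t := TAG_RE.match(spec)):
                tag = t.group(1)
                if tag in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag == "NOPASSWD"
                elif tag in ("NOEXEC", "EXEC"):
                    noexec = tag == "NOEXEC"
                spec = spec[t.end():]
            if not spec or spec == "ALL":
                continue  # "ALL" is a separate policy question, not an editor escape
            binary = os.path.basename(spec.split()[0])
            if binary in SHELL_ESCAPE_BINARIES:
                findings.append({
                    "user": m["user"],
                    "runas": m["runas"] or "root",  # sudo's default target user
                    "command": spec,
                    "binary": binary,
                    "nopasswd": nopasswd,
                    "noexec": noexec,
                })
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        flags = ("NOPASSWD " if f["nopasswd"] else "") + ("NOEXEC" if f["noexec"] else "")
        print(f"{f['user']} may run {f['command']} as {f['runas']} {flags}".rstrip())
```

The `ops` entry shows the usual fix for "this user needs to edit one file as root": `sudoedit` copies the file, runs the editor with the invoking user's own privileges, and only the write-back is privileged, so an editor shell escape gains nothing. Where an editor really must run as root, the `NOEXEC` tag stops it from executing further programs on platforms that support it, which is why the auditor reports that tag alongside `NOPASSWD`.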

