Vulnhub - Unknowndevice64 writeup
Not a lot of ports open. There’s a web server running on port 31337 and good old SSH but instead of being on port 22 it’s on port 1337.
Let’s see what we can find on the website via cmd.
➜ http http://192.168.43.19:31337
If we visit the website via browser we can see a line saying key is h1dd3n
Now let’s get the key_is_h1dd3n.jpg file and see what we find.
A simple strings doesn’t bear anything out, so I used steghide with key as h1dd3n and we got a file.
h1dd3n.txt file had some brainfuck code in it and decoding it we get some credentials.
We can use those credentials to log in via SSH.
Low Privilege shell
When we log in as ud64 we cannot execute normal commands like cd because doing so we get
I’ve bypassed rbash shells before, mostly in Jeopardy style CTFs, so I tried a few things that I knew.
None of these seemed to work, so I decided to refer to the guide I always use for bypassing rbash, linux-restricted-shell-bypass-guide. This is a pretty good guide and it’s got almost all the tricks that bypass the rbash shell (most of the time).
I tried the SSH -t "bash --noprofile" trick and it worked.
As I always do, I started with an enumeration script but I didn’t see anything interesting, so I tried some manual things from this guide and when I tried sudo -l I got something interesting:
Okay so that means we can run sudo. Let’s see what sysud64 does. When I ran sysud64 I got a message saying I should run sysud64 -h and doing that I got something that just made me smile
strace just with a different name. Now as I said above I’ve done some jeopardy type CTFs and there I have done some jail type challenges. In short I already knew how to use strace to escalate the privilege :)
If we run sudo strace -o /dev/null /bin/bash it will actually spawn the root shell.
But when I did that I was prompted for a password, which was weird.
I tried this a few times but then I realized I was so dumb. The name of strace is actually changed to sysud64 so I got a root shell.
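From the defender's side, the weak point here is a sudo rule that points at strace under another name, which a name-based review of sudo -l output will miss. The script below is an added example, not part of the original writeup: it compares each NOPASSWD command to known tracing/debugging tools by content hash instead of by name. The tool list, the reference directory and the sample sudo -l output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag sudo-allowed commands that are byte-identical copies of
# a tool that can launch other programs, whatever name they are installed under.

# Assumption: tool names chosen for illustration; extend for your environment.
RISKY_TOOLS="strace ltrace gdb"

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# find_renamed_tool CANDIDATE REF_DIR...
# Prints the reference tool whose content equals CANDIDATE; returns 1 if none.
find_renamed_tool() {
    candidate=$1; shift
    [ -f "$candidate" ] || return 1
    want=$(sha256_of "$candidate")
    for dir in "$@"; do
        for tool in $RISKY_TOOLS; do
            ref="$dir/$tool"
            if [ -f "$ref" ] && [ "$(sha256_of "$ref")" = "$want" ]; then
                printf '%s\n' "$ref"; return 0
            fi
        done
    done
    return 1
}

# audit_sudo_list REF_DIR...
# Reads `sudo -l` output on stdin and reports each NOPASSWD command whose
# content matches a risky tool found in one of the reference directories.
audit_sudo_list() {
    sed -n 's/.*NOPASSWD:[[:space:]]*//p' | tr ',' '\n' |
    while read -r cmd _args; do
        [ -n "$cmd" ] || continue
        if match=$(find_renamed_tool "$cmd" "$@"); then
            printf 'FINDING: %s has the same content as %s\n' "$cmd" "$match"
        fi
    done
}

# Constructed demo: a fake "strace" reference, a renamed copy, an unrelated file.
demo() {
    d=$(mktemp -d) && mkdir "$d/ref" "$d/bin"
    printf 'constructed tracer bytes\n' > "$d/ref/strace"
    cp "$d/ref/strace" "$d/bin/sysud64"
    printf 'constructed other bytes\n' > "$d/bin/backup"
    printf 'User ud64 may run the following commands:\n    (ALL) NOPASSWD: %s, %s --full\n' \
        "$d/bin/sysud64" "$d/bin/backup" | audit_sudo_list "$d/ref" | sed "s|$d||g"
    rm -rf "$d"
}
demo
```

On a real host the reference directory should hold known-good copies of the tools (for example extracted from the distribution packages), since a renamed binary may have no original left on disk to compare against.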
Then just cat the
It was a really easy machine; I really enjoyed it :)
I am happy that I was able to pwn this machine within 30 minutes.