Vulnhub - Unknowndevice64 writeup



Not a lot of ports open. There’s a web server running on port 31337 and good old SSH but instead of being on port 22 it’s on port 1337.

Let’s see what we find on the we can find on the website via cmd.

➜ http

If we visit the website via browser we can see a line saying key is h1dd3n

Now let’s get the key_is_h1dd3n.jpg file and see what we find.

Simple strings doesn’t bears anything out so I used steghide with key as h1dd3n and we got a file.

h1dd3n.txt file had some brainfuck code in it and decoding it we get some credentials.

Username: ud64 Password: 1M!#64@ud

We can use those credentials to login via SSH.

Low Privilege shell

When we login as ud64 we cannot execute normal commands like ls or cd because doing so we get rbash error.

I’ve bypassed rbash shells before, mostly in Jeopardy style CTFs so I tried few things that I knew.

None of these seemed to work, so I decided to refer to the guide I always for bypassing rbash, linux-restricted-shell-bypass-guide. This is pretty good guide and it’s got almost all the trick that bypass rbash shell(most of the time).

I tried the SSH -t "bash --noprofile" trick and it worked.

Privilege Escalation

As I always do, I started with Enumeration script but I didn’t saw anything interesting so I tried some manual things from this guide and when I tried sudo -l I got something interesting:

Okay so that means we can run sysud64 with sudo. Let’s see what does sysud64 do. When I ran sysud64 I got a message saying I should run sysud64 -h and doing that I got something that just made me smile

It’s strace just with a different name. Now as I said above I’ve done some jeopardy type CTFs and there I have done some jail type challenges. In short I already knew how to use strace to escalate the privilege :)

If we run sudo strace -o /dev/null /bin/bash it will actually spawn the root shell.

But When I did that I was prompted for password which was weird.

I tried this few times but then I realized I was so dumb. The name of strace is actually changed to sysud64 so I got a root shell.

Then just cat the flag.txt in /root

It was really easy machine really enjoyed it :) ud64:1M!#64@ud

I am happy that I was able to pwn this machine within 30 minutes.