[VulnHub] OnSystem: ShellDredd #1 Hannah Walkthrough

Difficulty level: Easy
Aim: Capture the user.txt and root.txt flags
Author: d4t4s3c

Download: https://www.vulnhub.com/entry/onsystem-shelldredd-1-hannah,545/

Information Gathering

No information has been provided relating to the IP address of the target machine, but this can easily be found using arp-scan:

sudo arp-scan --interface=eth1 192.168.56.100/24

Target: 192.168.56.104

Scanning

Now that we have the IP address, nmap can be used to scan the target to discover open ports and services. Here, I am running a scan with default scripts (-sC) and version detection (-sV) against all ports from 1 through 65535 (-p-):

nmap -sC -sV -vv -p- 192.168.56.104

The output from nmap shows the following open ports and services:

  • port 21/tcp - FTP - vsftpd 3.0.3 (anonymous login allowed)
  • port 61000/tcp - SSH - OpenSSH 7.9p1

Gaining Access

Not many options available to us at the moment, apart from the anonymous FTP login, so let's take a look at that:

ftp 192.168.56.104
anonymous
<blank password>

Listing the contents shows a directory named .hannah and within that we find an id_rsa file which we will download to our local machine:

Before we attempt to log in to the SSH service using the id_rsa file, the permissions will need updating. A permission level of 600 ensures the owner has full read and write access to the file, while no other user can access the file:

chmod 600 id_rsa

We can now try and login via SSH:

ssh -i id_rsa hannah@192.168.56.104 -p 61000

Success!

We have got an initial shell as hannah and the user.txt flag can be found in the /home/hannah directory.

Privilege Escalation

Running the sudo command shows we have no access to this:

We will need to carry out some more enumeration to find a path to root.

To check for binaries with the SUID bit set, we can run:

find / -perm -4000 2>/dev/null

/usr/bin/mawk stands out as a possible way of escalating our privileges.

As the SUID bit is set on this binary, we can use mawk to do a privileged read of the /root/root.txt file.

First, we'll set an environment variable of the file we want to read (/root/root.txt):

ROOT_FLAG=/root/root.txt

We can then run the mawk command and pass in the above variable:

mawk '//' "$ROOT_FLAG"

...and that's the root flag captured!

Please feel free to contact me via Twitter and thanks for reading.