Sidney 0.2. Vulnhub’s VM Walkthrough

Page

Walk-through on Sidney 0.2 which is available here
https://www.vulnhub.com/entry/sidney-02,149/

Necessary enumerations…

net-discover.png

Target IP discovered: 192.168.3.143

Scanning the target for open ports, both TCP and UDP.

nmap-aggressive-fullport.png

unicorn-tcp-udp-full.png

Focusing on TCP Port 80.

Both DirBuster and Nikto turned up negative.
Next, we will proceed to manually visit our target on the browser.

image-source.png

By viewing the image source on hxxp://TARGET-IP/, we can conclude that there is another directory /commodore64/

Next, we will repeat DirBuster and Nikto, focusing on /commodore64/ instead.

dirb-commodore64-gg.png

nikto-commodore64.png

Nice.

It seems that our target /commodore64/index.php is using a php file manager system.

view-page-source.png

Nice hints on the page source. We can probably login to the file manager system with the username “robhubbard”, and the password should consist of 7 characters, with 3 letters and 4 digits.

Google search on c64 sound chip:

https://en.wikipedia.org/wiki/MOS_Technology_SID

Nice. So we know that the password is probably mosXXXX (“X” being the 4digits).

Next, we will make use of Crunch, a password generating tool in Kali.
Crunch 7 7 -t ‘mos’%%%% -o test.txt

We verify the content of test.txt
possible-password-crunch-success.png

Perfecto, exactly what we want.

We will use Hydra to brute-force the POST form on the php file manager login system.

hydra-bruteforce-success.png

Ez Pz. I chose the difference between success and failure to be “Login system”. It makes sense that if the attempt is successful, we should not be seeing the “Login system” text anymore.

Credentials discovered. robhubbard:mos6518

Note: If SSH was available on our target (Typically Port 22), we should attempt to SSH in. However it was not open.

logged-in.png

FILES UPLOAD!

We will proceed to upload a php-reverse-shell in our /usr/share/webshells/php directory. (Kali)

reverse-shell-success.png

Setting up a listener and browsing to our uploaded php-reverse-shell… Success!

 

 

 

PRIVILEGE ESCALATION PART 1

We proceed to enumerate /etc/passwd list. We discovered user rhubbard, we checked the /etc/group and it seems that rhubbard has sudo privilege.

We continued to “su” to him, but was greeted with a terminal error.
It seems that the error can be solved easily.

fixed-python-spawn-tty.png

Done.root-achieved.png

Finding the flag.

getting-the-flagzip.png

We download the flag.zip over to our own attacking box.

cracked-flagzip.png

Cracking the password protected flag.zip with our trusty rockyou.txt wordlist.

It seems that the flag is in .d64 format. Which can be viewed by installing the vice c64 emulator. Running “strings” command on the flag.d64 can also show the brief content of the flag.

PRIVILEGE ESCALATION PART 2

By running uname -ar and cat /etc/*-release command, it appears that our target is vulnerable to a local privilege escalation exploit:

https://www.exploit-db.com/exploits/39772/

We upload the zipped exploit using the php file manager system and unzip it on our target. Following the instructions, we should be able to successfully exploit this and achieve root privilege.

39772-to-root.png

Done.

Stay safe~

-9emin1