digital world.local: Vengeance Walkthrough – OSCP Way

Vengeance is one of the digital world.local series, which makes vulnerable boxes closer to the OSCP labs. This box runs a lot of services and there are probably multiple ways to exploit it; below is what I tried.

Lab requirement:
1. Kali VM
2. Download Vengeance: https://www.vulnhub.com/entry/digitalworldlocal-vengeance,704
3. Some patience.

I have already written an article about how to set up a lab environment using either VirtualBox or VMware; you can find it at this link: http://www.anonhack.in/2018/06/creating-your-own-hacking-lab-the-beginners-guide/

Let’s start!

  1. Finding the IP of your vulnerable machine in your environment:
    $ netdiscover

    You can follow the articles below for other methods: http://www.anonhack.in/2018/06/part-2-finding-the-ip-address-of-your-victim-in-your-vmware-hacking-lab-network/, http://www.anonhack.in/2018/06/finding-the-ip-address-of-your-victim-in-your-hacking-lab-network/

  2. Let’s check the open ports on the target (172.16.37.138):
    I focused on port 80, and also checked ports 110, 139, 445 and 22222 a bit.
  3. On port 80 you will find a WordPress blog:
    I found some names in the comments section.
    The website was not loading properly because its links use a local domain, “vengeance.goodtech.inc”, which was not defined on my system. If you want the website to work, you will need to add a local domain entry in the /etc/resolv.conf file, like below:
    After this, if you browse through the website, the pages will load just fine.
    I spent a lot of time fuzzing to find the wp-login page, and also ran wpscan to gather more information or find a vulnerability, but neither helped. I then changed my focus to another port.
  4. SMB.
    A little information about SMB: Server Message Block is a service used to share files, resources and printers between devices on a network. It runs over TCP, and newer versions of SMB listen on port 445.
    I used the smbmap command to find out what the target host is sharing:
    It seems we have READ ONLY access to the print$ and sarapublic$ shares, so let’s fetch the details using the smbclient command. You can use the “get <filename>” command inside smbclient to download the files locally. Among the listed files you will find one called “eaurouge”, which is actually a bash script. I tried to put my own version of the script with the put command, but somehow that didn’t work.
  5. Unzipping gio.zip
    Among the files we got from the sarapublic$ share there was one zip file containing a “pass_reminder.txt” file, which I think we need to see:
    So let’s extract a hash from this zip to use john on it.
    We need to use the tool “zip2john” to fetch the password hash from gio.zip, and then we can feed that hash to john with different wordlists.

    $ zip2john gio.zip > gio_hash
    Feed gio_hash to john command using below command:
    $ john gio_hash --wordlist=/usr/share/wordlists/rockyou.txt

    rockyou.txt turned out to be a waste of time, and a number of different SecLists password files were no use either.
    Later, I just wrote a script that builds a wordlist out of the .txt files I got through smbclient from the sarapublic$ share.

    import argparse
    import re

    def read_convert(filename, outfile):
        # Collect every alphabetic token from the text file; anything that is
        # not a letter is stripped, so "Suzuka," becomes "Suzuka".
        wordlist = []
        with open(filename, "r") as f:
            for line in f:
                for word in line.split():
                    w = re.sub("[^a-zA-Z]", "", word)
                    if w != "":
                        wordlist.append(w)

        # One candidate per line, which is the format john expects for --wordlist.
        with open(outfile, "w") as f1:
            for l in wordlist:
                f1.write(l + "\n")

    if __name__ == "__main__":
        parser = argparse.ArgumentParser()
        parser.add_argument("-tf", help="Text file location", type=str, required=True)
        parser.add_argument("-o", help="Name of the output file after conversion into a wordlist", type=str, required=True)
        args = parser.parse_args()
        read_convert(args.tf, args.o)


    Running the above code gave me a wordlist built from all the text files, combined into a single file.
    Running john on it gave me the password for the zip:

    In the same zip file there is a ted_talk ppt which gave out the real password:
    name :     

    circuit and corner:   

    I got to know this from here: https://onestopracing.com/best-f1-corners-of-all-time/
    So if we put those values into the password reminder format, we get: giovanni_130R_Suzuka
    I tried SSH with this password for the users sara, Qin and Qinyi found in the WordPress comments, and also for the names found in the text files from SMB.
    I got a hit for the user qinyi.

  6. Hint!
    From the reminder file under qinyi’s home directory, I got a hint:
    “Push config file to sara via private channel”

    Now we know there is another channel we need to find. The command “sudo -l” gave this output:

    I tried running it, but got permission denied, and if I run the service with nginx it asks for a password.
    So I tried a bunch of things here: I checked the network config (ifconfig) and ran netstat -a to see what ports are open and what I couldn’t see. This page helped me with the commands I was looking for: https://www.networkworld.com/article/3563523/how-to-see-what-users-are-up-to-in-linux.html
    /etc/passwd:

    We know there is a tftp service, a dovecot mail server and some service called pollinate.
    Output of the “$ ps -ef” command:
    This showed that the /home/sara/private directory is served by the tftp server on port 69. So from Kali, I tried to connect to the tftp server:

    The file was a bash script, so I added a bash reverse shell command at the bottom of it:

    I tried to upload it to the tftp server, and this time it worked:

    Now, all we need to do is turn on our listener:

    $ nc -lp 1337

    and run the file under qinyi using this command:

    and when you check your listener window, you will have root on Vengeance:
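As a defender’s takeaway from this box, here is an audit check I have added (it is not part of the original walkthrough): it lists files under the directory a TFTP daemon serves that group or other users could modify, and flags scripts among them, since that is how a file like eaurouge gets replaced and then run with privileges. It assumes a Linux host with GNU find and that paths contain no whitespace.

```shell
# Added defender's check, not the walkthrough author's code.
# audit_tftp_root: report files under a TFTP-served directory that group or
# other users could modify. tftpd-hpa in its default (non --permissive) mode
# lets a client overwrite only files that already exist and are world-writable,
# so the write bits on the served files are the control that matters; a script
# that a privileged user later runs is the finding to fix first.
#
# Returns 0 when nothing is modifiable, 1 when at least one finding was
# printed, 2 on a bad argument. Assumes paths without whitespace.
audit_tftp_root() {
    root="$1"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    n=0

    # Files that group or others may write to.
    for f in $(find "$root" -type f \( -perm -g+w -o -perm -o+w \)); do
        echo "writable file: $f"
        n=$((n + 1))
    done

    # Directories that group or others may write to: a read-only file inside
    # can still be deleted and replaced.
    for d in $(find "$root" -type d \( -perm -g+w -o -perm -o+w \)); do
        echo "writable directory: $d"
        n=$((n + 1))
    done

    # Scripts (shebang on line 1) whose file or parent directory is writable.
    for s in $(find "$root" -type f -exec sh -c 'head -c 2 "$1" | grep -q "^#!"' _ {} \; -print); do
        d=$(dirname "$s")
        if [ -n "$(find "$s" "$d" -maxdepth 0 \( -perm -g+w -o -perm -o+w \))" ]; then
            echo "modifiable script: $s"
            n=$((n + 1))
        fi
    done

    [ "$n" -eq 0 ]
}
```

Run it against the directory shown in the ps -ef output, for example audit_tftp_root /home/sara/private; the fix on the target is to clear the group/world write bits and never run anything from a TFTP root with sudo.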
