Vulnhub Grotesque: 2 Write-up
Hi guys! In this write-up I am going to walk you through solving the vulnhub machine Grotesque: 2.
Let's start with an nmap scan. I scanned the machine to find the open ports and the result really surprised me: every port from 22 to 555 was reported open, and except for port 22 they all showed the same service running.
I opened the IP on a few random ports in the browser and got the image below. The same image came back on every port I tried, including 80 and 443.

I decided to fuzz the port number to see whether any port served something different. For that I created a file with the port numbers from 22 to 555 and used it as the wfuzz payload.
wfuzz returned a hit on port 258.
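The filter that makes this fuzz useful is "ignore every port that serves the same page". As an added example (my code, not the author's), the sweep below does the same job with curl and md5sum: fetch each port, hash the body, and print only the ports whose hash differs from the most common one. The target host is a placeholder argument, the fetch needs network access, and the sample data at the bottom is constructed so the filtering step runs offline.

```shell
#!/bin/sh
# Added example, not code from the write-up: sweep a port range over HTTP,
# hash each response body and report the ports that do not serve the
# majority page. fetch_hashes needs network; outliers works on its output.

# fetch_hashes HOST FIRST LAST -> lines of "port md5" on stdout
fetch_hashes() {
    host=$1; first=$2; last=$3
    p=$first
    while [ "$p" -le "$last" ]; do
        # -s quiet, -m 5 five-second timeout; a closed port yields an empty body,
        # which hashes to the same value every time and is filtered like any other
        h=$(curl -s -m 5 "http://$host:$p/" | md5sum | cut -d' ' -f1)
        printf '%s %s\n' "$p" "$h"
        p=$((p + 1))
    done
}

# outliers FILE -> ports (in input order) whose hash is not the most common hash
outliers() {
    awk '
        { port[NR] = $1; hash[NR] = $2; count[$2]++ }
        END {
            for (h in count) if (count[h] > max) { max = count[h]; top = h }
            for (i = 1; i <= NR; i++) if (hash[i] != top) print port[i]
        }' "$1"
}

# Demo on constructed data (no network): fake digests, three ports serve the
# same body and port 258 serves something else.
sample=$(mktemp)
printf '80 aaaa\n81 aaaa\n258 cccc\n443 aaaa\n' > "$sample"
outliers "$sample"          # prints: 258
rm -f "$sample"

# Real run (placeholder host): fetch_hashes TARGET 22 555 > hashes.txt; outliers hashes.txt
```

On the box this replaces the hand-made port list: run `fetch_hashes` once, keep the file, and re-run `outliers` as often as you like without touching the target again.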

Opening the IP on port 258 in the browser showed the image below.

So we have potential usernames: satan, raphael, angel, distress, greed and lust.
I tried hydra with these usernames, but brute-forcing the password was taking too long. So I looked at the page source instead and found an image, hand.png.

I downloaded the image to my local machine and used an online image-analysis site to inspect it. First I zoomed in and found an alphanumeric string embedded in the image: 32 hex characters, so most likely an MD5 hash.

I used CrackStation to crack it.
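CrackStation is a precomputed lookup table; the same check works offline against any wordlist. As an added example (my code, not part of the write-up), the function below hashes each candidate with md5sum and stops at the first match. The digest and wordlist used in the demo are constructed; the real hash from hand.png is not reproduced here. A matching word then goes straight into hydra as `-p`, with the username list as `-L`.

```shell
#!/bin/sh
# Added example, not from the write-up: crack an MD5 hex digest against a
# wordlist offline. The demo hash and wordlist below are constructed.

# crack_md5 HEXDIGEST WORDLIST -> prints the matching word and returns 0,
# or prints nothing and returns 1 if no line of WORDLIST hashes to it
crack_md5() {
    target=$(printf '%s' "$1" | tr 'A-F' 'a-f')   # digests may be upper-case
    # "|| [ -n "$word" ]" keeps the last line even without a trailing newline
    while IFS= read -r word || [ -n "$word" ]; do
        # printf, not echo: we want md5(word), not md5(word + newline)
        if [ "$(printf '%s' "$word" | md5sum | cut -d' ' -f1)" = "$target" ]; then
            printf '%s\n' "$word"
            return 0
        fi
    done < "$2"
    return 1
}

# Demo with constructed data: a tiny wordlist and the digest of one entry.
wordlist=$(mktemp)
printf 'password\nletmein\nqwerty\nhunter2\n' > "$wordlist"
demo_hash=$(printf '%s' 'hunter2' | md5sum | cut -d' ' -f1)
crack_md5 "$demo_hash" "$wordlist"   # prints: hunter2
rm -f "$wordlist"
```

The upper-case normalisation matters in practice: many tools print digests in upper case and a byte-for-byte string compare would silently miss the match.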

So now we have potential usernames and one password. Let's use hydra to find the username/password combination that works for SSH.
Hydra found a valid username and password combination for SSH.

Let's SSH into the machine.
user.txt

I downloaded both linPEAS.sh and pspy64s onto the victim machine.
When I executed linPEAS.sh, it showed me two things:
1. There are root-owned files in the /home/angel/quiet directory.

2. Under "Modified interesting files in the last 5 mins", the same files as above.

Root-owned files being rewritten every few minutes points to a cron job, so let's use pspy.

As you can see, pspy showed that the scripts write.sh and check.sh run at fixed intervals. But I didn't have permission to read them.

After spending some time on it, I decided to delete all the files in /home/angel/quiet to see what would happen.

As soon as the two scripts ran again, the files were recreated in the quiet folder, all with identical content.

I ran linPEAS.sh again to check for any difference in the output. This time it showed a new file, rootcreds.txt, in the / directory under "Modified interesting files in the last 5 mins".

So I opened it and got the root credentials.

The final flag.

I wanted to see what check.sh and write.sh contain, and here is the output.

When check.sh runs, it executes ls in /home/angel/quiet; if there are no files, it writes the root credentials to a file called rootcreds.txt in the / directory and gives it read, write and execute permissions, which is why the low-privileged user could read it.
write.sh creates files named 1 to 2323 and writes "quiet" into each of them. Deleting the files empties the directory between two runs of write.sh, and check.sh running in that window is what leaked the credentials.
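The two scripts are only described above, not shown, so here is a reconstruction of their logic as an added example (my code, not the box's actual files). It takes the directory and output file as arguments so it can be run safely outside the VM, and adds the "modified in the last N minutes" sweep that linPEAS used to spot /rootcreds.txt. The credential string, the 777 mode and the 20-file demo size are assumptions; the write-up only says the file got read, write and execute permissions.

```shell
#!/bin/sh
# Added example, not the box's scripts: reconstruction of write.sh and
# check.sh as described in the write-up, parameterised on a directory.

# write_quiet DIR [N] -> files DIR/1 .. DIR/N each containing "quiet"
# (write.sh uses N=2323 on the box)
write_quiet() {
    dir=$1; n=${2:-2323}
    i=1
    while [ "$i" -le "$n" ]; do
        echo quiet > "$dir/$i"
        i=$((i + 1))
    done
}

# check_quiet DIR OUTFILE -> if ls shows DIR empty, write creds to OUTFILE (check.sh)
# Returns 0 when it wrote the file, 1 when the directory was not empty.
check_quiet() {
    dir=$1; out=$2
    if [ -z "$(ls "$dir")" ]; then
        echo 'root:<root password>' > "$out"   # placeholder, not the real creds
        chmod 777 "$out"                       # assumed mode; the write-up says rwx
        return 0
    fi
    return 1
}

# recent_files ROOT MINUTES -> regular files under ROOT modified in the last MINUTES
# (the check linPEAS reports as "Modified interesting files in the last 5 mins")
recent_files() {
    find "$1" -type f -mmin "-$2" 2>/dev/null
}

# Demo: with the files present check.sh does nothing; empty the directory the
# way the write-up did and the next check.sh run drops the creds file.
demo() {
    work=$(mktemp -d)
    mkdir "$work/quiet"
    write_quiet "$work/quiet" 20            # 20 instead of 2323 keeps the demo quick
    if check_quiet "$work/quiet" "$work/rootcreds.txt"; then
        echo "unexpected: creds written while files present"
    fi
    rm -f "$work/quiet"/*                   # equivalent of rm /home/angel/quiet/*
    if check_quiet "$work/quiet" "$work/rootcreds.txt"; then
        echo "creds file appeared:"
        recent_files "$work" 5
    fi
    rm -rf "$work"
}

demo
```

The race is only winnable because the two jobs are not ordered: deleting the files any time after write.sh and before the next check.sh is enough. The fix on the box side would be for check.sh to never write secrets to a world-readable path, regardless of what it finds in the directory.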
That's it. Please let me know if you liked the write-up.