Hello Everyone! Welcome to pentestguy. In this article, we walk through the Evilbox One Capture the Flag (CTF) challenge available on Vulnhub. In this Evilbox One Vulnhub walkthrough we cover the initial port scan, enumeration, directory traversal, SSH key cracking, and privilege escalation to the root user. Let’s dive into the process!
Download Evilbox One VM from vulnhub – link
Port Scanning
We start by performing a port scan using Nmap to identify open ports on the target machine. The command used is:
nmap 192.168.1.X -sV -sC -oN nmap.output
The scan reveals two open ports: port 80 (HTTP) and port 22 (SSH).
Directory Fuzzing
Since port 80 runs the HTTP service by default, we proceed with directory enumeration. Using gobuster with the common.txt wordlist, we discover a directory named “secret”.
gobuster dir -u http://192.168.X.X -w /usr/share/dirb/wordlists/common.txt
Fuzzing for PHP Files
Exploring the “secret” directory, we find nothing of interest. To further investigate, we decide to fuzz for PHP files. Using the following command:
gobuster dir -u http://192.168.X.X -w /usr/share/dirb/wordlists/common.txt -x php
We discover a file named “evil.php.”
Parameter Fuzzing
Fuzzing parameter names against “evil.php”, we find a parameter named “command” that is vulnerable to directory traversal and returns the contents of local files. Reading /etc/passwd confirms that the user “mowree” exists, and we then retrieve that user’s SSH private key.
ffuf -u "http://192.168.X.X/secret/evil.php?FUZZ=/etc/passwd" -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -fs 0
Cracking the SSH Key
To crack the SSH key’s password, we convert it to a format suitable for John the Ripper using ssh2john. The steps involved are:
Save the contents of “id_rsa” locally.
Set the permissions using “chmod 600 id_rsa”.
Convert the SSH key to the John format with ssh2john.
ssh2john id_rsa > crack.hash
Run John the Ripper to crack the password.
sudo john crack.hash --wordlist=/usr/share/wordlists/rockyou.txt
User Flag
With the cracked SSH key password, we log into the system as the user “mowree” and retrieve the user flag.
ssh -i id_rsa mowree@192.168.1.X
Privilege Escalation
To escalate privileges to the root user, we try basic techniques like “sudo -l” but find nothing useful. However, we discover that the user has write permission on /etc/passwd. Because the “x” in an account’s password field tells the system to look up the hash in /etc/shadow, a user who can write /etc/passwd can put a hash of their own choosing directly into root’s entry.
Create a password hash for your own password using OpenSSL.
openssl passwd -1 -salt root pass123
Replace the “x” in root’s entry in /etc/passwd with the generated password hash.
Log in as the root user using the updated password.
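From the defender’s side, the root path above leaves two things to look for: an /etc/passwd that is writable by group or other, and an entry whose password field holds a hash instead of the “x” that defers to /etc/shadow. The following audit script is an added example for this walkthrough, not code from the original post; the passwd contents and the hash value in it are constructed samples.

```python
import os
import stat
from typing import Dict, List

# Constructed sample of /etc/passwd: root's password field carries an
# MD5-crypt style hash (placeholder value) instead of "x", which is exactly
# what the writable-passwd privilege escalation above produces.
SAMPLE_PASSWD = """root:$1$root$PLACEHOLDERHASHVALUE00:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mowree:x:1000:1000:mowree,,,:/home/mowree:/bin/bash
"""

# Password-field values that correctly defer to /etc/shadow or lock the account.
SHADOW_OR_LOCKED = {"x", "*", "!", "!!"}


def audit_passwd_entries(contents: str) -> List[Dict[str, str]]:
    """Return findings for entries that bypass /etc/shadow (a hash or an empty
    password field) or that grant UID 0 to an account other than root."""
    findings = []
    for lineno, line in enumerate(contents.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append({"line": str(lineno), "user": line, "issue": "malformed entry"})
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append({"line": str(lineno), "user": user, "issue": "empty password field"})
        elif pw not in SHADOW_OR_LOCKED:
            findings.append({"line": str(lineno), "user": user,
                             "issue": "hash stored in passwd, /etc/shadow bypassed"})
        if uid == "0" and user != "root":
            findings.append({"line": str(lineno), "user": user, "issue": "non-root account with UID 0"})
    return findings


def passwd_is_writable_by_others(path: str = "/etc/passwd") -> bool:
    """True when group or other hold write permission on the file (expected mode 0644)."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


if __name__ == "__main__":
    for finding in audit_passwd_entries(SAMPLE_PASSWD):
        print(f"line {finding['line']}: {finding['user']}: {finding['issue']}")
    if os.path.exists("/etc/passwd"):
        print("/etc/passwd writable by group/other:", passwd_is_writable_by_others())
```

On a live host, run it as-is to audit the real /etc/passwd, or feed the file’s contents to audit_passwd_entries from a backup or forensic image.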
Conclusion
In this walkthrough, we covered the process of solving the Evilbox One CTF challenge. We performed port scanning, directory enumeration, parameter fuzzing, SSH key cracking, and privilege escalation to gain root access.
I hope you found this article helpful, and I encourage you to suggest more topics in the comments. Don’t forget to share this post with your friends. You can now also collaborate with us; please check our collaboration page. Thank you!