Evilbox One – Vulnhub CTF Walkthrough

Hello everyone, and welcome to pentestguy. This article is a walkthrough of the Evilbox One Capture the Flag (CTF) challenge available on Vulnhub. It covers the initial port scanning, enumeration, directory traversal, SSH key cracking, and privilege escalation to the root user. Let’s dive into the process!

Download Evilbox One VM from vulnhub – link

Port Scanning

We start by performing a port scan using Nmap to identify open ports on the target machine. The command used is:

nmap 192.168.1.X -sV -sC -oN nmap.output

The scan reveals two open ports: port 80 (HTTP) and port 22 (SSH).

Directory Fuzzing

Since port 80 is serving HTTP, we proceed with directory enumeration. Using gobuster with the common.txt wordlist, we discover a directory named “secret”.

gobuster dir -u http://192.168.X.X -w /usr/share/dirb/wordlists/common.txt

Fuzzing for PHP Files

Exploring the “secret” directory, we find nothing of interest. To investigate further, we fuzz that directory for PHP files using the following command:

gobuster dir -u http://192.168.X.X/secret/ -w /usr/share/dirb/wordlists/common.txt -x php

We discover a file named “evil.php.”

Parameter Fuzzing

Testing the “evil.php” file, we fuzz its parameter names with the command below and find a parameter named “command” that allows directory traversal. Using it, we verify the existence of the user “mowree” and locate an SSH key for that user.

ffuf -u "http://192.168.X.X/secret/evil.php?FUZZ=/etc/passwd" -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -fs 0

Cracking the SSH Key

To crack the SSH key’s password, we convert it to a format suitable for John the Ripper using ssh2john. The steps involved are:

Save the contents of “id_rsa” locally.
Set the permissions using “chmod 600 id_rsa”.
Convert the SSH key to the John format with ssh2john.

ssh2john id_rsa > crack.hash

Run John the Ripper to crack the password.

sudo john crack.hash --wordlist=/usr/share/wordlists/rockyou.txt

User Flag

With the cracked SSH key password, we log into the system as the user “mowree” and retrieve the user flag.

ssh -i id_rsa mowree@192.168.X.X

Privilege Escalation

To escalate privileges to the root user, we try basic checks like “sudo -l” but find no useful information. However, we discover that the user has write permission on the /etc/passwd file.

Create a password hash for your own password using OpenSSL.

openssl passwd -1 -salt root pass123

Replace the “x” in the passwd file with the generated password hash.

Log in as the root user using the updated password.
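
From the defender's side, the weakness used in this step can be checked for directly. The script below is an added example, not part of the original walkthrough: the function names, finding labels and sample file are constructed for illustration, and it goes slightly beyond the page by also flagging empty password fields and extra UID 0 accounts.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for the weakness used above.
# audit_passwd FILE [EXPECTED_OWNER] prints one finding per line.
audit_passwd() {
    file=${1:-/etc/passwd}
    owner=${2:-root}

    # Ownership and mode: the file should belong to root and be writable
    # only by its owner (typically mode 0644).
    find "$file" -prune ! -user "$owner" -exec echo "BAD_OWNER" \;
    find "$file" -prune \( -perm -020 -o -perm -002 \) \
        -exec echo "WRITABLE_BY_GROUP_OR_OTHER" \;

    # Content: field 2 should be "x" (hash kept in /etc/shadow) or a
    # locked marker starting with "*" or "!". Anything else is a hash or
    # an empty password stored in the passwd file itself.
    awk -F: '
        /^#/ || NF < 3 { next }
        $2 == "" { print "EMPTY_PASSWORD " $1 }
        $2 != "" && $2 != "x" && $2 !~ /^[*!]/ { print "INLINE_HASH " $1 }
        $3 == 0 && $1 != "root" { print "EXTRA_UID0 " $1 }
    ' "$file"
}

# Constructed sample: root carries an inline MD5-crypt style value (a
# placeholder, not a real hash) and the file is world-writable.
demo_audit() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
root:$1$root$PLACEHOLDERHASH:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:*:34:34:backup:/var/backups:/usr/sbin/nologin
mowree:x:1000:1000::/home/mowree:/bin/bash
EOF
    chmod 666 "$tmp"
    # The temp file is owned by whoever runs the demo, so pass that UID
    # as the expected owner; on a real system the default (root) applies.
    audit_passwd "$tmp" "$(id -u)"
    rm -f "$tmp"
}

demo_audit
```

Run audit_passwd /etc/passwd against a real system; no output means none of these conditions were found.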

Conclusion

In this walkthrough, we covered the process of solving the Evilbox One CTF challenge. We performed port scanning, directory enumeration, parameter fuzzing, SSH key cracking, and privilege escalation to gain root access.

I hope you found this article helpful, and I encourage you to suggest more topics in the comments. Don’t forget to share this post with your friends. You can now also collaborate with us; please check our collaboration page. Thank you.
