Vulnhub Isro Walkthrough

We scan the host with nmap -A -T4 -p- 192.168.1.7 -vv

Dirb search results

I found an encoded string inside the page http://192.168.1.7/bhaskara.html

This is a base64-encoded string; decoding it gave the path /bhaskara, and visiting that path gave us a file to download.

The file is encrypted. I tried different methods and TrueCrypt worked, but it needs a password, so we first have to extract the hash from the file using the John the Ripper helper script truecrypt2john.py (google it):

python true.py bhaskara > hash

Now that we have the password, Xavier, let's use it to open the container and extract the files.

Then I downloaded all the images to my machine and started to extract information from them. I suspected one image above all, Aryabhata.jpg, as it has a different name and is not shown on the main page.

Using the steghide command:

Also, running dirb with -X php came back with a result:

Testing the page for LFI with ?file=../../../etc/passwd returned:

As we can see from the output there is only one user which is isro.
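The traversal request above is also easy to spot on the server side. As an added example (not from the original walkthrough), this Python script flags traversal attempts on the file parameter in constructed Apache-style access log lines, including URL-encoded and double-encoded variants:

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample Apache-style access log lines (not taken from the box).
SAMPLE_LOG = """\
192.168.1.5 - - [10/Mar/2020:12:01:02 +0000] "GET /index.php?file=about.html HTTP/1.1" 200 512
192.168.1.5 - - [10/Mar/2020:12:01:09 +0000] "GET /index.php?file=../../../etc/passwd HTTP/1.1" 200 1843
192.168.1.5 - - [10/Mar/2020:12:01:15 +0000] "GET /index.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1843
192.168.1.5 - - [10/Mar/2020:12:01:21 +0000] "GET /index.php?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1843
192.168.1.5 - - [10/Mar/2020:12:01:30 +0000] "GET /bhaskara.html HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')  # a ".." path segment after decoding


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e%252e) is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_lfi_attempts(log_text, param_names=("file",)):
    """Return (line_number, parameter, decoded_value) for each traversal attempt."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qs already decodes one layer; fully_decode handles the rest.
        for name, values in parse_qs(query, keep_blank_values=True).items():
            if name not in param_names:
                continue
            for raw in values:
                decoded = fully_decode(raw).replace("\\", "/")
                # Flag "../" segments and absolute paths handed to an include parameter.
                if TRAVERSAL_RE.search(decoded) or decoded.startswith("/"):
                    hits.append((lineno, name, decoded))
    return hits


if __name__ == "__main__":
    for hit in find_lfi_attempts(SAMPLE_LOG):
        print("line %d: %s=%s" % hit)
```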

Following this article, I was able to upload a shell to the host and get a shell connection:

https://rawsec.ml/en/local-file-inclusion-remote-code-execution-vulnerability/

Using Burp Suite's Repeater we can resend the request to connect.php and upload our shell there; we are going to use this method as it worked for me.

This is what Burp Suite looks like after we encode our msfvenom-generated shell.php into base64:

We use msfconsole to get a shell, with the settings matching those in the shell.php file.

Then we break out of the restricted shell with python3 -c 'import pty;pty.spawn("/bin/bash")'

As we can see, we can add a new user with root privileges.
