Vulnhub – Sahu-V1.1 Walkthrough

We start with nmap -A -T4 -p- 192.168.1.9 -vv

With an anonymous FTP login we can see a file, ftp.zip. We download it to our machine, but it asks for a password:

OK, I tried to brute-force it but didn't find the right password. Meanwhile, a dirb search came up with this search pattern:

So, following the path pattern, it will end with /H/A/R/Y/A/N/A/, and there we see a page:

In the page source we can see there is a hidden line:

Well, I tried to extract the file ftp.zip with the word hurrry but it didn't work, but it did work with the image of the map we downloaded before:

steghide extract -sf Haryana-1-1.jpg

We come away with a text file containing half a password:

So let's find this part of the password. We could use man crunch to generate the right password pattern:

After trial and error I found the right pattern: crunch 6 6 -t 5AH@^% > crunch.txt

After extracting the file with the password, we have a new username and password to log in to the ftp service with:

So let's log in with user sahu and password sahu14216:

Then it failed to log in to ftp:

So what we have now is ssh so let’s try it out:

Failed too:

OK, let's try smbclient:

It worked and we have a new text file ssh.txt, so we download it and see what we have:

I copied EnumLinux.sh to the target machine, and as a result of running the script I found out that I can edit /etc/passwd:

So all we have to do now is add a new user with root privileges:

openssl passwd -1 -salt hacker 123456

echo 'hacker:$1$hacker$6luIRwdGpBvXdP.GMwcZp/:0:0:root:/root:/bin/bash' >> /etc/passwd

su hacker

Password: 123456

And we are ROOT!! Cat the flag.txt from the root folder and we are DONE!!
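
The last step works only because /etc/passwd was writable by a non-root user, and it leaves behind a second UID 0 account with a hash in the password field. The following is an added example, not part of the original walkthrough, of a shell check for those conditions; the function names audit_passwd and make_sample and the sample file contents are constructed for illustration:

```sh
#!/bin/sh
# Added example: audit a passwd-format file for the conditions the
# walkthrough's final step depends on and leaves behind.

# Write a constructed sample passwd file to $1 (not taken from the target VM,
# except the "hacker" line, which is the entry the walkthrough appends).
make_sample() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sahu:x:1000:1000:sahu:/home/sahu:/bin/bash
hacker:$1$hacker$6luIRwdGpBvXdP.GMwcZp/:0:0:root:/root:/bin/bash
EOF
    chmod 666 "$1"   # simulate the writable /etc/passwd found on the box
}

# Print one finding per line for the passwd file given as $1.
audit_passwd() {
    # 1. Permissions: only the owner (root) should be able to write the file.
    #    -perm -020 / -perm -002 match the group-write / other-write bits.
    if [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "WRITABLE $1 is group- or world-writable"
    fi
    # 2. Entries: UID 0 accounts other than root, and password fields that
    #    hold a hash or are empty instead of deferring to /etc/shadow.
    awk -F: '
        /^#/ || NF < 7 { next }
        $3 == 0 && $1 != "root" { print "UID0 " $1 }
        $2 == ""                { print "EMPTY_PASSWORD " $1; next }
        $2 != "x" && $2 != "*" && $2 != "!" { print "INLINE_HASH " $1 }
    ' "$1"
}

# Demo on the constructed sample; on a real host run: audit_passwd /etc/passwd
demo_dir=$(mktemp -d)
make_sample "$demo_dir/passwd"
audit_passwd "$demo_dir/passwd"
rm -rf "$demo_dir"
```

On a correctly configured host the function prints nothing: /etc/passwd is mode 644 and owned by root, root is the only UID 0 entry, and every password field is x, * or !.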
