Billu: Box 2 Vulnhub Walkthrough

Russell Murad
Feb 2, 2021

Hello guys! This is Russell Murad, working as a Junior Security Engineer at Enterprise Infosec Consultants (EIC).

In this writeup, we’ll break a machine named “Billu: Box 2”.

You can download it from here.

I’ve configured both the Vulnhub machine and my Kali machine on a VirtualBox bridged connection.

Vulnhub said that “This virtual machine is having intermediate to medium difficulty level.”

But I personally find it easy.

1. First, we are going to check my victim machine’s IP using arp-scan.

2. Then let’s try to find out some open ports using Nmap.

3. Port 80 is open. Let’s enumerate it using Firefox.

Wappalyzer said it’s built with Drupal 8. There’s a popular exploit on GitHub named “Drupalgeddon2”, which can be downloaded from here.

4. It’s written in Ruby. We’ll run it against our victim IP.

It’s working !!!

5. Now, to get a reverse shell: if we try “nc”, it reports the “netcat-openbsd” package. But using “ncat” we can get the job done.

Our kali machine will get a connection from the server.

6. After that, we’ll do some manual enumeration.

When we check “/etc/passwd”, we find something useful!

There is a password hash stored in the “/etc/passwd” file.

On modern Linux systems, password hashes are stored in the “/etc/shadow” file. Besides, the “/etc/passwd” file has 777 permissions.

That means any user can modify or delete it.

7. So now we’ll copy the “passwd” file to our Kali machine, where we’ll replace the “indishell” hash with our generated hash.

For generating a hash we’ll use OpenSSL.

Here the salt and password are abc and pass123.

8. Let’s replace the indishell hash with the new one.

Keep in mind we have to add an extra “:0:0” after the hash in that line.

9. Now, let’s use Apache or Python’s SimpleHTTPServer to transfer that passwd file to our victim machine. Delete or replace the genuine passwd file in /etc with our new passwd file.

10. Let’s log in as user “indishell” with the password pass123.

And it works !!! We’ve gained root privilege !!!
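The root cause from step 6 onward is a passwd file that non-owners can write and that carries a hash in its password field. The following audit check for that condition is an added example, not part of the original write-up; the sample entries and the hash placeholder are constructed, and the function names are hypothetical.

```python
import os
import stat

# Constructed sample in /etc/passwd format. The hash is a placeholder,
# not a value from the target machine.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
indishell:$id$salt$PLACEHOLDER_HASH:0:0:indishell:/home/indishell:/bin/bash
broken-line-without-fields
"""

def audit_mode(mode):
    """Flag permission bits that let non-owners write the file."""
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    return findings

def audit_entries(text):
    """Return (subject, issue) pairs for risky or malformed passwd entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((f"line {lineno}", "malformed entry"))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append((user, "empty password field"))
        elif pw not in ("x", "*") and not pw.startswith("!"):
            findings.append((user, "hash stored in passwd instead of shadow"))
        if uid.isdigit() and int(uid) == 0 and user != "root":
            findings.append((user, "non-root account with UID 0"))
    return findings

def audit_file(path="/etc/passwd"):
    """Audit a real file: permission bits plus entry contents."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path) as fh:
        return audit_mode(mode), audit_entries(fh.read())

if __name__ == "__main__":
    print(audit_mode(0o777), audit_entries(SAMPLE_PASSWD))
```

On a correctly configured system, `audit_file()` returns two empty lists: /etc/passwd is mode 644, every password field is “x”, and only root has UID 0.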

So, guys, that’s it for today.
Thank you for reading this write-up. Cheers!
