
Vulnhub Super Mario Host: 1.0.1 Walkthrough Part 1

Hi fellows,

In this post I want to show you another walkthrough of a Vulnhub machine. This time it is the Super Mario Host, which can be found here. As always, if you haven’t solved this challenge yet, I strongly suggest that you first try it by yourself and consult this post only as a reference.

So let's start. To determine the IP address of the Super Mario Host I used the netdiscover tool, which gave me the IP address 192.168.56.102. Running nmap against this host reveals two open ports, port 22 and port 8180. I started by examining port 8180, since it looks a bit unusual. Opening it in a browser shows the default nginx page, and its source reveals nothing interesting. As a next step I ran dirb against that web server.

root@kali:~/Documents/vulnhub/supermario# dirb http://192.168.56.102:8180 /usr/share/wordlists/dirb/big.txt -w

...
---- Scanning URL: http://192.168.56.102:8180/ ----
+ http://192.168.56.102:8180/server-status (CODE:403|SIZE:215)
+ http://192.168.56.102:8180/vhosts (CODE:200|SIZE:1364)
...

Connecting to the /vhosts folder returns the configuration file of a virtual host. One point of interest in it: ServerName mario.supermariohost.local. So let's try to connect to this name. Unfortunately there was nothing at first; since it is a local host name, I added it to my /etc/hosts file. Reconnecting revealed a new web page, which appears to be a game. However, the game did not work on my machine, and the source code also showed nothing. So I ran dirb again against this host. The same run as before did not reveal anything, so I looked for *.php files instead.

root@kali:~/Documents/vulnhub/supermario# dirb http://mario.supermariohost.local:8180 /usr/share/wordlists/dirb/big.txt -w -X .php

...
---- Scanning URL: http://192.168.56.102:8180/ ----
+ http://192.168.56.102:8180/command.php (CODE:200|SIZE:231)
+ http://192.168.56.102:8180/mario.php (CODE:200|SIZE:7080)
...

There is another page called command.php. This page lets us check whether a user exists or not. So I tried several Super Mario characters like Mario, Luigi, Peach, Todd etc. Some of them exist, some don’t. However, I soon realized that this function seems to be somewhat random: when I enter nothing and hit search, it either returns nothing, “User Exists” or “User not found”. Weird.

Anyway, at that point I wanted to examine the open SSH port. To do so, I first created a list of usernames from the Super Mario universe. Then I created a password list from it using john.

root@kali:~/Documents/vulnhub/supermario# john --wordlist=user --rules --stdout > passwords
root@kali:~/Documents/vulnhub/supermario# cat passwords
...
Peach1
Mario1
...
luigiluigi
...

This gave me a password list of simple passwords derived from the usernames. In the next step I fed those two files to hydra to test them against the SSH service.
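The password list above works because rule-based generators only apply cheap transformations to the username (append a digit, capitalize, repeat, reverse, leetspeak). The defensive counterpart is to reject such passwords before they reach a login service. The following is an added example, not code from the original post or from the Super Mario Host VM; the transformation set, the suffix list and the `check_new_password` policy are my own assumptions about what a reasonable account-creation check should cover.

```python
import re

# Cheap substitutions that wordlist rules commonly apply (assumed set).
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})

# Suffixes/prefixes that username-based rules typically bolt on (assumed set).
DECORATIONS = [str(d) for d in range(10)] + ["123", "1234", "!", "!1", "2017"]


def username_variants(username: str) -> set:
    """Expand a username into the trivial variants a rule-based generator would emit."""
    base = username.lower()
    casings = {base, base.capitalize(), base.upper()}
    derived = set()
    for form in casings:
        # reversed, doubled ("luigiluigi") and leetspeak forms of each casing
        derived.update({form, form[::-1], form * 2, form.translate(LEET)})
    expanded = set(derived)
    for variant in derived:
        for deco in DECORATIONS:
            expanded.add(variant + deco)   # "luigi1", "Peach1", "mario!"
            expanded.add(deco + variant)   # "1luigi"
    return expanded


def is_username_derived(username: str, password: str) -> bool:
    """True if the password is a trivial transformation of the username."""
    if password in username_variants(username):
        return True
    # Catch the username wrapped in arbitrary digits/symbols, e.g. "luigi!!!!2017".
    letters_only = re.sub(r"[^a-z]", "", password.lower())
    base = username.lower()
    return letters_only in {base, base[::-1], base * 2}


def check_new_password(username: str, password: str, min_length: int = 12) -> list:
    """Return a list of policy violations; an empty list means the password is acceptable."""
    reasons = []
    if len(password) < min_length:
        reasons.append("too-short")
    if is_username_derived(username, password):
        reasons.append("derived-from-username")
    return reasons


if __name__ == "__main__":
    # Constructed demonstration values, including the one recovered in the post.
    for user, pw in [("luigi", "luigi1"), ("peach", "Peach1"), ("mario", "M4r10!"),
                     ("mario", "correct horse battery staple")]:
        print(user, repr(pw), check_new_password(user, pw) or "ok")
```

The `letters_only` fallback is what catches decorated forms that the explicit variant set misses; the cost is that a long passphrase which happens to reduce to exactly the username is also rejected, which is the right trade-off for a policy check.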

root@kali:~/Documents/vulnhub/supermario# hydra -L users -P passwords ssh://192.168.56.102
...
[DATA] attacking service ssh on port 22
[22][ssh] host: 192.168.56.102 login: luigi password: luigi1
...

Boom!! Luigi uses a very easy password. So we are able to connect to the machine now. At this point I want to finish this first part. Maybe you can solve the second part by yourself. Otherwise, wait until I publish the second part. As usual, if you have any hints, comments or other nice approaches, do not hesitate and write a comment. Stay tuned for the second part!
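A hydra run like the one above leaves a very recognizable trace in the target's sshd log: a burst of "Failed password" entries from one source address against several usernames, followed by an "Accepted password" entry. The following detector is an added example, not part of the original post; the log lines are constructed in syslog format to resemble what such a run would produce, and the 60-second window and the threshold of five failures are assumed tuning values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of sshd entries (syslog format); not taken from the VM.
SAMPLE_AUTH_LOG = """\
Jun 14 10:21:01 supermario sshd[2001]: Failed password for mario from 192.168.56.101 port 51230 ssh2
Jun 14 10:21:01 supermario sshd[2002]: Failed password for invalid user bowser from 192.168.56.101 port 51231 ssh2
Jun 14 10:21:02 supermario sshd[2003]: Failed password for peach from 192.168.56.101 port 51232 ssh2
Jun 14 10:21:02 supermario sshd[2004]: Failed password for luigi from 192.168.56.101 port 51233 ssh2
Jun 14 10:21:03 supermario sshd[2005]: Failed password for luigi from 192.168.56.101 port 51234 ssh2
Jun 14 10:21:03 supermario sshd[2006]: Failed password for luigi from 192.168.56.101 port 51235 ssh2
Jun 14 10:21:04 supermario sshd[2007]: Accepted password for luigi from 192.168.56.101 port 51236 ssh2
Jun 14 10:25:30 supermario sshd[2010]: Failed password for luigi from 192.168.56.50 port 40001 ssh2
Jun 14 10:25:45 supermario sshd[2011]: Accepted password for luigi from 192.168.56.50 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line: str):
    """Parse one sshd password-auth line; returns None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog omits the year; only time deltas within the file are needed here
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return {"ts": ts, "result": m.group("result"), "user": m.group("user"), "ip": m.group("ip")}


def detect_bruteforce(log_text: str, window_seconds: int = 60, threshold: int = 5) -> list:
    """Flag source IPs with >= threshold failures inside the window, and any
    accepted login that follows such a burst from the same IP."""
    recent = defaultdict(deque)        # ip -> failure timestamps still inside the window
    users_tried = defaultdict(set)     # ip -> usernames seen failing (not pruned by window)
    flagged = set()
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["ip"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()                # slide the window forward
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            users_tried[ev["ip"]].add(ev["user"])
            if len(q) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                findings.append({"type": "bruteforce", "ip": ev["ip"],
                                 "failures": len(q), "users": sorted(users_tried[ev["ip"]])})
        elif len(q) >= threshold:
            # a success right after a burst of failures is the high-priority signal
            findings.append({"type": "success_after_bruteforce", "ip": ev["ip"],
                             "user": ev["user"], "failures": len(q)})
    return findings


if __name__ == "__main__":
    for finding in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(finding)
```

On the constructed sample the single failed attempt from 192.168.56.50 stays below the threshold and is not reported, while 192.168.56.101 produces both a "bruteforce" finding (four distinct usernames tried) and a "success_after_bruteforce" finding for luigi. Key-only authentication or a rate limiter such as fail2ban would have stopped the run long before the sixth attempt.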

Cheers
