In this post I want to show you another walkthrough of a Vulnhub machine. This time it is the Super Mario Host, which can be found here. As always, if you haven't solved this challenge yet, I strongly suggest that you first try it by yourself and consult this post only as a reference.
So let's start. In order to determine the IP address of the Super Mario Host I use the netdiscover tool. This gave me the IP address 192.168.56.102. nmap on this host reveals that there are two open ports, i.e., port 22 (SSH) and port 8180. I started examining port 8180, since this looks a bit special. Connecting to it within a browser results in the default page of nginx. The source reveals nothing interesting. As a next step I run a directory brute-force with dirb against that web server:
```
root@kali:~/Documents/vulnhub/supermario# dirb http://192.168.56.102:8180 /usr/share/wordlists/dirb/big.txt -w
...
---- Scanning URL: http://192.168.56.102:8180/ ----
+ http://192.168.56.102:8180/server-status (CODE:403|SIZE:215)
+ http://192.168.56.102:8180/vhosts (CODE:200|SIZE:1364)
...
```
Connecting to the /vhosts folder returns the configuration file of a virtual host. One interesting point is in there: ServerName mario.supermariohost.local. So let's try to connect to this one. Unfortunately there was nothing. Since it is a local host name that my machine cannot resolve, I added this host to my /etc/hosts file, pointing the name at 192.168.56.102. Reconnecting revealed a new web page, which seems to be a game. However, the game did not work on my machine. The source code also didn't show anything. So I again run dirb on this host. The same run as before did not reveal anything, so I looked for PHP files with the -X .php extension option:
```
root@kali:~/Documents/vulnhub/supermario# dirb http://mario.supermariohost.local:8180 /usr/share/wordlists/dirb/big.txt -w -X .php
...
---- Scanning URL: http://192.168.56.102:8180/ ----
+ http://192.168.56.102:8180/command.php (CODE:200|SIZE:231)
+ http://192.168.56.102:8180/mario.php (CODE:200|SIZE:7080)
...
```
There is another page called command.php. This page allows us to check whether a user exists or not. So I tried several Super Mario characters like Mario, Luigi, Peach, Toad etc. Some of them exist, some don't. However, I suddenly realized that this function seems to be a bit random: when I enter nothing and hit search, it either returns nothing, "User Exists" or "User not found". Weird.
Anyway, at that point I wanted to examine the open SSH port. In order to do so, I first created a list with several usernames from the Super Mario universe. Then I created a password list from those usernames using John the Ripper's rule engine (--rules) in --stdout mode:
```
root@kali:~/Documents/vulnhub/supermario# john --wordlist=user --rules --stdout > passwords
root@kali:~/Documents/vulnhub/supermario# cat passwords
...
Peach1
Mario1
...
luigiluigi
...
```
This gave me a password list with simple passwords based on the usernames. In the next step I fed those two files to hydra in order to brute-force the SSH login:
```
root@kali:~/Documents/vulnhub/supermario# hydra -L users -P passwords ssh://192.168.56.102
...
[DATA] attacking service ssh on port 22
[ssh] host: 192.168.56.102   login: luigi   password: luigi1
...
```
Boom!! Luigi uses a very easy password. So we are able to connect to the machine now. At this point I want to finish this first part. Maybe you can solve the second part by yourself. Otherwise, wait until I publish the second part. As usual, if you have any hints, comments or other nice approaches, do not hesitate to write a comment. Stay tuned for the second part!