HA: VEDAS Walkthrough (Vulnhub)
Description from Vulnhub
Vedas meaning sacred knowledge or revealed knowledge, are old texts of Hinduism. The level of the lab is intermediate and consists of four flags. This lab is based on the four Vedas, the flags are based on the same which are as follow:
- Rig Veda: It is an Indian collection of Vedic Sanskrit of gods that we worship.
- Yajur Veda: The second Vedic that has prayers and sacrificial instructions.
- Sama Veda: This Veda is a collection of chants and songs.
- Atharva Veda: Enlightens us with the procedures of everyday life.
Note: It is important to note that, all the flags are connected to each other. To reach the final flag, you have to make sure to capture all the flags. Download the VM from here!!!
I must say the machine is not too hard but you have to clear basic for solving Hacking Article’s Machines.
Let’s began with Scanning the victim machine…
Port Scanning
After identifying the intended victim let’s run a Nmap scan to find the open ports and services running.
Web Reconnaissance
So we got two open ports. I tried to enumerate port 80 using gobuster but got nothing but if you have ever solved HA Machines then you have to create your own wordlist using the CEWL tool and I did the same.
Then I run a gobuster scan again, and this time I was lucky.
One thing more the Hacking Articles VM’s are also famous for UDP Scan. Let’s give it a try…
…and here we go. We found two UDP ports. Let’s try to enumerate port 161 and for this, we will use Metasploit. Use the auxiliary snmp_enum module and just set the RHOST option and you are good to goo.
and, yes we got our first flag.
so, continuing from the gobuster scan. Since I found a URI path I visited it but got nothing and then I run another gobuster scan on /Kashyapa/ and another success for me.
This time plenty of URI paths are available but the useful one was /admin. Visiting the page source provides a link which might be vulnerable to SQL injection.
After that, I visited the page which gives me a user name that might be useful.
Now I have a username and a password list so I tried a hydra attack on the /admin path and …
… luckily I got the credentials. ( CMS made simple is also vulnerable to SQL injection you can try this also.)
Now login with the credentials and move to the Content manager section and we got the second flag.
Move to the file manager section and we have an upload section. Now I used the Burp Suite to intercept the request to check what kind of file it accepts. So, finally, I got to know its accepts phtml extension file. Now I uploaded a reverse shell with .phtml extension and open a Netcat listener on a new terminal and yes we got the reverse shell.
But we will not go this way since it’s an SSH credential also. Now login through SSH way and check if the user has sudo Privileges or not. Since the user atri is not on the sudo list we have to check for another way.
After running Linpeas script, pspy32, and enumerating the box I finally run the netstat command and found port 5000 running on localhost.
Now to access port 5000 I used VNC over SSH which encrypts VNC connection over SSH like this
Navigate to the browser and use http://localhost:5000 to access the next flag.
Privilege Escalation
Till here we got three flags but for the fourth flag, we must consider the hint which is all flags are connected.
Now I combined all the strings marked yellow and used reverse MD5 hash decrypter. Use the cracked string as a password for the user Vedas and check if he has any sudo Privilege or not and yes he can run ALL commands.
Simply type sudo su and you get the root Privileges. Now navigate to the root directory to access the final flag.
