Part 1: Write-up of Nezuko VM

twinkle
4 min read · Feb 7, 2023


Wow, Nezuko-chan has her own vulnerable machine huh? Guess she might be teaching her blood demon art in this vulnerable machine….

Hello. So, this is another episode where I try to do writeups on my own alongside trying to explore, understand and do practical activities while diving into the world of CTF and cybersecurity. I decided to challenge myself to solve this b2r VM named Nezuko. Created by @yunaranyancat, I wonder if it is actually easy — intermediate level just like how he classified it to be.

Setting up the environment and network scanning

I will use Kali Linux as my attacking machine and use a NAT network for both machines. I either use NAT or host-only whenever I solve b2r challenges. Not sure if you can use a different network adapter (which I personally think you can, and it comes down to personal preference), but I prefer to play it safe. To make it easier to give out commands on my terminal, I make sure that I have switched to root.

First off, I scan for my machine's IP address — yeah, I barely remember mine.

Command: ifconfig

Once finished, I proceed with identifying the IP address for Nezuko.

Command: netdiscover -i eth0

Now, since both IP addresses have been identified, let’s get our hands dirty.

Recon

It’s necessary to identify what open ports and services are running on this target machine. So, I scan for possible open ports and services running on it.

Command: nmap -sC -sV -T4 -A -p- <IP Address Target Machine>

As a result, there are 3 open ports discovered. I’m curious about both HTTP ports discovered there, so I decided to take a look at port 80 first, before exploring port 13337. This is because there is a robots.txt there and strangely, on the other port, there is a Webmin login page (I presume either of these can be a dummy or a lead to the flag?).

Upon browsing to the site on port 80, I found this cute gif of Nezuko-chan crawling out of her box.

Since it was said that there is a robots.txt directory, why don't we give it a check. — This felt strange….this just doesn't feel like it.

Ouh look, a string….in what base is this?

Randomly threw it (jk) inside CyberChef and let the magic do its work…. Ouh? It cannot be decrypted…?

So, I referred back to my notes to identify what format this string is in and hmmmmm it seemed like it’s in base 32… I gave it a shot.

My hunch was right. It is actually a dummy. It’s okay Nezuko-chan… I know what the other port is 😊
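
The base-identification step above, as an added example that is not part of the original write-up: it checks a string against the RFC 4648 base16/base32/base64 alphabets and length rules, decodes with every base that fits, and ranks the results by how printable the output is. The function names and the sample string are constructed for illustration; the sample is not the string from the VM.

```python
import base64
import binascii
import re

# (name, allowed alphabet, required length multiple, decoder) per RFC 4648.
CANDIDATES = [
    ("base16", re.compile(r"[0-9A-Fa-f]+"), 2,
     lambda s: base64.b16decode(s.upper())),
    ("base32", re.compile(r"[A-Z2-7]+=*"), 8, base64.b32decode),
    ("base64", re.compile(r"[A-Za-z0-9+/]+=*"), 4,
     lambda s: base64.b64decode(s, validate=True)),
]

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    good = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return good / len(data)

def identify_encoding(text: str):
    """Return [(name, decoded_bytes, ratio)] for every base that fits, best first."""
    text = text.strip()
    results = []
    for name, alphabet, block, decoder in CANDIDATES:
        # Cheap structural checks first: alphabet and length multiple.
        if not alphabet.fullmatch(text) or len(text) % block:
            continue
        try:
            decoded = decoder(text)
        except (binascii.Error, ValueError):
            continue
        results.append((name, decoded, printable_ratio(decoded)))
    # A base32 string is also syntactically valid base64, so the wrong base
    # can "decode" to garbage; readable output is what separates them.
    results.sort(key=lambda r: r[2], reverse=True)
    return results

# Constructed sample (not the string from the VM): unpadded base32 text.
SAMPLE = base64.b32encode(b"decoy flag").decode()

if __name__ == "__main__":
    for name, decoded, ratio in identify_encoding(SAMPLE):
        print(f"{name}: {decoded!r} (printable {ratio:.0%})")
```
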

Let’s proceed to check port 13337. Upon browsing to it, as expected, it is a Webmin login page.

Webmin login….why does this sound like an admin login page?

Bingo! It is an admin page (I presume?). But…how…am I…supposed to find the credentials? I tried out the common credentials used and nope! That’s not it. Since I am unfamiliar with this login page itself (the name sounded as if it is somewhat legit so I don’t think brute force would be the way to get in) I decided to browse for anything that is related to Webmin and look what we have here….

The latest version released is now Webmin 2.013. I then searched for issues regarding Webmin version 1.920 — This is the version used for this login page.

Ouh? RCE ?

daisyB sending SOS T.T

I found a script related to the vulnerability that can be tried. So, I copied the script and ran a test against the site, to check whether it is vulnerable or not.

It is VULNERABLE!

Even just doing recon, there are all sorts of things that have to be done, sighhhh…..

To be continued…
