VM located here: Vulnhub

First things first, what IP did that VM get?  Then scan it.

Let’s take a look in the browser:

Website

Interesting, probably something in the source.

Hmm, I did a little reading on the Commodore 64 and the chips they used.  Then I spidered the site and discovered there is a subdirectory.  Another page, another source to look at 🙂

commodorepage

The source gave a giant clue:

I had an idea of the password and a candidate list but didn’t know where to put it.  There must be something else.

  • mos6502
  • mos6510
  • mos6581
  • mos8580
  • mos6582

Let’s fuzz this guy and see what we find:

fuzzer

loginpage

I tried all those passwords but none of them worked, maybe I need to brute force more combinations.  I used crunch to create that password list.  I’m positive on the “mos” part, but the four-digit number might be something else.  After I made the password.lst I used hydra to brute force it.

After logging in with robhubbard : mos6518 we see that we have a perfect opportunity to upload our own PHP code.  First I uploaded a really simple command executor in order to do a light survey.

uploaded

cmd.php

RemoteCmdExecution

LightSurvey

Unfortunately, it looks like netcat isn’t on the system so I just uploaded a reverse PHP shell and then upgraded to bash. I just used the one from PenTestMonkey.net. I set up a nc listener then went to the page to have Apache execute the PHP and call me back.
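From the defender's side, the steps above (hydra brute force against the login, then an uploaded PHP file executed by Apache) leave a recognizable trail in the web server's access log. The following is an added example, not part of the original walkthrough; the log lines, the paths `/login.php`, `/upload.php` and `/uploads/`, the status-code conventions and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict

LOGIN_PATH = "/login.php"   # assumption: path of the login form
UPLOAD_DIR = "/uploads/"    # assumption: where uploaded files are served from
FAIL_THRESHOLD = 5          # assumption: failed logins tolerated before alerting
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                  r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def build_sample():
    """Constructed Apache access-log lines; not taken from the VM."""
    fmt = '{} - - [01/Jan/2024:10:00:{:02d} +0000] "{} {} HTTP/1.1" {} 512'
    rows = [("203.0.113.7", "POST", LOGIN_PATH, 200)] * 8   # rejected guesses
    rows += [
        ("203.0.113.7", "POST", LOGIN_PATH, 302),            # accepted login
        ("203.0.113.7", "POST", "/upload.php", 200),
        ("203.0.113.7", "GET", UPLOAD_DIR + "cmd.php", 200),
        ("198.51.100.4", "POST", LOGIN_PATH, 200),           # a single typo
        ("198.51.100.4", "POST", LOGIN_PATH, 302),
        ("198.51.100.4", "GET", UPLOAD_DIR + "photo.jpg", 200),
    ]
    return [fmt.format(ip, i, m, p, st) for i, (ip, m, p, st) in enumerate(rows)]

def analyze(lines, threshold=FAIL_THRESHOLD):
    """Return (ip, finding, detail) tuples for the two patterns described."""
    fails, findings = defaultdict(int), []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, status = m["ip"], m["method"], m["status"]
        path = m["path"].split("?", 1)[0]
        if method == "POST" and path == LOGIN_PATH:
            if status == "200":        # assumption: form re-rendered on failure
                fails[ip] += 1
            elif status == "302":      # assumption: redirect on success
                if fails[ip] >= threshold:
                    findings.append((ip, "login-after-bruteforce", fails[ip]))
                fails[ip] = 0
        elif path.startswith(UPLOAD_DIR) and path.lower().endswith(
                (".php", ".phtml", ".phar")):
            findings.append((ip, "script-run-from-upload-dir", path))
    return findings

if __name__ == "__main__":
    for finding in analyze(build_sample()):
        print(finding)
```

Login lockout or rate limiting addresses the first finding, and disabling script execution in the upload directory addresses the second.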

I have a /bin/sh shell with no tty. Let’s use Python to upgrade our shell.

Oh no, where is python?  Oh good, I see, python3.5 is installed, let’s just invoke that.

Win!

Once I had a shell I poked around for a way to escalate my privileges. I first became rhubbard and then found an easy way to root through sudo.

He has all the keys to the kingdom.  I found the following files and copied them to the web server directory to download them easily, now it’s time to crack this flag open.

First, I had to unzip this password protected zip file. Thankfully time is on my side and I can just brute force it with fcrackzip.

Getting the Commodore 64 emulator to work was by far the biggest challenge in this scenario. First I did an apt-install and then through a lot of research I realized I need to install the latest build to get it to work. That tutorial can be found here.

sidney vulnhub flag

The zipped flag file

Thanks knightmare for another good VM to go through.  Keep up the good work.

 

Walkthrough of Sidney 0.2 on Vulnhub