Vulnhub Vegeta: 1 Walkthrough


    I would say that's a fair assessment but I could also see this causing some problems for beginners.  In general, I think it's always good to remember that "beginner" is based on a person's level of knowledge, tools, etc. 

    Assuming that a beginner is reading this post for some help, let me toss out a couple of tricks and also show how I spider out with my enumeration and then come back to what's important. 

    First, we kick off with Nmap:

    What I'd like to point out is that I didn't go with a full-blown scan.  If you're on your own network, a full scan will go quickly, but if we're scanning a remote system, a full scan could take a long time.  We'll start smaller and work our way out.  First we go for the top ports, which lets us continue our enumeration while we run other Nmap scans in another window.

    Top-ports comes back with ports 22 and 80.

    We can then hit those two ports with more options to get more info:

    While we're enumerating port 80, we run a full scan in that other window:

    This way, we can maximize our time and work several avenues in parallel.

    Looking at the web port, we find:

    Again, working smaller and then bigger, I'll start with Nikto because, more often than not, it will finish faster than some of the other tools:

    We find some directories to browse, let's check out /admin:

    That leads nowhere. 

    Nikto finishes and we uncover /login.php:

    We check that out, but at zero bytes it's nothing:

    We run GoBuster:

    We uncover /bulma, but let's check to see if there's a robots.txt file:

    That uncovers another directory:

    That also leads to nothing.  Lots of miniature rabbit holes on this box.

    Checking out /bulma, we find:

    I listen to the WAV file and it sounds like Morse code.  We upload it into a decoder and get a username and password:

    It ends up being in lowercase -- trunks : u$3r

    We get logged into the system and see that there are entries in the .bash_history file:

    The user Tom does not exist in /etc/passwd, so we'll store this information and take a look around a bit more:

    If I'd been paying attention when I was enumerating this page from the browser, I would have noticed the scroll bar going down.  At the bottom, I would have found this base64:

    We decode it:

    It's encoded twice, and when we decode it the second time we see PNG.  I save it into a file with a PNG extension and we find a QR code:
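The "decode it, see a PNG header, save it with the right extension" step above is a routine one in CTF and forensic work, so here is an added example (not from the original walkthrough) that automates it: it peels off nested base64 layers until the payload starts with a known file signature or stops being valid base64, and reports how many layers it removed. The sample PNG header and the double-encoded blob are constructed inline; the `MAGIC` table and the function names are my own.

```python
import base64
import binascii

# Magic-byte signatures for a few common file types (a constructed, minimal table).
MAGIC = {
    b"\x89PNG\r\n\x1a\n": ("PNG image", "png"),
    b"\xff\xd8\xff": ("JPEG image", "jpg"),
    b"GIF87a": ("GIF image", "gif"),
    b"GIF89a": ("GIF image", "gif"),
    b"%PDF-": ("PDF document", "pdf"),
    b"PK\x03\x04": ("ZIP archive", "zip"),
}


def identify(data: bytes) -> str:
    """Return a human-readable type name based on leading magic bytes."""
    for sig, (name, _ext) in MAGIC.items():
        if data.startswith(sig):
            return name
    return "unknown"


def extension_for(kind: str) -> str:
    """Map a type name back to a file extension ('bin' if unknown)."""
    for _sig, (name, ext) in MAGIC.items():
        if name == kind:
            return ext
    return "bin"


def peel_base64(blob: bytes, max_layers: int = 5):
    """Strip nested base64 layers.

    Returns (payload, layers_removed, kind). Decoding stops as soon as the
    current bytes start with a known file signature, or when a strict decode
    fails (the bytes are no longer base64 text), whichever comes first.
    """
    current = blob
    for layer in range(max_layers):
        kind = identify(current)
        if kind != "unknown":
            return current, layer, kind
        # Base64 copied from a web page is often line-wrapped; newlines are not
        # part of the alphabet, so drop them before the strict decode.
        candidate = current.replace(b"\r", b"").replace(b"\n", b"")
        try:
            decoded = base64.b64decode(candidate, validate=True)
        except (binascii.Error, ValueError):
            return current, layer, kind
        if not decoded:
            return current, layer, kind
        current = decoded
    return current, max_layers, identify(current)


# Constructed sample: a PNG signature plus a zero-filled IHDR chunk (not a valid
# image, just enough for signature detection), wrapped in two base64 layers.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + bytes(13) + bytes(4)
DOUBLE_ENCODED = base64.b64encode(base64.b64encode(PNG_SAMPLE))

if __name__ == "__main__":
    payload, layers, kind = peel_base64(DOUBLE_ENCODED)
    print(f"removed {layers} base64 layer(s), payload looks like: {kind}")
    out = "recovered." + extension_for(kind)
    with open(out, "wb") as fh:
        fh.write(payload)
    print(f"wrote {len(payload)} bytes to {out}")
```

The strict `validate=True` decode is what keeps the loop from "decoding" plain text that happens to be made only of base64 alphabet characters; a stray space or punctuation mark in the recovered text ends the loop, and a real file signature ends it earlier.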

    We decode it and we get a password:

    This is another rabbit hole, as far as I can tell.

    Circling back to our .bash_history clue: when we view /etc/passwd, we see that trunks is the owner of the file, which means we can write to it.  Now this is starting to make sense.  The .bash_history file is telling us what we can do.

    We echo the contents like we see in .bash_history, then switch users to Tom using the pre-hashed password: Password@973
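The root cause on this box is a /etc/passwd that a low-privilege user owns, which lets anyone with that account append an entry carrying its own hash and UID 0. As an added example (not part of the original walkthrough), the audit below is what a defender or a post-incident check would run to catch exactly that state: bad ownership or mode on the file, password hashes stored in /etc/passwd instead of /etc/shadow, empty password fields, and extra UID 0 accounts. The sample passwd contents are constructed, with a placeholder hash; the function names and the finding format are mine.

```python
import os
import stat

# Values in the password field that mean "no usable password here" and are fine
# to see in /etc/passwd: 'x' defers to /etc/shadow, the rest are locked markers.
LOCKED_MARKERS = {"x", "*", "!", "!!"}

# Constructed sample: a normal system, one injected UID 0 account with an inline
# hash (placeholder, not a real hash) and one account with no password at all.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
trunks:x:1000:1000:trunks:/home/trunks:/bin/bash
Tom:$1$placeholderhash:0:0:User_like_root:/root:/bin/bash
guest::1001:1001::/home/guest:/bin/sh
"""


def audit_passwd_entries(text: str):
    """Return a list of (line_number, account, message) findings for passwd text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, fields[0], "malformed entry (expected 7 colon-separated fields)"))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if pw == "":
            findings.append((lineno, name, "empty password field: account can log in without a password"))
        elif pw not in LOCKED_MARKERS:
            findings.append((lineno, name, "password hash stored directly in /etc/passwd (should be 'x' with the hash in /etc/shadow)"))
        if uid == "0" and name != "root":
            findings.append((lineno, name, "UID 0 account other than root"))
    return findings


def check_passwd_mode(mode: int, owner_uid: int):
    """Flag ownership/permission problems given a file mode (permission bits) and owner UID."""
    issues = []
    if owner_uid != 0:
        issues.append((0, "/etc/passwd", f"owned by UID {owner_uid}, not root; the owner can rewrite it"))
    if mode & stat.S_IWGRP:
        issues.append((0, "/etc/passwd", "group-writable"))
    if mode & stat.S_IWOTH:
        issues.append((0, "/etc/passwd", "world-writable"))
    return issues


def audit_passwd_file(path: str = "/etc/passwd"):
    """Run both checks against a real file on disk."""
    st = os.stat(path)
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return check_passwd_mode(stat.S_IMODE(st.st_mode), st.st_uid) + audit_passwd_entries(text)


if __name__ == "__main__":
    # Demonstrate on the constructed sample rather than touching the live file.
    for lineno, name, msg in check_passwd_mode(0o644, 1000) + audit_passwd_entries(SAMPLE_PASSWD):
        where = f"line {lineno}" if lineno else "file"
        print(f"[{where}] {name}: {msg}")
```

The expected healthy state is mode 0644 owned by root, every password field `x` (or a locked marker), and exactly one UID 0 entry; anything else is worth an alert, because a writable /etc/passwd turns a shell as any user into a root account in one line, as this box shows.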

    One last thing to do:

    That was fun!

    © 2020