Vulnhub Vegeta: 1 Walkthrough

by Vince

The description states:  "THIS IS A MACHINE FOR COMPLETE BEGINNER , GET THE FLAG AND SHARE IN THE TELEGRAM GROUP (GROUP LINK WILL BE IN FLAG.TXT)"

I would say that's a fair assessment but I could also see this causing some problems for beginners.  In general, I think it's always good to remember that "beginner" is based on a person's level of knowledge, tools, etc. 

Assuming that a beginner is reading this post for some help, let me toss out a couple of tricks and also show how I spider out with my enumeration and then come back to what's important. 

First, we kick off with Nmap:



What I'd like to point out is that I didn't go with a full-blown scan.  If you're on your own network, a full scan will go quickly.  But if we're scanning a remote system, a full scan could take a long time.  We'll start smaller and work our way out.  First, we go for top-ports, which lets us continue our enumeration while we run other Nmap scans in another window.

Top-ports comes back with port 22 and 80.

We can then hit those two ports with more options to get more info:


While we're enumerating port 80, we run a full scan in that other window:


This way, we can maximize our time and work several avenues in parallel.

Looking at the web port, we find:


Again, working smaller and then bigger, I'll start with Nikto because more times than not, it will finish faster than some of the other tools:


We find some directories to browse, let's check out /admin:


That leads nowhere. 

Nikto finishes and we uncover /login.php:


We check that out but with zero bytes, it's nothing:


We run GoBuster:

We uncover /bulma but let's check to see if there's a robots.txt file:


That uncovers another directory:


Which also leads to nothing.  Lots of miniature rabbit holes on this box. 

Checking out /bulma, we find:


I listen to the wave file and it sounds like Morse code.  We upload it into a decoder and we get a username and password:


It ends up being in lowercase -- trunks : u$3r


We get logged into the system and we see there are entries in the .bash_history file:


The user Tom does not exist in /etc/passwd so we'll store this information and take a look around a bit more:


If I'd been paying attention when I was enumerating this page from the browser, I would have noticed the scroll bar going down.  At the bottom, I would have found this base64:


We decode it:


It's encoded twice and when we decode it the second time, we see PNG.  I save it into a file with PNG extension and we find a QR code:


We decode it and we get a password:


This is another rabbit hole, as far as I can tell.

Circling back to our .bash_history file clue, when we view /etc/passwd, we see that trunks is the owner of the file.  Now this is starting to make sense.  The .bash_history file is telling us what we can do.


We echo the contents like we see in .bash_history and then we switch users to Tom using the pre-hashed password:  Password@973
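From the defender's side, the misconfiguration behind this step can be audited. The following is an added example, not part of the original walkthrough: it checks that the passwd file is root-owned and not group- or world-writable, and flags entries that carry a hash in the password field; the extra UID 0 check goes beyond what the text states. The sample lines, UIDs and placeholder hash are constructed, and the function names are hypothetical.

```python
import os
import stat


def audit_passwd_lines(lines):
    """Return (username, issue) findings for passwd(5)-format lines."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((fields[0], "malformed entry"))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append((name, "empty password field"))
        # "x" defers to /etc/shadow; a leading "!" or "*" marks a locked account.
        elif pw != "x" and not pw.startswith(("!", "*")):
            findings.append((name, "password hash stored in passwd"))
        if uid == "0" and name != "root":
            findings.append((name, "extra UID 0 account"))
    return findings


def audit_file_metadata(st_uid, st_mode):
    """Check the owner and write bits of the passwd file itself."""
    issues = []
    if st_uid != 0:
        issues.append("not owned by root")
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        issues.append("group- or world-writable")
    return issues


def audit_path(path="/etc/passwd"):
    """Run both checks against a real file on the host being audited."""
    st = os.stat(path)
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_file_metadata(st.st_uid, st.st_mode), audit_passwd_lines(fh)


# Constructed sample: the last line mimics an appended account (placeholder hash).
SAMPLE = [
    "root:x:0:0:root:/root:/bin/bash",
    "trunks:x:1000:1000:trunks:/home/trunks:/bin/bash",
    "Tom:PLACEHOLDERHASH:0:0:constructed:/root:/bin/bash",
]

if __name__ == "__main__":
    print(audit_file_metadata(1000, 0o100644))  # file owned by a non-root UID
    for finding in audit_passwd_lines(SAMPLE):
        print(finding)
```

On a live host, `audit_path()` returns both lists for `/etc/passwd`; any non-empty result deserves a look.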


One last thing to do:


That was fun!