Hey everyone, welcome back! Today, we’re diving into a new Vulnhub machine called Katana.
Challenge Description
- Difficulty: Intermediate
- Goal: Get the root shell, i.e. (root@localhost:~#), and then obtain the flag under /root.
- Warning: Be careful with “rabbit hole”.
Without wasting time, let’s start scanning this machine.
Scanning
I first scanned the target with an nmap fast scan:
nmap -F -sV <target_ip>
Here we got a bunch of open ports.
I tried accessing the FTP port first :) maybe we get anonymous access there.
Anonymous access not found :\
Samba Enumeration
We also have the Samba service ports open, i.e. 139 & 445. Let’s try enumerating shares using smbmap:
smbmap -H <target_ip>
Found nothing in the shares either :(
Accessing & Enumerating Port 80
After accessing the port, I got a cool katana image.
I tried different enumeration steps like checking robots.txt, the page source, etc. Found nothing!
I started directory enumeration using the dirb tool and found a directory named /ebook.
After accessing this directory, we got a book store page.
As you can see below, there is an admin login page. Let’s access this first.
It asks us for a name and pass. I tried some random passwords like admin:password etc., and surprisingly admin:admin works.
I tried getting a shell by uploading a PHP reverse shell via the add new book > images option, but it didn’t work.
Here I moved to another port, i.e. 7080. This is running on LiteSpeed and serves the same website we got on port 80. I tried enumeration again but found nothing here.
Let’s move on to the next port, i.e. 8088, where we got the same katana sword as before on the web page. I started directory and file enumeration on this website and found some
I accessed `upload.html` and got a page where we had two options for uploading a file.
Let’s try uploading our php-reverse-shell here.
The file uploaded successfully, and we can see the location it was moved to, i.e. /opt/manager/html/katana_php-reverse-shell.php
I tried accessing this file but didn’t find this location on port 8088. I tried accessing the file on a different port, i.e. port 8715. After accessing this port in the browser, it asks us for a user and pass. I tried admin as the user and admin as the password again, and it worked here too :)
And after accessing that file location, we get a shell too.
Here, before doing anything, let’s gain a TTY shell using Python.
Then I uploaded linpeas.sh to this box using a python3 HTTP server:
python3 -m http.server 8000
For downloading the file I used wget.
Before running linpeas, I gave it executable permission using chmod:
chmod +x linpeas.sh
Let’s run this script.
We found a privilege escalation vector.
We also found the katana user and root hashes. We could try to crack them, but I am using the python2.7 capability for privilege escalation via a container escape technique.
For exploitation we had to run the command below:
/usr/bin/python2.7 -c 'import os; os.setuid(0); os.system("/bin/bash");'
Here,
-c tells the Python interpreter to execute the Python code provided as a string in the subsequent argument.
The Python code first imports the os library, then sets the user ID of the process to 0, which is the user ID of the root user in Unix-like operating systems, and finally executes the command “/bin/bash” in a subshell, which starts a new Bash shell.
After running the above exploit we got a root shell :-) For the flag you can visit the location /root.
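A defender-side check for the finding above, as an added example that is not part of the original write-up: the function parses `getcap -r` output in both the older `path = caps` and the newer `path caps` style and flags capabilities that allow a privilege jump, as the python2.7 capability did here. The list of risky capabilities, the sample lines and the `cap_setuid` value shown for python2.7 are assumptions, since the page does not show the getcap output.

```shell
#!/bin/sh
# Added example, not from the original write-up: flag risky file capabilities.
# Reads `getcap -r` output on stdin; prints "path<TAB>capability<TAB>note".
flag_risky_caps() {
    while IFS= read -r line; do
        case $line in
            *' = '*)   path=${line%% = *};   caps=${line#* = } ;;     # older libcap: "path = caps+ep"
            *' cap_'*) path=${line%% cap_*}; caps=${line#"$path "} ;; # newer libcap: "path caps=ep"
            *' ='*)    path=${line%% =*};    caps=${line#"$path "} ;; # "path =ep": every capability
            *) continue ;;
        esac
        # A capability on a general-purpose interpreter is usable by any one-liner.
        case ${path##*/} in
            python*|perl*|ruby*|php*|node*|lua*) note=interpreter ;;
            *) note=binary ;;
        esac
        for clause in $caps; do
            names=${clause%%[=+]*}      # comma-separated capability names
            flags=${clause#"$names"}    # operator plus e/i/p flags
            # Only effective/permitted sets are flagged; inheritable-only is skipped.
            case $flags in *[ep]*) ;; *) continue ;; esac
            [ -n "$names" ] || names=all
            old_ifs=$IFS; IFS=,
            for cap in $names; do
                case $cap in
                    all|cap_setuid|cap_setgid|cap_dac_override|cap_dac_read_search|cap_sys_admin|cap_sys_ptrace|cap_sys_module)
                        printf '%s\t%s\t%s\n' "$path" "$cap" "$note" ;;
                esac
            done
            IFS=$old_ifs
        done
    done
}

# Constructed sample of `getcap -r /` output, mixing both output styles.
SAMPLE='/usr/bin/ping = cap_net_raw+ep
/usr/bin/python2.7 = cap_setuid+ep
/usr/bin/mtr-packet cap_net_raw=ep
/opt/tools/backup cap_dac_read_search,cap_net_bind_service=ep
/usr/bin/perl cap_setuid=i'

audit_sample() { printf '%s\n' "$SAMPLE" | flag_risky_caps; }
audit_sample
```

On a real host, pipe `getcap -r / 2>/dev/null` into `flag_risky_caps`; a capability that is not needed can be removed with `setcap -r <path>`.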
Katana Machine Solved Successfully !!