Hey everyone, welcome back! Today, we’re diving into a new Vulnhub machine called Naruto. If you love anime, you’re in for a treat with this one. Let’s get started and see what challenges and adventures await us!
Challenge Description
Book your tickets to The Konohagakure, and train under Master Jiraiya, Hokage Uzumaki and Tsunade. Use your hacking skills to stop Orrochimaru and Rescue Sasuke. Hack this boot to root and get the title of “The Number One Hyperactive, Knucklehead Ninja”
ENUMERATION IS THE KEY!!!!!
Scanning
Without wasting time let’s get start scanning this machine.
I first scan target with nmap fast scan
Here we found 4 open ports i.e. 22,80,139 and 145
Samba Enumeration
Before going to web let’s enumerate samba shares
For finding samba shares i am using smbmap
smbmap -H 192.168.226.156We found Naruto share with Read Only Permission let’s try accessing this share via anonymous login using smbclient tool.
As you can see in the above image we got a file inside this share, you can download this using get method.
Inside file we only find story and on second paragraph writer focusing on gara word a lot as compared to other character.
Web Enumeration
We found nothing more in samba port so i start enumerating port 80.
There’s no robots.txt file and dirb tool showing Directory Is Listable, that means we can see all file inside directory via directly visiting on browser.
But i found nothing interesting there too. Then i tried gara character as directory and got another page.
Here we find website using Drupal and had Login Page
Before accessing Login page i tried finding Drupal version using wappalyzer extension
And we find drupal version and some other stack information.
Now let’s access login page
Here we find Login in with Create Account and Reset Password section.
I tried finding no. of user exist on drupal via visitng /gara/user/1 and found only 1 user exist. If you try to access /gara/user/2 then you get this page.
but in case of 1 you get access denied message
Let’s try login using drupal cms default username and password. (You can search for default password on google)
after trying admin as user and password we successfully login into admin account.
Here i started exploring Drupal for potential RCE vulnerabilities.
And found a page https://medium.com/@briskinfosec/drupal-core-remote-code-execution-vulnerability-cve-2019-6340-35dee6175afa
Using metasploit drupal_restws_unserialize exploit i gain shell
then i gain tty shell using python command
python -c 'import pty;pty.spawn("/bin/bash")'Privilege Escalation
I uploaded linpeas.sh script for enumerating system
got a priv esc vector
i simple go to gtfobins and copy below command
after running the command we got root shell
BOOMM!! Naruto Solved Successfully
