Avatar

Labs / Matsudo

  • Medium
  • Released 16 May 2024

🔐 Can you break into this misconfigured server?

Step into the shoes of a penetration tester and tackle this realistic SSH-based challenge. This server might look secure from the outside, but weak credentials and dangerous sudo configurations could be your ticket to complete system compromise. 🎯 Master the art of reconnaissance, brute-force attacks, and privilege escalation in this hands-on Linux exploitation scenario.

2
Flags
40
Points
Medium
Guided Mode
Solution Available
Free Access
Start Lab Environment

Launch your dedicated AWS machine to begin hacking

~1-2 min setup
AWS dedicated
Private instance
Industry standard
Medium

Matsudo - Complete Solution Walkthrough

Step 1: Network Reconnaissance

  1. Start by scanning the target to identify open ports:
nmap -sS -sV -Pn <target-ip>
  1. The scan reveals that ports 22 (SSH) and 80 (HTTP) are open
  2. Answer to question 1: 22

Step 2: SSH Banner Analysis

  1. Connect to the SSH service to view the banner:
ssh <target-ip>
  1. The banner reveals "Welcome to Charlie's Server"
  2. Answer to question 2: Charlie

Step 3: SSH Brute Force Attack

  1. Based on the banner, we know the username is likely "charlie"
  2. Use hydra to brute-force the SSH password:
hydra -l charlie -P /usr/share/wordlists/rockyou.txt <target-ip> ssh
  1. The attack reveals the password: trustno1
  2. Answer to question 3: hydra (the most commonly used SSH brute-force tool)

Step 4: Initial Access

  1. SSH into the server using the discovered credentials:
ssh charlie@<target-ip>
  1. Enter the password: trustno1
  2. You should now have access to the system as user charlie

Step 5: Privilege Escalation Enumeration

  1. Check sudo privileges for the current user:
sudo -l
  1. This command lists the sudo privileges of the current user
  2. Answer to question 5: sudo -l
  3. The output shows that charlie can run sudoedit on any file

Step 6: Sudoedit Privilege Escalation

  1. The sudoedit permission allows editing files as root
  2. We can exploit this to gain root access by editing /etc/passwd or /etc/sudoers
  3. First, let's get the user flag:
cat /home/charlie/flag-user.txt
  1. For root access, we can exploit the sudoedit vulnerability by editing /etc/sudoers:
sudoedit /etc/sudoers
  1. Add a line to give charlie full sudo access:
charlie ALL=(ALL) NOPASSWD:ALL
  1. Save and exit, then escalate to root:
sudo su -

Step 7: Flag Retrieval

  1. As root, retrieve the root flag:
cat /root/flag-root.txt
  1. You now have both user and root flags, completing the challenge

Security Implications and Lessons Learned

  • Weak Passwords: Using common passwords like "trustno1" makes systems vulnerable to brute-force attacks
  • Sudo Misconfigurations: Granting sudoedit permissions without proper restrictions can lead to privilege escalation
  • Information Disclosure: SSH banners can reveal sensitive information about system owners
  • Defense: Use strong passwords, implement fail2ban, and carefully configure sudo permissions

Tools and Techniques Summary

  • nmap: Network reconnaissance and port scanning
  • hydra: SSH password brute-forcing
  • sudo -l: Enumerating sudo privileges
  • sudoedit: Exploiting sudo misconfigurations for privilege escalation