Vulnhub Vegeta: 1 Walkthrough


I would say that's a fair assessment but I could also see this causing some problems for beginners.  In general, I think it's always good to remember that "beginner" is based on a person's level of knowledge, tools, etc. 

Assuming that a beginner is reading this post for some help, let me toss out a couple of tricks and also show how I spider out with my enumeration and then come back to what's important. 

First, we kick off with Nmap:

What I'd like to point out is that I didn't go with a full blown scan.  If you're on your own network, a full scan will go quickly.  But if we're scanning a remote system, a full scan could take a long time.  We'll start smaller and work our way out.  First, we go for top-ports which gives us the ability to continue our enumeration but we'll do other Nmap scans in another window. 

Top-ports comes back with port 22 and 80.

We can then hit those two ports with more options to get more info:

While we're enumerating port 80, we run a full scan in that other window:

This way, we can maximize our time and work several avenues in parallel.

Looking at the web port, we find:

Again, working smaller and then bigger, I'll start with Nikto because more times than not, it will finish faster than some of the other tools:

We find some directories to browse, let's check out /admin:

That leads nowhere. 

Nikto finishes and we uncover /login.php:

We check that out but with zero bytes, it's nothing:

We run GoBuster:

We uncover /bulma but let's check to see if there's a robots.txt file:

That uncovers another directory:

Which also leads to nothing.  Lots of miniature rabbit holes on this box. 

Checking out /bulma, we find:

I listen to the wave file and it sounds like Morse code.  We upload it into a decoder and we get a username and password:

It ends up being in lowercase -- trunks : u$3r

We get logged into the system and we see there are entries in .bash_history file:

The user Tom does not exist in /etc/passwd so we'll store this information and take a look around a bit more:

If I'd being paying attention when I was enumerating this page from the browser, I would have noticed the scroll bar going down.  At the bottom, I would have found this base64:

We decode it:

It's encoded twice and when we decode it the second time, we see PNG.  I save it into a file with PNG extension and we find a QR code:

We decode it and we get a password:

This is another rabbit hole, as far as I can tell.

Circling back to our .bash_history file clue, when we view /etc/passwd, we see that trunks is the owner of the file.  Now this is starting to make sense.  The .bash_history file is telling us what we can do.

We echo the contents like we see in .bash_history and then we switch users to Tom using the pre-hashed password:  Password@973

One last thing to do:

That was fun!