Hey all, in this walkthrough we will take the billu box, which is hosted on vulnhub.com, and show exactly how to compromise it. There are many ways to exploit this virtual machine, but our goal will be to get root access. I found this machine relatively easy and perfect for beginners. For an experienced person it shouldn’t be difficult at all; it basically all comes down to enumeration and how well it is done. So, without wasting time, let’s start our journey:
This is how it looks:
In my case the IP was 192.168.225.21, as you can see below (found using the netdiscover command):
Now we will use our old friend nmap, the built-in Kali tool, which is a very powerful enumeration tool:
As you can see in the result, we have two open ports, 22 and 80, running SSH and HTTP respectively. I also tried a fragmented scan but got the same result, so we can continue our enumeration with both of these.
Since port 80 was open, I navigated to it in my web browser. It displayed a devil-like character, but there were also clues showing that MySQL is running on this box.
Unfortunately that was not helpful so far: I tried some basic SQL injection techniques and found nothing that worked.
Then I remembered that we also have dirb and nikto (useful since port 80 was open). I ran nikto first, but again found nothing helpful. Then I ran dirb and got some useful directories that could help with further enumeration:
I found several; one of them is shown below:
As you can see, the test directory returned the message ‘file’ parameter is empty. Please provide file path in ‘file’ parameter. That means it may have an LFI (Local File Inclusion) vulnerability. I further enumerated some more directories from the dirb output and found nothing special, then came back to this test directory and decided to enumerate within it. For that I used curl, which is already present on our Kali machine; it is a built-in tool for transferring data with URLs and supports protocols such as DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP and more. The first thing I did was this:
The result means we can read files present on the box. That’s NICE!!!!
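As an added illustration (not code from the box or from this walkthrough), this is how the test page’s file-serving logic should have been written so that the ‘file’ parameter cannot be used to read arbitrary files: the request must name an allowlisted file and the resolved path must stay under the web root. It is in Python rather than the box’s PHP, and the allowlist, the web root and the probe requests are constructed assumptions.

```python
import os
import tempfile
from typing import Dict, Optional

# Constructed allowlist: the only names the "file" parameter may ever select.
ALLOWED_FILES = {"index.php", "head.php", "c.php"}


def resolve_served_file(base_dir: str, requested: str) -> Optional[str]:
    """Return the absolute path to serve, or None if the request is rejected.

    Two independent checks: the requested name must be a bare file name on
    the allowlist, and the resolved path must still live under base_dir once
    symlinks and '..' segments are resolved. Checking the allowlist first also
    keeps hostile bytes (such as an embedded NUL) away from filesystem calls.
    """
    if not requested or requested != os.path.basename(requested):
        return None                      # empty, or carries a directory part
    if requested not in ALLOWED_FILES:
        return None                      # not one of the files we serve
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None                      # escaped base_dir (e.g. via a symlink)
    return candidate if os.path.isfile(candidate) else None


def demo() -> Dict[str, bool]:
    """Build a throwaway web root holding the allowed files, then probe it with
    constructed requests; True means the file would have been served."""
    root = tempfile.mkdtemp()
    for name in ALLOWED_FILES:
        with open(os.path.join(root, name), "w") as fh:
            fh.write("<?php /* placeholder */ ?>\n")
    probes = [
        "head.php",                              # legitimate
        "c.php",                                 # legitimate
        "",                                      # the empty parameter from the page
        "../../etc/passwd",                      # directory traversal
        "/etc/passwd",                           # absolute path
        "php://filter/resource=head.php",        # stream-wrapper style request
        "head.php\x00.txt",                      # NUL-byte truncation attempt
    ]
    return {p: resolve_served_file(root, p) is not None for p in probes}


if __name__ == "__main__":
    for request, served in demo().items():
        print(f"{request!r:40} -> {'served' if served else 'rejected'}")
```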
Now I used what I had found via dirb as input to check certain results; one of them is shown below:
As is visible, we found two files, c.php and head.php. All of this can also be done through Burp Suite or ZAP, but I preferred the command line.
So now we will enumerate these two files:
We found what we needed here: the username and the password. I tried SSH with these, but nothing seemed to work. I also looked at the page’s source code and found nothing helpful, as there was no directory in it. I decided to get back to the enumeration process I was carrying on via curl. Next I decided to look at the config files in the /phpmy directory, since we were able to read files easily.
And the result: I found a username and password again, but this time they were different.
This time I navigated to the web page and entered the credentials, but it failed again. Then I tried these credentials over SSH and, as we know, hard work never fails: we got shell access and fortunately it was root. As you can see below:
There is one more way, which I will only hint at here: this machine can also be exploited by entering the previous credentials, billu/billb0x, on the web login page that we found initially, after which we are directly in the web directory.
From there we can upload a reverse shell to gain shell access, which in this case will not be root. After escalating privileges you will have root access.