
CEH Master/ FourAndSix: 2 Vulnhub Walkthrough [netdiscover - showmount - crack password backup.7z & get key]

Written By AKADEMY on Sunday, January 10, 2021 | 9:16 AM

Advanced practice iLab for modules 2, 3 and 4 (enumeration) of CEH v11, using tools such as netdiscover, nmap and showmount, cracking the backup.7z archive (very hard to crack), then reading the key and connecting over ssh.

This is a very good and useful lab for anyone who wants to obtain the CEH Master certification.

FourAndSix: 2 is the sequel to the previously solved vulnerable machine FourAndSix by Fred, uploaded on vulnhub. It is not mandatory, but it is advised to read the prequel of this lab here. You can download the FourAndSix:2 vulnerable lab from here. The challenge is to become root and read flag.txt in root's home directory.

Table of Contents:

  • Discovery of the IP address.
  • Scanning for open ports and services.
  • Discovering a universally accessible NFS export on the victim’s machine.
  • Cracking the password of the archive found in the exported partition.
  • Reading the public key file and logging in using ssh.
  • Discovering utilities with the SUID bit set on them.
  • Using doas to get root.
  • Snagging the flag!

Let’s get started then.

The first step is, as usual, to find the IP of the target machine using netdiscover. In this case, it is

Next, we discover open ports and services using nmap.

The ports open were 22, 111, 2049.

The only obvious way forward was port 2049 (NFS), so we used the showmount command to list the exported NFS shares.

We then mounted the export under a folder named “raj” using the mount command, and inside it we found a 7z compressed file.

But the file “backup.7z” was, unfortunately, password protected.

So, after trying a number of options such as John The Ripper with no success, we found a site online that broke its password.

The password was: chocolate

We extracted its contents into the same folder and found a few images along with an RSA key pair. As port 22 is running the SSH service on the target machine, we can use the RSA private key to log in. We open the RSA public key to take a look at the username.

We tried logging in to ssh but it was asking for a passphrase. So, we created the following script to find the correct password.

From the id_rsa.pub file, we found the user for the secure shell of the victim and logged in to it. The password was: “12345678”.

We used the find utility to discover files with the SUID bit set on them.

We found an interesting utility with the SUID bit: /usr/bin/doas, which is an alternative to sudo.

After reading the “doas.conf” file, we find that “less” can be run as root.

Let’s pick the configuration file apart and try to understand it word by word. The doas utility executes commands as other users according to the rules in the doas.conf configuration file.

permit / deny: whether the rule allows or denies the action.

nopass: the user is not required to enter a password.

persist: after the user successfully authenticates, do not ask for a password again for some time.

keepenv: the user’s environment is preserved.

cmd: the command that the rule allows the user to run.

Since the doas configuration file says that less can be run as root with no password at all, it can be used for shell escaping.
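From the defender's side, the rule above is exactly the kind of entry a configuration audit should catch: a permit rule that runs an interactive pager or editor as root, with nopass on top. The following Python script is an added example (it is not from the walkthrough, the VM or the OpenBSD doas project). It parses doas.conf rules in the documented `permit|deny [options] identity [as target] [cmd command [args ...]]` form and flags permit-as-root rules that either allow any command or allow a program that can spawn a shell. The set of shell-escape-capable programs and the sample configuration are assumptions constructed for the example.

```python
"""Audit doas.conf for rules that hand out root via shell-escaping programs.

Added example, not part of the walkthrough or of doas itself. The rule grammar
follows doas.conf(5); the SHELL_ESCAPE_CMDS set is an assumption for the example.
"""
import os
import shlex
from dataclasses import dataclass, field
from typing import Optional

# Programs that can start an interactive shell from inside themselves (e.g. "!sh"
# in less, ":!sh" in vi). Assumed list for this example; extend to taste.
SHELL_ESCAPE_CMDS = {"less", "more", "vi", "vim", "view", "man", "sh", "ksh", "bash"}
OPTION_WORDS = {"nopass", "nolog", "persist", "keepenv", "setenv"}


@dataclass
class Rule:
    action: str                        # "permit" or "deny"
    identity: str                      # user name or ":group"
    target: str = "root"               # doas targets root when "as" is absent
    options: set = field(default_factory=set)
    cmd: Optional[str] = None          # None means any command
    args: Optional[list] = None        # None means any arguments


def parse_doas_conf(text: str) -> list:
    """Parse every rule line; comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        toks = shlex.split(line)
        if toks[0] not in ("permit", "deny"):
            raise ValueError(f"unknown action in rule: {raw!r}")
        rule = Rule(action=toks[0], identity="")
        i = 1
        while i < len(toks) and toks[i] in OPTION_WORDS:
            rule.options.add(toks[i])
            if toks[i] == "setenv":         # skip the "{ VAR=value ... }" block
                i = toks.index("}", i)
            i += 1
        rule.identity = toks[i]
        i += 1
        if i < len(toks) and toks[i] == "as":
            rule.target = toks[i + 1]
            i += 2
        if i < len(toks) and toks[i] == "cmd":
            rule.cmd = toks[i + 1]
            i += 2
            if i < len(toks) and toks[i] == "args":
                rule.args = toks[i + 1:]    # empty list means "no arguments allowed"
        rules.append(rule)
    return rules


def audit(rules: list) -> list:
    """Return (severity, message) findings for permit rules that grant root.

    doas applies the last matching rule, so a later deny can override an earlier
    permit; this audit reports each permit on its own and leaves that to the reviewer.
    """
    findings = []
    for r in rules:
        if r.action != "permit" or r.target != "root":
            continue
        nopass = "nopass" in r.options
        suffix = " without a password" if nopass else ""
        sev = "high" if nopass else "medium"
        if r.cmd is None:
            findings.append((sev, f"{r.identity} may run any command as root{suffix}"))
        elif os.path.basename(r.cmd) in SHELL_ESCAPE_CMDS:
            findings.append((sev, f"{r.identity} may run {r.cmd} as root{suffix}; "
                                  "this program can spawn a shell, so it is equivalent to full root"))
    return findings


# Constructed sample doas.conf (not the one from the VM); the second rule mirrors
# the less-as-root-with-nopass pattern described in the walkthrough.
SAMPLE_DOAS_CONF = """\
permit persist :wheel
permit nopass user as root cmd /usr/bin/less
permit nopass backup as root cmd /usr/bin/rsync args --server
permit nopass setenv { LANG=C } auditor as root cmd /usr/bin/cat
deny user as root cmd /usr/bin/vi
"""

if __name__ == "__main__":
    for severity, message in audit(parse_doas_conf(SAMPLE_DOAS_CONF)):
        print(f"[{severity}] {message}")
```

Running the script against the constructed sample reports two findings: the `:wheel` rule (any command as root, password required) as medium, and the `less` rule as high because nopass plus a pager with a shell escape is full root for that user. The rsync and cat rules are not reported, since neither program offers a way to a shell and rsync is further pinned to a fixed argument list; the remediation in the pager case is to drop nopass and, better, to replace less with a non-interactive command that only reads the specific file the user needs.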


Enter v to escape to vi and then “:!sh” to escape to our brand new shell.

The final step was to snag the flag! It was in the root directory as told by the creator of the VM.

id shows that the shell is a root shell, and finally we read the congratulatory flag using cat!

So this was how we rooted FourAndSix:2. Hope you liked it.

Author: Harshit Rajpal 
