Covfefe is available at VulnHub. This machine is for beginners: if you’re new to pen-testing, you’ll learn some great enumeration and cracking skills. Getting the first shell is easy, but you must have at least basic knowledge of buffer overflows to get root.
I’ll be using Parrot Security OS throughout the Walkthrough but you can use Kali Linux or any other distro you want.
Turn on the machine and use netdiscover to find it on your network.
sudo netdiscover -i wlan0 -r 192.168.8.1/24
Now map this IP address (192.168.8.153) to a hostname in your local hosts file “/etc/hosts”. Enter
sudo nano /etc/hosts
and then add the following line
192.168.8.153 covfefe.local
You can now use this hostname instead of the IP address. Next, run a full Nmap port scan
nmap -p- covfefe.local
We found one SSH port open and two HTTP Servers running. We’ll first check the Web Server on port 80.
Nothing in the page source. Next, check the robots.txt file; it doesn’t exist. Our last try is to brute-force some directories. I’ll be using gobuster, but you can use dirb or any other tool. Run the following command,
gobuster -u http://covfefe.local:80 -w /usr/share/wordlists/dirb/common.txt -e
Nothing here. Our next option is to enumerate the second web server, on port 31337. Start by checking its robots.txt file.
“/.bashrc” and “/.profile” have nothing useful, but “/taxes” has our first flag.
Now we’ll brute-force directories. Enter the following command in the terminal,
gobuster -u http://covfefe.local:31337 -w /usr/share/wordlists/dirb/common.txt -e
There’s nothing in “/.bash_history”, “/.bashrc” and “/.profile”, but “/.ssh” may contain some login keys. The file “id_rsa.pub” in the “/.ssh” directory contains the public SSH key for user “simon”. Just download the file using curl,
curl http://covfefe.local:31337/.ssh/id_rsa.pub > publickeys
Now download the private key “id_rsa” and attempt an SSH login.
First, you’ll have to restrict the key file’s permissions, since SSH refuses to use a private key that other users can read. Then attempt an SSH login; unfortunately it reports that the key is encrypted (passphrase-protected). Next, we’ll brute-force the passphrase with John the Ripper. Run the following
ssh2john privatekey > private.john
john --format=SSH --wordlist=/usr/share/wordlists/rockyou.txt private.john
As you can see, we successfully cracked the passphrase. Now it’s time to log in and perform some “Post-Exploitation”.
Checking the “/root” directory reveals a flag and a C code file.
We don’t have sufficient permissions to read flag.txt, but we can read and run the file “read_message.c”. In the source code, we get our second flag and some vulnerable-looking code.
Here comes the Buffer Overflow part. As you can see from line No.10, it allocates 20 bytes for the buf[20] string, and nothing limits how much input is written into it. This line is the main cause of the buffer overflow: when you provide input of more than 20 characters, the extra bytes spill into whatever sits next to buf in memory, which lets us change the flow of the program. After entering the name “Simon”, we’ll give it garbage input until we reach 20 characters, then we’ll redirect the program to “/bin/sh”. This will cause BASH to run as root.
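To make the mechanism above concrete, here is an added, self-contained C model (written for this walkthrough, not the actual read_message.c from the machine) of a 20-byte name buffer sitting directly in front of the buffer that holds the program path; the struct layout and the placeholder path are assumptions. It contrasts an unbounded gets-style read, which lets the 21st byte onward land in the program path, with a bounded fgets-style read, which is the fix.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the layout the walkthrough describes: a 20-byte name
 * buffer immediately followed in memory by the program path. The member
 * order and the path itself are assumptions, not the machine's real file. */
struct frame {
    char buf[20];      /* the overflowable name buffer (buf[20] in the page) */
    char program[32];  /* assumed: path handed to exec after the name check */
};

#define SAFE_PATH "/usr/local/bin/placeholder"   /* assumed placeholder path */

static void init_frame(struct frame *f) {
    memset(f, 0, sizeof *f);
    strcpy(f->program, SAFE_PATH);
}

/* Models gets(buf): no length check, so bytes past the 20th overwrite the
 * neighbouring program[] field. Copying through a char pointer inside the
 * struct keeps the demo deterministic; a real gets() does the same to the
 * stack. The cap only keeps this demo itself within the struct. */
static void read_name_unbounded(struct frame *f, const char *input) {
    size_t n = strlen(input) + 1;
    if (n > sizeof *f) n = sizeof *f;
    memcpy((char *)f, input, n);
    ((char *)f)[sizeof *f - 1] = '\0';
}

/* Models fgets(buf, sizeof buf, stdin): never writes past buf and always
 * NUL-terminates, so program[] cannot be touched by user input. */
static void read_name_bounded(struct frame *f, const char *input) {
    strncpy(f->buf, input, sizeof f->buf - 1);
    f->buf[sizeof f->buf - 1] = '\0';
}

/* 1 if the program path survived the read, 0 if user input clobbered it. */
static int path_intact(const struct frame *f) {
    return strcmp(f->program, SAFE_PATH) == 0;
}

int main(void) {
    /* Constructed input in the shape the walkthrough describes:
     * accepted name, padding up to byte 20, then the replacement path. */
    const char *input = "SimonAAAAAAAAAAAAAAA/bin/sh";
    struct frame f;
    init_frame(&f); read_name_unbounded(&f, input);
    printf("gets-style : program=%s (%s)\n", f.program, path_intact(&f) ? "intact" : "overwritten");
    init_frame(&f); read_name_bounded(&f, input);
    printf("fgets-style: program=%s (%s)\n", f.program, path_intact(&f) ? "intact" : "overwritten");
    return 0;
}
```

The first read reports the path as overwritten, the second leaves it intact; replacing the unbounded read is the remediation, and a binary that still needs to call `gets` should not run with elevated privileges at all.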
And finally we’re ROOT!!