Note: this post was originally posted on another blog I had in June 2020, and I worked through this VulnHub machine to fix my enumeration and note-taking abilities after failing the OSCP exam the second time.
This box was basically all dependent on enumeration. There’s a lot to look at and go through, but you have to keep going and searching. 95% of the time is spent getting the initial shell. I really liked this box because I got to focus on enumeration and note-taking.
Keeping a cool head, taking good notes about what was found and tried, and pushing forward was key. It isn’t a straight shot to a shell, and there’s a lot of content to go through.
Run gobuster on ports 80 and 8080
Possible usernames discovered; Cuppa CMS possibly in use?
NFS share available at /var/nfsshare, containing a user:pass usable for SMB
Used that user:pass against the SMB anonymous and secured shares
********** ABOUT US *********
* We are a fun-loving group *
that takes our work quite
* seriously. In our line of *
work, we believe that the
* most important quality of *
our work is our effort to
* TRY HARDER. TRYING HARDER *
takes courage. We believe
* we can strive for greater *
heights, and achieve good
* things as long as we dare *
to TRY HARDER. Are you up
* to our challenge? I think *
you should TRY HARDER! :)
Couldn't connect to MariaDB remotely; it's likely only allowing connections from localhost.
ERROR 1130 (HY000): Host '10.88.42.130' is not allowed to connect to this MariaDB server
[17:34:34]🔴->1 root[ ~/VulnHub/bravery ]# smbclient -L \\\\10.88.42.131
Enter WORKGROUP\root's password:
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (Samba Server 4.7.1)
SMB1 disabled -- no workgroup available
[17:34:42]🔥root[ ~/VulnHub/bravery ]#
Unfortunately, I couldn’t access those shares without a login.
[17:19:59]🔥root[ ~/VulnHub/bravery ]# showmount -e 10.88.42.131
Export list for 10.88.42.131:
[17:20:02]🔥root[ ~/VulnHub/bravery ]#
mount 10.88.42.131:/var/nfsshare nfsshare
find nfsshare -type f -print0 | while IFS= read -r -d '' file; do echo ">> $file <<"; cat "$file"; done
>> nfsshare/README.txt <<
read me first!
>> nfsshare/qwertyuioplkjhgfdsazxcvbnm <<
Sometimes, the answer you seek may be right before your very eyes.
>> nfsshare/discovery <<
Remember to LOOK AROUND YOU!
>> nfsshare/password.txt <<
Passwords should not be stored in clear-text, written in post-its or written on files on the hard disk!
>> nfsshare/explore <<
Exploration is fun!
>> nfsshare/enumeration <<
Enumeration is at the heart of a penetration test!
>> nfsshare/itinerary/david <<
David will need to fly to various cities for various conferences. Here is his schedule.
1 January 2019 (Tuesday):
New Year's Day. Spend time with family.
2 January 2019 (Wednesday):
0900: Depart for airport.
0945: Check in at Changi Airport, Terminal 3.
1355 - 2030 hrs (FRA time): Board flight (SQ326) and land in Frankfurt.
2230: Check into hotel.
3 January 2019 (Thursday):
0800: Leave hotel.
0900 - 1700: Attend the Banking and Enterprise Conference.
1730 - 2130: Private reception with the Chancellor.
2230: Retire in hotel.
4 January 2019 (Friday):
0800: Check out from hotel.
0900: Check in at Frankfurt Main.
1305 - 1355: Board flight (LH1190) and land in Zurich.
1600 - 1900: Dinner reception
2000: Check into hotel.
5 January 2019 (Saturday):
0800: Leave hotel.
0930 - 1230: Visit University of Zurich.
1300 - 1400: Working lunch with Mr. Pandelson
1430 - 1730: Dialogue with students at the University of Zurich.
1800 - 2100: Working dinner with Mr. Robert James Miller and wife.
2200: Check into hotel.
6 January 2019 (Sunday):
0730: Leave hotel.
0800 - 1100: Give a lecture on Software Security and Design at the University of Zurich.
1130: Check in at Zurich.
1715 - 2025: Board flight (LX18) and land in Newark.
2230: Check into hotel.
7 January 2019 (Monday):
0800: Leave hotel.
0900 - 1200: Visit Goldman Sachs HQ
1230 - 1330: Working lunch with Bill de Blasio
1400 - 1700: Visit McKinsey HQ
1730 - 1830: Visit World Trade Center Memorial
2030: Return to hotel.
8 January 2019 (Tuesday):
0630: Check out from hotel.
0730: Check in at Newark.
0945 - 1715 (+1): Board flight (SQ21)
9 January 2019 (Wednesday):
1715: Land in Singapore.
1815 - 2015: Dinner with wife.
2100: Clear local emails and head to bed.
So, I have a username, “david”, and “qwertyuioplkjhgfdsazxcvbnm” is likely a password too; that's two clues now. I added both to my growing credential list.
SMB – Revisited
Now that I have some usernames and passwords, I tried out “david” and “qwertyuioplkjhgfdsazxcvbnm” first, and it worked!
After manually going through the files, most of them are empty, so I decided to use some bash to go through them.
find . -type f > ../filelist.txt
while IFS= read -r line; do if [ -s "$line" ]; then echo ">> $line <<" | tee -a ../anonymous_nonempty_files.txt; cat "$line" | tee -a ../anonymous_nonempty_files.txt; fi; done < ../filelist.txt
>> ./sara's folder/gossip_corner/gossip18 <<
Qiu gives me too much work. I'm really stressed.
>> ./sara's folder/gossip_corner/gossip27 <<
Misconfigurations are the nightmare of system administrators.
>> ./sara's folder/gossip_corner/gossip5 <<
If only I could get back at the boss... she's so nasty. She controls EVERYTHING and doesn't trust me in even administering her tomcat server.
>> ./sara's folder/gossip_corner/gossip23 <<
Que sera sera, whatever will be, will be.
>> ./sara's folder/email/2048 <<
2048 is a game.
The CTF is not just a game. It's more than a game. It's about TRYING HARDER... and making sure this machine gets rooted!
ALL THE BEST! TRY HARDER!
>> ./genevieve's folder/CMS/migration/important! <<
need to migrate CMS. obsolete. speak to qiu about temporarily using her IIS to test a sharepoint installation.
>> ./genevieve's folder/email/spear <<
Amidst the flurry of content are certain files that may stand out. Smart bravery will allow you to read what you want; stupid bravery is called recklessness.
>> ./patrick's folder/work!/present_for_qiu/present <<
Should I bring her to watch the "Phantom of the Opera"?
Hmmmm... but she looks so stressed recently... :-(
>> ./patrick's folder/work!/samba/david_secured_share/readme/readme.txt <<
Please DO NOT spread the password around.
>> ./kenny's folder/vuln_assessment_team/windows/XP_disclaimer <<
XP is no longer provided; please upgrade to win7 or win10 because we no longer support XP.
>> ./readme.txt <<
-- READ ME! --
This is an INTERNAL file-sharing system across SMB. While awaiting migration to Sharepoint, we are currently relying on the use of the SMB protocol to share information.
Once we migrate everything to Sharepoint, we will kill off this temporary service. This service will be re-purposes to only share UNCLASSIFIED information.
We also noticed the archival of plenty of e-mail. Please remove all of that before migration, unless you need them.
Genevieve the Brave
I didn’t see anything useful in the files, but I did add two new users: “kenny” and “genevieve.”
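The two shell loops above (the NFS one and the SMB one) do the same job: walk a mounted share, skip the empty decoy files, and dump the rest so nothing gets missed. Both are easy to get subtly wrong: an unquoted `for file in $(find ...)` splits on the space in "sara's folder", and `[ -s "$f" ] && echo ...; cat "$f"` runs `cat` regardless of the test. The script below is an added example (my own, not the author's) that does the same walk in Python, handles awkward file names, and additionally flags files whose names suggest stored credentials, which is the check a share owner would run before opening an "UNCLASSIFIED" share like this one. The sample tree it builds is constructed for the example and only loosely mirrors the share layout seen above; the `SENSITIVE_NAME` pattern is an assumption you would tune to your own naming conventions.

```python
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Constructed sample tree (not the real share). It deliberately includes
# a directory with a space and an apostrophe, plus empty decoy files.
SAMPLE_FILES = {
    "readme.txt": "-- READ ME! --\nThis is an INTERNAL file-sharing system across SMB.\n",
    "sara's folder/gossip_corner/gossip18": "Qiu gives me too much work.\n",
    "sara's folder/gossip_corner/gossip1": "",          # empty decoy
    "david's folder/password.txt": "Passwords should not be stored in clear-text!\n",
    "kenny's folder/notes/empty": "",                   # empty decoy
}


def build_sample_tree() -> str:
    """Write SAMPLE_FILES under a fresh temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="share_audit_")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def nonempty_files(root: str) -> Dict[str, str]:
    """Return {relative_path: contents} for every file under root with size > 0.

    os.walk hands back complete path strings, so spaces and quotes in
    directory or file names never get split the way $(find ...) output does.
    """
    found: Dict[str, str] = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.getsize(full) == 0:
                continue  # skip the empty decoys that pad the share
            rel = os.path.relpath(full, root)
            with open(full, "r", encoding="utf-8", errors="replace") as fh:
                found[rel] = fh.read()
    return found


# Assumed naming pattern for files likely to hold credentials; tune as needed.
SENSITIVE_NAME = re.compile(r"(pass(word)?|secret|cred|key|token)", re.IGNORECASE)


def flag_sensitive(files: Dict[str, str]) -> List[str]:
    """Return the relative paths whose base name matches SENSITIVE_NAME."""
    return sorted(rel for rel in files if SENSITIVE_NAME.search(os.path.basename(rel)))


def summarize(root: str) -> Tuple[int, int, List[str]]:
    """(total files, non-empty files, flagged paths) for a share root."""
    total = sum(len(names) for _, _, names in os.walk(root))
    files = nonempty_files(root)
    return total, len(files), flag_sensitive(files)


if __name__ == "__main__":
    share_root = build_sample_tree()  # point this at a mounted share instead
    total, nonempty, flagged = summarize(share_root)
    print(f"{nonempty} of {total} files are non-empty under {share_root}")
    for rel, text in sorted(nonempty_files(share_root).items()):
        print(f">> {rel} <<\n{text}", end="")
    print("credential-looking names:", flagged)
```

Run it as-is to see the constructed tree audited; to use it on a real mount, replace `build_sample_tree()` with the mount point. Because it reads everything into memory, restrict it to shares of modest size or add a size cap before `fh.read()`.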
[18:15:37]🔥root[ ~/VulnHub/bravery/smb/secured ]# smbclient \\\\10.88.42.131\\secured -U david
Enter WORKGROUP\david's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Sep 28 09:52:14 2018
.. D 0 Thu Jun 14 12:30:39 2018
david.txt N 376 Sat Jun 16 04:36:07 2018
genevieve.txt N 398 Mon Jul 23 12:51:27 2018
README.txt N 323 Mon Jul 23 21:58:53 2018
17811456 blocks of size 1024. 13166144 blocks available
smb: \> prompt
smb: \> get *
NT_STATUS_OBJECT_NAME_INVALID opening remote file \*
smb: \> mget *
getting file \david.txt of size 376 as david.txt (73.4 KiloBytes/sec) (average 73.4 KiloBytes/sec)
getting file \genevieve.txt of size 398 as genevieve.txt (97.2 KiloBytes/sec) (average 84.0 KiloBytes/sec)
getting file \README.txt of size 323 as README.txt (105.1 KiloBytes/sec) (average 89.3 KiloBytes/sec)
And the file contents.
[18:16:34]🔥root[ ~/VulnHub/bravery/smb/secured ]# cat david.txt
I have concerns over how the developers are designing their webpage. The use of "developmentsecretpage" is too long and unwieldy. We should cut short the addresses in our local domain.
1. Reminder to tell Patrick to replace "developmentsecretpage" with "devops".
2. Request the intern to adjust her Favourites to http://<developmentIPandport>/devops/directortestpagev1.php.
[18:16:37]🔥root[ ~/VulnHub/bravery/smb/secured ]# cat genevieve.txt
Hi! This is Genevieve!
We are still trying to construct our department's IT infrastructure; it's been proving painful so far.
If you wouldn't mind, please do not subject my site (http://192.168.254.155/genevieve) to any load-test as of yet. We're trying to establish quite a few things:
a) File-share to our director.
b) Setting up our CMS.
c) Requesting for a HIDS solution to secure our host.
[18:16:48]🔥root[ ~/VulnHub/bravery/smb/secured ]# cat README.txt
README FOR THE USE OF THE BRAVERY MACHINE:
Your use of the BRAVERY machine is subject to the following conditions:
1. You are a permanent staff in Good Tech Inc.
2. Your rank is HEAD and above.
3. You have obtained your BRAVERY badges.
For more enquiries, please log into the CMS using the correct magic word: goodtech.
[18:16:53]🔥root[ ~/VulnHub/bravery/smb/secured ]#
So, this is awesome; now I have more web URLs that I didn’t have previously.
I tried /developmentsecretpage and /devops on port 80 and 8080, but it was 404 on both. Fortunately, /genevieve was not 404.
Port 80 – Revisited
Browsing to /genevieve shows a template site, but it has a link to Cuppa CMS!