Vulnhub’s Bravery…

mrZud0k0rn
12 min read · Apr 1, 2021

Today I am going to write about one of my favorite boxes in terms of initial enumeration. It has a lot of rabbit holes, and I like the fact that the author spent time and effort putting a lot of files on the machine, perhaps to discourage us from enumerating the box further.

If you’re looking to further sharpen, develop or enhance your enumeration skills, this might be one of the boxes for you.

So now, let’s download the box and mount it on our VM. I put my Kali machine and our target box on a separate subnet, as I always do.

To discover my target’s IP, I ran an arp-scan.

arp-scan 192.168.8.0/24

Strangely, my arp-scan didn’t work.

I tried the netdiscover command and waited a little while.

netdiscover -i eth1 -r 192.168.8.0/24

Again, netdiscover didn’t catch the IP at first; after waiting a few moments it showed the IPs on my subnet but did not terminate.

I added the target IP to my /etc/hosts file and ran an nmap network scan.

nmap -sn 192.168.8.0/24 | grep "Nmap scan report" | cut -d " " -f 5

With the target IP known, let’s now discover the ports open on our target. I ran masscan to discover all ports.

masscan -i eth1 -p0-65535 --router-mac [] --interactive [target.IP]

Like arp-scan, masscan won’t work against our target on our current network setup, so let’s just run another nmap port scan.

We got 13 ports to deal with, and some of them are familiar to me.

Let’s now run autorecon by Tib3rius against our machine.

autorecon bravery.vhb

As expected, we got a lot of ports running on this machine, which means we need to perform a lot of enumeration on it.

After autorecon finished, let’s check the results.

autorecon results

Let’s first check port 22.

ssh -v admin@bravery.vhb

There’s nothing interesting for me here; however, we got OpenSSH 7.4 (protocol 2.0), which might come in handy later.

Going on to port 3306, a known MySQL port.

It says that we can’t log in from our IP; perhaps there is some IP whitelisting going on in the application? On to the next one.

Checking on DNS port 53.

Okay, so we got dnsmasq 2.76 running on port 53; that is also worth taking note of.

Let’s now check port 111.

autorecon has listed the files inside the nfsshare: a very interesting file “password.txt” and a file with a weird name. Let’s enumerate it further.

NFS Enumeration

1. List the available mount points.

showmount -e bravery.vhb

So, our target machine got /var/nfsshare directory for us to mount on our kali machine.

2. Create a temp dir and mount the nfsshare.

mkdir -p /tmp/nfs
mount -o rw bravery.vhb:/var/nfsshare /tmp/nfs

Let’s now explore the directories and files inside; this will be the start of a long and mind-exhausting “Forest of Files” enumeration.

Checking on the files,

We got nothing from the “password.txt” file; however, the file qwertyuioplkjhgfdsazxcvbnm stands out to me. Let’s list what we got: we have david as a username, from the itinerary folder, and the password ‘might’ be qwertyuioplkjhgfdsazxcvbnm.

david:qwertyuioplkjhgfdsazxcvbnm

Let’s now check the Samba ports; let’s open the enum4linux file that was created by autorecon.

What stands out for me here is the users that were grabbed by enum4linux.

So we have confirmed that david is actually a user on the machine, together with rick.

Checking the share permissions.

So there are 2 interesting shared folders here: the first is anonymous, to which we have read access, and the second is secured, to which we have no access ‘as’ anonymous.

Let’s try to list the contents of the anonymous shared folder.

Honestly, the files are overwhelming. Let’s download all the files locally and search them there.

smbget -R smb://bravery.vhb/anonymous

The following are the files inside the SMB shared folders.

This file says something about a migration to SharePoint and about email deletions; emails are a good source of information!

It says here that genevieve will migrate to a CMS application; maybe we can use credentials lying around to log in to the CMS?

The following are from other folders.

I won’t post the others, as they don’t give us any lead or clue to our target; you can only imagine this “Forest of Files”, too many and too big and very exhausting.

In the end, I only got something about the migration to a CMS and the names of the folders, which are possible usernames.

I went on to enumerate ports 443/80 and 8080.

I read the autorecon findings on both ports, and the following is the information which may lead us to what we are looking for: a content management application.

PORT 8080

nikto results
robots.txt
gobuster

I went on and checked all the possible hidden pages and directories.

8080 landing page.

I stumbled upon the /public directory on port 8080 and did another gobuster on this end, however, I got nothing.

Port 80

Finally! I got a directory traversal on the /files directory on port 80; let’s check what we can get from here.

Another forest, but we got something interesting.

It says something about reminding gen about cuppaCMS; now we know what kind of CMS app they’re trying to deploy.

I was kind of excited when I read the CMS application name; I stumbled upon the same CMS in TryHackMe and was familiar with its vulnerability.

However, after spending excessive time enumerating the ports, I still had no possible endpoint to get my initial shell on the target.

Since we got a ‘possible’ credential for david, let’s try to access the ‘secured’ folder in SMB using smbclient.

smbclient \\\\bravery.vhb\\secured -U david

And it worked!

Let’s get all the files inside and scan them locally.

Okay, so we got 3 possible pages or directories, and a magic word?

/genevieve
/developmentsecretpage
/devops/directortestpagev1.php

So I put them in Burp and fired up the Intruder module.

I got a result on ‘genevieve’; after pondering, the clue was there all along, they are telling ‘gen’ to set up and migrate to a CMS….

So after playing with the site for a minute, and clicking on Internal Use, I was redirected to….

I immediately tried to brute-force the login using hydra, using the SMB names as users and the ‘magic’ word as the password.

However, as expected it didn’t work.

CuppaCMS has a known vulnerability of LFI and RFI… we can find this using searchsploit.

Reading through the file..

It explains here that we can perform an LFI and read /etc/passwd by going to the link provided; we can also get the config file.

As we can see, we got root credentials, to log in, but we are not going to do that…

Let’s check the /etc/passwd.

We got root, david and rick as users that have logins.

Now we’re going to use the RFI vulnerability: we issue the RFI request through our browser, and set up a Python HTTP server to host a reverse PHP page, which the target will fetch and execute, throwing a reverse shell to our netcat listener.

Note to self:

I was trying to do the LFI to RCE attack vector; once you have successfully done it, update this thread.

Again, we have exploited the RFI vulnerability of the machine and got our initial low-privileged shell :)

Privilege Escalation

Before checking anything, let’s try to upgrade our shell by invoking the python pty shell.

We also performed sudo -l, and it seems that our user isn’t in the sudoers file; we also performed “export TERM=xterm” so we can clear the screen when we need to.

NFS Share

I remember that we have mounted an NFS share, and I remember from the lectures of Tib3rius that we can escalate our privileges through an NFS share if “no_root_squash” is defined in the /etc/exports file…

However, let’s enumerate first and see if there is another way we can root the machine…

Now let’s check the home directory, where our users’ working directories are located; we might see some files that will help us escalate from the service account to a user account.

However, we are not allowed to.

From here, let’s upload privEsc scripts to automate our privEsc enumeration. I uploaded my 3 favorites: lse.sh, LinEnum.sh and linpeas.sh.

I ran lse.sh first, with level 0, hoping that I won’t need the other scripts.

./lse.sh -l 0 -i

And we got an interesting binary with the SUID bit set; let’s visit GTFOBins to check the binary.

Since we got the SUID bit on the cp command, we can:

1. Just copy the /etc/passwd file and insert a backdoor user with root privileges.

2. Copy the /etc/shadow file and crack the users’ passwords.

As a PoC, let’s copy /etc/shadow, put it on our Kali machine and read the shadow file…

As we can see, we got the hash of root’s password, ready for cracking…

Now let’s insert a backdoor user with root privileges in the passwd file and replace the existing one.

Now copy the tampered passwd to /etc/passwd.

Then let’s switch to our backdoor user.

And we got root!
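From the defender’s side, the two things this SUID cp makes possible, a second UID 0 line in /etc/passwd and a password hash carried in the passwd file itself instead of in /etc/shadow, both leave traces that are cheap to check. The script below is an added example, not part of the original write-up and not taken from GTFOBins or Tib3rius’ material; `check_passwd` and `list_setuid` are names I chose, and the passwd lines it is run against in practice are whatever you point it at (the ones used to exercise it here are constructed samples).

```shell
#!/bin/sh
# Added example (not from the write-up). Two checks that catch what a
# setuid cp lets an attacker do: overwrite /etc/passwd with a backdoor
# line, and ship an extra setuid binary. Script and function names are
# my own; sample data used to exercise it is constructed.

# check_passwd FILE
# Flags the tampering pattern shown above: a UID 0 account other than
# root, or a password hash written directly into field 2 (a legitimate
# entry carries "x" there and defers to /etc/shadow). Also flags empty
# password fields and lines without the seven passwd fields.
# Exits 0 when the file is clean, 1 when anything was flagged.
check_passwd() {
    awk -F: '
        NF != 7 { print "MALFORMED line " NR ": " $0; bad = 1; next }
        $3 == 0 && $1 != "root" {
            print "RISK extra uid 0 account: " $1; bad = 1
        }
        $2 == "" { print "RISK empty password field: " $1; bad = 1 }
        $2 != "" && $2 != "x" && $2 != "*" && $2 !~ /^!/ {
            print "RISK hash stored in passwd, not shadow: " $1; bad = 1
        }
        END { exit bad }
    ' "$1"
}

# list_setuid DIR
# Lists every setuid or setgid regular file under DIR (one filesystem only)
# so the result can be diffed against a known-good inventory taken at
# build time; a cp with mode 4755, as on this box, shows up immediately.
list_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ld {} + 2>/dev/null
}

# Usage: sh audit.sh /etc/passwd [/]
# With no arguments only the functions are defined.
if [ $# -ge 1 ]; then
    check_passwd "$1"
    if [ $# -ge 2 ]; then list_setuid "$2"; fi
fi
```

Run it once on a freshly built host and keep the setuid listing; a later run that shows a new entry, or a non-zero exit from `check_passwd`, is exactly the trail the passwd overwrite above leaves behind.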

So let’s also check the nfsshare by reading the /etc/exports file.

Switching back to low-level user…

And we got “no_root_squash” on nfsshare, so let’s try to make an ELF payload, based on Tib3rius’ privEsc techniques.

Notice that it was saved as root; now we can chmod it to set it as executable and SUID.

Let’s try to execute it.

Nothing happens. So I copied my bash to the NFS share, set the SUID bit and ran it on the target machine.

I got an error about no such file or directory…

I thought that since I was using a Debian distro, this is not compatible with a RHEL distro.

I copied the target’s bash to the NFS share folder.

Notice the file permissions of the bash file: it is still under the apache user.

Now on our Kali Machine, let’s copy the bash file and rename it to evilbash..

Now it has the permissions we want it to have.
I now set the SUID bit on.

Now let’s run this on our target machine.

./evilbash -p

And we got root as well! :)
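The NFS route works because two settings were combined on this box: the share is reachable by any host (which is how we mounted it anonymously at the start) and it carries no_root_squash, so a client that is root can write root-owned setuid files into it. The following is an added example from the defender’s side, not part of this write-up or of Tib3rius’ material: an audit of an exports file that reports both conditions and prints a hardened version. `audit_exports`, `_scan_exports` and `print_hardened` are names I chose, and the exports lines used to exercise it are constructed samples, not the box’s real /etc/exports.

```shell
#!/bin/sh
# Added example (not from the write-up): audit an NFS exports file for the
# two settings this box combined, an export to every host and
# no_root_squash. Function names are my own; the exports content used to
# exercise the script is constructed.

# _scan_exports FILE  (internal helper)
# exports syntax:  /path  client1(opt,opt,...) client2(opt) ...
# Prints one RISK line per finding. Runs in a subshell so that "set -f"
# (a bare "*" client must not glob against the current directory) does
# not leak into the caller.
_scan_exports() (
    set -f
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" |
    while read -r path clients; do
        for spec in $clients; do
            case $spec in
                *\(*) client=${spec%%\(*}
                      opts=${spec#*\(}
                      opts=${opts%\)} ;;
                *)    client=$spec
                      opts= ;;
            esac
            # root_squash is the NFS default; only an explicit no_root_squash counts
            case ",$opts," in
                *,no_root_squash,*)
                    echo "RISK $path: client $client keeps root (no_root_squash)" ;;
            esac
            if [ "$client" = "*" ]; then
                echo "RISK $path: exported to every host"
            fi
        done
    done
)

# audit_exports FILE
# Returns 0 when clean; prints the findings and returns 1 otherwise.
audit_exports() {
    findings=$(_scan_exports "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# print_hardened FILE
# Shows the same file as the audit wants it: root_squash restored, and
# wildcard clients replaced by a placeholder to fill in with the real
# client address or subnet.
print_hardened() {
    sed -e 's/no_root_squash/root_squash/g' \
        -e 's/\*(/<client-or-subnet>(/g' "$1"
}

# Usage: sh nfs_audit.sh /etc/exports
# With no arguments only the functions are defined.
if [ $# -ge 1 ]; then
    audit_exports "$1" || print_hardened "$1"
fi
```

A weak line such as `/var/nfsshare *(rw,sync,no_root_squash)` (constructed to mirror what the box allowed) produces two findings; the hardened output for it reads `/var/nfsshare <client-or-subnet>(rw,sync,root_squash)`, which removes both the anonymous mount from the start of the box and the root-owned SUID drop at the end.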

Takeaways:

My main takeaway is about the enumeration of the machine: I spent a ‘more than usual’ amount of time just enumerating every bit of the machine to gain my initial shell. It was exhausting!!! Sometimes I got the feeling that I was going nowhere; however, as I always remind myself, enumeration is one of the key skills that separates a good hacker…

Enumeration on the machine was the key part; escalating your privilege to root is easier.

Overall, I recommend this box as part of developing your enumeration skills; also, I would try to enumerate faster next time. My next goal is to sit and enumerate my target until I get my initial shell.
