Summary
Landing page on default nmap enumerated HTTP port revels a password protected web directory. Using username located by enum4linux or smbclient brute force the website with hydra. A base64 encoded payload passed with burp grants foothold shell. Use socat to port forward ssh to a port that can be bruted. Using bruted credentials login and copy PATH to tmp rename it as SUID. Execute it to gain root shell. This works because the binary does not have an absolute path set.
Action
Nmap Scan
# Nmap 7.91 scan initiated Tue May 11 15:26:02 2021 as: nmap -sC -sV -p- -vvv -oN initialnmap.txt 10.10.25.225
Nmap scan report for 10.10.25.225
Host is up, received echo-reply ttl 61 (0.20s latency).
Scanned at 2021–05–11 15:26:02 EDT for 765s
Not shown: 65532 closed ports
Reason: 65532 resets
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.29
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=You want in? Gotta guess the password!
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 401 Unauthorized
139/tcp open netbios-ssn syn-ack ttl 61 Samba smbd 3.X — 4.X (workgroup: YEAROFTHEFOX)
445/tcp open netbios-ssn syn-ack ttl 61 Samba smbd 4.7.6-Ubuntu (workgroup: YEAROFTHEFOX)
Service Info: Hosts: year-of-the-fox.lan, YEAR-OF-THE-FOX
Host script results:
|_clock-skew: mean: -19m33s, deviation: 34m37s, median: 25s
| nbstat: NetBIOS name: YEAR-OF-THE-FOX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| YEAR-OF-THE-FOX<00> Flags: <unique><active>
| YEAR-OF-THE-FOX<03> Flags: <unique><active>
| YEAR-OF-THE-FOX<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| YEAROFTHEFOX<00> Flags: <group><active>
| YEAROFTHEFOX<1d> Flags: <unique><active>
| YEAROFTHEFOX<1e> Flags: <group><active>
| Statistics:
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_ 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| p2p-conficker:
| Checking for Conficker.C or higher…
| Check 1 (port 14796/tcp): CLEAN (Couldn’t connect)
| Check 2 (port 46194/tcp): CLEAN (Couldn’t connect)
| Check 3 (port 28614/udp): CLEAN (Failed to receive data)
| Check 4 (port 55680/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: year-of-the-fox
| NetBIOS computer name: YEAR-OF-THE-FOX\x00
| Domain name: lan
| FQDN: year-of-the-fox.lan
|_ System time: 2021–05–11T20:39:07+01:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021–05–11T19:39:07
|_ start_date: N/A
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue May 11 15:38:47 2021–1 IP address (1 host up) scanned in 765.08 seconds
SMB Map
Enum4Linux
Web server is directory protected
Brute users found previously with Hydra
Login to website
Input is filtered. Can not use any special characters
Base64 encode a python reverse shell to bypass filter
Catch with netcat, obtain user flag
Upload enumeration scripts
Linpeas revealed ssh running on local host
User XXX is only allowed user
Upload socat binary, to remote machine and use it to port forward SSH to something we can brute
Use hydra to brute password
Now, we can relax. We have SSH credentials!
SSH to machine as XXX
Make sure to use port 8888
shutdown is NOT using absolute path. Copy bash shell, rename it to shutdown. Run the binary and be rewarded with a root shell.
Root Flag is not in normal place!!
Thanks for reading! :)
