Hack into the machine and investigate the target. 

Please allow about 5 minutes for the machine to fully boot! 

Note: The theme and security warnings encountered in this room are part of the challenge. 

Nmap

└─$ nmap 10.10.205.187 -sC -sV 

Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-01 20:58 PDT 
Nmap scan report for 10.10.205.187 
Host is up (0.15s latency). 
Not shown: 996 closed tcp ports (conn-refused) 

PORT    STATE SERVICE     VERSION 
22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0) 
| ssh-hostkey:  
|   2048 108af572d7f97e14a5c54f9e978b3d58 (RSA) 
|   256 7f10f557413c71dbb55bdb75c976305c (ECDSA) 
|_  256 6b4c23506f36007ca67c1173c1a8600c (ED25519) 

80/tcp  open  http        Apache httpd 2.4.18 ((Ubuntu)) 
|_http-server-header: Apache/2.4.18 (Ubuntu) 
|_http-title: Apache2 Ubuntu Default Page: It works 

139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 
445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP) 
Service Info: Host: TECHSUPPORT; OS: Linux; CPE: cpe:/o:linux:linux_kernel 

Host script results: 
| smb-os-discovery:  
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu) 
|   Computer name: techsupport 
|   NetBIOS computer name: TECHSUPPORT\x00 
|   Domain name: \x00 
|   FQDN: techsupport 
|_  System time: 2023-04-02T09:28:30+05:30 
|_clock-skew: mean: -1h50m00s, deviation: 3h10m31s, median: -1s 
| smb2-security-mode:  
|   311:  
|_    Message signing enabled but not required 
| smb-security-mode:  
|   account_used: guest 
|   authentication_level: user 
|   challenge_response: supported 
|_  message_signing: disabled (dangerous, but default) 
| smb2-time:  
|   date: 2023-04-02T03:58:30 
|_  start_date: N/A 

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
Nmap done: 1 IP address (1 host up) scanned in 26.15 seconds

Looks like an SMB share is open to guests. I think we should take a look and see if there is anything in there.
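Before touching the share, it is worth seeing what the scan already tells a defender. As an added example (not part of this writeup or of Nmap), here is a small Python triage script that reads the SMB host-script output from an `nmap -sC -sV` run and lists the Samba settings that make the rest of this walkthrough possible: a guest session accepted and message signing not required. The sample input is copied from the scan above, and the smb.conf parameters named in the findings are real Samba options.

```python
"""Triage the SMB host-script output of an 'nmap -sC -sV' run.

Added example (not from the writeup): pull out the Samba settings that let the
rest of this walkthrough happen. SAMPLE_SCAN is copied from the scan output
above; the smb.conf settings named in the findings are real Samba options.
"""
import re
from typing import List, Optional

# Sample input, taken from the Nmap output shown on this page.
SAMPLE_SCAN = """\
445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Host script results:
| smb2-security-mode:
|   311:
|_    Message signing enabled but not required
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
"""

# (finding text, regex matched against one cleaned-up NSE output line)
RULES = [
    ("Guest SMB session accepted: set 'map to guest = never' and 'restrict anonymous = 2'",
     re.compile(r"account_used:\s*guest")),
    ("SMB1 message signing disabled: set 'server signing = mandatory'",
     re.compile(r"message_signing:\s*disabled")),
    ("SMB2 signing not required: set 'server signing = mandatory'",
     re.compile(r"Message signing enabled but not required")),
]


def strip_script_prefix(line: str) -> str:
    """Drop the '|' / '|_' gutter and indentation Nmap prints before NSE output."""
    return re.sub(r"^\|_?\s*", "", line.strip())


def smb_findings(scan_text: str) -> List[str]:
    """Return each SMB hardening finding present in the scan text, once each."""
    findings: List[str] = []
    for raw in scan_text.splitlines():
        line = strip_script_prefix(raw)
        for label, pattern in RULES:
            if pattern.search(line) and label not in findings:
                findings.append(label)
    return findings


def samba_version(scan_text: str) -> Optional[str]:
    """Extract the Samba version from the -sV service line, if present."""
    m = re.search(r"Samba smbd ([\w.\-]+)", scan_text)
    return m.group(1) if m else None


if __name__ == "__main__":
    print("Samba version:", samba_version(SAMPLE_SCAN))
    for finding in smb_findings(SAMPLE_SCAN):
        print("[!]", finding)
```

Run it against a saved scan (`nmap -sC -sV -oN scan.txt ...`, then feed the file in) and the three findings above come out; the version string is the other thing worth recording, since Samba 4.3.11 is long out of support.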

┌──(kali㉿kali)-[~/Downloads] 
└─$ smbmap -H 10.10.205.187 -R           

[+] Guest session   IP: 10.10.205.187:445 Name: 10.10.205.187                                      
        Disk                                                  Permissions Comment 
----                                                  ----------- ------- 
print$                                            NO ACCESS Printer Drivers 
websvr                                            READ ONLY  
.\websvr\* 
dr--r--r--                0 Sat May 29 00:17:38 2021 . 
dr--r--r--                0 Sat May 29 00:03:47 2021 .. 
fr--r--r--              273 Sat May 29 00:17:38 2021 enter.txt 

IPC$                                              NO ACCESS IPC Service (TechSupport server (Samba, Ubuntu)) 

Looks like they left us a txt file.  Let's grab it and see what it tells us.
┌──(kali㉿kali)-[~/Downloads] 
└─$ smbmap -H 10.10.205.187 -R -A enter.txt 
[+] Guest session   IP: 10.10.205.187:445 Name: 10.10.205.187                                      
[+] Starting search for files matching 'enter.txt' on share websvr. 
[+] Match found! Downloading: websvr\enter.txt 
I ran smbmap again, this time with -R for recursive so we can dig into subdirectories and -A to download any file whose name matches.  So I looked for the enter.txt that showed up in the first scan.
GOALS 
===== 
1)Make fake popup and host it online on Digital Ocean server 
2)Fix subrion site, /subrion doesn't work, edit from panel 
3)Edit wordpress website 

IMP 
=== 
Subrion creds 
|->admin:7sKvntXdPEJaxazce9PXi24zaFrLiKWCk [cooked with magical formula] 
Wordpress creds 
|-> 

So we know there is something called Subrion running on the server, and its password looks like it is encoded.  Base64? Not sure.  But if the txt file is to be believed, the site does not work anyway. Let's hold on to this for now and keep looking around.
 
I ran Gobuster and found two directories. 

/wordpress           (Status: 301) [Size: 318] [--> http://10.10.205.187/wordpress/] 

/test                (Status: 301) [Size: 313] [--> http://10.10.205.187/test/] 

WordPress
Scam site
Both sites really had nowhere to go in them and nothing in the source.  But I really liked the scam site.  It was oh so cute.
So it looks like it is time to check out Subrion.  Subrion is a CMS, and going to http://10.10.1.1/subrion really was broken, just like the note said. So I googled the default admin panel location and found it to be /panel.  I confirmed it is working and ready to be logged in.  So it's time to crack whatever this is, 7sKvntXdPEJaxazce9PXi24zaFrLiKWCk, from the text file.

"[cooked with magical formula]" made me think of CyberChef, so I went there, put in the encoded string and got this:
Base58 = Scamsite. With that as the password I was able to log in.  I have wasted many hours trying to get a shell from CMSs before, so I did not spend any time looking around this time. I did find the version number, 2.4.1, so I googled it to see if there was a vuln for it, and there was one that would give me a shell. So I downloaded the py script from Exploit-DB and ran it.  I am not going to give you the link.  Spoiler: the shell is crap.
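CyberChef's "magic" operation guessed Base58 here. To show what that step actually does, here is an added Python example (not from the writeup, and not CyberChef's code) implementing encode and decode for the Bitcoin-style Base58 alphabet, plus a quick triage check for whether a string could be Base58 at all: Base58 deliberately leaves out 0, O, I and l, so a string that contains any of those is something else. The test strings are constructed for the demo; the credential from enter.txt is only checked against the alphabet, not decoded.

```python
"""Base58 encode/decode, the 'magical formula' CyberChef recognised above.

Added example, not from the writeup: a minimal implementation of the Bitcoin
Base58 alphabet (no 0, O, I, l) so the CyberChef step is not a black box.
Strings encoded below are constructed for the demo.
"""
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    """Encode bytes as Base58; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n > 0:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return ALPHABET[0] * leading_zeros + out


def b58decode(text: str) -> bytes:
    """Decode Base58 text; raises ValueError on characters outside the alphabet."""
    n = 0
    for ch in text:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"not a Base58 character: {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_ones = len(text) - len(text.lstrip(ALPHABET[0]))
    return b"\x00" * leading_ones + body


def looks_like_base58(text: str) -> bool:
    """Triage check: non-empty and uses only the Base58 alphabet."""
    return bool(text) and all(ch in ALPHABET for ch in text)


if __name__ == "__main__":
    # Constructed demo value, not the room's credential.
    demo = b58encode(b"hello world")
    print(demo, "->", b58decode(demo))
    # The string from enter.txt passes the alphabet check, which is why
    # CyberChef's magic operation tried Base58 first.
    print(looks_like_base58("7sKvntXdPEJaxazce9PXi24zaFrLiKWCk"))
```

The alphabet check is the useful defender-side takeaway: a credential that is "encoded" rather than hashed is one alphabet check and one decode away from plaintext, which is why storing it in a world-readable share is the same as storing it in the clear.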


It was hands down worthless.  I was stuck in the directory with no way out.  I was able to wget, but I could not chmod +x or run anything.  After about 20 minutes of screwing around I thought I should be able to get a shell from the web app, so that is what I did. 
I dug around until I found the upload area of the app.  Once I did, I noticed the file that the py script had uploaded; it ended in a .phar extension.  I googled the extension and found out it was executable.  So I made a new file.txt and grabbed a reverse shell from revshells (the PHP PentestMonkey one).  I put it in the newly made txt file and renamed it badman.phar.
Then I went to http://10.10.*.*/subrion/uploads/Badman.phar (case sensitive).
And my rev shell called home!!  
Finally, a real shell.  I jumped to /tmp, used wget to pull down my linpeas.sh script, and a quick chmod +x later we had linpeas.sh off and running.
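The upload feature fell over for two reasons: the name check let a .phar through, and the uploads directory executed it. As an added example (not Subrion's code), the Python below puts the weak check next to the fix. The denylist only knows about .php and compares case-sensitively, so badman.phar and shell.PHP both pass; the allowlist accepts only the types the feature is meant to handle, lower-cases the extension first, and refuses names with more than one extension. File names are constructed for the demo.

```python
"""Upload extension checks: the denylist that lets .phar through vs an allowlist.

Added example (not Subrion's code): the writeup shows an upload directory that
served a .phar file as PHP. A denylist that only knows about .php misses
.phar/.phtml and case variants; an allowlist of exactly the types the feature
needs does not. File names used in the tests are constructed for the demo.
"""
from pathlib import PurePosixPath

# Weak check: block a few known-bad extensions, case-sensitive and incomplete.
DENYLIST = {".php"}


def denylist_allows(filename: str) -> bool:
    """Return True if the weak check would accept the upload (it accepts too much)."""
    return PurePosixPath(filename).suffix not in DENYLIST


# Hardened check: only the extensions this upload feature actually needs.
ALLOWLIST = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}


def allowlist_allows(filename: str) -> bool:
    """Accept only single-extension names whose lower-cased extension is allowed."""
    path = PurePosixPath(filename)
    if len(path.suffixes) != 1:      # "shell.phar.jpg" or "noext" are both rejected
        return False
    return path.suffix.lower() in ALLOWLIST


if __name__ == "__main__":
    for name in ("badman.phar", "Badman.PHAR", "shell.PHP", "shell.php.jpg", "photo.JPG"):
        print(f"{name:16} denylist={denylist_allows(name)!s:5} allowlist={allowlist_allows(name)}")
```

The second half of the fix lives outside the application: the uploads directory should not execute scripts at all, for example with mod_php's `php_admin_flag engine off` inside a `<Directory>` block for it, so a file that slips past the name check is served as bytes rather than run.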

╔══════════╣ Analyzing Backup Manager Files (limit 70) 

-rwxr-xr-x 1 www-data www-data 7756 Jun 14  2018 /var/www/html/subrion/includes/api/storage.php 

        $member = $this->_iaDb->row(['password'], iaDb::convertIds($client_id, 'username'), $iaUsers::getTable()); 

        return ($member && $member['password'] == $iaUsers->encodePassword($client_secret)); 


╔══════════╣ Analyzing WordPress Files (limit 70) 

-rwxr-xr-x 1 www-data www-data 2992 May 29  2021 /var/www/html/wordpress/wp-config.php 

define( 'DB_NAME', 'wpdb' ); 

define( 'DB_USER', 'support' ); 

define( 'DB_PASSWORD', 'ImAScammerLOL!123!' ); 

define( 'DB_HOST', 'localhost' ); 

I am sparing you the rest of the output because I totally overlooked this the first time around, and possibly the second.  Sooooo much time wasted trying other things.  Learn from my mistakes.  Grab all the good info first, put it in Notepad, OneNote, CherryTree or whatever note-taking software you use, and try the easiest things first.

 

The password for the user scamsite is ImAScammerLOL!123! 
The /etc/passwd file was listed in the linpeas output, which shows the usernames.
So I SSH'd in as scamsite@10.10.*.* with the password and we had a user.  Getting root was a little too easy after this.
The first thing I always do once I have a user is sudo -l.
Anytime you can run anything as sudo that is great news, or bad news depending on which side you are on.  Off to GTFOBins to see what I can do with iconv.


Well, it looks like I can read/write any file that root can.
Well, this is game over.  You can read the shadow file and crack the password, or just look at cron jobs, see what runs as root and get a shell.  But really all I wanted was the root.txt, so that is what I did. 
And there is the flag.  Pretty easy, right?  Maybe for you.  :-p  I wasted a bit of time with the linpeas output, overlooked the DB information the first time around, and of course there was all that CRAP py shell.
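The root step here is a sudo rule, and the same check that found it for me is what an admin should be running on their own boxes. As an added example (not from the writeup), the Python below parses rule lines in the shape `sudo -l` prints, `(runas) [Tag:] command`, and flags anything that runs a command as root without being on an approved list, calling out NOPASSWD and `ALL` grants in particular. The rule lines are constructed for the demo; the only detail taken from this room is that iconv was runnable via sudo.

```python
"""Audit sudo rule lines for the kind of grant that ended this box.

Added example, not from the writeup: parse the per-command lines that 'sudo -l'
prints and flag anything that runs a command as root without being on an
approved list, calling out NOPASSWD rules in particular. SAMPLE_RULES is
constructed for the demo; only the fact that iconv was runnable via sudo
comes from the writeup.
"""
import re
from typing import List

# Constructed sample in the shape 'sudo -l' uses: (runas) [Tag:] command
SAMPLE_RULES = """\
(ALL : ALL) NOPASSWD: /usr/bin/iconv
(root) /usr/bin/systemctl restart apache2
(ALL) ALL
"""

# Commands the support user is supposed to be able to run as root (assumed).
APPROVED = {"/usr/bin/systemctl restart apache2"}

RULE_RE = re.compile(
    r"^\((?P<runas>[^)]*)\)\s*"      # (ALL : ALL) or (root)
    r"(?P<tags>(?:\w+:\s*)*)"        # NOPASSWD:, SETENV:, ... (optional)
    r"(?P<cmd>.+)$"                  # the command, or ALL
)


def audit_sudo_rules(text: str) -> List[str]:
    """Return one finding per risky rule; approved root commands stay silent."""
    findings: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            findings.append(f"unparsed rule: {line}")
            continue
        runas_user = m.group("runas").split(":")[0].strip()
        as_root = runas_user in ("ALL", "root")
        cmd = m.group("cmd").strip()
        if cmd == "ALL":
            findings.append(f"unrestricted: {line}")
        elif as_root and cmd not in APPROVED:
            prefix = "NOPASSWD " if "NOPASSWD" in m.group("tags") else ""
            findings.append(f"{prefix}unapproved root command: {cmd}")
    return findings


if __name__ == "__main__":
    for finding in audit_sudo_rules(SAMPLE_RULES):
        print("[!]", finding)
```

The point of the allowlist is that the question is never "is this binary dangerous" but "does this user need this command as root at all"; a general-purpose tool like iconv never belongs in a sudoers entry, and a rule like `(ALL) ALL` for a service account is root access with extra steps.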