This machine is one of the machines from the OSCP preparation guide I received from one of my teachers. It is the next one on the list and can be downloaded from vulnhub.
The challenge or goal of the machine lists the following:
**Note: Just a virtual hard drive. You’ll need to create a new virtual machine & attach the existing hard drive**
The walkthrough is divided into a few sections following the standard penetration testing process: Information gathering –> Exploitation –> Post exploitation. It could be divided into more steps, but for simplicity we use these three. Since what we downloaded is a virtual hard drive (a .vmdk file), we have to do the following in VMware Workstation, because it is not possible to just import it:
1. Create a new virtual machine
2. Select custom (advanced); otherwise we won’t be able to select an existing virtual hard drive.
3. Make a new Linux virtual machine and go through the steps until “select a disk”.
4. Select use an existing virtual disk and select the downloaded disk.
5. Go through the process and make the virtual machine.
To start off we find the IP address of the machine with nmap, since netdiscover takes a while on my VMware. We use the command `nmap -sn 192.168.0.0/24` for this. The vulnerable machine has the IP
Next we scan the machine for open ports with nmap. We do two scans: `nmap -sV -sC 192.168.0.134 -oA nmap` and `nmap -sV -sC 192.168.0.134 -p- -oA fullnmap`. The parameter breakdown:
`-sV` enables service and version detection,
`-sC` runs the default script set,
`-p-` scans all 65535 ports,
`-oA` saves the output in all three formats (normal, grepable, XML) under the given base name.
So we have port 22 (SSH), 80 (HTTP), and 139 and 445 (Samba/NetBIOS).
This is probably one of those machines where we have to exploit Samba, but the enum4linux script, which enumerates Samba, is still broken. Let’s see whether we can use it on this machine or whether we have to fall back to Metasploit. But first, let’s run Nikto and dirb against the HTTP service and have a manual look at the web page. We use `nikto -host http://192.168.0.134 -output nikto.txt` and `dirb http://192.168.0.134 -o dirb`. Nothing special about these commands; we again save the output to a text file.
The website shows us a login page:
Let’s try some basic SQL injection and default credentials such as `' or 1=1 #`, `' or 1=1 --` and admin:admin. We instantly get some errors, and a SQL error when we try a lone `'`, so the form looks vulnerable to SQL injection. I checked the nikto and dirb results and there is a
So I tried a SQL injection with the username john and the password `' or 1=1#`, and we are logged in:
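The login bypass above works because the form concatenates user input straight into the SQL statement. The following is an added example (not code from the walkthrough or from the target’s web application) that rebuilds the check against a constructed in-memory SQLite `members` table, shows the string-built query being bypassed and erroring on a stray quote, and places the parameterised fix beside it. SQLite uses `--` rather than MySQL’s `#` for comments, so the `' or 1=1 --` form from the page is used; the `members` table layout, the `robert` row and the error-reporting helper are assumptions.

```python
import sqlite3

# Constructed sample rows standing in for the machine's members table.
# The john:MyNameIsJohn pair is the one reported in the walkthrough; the
# robert row is made up for illustration.
SAMPLE_MEMBERS = [("john", "MyNameIsJohn"), ("robert", "not-the-real-password")]


def make_db():
    """Build an in-memory SQLite database holding a members table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", SAMPLE_MEMBERS)
    return conn


def vulnerable_login(username, password):
    """Login check built by string formatting: the classic injection bug.

    Returns the usernames the query matched.  With the password
    ' or 1=1 --  the WHERE clause becomes  ... AND password = '' or 1=1 --'
    so every row matches and the credential check is bypassed.
    """
    conn = make_db()
    query = (f"SELECT username FROM members WHERE username = '{username}' "
             f"AND password = '{password}' ORDER BY username")
    return [row[0] for row in conn.execute(query)]


def login_error(username, password):
    """Return the database error class the vulnerable query raises, or None.

    A lone quote breaks the SQL syntax; on a real app that exception is
    what leaks out as the SQL error page the walkthrough saw.
    """
    try:
        vulnerable_login(username, password)
    except sqlite3.Error as exc:
        return type(exc).__name__
    return None


def safe_login(username, password):
    """Same check with a parameterised query: input is bound as data, never
    parsed as SQL, so the injection strings simply fail to match a row."""
    conn = make_db()
    query = ("SELECT username FROM members WHERE username = ? "
             "AND password = ? ORDER BY username")
    return [row[0] for row in conn.execute(query, (username, password))]
```

The fix is the placeholder binding in `safe_login`; input validation on the login form is no substitute, because the database driver is the only layer that knows where a string literal ends.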
The credentials are john:MyNameIsJohn. Let’s try to SSH in with `ssh email@example.com` and supply the password. We are logged in as john:
So we have a limited shell as john, which calls itself the ligGoat shell. Seems like a made-up shell. With the `?` command we can see the commands we are allowed to use, which are `cd clear echo exit help ll lpath ls`. We are not allowed to leave the home directory. It doesn’t seem like we can do much, since I have been kicked out twice already.
I tried the following shell escapes but had no luck. Seems like a dead end for now.
Information gathering SMB
Back to finding more information about the SMB ports. Since enum4linux is still not running fully, I have to rely on Metasploit. We start Metasploit with `msfconsole`, and with `search smb` we find all the modules related to Samba. Let’s `use auxiliary/scanner/smb/smb_version` to check the SMB version. We have to set the RHOST variable, which `show options` shows as empty. We set it with `set RHOST 192.168.0.134`, and `run` runs the module.
It appears to be running Samba 3.0.28a. Looking up relevant exploits with searchsploit led me nowhere. After this machine I will try to find a fix for enum4linux or some other script/tool to enumerate Samba; there should be an nmap script available.
So after fucking around with SMB and not finding anything, I went back to the limited shell. I managed to break out with `echo os.system('/bin/bash')`, a command normally used to spawn a TTY shell. But I guess you can use it to break out of a limited shell if Python is installed and you can use echo.
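The escape above is an instance of a general design flaw: a restricted shell allow-lists command names but lets the arguments of one of those commands reach a Python evaluator. The following is an added, hypothetical model of that bug class beside a hardened dispatcher; it is not ligGoat’s or lshell’s real code, and the `vulnerable_dispatch`/`hardened_dispatch` names and the forbidden-character set are assumptions. The allow-list is the one the walkthrough reports from `?`.

```python
import os
import shlex

# The command allow-list the walkthrough reports for the ligGoat shell.
ALLOWED = {"cd", "clear", "echo", "exit", "help", "ll", "lpath", "ls"}


def vulnerable_dispatch(line):
    """Toy restricted shell showing the bug class behind the echo escape.

    The first word is checked against the allow-list, but echo's arguments
    are handed to eval(), so any Python expression, os.system(...) included,
    runs with the logged-in user's real privileges.
    (Hypothetical model, not the actual ligGoat/lshell implementation.)
    """
    cmd, _, args = line.strip().partition(" ")
    if cmd not in ALLOWED:
        return f"*** forbidden command: {cmd}"
    if cmd == "echo":
        return str(eval(args, {"os": os}))  # BUG: evaluates user input as code
    return f"(would run {cmd})"


def hardened_dispatch(line):
    """Same allow-list, but arguments are treated as data, never as code.

    shlex.split tokenises the line, echo joins its arguments as literal
    text, and metacharacters that could reach a shell or an evaluator are
    refused outright instead of being interpreted.
    """
    try:
        tokens = shlex.split(line)
    except ValueError as exc:  # unbalanced quotes
        return f"*** parse error: {exc}"
    if not tokens:
        return ""
    cmd, args = tokens[0], tokens[1:]
    if cmd not in ALLOWED:
        return f"*** forbidden command: {cmd}"
    if any(ch in arg for arg in args for ch in ";|&`$()<>"):
        return "*** forbidden character in arguments"
    if cmd == "echo":
        return " ".join(args)
    return f"(would run {cmd} with {args})"
```

The lesson for anyone deploying a restricted shell is that the command name is the least important thing to check: every argument must be tokenised and passed to the real program as a list (never through a shell or `eval`), and the session should be logged so that attempts like the one above are visible.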
The contents of /etc/passwd tell us there are a couple more users: loneferret and robert. Robert has a kshell and loneferret has a normal /bin/bash shell. In loneferret’s home directory is an interesting SQL history file, but it is not readable by us. After looking around in the /var/www directory I found database credentials. The username is root and there is no password -_-
To connect to the database we use `mysql -u root`. We use the following commands to look into the database: `show databases; use members; select * from members;`
This gives us an encoded password for robert. Since it ends with == it looks base64 encoded, which we could decode easily. But it doesn’t seem to be base64.
Joke’s on me, the password of robert is just
`su robert` with that password and we are now the robert user. We are in the limited shell again, so let’s use our echo command to escape.
`echo os.system ('/bin/bash')` But this isn’t allowed for robert? Damn. Tried it again and it turns out it is because there is a space between system and (. Okay then… Mistakes can happen.
`echo os.system('/bin/bash')` works! I went back to john and got the same error when I pasted it. Stupid space.
We are the robert user now, but there isn’t anything special he can do, so we need to become root. For enumeration we can use https://github.com/rebootuser/LinEnum. So let’s clone this to our /opt folder, then copy the LinEnum.sh file to our /var/www/html directory. Start up apache2 and we can wget the .sh file on the target machine. But it does not connect 🙁
nc is not available either, nor git, so let’s do some manual enumeration. When looking through the processes I found that mysql was running as root. We can already access the database as root. There should be a way to misuse this process and spawn a root shell? Let’s google; I came across this article.
This didn’t work since I could not run gcc. After going crazy and looking up a walkthrough I found out that I could use `select sys_exec('usermod -a -G admin robert');` to add robert to the admin (sudo) group. Then we can `su root` to change to the root user.
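The root shell at the end is the product of three weaknesses chained together: mysqld running as root, a root database account with no password (the credentials found under /var/www), and a command-execution UDF (`sys_exec`) registered in the server. An administrator can check for all three from a process listing and two catalogue queries. The following is an added audit script, not part of the walkthrough or of any tool it mentions; the sample process lines, user rows and function rows are constructed to mirror the situation on the page, and the `audit_mysql` function, `Finding` type and finding codes are assumptions. It reads rows in the shape of `ps -eo user,pid,cmd`, `SELECT User, Host, Password FROM mysql.user` (the column is `authentication_string` on newer MySQL) and `SELECT name, dl FROM mysql.func`.

```python
import os
from dataclasses import dataclass

# Constructed samples, not captured from the machine.  Third ps line is a
# correctly configured instance (dropped to the mysql user) for contrast.
SAMPLE_PS = [
    "root      1201 /usr/sbin/mysqld --basedir=/usr",
    "www-data  1337 /usr/sbin/apache2 -k start",
    "mysql     2048 /usr/sbin/mysqld --user=mysql",
]
SAMPLE_USERS = [("root", "localhost", ""), ("john", "localhost", "*HASH-PLACEHOLDER")]
SAMPLE_FUNCS = [("sys_exec", "lib_mysqludf_sys.so")]

# UDFs from lib_mysqludf_sys that execute operating-system commands.
SHELL_UDFS = {"sys_exec", "sys_eval"}


@dataclass
class Finding:
    severity: str
    code: str
    detail: str
    fix: str


def audit_mysql(ps_lines, user_rows, func_rows):
    """Flag the three conditions that together allowed the escalation."""
    findings = []

    # 1. A mysqld process owned by root: every UDF then runs as root too.
    for line in ps_lines:
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        user, pid, cmd = parts
        if os.path.basename(cmd.split()[0]) == "mysqld" and user == "root":
            findings.append(Finding(
                "high", "MYSQLD_AS_ROOT", f"pid {pid}: {cmd}",
                "start mysqld with --user=mysql (or user=mysql in my.cnf)"))

    # 2. Accounts with an empty password, especially root.
    for user, host, password in user_rows:
        if password == "":
            findings.append(Finding(
                "high" if user == "root" else "medium", "EMPTY_PASSWORD",
                f"{user}@{host}",
                "set a password and remove credentials from web-readable files"))

    # 3. Any registered UDF; the command-execution ones are the dangerous set.
    for name, dl in func_rows:
        findings.append(Finding(
            "high" if name in SHELL_UDFS else "medium", "UDF_REGISTERED",
            f"{name} loaded from {dl}",
            f"DROP FUNCTION {name}; and remove {dl} from the plugin directory"))

    return findings


if __name__ == "__main__":
    for f in audit_mysql(SAMPLE_PS, SAMPLE_USERS, SAMPLE_FUNCS):
        print(f"[{f.severity}] {f.code}: {f.detail}  ->  {f.fix}")
```

Each finding on its own is a misconfiguration; together they are a root shell for anyone who can reach the database socket, which on this machine meant anyone with the credentials sitting in /var/www. Removing any one link (dropping privileges, setting a password, dropping the UDF) breaks the chain, and monitoring `mysql.func` for new rows catches the UDF step even on a host where the others were missed.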