LazySysAdmin

Introduction

Today I tried LazySysAdmin from VulnHub. (https://www.vulnhub.com/entry/lazysysadmin-1,205/)

Steps

Started with the good ole nmap. This time I used the -sC flag, which runs the default scripts. I also used the flags that I usually go with: -sV (Version Detection) and -O (OS Detection).

We see:

  • SSH
  • HTTP
  • SMB
  • MySQL
  • IRC


We see that it has Samba running and give that a quick check. It turns out that it has anonymous read access enabled!


We see what looks like a website root directory. Poking at the files, we see one that looks like it contains some kind of password.
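From the defender's side, the misconfiguration found here (a guest-readable share that exposes a web root) can be caught by auditing smb.conf. The script below is an added example, not part of the original write-up; the sample config, the share names and the list of web root prefixes are constructed assumptions.

```python
import configparser

# Constructed sample smb.conf for illustration (not taken from the target VM).
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   map to guest = Bad User
[print$]
   path = /var/lib/samba/printers
   guest ok = no
[webroot]
   path = /var/www/html/
   public = yes
   read only = yes
[backup]
   path = /srv/backup
   guest ok = yes
   writeable = yes
"""

TRUE = {"yes", "true", "1"}
WEB_ROOTS = ("/var/www", "/srv/www", "/usr/share/nginx")  # assumed common web roots


def is_true(section, keys):
    """True if any of the given smb.conf boolean parameters is enabled."""
    return any(section.get(k, "no").strip().lower() in TRUE for k in keys)


def audit_guest_shares(conf_text, web_roots=WEB_ROOTS):
    """Return one finding per share that allows guest (anonymous) access."""
    # Strip indentation so configparser does not treat lines as continuations.
    text = "\n".join(line.strip() for line in conf_text.splitlines())
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        sec = cp[name]
        # "public" is a synonym for "guest ok"; [global] is not a share.
        if name.lower() == "global" or not is_true(sec, ("guest ok", "public")):
            continue
        path = sec.get("path", "").strip()
        # "writeable"/"writable" are inverted synonyms of "read only" (default yes).
        writable = (sec.get("read only", "yes").strip().lower() not in TRUE
                    or is_true(sec, ("writeable", "writable")))
        in_web_root = any(path.rstrip("/") == r or path.startswith(r + "/")
                          for r in web_roots)
        findings.append({"share": name, "path": path,
                         "writable": writable, "web_root": in_web_root})
    return findings
```

Any finding with web_root set deserves a follow-up check of the exposed directory for files holding credentials, such as the password file found on this machine.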

We take a look at the website it is running. None of the links seem to work or provide any additional information. Perhaps it’s a dead website.


We remember the /wordpress/ directory from the SMB enumeration and take a look at that. We see a user ‘togie’ who is clearly not happy with setting up WordPress. We now have a name of a user setting up websites and a password for someone who doesn’t care anymore.

We take the username and password over to the open SSH port and give it a go. Success!!

We see that the user togie was truly lazy and saved his password where he could easily see and remember it. Unfortunately, so could anyone else that tried some basic enumeration.


Once we are connected to SSH, we try the easiest way to get root: ‘sudo su’. Turns out this user has sudo privileges! We are root!!

Conclusion

This VulnHub machine was pretty fun! One neat thing I did learn while poking around was a new way to escape a privileged shell. Between SSH as togie and the ‘sudo su’ command we were locked in a restricted shell. Jumping right to root got us out of the restricted shell. While playing around with the restricted shell, I found an escape path on this page (http://www.cyberry.co.uk/resources/breaking-out-of-jail-shell/) that used man pages. Open a man page and then type ‘!bash’. I’m not sure how often that escape works, but it happened to work here!


Kioptrix Level 1 - My first writeup!

Introduction

So this is my first ever VulnHub write-up! It’s probably not the best or most clearly written but we all gotta start somewhere, right??

For my first write-up I’ve chosen Kioptrix Level 1 to keep things simple. (https://www.vulnhub.com/entry/kioptrix-level-1-1,22/)

Start

We first go with nmap to see what we have to work with.


We see that Samba is running on port 139 and we want to dig in a little more. Unfortunately it looks like the version of smbclient that enum4linux uses no longer reports the Samba version. I’m not sure why it works this way; I haven’t dug into it much yet.


To enumerate the Samba version, we start up Metasploit’s smb_version scanner.


We see that the machine is running Samba 2.2.1a. A searchsploit search shows nothing for the exact version. Altering the search shows some more options. There are a bunch of Samba 2.2.x exploits we can look at.


Taking a peek at the first 2.2.x exploit shows that it is for a BSD machine. The nmap scan doesn’t seem to indicate BSD so we can skip this one.


Checking the second 2.2.x exploit, we see that it is a generic Linux Samba exploit so we decide to try that one.


After doing a quick check of the exploit for any special compiling options or changes we need to make, we see it’s ready to go as is and compile it. Once compiled, we run it to see the arguments we need to provide. Once we see we just need to provide an IP, we run the exploit.


And we have root! :)

Conclusion

Well, if you’ve made it this far, thank you! Hopefully this wasn’t too painful to read and maybe even somewhat informative! I hope to do more in the future while honing my documentation and blogging skills.