Basic Pentesting: 2 WriteUp — Vulnhub VM

This VM is a continuation of the Basic Pentesting series; here's the writeup for the first one:

Vulnhub link: Basic Pentesting: 2

Host discovery

The VM is in a host only network so I ran a ping scan using nmap.

nmap -sn 192.168.56.0/24

The IP is 192.168.56.102.

Service detection

Running a thorough port scan with nmap on all ports should tell us what kind of services are running. Here’s the scan output.

We have quite a number of services running, two webservers, smb and ssh. Let’s begin by enumerating the webservers.

Enumeration

1. Enumerating the webservers

Checking the link in the browser we don't see much, but after checking its source, a comment points us to a dev section. Instead of trying to guess the exact URL, why don't we bruteforce directories and see which others we can find.

Dirsearch just gave us the one directory we expected. Let’s visit it.

In the development directory we have two txt files with the following messages:

In dev.txt there's mention of Struts, its version 2.5.12, and the fact that it's the REST version of the example. These are the keywords I used to search for what this Struts stuff is. After some googling I found it's a Java REST plugin from the Apache guys. Then I found a nice article about an exploit on this version here:

The other txt file just mentions a weak password that was easy to crack.

Next let's check out the server on port 8080, which is Apache Tomcat as nmap suggests.

A dirsearch scan on this didn't yield much useful information, and trying default creds on the manager login didn't work, but the Struts article above noted that the vulnerable Apache Struts app was running on a Tomcat server.

So visiting the hinted URL with our version number, the page is there. Now let's try exploiting this, but before that let's look at SMB to see if there's any useful information we can gather.

2. Enumerating SMB

Smbmap reveals a share that we can access without credentials; connecting with smbclient we find a staff.txt. This, however, is just a note and doesn't have any useful info.

Penetration and Exploitation

Here we are exploiting the vulnerability we saw in Struts. The article above has a good manual way of exploiting it, but I will just use the available Metasploit module. Why not get some Metasploit practice while we are at it?!

After launching Metasploit, run this command and set the options correctly.

use exploit/multi/http/struts2_rest_xstream

We now have a shell as the tomcat9 user. Now let's look for a way to get more privileges.

Looking through directories for useful stuff, I found a pass.bak file in the home directory of a user kay, but no permissions to read it.

Now let's run LinEnum.sh, which is always my go-to script for local enumeration.

After running the script I found two possibilities for privilege escalation.

The kernel version here is outdated; however, gcc was not present to compile the exploit.

The second option is using vim.basic, as it has the SUID bit set. So we can read the pass.bak file!

This must be kay’s password:

heresareallystrongpasswordthatfollowsthepasswordpolicy$$

Now we can escalate to user kay. This password can also be used to log in via SSH.

Looks like kay is part of the sudo group, so we can escalate again to root.

Finally we get to read the flag.txt.
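The SUID bit on vim.basic is what turned an unprivileged tomcat9 shell into kay's password. A quick way for an administrator to catch that kind of misconfiguration is to compare the host's setuid binaries against an allowlist. The script below is an added example, not part of the original writeup or the VM; the allowlist and the sample listing are constructed and should be adjusted to your own baseline image.

```shell
#!/bin/sh
# Added example: audit setuid binaries against an allowlist and report anything
# unexpected (such as the vim.basic found on this VM). Not from the writeup.

# Setuid programs that legitimately need the bit on a typical Debian/Ubuntu
# host. Assumption: tune this to the baseline of your own image.
SUID_ALLOWLIST="/usr/bin/passwd /usr/bin/sudo /usr/bin/su /bin/su /bin/mount /bin/umount /usr/bin/chsh /usr/bin/chfn /usr/bin/gpasswd /usr/bin/newgrp"

# suid_allowed PATH: returns 0 if PATH is on the allowlist, 1 otherwise.
suid_allowed() {
  for allowed in $SUID_ALLOWLIST; do
    [ "$1" = "$allowed" ] && return 0
  done
  return 1
}

# flag_unexpected_suid: reads absolute paths (one per line) on stdin and prints
# every path that is not on the allowlist. Blank lines are skipped.
flag_unexpected_suid() {
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    suid_allowed "$path" || printf '%s\n' "$path"
  done
}

# Constructed listing standing in for the output of
#   find / -xdev -perm -4000 -type f
# on the target; only vim.basic is out of place.
SAMPLE_SUID_LIST='/usr/bin/passwd
/usr/bin/sudo
/bin/mount
/usr/bin/vim.basic
/usr/bin/newgrp'

# sample_findings: the flagged paths from the constructed listing.
sample_findings() {
  printf '%s\n' "$SAMPLE_SUID_LIST" | flag_unexpected_suid
}

# Live use on a host (run as root so every directory is traversed):
#   find / -xdev -perm -4000 -type f 2>/dev/null | flag_unexpected_suid
# Remediation for an editor that should never be setuid:
#   chmod u-s /usr/bin/vim.basic
```

Editors, pagers and interpreters should never carry the setuid bit; anything this reports that is not in your baseline is worth a `chmod u-s` and a look at how it got there.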

Conclusion

This was a better challenge than the first one, lots of stuff to learn as always.

I didn't find all the ways to privesc and get a shell; I will look at other writeups for this to see how others approached it.

Questions and feedback are welcome!

Tools used:

  • dirsearch
  • metasploit
  • nmap
  • smbmap
  • smbclient

Twitter: ikuamike

Github: ikuamike


CyberSecurity | CTFs | https://blog.ikuamike.io
