oopsie
Prenote
This box was made by one of my friends, from my CTF team, The WINRaRs. The creator's name is fieldraccoon, go show him some love <3
Enumeration
Firstly, let's start with an nmap scan.
☁ oopsie nmap -T4 -A -v 10.10.129.130 > scan.txt
☁ oopsie cat scan.txt
Nmap scan report for 10.10.129.130
Host is up (0.034s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 14 Dec 27 07:42 creds.txt
|_-rw-r--r-- 1 ftp ftp 17 Dec 27 07:10 test.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.9.20.228
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.2 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 2a:21:f6:7e:2e:3a:d4:db:7a:5b:70:94:c4:c2:74:28 (DSA)
| 2048 ab:40:78:0e:ae:9f:65:23:de:f9:3b:1f:24:1e:67:a2 (RSA)
| 256 3d:87:4d:70:56:d4:1b:09:9c:6c:f3:5b:66:c7:42:bf (ECDSA)
|_ 256 a5:70:42:45:b8:ca:a9:70:6d:13:4f:9b:5f:23:03:6e (ED25519)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Interesting: we see 2 ports open. One is FTP with anonymous login allowed, serving 2 files, creds.txt and test.txt, and the other is SSH.
Foothold
Well, let's try to log in to this ftp server anonymously.
☁ oopsie ftp 10.10.129.130
Connected to 10.10.129.130.
220 (vsFTPd 3.0.2)
Name (10.10.129.130:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
We're in. Let's go to passive mode and find these files.
ftp> passive
Passive mode on.
ftp> ls
227 Entering Passive Mode (10,10,129,130,163,156).
150 Here comes the directory listing.
-rw-r--r-- 1 ftp ftp 14 Dec 27 07:42 creds.txt
-rw-r--r-- 1 ftp ftp 17 Dec 27 07:10 test.txt
Files! Let's read them both.
ftp> get creds.txt -
remote: creds.txt
227 Entering Passive Mode (10,10,129,130,249,6).
150 Opening BINARY mode data connection for creds.txt (14 bytes).
john:P@ssw0rd
226 Transfer complete.
14 bytes received in 0.00 secs (402.1140 kB/s)
ftp> get test.txt -
remote: test.txt
227 Entering Passive Mode (10,10,129,130,71,210).
150 Opening BINARY mode data connection for test.txt (17 bytes).
vsftpd test file
226 Transfer complete.
17 bytes received in 0.00 secs (721.8071 kB/s)
Of this, the most interesting thing I see is the credential pair
john:P@ssw0rd
Can we potentially use this elsewhere?
User
Referring back to our nmap scan, we see the SSH service also running. Maybe we can use these creds to get into SSH.
kali➜~» ssh john@10.10.129.130 [13:56:24]
The authenticity of host '10.10.129.130 (10.10.129.130)' can't be established.
ECDSA key fingerprint is SHA256:3/TUzfGxOPu2WgEO2RBkKDGxQPn+CsscxVBenTzhIa4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.129.130' (ECDSA) to the list of known hosts.
john@10.10.129.130's password:
Welcome to Ubuntu 14.04.6 LTS (GNU/Linux 4.4.0-142-generic x86_64)
* Documentation: https://help.ubuntu.com/
New release '16.04.7 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Your Hardware Enablement Stack (HWE) is supported until April 2019.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
And we're in. Let's check for a user flag.
john@ubuntu:~$ ls
examples.desktop user.txt
john@ubuntu:~$ cat user.txt
flag{i_hope_this_worked}
Yay! User!
Root(method 1)
If we go one directory level up, let's have a look for other directories we could potentially access.
john@ubuntu:~$ cd ..
john@ubuntu:/home$ ls
fieldraccoon ftptest ftp-testuser john
Let's start off by going into fieldraccoon's directory.
john@ubuntu:/home$ cd fieldraccoon/
john@ubuntu:/home/fieldraccoon$ ls
Desktop Documents Downloads examples.desktop Music new-vm Pictures Public Templates Videos
One of these directories is suspicious: new-vm. Let's go in there and delve further.
john@ubuntu:/home/fieldraccoon$ cd new-vm/
john@ubuntu:/home/fieldraccoon/new-vm$ ls
data
john@ubuntu:/home/fieldraccoon/new-vm$ cd data/
john@ubuntu:/home/fieldraccoon/new-vm/data$ ls
our_vsftpd.conf setup.sh
Weird, what's this script? Let's have a read of it and work out what it does.
john@ubuntu:/home/fieldraccoon/new-vm/data$ cat setup.sh
sudo apt-get update
sudo apt-get install -y vsftpd
sudo apt-get install -y openssh-server
# ssh s**t
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.factory-defaults
sudo chmod a-w /etc/ssh/sshd_config.factory-defaults
sudo systemctl restart ssh
# ftp firewall allow
sudo ufw allow 20/tcp
sudo ufw allow 21/tcp
# ftp config
sudo cp data/our_vsftpd.conf /etc/vsftpd.conf
sudo service vsftpd restart
# ftp file serve
sudo mkdir -p /var/ftp/pub
sudo chown nobody:nogroup /var/ftp/pub
echo "john:P@ssw0rd" | sudo tee /var/ftp/pub/creds.txt
sudo bash -c 'echo "flag{i_hope_this_worked}" > /home/john/user.txt'
sudo chown john:john /home/john/user.txt
sudo chmod u+rx /home/john/user.txt
sudo chmod u-w /home/john/user.txt
sudo chmod go-rwx /home/john
sudo bash -c 'echo "flag{root_flag_poggers}" > /root/root.txt'
sudo chown root:root /root/root.txt
sudo chmod u+rx /root/root.txt
sudo chmod u-w /root/root.txt
sudo chmod go-rwx /root
Interesting, this may have been a script the creator ran to set up the machine and forgot to remove. Line 30 shows:
sudo bash -c 'echo "flag{root_flag_poggers}" > /root/root.txt'
This shows the flag being echoed into the root flag file. Maybe we can try it as the root flag?
It worked!
Root(method 2)
Let's give sudo -l a run to see what we can do.
john@ubuntu:/$ sudo -l
Matching Defaults entries for john on ubuntu:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User john may run the following commands on ubuntu:
(ALL) NOPASSWD: /bin/cat
Wow, we can run cat as root without a password! Let's guess where the root flag would be hiding and cat it!
john@ubuntu:/$ sudo cat /root/root.txt
flag{root_flag_poggers}
It worked!
Root(method 3)
Tired and out of options, let's try social engineering! I kindly asked the author what the account password was. He obliged.

Let's try this with the name fieldraccoon.
kali➜~» ssh fieldraccoon@10.10.185.114 [14:42:52]
fieldraccoon@10.10.185.114's password:
Welcome to Ubuntu 14.04.6 LTS (GNU/Linux 4.4.0-142-generic x86_64)
* Documentation: https://help.ubuntu.com/
New release '16.04.7 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Your Hardware Enablement Stack (HWE) is supported until April 2019.
Last login: Sun Dec 27 03:26:21 2020 from 192.168.42.129
And we're in. Let's get the root flag.
fieldraccoon@ubuntu:~$ sudo su
[sudo] password for fieldraccoon:
root@ubuntu:/home/fieldraccoon# ls
Desktop Documents Downloads examples.desktop Music new-vm Pictures Public Templates Videos
root@ubuntu:/home/fieldraccoon# cd
root@ubuntu:~# cd /root
root@ubuntu:~# ls
root.txt
root@ubuntu:~# cat root.txt
flag{root_flag_poggers}
It worked!
Lessons to learn: Hardening your own machine's services
Our first way of getting user was exploiting anonymous FTP. Let's harden ftp so people can't exploit it in future.
This can be done by opening /etc/vsftpd.conf and changing the anonymous_enable line to anonymous_enable=NO, then restarting vsftpd.
Check your Ubuntu machine to see whether this is set.
Lessons to learn 2: Deleting setup scripts
This is a pretty easy thing to do. Before putting a machine in production, make sure there are no setup scripts left behind, and remove any you find, since they often contain the credentials and secrets used to build the box.
root@ubuntu:/# ls
bin boot cdrom dev etc home initrd.img lib lib64 lost+found media mnt opt proc root run sbin srv sys tmp usr var vmlinuz
root@ubuntu:/# cd home
root@ubuntu:/home# ls
fieldraccoon ftptest ftp-testuser john
root@ubuntu:/home# cd fieldraccoon
root@ubuntu:/home/fieldraccoon# ls
Desktop Documents Downloads examples.desktop Music new-vm Pictures Public Templates Videos
root@ubuntu:/home/fieldraccoon# cd new-vm/data
root@ubuntu:/home/fieldraccoon/new-vm/data# rm setup.sh
root@ubuntu:/home/fieldraccoon/new-vm/data# ls
our_vsftpd.conf
Making our machine more secure!
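The three weaknesses this box turned on (anonymous FTP enabled, a setup script with embedded credentials left in a home directory, and a passwordless sudo rule for /bin/cat) can all be checked for with a few lines of shell. The script below is an added example and is not part of the writeup or the box; it runs against constructed sample files in a temp directory so it works offline, and the sample contents are invented apart from mirroring the shapes seen above. The only external fact it relies on is that vsftpd's compiled-in default for anonymous_enable is YES and that vsftpd.conf uses option=value with no spaces. To audit a real host, point the functions at /etc/vsftpd.conf, a home directory and /etc/sudoers plus /etc/sudoers.d/*.

```shell
#!/bin/sh
# Added example (not from the writeup): audit checks for the misconfigurations
# that handed over this box. All sample files below are constructed.

# 1. Anonymous FTP. vsftpd defaults anonymous_enable to YES, so a missing line
#    counts as enabled; the last uncommented setting wins. The check is strict:
#    only an explicit NO is reported as disabled. Returns 0 when disabled.
vsftpd_anon_disabled() {
    val=$(grep -E '^anonymous_enable=' "$1" 2>/dev/null \
          | tail -n 1 | cut -d= -f2- | tr '[:lower:]' '[:upper:]')
    [ "$val" = "NO" ]
}

# 2. Leftover setup scripts. Prints every *.sh under DIR whose content looks like
#    an embedded secret: a flag{...} string or an echo of a user:password pair
#    (the shape setup.sh used to create creds.txt). One path per line.
leftover_secret_scripts() {
    find "$1" -type f -name '*.sh' \
        -exec grep -lE 'flag\{|echo[[:space:]]+"[^"[:space:]]+:[^"[:space:]]+"' {} + 2>/dev/null
}

# 3. Passwordless sudo. Prints each uncommented sudoers line granting NOPASSWD;
#    a rule like "(ALL) NOPASSWD: /bin/cat" lets the user read any file as root.
sudo_nopasswd_rules() {
    grep -hE '^[^#]*NOPASSWD' "$@" 2>/dev/null
}

# Build the constructed sample tree in a temp directory and print its path.
make_samples() {
    d=$(mktemp -d)
    printf 'listen=YES\nanonymous_enable=YES\nlocal_enable=YES\n' > "$d/vsftpd-weak.conf"
    printf 'listen=YES\n# anonymous_enable=YES\nanonymous_enable=NO\nlocal_enable=YES\n' > "$d/vsftpd-hard.conf"
    mkdir -p "$d/home/new-vm/data"
    cat > "$d/home/new-vm/data/setup.sh" <<'EOF'
sudo apt-get install -y vsftpd
echo "john:P@ssw0rd" | sudo tee /var/ftp/pub/creds.txt
sudo bash -c 'echo "flag{sample_flag}" > /root/root.txt'
EOF
    cat > "$d/home/new-vm/data/clean.sh" <<'EOF'
sudo apt-get update
sudo systemctl restart ssh
EOF
    cat > "$d/sudoers" <<'EOF'
# constructed sudoers sample
root    ALL=(ALL:ALL) ALL
john    ALL=(ALL) NOPASSWD: /bin/cat
EOF
    echo "$d"
}

# Run all three checks over a sample tree and print findings.
audit() {
    for c in "$1/vsftpd-weak.conf" "$1/vsftpd-hard.conf"; do
        if vsftpd_anon_disabled "$c"; then
            echo "OK   anonymous FTP disabled: $c"
        else
            echo "WARN anonymous FTP enabled:  $c"
        fi
    done
    echo "Scripts with embedded secrets:"
    leftover_secret_scripts "$1/home"
    echo "NOPASSWD sudo rules:"
    sudo_nopasswd_rules "$1/sudoers"
}

SAMPLE_DIR=$(make_samples)
audit "$SAMPLE_DIR"
rm -rf "$SAMPLE_DIR"
```

The anonymous check deliberately treats a missing or malformed anonymous_enable line as enabled rather than guessing, because the server's own default is the permissive one; the setup-script scan is a cheap first pass and should be followed by reading any hit by hand, as the writeup did with setup.sh.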
Lessons to learn 3: Removing malware
There is a piece of malware installed on every linux machine named vim. Please delete this at your earliest convenience, as it is bad for the system.
This can be done via the following:
root@ubuntu:~# cd /etc/vim
root@ubuntu:/etc/vim# ls
vimrc vimrc.tiny
root@ubuntu:/etc/vim# rm vimrc
root@ubuntu:/etc/vim# rm vimrc.tiny
root@ubuntu:/etc/vim# cd ..
root@ubuntu:/etc# rmdir vim
root@ubuntu:/etc# ls
acpi brltty.conf deluser.conf gnome inputrc lintianrc mtools.conf popularity-contest.conf rmt subgid upstart-xsessions
adduser.conf ca-certificates depmod.d gnome-app-install insserv locale.alias nanorc ppp rpc subgid- usb_modeswitch.conf
alternatives ca-certificates.conf dhcp groff insserv.conf localtime netscsid.conf profile rsyslog.conf subuid usb_modeswitch.d
anacrontab calendar dictionaries-common group insserv.conf.d logcheck network profile.d rsyslog.d subuid- vbox
apg.conf chatscripts dkms group- iproute2 login.defs NetworkManager protocols samba sudoers vmware-tools
apm colord.conf dnsmasq.d grub.d issue logrotate.conf networks pulse sane.d sudoers.d vsftpd.conf
apparmor compizconfig doc-base gshadow issue.net logrotate.d newt python securetty sysctl.conf vsftpd.conf_default
apparmor.d console-setup dpkg gshadow- john lsb-release nsswitch.conf python2.7 security sysctl.d vsftpd.conf.orig
apport cracklib drirc gtk-2.0 kbd ltrace.conf obex-data-server python3 selinux systemd vtrgb
apt cron.d emacs gtk-3.0 kernel machine-id opt python3.4 sensors3.conf terminfo wgetrc
aptdaemon cron.daily environment hdparm.conf kernel-img.conf magic os-release rc0.d sensors.d thermald wodim.conf
at-spi2 cron.hourly firefox host.conf kerneloops.conf magic.mime pam.conf rc1.d services thunderbird wpa_supplicant
avahi cron.monthly fonts hostname ldap mailcap pam.d rc2.d sgml timezone X11
bash.bashrc crontab fstab hosts ld.so.cache mailcap.order papersize rc3.d shadow ucf.conf xdg
bash_completion cron.weekly fstab.d hosts.allow ld.so.conf manpath.config passwd rc4.d shadow- udev xml
bash_completion.d cups fstab.orig hosts.deny ld.so.conf.d mime.types passwd- rc5.d shells udisks2 yum
bindresvport.blacklist cupshelpers ftpusers hp legal mke2fs.conf pcmcia rc6.d signond.conf ufw zsh_command_not_found
blkid.conf dbus-1 fuse.conf ifplugd libaudit.conf modprobe.d perl rc.local signon-ui updatedb.conf
blkid.tab dconf gai.conf iftab libnl-3 modules pki rc.local.vmimport skel update-manager
bluetooth debconf.conf gconf init libpaper.d modules-load.d pm rcS.d speech-dispatcher update-motd.d
brlapi.key debian_version gdb init.d libreoffice mtab pnm2ppa.conf resolvconf ssh update-notifier
brltty default ghostscript initramfs-tools lightdm mtab.fuselock polkit-1 resolv.conf ssl UPower
root@ubuntu:/etc#
Malware is gone!
Final Thoughts
I hope you enjoyed this writeup. Skills learnt here involve:
Enumeration via nmap
Exploitation of anonymous ftp
Checking directories for flags
Hardening ftp
Removing vim