Introduction

Two easy boxes rooted; let’s go.
KB-VULN: 2
Funbox: EasyEnum

KB-VULN2 ports

We’ve got a few: FTP, SSH on 22, HTTP on 80 and SMB.

We’ve got no anonymous access to FTP; let’s ignore that. We have login to a share on SMB called ‘Anonymous’ and from that we can retrieve a file called backup.zip. This contains a wordpress installation and a set of creds in a note.

I got the SMB listing with SMBClient:

root@kali:/opt/vulnhub/kbvuln# smbclient -L //192.168.1.90

and then I retrieved the files with smbclient.py:

root@kali:/opt/vulnhub/kbvuln# smbclient.py

Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

As it turns out, the note file containing the credentials is also on the webserver.

Wordpress

So once we’ve got our credentials we can find the directory we want at http://kb.vuln/wordpress/wp-admin and from there we can do something to gain RCE; I uploaded a new plugin as a ZIP file, and I’m on the box.

Privesc

Reading /etc/passwd we have one obvious candidate for our user; its kbadmin. We can su to kbadmin using the same password we found earlier, and kbadmin is in the sudo group so then we can just sudo su and we are root. Or groot. Or something. Anyway, we’re done.

EasyEnum

Boot2root in 6 steps for script-kiddies.
Timeframe to root this box: 20 mins to never ever.
It’s on you.

Script-kiddies? Aww, you’ll hurt my feelings. Anyway, there are hints:

Use “Daisys best friend” for information gathering.
Visit “Karla at home”.
John and Hydra loves only rockyou.txt
Enum/reduce the users to brute force with or brute force the rest of your life.

nmap

SSH and port 80 HTTP only.

Webserver

Running some gobuster we find a page called mini.php which allows for upload of arbitrary files (including PHP reverse shells) and chmodding of them. I upload a shell, get confused by the chmod syntax (333 works for some reason), and then find the file to get a connection as www-data.

Users

We’ve got a few users: harry, sally, karla, goat, oracle. Running linpeas gives us a hash for the oracle user but not much else. We do find a note saying that karla isn’t really part of this challenge - presumably that’s our ‘Karla at home’ hint. I have no idea who Daisy’s best friend is.

John handles our hash easily but it doesn’t get us any further, and given our hints maybe we need to bruteforce SSH. But which user should we try - we’ve still got harry, sally and goat. Harry and Sally don’t seem to have anything interesting in their home directories, but Goat does - let’s go there.

Hydra

root@kali:/opt/vulnhub/easyenum# hydra -l goat -P /usr/share/wordlists/rockyou.txt 192.168.1.89 ssh
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-09-25 11:49:04
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344400 login tries (l:1/p:14344400), ~896525 tries per task
[DATA] attacking ssh://192.168.1.89:22/
[STATUS] 176.00 tries/min, 176 tries in 00:01h, 14344224 to do in 1358:22h, 16 active
[STATUS] 121.67 tries/min, 365 tries in 00:03h, 14344035 to do in 1964:57h, 16 active
[STATUS] 116.57 tries/min, 816 tries in 00:07h, 14343584 to do in 2050:46h, 16 active
[22][ssh] host: 192.168.1.89   login: goat   password: thebest

So, that worked. Let’s SSH in as goat and see what we can do.

Privesc

goat@funbox7:~$ sudo -l
Matching Defaults entries for goat on funbox7:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User goat may run the following commands on funbox7:
    (root) NOPASSWD: /usr/bin/mysql
goat@funbox7:~$ sudo -u root mysql -e '\! /bin/sh'
# whoami
root

I think this did take me longer than 20 minutes. Maybe 30.