Vulnhub - KB-VULN:2 and EasyEnum
Two easy boxes rooted; let’s go.
We’ve got a few open ports: FTP, SSH on 22, HTTP on 80 and SMB.
There’s no anonymous access to FTP, so let’s ignore that. We do have anonymous access to an SMB share called ‘Anonymous’, and from it we can retrieve a file called backup.zip. This contains a WordPress installation and a set of creds in a note.
I got the SMB share listing with smbclient:
root@kali:/opt/vulnhub/kbvuln# smbclient -L //192.168.1.90
and then I retrieved the files with smbclient.py:
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation
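The root cause on the defending side is a share that Samba serves to unauthenticated users. The following is an added example, not code from the writeup or from the box: a small audit script that parses an smb.conf (a constructed sample, mirroring an ‘Anonymous’ share next to a properly restricted one) and reports every share with `guest ok`/`public` set, plus a `map to guest` policy that turns failed logins into guest sessions. Section and key names are real Samba settings; the sample paths and group name are made up.

```python
import configparser

# Constructed sample smb.conf (not taken from the box): an 'Anonymous' share
# that is reachable without credentials, beside a share restricted to a group.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   map to guest = Bad User

[Anonymous]
   path = /srv/samba/anonymous
   browseable = yes
   guest ok = yes
   read only = yes

[backups]
   path = /srv/samba/backups
   valid users = @backupops
   guest ok = no
"""

TRUTHY = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Parse smb.conf text; Samba's format is close enough to INI for configparser."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    return parser


def share_allows_guests(parser, share):
    """'guest ok' and its Samba synonym 'public' both grant unauthenticated access."""
    value = parser.get(share, "guest ok",
                       fallback=parser.get(share, "public", fallback="no"))
    return value.strip().lower() in TRUTHY


def audit_smb_conf(text):
    """Return the guest-accessible shares, the global guest-mapping policy and findings."""
    parser = parse_smb_conf(text)
    map_to_guest = parser.get("global", "map to guest", fallback="Never")
    guest_shares = [s for s in parser.sections()
                    if s != "global" and share_allows_guests(parser, s)]
    findings = []
    if map_to_guest.strip().lower() != "never":
        findings.append(f"map to guest = {map_to_guest}: failed logins can be "
                        "mapped to the guest account; prefer 'Never'")
    for share in guest_shares:
        findings.append(f"share [{share}] allows guest access; set 'guest ok = no' "
                        "and restrict it with 'valid users'")
    return {"map_to_guest": map_to_guest,
            "guest_shares": guest_shares,
            "findings": findings}


if __name__ == "__main__":
    for finding in audit_smb_conf(SAMPLE_SMB_CONF)["findings"]:
        print(finding)
```

Run it against a real /etc/samba/smb.conf by reading the file into `audit_smb_conf`; a clean configuration returns an empty `findings` list.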
As it turns out, the note file containing the credentials is also on the webserver.
So once we’ve got our credentials we can log in to the admin panel at http://kb.vuln/wordpress/wp-admin, and from there it’s a short hop to RCE; I uploaded a new plugin as a ZIP file, and I’m on the box.
Reading /etc/passwd we have one obvious candidate for our user: it’s kbadmin. We can su to kbadmin using the same password we found earlier, and kbadmin is in the sudo group, so then we can just sudo su and we are root. Or groot. Or something. Anyway, we’re done.
Boot2root in 6 steps for script-kiddies.
Timeframe to root this box: 20 mins to never ever.
It’s on you.
Script-kiddies? Aww, you’ll hurt my feelings. Anyway, there are hints:
Use “Daisys best friend” for information gathering.
Visit “Karla at home”.
John and Hydra love only rockyou.txt
Enum/reduce the users to brute force with or brute force the rest of your life.
SSH and port 80 HTTP only.
Running gobuster we find a page called mini.php which allows uploading arbitrary files (including PHP reverse shells) and chmodding them. I upload a shell, get confused by the chmod syntax (333 works for some reason), and then find the file to get a connection as www-data.
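The “333 works for some reason” is worth unpicking, because it is a classic permission-handling mistake. Octal 333 is -wx-wx-wx: every triad has the execute bit but none has the read bit, so a web server asked to serve that file could not even read it. One common cause (an assumption here, the page does not show mini.php’s source) is a script that passes the user’s mode string straight to chmod() as a decimal integer instead of converting it with octdec(); decimal 333 is octal 0515, r-x--xr-x, which is world-readable. The block below is an added example, not code from the writeup: it renders a mode the way ls does and shows both interpretations side by side.

```python
def mode_to_symbolic(mode):
    """Render the low nine bits of a numeric mode as the rwx string ls prints."""
    out = []
    for shift in (6, 3, 0):          # owner, group, other triads
        triad = (mode >> shift) & 0o7
        out.append("r" if triad & 4 else "-")
        out.append("w" if triad & 2 else "-")
        out.append("x" if triad & 1 else "-")
    return "".join(out)


def interpret_mode_string(text):
    """Decode a user-typed mode two ways: as octal (what `chmod 333 file` does on the
    command line) and as a plain decimal integer (what a script does when it forgets
    octdec() / int(text, 8) before calling chmod())."""
    as_octal = int(text, 8)
    as_decimal = int(text, 10)
    return {
        "as_octal": {
            "mode": oct(as_octal),
            "symbolic": mode_to_symbolic(as_octal),
            "world_readable": bool(as_octal & 0o004),
        },
        "as_decimal": {
            "mode": oct(as_decimal),
            "symbolic": mode_to_symbolic(as_decimal),
            "world_readable": bool(as_decimal & 0o004),
        },
    }


if __name__ == "__main__":
    for typed in ("333", "644", "755"):
        views = interpret_mode_string(typed)
        print(f"{typed}: octal -> {views['as_octal']['symbolic']}, "
              f"decimal bug -> {views['as_decimal']['symbolic']} "
              f"({views['as_decimal']['mode']})")
```

The practical defender takeaway is the same either way: any file-management feature that accepts a mode from the user should parse it explicitly as octal and reject anything outside the range it intends to allow.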
We’ve got a few users: harry, sally, karla, goat, oracle. Running linpeas gives us a hash for the oracle user but not much else. We do find a note saying that karla isn’t really part of this challenge - presumably that’s our ‘Karla at home’ hint. I have no idea who Daisy’s best friend is.
John handles our hash easily but it doesn’t get us any further, and given our hints maybe we need to brute-force SSH. But which user should we try? We’ve still got harry, sally and goat. Harry and Sally don’t seem to have anything interesting in their home directories, but Goat does, so let’s go there.
So, that worked. Let’s SSH in as goat and see what we can do.
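The password spray that gets us in as goat is exactly the pattern sshd leaves behind in the auth log, and it is worth knowing what that looks like from the other side. The block below is an added example, not part of the writeup: it parses constructed OpenSSH syslog lines (hostname, addresses and PIDs are made up), counts failed logins per source address, lists the usernames each source tried, and flags a source whose successful login followed a run of failures, which is the signature of a brute force that worked.

```python
import re
from collections import defaultdict

# Matches the "Failed/Accepted <method> for [invalid user] <user> from <src> port <n>"
# lines that OpenSSH writes via syslog.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample auth log (not captured from the box): one source sprays
# three users and finally succeeds as goat; another has a single typo'd login.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:02 easyenum sshd[1201]: Failed password for harry from 192.0.2.10 port 40001 ssh2
Mar  3 10:01:03 easyenum sshd[1203]: Failed password for invalid user sally from 192.0.2.10 port 40002 ssh2
Mar  3 10:01:04 easyenum sshd[1205]: Failed password for goat from 192.0.2.10 port 40003 ssh2
Mar  3 10:01:05 easyenum sshd[1207]: Failed password for goat from 192.0.2.10 port 40004 ssh2
Mar  3 10:01:06 easyenum sshd[1209]: Failed password for goat from 192.0.2.10 port 40005 ssh2
Mar  3 10:01:07 easyenum sshd[1211]: Failed password for goat from 192.0.2.10 port 40006 ssh2
Mar  3 10:01:09 easyenum sshd[1213]: Accepted password for goat from 192.0.2.10 port 40007 ssh2
Mar  3 10:05:00 easyenum sshd[1300]: Failed password for karla from 198.51.100.7 port 50000 ssh2
Mar  3 10:06:00 easyenum sshd[1302]: Accepted publickey for karla from 198.51.100.7 port 50001 ssh2
"""


def parse_sshd_events(text):
    """Return one dict per matching line with result, method, user and src."""
    events = []
    for line in text.splitlines():
        match = SSHD_RE.search(line)
        if match:
            events.append(match.groupdict())
    return events


def detect_bruteforce(text, threshold=5):
    """Group events by source address; return the sources with >= threshold failures.

    Each entry records the failure count, the set of usernames tried, any accepted
    logins, and whether an accepted login came after the failure count had already
    reached the threshold (a brute force that succeeded)."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(),
                                 "successes": [], "success_after_failures": False})
    for event in parse_sshd_events(text):
        entry = stats[event["src"]]
        if event["result"] == "Failed":
            entry["failures"] += 1
            entry["users"].add(event["user"])
        else:
            if entry["failures"] >= threshold:
                entry["success_after_failures"] = True
            entry["successes"].append(event["user"])
    return {src: entry for src, entry in stats.items()
            if entry["failures"] >= threshold}


if __name__ == "__main__":
    for src, entry in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"{src}: {entry['failures']} failures across {sorted(entry['users'])}, "
              f"successes={entry['successes']}, "
              f"succeeded after spray={entry['success_after_failures']}")
```

The threshold and the single-pass counting are deliberately simple; a production rule would add a time window and feed the flagged source to fail2ban or a firewall rule. The more durable fix on this box is the one the hints hand-wave at: key-only SSH authentication, which turns the whole rockyou.txt run into noise.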
I think this did take me longer than 20 minutes. Maybe 30.