This machine is the kind that will measure your research ability. This VM is running on VirtualBox. It includes 2 flags: user.txt and root.txt.
This is KB-VULN: 3 from VulnHub. After doing Tenderfoot I rolled straight into this one and knocked it over too.
Ports
This box has:
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
So, SSH, HTTP and SMB; gotcha.
SMB
We have anonymous login to SMB; I used nautilus. I’ve been liking it lately.
In the share we find website.zip which has a password-protected note file in it. No problem:
What’s the contents?
Hi Heisenberg! Your website is activated. --> kb.vuln
Username : admin
Password : jesse
Have a good day !
So we have some credentials. Let’s check out the website. Also I added kb.vuln to /etc/hosts, but it probably wasn’t necessary.
Website
The website is running Sitemagic, same as Cewlkid: 1. So we have arbitrary PHP file upload. I use the GUI to upload a shell and find it at:
http://kb.vuln/files/rev-plugin.php
Note: the file is called plugin because I originally used it for a WordPress thing. It’s nothing special, just a bash reverse shell.
I catch the shell in a listener and we’re away.
Privesc
We’ve only got one prominent user (heisenberg) and they’re in the sudo group so we’re probably going there or direct to root. LinPEAS says systemctl has the SUID bit set; so that’s our method.
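A defender-side check for the finding above, as an added example that is not part of the original write-up: it flags set-uid or set-gid copies of binaries that should never carry the bit (only systemctl, the one named here, is listed) and goes one step further to report dangling symlinks under a systemd unit directory. Matching by basename and the temporary fixture tree are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example: audit a tree for set-uid binaries that must not have the bit.
NEVER_SUID="systemctl"   # from the write-up; extend for your own baseline

# Print each set-uid/set-gid regular file under $1 whose basename is listed.
audit_suid() {
    local root=$1 path name bad
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r path; do
        name=${path##*/}
        for bad in $NEVER_SUID; do
            if [ "$name" = "$bad" ]; then
                printf '%s\n' "$path"
            fi
        done
    done
}

# Print "link -> target" for each symlink under $1 whose target is missing.
dangling_links() {
    local dir=$1 link
    find "$dir" -type l 2>/dev/null |
    while IFS= read -r link; do
        if [ ! -e "$link" ]; then
            printf '%s -> %s\n' "$link" "$(readlink "$link")"
        fi
    done
}

# Constructed fixture (not real host data) so the example runs offline.
make_fixture() {
    local d w
    d=$(mktemp -d)
    w="$d/etc/systemd/system/multi-user.target.wants"
    mkdir -p "$d/bin" "$w"
    printf '#!/bin/sh\n' > "$d/bin/systemctl"; chmod 4755 "$d/bin/systemctl"
    printf '#!/bin/sh\n' > "$d/bin/passwd";    chmod 4755 "$d/bin/passwd"
    printf '#!/bin/sh\n' > "$d/bin/ls";        chmod 0755 "$d/bin/ls"
    ln -s "$d/missing.service" "$w/missing.service"   # target never created
    : > "$d/ok.service"
    ln -s "$d/ok.service" "$w/ok.service"             # healthy link
    printf '%s\n' "$d"
}

fx=$(make_fixture)
audit_suid "$fx"                          # flags only the systemctl copy
dangling_links "$fx/etc/systemd/system"   # flags only missing.service
rm -rf "$fx"
```

On a real host, call `audit_suid /` and `dangling_links /etc/systemd/system` instead of using the fixture; a hit from the first function means the bit should be removed with `chmod u-s,g-s` on that file.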
GTFOBins has a technique, but it fails. Hmmm. I try a slightly different custom service, but get an error:
Failed to lookup unit file state: Invalid argument
There doesn’t appear to be anything wrong with the service file, but the system isn’t happy. After some trawling through Stack Overflow and other places, I visit /etc/systemd/system/multi-user.target.wants and find a broken symlink: