Vulnhub - CALLME: 1
Introduction
Machine name: Callme
Level: Easy
flags: user, root
Description: This is a Linux box with a custom remote access
This is CALLME: 1 from Vulnhub. I did the foothold/user part of this myself, and then checked a writeup for the privesc. Which I didn’t successfully run; whatever.
Ports
- 22/tcp open ssh
- 111/tcp open rpcbind
- 2323/tcp open 3d-nfsd
2323
Entry to this box is via port 2323; connecting with telnet gets this:
So we need a way to bruteforce the password for admin. We know it’s admin because if we get this if we try one that doesn’t exist:
username:
doesnotexist
Password
dunno
user does not exist
Expect
I had never used /bin/expect before but some googling told me it was the way to go. Well, one way anyway. I had two scripts:
and:
What I did was run caller.sh and redirected the output to a file, which I then flicked through looking for something unusual. Yes, it’s not optimal; I’m a hack.
Anyway one entry stood out:
So the password is booboo - what does the message mean?
ONE THOUSAND THIRTY THREE
Initially I though maybe this was a delay, like I had to wait 1.033 seconds and retry, but that didn’t seem right. What did You are not ready sorry mean? Could it be a connection back looking for an open port? The numbers always seemed to be between about 1000 and 4000. I made a new slight change to my script:
I opened a listener on port 1234, called the script from an infinite loop on the command line, sending the output to the void, and waited:
root@kali:/opt/vulnhub/callme# while :; do ./booboo.sh;done > /dev/null
After a few minutes, I got my shell. This was a CMD shell, which was running under WINE. Apart from knowing it exists, I know basically nothing about WINE.
Still, I got the user. See here for someone else’s writeup of the rest. Also he had better scripts. It’s all good.