PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 8.4p1 Ubuntu 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.46 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEA
| http-robots.txt: 6 disallowed entries
|_/test/ /t3$t@123/ /includes/ /external/ /api/ /hashes/
|_http-server-header: Apache/2.4.46 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 4.6.2
445/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 4.6.2
MAC Address: 80:00:0B:3C:4A:7E (Intel Corporate)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: 1s
| nbstat: NetBIOS name: FILESERVER, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| FILESERVER<00> Flags: <unique><active>
| FILESERVER<03> Flags: <unique><active>
| FILESERVER<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
NMAP scan shows us 4 ports out which http and smb service looks interesting to us
We have three shares here out of which shares
looks interesting
But we can see that we don't have read access to any of them so let's move on !
On the web server we can see a default apache page
Since we already know about robots.txt
from the nmap scan we can just visit that file and see what entries we may find
None of these directories lead us to anywhere so let's fuzz for files and directories using gobuster
This is only returned us robots.txt so no files are on the server , let's go a step back and run enum4linux-ng
to enumerate users through smb
This gave us the username test
, if we remember from robots.txt file there was entry named test
and t3$t@123
so this maybe test user's password
With this we logged into shares
directory on smb and we see few files there
HINT
file contains a username and a hash
clark:46a8047d5f9178c75aa6bf1090592427
While pass.txt
contains list of potential passwords so we need to crack the clark
's hash using the provided worlist , we can either use hashcat
or john
but I'll be using hashcat for cracking this md5 hash
So we got clark's password , now we need to ssh into the machine
This user isn't in sudoers group also isn't allowed to run any commands as other user so let's enumerate the machine to find other user folders
Here we see Deep.zip
which was not related to rooting for this box as it only contains a flag and we can get flag by just cracking this archive's password by using the previous password list , so moving on we see .bash_history
that's important to look at what commands the user ran
After switching to maker
we realize that this user is in villan
group so let's see what files are owned by villan group
/etc/passwd
file is owned by this group so this means that we can read/write to this file , let's verify this
All that is left to do is to add a hash in root's entry, you can do this by generating a password hash using openssl
but I just copied my hash from /etc/shadow
and just pasted there
And with this we rooted this fun, amazing , challenging , hard ,OP,hackathon,not a vulnhub copied box.