Vulnhub’s Hemisphere: Lynx Vulnerable VM CTF Write-Up
Hemisphere: Lynx is a vulnerable VM hosted on Vulnhub.
This is categorized as an easy box, but I wanted to do a write-up on it because of a specific tool that I haven't seen covered that much.
You will use this tool a few times when you're doing Vulnhub VMs, OSCP labs and HackTheBox, so I thought I would take this opportunity to write up when it's clearly the right tool to reach for and how you can quickly add it to your hacker tool bag. All right, let's get started.
Enumeration
I started out with a simple Nmap script.
user@kali:~/Desktop$ nmap -sV -Pn -A -p- 192.168.1.101
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2020-10-29 12:04 EDT
Nmap scan report for Lynx.attlocal.net (192.168.1.101)
Host is up (0.00055s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 26:21:06:43:f3:27:b0:2f:df:eb:37:c0:26:d7:58:2a (RSA)
| 256 cd:a2:e4:63:31:78:79:a1:56:1d:1d:bd:85:ee:6b:fb (ECDSA)
|_ 256 dd:bc:7e:1d:a3:ad:ff:aa:1a:3f:d3:68:a4:42:ea:1b (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Lynx
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
Service Info: Host: LYNX; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -20m00s, deviation: 34m38s, median: 0s
|_nbstat: NetBIOS name: LYNX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.9.5-Debian)
| Computer name: lynx
| NetBIOS computer name: LYNX\x00
| Domain name: \x00
| FQDN: lynx
|_ System time: 2020-10-29T17:04:52+01:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-10-29T16:04:52
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.40 seconds
user@kali:~/Desktop$
From Nmap, I saw that there were a few ports open. I started from the top of the scan and went through the ports. The FTP service did not allow anonymous login.
I moved down to the SSH service, but I knew from past experience that there were no vulnerabilities in this version. Next was the web server.
Dirb didn't yield anything usable, so I browsed to the page.
From the page we can see that this is just a one-off splash page for the CTF. It's in Spanish, so I didn't really know what it was saying. But I did know that there weren't any CMS apps running or a login page. I set this aside for a moment and moved on to the SMB ports 139 and 445.
A quick connection with smbclient showed that there were only 2 shares on the server.
This is categorized as an easy box, so getting a reverse shell through the IPC$ or print$ share is pretty unlikely.
Going back to the webpage, we see a lot of text here. When a CTF gives you no web portal and no obvious vulnerable entry point, it's typical for a username and password to be hidden somewhere in the webpage's content.
So I decided to use a web scraper called CeWL to put together a wordlist and then run it against the open services. Here's the syntax:
cewl 192.168.1.101 -m 6 -w wordlist.txt
To break this down, we have the program name, the webpage URL and then -m. This flag sets the minimum letter count of the words that it scrapes, so it won't put any word with fewer than 6 letters into the wordlist. The -w flag writes the output to a file, and wordlist.txt is the file name. Pretty simple.
As you can see from the output, we have a few words here. You can lower the minimum to pull in shorter words, but you're probably not going to find a password or username with fewer than 4 letters.
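To make the -m behaviour concrete, here is an added example (not from the write-up and not CeWL's own code) that does the same kind of scrape in Python: collect the visible text of a page, split it into words, drop duplicates and keep only words at or above a minimum length. The HTML is a constructed stand-in for the CTF's splash page, not its real content; CeWL itself also follows links and handles more input kinds than this does.

```python
import re
from html.parser import HTMLParser

# Constructed stand-in for the splash page (not the real page content).
# The <script> and <style> blocks are there to show that they are skipped.
SAMPLE_HTML = """<html><head><title>Lynx</title>
<style>body{color:#333}</style><script>var x = "ignored";</script></head>
<body><h1>Bienvenido al laboratorio</h1>
<p>Este servidor pertenece al equipo de seguridad. El administrador
es responsable del mantenimiento y las contraseñas nunca deben
compartirse por correo.</p></body></html>"""


class TextCollector(HTMLParser):
    """Collect visible text, skipping <script> and <style> like a browser would."""

    SKIP = {"script", "style"}

    def __init__(self):
        super().__init__()
        self.parts = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.parts.append(data)


# \w on a str pattern is Unicode-aware in Python 3, so accented letters stay in words.
WORD_RE = re.compile(r"\w+")


def scrape_words(html, min_length=6):
    """Return unique words of at least min_length characters, in first-seen order.

    min_length plays the role of CeWL's -m flag: with 6 the short Spanish
    function words (al, de, el, las, por) never make it into the list.
    """
    parser = TextCollector()
    parser.feed(html)
    seen, words = set(), []
    for word in WORD_RE.findall(" ".join(parser.parts)):
        if len(word) >= min_length and word not in seen:
            seen.add(word)
            words.append(word)
    return words


if __name__ == "__main__":
    for min_len in (6, 4):
        found = scrape_words(SAMPLE_HTML, min_len)
        print(f"-m {min_len}: {len(found)} words -> {found}")
```

Running it shows the trade-off the write-up describes: dropping the minimum from 6 to 4 adds only a handful of short words such as the page title, while the script literal "ignored" never appears because it is not visible text.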
I took the wordlist and ran Hydra against the FTP and SSH services. After a couple of seconds, I got a hit on both services with the same username and password.
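From the defender's side, a Hydra run like the one above is noisy: every guess lands in the SSH auth log and the vsftpd log, and the successful login arrives from the same source right after a burst of failures. The following added example (mine, not part of the write-up) parses constructed auth.log and vsftpd.log lines in their usual Debian formats and flags any source address with a burst of failures on a service, noting whether a success from that address followed. The log lines and addresses are made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines (not taken from the box). Formats mirror OpenSSH's
# auth.log messages and vsftpd's log file; the addresses are placeholders.
SSH_LOG = """\
Oct 29 12:05:01 lynx sshd[1201]: Failed password for invalid user hemisphere from 192.168.1.50 port 40122 ssh2
Oct 29 12:05:01 lynx sshd[1203]: Failed password for invalid user lynx from 192.168.1.50 port 40124 ssh2
Oct 29 12:05:02 lynx sshd[1205]: Failed password for johannes from 192.168.1.50 port 40126 ssh2
Oct 29 12:05:02 lynx sshd[1207]: Failed password for johannes from 192.168.1.50 port 40128 ssh2
Oct 29 12:05:03 lynx sshd[1209]: Accepted password for johannes from 192.168.1.50 port 40130 ssh2
Oct 29 12:07:10 lynx sshd[1300]: Accepted publickey for johannes from 192.168.1.20 port 51002 ssh2
"""

FTP_LOG = """\
Thu Oct 29 12:05:01 2020 [pid 1401] [johannes] FAIL LOGIN: Client "192.168.1.50"
Thu Oct 29 12:05:01 2020 [pid 1403] [johannes] FAIL LOGIN: Client "192.168.1.50"
Thu Oct 29 12:05:02 2020 [pid 1405] [johannes] FAIL LOGIN: Client "192.168.1.50"
Thu Oct 29 12:05:02 2020 [pid 1407] [johannes] OK LOGIN: Client "192.168.1.50"
"""

# "Failed password for invalid user X from IP port N" and "Accepted password for X from IP port N"
SSH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
# "[user] FAIL LOGIN: Client "IP"" and "[user] OK LOGIN: Client "IP""
FTP_RE = re.compile(r'\[(?P<user>[^\]]+)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"')


def parse_events(text, pattern, service):
    """Yield (service, ip, user, success) for each line the pattern matches."""
    for line in text.splitlines():
        m = pattern.search(line)
        if m:
            yield service, m.group("ip"), m.group("user"), m.group("result") in ("Accepted", "OK")


def detect_brute_force(ssh_text, ftp_text, threshold=3):
    """Return {ip: finding} for sources with at least `threshold` failed logins
    on a service. `success_after_failures` lists the services on which that
    source then logged in successfully, the signature of a guessed credential.
    """
    failures = defaultdict(lambda: defaultdict(int))  # ip -> service -> failure count
    success_after = defaultdict(set)                   # ip -> services with a later success
    events = list(parse_events(ssh_text, SSH_RE, "ssh")) + list(parse_events(ftp_text, FTP_RE, "ftp"))
    for service, ip, _user, success in events:
        if success:
            if failures[ip][service] >= threshold:
                success_after[ip].add(service)
        else:
            failures[ip][service] += 1
    findings = {}
    for ip, per_service in failures.items():
        hit = {svc: n for svc, n in per_service.items() if n >= threshold}
        if hit:
            findings[ip] = {"failures": hit, "success_after_failures": sorted(success_after[ip])}
    return findings


if __name__ == "__main__":
    for ip, finding in detect_brute_force(SSH_LOG, FTP_LOG).items():
        print(ip, finding)
```

The key-based login from the second address never appears in the findings because it produced no failures; the spraying source is reported once, with its failure counts per service and the services on which the guess eventually landed.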
There are two paths that you can take to a root shell. I’ll start with the SSH route.
SSH Path To Root
I started out by logging into the SSH service with the username and password.
I grabbed the user.txt file to get the user flag.
I set up a python server for HTTP file transfers from my Kali box to the target.
Then I transferred the LinPEAS script over to the target.
Going through the script's output, I saw something interesting in the Desktop directory for johannes.
There was a .creds file. I browsed to the directory and found the file. It was hidden, so I had to use ls with the -lah flag.
When I cat the .creds file, I get what looks like a base64-encoded blob.
I copy the base64 string and decode it on my Kali box.
echo MjBLbDdpUzFLQ2FuaU84RFdNemg6dG9vcg== | base64 -d
This gives me what looks like a password:
20Kl7iS1KCaniO8DWMzh:toor
But it looks reversed. We can pipe it through the rev tool in Kali to flip it back.
echo MjBLbDdpUzFLQ2FuaU84RFdNemg6dG9vcg== | base64 -d | rev
And now we have our root password:
root:hzMWD8OinaCK1Si7lK02
I used su to log in as root.
And then I grabbed the final root flag.
FTP Path To Root
I started out by FTPing into the server as user johannes.
This gave me full directory traversal throughout the server. I can go to the Desktop directory, and with ls -lah I can see the .creds file.
Using the get command, I download the file to my Kali box.
Since the file name starts with a dot, it's still hidden after I download it, so I rename it to make it visible on my desktop.
I cat the file and see that it's base64. I then decode it and use rev to get the root password.
echo MjBLbDdpUzFLQ2FuaU84RFdNemg6dG9vcg== | base64 -d | rev
With the root password, I try to SSH in directly as root, but it doesn't work, so I SSH in as johannes and switch to root with the password.
This was a great CTF and I really had some fun hacking my way through. CeWL was a great way to show beginners how to create a wordlist from a URL. You will run into this if you're doing HackTheBox or OSCP lab machines, I promise. If you're a casual CTFer, you might not see it as much.
Follow me on here or on Twitter @assume_breach