Vulnhub’s KB-Vuln 1 CTF Walkthrough
KB-Vuln is an older VM, but I thought I would do a write-up on it because it has so much to offer.
While this box is labeled easy, there are a lot of loop-holes in it and I think the lessons that it presents are very important for newbies to take notice of.
The VM is designed to run off of VirtualBox and that’s how I ran it. I’m not sure if it will run on VMWare.
We’ll start out with some basic enumeration with Nmap.
Enumeration
root@kali:~# nmap -sV -Pn -A 192.168.1.95
Starting Nmap 7.70 ( https://nmap.org ) at 2020-10-05 15:41 EDT
Nmap scan report for kb-server.attlocal.net (192.168.1.95)
Host is up (0.0012s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:192.168.1.96
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 95:84:46:ae:47:21:d1:73:7d:2f:0a:66:87:98:af:d3 (RSA)
|   256 af:79:86:77:00:59:3e:ee:cf:6e:bb:bc:cb:ad:96:cc (ECDSA)
|_  256 9d:4d:2a:a1:65:d4:f2:bd:5b:25:22:ec:bc:6f:66:97 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: OneSchool - Website by Colorlib
MAC Address: 08:00:27:09:6B:FC (Oracle VirtualBox virtual NIC)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=10/5%OT=21%CT=1%CU=39871%PV=Y%DS=1%DC=D%G=Y%M=080027%T
OS:M=5F7B7700%P=i686-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%T
OS:S=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=
OS:M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=F
OS:E88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A
OS:=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%
OS:Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=
OS:A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=
OS:Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%
OS:T=40%CD=S)

Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   1.15 ms kb-server.attlocal.net (192.168.1.95)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.53 seconds
root@kali:~#
We have a few ports open here. The most notable is the web server on port 80. The Nmap scan revealed that anonymous login was enabled on FTP, so I logged in to see if there was any way to upload a shell.
As you can see, there was no directory traversal enabled and there wasn’t anything noticeable in the current directory. I decided to move on.
Port 22 was a bust. No exploits or vulnerabilities. So, I headed over to the webserver.
As you can see, it’s a landing page for a CMS. I ran Dirb and Nikto with nothing really sticking out. So, I took a look at the source code on the landing page.
About 3/4 of the way down the page we see a comment “Username : sysadmin.” This was unusual for this type of source code, so I tried to brute force the SSH service with this username against the rockyou.txt wordlist.
It didn’t take long before I had my first password for the SSH service.
I logged in and started my privilege escalation procedures after grabbing the user.txt flag.
Using id I saw that this user was part of the lxd group and the sudo group.
I thought that would be the end of the CTF. Not a bad box for a beginner. But when I tried sudo, sysadmin wasn’t in the sudoers file.
That’s okay, I can use the lxd privilege escalation method, I thought. I won’t post all of the screenshots here, but I will tell you that it didn’t work. I was back to square one.
So, I started over. I decided to see if there were any other users on the box. The /etc/passwd file was telling.
I saw that there was a user named eftipi that had a bash login. I decided to try to brute force their login also.
With the new user’s password, I logged in via SSH.
When I logged in, I saw that there was no home directory for the user. I spun up a Python web server and transferred linpeas.sh over to the target.
One thought that I had before I ran the script was to mutate the password pattern. Sysadmin’s password was password1 and eftipi’s password was password3.
I tried my new password list against the root user using Hydra, but it didn’t pan out. Back to the script, we see that the Message Of The Day is writable.
Navigating to the directory, we see that the 00-header file is writable and run by root.
I checked to make sure that Netcat was installed and chose a bash reverse shell since there was a Bash interpreter. Using vi, I inserted my bash reverse shell one-liner into the file.
I saved the file and set up my Netcat listener. Since the MOTD is triggered by a user logging into the system, I logged in as sysadmin. I didn’t get a reverse shell. But when I logged in as eftipi, I received my root shell.
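The two findings that finished this box, a script in /etc/update-motd.d that a low-privileged user could edit and a user sitting in the lxd group, are both things an administrator can audit in a few lines of shell. The script below is an added example and not part of the original write-up. It assumes Ubuntu's pam_motd layout (every script under /etc/update-motd.d runs as root at login) and the standard /etc/group format; both paths are parameters so the functions can be run against copies of the files as well as the live system.

```sh
#!/bin/sh
# Added defender-side audit for the two weaknesses used in the walkthrough.
# Not from the original post. Written for Ubuntu, where each script in
# /etc/update-motd.d is executed as root by pam_motd on every login.
# Both functions take a path argument so they can be pointed at a copy
# of the files (e.g. in a test fixture) as well as at the live system.

# Report regular files in the MOTD directory (default /etc/update-motd.d)
# whose group or world write bit is set. Any such file lets a non-root
# user add commands to a root-executed script. Also flags the directory
# itself if it is writable, since a new script could be dropped in.
# Returns 1 if anything was flagged, 0 if clean, 2 if the directory is missing.
check_motd_scripts() {
    dir="${1:-/etc/update-motd.d}"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # First 10 characters of ls -ld are the mode string, e.g. -rw-rw-r--;
        # position 6 is the group write bit, position 9 the world write bit.
        mode=$(ls -ld "$f" | cut -c1-10)
        case "$mode" in
            ?????w*|????????w*)
                echo "WRITABLE BY NON-OWNER: $f ($mode)"
                found=1 ;;
        esac
    done
    dmode=$(ls -ld "$dir" | cut -c1-10)
    case "$dmode" in
        ?????w*|????????w*)
            echo "DIRECTORY WRITABLE BY NON-OWNER: $dir ($dmode)"
            found=1 ;;
    esac
    return $found
}

# Report members of the lxd group from a group file (default /etc/group).
# Membership of lxd on a stock install deserves the same scrutiny as sudo.
# Returns 1 if the group has members, 0 otherwise.
check_lxd_members() {
    grp="${1:-/etc/group}"
    members=$(awk -F: '$1 == "lxd" { print $4 }' "$grp")
    [ -n "$members" ] || return 0
    echo "lxd group members (treat as root-equivalent): $members"
    return 1
}

# Audit the live system when run as a script; findings are printed to stdout.
rc=0
check_motd_scripts || rc=1
check_lxd_members  || rc=1
```

To use it as a CI or configuration-management check, append `exit $rc` so a non-zero status signals findings. The checks deliberately look only at permission bits rather than ownership, so they behave the same whether run as root or as an unprivileged reviewer; a file that is root-owned but mode 666, like the 00-header script on this box, is still caught.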
I grabbed the last flag.
This was a really fun VM with some good rabbit holes. I wanted to do a write-up to show beginners that this box proves you should not give up on enumeration even if you think you have an easy win on privilege escalation.
Follow me here or on Twitter @assume_breach