Vulnhub’s KB-Vuln 3 CTF Write-Up

assume-breach
7 min read · Nov 9, 2020


KB-Vuln 3 is the latest installment of the KB-Vuln series by MachineBoy.

This is a great CTF that really gives us a chance to practice some unique password cracking and a few other enumeration vectors.

One of the reasons that I wanted to do a write-up for this box is because the privilege escalation for this VM is really cool and not commonly found in CTFs.

Another reason is that this PE vector is very “real world” so it’s something that you’re likely to find on an actual engagement. More on that later. Let’s start up Nmap.

Nmap Scan

I already found the VM’s IP by using netdiscover.

user@kali:~/Desktop$ nmap -sV -Pn -A -p- 192.168.1.142
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-09 11:44 EST
Nmap scan report for 192.168.1.142
Host is up (0.00034s latency).
Not shown: 65531 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 cb:04:f0:36:3f:42:f7:3a:ce:2f:f5:4c:e0:ab:fe:17 (RSA)
|   256 61:06:df:25:d5:e1:e3:47:fe:13:94:fd:74:0c:85:00 (ECDSA)
|_  256 50:89:b6:b4:3a:0b:6e:63:12:10:40:e2:c4:f9:35:33 (ED25519)
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: KB-SERVER; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: KB-SERVER, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: kb-server
|   NetBIOS computer name: KB-SERVER\x00
|   Domain name: \x00
|   FQDN: kb-server
|_  System time: 2020-11-09T16:45:07+00:00
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-11-09T16:45:07
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.13 seconds

From the Nmap scan we see that there are a few open ports to enumerate. The first of these is SSH. I'm pretty familiar with this version and I know there are no vulnerabilities.

There is a webserver running so let’s check that out.

Cute, huh?

I went ahead and ran Nikto and Dirb on the web server, but I didn’t find anything. I moved onto the SMB share and connected anonymously.

This showed me that there was a share named Files on the SMB server.

I grabbed the website.zip file and went to extract it.

When I tried to extract it, there was a password prompt.

Luckily, there is a tool that can help us with this. It’s called Zip2John.

A pass.hash file showed up in my home folder after a couple of seconds.

We can now use John to crack the hash.

john --wordlist=/usr/share/wordlists/rockyou.txt /home/user/Desktop/pass.hash

The path will be different for your wordlist file and your .hash file. Since I had cracked the password previously, John did not show it again, so I had to go to the .john directory in my home folder and cat the john.pot file to see the previously cracked password.

With our ZIP file password, we can extract it.

The sitemagic folder offers a lot of things to look at. The one that is most useful is the config.xml.php file.

This file offers us an admin username and an admin password. But what does it go to? We already ran dirb on the target. Seeing as how SiteMagic is a pretty common CMS, I decided to see if I could append it to the URL and get to the site.

Turns out, SiteMagic is not on the common or big dirb wordlists. But we found it!

We use our admin username and the password jesse to log in.

There is a public exploit that you can use to upload a file using Burp, but doing it manually is pretty easy.

I clicked on Content and then clicked on Files. This brought me to a webpage where I could upload my reverse shell.

I clicked upload and selected the php-reverse-shell.php file provided with Kali. This is pentestmonkey's PHP reverse shell and it works really well.

With the reverse shell uploaded, I needed to set up my NetCat listener and then find the reverse shell on the server. Luckily, the path was pretty easy to find. Since there was a Files directory in the extracted ZIP file, I browsed to that path under sitemagic.

I found my reverse shell in the images directory and got my reverse shell.

Next came PE. I went to the /tmp folder and checked to see if wget was installed. Since it was, I set up a Python HTTP server to get LinPEAS over to the target. This is an enumeration script that shows possible PE vectors.

I made the script executable with chmod +x and then ran the script.

After the script ran I saw an interesting SUID vector.

As we all know, systemctl is a pretty important command. This command allows a system administrator to start, stop or enable services on the system.

A quick search on GTFOBins shows that we can use this for a root shell.

Basically, we need to create a service file with a reverse shell inside. I created the service file on my Kali box and transferred it over to the target.

I tried this in the /tmp directory, but it didn’t work so I found another writable directory, /dev/shm. I moved the service file over to it. I then started the service with my NetCat listener set up.

I received a root reverse shell.

I grabbed the root flag to finish out the CTF.

This was a really fun CTF with a PE vector that you might actually find out in the wild. systemctl is something sysadmins are often given sudo privileges (or, as here, the SUID bit) for, because a lot of the time they need to restart services in order to apply configuration changes.
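As an added defender-side check, not from the original write-up, here is a POSIX shell audit that lists setuid binaries under the given directories and flags any, such as systemctl, that is not on a small allowlist (the allowlist itself is an assumption for demonstration, not a standard):

```shell
#!/bin/sh
# Added audit helper (example code, not from the write-up): find setuid
# files under the given directories and flag those not on an allowlist.
# The allowlist is an assumed, minimal set of binaries that legitimately
# need setuid; tune it for your distribution.
SUID_ALLOWLIST="passwd sudo su mount umount chsh chfn newgrp gpasswd"

# audit_suid DIR... prints one line per setuid file found:
#   "FLAGGED <path>" if its basename is not allowlisted (e.g. systemctl)
#   "OK <path>"      if it is
audit_suid() {
    for dir in "$@"; do
        # -xdev stays on one filesystem; -perm -4000 matches the setuid bit
        find "$dir" -xdev -type f -perm -4000 2>/dev/null
    done | while IFS= read -r path; do
        name=$(basename "$path")
        status=FLAGGED
        for ok in $SUID_ALLOWLIST; do
            if [ "$name" = "$ok" ]; then
                status=OK
                break
            fi
        done
        printf '%s %s\n' "$status" "$path"
    done
}

# Typical use on a host: audit_suid /usr /bin /sbin | grep '^FLAGGED'
```

Run it as a scheduled job and alert on any FLAGGED line; a setuid systemctl is exactly the finding LinPEAS surfaced on this box.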

If you run across this in the future, you'll know exactly what to do to gain root. Until next time, you can follow me on Twitter or here on Medium at @assume_breach.
