I will share with you a new Walkthrough for Vulnhub machines. My File Server: 2 This CTF machine is Created by Akanksha Sachin Verma You can download here this CTF . I would call this box on the easy side but there are a lot of moving parts that can cause you to follow some different directions. I don\u2019t want to say to much so let\u2019s get at it.<\/p>\n
<\/p>\n
![\"\"](\"https:\/\/www.armourinfosec.com\/wp-content\/uploads\/2020\/03\/Screenshot-from-2020-03-28-18-23-51.png\")
<\/p>\n
Penetration Testing Methodologies<\/strong><\/h3>\nNetwork Scan<\/strong><\/p>\n\n- Netdicover<\/li>\n
- Nmap<\/li>\n<\/ul>\n
Enumeration<\/strong><\/p>\n\n- SMBMAP<\/li>\n
- Nikto<\/li>\n
- Telnet<\/li>\n<\/ul>\n
Exploit<\/strong><\/p>\n\n- Injecting id_rsa.pub via FTP<\/li>\n
- Spawn PTY shell<\/li>\n
- \n
ProFTPd 1.3.5 – File Copy<\/p>\n<\/li>\n<\/ul>\n
Privilege Escalation<\/strong><\/p>\n\n- Capture the Flag.<\/li>\n
- Password<\/li>\n
- Kernel Exploit<\/li>\n<\/ul>\n
<\/p>\n
Network Scanning<\/h4>\n
So, as we always start with netdiscover to get the IP of the VM machine and the IP of the host I\u2019ve found is 192.168.56.3<\/p>\n
netdiscover -i vboxnet1<\/pre>\n![\"\"](\"https:\/\/www.armourinfosec.com\/wp-content\/uploads\/2020\/03\/Screenshot-from-2020-03-28-22-57-22.png\")
<\/p>\n
Let\u2019s proceed with network scan using Nmap aggressive scan as given below.<\/p>\n
nmap -p- -A 192.168.56.3<\/pre>\n![\"\"](\"https:\/\/www.armourinfosec.com\/wp-content\/uploads\/2020\/03\/Screenshot-from-2020-03-28-23-00-14.png\")
<\/p>\n
Enumeration<\/h3>\n
It was very interesting as there were so many services running on the host network. We saw FTP\u2019s \u201canonymous login enabled\u201d and port 445 was also available for SMB.<\/p>\n
![\"\"](\"https:\/\/www.armourinfosec.com\/wp-content\/uploads\/2020\/03\/Screenshot-from-2020-03-28-23-00-25.png\")
<\/p>\n
In order to enumerate SMB and identify a username as \u201csmbuser\u201d, I use the following command.<\/p>\n
smbmap -H 192.168.56.3\r\nsmbclient -L 192.168.56.3<\/pre>\n![\"\"](\"https:\/\/www.armourinfosec.com\/wp-content\/uploads\/2020\/03\/Screenshot-from-2020-03-28-23-03-56.png\")
<\/p>\n
So we used Nmap script for more enumeration<\/p>\n
nmap --script smb-enum-shares.nse -p445 192.168.56.3<\/pre>\n![\"\"](\"https:\/\/www.armourinfosec.com\/wp-content\/uploads\/2020\/03\/Screenshot-from-2020-03-29-18-46-00.png\")
<\/p>\n
From the output of Nmap script scan, we came to know about the existence of “smbuser”. On login with smbclient with “smbuser” with password “smbuser”. But we don’t have write permission in it. On login with another smb share i.e. “smbdata”, we came to know that we have write permission in it. This can be helpful.<\/p>\n
We also explore the IP host in the web browser as port 80 has been opened for the HTTP service.<\/p>\n
![\"\"](\"https:\/\/www.armourinfosec.com\/wp-content\/uploads\/2020\/03\/Screenshot-from-2020-03-28-23-05-27.png\")
<\/p>\n
I chose to run Nikto for HTTP weak config listing, and luckily found an entry for \u201creadme.txt,\u201d let\u2019s test this in the web browser.<\/p>\n
nikto -h http:\/\/192.168.56.3<\/pre>\n![\"\"](\"https:\/\/www.armourinfosec.com\/wp-content\/uploads\/2020\/03\/Screenshot-from-2020-03-28-23-08-04.png\")
<\/p>\n
I chose to run nikto for HTTP weak config listing, and luckily found an entry for \u201creadme.txt,\u201d let\u2019s test this in the web browser.<\/p>\n
![\"\"](\"https:\/\/www.armourinfosec.com\/wp-content\/uploads\/2020\/03\/Screenshot-from-2020-03-28-23-10-45.png\")
<\/p>\n
Since we have NFS service running on port 2069, we may be able to mount a share and find some juicy data! You\u2019ll need to install nfs-common package if it doesn\u2019t exist already. So I created a user by name of file2 and id @99<\/p>\n
then I mounted the nfs share to \/tmp\/mnt as follows<\/p>\n
useradd -u 99 file2\r\nmkdir \/tmp\/mnt\r\nmount -t nfs 192.168.56.3:\/smbdata \/tmp\/mnt -nolock\r\ncd \/tmp\/mnt\/<\/pre>\n![\"\"](\"https:\/\/www.armourinfosec.com\/wp-content\/uploads\/2020\/03\/Screenshot-from-2020-03-29-12-01-52.png\")
<\/p>\n
- \n
- Netdicover<\/li>\n
- Nmap<\/li>\n<\/ul>\n
Enumeration<\/strong><\/p>\n
- \n
- SMBMAP<\/li>\n
- Nikto<\/li>\n
- Telnet<\/li>\n<\/ul>\n
Exploit<\/strong><\/p>\n
- \n
- Injecting id_rsa.pub via FTP<\/li>\n
- Spawn PTY shell<\/li>\n
- \n
ProFTPd 1.3.5 – File Copy<\/p>\n<\/li>\n<\/ul>\n
Privilege Escalation<\/strong><\/p>\n
- \n
- Capture the Flag.<\/li>\n
- Password<\/li>\n
- Kernel Exploit<\/li>\n<\/ul>\n
<\/p>\n
Network Scanning<\/h4>\n
So, as we always start with netdiscover to get the IP of the VM machine and the IP of the host I\u2019ve found is 192.168.56.3<\/p>\n
netdiscover -i vboxnet1<\/pre>\n
<\/p>\nLet\u2019s proceed with network scan using Nmap aggressive scan as given below.<\/p>\n
nmap -p- -A 192.168.56.3<\/pre>\n
<\/p>\nEnumeration<\/h3>\n
It was very interesting as there were so many services running on the host network. We saw FTP\u2019s \u201canonymous login enabled\u201d and port 445 was also available for SMB.<\/p>\n
<\/p>\nIn order to enumerate SMB and identify a username as \u201csmbuser\u201d, I use the following command.<\/p>\n
smbmap -H 192.168.56.3\r\nsmbclient -L 192.168.56.3<\/pre>\n
<\/p>\nSo we used Nmap script for more enumeration<\/p>\n
nmap --script smb-enum-shares.nse -p445 192.168.56.3<\/pre>\n
<\/p>\nFrom the output of Nmap script scan, we came to know about the existence of “smbuser”. On login with smbclient with “smbuser” with password “smbuser”. But we don’t have write permission in it. On login with another smb share i.e. “smbdata”, we came to know that we have write permission in it. This can be helpful.<\/p>\n
We also explore the IP host in the web browser as port 80 has been opened for the HTTP service.<\/p>\n
<\/p>\nI chose to run Nikto for HTTP weak config listing, and luckily found an entry for \u201creadme.txt,\u201d let\u2019s test this in the web browser.<\/p>\n
nikto -h http:\/\/192.168.56.3<\/pre>\n
<\/p>\nI chose to run nikto for HTTP weak config listing, and luckily found an entry for \u201creadme.txt,\u201d let\u2019s test this in the web browser.<\/p>\n
<\/p>\nSince we have NFS service running on port 2069, we may be able to mount a share and find some juicy data! You\u2019ll need to install nfs-common package if it doesn\u2019t exist already. So I created a user by name of file2 and id @99<\/p>\n
then I mounted the nfs share to \/tmp\/mnt as follows<\/p>\n
useradd -u 99 file2\r\nmkdir \/tmp\/mnt\r\nmount -t nfs 192.168.56.3:\/smbdata \/tmp\/mnt -nolock\r\ncd \/tmp\/mnt\/<\/pre>\n
<\/p>\n
![\"\"](\"https:\/\/www.armourinfosec.com\/wp-content\/uploads\/2020\/03\/Screenshot-from-2020-03-29-12-06-40.png\")
<\/p>\n![\"\"](\"https:\/\/www.armourinfosec.com\/wp-content\/uploads\/2020\/03\/Screenshot-from-2020-03-28-23-53-54.png\")
<\/p>\n![\"\"](\"https:\/\/www.armourinfosec.com\/wp-content\/uploads\/2020\/03\/Screenshot-from-2020-03-28-16-22-53.png\")
<\/p>\n![\"\"](\"https:\/\/www.armourinfosec.com\/wp-content\/uploads\/2020\/03\/Screenshot-from-2020-03-29-12-18-04.png\")
<\/p>\n![\"\"](\"https:\/\/www.armourinfosec.com\/wp-content\/uploads\/2020\/03\/Screenshot-from-2020-03-29-12-20-34.png\")
<\/p>\n![\"\"](\"https:\/\/www.armourinfosec.com\/wp-content\/uploads\/2020\/03\/Screenshot-from-2020-03-29-12-27-07.png\")
<\/p>\n![\"\"](\"https:\/\/www.armourinfosec.com\/wp-content\/uploads\/2020\/03\/Screenshot-from-2020-03-28-16-41-26-1.png\")
<\/p>\n![\"\"](\"https:\/\/www.armourinfosec.com\/wp-content\/uploads\/2020\/03\/Screenshot-from-2020-03-29-12-52-16.png\")
![\"\"](\"https:\/\/www.armourinfosec.com\/wp-content\/uploads\/2020\/03\/Screenshot-from-2020-03-29-12-51-06.png\")
<\/p>\n