C0m80 – Challenge

Introduction

This post is a walkthrough of how to root C0m80. The challenge is considered hard, or at least it was for me. Shout out to @3mrgnc3 for putting it together; I did come out the other end with new tricks up my sleeve. You can download the VM from here. Lastly, my apologies for the lengthy post; I tried my best to keep it to a minimum.

Walkthrough

Enumeration is KEY if you plan on conquering c0m80. We'll start by firing off a quick n' dirty recon script I made, which consists of nmap, nikto, dirb, and enum4linux. You can download the script from here; I also took the liberty of removing all of the junk output that we don't care about!

A couple of things stood out for me going through the results: the web server, RPC (possible NFS export), and SMB. I started exploring the URL(s) from the nikto and dirb results one by one, until I bumped into the Mantis web page.

Mantis Bug Tracker

After a quick search I found the following exploit, and by simply changing the id parameter I found the following users:

For some reason Alice was the only administrator account that allowed me to reset her password! Once logged in, I started exploring the application to figure out a way to upload a shell, and ended up spending hours without luck. No worries though; it turns out the application had a number of tickets that basically have everything we need to get the initial foothold on C0m80!

Again, for the sake of keeping this post consistent and short, I will only share screenshots and/or snippets of information that are relevant. Also, I will not mention a couple of RED HERRINGS that I spent a significant amount of time on. The first clue is regarding bestFTPserver (one of the BestestSfotware products) in ticket number 5.

And

Also, I grabbed a backup copy of bestFTPserver via the link provided by Bob in ticket number 1.

At this point, the next logical step would be to reverse engineer ftp104.bkp back to its original state and then figure out what the hidden feature is. It looks like the backup file is a hexdump with a date tag. Here's a snippet.

I used some bash jutsu to get it back to something close to its original state 😀

I then took the date out and ran the following command
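As an added example (not the post's own bash one-liners, which are only shown in screenshots), here is a Python routine that turns a date-tagged hexdump back into the original bytes. The sample backup text and its tag layout are constructed, since the post does not reproduce the exact format of ftp104.bkp; it assumes a hexdump -C style layout with a date in front of each offset.

```python
import re

# Constructed sample in the shape the post describes: a hexdump -C style
# listing where every line carries a date tag before the offset. The real
# tag format of ftp104.bkp is not shown in the post; this one is assumed.
SAMPLE_BACKUP = """\
2017-06-01 00000000  4d 5a 90 00 03 00 00 00  04 00 00 00 ff ff 00 00  |MZ..............|
2017-06-01 00000010  b8 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00  |........@.......|
2017-06-01 *
2017-06-01 00000030  00 00 00 00 00 00 00 00  00 00 00 00 80 00 00 00  |................|
2017-06-01 00000040  0e 1f ba 0e 00 b4 09 cd  21 b8 01 4c cd 21 54 68  |........!..L.!Th|
"""

# optional tag, 7-8 hex digit offset, then the hex byte column
LINE_RE = re.compile(r"^(?:\S+\s+)?([0-9a-fA-F]{7,8})\s+((?:[0-9a-fA-F]{2}\s*)+)")


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild the original file from a dated hexdump.

    Handles the three things a naive cut | xxd -r pipeline gets wrong:
    the leading date tag, the '*' lines hexdump -C emits for repeated
    16-byte rows, and the ASCII column (which can contain hex-looking text).
    """
    out = bytearray()
    last_row = b""
    repeat = False
    for raw in dump.splitlines():
        line = raw.split("|", 1)[0].strip()   # drop the ASCII column
        if not line:
            continue
        if line.endswith("*"):                # repeat marker: expand below
            repeat = True
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {raw!r}")
        offset = int(m.group(1), 16)
        row = bytes.fromhex(m.group(2).replace(" ", ""))
        if repeat:                            # fill the elided rows
            while len(out) < offset:
                out += last_row
            repeat = False
        if offset != len(out):                # catch truncated/reordered dumps
            raise ValueError(f"gap at offset {offset:#x}, have {len(out):#x}")
        out += row
        last_row = row
    return bytes(out)
```

Checking the recovered bytes for the expected MZ header and a plausible e_lfanew is a quick sanity test before running strings on the result.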

Now running strings on ftp104.exe will reveal our initial foothold

It also reveals that the FTP server is listening on port 20021; going back to my nmap scan shows that C0m80 indeed has port 20021 open. Let's check it out

Looks like we have a client-side attack vector. I fired off msfconsole and used autopwn with the following settings

I then sent Bob my malicious link via report-link. The module above did not work as expected, which led me down a few rabbit holes. Luckily, I had verbose turned on while running autopwn, which shows Bob's browser details.

Searching for exploits close to Firefox version 13.0 in msfconsole, I found CVE-2012-3993, which I then used with the following settings

At last, we have reverse shell!

That's where the post-exploitation phase kicks in. I started enumerating the system looking for ways to escalate to root! Here's the first clue

Unfortunately, the VNC credentials did not work, and as such I had to look elsewhere for more clues, which led me to the following

I think we all agree now that I need to search for PWMangr2

Bingo! I grabbed a copy of that file to my local machine and was then presented with a password vault

Bob's Passwords

Logged in successfully with the password “alice”! And now we have legitimate RDP credentials.

RDP Creds

Let's pretend that we have RDP open 😀 and log in to C0m80 locally with b0b:AliceIsMyBestie

After hunting for the obvious privilege escalation exploits on c0m80 and going down a few rabbit holes AGAIN, I decided to take a break to clear my mind. I revisited my notes the following day and noticed Jeff's instructions regarding NotepadPussPuss++ in ticket number 6

Looks like B0b is still having access issues

This piece of information made me realize I need to switch to user Al1ce, who is a member of the backup group. Going back to my notes again, I found there's an RSA key pair under B0b's .ssh directory that matches al1ce's authorized_keys. Let's check what port sshd is listening on

Now let's switch to user Al1ce (Note: I had to use the backups password from B0b's password vault to unlock the RSA private key).

Now if you read Jeff's instructions and the nmap results well enough, you probably know there's an NFS share that we need to explore.

Let's use a pretty neat Python script called nfspysh; it allows us to interact with the “/ftpsvr/bkp” NFS export and issue commands such as get, put, chmod, etc.

Now catting the contents of “/etc/exports” reveals that you can upload whatever you want to “/ftpsvr/bkp” as root!
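As an added example (not from the post, which only shows the file in a screenshot), here is a small checker that audits an /etc/exports file for the weakness used at this step: a world-mountable, writable export that does not squash root, so a client's uid 0 can write root-owned files into the share. The sample exports file is constructed, and the assumption that no_root_squash is the option responsible on C0m80 is mine; the post only states the effect.

```python
import re
from typing import List, Tuple

# Constructed /etc/exports in the shape the post describes (the VM's real
# file is not reproduced here): the backup path exported to everyone with
# root squashing disabled, beside a sane export for comparison.
SAMPLE_EXPORTS = """\
# /etc/exports: NFS file systems being exported. See exports(5).
/ftpsvr/bkp   *(rw,sync,no_root_squash,no_subtree_check)
/srv/share    10.0.0.0/24(ro,sync,root_squash)
"""

# one client spec: host[(options)]; an empty host (e.g. "/pub (rw)") means everyone
CLIENT_RE = re.compile(r"^(\S*?)(?:\((.*?)\))?$")


def audit_exports(text: str) -> List[Tuple[str, str, str]]:
    """Return (path, client, issue) for every risky export entry.

    Flags: no_root_squash (client uid 0 becomes uid 0 on the share),
    wildcard or empty client lists (anyone who can reach nfsd may mount),
    and rw exports to such clients. Per exports(5) root_squash is the
    default, so only an explicit no_root_squash disables it.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments
        if not line:
            continue
        path, *clients = line.split()
        if not clients:                        # bare path: everyone, defaults
            clients = ["*"]
        for client in clients:
            m = CLIENT_RE.match(client)
            host = m.group(1) or "*"
            opts = {o.strip() for o in (m.group(2) or "").split(",") if o.strip()}
            untrusted = host == "*" or host.startswith("*.")
            if "no_root_squash" in opts:
                findings.append((path, host, "no_root_squash"))
            if untrusted:
                findings.append((path, host, "wildcard client"))
            if "rw" in opts and (untrusted or "no_root_squash" in opts):
                findings.append((path, host, "rw to untrusted or unsquashed client"))
    return findings
```

The /srv/share line shows the corrected shape: a specific client network, read-only where possible, and root_squash left in effect.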

So I created a reverse shell using msfvenom.

And then uploaded it to C0m80.

Now all that is left for us to do is run it from Al1ce's terminal

Voila!

Let's check the root flag!

Conclusion

The main takeaway from this VM is that no matter how good you think you are, there's always something that you don't know about or have never heard of. Kudos to my friend @3mrgnc3 for this challenge, and for making sure I was on the right track throughout this journey. Feel free to contact me with questions using the comment section below or just tweet me @ihack4falafel. I hope this post has been informative and I'd like to thank you for viewing.