VulnHub: /dev/random: scream

Initial foothold

  1. Network discovery

My target is 10.0.2.28.

2. Port scan

There’re 4 open ports: 21, 22, 23, and 80.

3. OS and service scan

The services found are:

  • Port 21 WAR-FTPD 1.65 w/ anonymous login
  • Port 22 WeOnlyDo sshd 2.1.3 (protocol 2.0)
  • Port 23 telnet
  • Port 80 Tinyweb httpd 1.93

4. Vuln scan

No useful information.

Service Enumeration and exploitation

  1. FTP

Anonymous login

Explore its directory

I don’t have any permission except READ.

Continue exploring

TINY.EXE indicates that this /bin directory belongs to the Tinyweb httpd service.

There are logs, and the interesting one is OpenTFTPServerMT.log. This indicates that a TFTP server may be running on this machine (TFTP is UDP, so the TCP port scan would not have shown it).

There are index.html and cgi-bin. This directory is most likely the document root of Tinyweb httpd, which matters later: anything written into cgi-bin may be executed by the web server.

No data here.

Next is to search for a public exploit script.

After searching for any exploits w/ google, I came across this.

When you read the code, you'll notice winsock.h: this exploit is meant to be compiled on Windows.

Compiling it on Linux has always given me trouble (the MinGW cross compiler, i686-w64-mingw32-gcc, can do it with the same -lws2_32 linker flag mentioned below), so I will use wine to install Dev-C++, compile the script with Dev-C++ to get an exe file, and finally run the exe with wine again.

First, download Orwell Dev-C++.

Continue the installation the same way as on Windows.

Copy the code

Compiling, I encountered linker errors.

After googling, I found that I need to add "-lws2_32" (the Winsock 2 library the exploit calls into) to the compiler options.

Click Tools -> Compiler Options and add “-lws2_32” as shown in the snapshot.

Compile again; now I have an exe file.

Run the exe w/ wine

The exploit takes a target option. Since the target system is Windows XP SP3, I'll try the options closest to it.

Connect to port 7777

No shell

Use another option

Connect to port 7777

No shell

I also found another Python script that was tested on Windows XP SP3, so I'll try that as well.

Read the script

I have to generate new shellcode that connects back to my machine. Here is my command.

Copy the new shellcode into the Python script and edit the target IP.

Create Listener on port 443

Run the script

Back at the listener: no shell. I'll proceed to the next service.

2. SSH

Connect

No matching key exchange method found, so a modern OpenSSH client refuses to connect: this old sshd only offers algorithms that current clients have disabled by default.

Re-enable the algorithms the server offers (OpenSSH's -oKexAlgorithms=+... and -oCiphers=+... options) for this one connection.

Now I can connect.

Search for public exploits

Open metasploit and search for exploits

Failed. I’ll proceed to the next service.

3. Telnet

Connect

I don’t have any credentials.

4. HTTP

Access the site

View page source

Nikto

Nothing

Directory scan

Nothing

5. UDP scan. Remember from the FTP enumeration that there is a TFTP log. TFTP is a file transfer protocol over UDP port 69, which the TCP scan would not show, so I'll scan for open UDP ports.

There’s open UDP port 69.

6. TFTP

Remember from the FTP enumeration that there is a cgi-bin directory under the web root. If TFTP writes into that same tree, a Perl reverse shell script can be uploaded to cgi-bin and triggered through the web server.

I'll upload test.txt first. Before that I switch TFTP to binary (octet) mode, so the server stores the file byte for byte instead of rewriting line endings.

Now access /cgi-bin/test.txt

I can upload the file, but a .txt is served as a static file, not executed.

Next is uploading a Perl "Hello World" CGI script from this guide

Access via http

Exploitation

  1. Prepare listener on port 443

2. Create a reverse shell script; I used this guide

Copy only the Perl code and edit the IP and port to match your listener

Upload it

Access it; there's an error.

I edit the script as shown in the snapshot.

Upload again

Access it

3. Back to listener, now I got the shell

4. Verify the shell
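The TFTP upload step and the exploitation steps above both come down to one TFTP write request (WRQ) in octet mode followed by a DATA/ACK exchange. The following is an added example, not code from the original write-up or from any of the tools it uses: a minimal RFC 1350 write client in Python, plus a tiny in-process TFTP server so the exchange can be run offline. The remote name is assumed to be relative to the server root (on this target, the web root), and the Perl "Hello World" payload is a constructed placeholder, not the script from the linked guide.

```python
"""Added example: minimal TFTP (RFC 1350) octet-mode write client plus an
in-process server for offline demonstration. Not from the original write-up."""
import socket
import struct
import threading

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK = 512  # RFC 1350 block size; a short (even empty) final block ends the transfer

# Constructed placeholder CGI payload; how the server runs .pl files is server-specific.
PAYLOAD = b'#!perl\nprint "Content-type: text/plain\\r\\n\\r\\nHello World\\n";\n'


def wrq_packet(filename: str, mode: str = "octet") -> bytes:
    """Write request. 'octet' is what the tftp client's 'binary' command selects;
    'netascii' would let the server rewrite line endings in the uploaded file."""
    return struct.pack("!H", WRQ) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


def data_packet(block_no: int, chunk: bytes) -> bytes:
    return struct.pack("!HH", DATA, block_no & 0xFFFF) + chunk


def parse_ack(pkt: bytes) -> int:
    """Return the acknowledged block number; raise on a TFTP ERROR packet."""
    opcode, value = struct.unpack("!HH", pkt[:4])
    if opcode == ERROR:
        msg = pkt[4:].split(b"\x00", 1)[0].decode(errors="replace")
        raise RuntimeError(f"TFTP error {value}: {msg}")
    if opcode != ACK:
        raise RuntimeError(f"unexpected opcode {opcode}")
    return value


def tftp_put(host: str, port: int, remote_name: str, payload: bytes, timeout: float = 3.0) -> int:
    """Upload payload as remote_name (relative to the server root). Returns the
    number of DATA blocks sent. No retransmission: a lost packet raises socket.timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(wrq_packet(remote_name), (host, port))
        ack, server = sock.recvfrom(516)  # server answers from a fresh port (its TID)
        if parse_ack(ack) != 0:
            raise RuntimeError("expected ACK 0 in reply to WRQ")
        block_no, offset = 0, 0
        while True:
            chunk = payload[offset:offset + BLOCK]
            block_no += 1
            sock.sendto(data_packet(block_no, chunk), server)
            ack, _ = sock.recvfrom(516)
            if parse_ack(ack) != (block_no & 0xFFFF):
                raise RuntimeError("ACK out of sequence")
            offset += len(chunk)
            if len(chunk) < BLOCK:
                return block_no
    finally:
        sock.close()


class TinyTftpServer:
    """Write-only, single-transfer TFTP server on 127.0.0.1, used only for the demo."""

    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind(("127.0.0.1", 0))
        self.port = self.sock.getsockname()[1]
        self.files = {}
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        req, client = self.sock.recvfrom(516)
        opcode = struct.unpack("!H", req[:2])[0]
        name, mode = req[2:].split(b"\x00")[:2]
        if opcode != WRQ or mode.lower() != b"octet":
            self.sock.sendto(struct.pack("!HH", ERROR, 0) + b"octet WRQ only\x00", client)
            return
        data = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        data.bind(("127.0.0.1", 0))  # new TID for this transfer
        data.sendto(struct.pack("!HH", ACK, 0), client)
        received = b""
        while True:
            pkt, _ = data.recvfrom(516)
            block_no = struct.unpack("!H", pkt[2:4])[0]
            chunk = pkt[4:]
            received += chunk
            data.sendto(struct.pack("!HH", ACK, block_no), client)
            if len(chunk) < BLOCK:
                break
        data.close()
        self.files[name.decode()] = received


def roundtrip(remote_name: str, payload: bytes):
    """Upload to an in-process server; returns (blocks sent, bytes the server stored)."""
    srv = TinyTftpServer()
    try:
        blocks = tftp_put("127.0.0.1", srv.port, remote_name, payload)
        srv.thread.join(timeout=5)
        return blocks, srv.files.get(remote_name)
    finally:
        srv.sock.close()


if __name__ == "__main__":
    print(roundtrip("cgi-bin/hello.pl", PAYLOAD))
```

Against the real target you would call tftp_put with the box's address and port 69 and a name like cgi-bin/shell.pl; whether the uploaded file is executed or merely served is decided by the web server, which is exactly why the .txt test above returned content but did not run.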

Privilege Escalation

  1. List system info

This machine is 32-bit.

2. List system tasks

I will replace a service executable with a reverse shell, so that the service account runs my payload when the service restarts. I'll start with "FileZilla server.exe", the FTP service that only gave me READ access earlier.

Let's change directory to "\"

It did not change directory as expected; this CGI shell is too limited, so I need a more reliable shell.

3. Create and upload another shell

Create listener on port 80

Create exe shell

Upload it w/ tftp

Run the exe from the existing shell (the one on the port 443 listener)

Back at the listener on port 80, I got another shell

4. Replacing FileZilla

On listener port 80

Find the path of the FileZilla Server executable

Find the task name

Stop the task

Next, replace the executable with another reverse shell

Back on the attacker machine, create an exe reverse shell that connects back on port 21

Upload it with tftp

Create listener on port 21

Back in the shell on the port 80 listener

Rename the old exe file as a backup

Copy shell2.exe over the FileZilla executable

Start the FileZilla task

Back at the listener on port 21: judging by the path in the prompt, the service started my payload as Administrator (the equivalent of root).
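The escalation above works because a service that runs with high privileges has an executable that a low-privileged user can overwrite. The following is an added example, not code from the original write-up: it generalises that check by parsing the output of "sc qc" (service binary path and start account) and "icacls" (file ACL) and reporting every service whose binary a non-admin principal can replace. All command output here is constructed for the demo; the service names and paths are assumptions, and icacls is a Vista-and-later tool (Windows XP ships cacls, whose output format differs).

```python
"""Added example: flag Windows services whose executable a low-privileged
principal can overwrite, from 'sc qc' and 'icacls' output. Constructed data."""
import re

# Principals every non-admin user belongs to (compared in lower case).
LOW_PRIV = {"everyone", "builtin\\users", "nt authority\\authenticated users",
            "nt authority\\interactive"}
# icacls rights that allow replacing the file: full, modify, write, write data, append.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD"}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}


def binary_from_path(binary_path_name: str) -> str:
    """Extract the executable from BINARY_PATH_NAME, dropping any arguments."""
    s = binary_path_name.strip()
    if s.startswith('"'):
        return s[1:s.index('"', 1)]
    # Unquoted path: assume it ends at the first .exe (an unquoted path with
    # spaces is a separate, well-known weakness not covered here).
    m = re.match(r"(.+?\.exe)", s, re.IGNORECASE)
    return m.group(1) if m else s


def parse_sc_qc(text: str) -> dict:
    """{service name: (binary path, start account)} from concatenated 'sc qc' output."""
    services, name, path = {}, None, None
    for line in text.splitlines():
        m = re.match(r"\s*SERVICE_NAME:\s*(.+?)\s*$", line)
        if m:
            name, path = m.group(1), None
            continue
        m = re.match(r"\s*BINARY_PATH_NAME\s*:\s*(.+?)\s*$", line)
        if m:
            path = binary_from_path(m.group(1))
            continue
        m = re.match(r"\s*SERVICE_START_NAME\s*:\s*(.+?)\s*$", line)
        if m and name and path:
            services[name] = (path, m.group(1))
    return services


def parse_icacls(path: str, text: str) -> list:
    """[(principal, rights)] from the output of: icacls "<path>".
    The first line repeats the path; continuation lines are indented."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = re.match(r"^(.+?):((?:\([^)]*\))+)$", line)
        if not m:
            continue
        tokens = {t.strip() for grp in re.findall(r"\(([^)]*)\)", m.group(2))
                  for t in grp.split(",")}
        if "DENY" in tokens:
            continue
        aces.append((m.group(1).strip().lower(), tokens - INHERIT_FLAGS))
    return aces


def writable_service_binaries(sc_output: str, icacls_by_path: dict) -> list:
    """[(service, exe, runs-as, principal)] for binaries a low-privileged user can replace."""
    findings = []
    for svc, (exe, account) in parse_sc_qc(sc_output).items():
        for principal, rights in parse_icacls(exe, icacls_by_path.get(exe, "")):
            if principal in LOW_PRIV and rights & WRITE_RIGHTS:
                findings.append((svc, exe, account, principal))
    return findings


# Constructed sample output (assumed service names and paths, not from the target).
FZ = "C:\\Program Files\\FileZilla Server\\FileZilla server.exe"
EX = "C:\\Example\\svc.exe"
SC_QC = """[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: FileZilla Server
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : "C:\\Program Files\\FileZilla Server\\FileZilla server.exe"
        DISPLAY_NAME       : FileZilla Server FTP server
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: ExampleSvc
        BINARY_PATH_NAME   : C:\\Example\\svc.exe -run
        SERVICE_START_NAME : LocalSystem
"""
ICACLS = {
    FZ: FZ + " BUILTIN\\Users:(I)(F)\n                 BUILTIN\\Administrators:(I)(F)\n"
             "                 NT AUTHORITY\\SYSTEM:(I)(F)\n\nSuccessfully processed 1 files\n",
    EX: EX + " BUILTIN\\Users:(I)(RX)\n                 BUILTIN\\Administrators:(I)(F)\n"
             "                 NT AUTHORITY\\SYSTEM:(I)(F)\n\nSuccessfully processed 1 files\n",
}


def demo() -> list:
    """Only the constructed FileZilla entry is writable by BUILTIN\\Users."""
    return writable_service_binaries(SC_QC, ICACLS)


if __name__ == "__main__":
    for svc, exe, account, who in demo():
        print(f"{svc}: {exe} runs as {account}, writable by {who}")
```

On a real host, feed it the captured output of sc qc for each service and icacls for each binary; every finding is a candidate for the stop, rename, copy, start sequence used above, and the fix on the defensive side is to remove write access for those principals from the service directory.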