templatemo easy profile

A WALK THRU ANALOUGEPOND



This time a few considerations before beginning..

My OSCP course is about to start, just a few more days, and as I was studying to prepare myself for my 0 Day
(The Shellcoders Handbook and the Web Application Hacker's Handbook) I checked VulnHub.com
as I always do and I find this new VM(s) Analougepond by Knightmare
. ... soooo let's take a little break and let's do some more practice :D

I will end up spending a whole week on it. Time well spent I'd say, for I've learned some nice cool things!

Once again the VM displays the Ip on the login screen, very kind, thanks!

so no need to look for it, let's just run nmap.... mmm... just port 22, but as Knightmare suggested we might be overlooking something, so let's check for UDP as well...
There it is: port 161 is wide open :D

After some researching on this service I fire up metasploit and verify that the community string is set to the default one, which is 'public'.


Afterward I spend way too much time trying to troubleshoot the enumeration...
snmpcheck

...until a crazy thought crosses my mind: let's try "eric" and "therisingsun" to ssh our way in... IT WORKS!!
lol that was soo simple
eric1

As soon as I get in I find a .gif file in the home directory, so after some base64 magic transfer (could do it with scp as well, but I love it fancy) I can take a look at it:
retic

Is this the Troll? Probably.
I check the kernel version but I am not able to find any suitable exploit for it (more on this later on)
Next I check netstat and I notice there are a couple of vnc services running on port 5900 and 5901. Interesting. Since I have no access on the machine to vncviewer I set an ssh tunnel to my Kali:
sshTunnel

and start metasploit (I HATE bruteforcing) ...
bruteforcing

... meanwhile I do some more digging around look for some vulnerable SUID files... I get all excited to see PolicyKit... until I check the version...
noJoy

Just out of hope I give it a try anyway... as expected no luck
power

Time to move on and search something else... checking the network interfaces suggests me to take a look at the hosts file as well... interesting: it seems like a couple of other machines on the network (I start to understand the 4 gigs of ram required by the VM).
After pinging the hosts I try to ssh into the first one (192.168.122.1 AKA puppet). With a little googling it turns out to be quite easy: username 'sandieshaw' and password 'puppetonastring' and I am in!
sandie1

Once inside I look around and by searching again for SUID files I come across this ELF in /tmp named "spin". I execute it and... well, it spins. So where what's the purpose? Is this our way to root the box? Probably... I look around and find the source in /etc/puppet .... puppetonastring, puppet.example.com, /etc/puppet... So what is this puppet service?
It turns out (many sys admin are probably laughing right now, but I really never heard of it) that it is a service used to manage and configure different machines without the need to log into each one
Inside the directory we find 3 modules: fiveeights, vulnhub and wiggle.
puppet1

I inspect each one of course and I smile at all the greetings inside vulnhub/manifest/node.pp, classy!
greetings

Moving forward I check inside wiggle and notice that spin and spin.c are owned by sandieshaw, so I can play with it... I save the first for last, dunno why, but when I check inside fiveeights directory I get a hunch and try to login into the third machine, 192.168.122.3 AKA barringsbank
To the utmost of my surprise it works with username 'nleeson' and password 'fiveeights', finally an easy job! but this was just a really lucky hunch, the proper way in, we'll see, is indeed by decrypting the private key under in the rabbit hole. Just a little patience and we'll get to it...
nleeson

Once logged in as nleeson I check the home directory and ... wait for it... there's nothing! Just another troll picture. Damn.
So the search continues as always. So far 3 boxes compromised but no root anywhere. That sucks!
After ages and ages I decide that I'd be better off taking a closer look on the Puppet box, since on this here there's nothing to be done... So here we are, back on box 2 into our /etc/puppet directory to resume where we left off.
TIME TO ROOT!
So it seems that the puppet service checks the presence of /tmp/spin (which is owned by root, how convenient) by copying it from /etc/puppet/modules/wiggle/spin
wiggle

So let's delete the original spin file and echo "test" > spin.
After a while (I will learn every 10 minutes) I get back into /tmp and spin is now been replaced by my "test" ASCII file.
So under the wiggle dir we can edit spin.c and play with the ELF spin, but I soon discover that GCC is not installed. I could try to research alternative methods to compile a shellcode, but it is clear that Knightmare does want to make it hard on us, besides why bother?
Let's just compile our ELF on our machine and get it onto the puppet one:
spinCreation

spinCreation

After a good cup of coffee ... PWNED! One gone, two to go :)


puppetRoot

Now a whole new world pops up...
First things first: the flag! WAR GAMES? I LOVE THAT MOVIE :))))
hint1Decoded

And now let's get a more comfortable shell:
puppetRoot2

Going down the rabbit hole inside the root directory I find this:
rabbitHole

This looks like the proper way to access barringbanks, but for now it can wait...
After some thinking and a LOT of looking around it strikes me: why not using the puppet method again on box 3:
I am root now and can edit the sudoers file inside /etc/puppet/modules/vulhub/files: just add nleeson to it and grab a second cup of coffee...
root2

GOOD! 2 gone 1 to go.
Time to grab the second flag. Danm it! Just a pic:
Hint2

It is a pic from the movie "Rogue Treader"... (FYI the machine is named after the Barrings Bank and Nick Leeson is the trader who brought the bank to its knees by some wild trading)
I check the file for hidden messages with strings and exiftool, but found nothing...
Not that it really matters but for completness' sake (and also 'cause I have no idea what to do next) let's decrypt nleeson's key:
nleeson_key.gpg

pgp

joshua

At this point I have been really stuck for the next 36 hrs. Couldn't find any new idea to complete the VM. So I was practically spoon-fed how to root analougepond by Knightmare via DM on Twitter (thx mate): I just had to look better for a kernel exploit:
finalRoot


Knightmare points me in the right direction also to solve the vnc problem (my bruteforcing yields no results) by suggesting me to check the virsh command. An occasion to learn something new. After some reading I come up with what seems a possible password of the first one:
vnc1pwd

It seems to work:
vnc1

I do the same for the service running on port 5901:
vnc2pwd

Right again:
vnc2jpg

So here we are... Not yet finished the VM, according to Knightmare I still miss the final flag, and as I've been jumping all over the places I guess I made it hard on myself. So I probably need to start to look for it from the last root as it was supposed to happen...
So I go back to /root on barringsbank and examine the content: just me.jpeg. I must have forgotten something and then it hits me: steganography! That is the way:
stegDetect

Yeah but what is the password? In our little chat Knightmare advised me to take notes 'cause I would have needed them... so i nano a file with all I can recall of the VM so far:
passwords

And do a little bruteforce on it (that I can bare)
stegextract

Now I have 'primate_egyptian_flag.txt' which seems to be an hex encoded string... again after a long (too long) time I come up with the solution and decrypt it!!!! :)))
finalFlagDecoded

In the end it was a really challenging adventure which taught me many things among which Knightmare 's tastes in music and interests :)
Really man, this was awesome! Thanks to you as well to VulnHub.com and g0tm1lk for hosting all these incredible VMs. Such a great opportunity to practice and have fun!
Cya all next time :p by Shell0ck :)