Alfa: 1 Vulnhub (Writeup)

Difficulty: Medium

NMAP:

As we can see port 21 is allowed and 139–445 too, so let’s enumerate this ports

As we can see , there is a photos called “milo” and a directory called “thomas” , so thomas can be a user? let’s enumerate samba.

Command: enum4linux -a -r 192.168.1.123

Nice that confirm that user “thomas” is the local user. So now lets browse.

First thing i’m doing is /robots.txt and we found a rabbithole, but if you scroll down the page we find a brainfuck

Scroll down the page and..

Decode it just google “brainfuck decode” and we found the directory /alfa-support browse it.

Command injection? Nope, doesn’t work but Thomas says that he lost the password, and the password contain the name of his pet followed by 3 numerical digit, but wait! We have the photos of FTP port 21, called milo.jpg , so milo can be the thomas’s pet! Now we need to create the worlists for brute-force port ssh 65111.

CRUNCH:

I’ll use cruch for generate the wordlists.

Command: crunch 7 7 1234567890 -t milo@@@ -o wordlists

HYDRA:

Now we have the worldists , so let’s bruteforce port ssh

Command: hydra -l thomas -P wordlists ssh://192.168.1.123:65111 -t 64

Brute-force DONE!!! anddd…

We are in and take the flag.txt!! Enumerate more !

USER ENUMERATION:

I tried to find the SUIDs, GUIDs, I tried to see in crontab and sudo doesn’t seem to work, the kernel dont’seems to be exploitable. The only thing I noticed is that this .remote_secret file is run as root. The file is certainly editable, but it is not convenient because there is something inside, such as an encrypted password.

Ok, we remain to see the services running, and we can see that the localhost is running as root and has a port 5901

SSH TUNNELING && PRIVILEGE ESCALATION:

Now let’s try tunneling to that door. with the following command: ssh -L 5901:127.0.0.1:5901 thomas@192.168.1.123 -p 65111

Nice now in our terminal we can try to see if , this port 5901 is really opened.

And it’s is!!! The command lsof confirm confirms that the tunnel is established

Now we can try with VNC to log as a root with the file .remote_secret that contain the encrypted password.

command: vncviewer -passwd .remote_secret localhost:5901

AND WE ARE ROOT!!

Thank you all, and i hope this is useful.

-0xJin

| eCPTX | C|EH Master | CompTIA Security + | eJPT |