Walkthrough – FourAndSix 2.01

FourAndSix 2.01 is a boot2root aimed at beginners.  You can download it from vulnhub here.

Scanning & Vulnerability Analysis

First step is to find our target’s IP address. We’ll accomplish this with arp-scan


arp-scan -l

Our target is located at 192.168.56.102. The next step is to determine what ports are open, using nmap.


nmap -sV -T4 -O -F --version-light 192.168.56.102

Port :22

OpenSSH 7.9 is connected to port 22. Some cursory research with searchsploit reveals no likely vulnerabilities here.

Port :2049

There is a network file share running behind port 2049. We can use showmount to tell us what directory(ies) is being shared. Incidentally, we also learn the likely name of one of the users on the machine, too.

We make a directory to which we will mount that network share, and then mount it. Keep in mind, this isn’t downloading a copy of those files, we are connecting directly to the files on that computer. I forgot this while working with this target, and ended up doing a lot of the following work on the target machine rather than locally. Looking in the network share, we find a 7zip archive. The archive appears to contain a number of images, along with a public and private key. These might be useful for logging into the target via SSH!

Exploitation

7z Brute-Force

If we try to extract the files, though, we’ll find that the archive is password protected!

Luckily, JohnTheRipper (JTR) is capable of brute-forcing 7zip archive passwords. I quickly found that the tool to convert 7zip archives into a format that JTR can handle is included in the version installed on Kali. I followed the instructions at this post to get the correct version, and then progressed with brute-forcing. First, the password hash needs to be pulled from the archive with the following command:


/opt/JohnTheRipper/run/7z2john.pl backup.7z > backup.7z.hash

Then, using john and rockyou.txt, we can brute-force that hash.

Now that we have the password, we can extract the files from the archive.

Looks like the images are just fluff, we could always come back and look for some hidden information in them if we needed to. Let’s start with the id_rsa files, though.

SSH

Taking a look at the public key, the key’s comment is user@fourandsix2. This matches the directory name of the file share (/home/user/storage), and indicates that our username is likely literally “user”

Let’s try logging in with the key.

Unfortunately, the key is protected with a password, meaning we will have to brute force a second password. This is why it is best practice to protect authentication certificates whenever possible. If the user had not, we would already have authenticated access to his/her system.

SSH Brute-Force

Now I tried using john to crack this password, too, but I couldn’t get it to work. I even ended up checking some other write-ups to see if others had any success, and I couldn’t find anyone who had. Not the end of the world, though, we can write our own script to brute-force the credentials. It won’t be nearly as fast, but it should work.


#!/bin/bash

IFS=$'\n'       # make newlines the only separator
set -f          # disable globbing
for pass in $(cat < "$1"); do
  # echo "tester: $pass"
  if ssh-keygen -c -C "user@fourandsix" -P "$pass" -f "$2" &>/dev/null
    then
      echo "[+] Password Found: $pass"
      break
  fi
done

Success!

SSH Login

Now that we have a password, we can try logging in to the target again.

Reconnaissance

Unfortunately, sudo isn’t available, so that escalation isn’t available to us. With Toppo, we had success with files that had the suid bit set (see that walkthrough for a quick explanation of what this is and how it can be used). This time I tried a different one-liner to list all of the files owned by root that had that bit set.


find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null

Vulnerability Analysis

doas

4th in the list is /usr/bin/doas. Of course sudo wasn’t available, I completely overlooked the OS type identified by nmap in the beginning. We’re working with an OpenBSD target, doas is like sudo but on OpenBSD machines. Let’s see if we can identify whether or not “user” is authorized to use doas.

“user” is allowed to read the contents of the authorization log as root using the command less. This is our ticket! less has a dangerous convenient feature that allows us to execute a shell from within the program. If we are allowed to run less as root, and we can open a shell from within less, we can likely escalate our privileges very easily.

Exploitation

doas less

Let’s read the contents of the auth log as root with less


doas /usr/bin/less /var/log/authlog

From within less, we can get a shell by typing ‘v’ which starts “visual mode” and allows us to enter in a command followed by ‘:!sh’ which opens up a new shell. Let’s see who we are.

We have root!

Bonus – Get Root Password

Let’s see if we can crack any user passwords. First step is to grab the passwd and shadow-equivalent files. The BSD equivalent of /etc/shadow is /etc/master.passwd. Since we have root, we can save each of these files to the file share, change the owner of these copies, and copy them onto our attacker machine.

Next, we use unshadow to convert these two files into a format that john can handle


unshadow passwd master.passwd > unshadowed

The password hashes are bcrypt hashes, we can use john and rockyou.txt to try to brute-force them.


john --format=bcrypt -w /usr/share/wordlists/rockyou.txt unshadowed

After a little bit, I was able to successfully crack the root password, princess1

Installing JohnTheRipper

Recently I was working on a boot2root called FourAndSix (walkthrough here), and I needed to brute force the password for an encrypted 7z archive. If you haven’t used it, JohnThe Ripper comes with all kinds of tools to pull hashes from various file types into a format the John can work with, a common example being unshadow. In this case, I found that the version of JTR that comes with kali doesn’t contain a lot of those tools, including the 7z one. There is a jumbo version out there that you can install to get access to an increased variety of tools.

I found a pretty good guide for installing this version of John here (or inserted below), and found it so useful that I wanted to save it for future use in Kali installations. So, with all due credit to webpwnized, I’m going to copy the content of his video here for future use. I encourage you to go ahead and watch the actual video if you want to set up the jumbo version of JTR, sometimes it’s better to watch along rather than read along, and he/she deserves the views for his/her work.

Before we can install our new version of JohnTheRipper, we have some prerequisites to work through. First:


apt install build-essential libssl-dev yasm libgmp-dev libpcap-dev libnss3-dev libkrb5-dev pkg-config libopenmpi-dev openmpi-bin zlib1g-dev libbz2-dev

Next, Rexgen prerequisites


apt install flex cmake bison git

Now Rexgen itself


cd /opt
git clone https://github.com/teeshop/rexgen.git
cd rexgen
./install.sh
ldconfig

Now we can download JohnTheRipper:


cd /opt
git clone https://github.com/magnumripper/JohnTheRipper.git

And install it


cd /opt/JohnTheRipper/src/
./configure --enable-mpi
make -s clean && make -sj4

Not only can this version of JTR do more, it’s a great deal faster than the version bundled with Kali. See the video below to see how to compare the two versions, webpwnized was able to get roughly 4 times faster speeds.