
Quick Details

This is a write-up for Wild West v1 (listed on VulnHub as WestWild 1.1). Completion time: about 3 hours.

Difficulty: Medium

Required knowledge/tools: basic Linux, nmap, Linux privilege escalation, SMB

      Source: https://www.vulnhub.com/entry/westwild-11,338/

Running virtualization platform: VMWare

This one was particularly difficult because the CTF relied on security through obscurity: after going through numerous privilege escalation techniques I stumbled upon the real answer, which was hidden in a directory. The lesson from this lab is that enumeration is the key, so enumerate as broadly as you can and keep proper notes throughout the process. As a result, from now on I will be using the OSCP template for CherryTree for taking notes, the link to which is here:

      Source: https://411hall.github.io/assets/files/CTF_template.ctb

I did my normal Nmap scan, but after realizing that there are better parameters for a standard scan, I will from now on use this one:

      nmap -n -v -Pn -p- -A --reason -oN nmap.txt 192.168.121.131
      

It gives perhaps the best view in terms of the data needed. Flag by flag: -n skips reverse DNS lookups, -v gives verbose progress, -Pn treats the host as up and skips host discovery (useful when a VM drops pings), -p- covers all 65535 TCP ports instead of nmap's default top 1000, -A enables OS detection, version detection, the default NSE scripts and traceroute, --reason reports why each port was classed as open or closed, and -oN writes the normal-format report to nmap.txt for the notes. The one caveat is time: -A together with -p- can take a long while against a slow VM, so if it drags, do the -p- sweep first and run -sV -sC only against the ports it found.

The services that are running are:

1. SSH on port 22.

2. Webserver on port 80.

3. SMB over the NetBIOS session service on port 139.

4. SMB directly over TCP (microsoft-ds) on port 445.
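As an added example (not part of the original write-up), here is the two-stage version of the scan above as a shell script: stage 1 is the author's all-ports sweep without -A, `port_list` pulls the open ports out of the -oN report, and stage 2 runs version detection and default scripts against only those ports, which is far quicker than -A across every port. The report embedded in `sample_report` is constructed to match the four services listed above; its VERSION column is left blank because the page gives no version strings.

```shell
#!/bin/sh
# Added example, not from the write-up. Stage 1 is the author's all-ports sweep
# minus -A; stage 2 re-scans only the open ports with -sV -sC.

# Print the port number of every "open" TCP/UDP line in an nmap -oN report.
open_ports() {                       # stdin: nmap -oN output; stdout: one port per line
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { split($1, p, "/"); print p[1] }'
}

# Same ports joined with commas, ready to be passed straight to `nmap -p`.
port_list() {                        # stdin: nmap -oN output
    open_ports | awk 'NR > 1 { printf "," } { printf "%s", $1 } END { print "" }'
}

# Stage 1: full TCP port sweep, report saved as stage1_<target>.txt.
stage1_scan() {                      # $1: target host or IP
    nmap -n -v -Pn -p- --reason -oN "stage1_$1.txt" "$1"
}

# Stage 2: version detection and default NSE scripts on the open ports only.
stage2_scan() {                      # $1: target, $2: stage-1 -oN report file
    ports=$(port_list < "$2")
    if [ -z "$ports" ]; then
        echo "no open ports found in $2" >&2
        return 1
    fi
    nmap -n -v -Pn -sV -sC --reason -p "$ports" -oN "stage2_$1.txt" "$1"
}

# Constructed sample of a stage-1 report: the ports match the write-up, the
# VERSION column is empty because the page does not give service versions.
sample_report() {
    cat <<'EOF'
# Nmap 7.80 scan initiated as: nmap -n -v -Pn -p- --reason -oN stage1_192.168.121.131.txt 192.168.121.131
Nmap scan report for 192.168.121.131
Host is up, received arp-response (0.00043s latency).
Not shown: 65531 closed ports
Reason: 65531 resets
PORT    STATE SERVICE      REASON         VERSION
22/tcp  open  ssh          syn-ack ttl 64
80/tcp  open  http         syn-ack ttl 64
139/tcp open  netbios-ssn  syn-ack ttl 64
445/tcp open  microsoft-ds syn-ack ttl 64
EOF
}

# Usage against a live target (not run here):
#   stage1_scan 192.168.121.131 && stage2_scan 192.168.121.131 stage1_192.168.121.131.txt
```

The stage-1 report is still worth keeping in the notes: the REASON column tells you whether a port is closed (RST received) or filtered (nothing received), which is the difference between a service that is absent and one a firewall is hiding.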

I first went to the webserver but it was just a static picture, giving a little hint to “Follow the wave”.

I then looked at the SMB services.

This article was very beneficial for connecting to and interacting with SMB.

      https://www.madirish.net/59     

The key thing to take away from the article is to skip the shares with a $ in the name when browsing: those are hidden administrative shares (IPC$, ADMIN$, C$, print$ and the like), which are normally not browsable as a guest, although IPC$ is what a null session actually binds to for user and share enumeration.

For easier reading, I decided to take another screenshot so it is all concise.

From what I can understand, I see three SMB shares which can be interacted with, and two of them can be connected to as a guest.

So, as far as I understood, the <03> entry in the NetBIOS name table indicated a user being logged in/being active (the 03 suffix is the Messenger service, which is also registered for a logged-on user name). Due to my inexperience, I tried multiple ways of connecting.

      smbclient \\\\192.168.121.131\\wave -U guest 

Doing that gave me the first flag and, after running the string through a base64 decoder (base64 -d on the command line), the credentials to log into the system with the user account wavex.
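An added example, not from the write-up, that automates the share listing and guest check done by hand above: `parse_shares` reads the table printed by `smbclient -L`, the `hidden_shares`/`nonhidden_shares` filters split off the $-suffixed administrative shares, and `guest_probe` opens a no-password session (-N, which avoids the password prompt that -U guest gives) against each remaining share and lists its root. The listing in `sample_listing` is constructed; apart from wave, the share names in it are not from the page.

```shell
#!/bin/sh
# Added example, not from the write-up: enumerate SMB shares and test guest access.

# Share names from `smbclient -L` output. The "Sharename" table rows are indented;
# the table ends at the first blank or unindented line. The dashed header row
# is skipped.
parse_shares() {                      # stdin: smbclient -L output; stdout: one name per line
    awk '
        /^[ \t]*Sharename[ \t]+Type/ { in_table = 1; next }
        in_table && (NF == 0 || $0 !~ /^[ \t]/) { in_table = 0 }
        in_table && $1 !~ /^-+$/ { print $1 }
    '
}

# Shares ending in "$" are hidden administrative shares (IPC$, ADMIN$, C$, print$);
# they are rarely browsable as guest, so they are reported separately.
hidden_shares()    { parse_shares | grep    '\$$' || true; }
nonhidden_shares() { parse_shares | grep -v '\$$' || true; }

# Try a null/guest session against every non-hidden share and list its top level.
# Needs network access to the target; nothing below calls it.
guest_probe() {                       # $1: target host or IP
    host=$1
    smbclient -L "//$host" -N 2>/dev/null | nonhidden_shares | while IFS= read -r share; do
        printf '== //%s/%s ==\n' "$host" "$share"
        smbclient "//$host/$share" -N -c 'ls' 2>&1 || printf '   (guest access denied)\n'
    done
}

# Constructed sample of `smbclient -L` output; only "wave" is taken from the page.
sample_listing() {
    cat <<'EOF'

        Sharename       Type      Comment
        ---------       ----      -------
        wave            Disk      
        print$          Disk      Printer Drivers
        IPC$            IPC       IPC Service (Samba)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------
EOF
}

# Usage against a live target (not run here):
#   guest_probe 192.168.121.131
```

Anything `guest_probe` can list is worth pulling down in full (`smbclient //host/share -N -c 'prompt; recurse; mget *'`) rather than reading file by file; the flag and the encoded credentials here were sitting in plain files in the guest-readable share.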

This was the most difficult part of the hacking lab, as we needed to get to an account with sudo privileges and wavex did not have them.

I went through numerous websites about gathering information from a Linux system, which led me to a nice information-gathering script written in Python, meant to support privilege escalation.

      www.securitysift.com/download/linuxprivchecker.py
      

That script goes through directories looking at permissions and does a few checks without needing sudo (it is a Python 2 script, so the target needs a Python 2 interpreter, or you use one of the later Python 3 ports). A very useful script for recon and something that I'll add to my personal repertoire.

I thought at first to go through the suggested vulnerabilities, which I did. I compiled C code on my host machine and moved the compiled binary to the SMB share, where wavex had more permissions, but that was not the answer. After almost two hours of trying to figure it out, I started working through the output of linuxprivchecker.py and noticed an unusual file:

      rwxrwxrwx 1 wavex wavex 101 Jul 30 05:25 /usr/share/av/westsidesecret/ififoregt.sh

I looked at that file and there was the answer. A world-writable script in an odd, hand-made directory under /usr/share is exactly the kind of thing to read first: the path suggests nobody's package manager put it there, and the permissions mean any account on the box can read, and alter, whatever it does.
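The check that surfaces a file like that, as an added example (it is not linuxprivchecker's code and not from the write-up): `find_world_writable` lists regular files anyone can write to, skipping the pseudo-filesystems and temp directories where such files are normal, and `grep_secrets` greps each hit for credential-looking assignments. The tree built by `setup_sandbox` is constructed; the path and contents in it are placeholders, not the box's file.

```shell
#!/bin/sh
# Added example, not from the write-up or from linuxprivchecker.py.

# Regular files with the "other" write bit set (-perm -0002). /proc, /sys, /dev
# and the temp directories are excluded because world-writable entries there are
# expected; -xdev keeps the search on one filesystem. Output is sorted so that
# two runs can be diffed.
find_world_writable() {               # $1: root of the tree to search
    root=${1%/}                        # "/" becomes "", "/x/" becomes "/x"
    find "${root:-/}" -xdev -type f -perm -0002 \
        ! -path "$root/proc/*" ! -path "$root/sys/*" ! -path "$root/dev/*" \
        ! -path "$root/tmp/*"  ! -path "$root/var/tmp/*" 2>/dev/null | sort
}

# Read file paths on stdin and print lines that look like credential assignments
# as path:line:text. Unreadable files are silently skipped.
grep_secrets() {                       # stdin: file paths
    while IFS= read -r f; do
        grep -inHE '(passw(or)?d|secret|token|user(name)?)[ \t]*[=:]' "$f" 2>/dev/null || true
    done
}

# Constructed sandbox standing in for a target filesystem: one world-writable
# script holding a placeholder credential, one ordinary config file, and one
# world-writable file under tmp that the search is expected to ignore.
setup_sandbox() {                      # prints the sandbox root
    box=$(mktemp -d)
    mkdir -p "$box/usr/share/example" "$box/etc" "$box/tmp"
    cat > "$box/usr/share/example/backup.sh" <<'EOF'
#!/bin/sh
# constructed placeholder script, not the file from the box
DB_PASSWORD=example-only
mysqldump -p"$DB_PASSWORD" app > /srv/backup.sql
EOF
    chmod 777 "$box/usr/share/example/backup.sh"
    printf 'interval=60\n' > "$box/etc/app.conf"
    chmod 644 "$box/etc/app.conf"
    printf 'scratch\n' > "$box/tmp/scratch.txt"
    chmod 666 "$box/tmp/scratch.txt"
    echo "$box"
}

# Usage on a real target (not run here):
#   find_world_writable / | tee writable.txt | grep_secrets
```

On a real box the first list is long, so keep it in the notes and read it with the path in mind: anything under /usr/share, /opt or another user's home that nobody should be writing to goes to the top of the pile. A writable script is interesting twice over: it may hold credentials, and if anything privileged (a cron job, a service) runs it, the write bit turns it into code execution as that principal.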

I was now logged in as Avenu, a user with sudo privileges, and since I had just gone over privilege escalation techniques I was quick to remember the most commonly used one. The first check in that situation is sudo -l, which lists exactly what the account may run and whether it needs a password for it.

And in the root directory was the last flag.

  • projects/penetration_testing/vulnhub_walkthroughs/wild_west.txt
  • Last modified: 2019/08/20 14:00
  • by vares