
Vulnhub Analoguepond 1 Walkthrough: Part 1

Hi

In this post I want to start with a walkthrough of the Vulnhub challenge Analoguepond 1. Since I have not finished this box yet, I will split this walkthrough into several parts. This is the first part. So let's start.

The first thing I usually do when I start such a challenge is to scan the network in order to find out which IP address the box has. For this I usually use netdiscover.

root@kali:# netdiscover -r 192.168.56.0/24 -i eth1

 Currently scanning: Finished!   |   Screen View: Unique Hosts                                                                                            
                                                                                                                                                          
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                          
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    **:**:**:**:**:**      1      60  Unknown vendor                                                                                         
 192.168.56.100  **:**:**:**:**:**      1      60  PCS Systemtechnik GmbH                                                                                 
 192.168.56.101  **:**:**:**:**:**      1      60  PCS Systemtechnik GmbH 

As you can see, the IP address of the box is 192.168.56.101. So let's do a port scan on it to determine the open ports. At this point, you should keep in mind the hint in the description which says "Remember TCP is not the only protocol on the Internet". This led me to do a complete port scan (i.e. including UDP). This took quite a while, but finally gave me this

22/tcp  open          ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
68/udp  open|filtered dhcpc
161/udp open          snmp    SNMPv1 server; net-snmp SNMPv3 server (public)

The interesting ports are ssh and snmp. I assume that SNMP is the protocol the hint points to. I first tried to log in over ssh with some easy passwords, but there was no luck. So I connected to port 161 to find out what's hidden there. I used the tool snmp-check to do a first check.

root@kali:# snmp-check 192.168.56.101
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)

[+] Try to connect to 192.168.56.101:161 using SNMPv1 and community 'public'

[*] System information:

  Host IP address               : 192.168.56.101
  Hostname                      : analoguepond
  Description                   : Linux analoguepond 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64
  Contact                       : Eric Burdon <eric@example.com>
  Location                      : There is a house in New Orleans they call it...
  Uptime snmp                   : 00:14:28.61
  Uptime system                 : 00:14:12.85
  System date                   : 2017-4-29 21:32:41.0

Cool, there is already a name, Eric! This might be a username. The second interesting thing is the location. Searching the string on Google immediately resulted in articles about a song from The Animals which is called 'The House of the Rising Sun'. So the answer is probably therisingsun, which could be a password. I have also tried some other things on that snmp port, but I had no luck. Therefore I tried to log in on the ssh port with the gained username and (hopefully) password. And indeed it worked 😀
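From the defender's side, everything snmp-check printed above came from a daemon that answers SNMPv1 with the community 'public' to anyone on the network and publishes a real person's name plus a password hint in sysContact/sysLocation. Below is a small audit script I am adding here (it is not code from the original post and not from the box itself) that reads an snmpd.conf and flags exactly those shapes: well-known community strings, community directives with no source restriction, SNMPv3 users without 'priv', and whatever sysContact/sysLocation will hand out to every poller. Both config texts in it are constructed samples; the directive names are real net-snmp directives.

```python
"""Audit an snmpd.conf for the weaknesses the analoguepond box shows.

Added example; not code from the original walkthrough. Both config
texts below are constructed for illustration. The directive names
(rocommunity, rwcommunity, createUser, rouser, sysContact, sysLocation)
are real net-snmp directives.
"""

# Constructed sample of the weak shape: SNMPv1/v2c answers 'public' from
# any source and publishes a real name plus a password hint.
WEAK_CONF = """\
# constructed example, not the box's real file
rocommunity public
sysContact Eric Burdon <eric@example.com>
sysLocation There is a house in New Orleans they call it...
"""

# Constructed sample of a hardened shape: no v1/v2c community at all, one
# SNMPv3 user that must authenticate and encrypt, bland contact/location.
HARDENED_CONF = """\
createUser monitor SHA "REPLACE_WITH_AUTH_PASSPHRASE" AES "REPLACE_WITH_PRIV_PASSPHRASE"
rouser monitor priv
sysContact NOC <noc@example.com>
sysLocation DC1 rack 12
"""

WELL_KNOWN_COMMUNITIES = {"public", "private", "manager", "admin", "cisco"}
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}


def audit_snmpd_conf(text):
    """Return a list of (severity, message) findings for an snmpd.conf text."""
    findings = []
    saw_community = False
    saw_v3_user = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        directive = parts[0].lower()
        args = parts[1] if len(parts) > 1 else ""
        fields = args.split()

        if directive in COMMUNITY_DIRECTIVES:
            saw_community = True
            community = fields[0] if fields else ""
            source = fields[1] if len(fields) > 1 else None
            level = "high" if directive.startswith("rw") else "medium"
            findings.append((level, f"{directive} exposes SNMPv1/v2c with community '{community}'"))
            if community.lower() in WELL_KNOWN_COMMUNITIES:
                findings.append(("high", f"community '{community}' is a well-known default"))
            if source is None:
                findings.append(("medium", f"{directive} '{community}' accepts any source address"))
        elif directive in ("rouser", "rwuser"):
            saw_v3_user = True
            if "priv" not in fields:
                findings.append(("medium", f"{directive} {args}: SNMPv3 allowed without encryption (no 'priv')"))
        elif directive == "createuser":
            saw_v3_user = True
        elif directive in ("syscontact", "syslocation"):
            # Not a misconfiguration by itself, but every poller can read it,
            # so surface it for review: on this box it leaked a username and
            # a password hint.
            findings.append(("info", f"{directive} is readable by any SNMP poller: '{args}'"))

    if saw_community and not saw_v3_user:
        findings.append(("low", "no SNMPv3 user configured; only v1/v2c is offered"))
    return findings


def worst_severity(findings):
    """Highest severity among the findings, or 'none' for an empty list."""
    if not findings:
        return "none"
    return max((sev for sev, _ in findings), key=SEVERITY_RANK.__getitem__)


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = audit_snmpd_conf(conf)
        print(f"== {name}: worst = {worst_severity(findings)}")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

Run against the weak sample it reports 'high' (default community, reachable from anywhere, no v3 user); against the hardened sample only the two 'info' lines remain, which is the reviewer's cue to check that sysContact and sysLocation say nothing a stranger should learn.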

In eric's home folder there was not much to find. Some common files like the .bashrc and .bash_history (it had been deleted), but also an image called reticulatingsplines.gif which relates to SimCity. However, I could not yet figure out what this image has to do with the whole box. As a next step, I looked through the usual places where something useful could be hidden, like the /tmp folder, the /etc/passwd file and a bunch of other stuff. Eventually I checked the OS and found out something interesting

eric@analoguepond:~$ uname -a
Linux analoguepond 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

The kernel version seems really outdated. Maybe there is a vulnerability in the kernel which allows us to escalate privileges. After some time googling I found this: https://www.exploit-db.com/exploits/39166/. I compiled it locally on my Kali machine and then uploaded it to the box. I ran it there and boom, we have a root shell 😀
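Worth noting for anyone running a fleet: the exact kernel build that made this escalation possible was already visible in the SNMP sysDescr above, before any login. As an added example (my own code, not from the post or the box), here is a small check that parses `uname -a` / sysDescr strings, works out how old each kernel build is relative to a reference date, and flags hosts that have fallen behind the newest ABI seen in their own major.minor series. The analoguepond entry is the line shown in the post; the two other hosts in the inventory are constructed so the baseline comparison has something to compare against, and the reference date is the system date snmp-check reported.

```python
"""Flag outdated kernels from `uname -a` or SNMP sysDescr strings.

Added example; not code from the original walkthrough. The inventory is
constructed: the analoguepond entry is the line the post shows, the other
two hosts are made up so the baseline comparison has something to compare.
"""
import re
from datetime import datetime

# Constructed inventory: host -> `uname -a` output. net-snmp's sysDescr
# carries the same text, so the SNMP leak alone is enough to run this.
INVENTORY = {
    "analoguepond": ("Linux analoguepond 3.19.0-25-generic #26~14.04.1-Ubuntu SMP "
                     "Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux"),
    "web01": ("Linux web01 3.19.0-80-generic #88~14.04.1-Ubuntu SMP "     # constructed host
              "Fri Jan 13 20:10:25 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux"),
    "db01": ("Linux db01 4.4.0-72-generic #93~14.04.1-Ubuntu SMP "        # constructed host
             "Fri Mar 31 15:05:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux"),
}

# Reference time for the age check: the system date snmp-check reported.
AS_OF = datetime(2017, 4, 29, 21, 32, 41)

KERNEL_RE = re.compile(
    r"Linux\s+(?P<host>\S+)\s+"
    r"(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)-(?P<abi>\d+)-(?P<flavour>\S+)\s+"
    r"#\S+.*?(?P<built>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d UTC \d{4})"
)


def parse_kernel(line):
    """Parse a uname -a / sysDescr line; returns None when it does not match."""
    m = KERNEL_RE.search(line)
    if m is None:
        return None
    return {
        "host": m.group("host"),
        "release": tuple(int(m.group(k)) for k in ("major", "minor", "patch", "abi")),
        "flavour": m.group("flavour"),
        "built": datetime.strptime(m.group("built"), "%a %b %d %H:%M:%S UTC %Y"),
    }


def kernel_age_days(info, as_of=AS_OF):
    """Whole days between the kernel build timestamp and as_of."""
    return (as_of - info["built"]).days


def hosts_behind_baseline(inventory, max_age_days, as_of=AS_OF):
    """Return {host: reason} for kernels behind the newest ABI seen in their
    major.minor series, or built more than max_age_days before as_of."""
    parsed = {host: parse_kernel(s) for host, s in inventory.items()}
    newest = {}                                   # (major, minor) -> newest release tuple
    for info in parsed.values():
        if info:
            series = info["release"][:2]
            newest[series] = max(newest.get(series, info["release"]), info["release"])
    flagged = {}
    for host, info in parsed.items():
        if info is None:
            flagged[host] = "uname string not recognised"
            continue
        reasons = []
        series_newest = newest[info["release"][:2]]
        if info["release"] < series_newest:
            reasons.append(f"release {info['release']} behind series baseline {series_newest}")
        age = kernel_age_days(info, as_of)
        if age > max_age_days:
            reasons.append(f"kernel built {age} days before reference date")
        if reasons:
            flagged[host] = "; ".join(reasons)
    return flagged


if __name__ == "__main__":
    for host, reason in hosts_behind_baseline(INVENTORY, 365).items():
        print(f"{host}: {reason}")
```

With the reference date from the SNMP output, the box's kernel comes out at 645 days old and 55 ABI revisions behind the (constructed) newest 3.19 host, so it is the only one flagged. The baseline is relative on purpose: it tells you who is lagging without needing a hand-maintained table of fixed versions, which is the table you consult next.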

So let's go to the /root folder

eric@analoguepond:/tmp$ ./exploit 
root@analoguepond:/tmp# whoami
root
root@analoguepond:/tmp# cd /root
root@analoguepond:/root# ls -al
total 24
drwx------  3 root root 4096 Apr 26 20:51 .
drwxr-xr-x 22 root root 4096 Jan  7 18:42 ..
-rw-r--r--  1 root root 3106 Feb 20  2014 .bashrc
-rw-------  1 root root  237 Dec 17 09:38 flag.txt
-rw-r--r--  1 root root  140 Feb 20  2014 .profile
drwx------  2 root root 4096 Apr 26 20:51 .ssh
root@analoguepond:/root# cat flag.txt 
C'Mon Man! Y'all didn't think this was the final flag so soon...?

Did the bright lights and big city knock you out...? If you pull
a stunt like this again, I'll send you back to Walker...

This is obviously troll flah #1 So keep going.
root@analoguepond:/root#

And cool, I found the troll flag that was also mentioned in the description.

With root privileges on the box and the first (troll) flag I want to finish the first part of this walkthrough. As always, if you have any questions about the steps I have done or if you have just some comments or tips, please do not hesitate and write a comment or write me directly. Please stay tuned for the second part.

Cheers
