Vulnhub.com: Empty 1.0.1 Walkthrough

dorian5
4 min read, May 1, 2021

Today we are working on Empty: 1.0.1, a boot-to-root available from Vulnhub.com. This challenge is by creator Tyron and is rated Medium, with the caveat that “Sys admin knowledge would be helpful.” While this gave me some trepidation, as I have zero sysadmin knowledge, I nevertheless set up the box in VMware Player and got started.

Initial Enumeration

We start with nmap scans: first a scan of all ports, then a deeper scan of the ports that came back open.

Here is the cropped output of “nmap 192.168.209.236 -p22,2121,8000,8080,8291 -sC -sV”:

Interestingly, port 8000 showed up as “open” on the initial scan, but “closed” on the deeper scan. I initially wrote this off as either a quirk of nmap or of the box, but it turns out I was wrong. More on this later.

Nmap shows port 8080 as http, so I began by browsing to it in Firefox, which results in a login page. The page helpfully tells us it is MikroTik RouterOS v6.42. Since we have no idea what the login credentials for this page are, I searched for applicable exploits on exploit-db.com. We find a credential disclosure vulnerability for our exact RouterOS version.

Conveniently, there is a Metasploit module for this exploit, so I gave it a try.

The exploit finds the admin credentials for the web interface.

Let’s say you have designs on earning your OSCP and would rather not rely on Metasploit. We have a second option for exploiting this vulnerability:

After downloading the Go version of the exploit, we need to build it and then run the resulting binary.

The Go version of the exploit successfully finds the same credentials.

After logging in with the admin creds we found, I spent some time looking around the site and eventually ended up in the Files section. I was able to upload files, but I wasn’t sure how to access them. I then began looking at the existing files that were available for download. The file anything.auto.rsc gives us an interesting finding. (Worth knowing: .rsc files are RouterOS scripts, and RouterOS automatically imports an uploaded file whose name ends in .auto.rsc, so a file with that suffix is configuration the router has already run.)

It appears we have a port knocking sequence set up.

After using knock to perform the port knocking sequence, I do a quick nmap scan and once again notice that tcp/8000 is open. Port-knock rules normally open the port only for a short window after the last knock, so I ran the knocking sequence one more time and then immediately tried to access that port in Firefox.

With port 8000 open we can access a web shell. A quick check of the available commands using “?” shows we can spawn a shell with root access and read the root flag. The session times out within a few minutes. I was also able to spawn a reverse shell to my attacker box by running pentestmonkey’s bash reverse shell, but this too times out within a few minutes. That is slightly frustrating, but we can still get root and access what we need. Did you find a better way to get root? Drop me a comment and let me know.
