Lab – LazySysAdmin

Ah, good old laziness comes in various forms and flavors. Hey, they even included sloth in deadly sins list. For a reason I might say. Today we’ll look at our typical IT sinner – the lazy sysadmin.

This is not a lab actually, but a way to demonstrate why you have to store passwords in safe place and never ever use one password more than once. In this example lazy admin did exactly the opposite! Ok, here’s our enumeration scan:

root@kali:~# nmap -sV -sC -O -A 192.168.89.131
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-23 08:01 EDT
Nmap scan report for 192.168.89.131
Host is up (0.00080s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 b5:38:66:0f:a1:ee:cd:41:69:3b:82:cf:ad:a1:f7:13 (DSA)
| 2048 58:5a:63:69:d0:da:dd:51:cc:c1:6e:00:fd:7e:61:d0 (RSA)
| 256 61:30:f3:55:1a:0d:de:c8:6a:59:5b:c9:9c:b4:92:04 (ECDSA)
|_ 256 1f:65:c0:dd:15:e6:e4:21:f2:c1:9b:a3:b6:55:a0:45 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Silex v2.2.7
| http-robots.txt: 4 disallowed entries
|_/old/ /test/ /TR2/ /Backnode_files/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Backnode
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3306/tcp open mysql MySQL (unauthorized)
6667/tcp open irc InspIRCd
| irc-info:
| server: Admin.local
| users: 1
| servers: 1
| chans: 0
| lusers: 1
| lservers: 0
| source ident: nmap
| source host: 192.168.89.150
|_ error: Closing link: (nmap@192.168.89.150) [Client exited]
MAC Address: 00:0C:29:DB:5F:C2 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -3h20m01s, deviation: 5h46m24s, median: -2s
|_nbstat: NetBIOS name: LAZYSYSADMIN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: lazysysadmin
| NetBIOS computer name: LAZYSYSADMIN\x00
| Domain name: \x00
| FQDN: lazysysadmin
|_ System time: 2019-05-23T22:01:46+10:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2019-05-23 08:01:46
|_ start_date: N/A

TRACEROUTE
HOP RTT ADDRESS
1 0.80 ms 192.168.89.131

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.24 seconds

There’s a website with a piece of wisdom:

lazyadmin

I like this approach, it really works.

Guess what, there’s also a SMB running. Let’s connect and look around:

root@kali:~# smbclient -L 192.168.89.131
Enter WORKGROUP\root's password:

Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
share$ Disk Sumshare
IPC$ IPC IPC Service (Web server)
Reconnecting with SMB1 for workgroup listing.

Server Comment
--------- -------

Workgroup Master
--------- -------
WORKGROUP

Let’s connect to share$ and browse:

root@kali:~# smbclient //192.168.89.131/share$
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Aug 15 07:05:52 2017
.. D 0 Mon Aug 14 08:34:47 2017
wordpress D 0 Tue Aug 15 07:21:08 2017
Backnode_files D 0 Mon Aug 14 08:08:26 2017
wp D 0 Tue Aug 15 06:51:23 2017
deets.txt N 139 Mon Aug 14 08:20:05 2017
robots.txt N 92 Mon Aug 14 08:36:14 2017
todolist.txt N 79 Mon Aug 14 08:39:56 2017
apache D 0 Mon Aug 14 08:35:19 2017
index.html N 36072 Sun Aug 6 01:02:15 2017
info.php N 20 Tue Aug 15 06:55:19 2017
test D 0 Mon Aug 14 08:35:10 2017
old D 0 Mon Aug 14 08:35:13 2017

3029776 blocks of size 1024. 1456128 blocks available

I’ll grab text files with our usual wp-config.php and look inside them:

root@kali:~# cat todolist.txt 
Prevent users from being able to view to web root using the local file browserroot@kali:~# cat deets.txt
CBF Remembering all these passwords.

Remember to remove this file and update your password after we push out the server.

Password 12345

root@kali:~# cat wp-config.php
<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the
* installation. You don't have to use the web site, you can
* copy this file to "wp-config.php" and fill in the values.
*
* This file contains the following configurations:
*
* * MySQL settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://codex.wordpress.org/Editing_wp-config.php
*
* @package WordPress
*/

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'Admin');

/** MySQL database password */
define('DB_PASSWORD', 'TogieMYSQL12345^^');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

And here laziness comes into play. I might guess, that login is Togie, because it looks like it’s a suitable base for a password – your name =) Login + password makes perfect:

root@kali:~# ssh togie@192.168.89.131
##################################################################################################
# Welcome to Web_TR1 #
# All connections are monitored and recorded #
# Disconnect IMMEDIATELY if you are not an authorized user! #
##################################################################################################

togie@192.168.89.131's password:
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic i686)

* Documentation: https://help.ubuntu.com/

System information as of Fri May 24 00:45:26 AEST 2019

System load: 0.08 Memory usage: 8% Processes: 196
Usage of /: 46.2% of 2.89GB Swap usage: 0% Users logged in: 0

Graph this data and manage this system at:
https://landscape.canonical.com/

133 packages can be updated.
0 updates are security updates.

We’re in. Let’s use the same password for root:

togie@LazySysAdmin:~$ su
Password:
togie@LazySysAdmin:~$ sudo su
root@LazySysAdmin:/home/togie#
root@LazySysAdmin:/home/togie# ls
root@LazySysAdmin:/home/togie# cd /root/
root@LazySysAdmin:~# ls
proof.txt
root@LazySysAdmin:~# cat proof.txt
WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851


Well done :)

Hope you learn't a few things along the way.

Regards,

Togie Mcdogie


Enjoy some random strings

WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851
2d2v#X6x9%D6!DDf4xC1ds6YdOEjug3otDmc1$#slTET7
pf%&1nRpaj^68ZeV2St9GkdoDkj48Fl$MI97Zt2nebt02
bhO!5Je65B6Z0bhZhQ3W64wL65wonnQ$@yw%Zhy0U19pu

I must say, I’ve never seen such examples in real life. But overall laziness and lack of security policies multiplied by lack of audit can make terrible things. And sometimes it’s not about laziness, but negligence. But it’s all the same for hacker as you might guess.

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s