W1R3S is a machine that is vulnerable by design, meant to help you polish your penetration testing skills. On this box you are required to gain root access and read a flag located in the /root directory.
DHCP is enabled, meaning the IP address will be allocated automatically.
In my case, the machine allocated:
192.168.56.101
With the IP address, let's fire up nmap to enumerate the services running on this box:
From the scan, it's likely there is a web application running.
Enumeration
Now let's enumerate directories and try to discover any interesting paths.
I managed to get these two directories: wordpress and administrator.
I did a quick scan on the WordPress site using wp-scan but found nothing interesting. The administrator directory turns out to be the installation setup for Cuppa CMS.
http://192.168.56.101/administrator
Google tells me that older versions of CUPPA suffer from an LFI vulnerability.
Exploitation
Check the content of the passwd file as follows:
Also, let's try to check the content of /etc/shadow:
Let's try to crack the shadow and passwd files using John the Ripper:
The cracking completes in seconds.
Let's try to SSH to the server as follows:

root@root:~# ssh [email protected]
The authenticity of host '192.168.56.101 (192.168.56.101)' can't be established.
ECDSA key fingerprint is SHA256:/3N0PzPMqtXlj9QWJFMbCufh2W95JylZ/oF82NkAAto.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.101' (ECDSA) to the list of known hosts.
----------------------
Think this is the way?
----------------------
Well,........possibly.
----------------------
[email protected]'s password:
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.13.0-36-generic x86_64)

 * Documentation: https://help.ubuntu.com
 * Management: https://landscape.canonical.com
 * Support: https://ubuntu.com/advantage

Now, since we are logged in as w1r3s, let's look for ways to escalate privileges:
To begin with, let's check what we can do at the moment:
Wow!! I can see that w1r3s is on the sudoers list. This means we can use sudo to run root commands:
This is how I got the congratulations message:
Final thoughts:
W1R3S was pretty simple to hack but two key skills were required:
- Ability to enumerate directories - This skill can save you a lot of time since in many cases you will find interesting paths which act as the entry points.
- Ability to search for exploits for running services - In this case, I managed to discover a CUPPA exploit with just a simple Google search. Use of Exploit DB and search engines like Google can save you a lot of time.
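Seen from the defender's side, the LFI reads of /etc/passwd and /etc/shadow in the Exploitation section leave traces in the web server's access log whenever the file path travels in the query string. The following is an added example, not code from the original post or from the Cuppa CMS project: a small detector run over constructed log lines, where the script name view.php and the parameter name file are hypothetical placeholders.

```python
import re
from urllib.parse import unquote

SENSITIVE = ("/etc/passwd", "/etc/shadow")  # the two files read in the walkthrough
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines in combined log format; view.php and "file" are hypothetical.
SAMPLE_LOG = [
    '192.168.56.1 - - [09/Nov/2018:10:00:01 +0000] "GET /administrator/ HTTP/1.1" 200 3021',
    '192.168.56.1 - - [09/Nov/2018:10:00:05 +0000] "GET /administrator/view.php?file=../../../../etc/passwd HTTP/1.1" 200 1650',
    '192.168.56.1 - - [09/Nov/2018:10:00:09 +0000] "GET /administrator/view.php?file=%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 200 1190',
    '192.168.56.1 - - [09/Nov/2018:10:00:12 +0000] "GET /wordpress/?p=1 HTTP/1.1" 200 8123',
    '192.168.56.1 - - [09/Nov/2018:10:00:15 +0000] "GET /administrator/view.php?file=..%5c..%5cconfig.php HTTP/1.1" 404 210',
]

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (%252e -> %2e -> .) before matching."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(target):
    """Return why a request target looks like a file-inclusion probe, or None."""
    _, _, query = target.partition("?")
    decoded = fully_decode(query).replace("\\", "/").replace("\x00", "")
    decoded = re.sub(r"/{2,}", "/", decoded)  # collapse //etc//passwd style padding
    for name in SENSITIVE:
        if name in decoded:
            return "sensitive file " + name
    if "../" in decoded:
        return "directory traversal"
    return None

def scan(lines):
    """Return (client, path, status, reason) for every suspicious request line."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        reason = classify(target)
        if reason:
            hits.append((client, target.partition("?")[0], status, reason))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit, sep="\t")
```

A hit with status 200 deserves attention first, since the server answered the request. Access logs record only the request line, so parameters carried in a request body need application-level or WAF logging to be covered by the same check.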
Posted from my blog with SteemPress : https://latesthackingnews.com/2018/11/09/w1r3s-1-0-1-vulnhub-ctf-walkthrough/