2 Flag first user And second root, learning: exploit, Web Application, Enumeration, Privilege Escalation - www.hackNos.com. Format: Virtual Machine (Virtualbox - OVA). Operating System: Linux. Date release: 27 Nov 2019
URL: mhz_cxf: c1f
Author: hackNos: Os-hackNos
Set up the Machine with a host-only adapter and run a net discover command to find the associated IP. My interface eth1 is Host-Only on my main OS (Kali Linux).
netdiscover -i eth1
We can identify the machine with the IP 192.168.56.117, so we will scan it for open ports with nmap to a file named “nmap” with the following command:
nmap -sS -p- -A -o "nmap" 192.168.56.117
To start, port 80 is open so we will investigate this port with a browser.
There is not much to see, this is the default Apache web page meaning there is probably another web page we are not seeing.
Let’s run a dirb scan to discover more paths we can further enumerate with the following command:
One of the results that have been returned is /tsweb so let’s see what is on there:
This is clearly a Wordpress site so let’s run a scan with WPScan. Please note, the newer version of WPScan requires an API token to view the vulnerabilities you can get from their website.
The following command will scan the site and hopefully return any users, vulnerable plugins and vulnerable themes:
wpscan wpscan --url http://192.168.56.117/tsweb/ -e u,vp,vt
We have found a user called “user”. This is worth noting.
We have also identified a vulnerable plugin called gracemedia-media-player which is susceptible to LFI.
Title: GraceMedia Media Player 1.0 - Local File Inclusion (LFI) require_once($_GET['cfg']); The parameter "cfg" it is not sanitized allowing include local files on /gracemedia-media-player/templates/files/ajax_controller.php
A link to the exploit DB page: ExploitDB
LFI is usually an exploit for attackers with authenticated access, meaning we need to be authenticated as a user or admin for this Wordpress site.
Initially, I tried brute-forcing the password since Wordpress has an easy brute-force function with the following command:
wpscan --url http://192.168.56.117/tsweb --passwords /usr/share/wordlists/rockyou.txt --usernames user
This would essentially use the rockyou.txt wordlist against the username “user” to see if any would work.
This did not work, so I tried to look into the /etc/passwd directory with Path Traversal. Read more about this on OWASP.
This was also given in the POC (Proof of Concept) in the exploit.
Visiting the following URL allows us to view the passwd file of the system:
This is to further investigate. Flag is a user with a hash value associated with it.
Let’s try and crack this md5 hash. I added this hash to a file named “hash” and asked John to crack it.
echo "$1$flag$vqjCxzjtRc7PofLYS2lWf" > hash john --wordlist=/usr/share/wordlists/rockyou.txt --format=md5crypt-long hash
We got a password!
Let’s try ssh into the machine with the following command:
We are logged in as flag.
The change directory command is restricted so we will have to use ls to discover what is on the system.
I checked the Wordpress config file and found database credentials worth noting:
Some more enumeration on the system reveals something interesting in the backup directory:
ls -la /var/backups/passbkp
Let’s crack this md5 hash like before. Again I save it to a file called hash.
john --wordlist=/usr/share/wordlists/rockyou.txt --format=md5crypt hash
And the following password has been found:
We will try ssh into another user called Rohit. This user was identified from the /home directory.
Let’s check sudo Privileges:
Rohit clearly has all sudo privileges, so running the following command should give us root:
And we have root!
id cd /root ls