Back again with another Vulnhub challenge. It’s been a while since my challenge, so wanted something easy to shake the rust off. This challenge is a basic boot2root VM with multiple ways of getting root. This challenge can be found here for those wanting to give it a go.
So starting off with a good old nmap scan gives me a couple of open ports:
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.3c
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| 2048 d6:01:90:39:2d:8f:46:fb:03:86:73:b3:3c:54:7e:54 (RSA)
| 256 f1:f3:c0:dd:ba:a4:85:f7:13:9a:da:3a:bb:4d:93:04 (ECDSA)
|_ 256 12:e2:98:d2:a3:e7:36:4f:be:6b:ce:36:6b:7e:0d:9e (EdDSA)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:14:06:50 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
So we have 3 ports open, FTP,SSH and Web, lets take a look at the web site hosted on this VM.
This looks like the default apache homepage, so nothing else to do here. Running nikto to see if there is anything else:
+ Server: Apache/2.4.18 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0xb1 0x55e1c7758dcdb
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ Uncommon header 'link' found, with contents: ; rel="https://api.w.org/"
+ OSVDB-3092: /secret/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7535 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time: 2018-03-13 04:46:30 (GMT-4) (20 seconds)
+ 1 host(s) tested
Looks like there is a /secret directory, what could this be?
Doing a bit of research, turns out you will need to add vtcsec to your /ect/hosts file and this will give you the proper page:
Ahh, so this is a WordPress site, so going to http://vtcsec/secret/wp-login.php will take me to the login page.
Trying some dead basic default username and passwords to see if I can get in aaannnndddd boom, username: admin password: admin
Now that I have access to the admin panel, lets open a reverse shell by using wordpwn. Upload the generated zip file into WordPress and activate the plugin by going to editor, select the gotem plugin and then select the wetwork_maybe.php file. In there you will see the directory path for the plugin. Copy that directory path and go to vtcsec/secret/wp-content/plugins/.
This will open up the reverse shell connection, typing in whoami I get www-data, so not root (yet!!).
To make life a little easier, I spawned a bash shell using python:
python -c 'import pty; pty.spawn("/bin/sh")'
Looking around to see how can I get root access, I find the wp-config file with the root password:
Trying to switch to root using that password didn’t work, so I kept looking to see what else I could use to get root. Poking around I found myself in marlinspikes home directory and found backdoored_ftp directory.
Doing a little research, I find out that in late 2010, Proftpd was compromised and had Proftpd 1.3.3c replaced with a backdoored version.
Exiting out of the reverse shell, there are a couple of ways this can be exploited. I went with the very basic, manual approach and telnet into the machine and typed HELP ACIDBITCHEZ.
Awesome, that’s one way to get root. However, the description mentions that there are multiple ways of getting root on this system.
So exiting the ftp server and going back to my reverse shell. I poked around a bit more to see what else I could do to get root.
Going to the /etc directory to take a look at the shadow and passwd files.
The passwd file is world writable, meaning any hashed password I put in there will the password for that account. Doing some more research, I find that I can generate the correct hash using openssl.
Editing the passwd file to have the hashed password for root. Switch to user root, enter the new password and boom I am root (again).
There maybe another way to get root, but I couldn’t find anything.
Overall this challenge wasn’t to bad and liked the inclusion of the compromised ftp application as a way to get root on the system.