Boot To Root, Info Sec 10-June-2018 .NetRussell

b00t 2 r00t – DerpNStink | VulnHub VM

This was a pretty fun machine. It’s been a while since I’ve done a boot to root so I’m happy I picked a good one to dip my toe back in the water. If you haven’t downloaded the VM yet you can find it here.

I chose this specific VM because the author said it was a culmination of what they had seen in the OSCP labs. For those that don’t know, I failed HORRIBLY about a year ago at the OSCP exam. Two limited shells and one root. Not good enough. My plan now is to continue working on vulnerable VMs in my free time until I’m comfortable enough to take it again.

Many of the VMs on VulnHub tend to be a little more CTFish than they are OSCPish. I remember maybe one machine that was in the OSCP lab that had an image with embedded files in it. However, that’s a pretty common thing you see in VulnHub VMs. It’s just not realistic for what I’m trying to accomplish so this VM was a nice change of pace.

Alright, enough babbling, let’s get to the root.

Scanning:

As usual I started with a light nmap scan

As you can see from the scan, we have three ports open:

21 (vsftpd 3.0.2)
22 (OpenSSH 6.6.1p1)

and

80 (Apache httpd 2.4.7)


Enumerating:

So naturally the first thing I started with was trying to log into the FTP server with anonymous credentials

No such luck…

Since I didn’t have any user credentials, I didn’t bother with the SSH server just yet. On to trying the webserver.

Interesting little site but not a ton of info here.

I always look at the source on sites that look hand rolled. There’s usually goodies in there.

Sure enough, our first flag was hiding in the source code near the bottom.

Next up I decided to run dirbuster on the webserver root directory to see what we could turn up.

 

Sure enough, more than a couple interesting directories were found. For example in this image we see a phpmyadmin and also a directory called weblog that appears to have a wp-admin directory. For those unfamiliar, wp-*** usually means WordPress.

 

 

When you attempt to navigate to the weblog directory, you get redirected to some other page 🙁

 

I kept digging around and eventually I saw another interesting directory pop up: “/webnotes/info.txt”.

 

When you navigate to this address you get some helpful information

 

It looks like we need to add that domain to our “/etc/hosts” file in order to access the blog.

To do this just run “nano /etc/hosts” and enter the information like I have below

 

Sure enough, we get access!

 

At this point it’s pretty safe to say this is a WordPress site, so naturally our next stop is wpscan.

 

 

You’ll notice that not only did wpscan identify some possible vulnerable plugins, but it also identified two users “unclestinky” and “admin”.

Now if you provided wpscan a wordlist and you wait for it to finish, it will spit out the credentials “admin:admin”.

You can take these credentials and give them a try. Sure enough they get you logged in.
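What this stage looks like from the web server's side, as an added example that is not part of the original write-up: a small detector run over Apache access-log lines that flags repeated failed `wp-login.php` POSTs and `?author=N` user enumeration. The log lines, IP addresses and thresholds are constructed for illustration; it assumes the default Apache log layout and that WordPress answers a failed login with 200 and a successful one with a 302 redirect.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

def detect(lines, threshold=5, window=timedelta(seconds=60), min_authors=3):
    """Return {ip: [alerts]} for login guessing and author-ID enumeration."""
    failed = defaultdict(list)   # ip -> timestamps of failed wp-login POSTs
    authors = defaultdict(set)   # ip -> distinct ?author=N values requested
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path, _, query = m["url"].partition("?")
        # WordPress answers a failed login with 200 and a successful one with 302
        if m["method"] == "POST" and path.endswith("/wp-login.php") and m["status"] == "200":
            failed[m["ip"]].append(ts)
        probe = re.search(r"(?:^|&)author=(\d+)", query)
        if probe:
            authors[m["ip"]].add(probe.group(1))
    alerts = defaultdict(list)
    for ip, stamps in failed.items():
        stamps.sort()
        # any `threshold` consecutive failures that fit inside one window
        if any(stamps[i + threshold - 1] - stamps[i] <= window
               for i in range(len(stamps) - threshold + 1)):
            alerts[ip].append("password guessing")
    for ip, ids in authors.items():
        if len(ids) >= min_authors:
            alerts[ip].append("user enumeration")
    return dict(alerts)

def make_line(ip, sec, method, url, status):  # constructed sample data, not from the VM
    return f'{ip} - - [10/Jun/2018:12:00:{sec:02d} +0000] "{method} {url} HTTP/1.1" {status} 512'

SAMPLE = (
    [make_line("192.0.2.10", i, "GET", f"/weblog/?author={i}", 301) for i in (1, 2, 3)]
    + [make_line("192.0.2.10", 10 + i, "POST", "/weblog/wp-login.php", 200) for i in range(6)]
    + [make_line("192.0.2.10", 17, "POST", "/weblog/wp-login.php", 302),
       make_line("198.51.100.7", 30, "POST", "/weblog/wp-login.php", 200),
       make_line("198.51.100.7", 40, "POST", "/weblog/wp-login.php", 302)]
)

if __name__ == "__main__":
    print(detect(SAMPLE))
```

The second client in the sample mistypes a password once and then logs in, and is not flagged.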

 

Once logged in, you’ll see that you have pretty limited options.

There really only seems to be one direction to go, and that’s via Slide Show. Now, I’m almost 100% positive you could just upload a file like “exploit.php.png” via this upload console. However, let’s take the route of using a prebuilt exploit.

Exploiting:

If you remember from our wpscan output, there were a number of vulnerabilities identified. One of these was the slide show arbitrary upload exploit.

You’ll be able to find this exploit by using searchsploit

If you attempt to run the exploit you’ll see that you need to provide it a target, username, password and payload

Thankfully Kali comes with some webshells built in so we just need to pick one.

I personally prefer the php-reverse-shell.php webshell payload.

Once you copy it, don’t forget to open it and swap out the reverse shell address and port.

Deploying is very easy

Once the shell is deployed to the server, spin up a netcat listener and navigate to the shell in the link that’s provided to you.

 

We’re in!

Privilege Escalation:

Now the first place that I head in this scenario is the WordPress site. I head there because I know that WordPress is using the database and I know that it must store the credentials in a config file.

Crack it open and near the top you’ll find our DB credentials.

Now that we have these, remember that phpMyAdmin page we couldn’t access? Let’s give it a try now.

 

Boom! We’re logged in. Things are starting to move now.

I’m sure you could mess around with all the different tables here but I’m interested in one thing. The MySQL.users table. That’s it.

As you can see, there’s a number of users and hashes in here. I copied each of the hashes out and put them into a file called hashes.

I then ran these hashes through john with the command “john --wordlist=/usr/share/wordlists/rockyou.txt hashes”

This produced the credentials “stinky:wedgie57”

With these credentials I decided to give the WordPress site another go.

As you can see, we get logged in and on the dashboard for stinky there’s a flag waiting for us.

Next I decided it was time to try and get a shell for stinky

You’ll note the exception “su: must be run from a terminal”. This is because the shell that we had previously wasn’t a TTY shell. You can find a number of different ways to spawn a TTY shell with this Cheat Sheet.

Before I start to enumerate for exploits, I always start in the spots where most users would put sensitive things for us to find. Naturally I started working through the “/home/stinky/” directory.

Once you drill down to the Documents directory you’ll find a derpissues.pcap file. I exfiltrated this back to my Kali box immediately.

I know you can use other tools to analyze pcap files. However, I’m comfortable with Wireshark so I opened it there.

One quick filter for HTTP and you see we have a bunch of traffic. Sure enough I find something that looks tempting. A POST request to wp-login.php. It doesn’t get much tastier than that.

A little hunting and you’ll quickly see that there are some credentials hiding in there for mrderp.

I took these credentials back over to our shell and attempted another su to this user

We got another one!

Getting Root:

Now at this point I was stumped for a little bit. I did all the enumeration I could think of. This user wasn’t a sudoer which really sucked. I also enumerated home directories, hidden files, services running, even OS exploits. All to no avail.

Then I remembered g0tmilk’s Linux enumeration cheat sheet and I started working through it.

Thankfully I did because as soon as I did “sudo -l” I found the answer.

“User mrderp may run the following commands on Derpnstink”

I just needed to find or create this derpy* file and I was home free.

So I did just that. I first created the binaries directory then a file inside it called derpy* with “su root” in it

Just like magic, we have root! GG
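The rule works as an escalation path because it points, with a wildcard, at a location the unprivileged user controls. A check for that condition over `sudo -l` output, as an added example that is not from the original post: `audit` and `controlled_by` are names introduced here, and since the rule's full path is only in the post's screenshot, the demo uses a constructed rule under a temporary directory standing in for the home directory.

```python
import os, re, stat, tempfile

# "(runas) [TAG:]... cmd[, cmd]" lines as printed by `sudo -l`
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?:[A-Z_]+:\s*)*(?P<cmds>.+)$")

def controlled_by(path, uid):
    """Return the nearest component of `path` that `uid` can create or replace, else None.
    Group write permission is not evaluated (simplification)."""
    path = os.path.realpath(path)
    while True:
        try:
            st = os.stat(path)
        except OSError:
            st = None  # missing component: whoever controls the parent can create it
        if st is not None:
            world = (st.st_mode & stat.S_IWOTH) and not (st.st_mode & stat.S_ISVTX)
            if st.st_uid == uid or world:
                return path
        parent = os.path.dirname(path)
        if parent == path:
            return None
        path = parent

def audit(sudo_l_output, uid):
    """Return [(command_path, [reasons])] for rules that `uid` can subvert."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            parts = cmd.split()
            if not parts or not parts[0].startswith("/"):
                continue  # "ALL" and aliases are out of scope here
            binary, reasons = parts[0], []
            if any(c in binary for c in "*?["):
                reasons.append("wildcard in command path")
            owner = controlled_by(binary, uid)
            if owner:
                reasons.append(f"{owner} is controlled by uid {uid}")
            if reasons:
                findings.append((binary, reasons))
    return findings

if __name__ == "__main__":
    home = tempfile.mkdtemp()  # stands in for the user's home directory (constructed)
    sample = ("User mrderp may run the following commands on Derpnstink:\n"
              f"    (ALL) {home}/binaries/derpy*\n")  # constructed rule
    for binary, reasons in audit(sample, os.getuid()):
        print(binary, "->", "; ".join(reasons))
```

A sudoers command should be a fixed path to a root-owned file whose every parent directory is also root-owned; anything this check reports fails that test.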

 

Summary:

I really appreciate boxes that test multiple areas of discipline. I liked being able to not only run an exploit but also dig through a pcap file. Not every machine touches on so many different things so this was a great time. Hopefully if you’re reading this you were also able to make it through.

Excellent job to the Author: Bryan Smith

I look forward to trying more of your VMs in the future!
