Another day, another root. I learn something new on every boot to root I do usually. However, I’m happy to say I finally came across something I’ve wanted to learn for a long time but I was never able to get a straight answer on it. This is a fun little machine. I hope you enjoy it too.

Download Coffee Addicts here

Author: BadByte

Defining the Attack Surface

Per my usual for vulnerable virtual machines on my network that I know aren’t going to mind if I hit every port, I run my initial nmap scan

nmap -sC -p- -oN nmap_full_output 192.168.158.182

(nmap (-sC script scan) (-p- all ports) (-oN output normal _file name_) (target address))

It appears that this host has an SSH service running and also what appears to be an HTTP server

Let’s see what the browser looks like when we visit the HTTP server

Haha well it doesn’t get much more clear than that for what we need to do next.

nano /etc/hosts

Append the line machine_ip coffeeaddicts.thm at the bottom of the file. For me it looks like this

Once I get this added I visit the site again and this is what we get now

It appears the website has been hacked lol… Let’s move on.

Nikto is next

nikto -h http://coffeeaddicts.htm

Nothing super useful here. I log the apache version in my notes. It might be useful later since nikto says it’s out of date.

Now onto more enumeration. Dirbuster is next

dirb http://192.168.158.182 /usr/share/wordlists/dirbuster/directories.jbrofuzz

Finally our enumeration starting to return some fruits. We find a wordpress directory under the coffeeaddicts.thm domain. Now we can really start digging in. Let’s first see if the site is still intact by visiting it in the browser. Then we’ll continue with enumeration.

The wordpress site appears to just have been moved to this directory. Everything seems functional so I think this is going to be our point of entry.

Now that we’ve identified our point of entry let’s start trying to see if we can find some holes in it. The first thing I did was navigate around the site. I pulled images down and ran them through binwalk. I tried posting a comment to see if I could sneak some php in, no dice there. I also looked at the comments to see if there were any clues in there. As it turns out, there might be!

This doesn’t mean a ton to me just yet but I’m willing to bet that the password is here.

I’m going to run wpscan next to see if there’s anything I’m missing. WpScan will also enumerate for all users which is super helpful.

wpscan --url http://coffeeaddicts.thm/wordpress

WpScan appears to have returned two more nuggets for us. First is a possible php exploit for this plugin. The second is we have identified a username for the site gus.

Now that we have a username and some options for a password, let’s try logging in as gus. Unless someone specifically changes the login directory code, it should be under the root directory in a directory called /wp-admin just go there and you should get a login prompt for most wordpress sites.

For this site it’s http://coffeeaddicts.thm/wordpress/wp-admin

After a bunch of trial and error, I landed on the credentials gus:gusineedyouback

And we’re in!

Now, resist…… RESIST THE URGE to click update…… must …. resist……

Gaining Entry

There’s a few ways we might attempt to get in from here I’d imagine. We could look at the specific vulnerabilities for this version of wordpress. We can try and sneak something in via media upload. However, before I start poking at stuff, I like to navigate around and just see what options we have. In this case I’m thankful I did because this was super easy to bypass this time.

Under plugins, we have the plugin editor. This editor allows us to drop arbitrary php into a file and save it. Extraordinarily useful if you’re attempting to get a reverse shell.

Which is exactly what I did. I hand jammed a simple bash reverse shell, had it stuck into the tmp directory, started my netcat listener on port 443, and then ran my shell.

Please take special care and note that this index.php file is not the main site index.php. It’s the akismet index.php so you’ll need to navigate to the proper url to invoke it.

http://coffeeaddicts.thm/wordpress/wp-content/plugins/akismet/index.php

Privilege Escalation

Part of my priv esc methodology has become always starting in the home directory. There always seems to be goodies in there. When I ls -la the home directory I see there’s two users

Since we’re on the gus bus right now, I start with his.

Apparently someone had or has sudo access. Also there’s a few files in here we’re going to want to look at.

The first two are readme.txt and user.txt (which I’m assuming is our user flag)

hello, admin. as you can see your site has been hacked, any attempt of fixing it is futile, as we removed you from the suoders and we changed the root password. ~Nicolas Fritzges

Interesting that the hacker would sign a personal letter to the user with their name but eh moving on lol

So our user used to be a sudoer now they’re not. Also, it appears the root password has been changed.

The last file I want to look at in gus’s home directory is the .bash_history file because if our hacker was logged in as gus it might give us some clues as to what they were doing. Unfortunately though, it’s restricted and we can’t access it as the www-data user

Now let’s move over to the /home/badbyte directory and see what’s hiding in there

Hmm interesting… I wonder if there’s anything yummy in the .ssh directory. Since the permissions says I can look in, let’s take a peak

:-O

Sure enough, we have the hackers ssh private key…. Jackpot

Now admittedly, I knew that this was important but I didn’t know how to use it. I remember asking years ago someone how to actually utilize finding someone’s private key and I only got blank stares. At first I tried using ssh-keygen to create a new public key but that didn’t work out for me.

After a little research I figured out you first need to use john the ripper to brute force the passphrase out of this. Then you can login with it. Here’s the steps I took.

wget https://raw.githubusercontent.com/openwall/john/bleeding-jumbo/run/ssh2john.py
python3 ssh2john.py id_rsa | tee hash
john hash --wordlist=/home/kali/rockyou.txt

(borrowed from this walkthrough here [thanks op])

This ended up spitting out the passphrase of password pretty quickly. I’m so thankful I came across this box. NOW I KNOW (and knowing is half the battle)

Anyhow, once you have the passphrase sshing in is very straight forward

inside the .ssh directory I did ssh -l badbyte -i id_rsa 192.168.158.182

_we’re in_

Getting Root

I once again start with the /home/ directory. Just this time I step into /home/badbyte first. Since we’re logged in as the hackers user, I should be able to see the history file this time. Sure enough, we can see the steps they took on the machine.

It appears that the hacker changed some permissions, deleted stuff, accessed the database, and … wait ….

gtfoh…

Could it be we have found our path to root?

attempting to access the root directory from here though shows permission denied.

The last step you need to take is running su root and using the hacker’s password of password once more

At that point you’re able to grab the root flag

Summary

This was a relatively straight forward box. Nothing to insane here and plenty of breadcrumbs to help you find your way. I was extremely happy I was finally able to flex using a private key to gain access. This has been on my bucket list for a while.

On to the next box!

Leave a Reply

12 − eleven =