VulnHub – Basic Pentesting 1

Setup

Our attacking box is a virtual machine that has the IP 192.168.56.102 and runs an updated Kali Linux 2020.3. Throughout the penetration test, we will try to avoid using any automated exploitation tools. The target is Basic Pentesting 1, a vulnerable virtual machine to practice penetration testing. It has the IP 192.168.56.104 and we have no further information about this target.

Information Gathering

Since we are already on the same subnet as the target and we know the IP, the first step is to scan for open ports with nmap. We decide to do a quick TCP scan and have nmap guess the software and versions running on each port (-sV). We also avoid pinging the host (-Pn) and don’t need DNS resolving (-n).

sudo nmap -sV -Pn -n 192.168.56.104

Image 1: Results of an nmap-scan of the target.

Note that this scan took only about 7 seconds. If we were to add UDP scanning as well (-sU) it would take a bit over 18 minutes. We have the following open ports to investigate:

FTP server (ProFTPD 1.3.3c on port 21)
SSH server (OpenSSH 7.2p2 Ubuntu)
webserver (Apache httpd 2.4.18 Ubuntu)

Let’s start with the webserver.

Exploitation

Webserver

The first thing we do is connect to the server with a browser. We are greeted with a default “It works!” page. For good measure we also use “View Source” but that just reveals some plain HTML.

Next, get a quick overview by running nikto on the webserver.

nikto -h 192.168.56.104

Apart from the fact that the Apache version is outdated (worth checking for exploits) and some other potential vulnerabilities, nikto was able to detect a directory /secret/ which seems worth investigating by accessing it directly in the browser.

Image 4: Connecting to 192.168.56.104/secret with a browser.

Seems like we found a WordPress blog. However, the layout looks broken, and hovering over the “Hello World” link reveals it is pointing to http://vtcsec/secret/index.php/2017/11/16/hello-world/. To fix this, we add a line for vtcsec in the /etc/hosts file of our attacking box.

sudo nano /etc/hosts
... in the file ...
127.0.0.1       localhost
127.0.1.1       kali
192.168.56.104  vtcsec

That fixes things. We can check for the WordPress admin interface by going to 192.168.56.104/secret/wp-admin/. Surprisingly, the default username/password combination admin/admin works and we can access the admin dashboard.

Since we can load PHP-Code in WordPress by pasting it into a plugin or by editing the theme (Appearance -> Editor) and refreshing the page, we can install a PHP reverse shell. Kali-Linux comes with a selection of premade shells to pick from.

cat /usr/share/webshells/php/php-reverse-shell.php

To use the reverse shell, we use nc to listen (-l) for incoming connections on a specified port (-p 1122) on our attacking box.

nc -vnlp 1122

We activate the “Hello Dolly” plugin and copy-paste the reverse shell to replace the code of the plugin (Plugins -> Editor) and change $ip and $port to the IP of our attacking box and the target port (1122).

Image 6: Modified WordPress plugin with PHP reverse shell code.

After clicking the “Update File” button, we successfully gain a shell as the user www-data (note that it might appear as if nothing happened but we get the shell as soon as we click the button).

Image 7: Catching the reverse shell with nc.

Post Exploitation

The next step is to escalate our rights from the user www-data to the superuser root. Let’s see what user accounts with a login shell exist on the target machine. We exclude ‘false’ and ‘nologin’ with grep -v.

cat /etc/passwd | grep -v 'false\|nologin'

Image 8: Checking for users that can login.

Apart from the root user, there’s one other user of interest who goes by the handle marlinspike. However, when we try to change to another user…

sudo su

…we only see the error message “sudo: no tty present and no askpass program specified”. So the first thing we need to do is get a tty. There are a couple of different ways to do that [1,2]. We opt for the script method, because it is pretty simple and straightforward.

script -qc /bin/bash /dev/null

Unfortunately, we cannot log in as either root or marlinspike, because we have to provide the password of www-data. Let’s see if we can read /etc/shadow.

cat /etc/shadow | grep 'root\|marlinspike'

Surprisingly, we are allowed to read the file and so we can grab the hash of the user marlinspike and try to crack it with “John The Ripper”. First, we use nano to create a file called ms.pass where we copy/paste the username:hash part of /etc/shadow and after that we run john on that file from our attacking box.

sudo john -single ms.pass

Image 10: Cracking the password for user marlinspike with john.

As we can see, the password is also marlinspike. We try to ssh into the machine as marlinspike with the freshly cracked password and it works.

ssh marlinspike@192.168.56.104

After checking our sudo rights with sudo -l we can see that we are allowed to become root. Mission accomplished 🙂

Alternative Attacks

FTP server

Let’s check out the FTP server to see if there’s another way to get root privileges on the target. A quick Google search for “proftpd 1.3.3c exploit” reveals that this particular version of ProFTPD might contain a backdoor [3]. We can try if that is the case by connecting to the server and issuing “HELP ACIDBITCHEZ”. It works and this time we’ll use another way to get a tty (by using Python). Seems like the FTP server is a very quick way to gain root access.

Image 12: Using the ProFTPD 1.3.3c backdoor to become root.

Lessons Learned

Information gathering

Portscanning

A quick overview of the most common 1000 TCP ports:

sudo nmap -sV -Pn -n TARGET-IP

Webserver

Always check out the website in a browser first and view the source code. Scan a webserver for common vulnerabilities and find directories:

nikto -h TARGET-IP

Edit /etc/hosts on the attacking box to fix broken websites.

Exploitation

Misc

Try default usernames like admin/admin for WordPress (site/wp-admin).

Reverse shell

Use netcat to catch a reverse shell:

nc -vnlp PORT

Copy /paste web reverse shells from Kali’s /usr/share/webshells directory into suitable locations like WordPress plugins and reload the page.

Post Exploitation

tty

script -qc /bin/bash /dev/null
python -c "import pty; pty.spawn('/bin/bash')"

Passwords

Check for users that are allowed to login:

cat /etc/passwd | grep -v 'false\|nologin'

Get the password hash of a user (not allowed by default, as /etc/shadow is not world readable):

cat /etc/shadow | grep 'USERNAME'

Crack a password hash:

echo "USERNAME:HASH" > pw.pass
sudo john -single pw.pass

Sources

[1] https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/#tldr-cheatsheet

[2] https://stackoverflow.com/questions/1401002/how-to-trick-an-application-into-thinking-its-stdout-is-a-terminal-not-a-pipe

[3] https://www.securitygeneration.com/security/proftpd-1-3-3c-briefly-backdoored-by-hackers/

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.