Hello friends! Today we are going to take another boot2root
challenge known as “Web Developer: 1”. The credit for
making this VM machine goes to “Fred Wemeijer” and it is another boot2root
challenge in which our goal is to get root access to complete the challenge.
You can download this VM here.
Security Level: Intermediate
Penetrating Methodology:
·
IP Discovery using netdiscover
·
Network scanning (Nmap)
·
Surfing HTTP service port
·
Enumerating directories using Dirb
·
Finding “cap” file
·
Analyzing the “cap” file and finding wordpress
password
·
Installing vulnerable plugin in wordpress
·
Exploiting the vulnerable to get reverse shell
·
Finding SSH login and password
·
Finding application is sudoers list
·
Getting flag
Walkthrough
Let’s start off with scanning the network to find our
target.
netdiscover
We found our target –> 192.168.19.131
Our next step is to scan our target with nmap.
nmap -p- -sV 192.168.19.131
From the NMAP Version Scan we enumerated the following
details:
22 Port having the SSH service and 80 Port having HTTP
service.
As the HTTP service is running on the target server, let’s open
the IP Address on the Web Browser.
As we couldn’t find any links on this page. So, we will do a
directory bruteforcing using dirb scan. From the scanning result, we choose the
highlighted directory for further enumeration.
So, we opened this directory in the browser and found a cap
file.
We will open cap file in Wireshark, and you can see that we
found the username and password through it.
And using the above username and password, you can directly
log on to the website. As you can see that the website is in WordPress. And I
remember that there is plug-in of WordPress that is vulnerable. So, in plugin I
added a new plugin i.e. ReFlex Gallery as you can in the image below:
Now, we will use the in-build exploit from Metasploit to
exploit this plug in and get a session. And for this, we use the following set
of commands:
use
exploit/unix/wepapp/wp_reflexgallery_file_upload
set rhosts
19.2681.19.131
exploit
Once we got the session, I navigated through it a lot and
found the wp-config.php, now,when reading the config file, we find username and
password.
Now we find credentials inside the file, we use this
credential to login through SSH. After logging in we check the sudoers list and
find we can run “tcpdump” as root user.
sudo -l
So, we can execute a file using tcpdump, so we use the
following command to execute “ls -al /root” command. Now the command will be
executed only when tcpdump captures a packet.
COMMAND='ls -al /root'
TF=$(mktemp)
echo
"$COMMAND" > $TF
chmod +x $TF
sudo tcpdump -ln -i
lo -w /dev/null -W 1 -G 1 -z $TF
After starting tcpdump, in a new terminal we connect to
target machine through SSH. Now we send a TCP packet to the 127.0.0.1 using
netcat. We had to use this locally as we started tcpdump on loopback interface.
nc -v -z -n -w 1
127.0.0.1 1
As soon as we send the packet, our command is executed and
we can see all the files inside “/root” directory. Inside “/root” directory, we
find a file called “flag.txt”. We are again going to use tcpdump command to
open “flag.txt” and are able to get the final flag.
COMMAND='cat
/root/flag.txt'
TF=$(mktemp)
echo
"$COMMAND" > $TF
chmod +x $TF
sudo tcpdump -ln -i
lo -w /dev/null -W 1 -G 1 -z $TF
0 comments:
Post a Comment