[OSCP Practice Series 67] Proving Grounds — Thor

Ardian Danny
5 min read, Mar 26, 2024

Machine Type: Linux

The Attack

A regular Linux machine with two HTTP ports, 80 and 10000. Let’s check port 80 first.

Nothing, just a template web page. Let’s do gobuster.

OpenLiteSpeed 1.7. There’s an exploit for version 1.7.8.

But we need credentials for it. I ran another Nmap scan and discovered that port 7080 is open.

It’s the LiteSpeed web admin console.

I am bruteforcing the login page in the background.

Hydra is taking a long time. Hm… Google said that the default credentials for OpenLiteSpeed are admin:12346. They don’t work in my case. The credentials must be somewhere. Let’s check port 10000.

It’s a Webmin login panel. Could this be the one? Miniserv 1.962.

There’s an article about an RCE for this, but it requires credentials and the use of Metasploit.

There’s rate limiting, so we can’t brute-force here.

Perhaps the user is jfoster. What the hell, it doesn’t fricking work.

I got a clue: it turns out we need to generate our own wordlist for Jane Foster using a tool like cupp (https://github.com/Mebus/cupp).

python3 /opt/cupp/cupp.py -i

We have generated our own wordlist for ‘Jane Foster’ using cupp.

We can use this wordlist to brute-force the OpenLiteSpeed web admin.

We got our OpenLiteSpeed web admin credentials.

admin:Foster2020

Now let’s try the CVE https://www.exploit-db.com/exploits/49556.

Seems to work, just need to edit the script.

Nice, we are in as nobody, a member of the shadow group. We should be able to read /etc/shadow now.

We got both the root and thor hashes. Let’s crack them.

root:$6$XRJJB9j7GYzWvjBy$yZEsOS3cam1DG.eI26bW1TERw5SV7b3RVZQHZB7UFzKNyPR6PPUFfxzclKsiGUT8.WoL7vQ4hhNmekav68kwN1:19150:0:99999:7:::
thor:$6$l2ThCEsvmrzmkKIA$FWtAb1SsYFqAXA96Ze4uGTHtPV9HNi7ShAgoTet1gx.HvkEFePp.Bk/uBeuxpCMz/X3jXWbGavj11po9H/FzP.:19150:0:99999:7:::

Let’s try to crack both. The thor one cracked.

thor:valkyrie

Let’s SSH in as thor.

We can run /usr/bin/systemctl restart webmin as root with no password.

Perhaps we can hijack the service or something of the sort. We need to analyze the service first.

The service lives in /usr/share/webmin/. We need to look at the changepass.pl script.

We won’t be able to read it since we are not root, so we can use the previous vulnerability to add ourselves to the root group.

The script modifies the /etc/webmin/miniserv.conf and /etc/webmin/miniserv.users files in order to change the Webmin password stored in /etc/webmin.

The bin group has read and write access to both files. Let’s add ourselves to the bin group using the previous exploit.

Now that we can access it, we can modify the root password.

/usr/share/webmin/changepass.pl /etc/webmin root pwn

Now we can restart the Webmin service for the change to take effect.

Now, since we changed the root Webmin password, not the real root password, we gotta exploit Webmin (now that we know the Webmin password). We need to go back to the Metasploit exploit we discovered earlier: https://www.exploit-db.com/exploits/49318.
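As an added example (not code from the original write-up), here is a small audit script that models the escalation chain above from the defender’s side: it checks whether a user who may restart webmin through sudo can also rewrite the files that changepass.pl edits, and shows the root-only ownership that breaks the chain. The file modes, owners and the sudoers line are constructed assumptions, not values taken from the box.

```python
import stat
from dataclasses import dataclass

# Constructed metadata modelled on the walkthrough: changepass.pl rewrites
# miniserv.conf and miniserv.users, and the bin group can write both.
# Exact modes, owners and the sudoers line are assumptions, not from the box.
@dataclass(frozen=True)
class FileMeta:
    path: str
    mode: int    # permission bits only, e.g. 0o660
    owner: str
    group: str

WEBMIN_FILES = [
    FileMeta("/etc/webmin/miniserv.conf", 0o660, "root", "bin"),
    FileMeta("/etc/webmin/miniserv.users", 0o660, "root", "bin"),
    FileMeta("/usr/share/webmin/changepass.pl", 0o700, "root", "root"),
]
SUDOERS = ["thor ALL=(root) NOPASSWD: /usr/bin/systemctl restart webmin"]

def can_write(f: FileMeta, user: str, groups: set) -> bool:
    """POSIX write check: owner bits if the user owns the file, otherwise group
    bits if the user is in the file's group, otherwise the 'other' bits."""
    if user == "root":
        return True
    if user == f.owner:
        return bool(f.mode & stat.S_IWUSR)
    if f.group in groups:
        return bool(f.mode & stat.S_IWGRP)
    return bool(f.mode & stat.S_IWOTH)

def can_restart_webmin(sudoers_lines, user: str) -> bool:
    """True if a sudoers line lets `user` restart webmin without a password."""
    for line in sudoers_lines:
        fields = line.split(None, 1)
        if (len(fields) == 2 and fields[0] == user and "NOPASSWD:" in fields[1]
                and "systemctl restart webmin" in fields[1]):
            return True
    return False

def audit_webmin_chain(user, groups, sudoers_lines=SUDOERS, files=WEBMIN_FILES):
    """Return the /etc/webmin state files `user` can rewrite while also being
    able to restart the service; an empty list means the chain is absent."""
    if not can_restart_webmin(sudoers_lines, user):
        return []
    return [f.path for f in files
            if f.path.startswith("/etc/webmin/") and can_write(f, user, groups)]

def hardened(files=WEBMIN_FILES):
    """Mitigation: keep Webmin state files root-owned with no group/other access."""
    return [FileMeta(f.path, f.mode & ~(stat.S_IRWXG | stat.S_IRWXO), "root", "root")
            for f in files]

if __name__ == "__main__":
    print(audit_webmin_chain("thor", {"thor"}))                          # [] (not in bin)
    print(audit_webmin_chain("thor", {"thor", "bin"}))                   # both miniserv files
    print(audit_webmin_chain("thor", {"thor", "bin"}, files=hardened()))  # []
```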

We are root.

local.txt: 96657dc3198c6f9c1a5ad5275f5c8a85
proof.txt: 521bf986e66b6b453e9842b4182f00b5

Learned

  • This machine is hard. I learned new things about Webmin exploitation.


Ardian Danny

Penetration Tester, Ethical Hacker, CTF Player, and a Cat Lover. My first account got disabled by Medium, but it won’t stop me from sharing the things I love.