Hacker Fest 2019 — Walkthrough

Mr. Robot
Published in InfoSec Adventures
Oct 10, 2019

Description from Vulnhub

The machine was part of my workshop for Hacker Fest 2019 at Prague. Difficulty level of this VM is very “very easy”. There are two paths to exploit it.

There are no intentional rabbit holes. Through a vulnerable “[retracted]”. Exploit is part of MSF. Through vulnerable “[retracted]”. Can be found by “[retracted]”. There is a “[retracted]” injection (exploit is part of MSF). Recovered credentials (username + hash) can be cracked by John and rockyou.txt wordlist. Low priv shell can be gained through MSF exploit or trying the credentials against “[retracted]”. Priv. esc. is simply done by “[retracted]”.

Link: https://www.vulnhub.com/entry/hacker-fest-2019,378/

I started with a standard port scan with only the -A option which yielded the following result:

It was so long, I had to divide it into 2 screenshots. Here’s the second part:

The large output was mainly because the vsftpd service had anonymous login enabled and nmap listed all the accessible files. As you can see, anyone can access the web root over FTP, which is really, really bad. I downloaded the wp-config.php file because it contains sensitive information about the WordPress installation.
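The misconfiguration behind that nmap output is worth being able to spot in a config file before a scanner does. The following is an added example, not code from the walkthrough or from the VM: a small audit of vsftpd.conf text that applies vsftpd's documented built-in defaults (anonymous_enable defaults to YES upstream, so an absent line is not safe), flags anonymous access, and flags an anonymous root that sits under a web document root. Both configs are constructed for the example, and WEB_ROOTS is an assumed list of common document roots.

```python
"""Audit a vsftpd.conf for the weakness seen on this box: anonymous FTP
that serves the web root. Constructed example configs, not the VM's own."""
from pathlib import PurePosixPath

# Upstream defaults from vsftpd.conf(5) for the directives checked below.
# anonymous_enable defaults to YES in vsftpd itself (distribution packages
# usually ship a config that turns it off), so an absent line is not safe.
DEFAULTS = {
    "anonymous_enable": "YES",
    "anon_root": "",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO",
}

# Assumed common document roots; adjust for the host being audited.
WEB_ROOTS = ("/var/www", "/srv/www", "/usr/share/nginx/html")

# Constructed config resembling what the nmap output above implies.
WEAK_CONF = """\
listen=YES
anonymous_enable=YES
anon_root=/var/www/html
write_enable=YES
anon_upload_enable=YES
"""

# Constructed hardened counterpart: no anonymous access, local users jailed.
HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
allow_writeable_chroot=NO
"""


def parse_vsftpd_conf(text):
    """Return directive -> value, starting from vsftpd's built-in defaults."""
    cfg = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def _under(path, roots):
    """True if `path` equals or lies below any directory in `roots`."""
    p = PurePosixPath(path)
    return any(p == PurePosixPath(r) or PurePosixPath(r) in p.parents for r in roots)


def audit_vsftpd(text, web_roots=WEB_ROOTS):
    """List findings; an empty list means no anonymous exposure was found."""
    cfg = parse_vsftpd_conf(text)
    findings = []
    if cfg["anonymous_enable"].upper() != "YES":
        return findings
    findings.append("anonymous_enable=YES: unauthenticated FTP logins are accepted")
    if cfg["anon_root"] and _under(cfg["anon_root"], web_roots):
        findings.append(
            f"anon_root={cfg['anon_root']}: anonymous users can browse the web root "
            "(wp-config.php and any config backups included)")
    anon_write = ("anon_upload_enable", "anon_mkdir_write_enable", "anon_other_write_enable")
    if cfg["write_enable"].upper() == "YES" and any(cfg[k].upper() == "YES" for k in anon_write):
        findings.append("write_enable=YES with anonymous write directives: anonymous users can modify files")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_vsftpd(conf) or ['no findings']}")
```

Note that a config consisting of nothing but `listen=YES` still produces a finding, because the check starts from vsftpd's own defaults rather than assuming a missing directive is off.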

Yes, it contained a database password, which was expected. I couldn’t find anything interesting other than this, so I moved on.

I tried these credentials against the WordPress login page and the Webmin login page, but they didn’t work. At this point, I was left with more enumeration. I went back to the port scan result and searched for publicly available exploits based on the version numbers. The first real exploit that came up was this: https://www.exploit-db.com/exploits/47230

The version number in the title might be a little confusing, but if you read the description carefully, you can see that the exploit actually works on versions 1.890 through 1.920. “Only the SourceForge downloads were backdoored, but they are listed as official downloads on the project’s site.” Alright, let’s see if the software was downloaded from SourceForge with the backdoor. I loaded the module into Metasploit and experimented with the different options a little bit.

By experimenting, I mean setting the forceexploit option to true, because the exploit otherwise doesn't work, and trying different payloads. By the way, I almost forgot to set the SSL option to true, which is also crucial to make the exploit work. Eventually, I found a working payload which gave me a root shell, so there was no need for privilege escalation.

I had exploited this exact vulnerability before, which is why I wanted more from this machine. WordPress sites have a huge attack surface (outdated plugins, themes, config backups, etc.), so I decided to run a quick scan with wpscan --url http://192.168.1.77. I got the following result:

Note: I have a config file that contains my API token for WPVulnDB. It’s highly recommended!

In my opinion, the unauthenticated SQL injection has the most potential in this case. I tried to search for exploits, but I couldn’t really find one. However, I found this pull request: https://github.com/rapid7/metasploit-framework/pull/11698

An auxiliary module got merged on Apr 15. I searched for this module inside Metasploit and found it under a different name. Don’t let the word “auxiliary” disappoint you; it’s actually pretty helpful.

After running the module, I was presented with a username and password hash extracted from the WordPress database.

I quickly switched to my host machine to utilize its computing power. It only took a couple of seconds with the rockyou.txt dictionary to crack the hash.

I thought the webmaster might have reused his password and tried it against the SSH service. I got lucky and was able to log in successfully. Now I had a low-privileged user with not-so-low privileges: this user was able to run (ALL) ALL, i.e. any command as root, without requiring the root password. This made the privilege escalation stupidly simple. Kind of disappointing, but I just used the sudo su - command to switch to the root user and that was it.
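A `(ALL) ALL` rule is the kind of thing that should be caught in a routine review of `sudo -l` output, not discovered by whoever logs in with a reused password. The block below is an added example, not the walkthrough's own code: it parses the rule lines of `sudo -l` and grades each one, distinguishing a rule that grants every command as root (full takeover with the user's own password, as on this box) from one that additionally carries NOPASSWD (takeover with no password at all). The `sudo -l` text, the username `alice` and the hostname `hackerfest` are constructed for the example.

```python
"""Grade sudo rules from `sudo -l` output to flag trivial privilege escalation."""
import re

# Constructed sample of `sudo -l` output (user, host and rules are made up).
SUDO_L_OUTPUT = """\
Matching Defaults entries for alice on hackerfest:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User alice may run the following commands on hackerfest:
    (ALL) ALL
    (ALL : ALL) NOPASSWD: /usr/bin/systemctl restart nginx
    (root) NOPASSWD: ALL
"""

# "(runas_users [: runas_groups]) [TAG: ...] command"
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>.+)$")


def parse_sudo_l(text):
    """Return the rule lines of `sudo -l` as dicts: runas users, tags, command."""
    rules, in_rules = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.startswith("("):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas_users = m.group("runas").split(":")[0]        # drop the group part
        rules.append({
            "runas": [u.strip() for u in runas_users.split(",")],
            "tags": re.findall(r"[A-Z_]+", m.group("tags")),
            "cmd": m.group("cmd").strip(),
            "line": line,
        })
    return rules


def assess_sudo_l(text):
    """critical: any command as root; review: passwordless but limited; info: the rest."""
    findings = []
    for rule in parse_sudo_l(text):
        as_root = any(u in ("ALL", "root") for u in rule["runas"])
        nopasswd = "NOPASSWD" in rule["tags"]
        if rule["cmd"] == "ALL" and as_root:
            level = "critical"
        elif nopasswd:
            level = "review"
        else:
            level = "info"
        findings.append({"level": level, "nopasswd": nopasswd, "line": rule["line"]})
    return findings


if __name__ == "__main__":
    for f in assess_sudo_l(SUDO_L_OUTPUT):
        pw = "no password" if f["nopasswd"] else "own password"
        print(f"{f['level']:8} {pw:12} {f['line']}")
```

Even the "review" entry deserves a look: a passwordless rule for a single binary is only as safe as that binary's ability to spawn a shell or write files as root, which is a separate check this example does not attempt.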

The flag for this machine is: 3dcdf93d2976321d7a8c47a6bb2d48837d330624

Before You Go

Thank you for taking the time to read my walkthrough. If you found it helpful, please hit the 👏 button 👏 (up to 50x) and share it to help others with similar interests find it! Feedback is always welcome! 🙏


Self-taught developer with an interest in Offensive Security. I regularly play on Vulnhub and Hack The Box.