Recently I stumbled onto /r/asknetsec, which is a network security subreddit. This is where I found out about vulnhub.com, a site where you can download purposefully vulnerable virtual machines and try to hack them.

I was intrigued, so I downloaded the first one on the site, which was (at the time) BsidesVancouver: 2018. I also grabbed a copy of Kali Linux (although I recently switched over to Parrot Linux, which I now prefer).

Alright, with both VMs booted up it’s time to get hacking.

The first thing I did was run Zenmap on the target (with my setup the target machine is 10.10.10.100).

OK, a couple of interesting things here. We have FTP, SSH, and HTTP running on the machine.

Zenmap informs us that anonymous FTP connections are allowed, so let’s fire up a browser and head on over to ftp://10.10.10.100.

Ah, there is one folder called “public” and one file in that folder called “users.txt”. This could be useful, so let’s make a note of these users.

The next interesting thing from Zenmap is that backup_wordpress site that it found in robots.txt. Let’s check that out.

Ah, it is deprecated, that could be very good, since deprecated could very well mean out-of-date (i.e. it has known vulnerabilities that haven’t been patched).

WordPress sites have an admin interface, and typically the URL is /wp-admin, so let’s go ahead and see if that exists.

http://10.10.10.100/backup_wordpress/wp-admin

Bingo!

While browsing through the menus in Kali/Parrot I noted something called wpscan (WordPress Scan). So I clicked on that and got some information on how to use it. One of the things it can do is enumerate users. Hmm, that could be interesting.

wpscan --url http://10.10.10.100/backup_wordpress --enumerate u

OK, so we see an “admin” user and “john”. We also saw “john” on the list of users on the FTP site.

Now that we have the WordPress users, we can try to brute force our way into the admin interface. To brute force, we will need two text files, one with passwords and another with users. We have the usernames already, so just dump them into a text document and save it to your desktop.

Now for passwords. After some googling around I found some common credentials on a GitHub project. The 10 million list seemed like a lot, so I decided to start out with the 10k list instead.

Now that we have our two files, one with the usernames and another with passwords, let’s fire up Metasploit and search for wordpress.

search wordpress

Nice, there is wordpress_login_enum, which we can use to brute force. Let’s go for it.

use auxiliary/scanner/http/wordpress_login_enum
show options

Alright, we need to set RHOSTS, provide the USER_FILE and PASS_FILE, and set the TARGETURI. Additionally, I am also going to set BLANK_PASSWORDS to true, set VERBOSE to false, and up the THREADS to 50. Note, if you leave VERBOSE set to true you will see every password attempt. While this can be nice to watch, you might easily miss a success if you look away or leave your computer, as the script will move on to the next user in the list after it finds a successful match for the current user. Setting VERBOSE to false will only show successes.

set RHOSTS 10.10.10.100
set USER_FILE /home/offtherailstech/Desktop/users.txt
set PASS_FILE /home/offtherailstech/Desktop/10K-Most-Popular.txt
set TARGETURI /backup_wordpress
set THREADS 50
set BLANK_PASSWORDS true
set VERBOSE false
run

Success! We got john’s password! Let’s login!
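The brute-force run above leaves a very recognisable trail on the web server: a burst of POSTs to wp-login.php from one client, with a 302 redirect at the end when a password finally works. As an added, defender-side example that is not part of the original post, here is a small detector over a few constructed Apache-style access log lines (the 60-second window and the threshold of 4 attempts are assumptions, not values from the box).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access log lines (example data, not captured from the box):
# five POSTs in three seconds from one client, the last one a 302 (login succeeded).
SAMPLE_LOG = """\
10.10.10.5 - - [25/Mar/2018:10:00:01 +0000] "POST /backup_wordpress/wp-login.php HTTP/1.1" 200 4321
10.10.10.5 - - [25/Mar/2018:10:00:01 +0000] "POST /backup_wordpress/wp-login.php HTTP/1.1" 200 4321
10.10.10.5 - - [25/Mar/2018:10:00:02 +0000] "POST /backup_wordpress/wp-login.php HTTP/1.1" 200 4321
10.10.10.5 - - [25/Mar/2018:10:00:02 +0000] "POST /backup_wordpress/wp-login.php HTTP/1.1" 200 4321
10.10.10.5 - - [25/Mar/2018:10:00:03 +0000] "POST /backup_wordpress/wp-login.php HTTP/1.1" 302 0
10.10.10.7 - - [25/Mar/2018:10:05:00 +0000] "POST /backup_wordpress/wp-login.php HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def find_login_bursts(log_text, threshold=4, window=timedelta(seconds=60)):
    """Map each client IP to the largest number of wp-login.php POSTs it made
    inside any sliding window; only IPs reaching `threshold` are reported."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, _ = parsed
        if method == "POST" and path.endswith("/wp-login.php"):
            events[ip].append(ts)
    flagged = {}
    for ip, times in events.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(count, flagged.get(ip, 0))
    return flagged
```

The single POST from 10.10.10.7 is a normal login and is not reported; the attacker at 10.10.10.5 is flagged with five attempts. Rate limiting or lockout on wp-login.php is what stops this module cold in the first place.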

Click on the users tab on the left side bar. Well hey look at that, John is an administrator!

Let’s take a second look at that wordpress list in Metasploit.

Admin shell upload, eh? That sounds promising. Let’s use it and see what the options are.

Username, password, RHOST: check, check, and check. Let’s set the options and then exploit!

And we have a meterpreter session! Sweet. Let’s get to the shell and see who we are.

OK, so we are running as the user www-data. Now it is time for privilege escalation. That reminds me, when I was digging through the menus in Kali/Parrot I noticed something called “unix-privesc-check”. Let’s see what that is about.

Excellent! Let’s find out where this is located.

which unix-privesc-check

Ah, I see that mine is located in /usr/bin/unix-privesc-check

Let’s go back to Metasploit, exit the shell and get back to the meterpreter prompt, where we can upload a file to the remote machine. If you type “?” at the meterpreter prompt you will notice that there is a command to upload. Let’s upload unix-privesc-check to the /tmp folder on the target machine.

You might have noticed that our shell kinda sucks. That is because we have a “simple shell”. We can upgrade it a bit with the command below; however, it won’t be a full interactive shell, so things like hitting the up key and tab to auto-complete won’t work, but upgrading will allow us to use things like “su”. To learn more on the types of shells check out this article.

python -c "import pty; pty.spawn('/bin/bash')"

Ah, much better. Now let’s go to the /tmp folder, make unix-privesc-check executable and run it.

cd /tmp
chmod +x unix-privesc-check
./unix-privesc-check standard > priv-out

This dumps the output to a file called “priv-out”. Now we can cat the results and grep for “WARNING”.

Well, well, well, look at that, the cleanup script is world writable, yet runs as root. Muhahhaha! Let’s add a line that changes the root password to the end of the cleanup script.

mkpasswd 'letmein'
echo "usermod --password [mkpasswd encrypted string] root" >> /usr/local/bin/cleanup

Now let’s try to switch user to root.

Sweet! The only thing left to do is to cd to /root and read flag.txt.
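The whole privilege escalation hinged on one finding: a script that root executes but that anyone can edit. That is the kind of thing an admin can catch before a box ever ships, without unix-privesc-check. As an added example that is not part of the original post, here is a small audit that pulls the command paths out of a crontab and reports any that are world writable; it assumes the cleanup script is launched from root’s crontab (the post does not say how it runs), and it stages a throwaway directory tree so it can be run and checked offline.

```python
import os
import re
import stat
import tempfile

# Constructed crontab lines (example data; the post never shows the real one).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
*/5 * * * * /usr/local/bin/cleanup
0 3 * * * /usr/bin/apt-get -y autoclean
"""

# Five schedule fields, then the command; we only care about its first token.
CRON_RE = re.compile(r'^(?:\S+\s+){5}(?P<cmd>\S+)')

def commands_from_crontab(text):
    """Return the executable path of each non-comment crontab entry."""
    cmds = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_RE.match(line)
        if m:
            cmds.append(m.group("cmd"))
    return cmds

def world_writable_findings(paths, root="/"):
    """Return the paths whose mode has the other-write bit set (0o002).
    `root` lets the same check run against a staged tree instead of /."""
    findings = []
    for p in paths:
        try:
            st = os.stat(os.path.join(root, p.lstrip("/")))
        except FileNotFoundError:
            continue                      # cron would fail anyway; not a write risk
        if st.st_mode & stat.S_IWOTH:
            findings.append(p)
    return findings

def audit_staged_tree():
    """Stage a fake tree with a 0777 cleanup script and a 0755 apt-get, audit it."""
    tree = tempfile.mkdtemp()
    for p, mode in (("usr/local/bin/cleanup", 0o777), ("usr/bin/apt-get", 0o755)):
        full = os.path.join(tree, p)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(full, mode)              # explicit mode, so umask does not matter
    return world_writable_findings(commands_from_crontab(SAMPLE_CRONTAB), root=tree)
```

On a real host you would feed it the output of crontab -l as root plus the files under /etc/cron.d, and the fix for anything it reports is simply chmod o-w on the script (and on its directory).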