VulnHub’s W1r3s: A Walkthrough
This is an easy Linux box created by SpecterWires. The privilege escalation to root was a piece of cake. Enumeration was a bit tricky, made harder by my limited knowledge of LFI vulnerabilities.
Let’s start hacking, shall we!
We find the target's IP address with netdiscover: 192.168.43.146
Reconnaissance
A normal stealth scan across all ports:
The FTP, SSH, HTTP and MySQL ports are open.
We first target FTP, port 21.
Successful login: username anonymous, password <spacebar>
Successful login: username ftp, password <spacebar>
We get the same directory listing for both logins.
Let's enumerate more:
- /content (directory listing)
- /employee-names: possible usernames for SSH or the web server! (directory listing)
We 'get' them and they are downloaded to /root.
Let's analyze each file:
- 01.txt
- 02.txt: base64-encoded text (shown below)
- 03.txt: probably the SSH banner
- employee-names.txt: a total of 6 possible users
Employees:
- Naomi.W: Manager
- Hector.A: IT Dept
- Joseph.G: Web Design
- Albert.O: Web Design
- Gina.L: Inventory
- Rico.D: Human Resources
worktodo.txt: upside-down text
Decipherable text from the message: "I don't think this is the way to root"
"We have a lot of work to do, stop playing around..."
We take the base64 string and store it in a file named 'Decode'.
Decode command: base64 --decode Decode >> Decode
It doesn't return an error message, so the text is base64 alright.
Opening the file, we get:
Dead end, but let's hop over to port 80.
We encounter the default page of Ubuntu's Apache2 web server. Let's enumerate web pages and the web server itself.
Enumeration
First a dirb scan with common.txt.
Wooh, we uncover a robots.txt file, along with WordPress pages!
Fuzzing the web server with big.txt also yields similar results.
A server scan with nikto gives us the following results:
Now, we head to the browser and enumerate the directories
Going to /administrator, we are met with these configuration pages. It seems Cuppa CMS has not been fully set up; we are at /administrator/installation.
We also learn that the CMS in use is Cuppa CMS.
More recon: as suspected, the administrator account's credentials are:
Username: admin
Password: admin
I can't seem to create the administrator user, though.
Poking into /administrator/robots.txt, we find:
OK, the entire directory is disallowed for crawlers, hidden from view.
Now let's enumerate the directory's web pages:
- /alerts: blank
- /api: {"error":"-1","error_message":"API Key required"}
- /classes: blank
- /components: blank
- /extensions
- /index.php and /installation: same page
- /js: blank
- /language: blank
- /media: contains an uploads folder. More confirmation that Cuppa CMS has not been installed and configured properly.
- /templates: blank
Let's leave Cuppa CMS aside and focus on the WordPress login page.
Looking at the URL http://localhost/WordPress, we get an "Unable to connect" page.
What do we do? Map localhost to 192.168.43.146 in /etc/hosts.
Heading back to our browser, we are met with the fully loaded CMS website.
Since it is a WordPress site, let’s start up our wpscan
Command: wpscan --url http://localhost/wordpress --enumerate u --disable-tls-checks
We get:
Enumeration Analysis
WordPress version: 4.9.18
Possible users:
- Admin
- admin
- joseph-g
WordPress theme in use: TwentySeventeen, version 1.4
We do have a login page at /wp-admin.
We brute-force the 3 usernames (plus the usernames found on FTP) with password.lst, rockyou.txt and john --rules.
Meanwhile, earlier we had found an entry for Cuppa CMS in searchsploit.
Looking up the exploit on our machine:
We use the given exploit, with modifications.
Final payload:
We get this blank screen
What can we utilize? cURL, just as in previous LFI vulnerability boxes.
On the command line, type:
Command: curl http://192.168.43.146/administrator/alerts/alertConfigField.php --data-urlencode urlConfig=../../../../../../../../../etc/passwd
We get the /etc/passwd file in return.
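The request above works because a user-controlled parameter ends up as the path of a file include. The following is an added example, not Cuppa CMS code and not part of the original walkthrough: an illustrative handler showing the unsafe pattern beside a contained one, plus a request-side check that a WAF rule or application log filter could apply. The directory FIELD_DIR and the file name textfield.php are assumptions; the sample request values are constructed.

```python
"""Path-containment for a file-inclusion parameter, with a traversal detector.

Added example: illustrates the unsafe include pattern the walkthrough exploits
and the defender-side fixes. FIELD_DIR and the sample file names are assumed.
"""
from pathlib import Path
from typing import Dict, Optional, Tuple
from urllib.parse import unquote

# Hypothetical directory that holds the legitimate field templates.
FIELD_DIR = Path("/var/www/html/administrator/alerts/fields").resolve()


def unsafe_include_path(user_value: str) -> Path:
    """Vulnerable pattern: the request parameter is used as a path as-is."""
    return Path(user_value)


def safe_include_path(user_value: str, base: Path = FIELD_DIR) -> Optional[Path]:
    """Return the path to include, or None if the value must be rejected.

    Two independent checks: the value must be a bare file name with the
    expected extension, and the joined path must still resolve inside
    ``base`` (catches ``..`` and absolute paths even if the first check is
    relaxed later).
    """
    name = Path(user_value).name
    if name != user_value or not name.endswith(".php"):
        return None
    candidate = (base / name).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


def is_traversal_attempt(param_value: str) -> bool:
    """Detection-side check for a logged or inspected parameter value.

    URL-decodes twice (to catch double-encoded dots and slashes) and flags any
    ``..`` path segment or an absolute path.
    """
    decoded = unquote(unquote(param_value))
    segments = decoded.replace("\\", "/").split("/")
    return ".." in segments or decoded.startswith("/")


# Constructed request values: the one from the walkthrough, a URL-encoded
# variant, and a legitimate value. The bool says whether it should be flagged.
SAMPLES = {
    "../../../../../../../../../etc/passwd": True,
    "..%2F..%2F..%2Fetc%2Fshadow": True,
    "textfield.php": False,
}


def run_samples() -> Dict[str, Tuple[bool, bool]]:
    """Map each sample to (flagged_by_detector, accepted_by_safe_include)."""
    return {v: (is_traversal_attempt(v), safe_include_path(v) is not None) for v in SAMPLES}


if __name__ == "__main__":
    for value, (flagged, accepted) in run_samples().items():
        print(f"{value!r:45} flagged={flagged} accepted={accepted}")
```

Note that a parameter sent in a POST body, as in the curl command above, never appears in the default Apache access log; the detector only helps if the application or a request-inspecting module logs parameter values.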
It seems w1r3s is the only normal user.
Let's fire off the command again to get the /etc/shadow file and, hopefully, a hashed password.
Our guess was right, and we get back:
Using the hash-identifier tool, we paste in the hash and it reports the hash as SHA-256.
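Two defender-side points about this step, as an added example that is not part of the original walkthrough: for crypt(3)-format entries the ``$id$`` prefix identifies the algorithm exactly (``$5$`` is sha256crypt, ``$6$`` is sha512crypt), so no guessing tool is needed, and the web server should never have been able to read /etc/shadow in the first place. The script below parses shadow-format lines, names the algorithm per account and flags conditions worth fixing. The shadow lines and file metadata are constructed; the hash bodies are placeholders, not real digests.

```python
"""Shadow-file audit: algorithm per account, weak or empty entries, file mode.

Added example on constructed data; not the walkthrough's or any tool's code.
"""
import stat
from typing import Dict, Iterator, List, Tuple

# crypt(3) identifiers as documented in crypt(5).
CRYPT_IDS = {
    "1": "md5crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "7": "scrypt",
    "y": "yescrypt",
    "gy": "gost-yescrypt",
}
WEAK_ALGOS = {"md5crypt", "descrypt"}

# Constructed shadow lines; hash bodies are placeholders, not real digests.
SHADOW_SAMPLE = """\
root:$6$constructedsalt$PLACEHOLDERHASHBODY:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
www-data:*:18000:0:99999:7:::
w1r3s:$6$constructedsalt$PLACEHOLDERHASHBODY:18000:0:99999:7:::
legacy:$1$construct$PLACEHOLDER:18000:0:99999:7:::
kiosk::18000:0:99999:7:::
"""


def hash_algorithm(pw_field: str) -> str:
    """Classify the password field of one shadow entry."""
    if pw_field.startswith(("*", "!")):
        return "locked"
    if pw_field == "":
        return "empty"
    if pw_field.startswith("$"):
        ident = pw_field.split("$")[1]
        return CRYPT_IDS.get(ident, f"unknown({ident})")
    if len(pw_field) == 13:
        return "descrypt"  # traditional DES crypt has no prefix
    return "unknown"


def entries(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (user, password_field) for each non-empty shadow line."""
    for line in text.splitlines():
        if line.strip():
            user, pw = line.split(":", 2)[:2]
            yield user, pw


def algorithms(text: str) -> Dict[str, str]:
    """Map every account to the algorithm protecting its password."""
    return {user: hash_algorithm(pw) for user, pw in entries(text)}


def audit_shadow(text: str, mode: int, owner: str, group: str) -> Dict[str, List[str]]:
    """Return {subject: [issues]}; subjects are the file itself and risky accounts."""
    findings: Dict[str, List[str]] = {}
    file_issues = []
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        file_issues.append(f"world-accessible mode {oct(mode)}; expected 0640 root:shadow")
    if owner != "root" or group not in ("shadow", "root"):
        file_issues.append(f"unexpected ownership {owner}:{group}")
    if file_issues:
        findings["/etc/shadow"] = file_issues
    for user, pw in entries(text):
        algo = hash_algorithm(pw)
        issues = []
        if algo == "empty":
            issues.append("empty password field: login without a password")
        elif algo in WEAK_ALGOS:
            issues.append(f"weak legacy hash ({algo}); re-hash on next password change")
        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    # Constructed metadata: a shadow file left world-readable, as a server
    # compromised the way described above might have it.
    for subject, issues in audit_shadow(SHADOW_SAMPLE, 0o644, "root", "shadow").items():
        print(subject, "->", "; ".join(issues))
    for user, algo in algorithms(SHADOW_SAMPLE).items():
        print(f"{user:10} {algo}")
```

On a live host the three metadata values would come from ``os.stat("/etc/shadow")`` together with ``pwd.getpwuid`` and ``grp.getgrgid``; they are parameters here so the check runs offline.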
We use John the Ripper to crack the hashed password.
We copy the hash to a file named Hash and run the following command:
Command: john --wordlist=/usr/share/john/password.lst Hash
We get back:
Password: computer
Gaining Access
Credentials for SSH:
Username: w1r3s
Password: computer
We log in.
Found these in the SSH banner and after a successful login:
Privilege Escalation
Then I ran sudo -l to find my rights, and found I could run everything (ALL, a wildcard!). This is in fact a vulnerability.
Ran sudo su and got elevated to root without a password.
Went to /root to find our flag.txt.
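The finding that ends the box is a sudoers rule granting ALL. As an added example, not part of the original walkthrough, here is a first-pass sudoers audit a defender can run to find such rules before anyone else does. It handles the common one-line user specification form (user or %group, hosts=(runas) [TAG:] commands) and skips Defaults, alias definitions and comments. The sudoers content is constructed and modelled on the finding above; the NOPASSWD tag on the w1r3s line is an assumption that reproduces "root without a password".

```python
"""Sudoers audit for unrestricted, password-less or shell-granting rules.

Added example on constructed sudoers content; not the box's actual file.
"""
import re
from dataclasses import dataclass, field
from typing import List

# user/%group  hosts=(runas) [TAG:] commands   (one-line form only)
SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"\b(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV)\s*:")
# A rule naming one of these hands the user an interactive shell, which is
# root-equivalent even though the rule does not say ALL.
SHELL_CMDS = {"su", "sh", "bash", "dash", "zsh"}
SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")

# Constructed sample modelled on the finding above. The NOPASSWD tag on the
# w1r3s line is an assumption.
SUDOERS_SAMPLE = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
w1r3s   ALL=(ALL:ALL) NOPASSWD: ALL
%sudo   ALL=(ALL:ALL) ALL
deploy  ALL=(root) /usr/bin/systemctl restart nginx, /usr/bin/systemctl status nginx
backup  ALL=(root) NOPASSWD: /bin/su
"""


@dataclass
class Finding:
    who: str
    rule: str
    issues: List[str] = field(default_factory=list)


def audit_sudoers(text: str) -> List[Finding]:
    """Return one Finding per user specification that has at least one issue."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = SPEC_RE.match(line)
        if not m or m["who"] == "root":
            continue  # root's own rule is expected
        tags = set(TAG_RE.findall(m["cmds"]))
        commands = [c.strip() for c in TAG_RE.sub("", m["cmds"]).split(",") if c.strip()]
        issues = []
        if "ALL" in commands:
            issues.append("unrestricted command list (ALL)")
        if "NOPASSWD" in tags:
            issues.append("no password required (NOPASSWD)")
        shells = [c for c in commands if c.split()[0].rsplit("/", 1)[-1] in SHELL_CMDS]
        if shells:
            issues.append("shell-granting command: " + ", ".join(shells))
        if issues:
            findings.append(Finding(m["who"], line, issues))
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SUDOERS_SAMPLE):
        print(f"{f.who:8} {f.rule}")
        for issue in f.issues:
            print(f"         - {issue}")
```

The deploy line passes because it names specific commands with fixed arguments, which is the shape a least-privilege rule should have; everything else in the sample would be flagged in review.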
Reporting
Well, you have it now!
What I learned:
- Brushed up on my knowledge of LFI vulnerabilities
Conclusion:
- Privilege escalation was a piece of cake
Thanks for reading this blog entry and making it this far. Until next time, there must be some vulnerable boxes out there for me to pwn...