Hey! It’s been a while since I’ve played around with any pentesting tools or capture-the-flags so I thought I might as well jump straight back in with a super basic CTF just to get used to the methodology again.
This CTF is named “Basic Pentesting:1″ by Josiah Pierce. It’s a super easy boot2root and won’t take very long to solve. It involves a bit of service discovery, bruteforce, reverse shells and privilege escalation.
If you don’t want to read this post, skip to the bottom where you’ll find the video 🙂 Don’t forget you can stalk me on social media: Twitter: @Jackk1337/@JackkTutorials Instagram: @Jackk1337 YouTube: JackkTutorials
To start with I booted up the machine and got the IP Address from the home screen (thanks Ubuntu).
And then I can launch a simple nmap scan just to identify some services that are running on the target machine
nmap -sS 192.168.110.135
Which gave these 3 results:
[email protected]:~# nmap -sS 192.168.110.135
Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-04 12:08 GMT
Nmap scan report for vtcsec (192.168.110.135)
Host is up (0.000079s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:AE:35:F3 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds
So what this tells me (at a glance) is that there are three services running on this machine: FTP, SSH & HTTP. With this information I headed over to http://192.168.110.135 which gave me this page:
So from here I checked to see if there was a /admin dir or /login.php file or /robots.txt but there wasn’t. There also wasn’t anything hidden in the ‘view source’ so I loaded up dirbuster to find some more folders for us.
Here I’m just using a dirbuster attack with a small wordlist to find some more folders & files.
After not very long, I discovered what looks like a wordpress installation in a dir called “Secret”.
You can see that when it’s loaded, things don’t look right… Upon inspection it looks like content is coming from a domain called “http://vtcsec” so I added this to my hosts file (sudo nano /etc/hosts) and mapped vtcsec to 192.168.110.135. When I refresh the page things start to load much better.
From here I went to the 192.168.110.135/secret/wp-login.php and attempted to login. I used the username “admin” and a random password and I got the following message:
ERROR: The password you entered for the username admin is incorrect.
What this tells me is that ‘admin’ is a valid user in this database (the login form leaks whether the username exists). So then I just tried the credentials “admin:admin” and what do you know… It worked.
So now that we have admin access to the wordpress control panel we can upload a reverse_tcp payload via the plugin manager. The payload I’m using is “malicious-wordpress-plugin” which is here
This uses meterpreter to create a simple php file that can be uploaded to the wordpress site and a connection to be established.
So here I have my “malicious.zip” file which will be uploaded to the wordpress site, and the terminal is showing meterpreter waiting for a connection. So I upload that zip file to the wordpress site, activate the plugin and then navigate to “http://vtcsec/secret/wp-content/plugins/malicous/wetw0rk_maybe.php” which initiates a connection to my kali box.
So now we are in the system as “www-data”. Now all we need to do is escalate our privileges to root. So I’m going to use a script called “unix-privesc-check” from pentestmonkey which is a really powerful script that can check for simple privilege escalation vectors on a Unix system. You can get that here
So I simply upload that file to the box using the meterpreter upload function. Then I just drop into a proper shell using this command:
python -c 'import pty; pty.spawn("/bin/bash")'
And then I can make it executable with this command:
chmod +x unix-privesc-check
And then run it
./unix-privesc-check standard > output.txt
Once that has run I’m going to download the output and then analyze it to see what it hides. Inside the file is the following entry:
Checking if anyone except root can change /etc/passwd
WARNING: /etc/passwd is a critical config file. World write is set for /etc/passwd
What this tells me is that I can modify root’s password without being root. So I download the passwd file to my kali machine and change the password like so…
By default, the /etc/passwd file contains this entry:
The ‘x’ in the second field means the real hash lives in /etc/shadow. Using a command called openssl I can generate a new password hash (the -1 flag produces an MD5-crypt hash) and enter it in place of ‘x’, so the password is then checked against /etc/passwd directly.
[email protected]:~# openssl passwd -1
Verifying - Password:
And then I enter that hash into the passwd file and re-upload it. Then simply login as root:
[email protected]:/var/www/html/secret/wp-content/plugins/malicous$ su root -l
su root -l
And there you go… boot2root success!
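From the defender’s side, the two things that made this box fall are easy to audit: a writable /etc/passwd and a password hash sitting in passwd instead of shadow. The following is an added example of such a check, not something from the original post or the CTF; the passwd sample it runs on is constructed and the hash in it is a dummy string.

```python
"""Audit an /etc/passwd file for the misconfigurations abused in the post."""
import os
import stat
from typing import List

# Constructed sample (not from the box): root's second field holds a hash
# where the 'x' placeholder belongs, and 'backdoor' has UID 0. The hash
# string is a dummy placeholder, not a real digest.
SAMPLE_PASSWD = (
    "root:$1$dummysalt$dummyhashvalue:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
    "backdoor:x:0:0::/root:/bin/bash\n"
    "user1:x:1000:1000:user1:/home/user1:/bin/bash\n"
)

def audit_passwd(content: str, mode: int) -> List[str]:
    """Return findings for passwd text plus the file's st_mode bits."""
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("passwd is world-writable (mode %o)" % (mode & 0o777))
    elif mode & stat.S_IWGRP:
        findings.append("passwd is group-writable (mode %o)" % (mode & 0o777))
    for lineno, line in enumerate(content.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"line {lineno}: malformed entry ({len(fields)} fields)")
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append(f"line {lineno}: {name} has an empty password field")
        elif pw not in ("x", "*", "!", "!!"):
            # Anything else is a hash that the world-readable passwd file
            # exposes and that login will honour instead of /etc/shadow.
            findings.append(f"line {lineno}: {name} has a password hash in passwd")
        if uid == "0" and name != "root":
            findings.append(f"line {lineno}: {name} has UID 0")
    return findings

def audit_file(path: str = "/etc/passwd") -> List[str]:
    """Audit a real passwd file on this host."""
    with open(path, encoding="utf-8") as fh:
        content = fh.read()
    return audit_passwd(content, os.stat(path).st_mode)

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD, 0o666) or ["no findings"]:
        print(finding)
```

Run it against the sample to see the three findings, or call audit_file() to check the host you are on.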
Also bonus points… the /var/www/html/secret/wp-config.php file contains the root credentials for the wordpress mysql database, which could have been another attack vector.
So I hope you liked this writeup, the video is just below! A very simple boot2root which can be completed pretty quickly with no nasty tricks, perfect for if you’re just starting out or just coming back like I am.