Recently I stumbled onto /r/asknetsec, which is a network security subreddit. This is where I found out about vulvnhub.com, a site where you can download purposefully vulnerable virtual machines machine and try to hack them.

I was intrigued, so I downloaded the first one on the site, which was (at the time, and still is as of the writing of this article) BsidesVancouver: 2018. I also grabbed a copy of Kali Linux (although I recently switched over to Parrot Linux, which I now prefer).

Alight, with both VM’s booted up it’s time to get hacking.

The first thing I did is run Zenmap on the target (with my setup the target machine is 10.10.10.100).

OK, a couple of interesting things here. We have FTP, SSH, and HTTP running on the machine.

Zenmap informs us that Anonymous FTP connections are allowed, so lets fire up a browser and head on over to ftp://10.10.10.100.

Ah there is one folder called “public” and one file in that folder called “users.txt”. This could be useful, lets make a note of these users.

The next interesting thing from Zenmap is that backup_wordpress site that it found in robots.txt. Let’s check that out.

Ah, it is deprecated, that could be very good, since deprecated could very well mean out-of-date (i.e. has known vulnerabilities that haven't been patched).

Word Press sites have an Admin interface, and typically the url is /wp-admin, so lets go ahead and see if that exists.

http://10.10.10.100/backup_wordpress/wp-admin

Bingo!

While browsing through the menus in Kali/Parrot I noted something called wpscan (Word Press Scan). So I click on that and get some information on how to use it. One of the things it can do is enumerate users. Hmm, that could be interesting.

OK, so we see an “admin” user and “john”. We also saw “john” on the list of users on the FTP site.

Now that we have the wordpress users, we can try to brute force our way into the admin interface. To brute force, we will need two text files, one with passwords and another with users. We have the usernames already, just dump them into a text document and save it to your desktop.

Now for passwords. After some googling around I found some common credentials on a GitHub project. The 10 million seemed like a lot, so I decided to start out with the 10k instead.

Now that we have our two files, one with the usernames and another with passwords, lets fire up metasploit and search for wordpress.

search wordpress

Nice there is wordpress_login_enum we can use to brute force. Lets go for it.

use auxiliary/scanner/http/wordpress_login_enum

show options

Alright, we need to set the RHOSTS, and provide the USER_FILE, and PASS_FILE, and set the TARGETURI. Additionally, I am also gong to set BLANK_PASSWORDS to true, set VERBOSE to false, and up the THREADS to 50. Note, if you leave VERBOSE set to true you will see every password attempt, while this can be nice to watch you might easily miss a success if you look away or leave your computer as the script will move on to the next user in the list after it finds a successful match for the current user. While setting VERBOSE to false will only show successes.

set RHOSTS 10.10.10.100

set USER_FILE /home/offtherailstech/Desktop/users.txt

set PASS_FILE /home/offtherailstech/Desktop/10K-Most-Popular.txt

set TARGETURI /backup_wordpress

set THREADS 50

set BLAN_PASSWORDS true

set VERBOST false

run

Success! We got john’s password! Let’s login!

Click on the users tab on the left side bar. Well hey look at that, John is an administrator!

Let’s take a second look at that wordpress list in metasploit.

Admin sell upload, aye? That sounds promising. Lets use it and see what the options are.

Username, password, RHOST, check, check, and check. Lets set the options and then exploit!

And we have a meterpreter session! Sweet. Lets get to the shell and see who are.

OK, so we are running as the user www-data. Now it is time for privilege escalation. That reminds me, when I was digging through the menus in Kali/Parrot I noticed something called “unix-privesc-check”. Lets see what that is about.

Excellent! Lets find out where this is located.

which unix-privesc-check

Ah, I see that mine is located in /usr/bin/unix-privesc-check

Lets go back to metasploit, and exit the shell and get back to the meterpreter menu, where we can upload a file to the remote machine. If you type “?” at the meterpreter prompt you will notice that there is a command to upload. Let’s upload unix-privesc-check to the the /tmp folder on the target machine.

You might have noticed that our shell kinda sucks. That is because we have a “simple shell”. We can upgrade it a bit with the command below, however it won’t be a full interactive shell, so things like hitting the up key, and tab to auto complete won’t work, but upgrading will allow us to use things like “su”. To learn more on the types of shells check out this article.

python -c "import pty; pty.spawn('/bin/bash')"

Ah, much better. Now lets go the tmp folder, make unix-privesc-check executable and run it.

cd /tmp

chmod +x unix-privesc-check

./unix-privesc-check standard > priv-out

This dumps the output to a file call “priv-out”. Now we can cat the results and grep for “WARNING”.

Well, well, well, look at that, the cleanup script is world writable, yet runs as root. Muhahhaha! Let’s add a line that changes the root password to the end of the cleanup script.

mkpasswd 'letmein'

echo "usermod --password [mkpasswd encrypted string] root" >> /usr/local/bin/cleanup

Now lets try to switch user to root.

Sweet! The only thing left to do is to cd to /root and read flag.txt