Tuesday, October 10, 2017

Vulnhub Walkthrough: LazySysAdmin 1

Walkthrough: LazySysAdmin 1
Author: Agoonie
Date: 2017-10-9

1. Target IP
VM is setup with host-only in VMware workstation.  I identified the IP with a simple Nmap ping sweep. 
nmap -sn -v 192.168.126.2-254
2. NMAP Scan/Service ID

Now, on to the full scan to identify open ports and to identify what services are running.






Next, I start to look at interesting ports, usually while the scan is still going.  I took note of ports 80, 139, 445, and 3306.  For port 80, I wanted to start to enumerate files and folder structure for the web application.  I usually use dirb/dirbuster. 

 





With dirb, I see folders for wordpress and phpmyadmin.  I use wpscan to see if I can get any information about the wordpress site being hosted.  Sometimes, you can get users, plugins, themes, etc.






The scan identified an admin user, wordpress version, a theme and some links to look at.  I noted everything and went on to ports 139 and 445.








Bingo.  I am able to see files in the wordpress folder using the SMB service.  If I can connect to it, maybe I can just read and write to it.  Next, put in a web shell, escalate privs and then, game over. 

 

No luck.  I can only read the files. I cannot write to the folder.  Well, let’s read some files.



It looks like the admin put in a password in the deets.txt file.  What else can we find?  Maybe config files in the wordpress folder. 

 

The wp-config.php file might be good.


Looks like we have an account for the wordpress site.  Let’s keep track of more creds and test them out.

 




We have AntiSpam and Hello Dolly.  A quick search for Hello Dolly and you see it is used by hackers to add backdoors to sites.  I assume that means I can just add php code to it. 

 

3. Exploit Execution

It has accepted and saved the php code I added to hello.php  Now, I just start a Metasploit mult handler and browse to hello.php.






4.  Escalating Privileges

We are running as www-data.  How can we escalate?  Let’s start looking around to see if we find anything.



Looks like we have more credentials to take note of.  We found the user togie, which is the admin for the wordpress site.  Maybe I can start to test the creds for his account, togie.  There is ssh running on the server.  Let’s try.


The password 12345 worked for him.  Well, he is the admin, maybe he is a sudo user?






Conclusion:

Well, enumeration was key to root the box.  I did not screen shot the process but I tried every priv escalation root file from exploit-db.com.  Every one of them failed.  In addition, gcc and cc was not present on the box.  I created similar vm’s to compile the code and uploaded the executables.  It did not matter.  Every time I got a credential, I could get to the next step on the vm.  Great boot2root!