My first boot2root - SecKC

I recently published my first boot2root VM on VulnHub.

This was the first boot2root I created and, quite frankly, I had a blast building it and learned a lot along the way. Creating something vulnerable that is still 'solvable' takes a lot of time, trial and error, and testing. Was it successful? That remains to be seen, but within 12 hours of publishing the VM, someone on Twitter posted a screen cap of the root flag. I'd like to think it was successful :)

I'm holding off on publishing a full walkthrough (at least the path I envisioned) until more people have had a chance to attempt it.

But here is a sneak peek at how I envisioned this boot2root being solved:

I made this VM with a static IP address (192.168.9.184)

We first run nmap against this IP and discover 3 open ports:


We first go to port 80 and are presented with the following red herring:


This page is nothing more than a SecKC image.

Let's look at port 8888:

Oh wow. Lots of information here. Let's check out the whole page:


SecKC
Kansas City's Hacker Hive

Kansas City! The city of fountains! Did you know the Chiefs won SUPER BOWL LIV?! Oh, and the Royals won THE WORLD SERIES in 2015?! Oh manm, that's a lot of awesome. But did you know that Kansas City has the largest Monthly InfoSec meet-up? That's right! SecKC hosts the largest monthly meet-up EVERY. MONTH.

    
    
    root@kali:/rapid7/metasploit-framework:master$ MSFLOGO="data/logos/haKCers.txt" ./msfconsole


                                              `:oDFo:`						
                                           ./ymM0dayMmy/.					
                                        -+dHJ5aGFyZGVyIQ==+-					
                                    `:sm⏣~~Destroy.No.Data~~s:`					
                                 -+h2~~Maintain.No.Persistence~~h+-				
                             `:odNo2~~Above.All.Else.Do.No.Harm~~Ndo:`				
                          ./etc/shadow.0days-Data'%20OR%201=1--.No.0MN8'/.			
                       -++SecKCoin++e.AMd`       `.-://///+hbove.913.ElsMNh+-			
                      -~/.ssh/id_rsa.Des-                  `htN01UserWroteMe!-			
		      :dopeAW.No.nano.o                     :is:TЯiKC.sudo-.A:			
                      :we're.all.alike'`                     The.PFYroy.No.D7:			
                      :PLACEDRINKHERE!:                      yxp_cmdshell.Ab0:			
                      :msf:exploit -j.                       :Ns.BOB.ALICEes7:			
                      :---srwxrwx:-.`                        `MS146.52.No.Per:			
                      :.script..Ac816/                        sENbove3101.404:			
                      :NT_AUTHORITY.Do                        `T:/shSYSTEM-.N:			
                      :09.14.2011.raid                       /STFU|wall.No.Pr:			
                      :hvensntSurb025N.                      dNVRGOING2GIVUUP:			
                      :#OUTHOUSE-  -s:                       /corykennedyData:			
                      :$nmap -oS                              SSo.6178306Ence:			
                      :Awsm.da:                            /shMTl#beats3o.No.:			
                      :Ring0:                             `dDestRoyREXKC3ta/M:			
                      :23d:                               sSETEC.ASTRONOMYist:			
                       /-                        /yo-    .ence.N:(){ :|:  };:			
                                                 `:Shall.We.Play.A.Game?tron/			
                                                 ```-ooy.if1ghtf0r+ehUser5`			
                                               ..th3.H1V3.U2Vgeoda.jMh+.`			
                                              `MjM~~WE.ARE.se~~MMjMs				
                                               +~KANSAS.CITY's~-`				
                                                J~HAKCERS~./.`					
                                                .esc:wq!:`					
                                                 +++ATH`					
                                                  `						
												

       =[ metasploit v5.0.61-dev-618a7c9771               ]
+ -- --=[ 1947 exploits - 1089 auxiliary - 333 post       ]
+ -- --=[ 556 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

msf5 >

Destroy No Data
Maintain No Persistence
Above Else, Do No Harm
	
Bob

Bob
Bob and Alice

Alice
Alice

Random Name

Swag
Represent SecKC with swag!

CONTACT

 seckc.org
 Kansas City, USA
 Email: info@seckc.org
     
Powered by HAKCERs

Lots of great information on SecKC and Kansas City! Let's run dirb to see if we can reach any other pages:


Hmm. Nothing. Let's run CeWL to build a wordlist from this page and see if there are any directories we're missing because of the "common.txt" wordlist we've been using:


Alright, let's try dirb again, this time with our new wordlist:


Sweet! We found a new directory, "/SecKCTheWorld/". Let's check it out.
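From the defender's side, the dirb and CeWL runs above leave a distinctive trail: one client requesting many paths that do not exist within a few seconds, and an obscure directory name is no protection once a wordlist is built from the site's own copy. The Python script below is an added example, not part of the original write-up or the VM; it parses Apache combined-format access log lines (constructed here, not taken from the VM) and reports clients that hit many distinct 404 paths inside a sliding time window.

```python
"""
Added example (not from the original write-up): flag hosts whose requests look
like directory brute-forcing, i.e. a burst of 404 responses for many distinct
paths in a short window. The log lines below are constructed to mimic the
Apache/nginx "combined" format; they are not from the VM.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format:
# ip - user [ts] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 10.0.0.5 behaves like a directory brute-forcer,
# 10.0.0.9 is a normal visitor whose browser asked for a missing favicon.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jul/2020:13:37:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Jul/2020:13:37:01 +0000] "GET /admin HTTP/1.1" 404 196 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Jul/2020:13:37:01 +0000] "GET /backup HTTP/1.1" 404 196 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Jul/2020:13:37:02 +0000] "GET /cgi-bin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Jul/2020:13:37:02 +0000] "GET /config HTTP/1.1" 404 196 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Jul/2020:13:37:03 +0000] "GET /db HTTP/1.1" 404 196 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Jul/2020:13:37:03 +0000] "GET /images HTTP/1.1" 404 196 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Jul/2020:13:37:04 +0000] "GET /login HTTP/1.1" 404 196 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Jul/2020:13:45:00 +0000] "GET /old HTTP/1.1" 404 196 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Jul/2020:13:40:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Jul/2020:13:40:01 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["status"] = int(ev["status"])
    return ev


def find_bruteforcers(lines, window_seconds=60, min_distinct_404=5):
    """Return {ip: distinct 404 paths in its busiest window} for ips over the threshold."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["status"] == 404:
            by_ip[ev["ip"]].append((ev["ts"], ev["path"]))
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()  # chronological, so each window starts at an event
        worst = 0
        for i, (start, _) in enumerate(events):
            paths = {p for t, p in events[i:] if t - start <= window}
            worst = max(worst, len(paths))
        if worst >= min_distinct_404:
            flagged[ip] = worst
    return flagged


if __name__ == "__main__":
    for ip, n in find_bruteforcers(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} distinct 404 paths within 60s")
```

The threshold and window are tunable; a single missing favicon or a broken link never trips it, while a wordlist scan produces dozens of distinct 404 paths per second. Alerting on this from port 80 and 8888 logs would have flagged both the dirb run and the CeWL-driven one.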


Oh, look at that: a login and registration page! Let's register an account:


Now let's login:


Sweet. Looks like there's another tab, "Attention Members!". Let's look at it.


Looks like SecKC members can use Gift Vouchers for SWAG. Nice. Unfortunately, we can't get to it. Looks like "HAKCER" made the post and said that only super special members such as himself can access it. You know what? Let's see if we can hakc him! 

We try logging in as hakcer with the password hakcer:


Ah-ha! We logged in as Hakcer! What a bad password. This time there is an additional "Gift Voucher" option.


It looks like we can walk through creating a gift voucher. We should also proxy the process through Burp Suite; maybe there's a vulnerability here?


After submitting the first stage of the gift voucher, we notice in our Burp history a POST request with two parameters, "action" and "template_id". To speed up discovery, a search of Exploit-DB shows that WordPress Plugin Gift Voucher 1.0.5 has a SQL injection vulnerability: https://www.exploit-db.com/exploits/45255

We take the above POST request and run it through sqlmap.


POST /SecKCTheWorld/wp-admin/admin-ajax.php HTTP/1.1
Host: 192.168.9.184:8888
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.9.184:8888/SecKCTheWorld/index.php/gift-voucher/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 47
Connection: close
Cookie: wordpress_ff07ddea9d328682b5f743aa9e2cfddd=hakcer%7C1594576785%7CwFPSArCyw5nXbsFdIFSrmvRYQ2i9s1AbwyfZGhaR4cd%7Cec080ddf7e4079de895120e152128f1aa3a4dac613153abcc2b6925df4c5f832; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_ff07ddea9d328682b5f743aa9e2cfddd=hakcer%7C1594576785%7CwFPSArCyw5nXbsFdIFSrmvRYQ2i9s1AbwyfZGhaR4cd%7C9e99f7262caa50b25a14620fcb6fa1d60eddb1d23094354e7d1ec0ad7b7c7208

action=wpgv_doajax_front_template&template_id=*

Again, to speed up our test, we can use the following:
  • --level 5
  • --risk 3
  • --technique B
  • --dbms MySQL
  • specify the template_id parameter
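The fix and the detection for the request above start from the same observation: template_id is a row id, so anything other than a plain integer should never reach the query (in WordPress terms, the plugin should have run it through absint() before building SQL). The Python below is an added example, not code from the write-up or from the Gift Voucher plugin; it applies that check to constructed request records (the action name and parameter come from the request above; the sqlmap User-Agent string is an assumption) and additionally flags sqlmap's default User-Agent.

```python
"""
Added example (not from the original write-up or the plugin): server-side
validation plus log-side detection for the admin-ajax request shown above.
The request records below are constructed; only the action name, parameter
name and the "template_id=*" body come from the write-up.
"""
import re
from urllib.parse import parse_qs

AJAX_PATH = "/wp-admin/admin-ajax.php"
WATCHED_ACTIONS = {"wpgv_doajax_front_template"}  # plugin action from the write-up


def is_valid_template_id(value):
    """A row id is a plain non-negative integer; nothing else is acceptable."""
    return re.fullmatch(r"[0-9]+", value) is not None


def check_request(rec):
    """Return the reasons a request looks like injection against the plugin ([] if clean)."""
    reasons = []
    if not rec["path"].endswith(AJAX_PATH):
        return reasons
    params = parse_qs(rec.get("body", ""), keep_blank_values=True)
    action = params.get("action", [""])[0]
    if action in WATCHED_ACTIONS:
        tid = params.get("template_id", [""])[0]
        if not is_valid_template_id(tid):
            reasons.append(f"template_id is not an integer: {tid!r}")
    # sqlmap identifies itself unless told to randomize the User-Agent, so this
    # is a cheap extra signal, never the primary one.
    if "sqlmap" in rec.get("user_agent", "").lower():
        reasons.append("sqlmap default User-Agent")
    return reasons


def audit(records):
    """Return [(index, reasons)] for every record that trips a check."""
    out = []
    for i, rec in enumerate(records):
        reasons = check_request(rec)
        if reasons:
            out.append((i, reasons))
    return out


FIREFOX_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
SQLMAP_UA = "sqlmap/1.4 (http://sqlmap.org)"  # assumed shape of sqlmap's default UA

# Constructed records, as a WAF or an application-level request hook would see them.
SAMPLE_REQUESTS = [
    {"path": "/SecKCTheWorld/wp-admin/admin-ajax.php", "user_agent": FIREFOX_UA,
     "body": "action=wpgv_doajax_front_template&template_id=3"},          # legitimate
    {"path": "/SecKCTheWorld/wp-admin/admin-ajax.php", "user_agent": FIREFOX_UA,
     "body": "action=wpgv_doajax_front_template&template_id=*"},          # body from the write-up
    {"path": "/SecKCTheWorld/wp-admin/admin-ajax.php", "user_agent": SQLMAP_UA,
     "body": "action=wpgv_doajax_front_template&template_id=3"},          # tool fingerprint only
    {"path": "/SecKCTheWorld/index.php/gift-voucher/", "user_agent": FIREFOX_UA,
     "body": ""},                                                           # not an ajax call
]

if __name__ == "__main__":
    for i, reasons in audit(SAMPLE_REQUESTS):
        print(f"request {i}: {'; '.join(reasons)}")
```

The integer check is the one to rely on: a boolean-based blind run modifies the parameter on every request, so each of those requests fails validation, whereas the User-Agent check disappears the moment the operator passes --random-agent.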


We let sqlmap do its thing:


As shown above, we confirm that SQL Injection is present. Now, let's dump the database.

Since I wrote this VM, I already know where to look, so to speed up testing we pass sqlmap the following options to dump the users table:

  • -D wordpress
  • -T wp_users
  • -C user_login,user_pass
  • --dump

Looks like we have an admin hash! We already know hakcer's password, and geoda is our own account. Let's see if we can crack this hash!

We feed just the password hash to John the Ripper with the rockyou wordlist:


After JTR completes, we see that the admin password is "abc123". Let's log into WordPress as the admin user now.


Excellent. Now that we are logged in as admin, let's upload a reverse shell via the plugin uploader. We first create the reverse shell PHP file:


Next, we zip the file:


Upload the shell.zip as a plugin:


And install it:


After starting our netcat listener on port 4444, we activate the plugin:


Boom. We now have a shell on the system as www-data.
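Plugin upload is exactly how a guessed admin password turns into code execution, so the archive is worth inspecting before it is installed. The Python below is an added example, not part of the write-up; it builds a constructed plugin zip in memory (one harmless plugin file and one stub that merely calls shell_exec and fsockopen with inert arguments, not the shell used above) and reports PHP members that call the functions a reverse shell needs.

```python
"""
Added example (not from the original write-up): inspect a WordPress plugin
archive and flag PHP members that call functions a reverse shell relies on.
The archive is built in memory from constructed, harmless stubs.
"""
import io
import re
import zipfile

# Functions legitimate plugins rarely need but web/reverse shells almost always use.
SUSPICIOUS_CALLS = ("shell_exec", "exec", "system", "passthru",
                    "proc_open", "popen", "fsockopen", "eval")
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, SUSPICIOUS_CALLS)) + r")\s*\(",
                     re.IGNORECASE)
MAX_MEMBER_BYTES = 5 * 1024 * 1024  # refuse to inflate absurdly large "plugin" files


def scan_plugin_zip(data):
    """Return {member_name: [function names]} for every .php member that matches."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".php"):
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings[info.filename] = ["oversized member"]
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            hits = sorted({m.group(1).lower() for m in CALL_RE.finditer(text)})
            if hits:
                findings[info.filename] = hits
    return findings


def build_sample_zip():
    """Constructed archive: one benign plugin and one stub that shells out (inertly)."""
    benign = ("<?php\n/* Plugin Name: Hello (constructed) */\n"
              "add_action('init', function () { return 1; });\n")
    stub = ("<?php\n/* Plugin Name: not-a-plugin (constructed) */\n"
            "$out = shell_exec('true');\n"
            "$sock = fsockopen('127.0.0.1', 0);\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("hello/hello.php", benign)
        zf.writestr("hello/readme.txt", "nothing to see here")
        zf.writestr("stub/stub.php", stub)
    return buf.getvalue()


if __name__ == "__main__":
    for name, hits in scan_plugin_zip(build_sample_zip()).items():
        print(f"{name}: {', '.join(hits)}")
```

Scanning is the fallback for sites that must keep uploads enabled. The stronger control is to set define('DISALLOW_FILE_MODS', true); in wp-config.php, which removes the plugin and theme installers and editors from the dashboard altogether, so a compromised admin account cannot turn itself into code execution by this route; plugins are then deployed from the file system or a deployment pipeline instead.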


To speed things up, we go straight to a backup file owned by the user chiefs:


We look inside the file:


We find the username and password for the user chiefs, so we can now ssh directly to the system as chiefs:


Now that we have direct access as a valid user, we continue our enumeration. 

We notice that inside the /home/royals directory, our user chiefs (who is in the chiefs group) has the ability to write to the royals user's ssh authorized_keys file.


How can we exploit this? We can create an ssh key pair on our attacker machine, add the public key to the royals user's authorized_keys file, and ssh into the system as royals. Let's see how this is done.

For simplicity's sake and for educational purposes, we can just use ssh-keygen to generate a key pair:


As you can see, we now have both a private key, '/home/kali/.ssh/id_rsa', and a public key, '/home/kali/.ssh/id_rsa.pub'.

We copy the public key contents into the authorized_keys file, as shown below:


The above shows our id_rsa.pub key; the below shows it inside the authorized_keys file on the victim machine:


Now, with everything set up, we can ssh with our private key as the royals user:


Success. We are now running as the royals user.
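The step above works only because another account could write to the royals user's authorized_keys. sshd's StrictModes setting (on by default) refuses to use an authorized_keys file, a .ssh directory or a home directory that is group- or world-writable or not owned by the login user, and the audit below applies those same checks across a home tree so the weakness is found before anyone leans on it. It is an added Python example, not from the write-up; the home directories, user names and key line are constructed in a temporary directory, and because the script runs unprivileged every sample user is owned by the current uid, so only the permission checks fire here.

```python
"""
Added example (not from the original write-up): audit every home directory's
.ssh/authorized_keys for the weakness used above, i.e. a file or parent
directory that someone other than the account owner can write to.
The home tree is constructed in a temporary directory.
"""
import os
import shutil
import stat
import tempfile

# Same three objects sshd's StrictModes inspects: home, ~/.ssh, ~/.ssh/authorized_keys
CHECKED_PATHS = ("", ".ssh", os.path.join(".ssh", "authorized_keys"))


def writable_by_others(path, owner_uid):
    """True if path is group/world-writable or is not owned by owner_uid."""
    st = os.stat(path)
    return st.st_uid != owner_uid or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_authorized_keys(home_root, owner_of):
    """owner_of maps username -> uid. Returns {username: [problem, ...]} for weak setups."""
    problems = {}
    for user, uid in owner_of.items():
        home = os.path.join(home_root, user)
        issues = []
        for rel in CHECKED_PATHS:
            path = os.path.join(home, rel) if rel else home
            if not os.path.lexists(path):
                continue
            if writable_by_others(path, uid):
                what = rel or "home directory"
                issues.append(f"{what} is group/world-writable or not owned by {user}")
        if issues:
            problems[user] = issues
    return problems


def build_sample_homes():
    """Constructed tree: 'royals' has a group-writable .ssh and key file, 'chiefs' is sane."""
    root = tempfile.mkdtemp(prefix="homes-")
    layout = {"royals": (0o770, 0o660), "chiefs": (0o700, 0o600)}
    for user, (dir_mode, key_mode) in layout.items():
        home = os.path.join(root, user)
        ssh = os.path.join(home, ".ssh")
        os.makedirs(ssh)
        keyfile = os.path.join(ssh, "authorized_keys")
        with open(keyfile, "w") as fh:
            fh.write("ssh-ed25519 AAAAC3constructedKeyBody constructed@example\n")
        os.chmod(home, 0o755)
        os.chmod(ssh, dir_mode)
        os.chmod(keyfile, key_mode)
    # every sample user is owned by whoever runs this, so only mode checks can fire
    return root, {user: os.getuid() for user in layout}


def remove_sample_homes(root):
    shutil.rmtree(root)


if __name__ == "__main__":
    root, owners = build_sample_homes()
    for user, issues in audit_authorized_keys(root, owners).items():
        print(user)
        for issue in issues:
            print("  -", issue)
    remove_sample_homes(root)
```

Run against a real /home with the uids from the passwd database, the same function reports any account whose login trust another user can edit. The write-up does not say how the VM was configured, but on a stock sshd this layout would also be rejected at login time by StrictModes, which is the reason not to turn that option off.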


We continue enumerating, looking for a way to elevate further. Again, I speed this up since I already know what I'm looking for.


We notice above that, when we check the sudo rights for this user, we have the ability to run /usr/bin/find as root without a password.

We can actually exploit this by doing the following:


Sweet! We are now running as root! Let's grab the flag!


royals@seckc:~$ whoami
royals
royals@seckc:~$ sudo find / -exec /bin/bash \; 
root@seckc:~# whoami
root
root@seckc:~# id
uid=0(root) gid=0(root) groups=0(root)
root@seckc:~# cd /root
root@seckc:/root# ls
flag.txt
root@seckc:/root# cat flag.txt 
      .cllllllllllooool.                                       .,::,.      .;::::.  .cddollc::::;,. 
      :XMMMMMMMMMMMMMMX;                                       '0MM0'    .c0WWNO:. :KWWWWWWWXKXWWN0l
      ;KMMWOllcccc:::::.                                       ,0MM0,   ,kWMWO;.  .dWWXd;;;;,',o0XNN
      ;XMMWl  ..             .;:,'''''.        ..'''......     ;KMMXc .oXMMXl.     dWMX;       .lkxd
      ;KMMWk:loolllll:.    'dKWWWNNNNNXk:.   'dKXNNNXNXXX0x:.  :XMWk,:0WMWO,       oWMX:        .'..
      ,KMMMWWMMMMMMMMWKc. .xWWXxoododOWMWd. .OWMXkdxxddxXMMXc  :XMWkkNMMMKo;.      oWMNc            
      'kXXK0dccllccxNMMO. .kWW0;.....lXMMk. '0MMx.      ckkx,  :XWWWWMMMMN0;       oWMNc            
       .,,..       ,KMM0' .ONOkKXXXXKNWMMx. '0MM0,             lNWWMWOoONWK:       lNMNl            
       ,dkd,       ,KMM0' .OXxodddddxxxxx:  '0MMK;       ...  .OMMW0c. .cKMXo.     lNMNl       .cxxd
      '0MMMk'......cXMM0' .OMWk'     'odd;  '0MMO,..  .'ldkO; '0MMX:   .:0WMNx.    cNMWd. ..  .,OMMX
      .OMMMNKKKKKKXNWMWx. .dWMN0OOx:;xWMNo  .xWMN0O0000KNNXd. ,0MMK,  .;.,OWMWx.   ;KWMN0000000KWMWO
       .o0XXXKXKKKKKKOc.   .:k000K0Ok0Kk:.   .ck0KK000KK0x;   .xKKx.  ,.  .cccc.    ,d0K000K000KKOl.
         ............         .........         .........       ...  ..               ....... ...   


Woot!! Congratulations on solving the challenge!

If you are interested in learning more about SecKC, visit us at seckc.org or
join oug #Slack channel: http://slack.seckc.org

Created by: Eric "geoda" Guillen     
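The sudo rule that hands over root above is easiest to catch in the sudoers file itself, before anyone runs sudo -l. The Python below is an added example, not part of the write-up; it parses constructed sudoers rules (the user names are invented) and reports commands that let the caller run another program as the target user (find's -exec, as used above), along with whether the grant is passwordless. The set of such binaries is an assumption containing only find; extend it for your own audits.

```python
"""
Added example (not from the original write-up): parse sudoers user-spec lines
and flag grants of binaries that can run another program as the target user,
plus passwordless grants of ALL. Rules below are constructed.
"""
import re

# Binaries whose own options spawn another program as the sudo target user.
# Only find (its -exec, used in the write-up) is listed; this is an assumption to extend.
SHELL_CAPABLE = {"find"}

# user  host = (runas) [TAG:] command, ...
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")

SAMPLE_SUDOERS = """\
# constructed for this example
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
royals  ALL=(ALL) NOPASSWD: /usr/bin/find
chiefs  ALL=(root) NOPASSWD: /usr/bin/systemctl restart apache2, /usr/bin/find
backup  ALL=(ALL) /usr/bin/find
"""


def parse_rule(line):
    """Parse one user-spec line; None for blanks, comments, Defaults and alias lines."""
    line = line.split("#", 1)[0].strip()  # drops comments (and #include lines)
    if not line or line.startswith(SKIP_PREFIXES):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    nopasswd = False  # tags persist along the command list until overridden
    cmds = []
    for spec in m.group("cmds").split(","):
        spec = spec.strip()
        while ":" in spec and spec.split(":", 1)[0].strip().isupper():
            tag, spec = (s.strip() for s in spec.split(":", 1))
            if tag == "NOPASSWD":
                nopasswd = True
            elif tag == "PASSWD":
                nopasswd = False
        cmds.append({"nopasswd": nopasswd, "command": spec})
    # an absent runas list means the default target user, root
    return {"who": m.group("who"), "runas": m.group("runas") or "root", "cmds": cmds}


def audit_sudoers(lines):
    """Return [(who, runas, command, passwordless)] for risky grants."""
    findings = []
    for line in lines:
        rule = parse_rule(line)
        if not rule:
            continue
        for c in rule["cmds"]:
            cmd = c["command"]
            if not cmd:
                continue
            base = cmd.split()[0].rsplit("/", 1)[-1]
            if (cmd == "ALL" and c["nopasswd"]) or base in SHELL_CAPABLE:
                findings.append((rule["who"], rule["runas"], cmd, c["nopasswd"]))
    return findings


if __name__ == "__main__":
    for who, runas, cmd, nopw in audit_sudoers(SAMPLE_SUDOERS.splitlines()):
        print(f"{who} may run {cmd} as {runas} ({'no password' if nopw else 'password'})")
```

Note the finding for the constructed 'backup' line: requiring a password does not help, because the user's own password is all that is needed to reach a root shell through find, so the grant itself is the problem. The 'chiefs' line shows why tag persistence matters: the NOPASSWD before systemctl also applies to the find that follows it on the same line.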

And that's it! I hope you enjoyed this intentionally vulnerable boot2root virtual machine. I certainly enjoyed building it, and I'm sure I'll build more in the future. Please reach out with any questions.

Till next time!