Road to OSCP 11: Blocky HackTheBox

Sharghaas
6 min read · Jan 23, 2022

Follow along my OSCP journey! This is my 11th target from TJNULL’s OSCP list.

How to use this walkthrough?

To avoid the typical answer-on-a-plate type of walkthrough, I have decided to follow the TryHackMe idea of giving you some hints along the way to help you when you struggle and keep the Try Harder mantra real.

Let’s go!

Enumeration

I use Tib3rius’ multi-threaded Autorecon which combines a couple of different tools to enumerate and scan services. It creates a simple file structure and provides you with a nice overview of the services scanned.

python3 /opt/AutoRecon/autorecon.py -cs 25 -vv -o /home/kali/Documents/HTB/lab/ 10.10.10.37

Autorecon

While it runs, I usually look at the _quick_tcp_nmap.txt file while we wait for the _full_tcp_nmap.txt one.

PORT      STATE  SERVICE   REASON         VERSION                                                                          
21/tcp open ftp syn-ack ttl 63 ProFTPD 1.3.5a
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXqVh031OUgTdcXsDwffHKL6T9f1GfJ1/x/b/dywX42sDZ5m1Hz46bKmbnWa0YD3LSRkStJDtyNXptzmEp31Fs2DUndVKui3LCcyKXY6FSVWp9ZDBzlW3aY8qa+y339OS3gp3aq277zYDnnA62U7rIltYp91u5VPBKi3DITVaSgzA8mcpHRr30e3cEGaLCxty58U2/lyCnx3I0Lh5rEbipQ1G7Cr6NMgmGtW6LrlJRQiWA1OK2/tDZbLhwtkjB82pjI/0T2gpA/vlZJH0elbMXW40Et6bOs2oK/V2bVozpoRyoQuts8zcRmCViVs8B3p7T1Qh/Z+7Ki91vgicfy4fl
| 256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNgEpgEZGGbtm5suOAio9ut2hOQYLN39Uhni8i4E/Wdir1gHxDCLMoNPQXDOnEUO1QQVbioUUMgFRAXYLhilNF8=
| 256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILqVrP5vDD4MdQ2v3ozqDPxG1XXZOp5VPpVsFUROL6Vj
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.8
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: BlockyCraft – Under Construction!
8192/tcp closed sophos reset ttl 63
25565/tcp open minecraft syn-ack ttl 63 Minecraft 1.11.2

So we got an FTP server, an SSH server, a web server and a Minecraft server (Wink Wink).

80 — Web

We have a nice blog around Minecraft.

Let’s add to our findings with gobuster:

gobuster dir --url http://10.10.10.37/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

HINT

Put those two together and there is an obvious thing that should pique our interest.

.

.

.

.

This all points to a new plugin that should interest us. Let’s download the plugin files and see whether they contain anything of interest.

Note: “.jar” files are just zip archives. Thanks to @orxancz for giving me the tip during the stream.

Bingo, we find some credentials: root:8YsqfCTnvxAUeduzjNSXe22
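Because a jar is just a zip archive, the same trick cuts both ways: a developer (or a CI job) can open every entry and look for credential-shaped strings before a plugin ever ships. Below is an added example of such a check, written for this post and not taken from the box or from any plugin; the jar it scans is constructed in memory with placeholder values, and the pattern list is a small starter set you would extend for your own stack.

```python
import io
import re
import zipfile

# Assumption: a small starter set of patterns that usually indicate an embedded secret.
# They run over raw bytes, so they also hit string literals sitting in a .class
# constant pool (stored as contiguous modified-UTF-8), not only text resources.
SECRET_PATTERNS = [
    re.compile(rb"(?i)(password|passwd|pwd)\s*[:=]\s*\S+"),
    re.compile(rb"jdbc:[a-z]+://[^\s\"']+"),
    re.compile(rb"(?i)(api[_-]?key|secret)\s*[:=]\s*\S+"),
]


def scan_jar(jar_bytes: bytes) -> list[tuple[str, str]]:
    """Return (entry name, matched text) for every credential-looking string in the jar."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            for pattern in SECRET_PATTERNS:
                for match in pattern.finditer(data):
                    findings.append((info.filename, match.group(0).decode("latin-1")))
    return findings


def build_demo_jar() -> bytes:
    """Constructed sample jar: one clean class, one resource with a hard-coded credential."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("plugin.yml", "name: DemoPlugin\nversion: 1.0\n")
        # Constructed placeholder values; the point is the shape, not the secret.
        zf.writestr(
            "config.properties",
            "db.url=jdbc:mysql://localhost:3306/demo\n"
            "db.user=demo\n"
            "db.password=EXAMPLE_PLACEHOLDER\n",
        )
        # A minimal class-file header with no strings in it, so it must not match.
        zf.writestr("com/example/Clean.class", b"\xca\xfe\xba\xbe" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for entry, hit in scan_jar(build_demo_jar()):
        print(f"{entry}: {hit}")
```

Run against a real artifact with `scan_jar(open("plugin.jar", "rb").read())`. The fix on the developer side is the usual one: read the database password from an environment variable or a config file outside the archive, and add this kind of scan to the build so a leaked credential fails the pipeline instead of shipping.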

HINT

We arrive at the second crux of the puzzle: what could these credentials be used for?

.

.

.

.

If you notice the two following things:

.

.

.

.

.

.

.

You’ll quickly realise that those are the credentials for the MySQL database running in the backend. Let’s log in using phpMyAdmin ❤

Let’s look through the database. The first idea that comes to mind is to obtain admin access to the WordPress CMS and spawn a reverse shell from there. So let’s see if we can find any…

We do find some credentials in the wp_users table:
notch:$P$BiVoTj899ItS1EZnMhqeqVbrZI4Oq0/

We have two options: replace the password hash with one of our own, or try to crack the existing hash. Let’s give cracking a quick attempt to learn about it, then move on to replacing it.

That isn’t actually the password but a hash of it: we need to identify the hash type before we can crack it. In addition, we have acquired a new username that could be used to test logins.

Let’s try to crack that hash; we find some help in this article: https://blog.wpsec.com/cracking-wordpress-passwords-with-hashcat/

sudo hashcat -m 400 -a 0 -o notch_pass notch_hash /usr/share/wordlists/rockyou.txt

Unfortunately it doesn’t seem to be able to crack this password in a timely manner.

Let’s replace the hash with our own. We need a way to hash a password with the WordPress MD5-based algorithm: https://www.useotools.com/wordpress-password-hash-generator/output.
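To understand what hashcat mode 400 is attacking and what that online generator produces, here is an added Python reimplementation of the portable phpass scheme WordPress uses for `$P$` hashes (this is my example, not code from the box or from WordPress). The fourth character encodes the number of MD5 rounds: for notch’s hash it is `B`, which means 2^13 = 8192 iterations, cheap enough for GPU cracking and the reason a stronger scheme such as bcrypt or Argon2 is preferred. The `test12345` vector is the reference one shipped with the phpass project’s test script; the round count used by `phpass_new` is an assumption for the demo.

```python
import hashlib
import secrets

# phpass alphabet: the index of a character is the value it encodes.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes, count: int) -> str:
    """phpass' own base64 variant: 3 bytes -> 4 chars, little-endian, no padding."""
    out = []
    i = 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def phpass_rounds(setting: str) -> int:
    """MD5 iteration count encoded in the 4th character of a $P$/$H$ hash."""
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("unsupported round count")
    return 1 << count_log2


def phpass_crypt(password: str, setting: str) -> str:
    """Recompute a phpass hash from a password and the salt/rounds prefix of a stored hash."""
    if setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass hash")
    rounds = phpass_rounds(setting)
    salt = setting[4:12]
    if len(salt) != 8:
        raise ValueError("malformed salt")
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt.encode("ascii") + pw).digest()
    for _ in range(rounds):  # the only work factor: repeated raw MD5
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def phpass_check(password: str, stored: str) -> bool:
    """What WordPress does at login: rehash with the stored salt and compare in constant time."""
    return secrets.compare_digest(phpass_crypt(password, stored), stored)


def phpass_new(password: str, count_log2: int = 13) -> str:
    """Generate a fresh hash with a random 8-char salt (count_log2=13 mirrors the WordPress default)."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return phpass_crypt(password, "$P$" + ITOA64[count_log2] + salt)


if __name__ == "__main__":
    notch = "$P$BiVoTj899ItS1EZnMhqeqVbrZI4Oq0/"  # hash from the wp_users table above
    print("rounds for notch's hash:", phpass_rounds(notch))
    print("reference vector ok:", phpass_check("test12345", "$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0"))
```

On the defensive side, the same `phpass_rounds` check is a quick way to audit a wp_users dump: any row whose prefix is not the expected `$P$B` (or whose hash changed outside a password-reset window) is worth a look, since swapping the hash in the database is exactly the move this walkthrough makes.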

We update the DB.

Let’s go to wp-login.php and fill in the form with the new creds.

We are in!

OK, now it’s time for the usual RCE route for WordPress admin consoles: editing a theme file.

We replace the theme’s 404.php with our beloved PHP reverse shell from pentestmonkey (/usr/share/laudanum/php/php-reverse-shell.php on Kali).

Make sure to update the section with your listener’s IP and port.

And set up the listener as well:

nc -nlvp 4444

To trigger the code we now need to find its path; let’s do some googling.

Make sure to use the path of the theme that is active, in this case “twentyseventeen”: http://10.10.10.37/wp-content/themes/twentyseventeen/404.php

Boom! We now have access as www-data.

After enumerating for a while, I realise I can’t find a way from www-data to the user. It is a good time to consider which other avenues we haven’t tried.

HINT

Where else could we use the credentials we gathered?

.

.

.

.

There are two other services where those credentials could be used; let’s start with the most interesting one, SSH.
Let’s see whether the usernames and password we have work (we could also test this from the reverse shell):

notch:8YsqfCTnvxAUeduzjNSXe22

Let’s start by grabbing the user flag.

Getting Root

The way I go about getting root is the following: I’ll look for some quick wins and then run some enumeration scripts to help me find some weaknesses.

Quick Wins

sudo -l → sudo permissions
ls -la /opt/ → looking for interesting executables or files
ls -la /var/www/; ls -la /var/www/html → possible configuration files with the DB password or even a user password
ls -la /etc/passwd; ls -la /etc/shadow → misconfigured permissions (write on passwd, read on shadow)

On the first one, it seems we already have sudo permissions; let’s understand why.

Since we are part of the sudo group, let’s upgrade our shell as the root user.

sudo su

Let’s go!

What did I learn?

  1. Always return to enumeration when none of the paths seem to work out.

Stream

I hope you guys enjoyed the walkthrough. Don’t hesitate to join me and struggle together on those machines on my Twitch stream on Wednesdays and Sundays.

Sharghaas

Flying Squirrel that loves everything around hacking. Training for the OSCP exam come join me on my stream so we can struggle together twitch.tv/sharghaas