LazySysAdmin 1.0 Vulnhub Walkthrough

Name: LazySysAdmin 1.0
Author: Togie Mcdogie
Twitter: @TogieMcdogie

[Description] Difficulty: Beginner – Intermediate
Boot2root created out of frustration from failing my first OSCP exam attempt.

[Lore] LazySysadmin – The story of a lonely and lazy sysadmin who cries himself to sleep

[Hints] Enumeration is key
Try Harder
Look in front of you
Tweet @togiemcdogie if you need more hints

[Other] What could you have done to speed up the enumeration process?
Are there any obvious things that you missed, which you shouldn't have missed?
Did you learn anything interesting?
What have you added to your enumeration process to prevent you from wasting time?

So as the title of the machine states, we have to pwn and gain root access to a lazy sysadmin’s server.

Let's start with netdiscover to find the IP address of the server.

netdiscover -r 192.168.1.0/24

Now let's move to enumeration. Usually I start with nmap for open port identification and then I move to other programs that are port-specific, like nikto or dirb for port 80.

The creator gave us some hints: “Enumeration is key” and “What could you have done to speed up the enumeration process?”. So I guess there are many rabbit holes that we should avoid during the enumeration. I Googled and found a tool called Sparta that comes pre-installed with Kali Linux.

“SPARTA is a python GUI application that simplifies network infrastructure penetration testing by aiding the penetration tester in the scanning and enumeration phase. It allows the tester to save time by having point-and-click access to their toolkit and by displaying all tool output in a convenient way. If less time is spent setting up commands and tools, more time can be spent focusing on analysing results.”

So I started Sparta and added the IP (192.168.1.51) to start the scan.
After 1 minute Sparta had scanned and identified all open ports with Nmap, automatically executed Nikto on port 80 and tried default passwords for the MySQL server on port 3306. Well, I am impressed.

It even gives us the opportunity to quickly bruteforce any service with Hydra.
I tried SSH root username with a really small but common password list with no luck.

Let's also run dirb on port 80 (non-recursive).

dirb http://192.168.1.51 -r
---- Scanning URL: http://192.168.1.51/ ----
==> DIRECTORY: http://192.168.1.51/apache/
+ http://192.168.1.51/index.html (CODE:200|SIZE:36072)
+ http://192.168.1.51/info.php (CODE:200|SIZE:77246)
==> DIRECTORY: http://192.168.1.51/javascript/
==> DIRECTORY: http://192.168.1.51/old/
==> DIRECTORY: http://192.168.1.51/phpmyadmin/
+ http://192.168.1.51/robots.txt (CODE:200|SIZE:92)
+ http://192.168.1.51/server-status (CODE:403|SIZE:292)
==> DIRECTORY: http://192.168.1.51/test/
==> DIRECTORY: http://192.168.1.51/wordpress/
==> DIRECTORY: http://192.168.1.51/wp/

Let's go port by port.

Port 22 is running SSH (OpenSSH 6.6.1p1), which has no vulnerabilities.
No default password is used (checked previously with Sparta and Hydra).

Port 80 is running HTTP with Apache httpd 2.4.7, which is updated but has no vulnerabilities (checked with searchsploit).

So let's break down the results from dirb and Nikto.

http://192.168.1.51/apache/ –> empty
http://192.168.1.51/index.html –> Static page. Nothing interesting in the source code

http://192.168.1.51/info.php –> phpinfo()

http://192.168.1.51/javascript/ –> Error 403
http://192.168.1.51/old/ –> empty
http://192.168.1.51/phpmyadmin/ –> phpmyadmin

http://192.168.1.51/robots.txt
User-agent: *
Disallow: /old/ –> Empty
Disallow: /test/ –> Empty
Disallow: /TR2/ –> Empty
Disallow: /Backnode_files/ –> .jpg, .png, .js, .css files – Nothing interesting

http://192.168.1.51/server-status –> Error 403
http://192.168.1.51/test/ –> Empty
http://192.168.1.51/wordpress/ –> WordPress Installation

“My name is togie.” is everywhere on the homepage, so I guess this is a username.
http://192.168.1.51/wp/ –> Empty

Interesting results, but for now the only thing we can try is to run WPScan on http://192.168.1.51/wordpress/.

wpscan --url http://192.168.1.51/wordpress/ --enumerate
_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 3.4.2
          Sponsored by Sucuri - https://sucuri.net
      @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________

[+] URL: http://192.168.1.51/wordpress/
[+] Started: Fri Jan 18 08:25:26 2019

Interesting Finding(s):

[+] http://192.168.1.51/wordpress/
 | Interesting Entries:
 |  - Server: Apache/2.4.7 (Ubuntu)
 |  - X-Powered-By: PHP/5.5.9-1ubuntu4.22
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] http://192.168.1.51/wordpress/xmlrpc.php
 | Found By: Link Tag (Passive Detection)
 | Confidence: 100%
 | Confirmed By: Direct Access (Aggressive Detection), 100% confidence
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://192.168.1.51/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Registration is enabled: http://192.168.1.51/wordpress/wp-login.php?action=register
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.1.51/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] WordPress version 4.8.8 identified (Latest, released on 2018-12-13).
 | Detected By: Rss Generator (Passive Detection)
 |  - http://192.168.1.51/wordpress/?feed=rss2, <generator>https://wordpress.org/?v=4.8.8</generator>
 |  - http://192.168.1.51/wordpress/?feed=comments-rss2, <generator>https://wordpress.org/?v=4.8.8</generator>

[+] WordPress theme in use: twentyfifteen
 | Location: http://192.168.1.51/wordpress/wp-content/themes/twentyfifteen/
 | Last Updated: 2019-01-09T00:00:00.000Z
 | Readme: http://192.168.1.51/wordpress/wp-content/themes/twentyfifteen/readme.txt
 | [!] The version is out of date, the latest version is 2.3
 | Style URL: http://192.168.1.51/wordpress/wp-content/themes/twentyfifteen/style.css?ver=4.8.8
 | Style Name: Twenty Fifteen
 | Style URI: https://wordpress.org/themes/twentyfifteen/
 | Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, st...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Detected By: Css Style (Passive Detection)
 |
 | Version: 1.8 (80% confidence)
 | Detected By: Style (Passive Detection)
 |  - http://192.168.1.51/wordpress/wp-content/themes/twentyfifteen/style.css?ver=4.8.8, Match: 'Version: 1.8'

[+] Enumerating Vulnerable Plugins

[i] No plugins Found.

[+] Enumerating Vulnerable Themes
 Checking Known Locations - Time: 00:00:00 <> (288 / 288) 100.00% Time: 00:00:00
[+] Checking Theme Versions

[i] No themes Found.

[+] Enumerating Timthumbs
Checking Known Locations - Time: 00:00:01 <> (1000 / 2573) 1.0%  ETA: 00:00:0
[..]
Checking Known Locations - Time: 00:00:03 <> (2570 / 2573) 99.88%  ETA: 00:00:0 Checking Known Locations - Time: 00:00:03 <> (2573 / 2573) 100.00% Time: 00:00:03

[i] No Timthumbs Found.

[+] Enumerating Config Backups
 Checking Config Backups - Time: 00:00:00 <===> (21 / 21) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[+] Enumerating DB Exports
 Checking DB Exports - Time: 00:00:00 <=======> (36 / 36) 100.00% Time: 00:00:00

[i] No DB Exports Found.

[+] Enumerating Medias (Permalink setting must be set to "Plain" for those to be detected)
 Brute Forcing Attachment IDs - Time: 00:00:00 <> (0 / 100)  0.00%  ETA: ??:??:? Brute Forcing Attachment IDs - Time: 00:00:00 <> (1 / 100)  1.00%  ETA: 00:00:4 Brute 
[...]
Forcing Attachment IDs - Time: 00:00:14 <> (99 / 100) 99.00%  ETA: 00:00: Brute Forcing Attachment IDs - Time: 00:00:14 <> (100 / 100) 100.00% Time: 00:00:14

[i] Medias(s) Identified:

[+] http://192.168.1.51/wordpress/?attachment_id=40
 | Detected By: Attachment Brute Forcing (Aggressive Detection)

[+] http://192.168.1.51/wordpress/?attachment_id=41
 | Detected By: Attachment Brute Forcing (Aggressive Detection)

[+] http://192.168.1.51/wordpress/?attachment_id=42
 | Detected By: Attachment Brute Forcing (Aggressive Detection)

[+] http://192.168.1.51/wordpress/?attachment_id=67
 | Detected By: Attachment Brute Forcing (Aggressive Detection)

[+] Enumerating Users
 Brute Forcing Author IDs - Time: 00:00:01 <==> (10 / 10) 100.00% Time: 00:00:01

[i] User(s) Identified:

[+] View all posts by Admin
 | Detected By: Author Posts - Display Name (Passive Detection)

[+] Admin
 | Detected By: Rss Generator (Passive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] admin
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

So no vulnerable themes or plugins, but we found the user “admin”, and “togie” from the homepage.
I tried to brute force the “admin” and “togie” logins with WPScan and common passwords, with no luck.

wpscan --url 192.168.1.51/wordpress --passwords /usr/share/wordlists/probable/2-Top1575-probable2.txt --usernames admin,togie
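From the other side of the wire, both the Hydra run against SSH root earlier and this WPScan password attack are noisy: a burst of "Failed password" lines in auth.log and a burst of POSTs to wp-login.php in the Apache access log, all from one source. The following is an added example, not part of the original write-up, that implements that detection as sliding-window counting over constructed sample log lines (the attacking address 192.168.1.12 is taken from the MySQL error message later in the walkthrough; every other address, PID and timestamp is made up):

```python
# Added example: detect password-guessing bursts in sshd and Apache logs.
# All log lines below are constructed; they imitate what the walkthrough's
# Hydra (SSH root) and WPScan (wp-login.php) attempts would leave on the target.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_YEAR = 2019  # Ubuntu auth.log lines carry no year; the scan ran in January 2019

# Constructed sshd lines: a six-guess burst against root from the scanner, then a
# user who mistypes once and gets in on the second try.
SSHD_LOG = """\
Jan 18 08:10:01 lazysysadmin sshd[1201]: Failed password for root from 192.168.1.12 port 40110 ssh2
Jan 18 08:10:02 lazysysadmin sshd[1203]: Failed password for root from 192.168.1.12 port 40112 ssh2
Jan 18 08:10:02 lazysysadmin sshd[1205]: Failed password for root from 192.168.1.12 port 40114 ssh2
Jan 18 08:10:03 lazysysadmin sshd[1207]: Failed password for root from 192.168.1.12 port 40116 ssh2
Jan 18 08:10:03 lazysysadmin sshd[1209]: Failed password for root from 192.168.1.12 port 40118 ssh2
Jan 18 08:10:04 lazysysadmin sshd[1211]: Failed password for root from 192.168.1.12 port 40120 ssh2
Jan 18 08:40:21 lazysysadmin sshd[1388]: Failed password for togie from 192.168.1.20 port 50211 ssh2
Jan 18 08:41:05 lazysysadmin sshd[1390]: Accepted password for togie from 192.168.1.20 port 50213 ssh2
"""

# Constructed Apache combined-format lines: twelve wp-login.php POSTs in 22 seconds
# from the scanner, plus one ordinary page view from another host.
ACCESS_LOG = "\n".join(
    f'192.168.1.12 - - [18/Jan/2019:08:30:{sec:02d} +0000] '
    f'"POST /wordpress/wp-login.php HTTP/1.1" 200 4158 "-" "WPScan v3.4.2"'
    for sec in range(0, 24, 2)
) + '\n192.168.1.20 - - [18/Jan/2019:09:02:11 +0000] "GET /wordpress/ HTTP/1.1" 200 36072 "-" "Mozilla/5.0"\n'

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<status>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)
ACCESS_RE = re.compile(
    r'^(?P<ip>\d+\.\d+\.\d+\.\d+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<code>\d{3}) '
)

def parse_sshd(text):
    """Return a list of (timestamp, failed, user, source_ip) for password auth events."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["status"] == "Failed", m["user"], m["ip"]))
    return events

def parse_access(text):
    """Return a list of (timestamp, method, path, status, source_ip) for access-log lines."""
    events = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            events.append((ts, m["method"], m["path"], int(m["code"]), m["ip"]))
    return events

def burst_sources(stamps_by_ip, threshold, window):
    """Return {ip: peak} for sources with >= threshold events inside any sliding window."""
    hits = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:  # slide the left edge of the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[ip] = peak
    return hits

def detect_ssh_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    failures = defaultdict(list)
    for ts, failed, _user, ip in parse_sshd(log_text):
        if failed:
            failures[ip].append(ts)
    return burst_sources(failures, threshold, window)

def detect_success_after_failures(log_text, lookback=timedelta(minutes=10)):
    """Accepted logins preceded by failures from the same source within lookback.
    A guess that finally worked looks like this; so does a fat-fingered user, which
    is why the number of prior failures is returned for the analyst to weigh."""
    events = sorted(parse_sshd(log_text))
    alerts = []
    for i, (ts, failed, user, ip) in enumerate(events):
        if failed:
            continue
        prior = [e for e in events[:i] if e[1] and e[3] == ip and ts - e[0] <= lookback]
        if prior:
            alerts.append((ip, user, len(prior)))
    return alerts

def detect_wp_login_bruteforce(log_text, threshold=10, window=timedelta(seconds=60)):
    posts = defaultdict(list)
    for ts, method, path, _code, ip in parse_access(log_text):
        if method == "POST" and path.endswith("/wp-login.php"):
            posts[ip].append(ts)
    return burst_sources(posts, threshold, window)
```

Run on the constructed input, `detect_ssh_bruteforce` reports 192.168.1.12 with six failures inside the window, `detect_success_after_failures` flags togie's login from 192.168.1.20 with one prior failure, and `detect_wp_login_bruteforce` reports the twelve wp-login.php POSTs. The thresholds are parameters because the right values depend on how many legitimate users the host has; the same sliding-window helper serves both log sources.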

Also tried the default phpMyAdmin login (“root” with no password), with no luck.
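Taken together, the web findings so far are a phpinfo() page, directory listing on wp-content/uploads, an exposed xmlrpc.php and readme.html, open WordPress registration, and phpMyAdmin reachable from the whole LAN. As an added example (not the box's real configuration, and the /var/www/html and /usr/share/phpmyadmin paths are assumptions based on the default Ubuntu layout), this is how those would be closed in the Apache virtual host, with the weak setting noted beside each fix:

```apache
# Added hardening example for the dirb/WPScan findings; not taken from the box.
<Directory /var/www/html>
    # Weak (what the WPScan "Upload directory has listing enabled" finding implies):
    #   Options Indexes FollowSymLinks
    Options -Indexes +FollowSymLinks
    AllowOverride None
</Directory>

# info.php exposes PHP/Apache versions, paths and loaded modules to anyone.
# Delete it; if it must exist while debugging, only the admin host may see it.
<Files "info.php">
    Require ip 127.0.0.1
</Files>

# xmlrpc.php is only needed for pingbacks and remote-publishing clients; the
# WPScan references above show why it is otherwise better switched off.
<Files "xmlrpc.php">
    Require all denied
</Files>

# readme.html advertises the WordPress version.
<Files "readme.html">
    Require all denied
</Files>

# phpMyAdmin accepted a reused application password from the LAN; restrict it
# to connections from the server itself (administer over an SSH tunnel).
<Directory /usr/share/phpmyadmin>
    Require local
</Directory>
```

Open registration is a WordPress option rather than an Apache setting; it is turned off in the dashboard under Settings, or with WP-CLI via `wp option update users_can_register 0`.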

Nothing more we can do for now on port 80, so let's move to other ports.

Port 3306 is running MySQL, but we cannot try anything remotely:

"[ERROR] Host '192.168.1.12' is not allowed to connect to this MySQL server"

Port 6667 is running the IRC server InspIRCd (“a Stable, High-Performance and Modular IRCd”), but after searching both on Google and with searchsploit I didn't find any vulnerability that could be exploited.

So let's focus on SMB, which is running on ports 139 and 445. Sparta gives us a variety of tools that I was not even aware of.

I ran them all, and after some research I found something really interesting with enum4linux.

We can see a share named share$.

We successfully logged in as Anonymous and we can view the public files directory.

After browsing all the files and directories, the useful information was a password in the deets.txt file:

Found password 12345

Another password, TogieMYSQL12345^^, was found in the wp-config.php file.
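The two findings here, an anonymously listable share and credentials sitting in plaintext files inside it, are both visible in the Samba configuration before anyone connects. The following is an added example, not part of the walkthrough: a small smb.conf audit run over two constructed configurations, one reproducing the observed behaviour (anonymous access to share$, here assumed to export the web root since wp-config.php was in it) and one hardened. The real smb.conf of the box is not shown on the page, so the share path, comment and user name below are assumptions.

```python
# Added example: flag shares in an smb.conf that are reachable without credentials,
# plus a global configuration that lets null sessions enumerate the server.
import configparser

# Constructed: reproduces the behaviour seen via enum4linux (anonymous listing of
# share$ containing deets.txt and wp-config.php). Not the box's actual smb.conf.
WEAK_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = LazySysAdmin
   security = user
   map to guest = Bad User

[share$]
   comment = Sumshare
   path = /var/www/html
   browseable = yes
   guest ok = yes
   writable = no

[print$]
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no
"""

# Constructed hardened counterpart: no guest fallback, no anonymous enumeration,
# the share restricted to a named user and moved out of the web root.
HARDENED_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = LazySysAdmin
   security = user
   map to guest = Never
   restrict anonymous = 2

[share$]
   comment = Sumshare
   path = /srv/samba/share
   browseable = no
   guest ok = no
   valid users = togie
   writable = no
"""

TRUE_WORDS = {"yes", "true", "1"}

def samba_bool(value, default=False):
    """Samba accepts yes/true/1 and no/false/0 for boolean parameters."""
    if value is None:
        return default
    return value.strip().lower() in TRUE_WORDS

def load_smb_conf(text):
    parser = configparser.ConfigParser(
        interpolation=None,        # smb.conf uses %U, %m etc., which configparser would try to expand
        strict=False,              # tolerate repeated keys rather than abort the audit
        delimiters=("=",),
        comment_prefixes=("#", ";"),
        empty_lines_in_values=False,
    )
    parser.read_string(text)
    return parser

def audit_smb_conf(text):
    """Return a list of (section, finding) tuples; an empty list means nothing flagged."""
    cfg = load_smb_conf(text)
    findings = []
    global_section = cfg["global"] if cfg.has_section("global") else {}
    map_to_guest = global_section.get("map to guest", "Never").strip().lower()
    if map_to_guest != "never":
        findings.append(("global", f"map to guest = {map_to_guest}: failed or unknown logins fall back to the guest account"))
    if global_section.get("restrict anonymous", "0").strip() == "0":
        findings.append(("global", "restrict anonymous = 0: null sessions may list shares and users (what enum4linux relies on)"))
    for name in cfg.sections():
        if name == "global":
            continue
        share = cfg[name]
        if samba_bool(share.get("guest ok")) or samba_bool(share.get("public")):
            # 'read only' defaults to yes; 'writable'/'writeable' are its inverse synonyms
            read_only = samba_bool(share.get("read only"), True) and not (
                samba_bool(share.get("writable")) or samba_bool(share.get("writeable")))
            mode = "read-only" if read_only else "writable"
            findings.append((name, f"guest ok = yes: anonymous {mode} access to {share.get('path', '?')}"))
        if share.get("path", "").startswith("/var/www"):
            findings.append((name, "share exports a web root; files such as wp-config.php carry database credentials"))
    return findings
```

Against `WEAK_SMB_CONF` the audit reports four findings (two global, two on share$) and nothing for print$, which already has `guest ok = no`; against `HARDENED_SMB_CONF` it reports none. The credential reuse that follows in the walkthrough (the database password also opening WordPress and phpMyAdmin) is not something a config audit can see, but taking the web root out of the share removes the file that leaked it.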

Now we can also log in to WordPress with the following credentials.

admin
TogieMYSQL12345^^

This might be useful for uploading a shell later.

We can also log in to phpMyAdmin with:

Admin
TogieMYSQL12345^^

Unfortunately we have low privileges there and can't do much.

Let's now try to connect to SSH with the username we found and test the passwords.
ssh togie@192.168.1.51

togie
12345

Success

I tried to change directories but I can't, because I have a limited shell.
So we have to find a local exploit to do privilege escalation in order to gain root.
I downloaded the “linux-exploit-suggester.sh” and “LinEnum.sh” scripts using SimpleHTTPServer from my Kali machine and chmod'ed them, but still can't run anything.

Let's check what permissions I have.

WOW! I am a sudoer. So I will just login as root.

sudo su

And we are root!

In the root directory a proof.txt file is located with the flag.

Well that was an easy and fast machine.
I enjoyed it though and practiced my enumeration skills, learned the Sparta tool and more about the SMB service.
