This is the first VulnHub VM that I have taken the time to write about, and thankfully this one wasn't that difficult so there are a lot less screenshots than I expected!
To start with, I loaded the VM into VirtualBox and imported the default settings. The VM is configured to use DHCP so wait for it to do it's thing, and then you'll need to do a bit of enumeration to get the device.
I gave netdiscover a try and was pleasantly surprised how useful it was. I will definitely be trialling this in future pen tests.
Run netdiscover over the local network on eth0:
netdiscover -i eth0 -r 192.168.0.0/24 - I realise that the
-i eth0 wasn't in the screenshot!
Once the IP address was known (it was
192.168.0.4 in this case) it was time to run nmap:
nmap 192.168.0.4 -A
I later ran a full port scan with nmap, but it turns out there are just the three web-server ports open:
80, 443, and 8080.
Let's see what's on that front page:
Not exactly useful.
Running Nikto over the server on port 80 reveals that there are two pages that I want to look at:
nikto -host http://192.168.0.4
What about that
Well, it looks like a basic web application. What about I try 'admin:admin' for the credentials:
OK, so it looks like I wasn't successful in authenticating to the application but we did get some information from it in the form of an unsuccessful authentication being equal to
0. We can use this information to infer that there is a database sitting on the back end.
Whipping out sqlmap (no one's got time to do that manually, especially at 3am) was successful in finding and exploiting a SQL injection vulnerability in the application. I found this by capturing the POST login request within Burpsuite and then replaying that within sqlmap (it didn't have to be a valid authentication, just have credentials in the username and password parameters):
sqlmap -r sqlmap.file
SQLi found within the 'password' parameter:
Usernames and passwords were then enumerated from the database (naughty - not hashing the passwords!) by using the
--dump-all sqlmap flags:
Now that we have credentials we can login to
/login.php and see what is going on there:
Oh, nothing... Great! At least we can then just use the credentials on the SQLi dump:
sqlmap -r sql.file (See the first image below for the file)
Below are the database names that were enumerated by using the
--dump-all command within sqlmap. I spotted a Wordpress database
wordpress8080. This same port is running a Wordpress site on this host.
I then changed the request to focus on the Wordpress database
sqlmap -r sql.file --dbms=mysql -D wordpress8080. This revealed the 'admin' password, which again was not hashed.
Logging in to
admin:SuperSecretPassword allows you full control over the Wordpress site. Thankfully, we can also import Plugins, so I installed the Exec-PHP plugin:
Next, I grabbed a PHP reverse shell script from Pentest Monday http://pentestmonkey.net/tools/web-shells/php-reverse-shell and loaded it into an existing Wordpress Page:
I started a netcat listener on my attacking system
nc -nvlp 4444 and then loaded that Wordpress page. Upon doing so, I am given a shell within my netcat Terminal:
I checked what my permissions were
cat /etc/shadow, with successful results!
I assume I won, but I also now have hashes... I wonder what the plaintexts are?
Using the HashId tool I can see that those user hashes are hashed with SHA512 crypt. Not going to be easy...
Well, it turns out that the password for
candycane is actually just
I didn't manage to crack the root password, but to be honest by the time I will have finished writing this it will be 5am, so I'm excusing myself!
Post Challenge Notes
- If you've got a shell but are receiving the error
must be run from a terminalwhen trying to su or
no tty present and no askpass program specifiedwhen trying to sudo then you should try and use Python to import pty and spawn in bash:
python -c 'import pty; pty.spawn("/bin/bash")'
- It turns out that the
rootpassword was the same as the Wordpress
SuperSecretPassword. I'm not sure why I couldn't crack this with Hashcat as I did add in the passwords taken from here to a custom wordlist. If anyone knows, drop me a line.