Sunday, December 23, 2018

W1R3S: 1.0.1



- Layout for this exercise:




1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine w1r3s 1.0.1

w1r3s 1.0.1 can be downloaded from here:

https://www.vulnhub.com/entry/w1r3s-101,220/


- Once downloaded and extracted with VirtualBox:






2 - ENUMERATION

- Discovering the IP:







- Scanning:




2.1 - FTP enumeration

- Let's start enumerating the FTP service in detail.

- It seems that anonymous login to the FTP service is allowed:




- Using the browser to access FTP service:




- Reading text files inside folder /content:





- Reading 01.txt:




- Reading 02.txt:




- Identifying the hash type of the first string; it is probably MD5:




- Cracking the MD5 hash:




- Decoding the second string:






- Reading 03.txt:




- Reading /docs/worktodo.txt:






- Reading employee-names.txt:




- Just in case, let's store the names for later usage:






2.2 - Web enumeration

- Browsing the web server:




- Applying dirb on the web server:






- So two main directories have been found, /administrator and /wordpress:




- Going to /administrator we are redirected to /installation, where the content management system Cuppa CMS is running:





3 - EXPLOITATION

- Searching for Cuppa CMS exploits:





- The exploit 25971.txt allows a Remote/Local File Inclusion:


https://www.exploit-db.com/exploits/25971




- Reading 25971.txt:






- Following the instructions from 25971.txt and trying the exploit directly in the browser, it doesn't work:




- However, using curl we obtain /etc/passwd. The data is sent URL-encoded in the body of a POST request:










- Same thing for /etc/shadow:







- Same results with Burp, using method POST instead of GET.

- It is important to notice the header Content-Type: application/x-www-form-urlencoded, which indicates that the request body is URL encoded.










4 - CRACKING PASSWORDS WITH JOHN THE RIPPER

- Storing /etc/passwd and /etc/shadow in text files p and s, and unshadowing to text file u:




- John The Ripper is able to crack two passwords:






5 - LOW PRIVILEGE REMOTE SHELL

- The credentials w1r3s:computer allow connecting to the remote machine over SSH:





6 - PRIVILEGE ESCALATION

- Privilege escalation is easy because user w1r3s is a sudoer with (ALL : ALL) ALL privileges:







- Getting a root shell:
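As an added defender-side example (not part of the original walkthrough), a small Python audit that parses sudoers-style entries and flags every principal allowed to run ALL commands as root or as any user, which is exactly the grant that made this step trivial. The sudoers content below is constructed, not taken from the box.

```python
"""Flag unrestricted sudoers grants such as '(ALL : ALL) ALL'.
Added example; SAMPLE_SUDOERS is constructed, not the machine's file."""
import re

# Constructed sample; the w1r3s line mirrors the grant found on the box.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
w1r3s   ALL=(ALL : ALL) ALL
%admin  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
deploy  ALL=(ALL) NOPASSWD: ALL
"""

# who  hosts=(runas) [TAG:] commands
RULE = re.compile(
    r"^(?P<who>%?[\w.-]+)\s+(?P<hosts>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")

def parse_sudoers(text):
    """Return one dict per user/group specification line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE.match(line)
        if not m:
            continue
        runas = (m.group("runas") or "root").replace(" ", "")
        cmds, tags = m.group("cmds").strip(), []
        # Tags such as NOPASSWD: precede the command list.
        while ":" in cmds and cmds.split(":", 1)[0].strip().isupper():
            tag, cmds = cmds.split(":", 1)
            tags.append(tag.strip())
            cmds = cmds.strip()
        rules.append({"who": m.group("who"), "runas": runas,
                      "tags": tags, "cmds": cmds})
    return rules

def unrestricted(rules):
    """(principal, nopasswd) for grants of ALL commands as root or ALL."""
    found = []
    for r in rules:
        run_user = r["runas"].split(":")[0]
        if r["who"] != "root" and r["cmds"] == "ALL" \
                and run_user in ("ALL", "root"):
            found.append((r["who"], "NOPASSWD" in r["tags"]))
    return found
```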




7 - CAPTURING THE FLAG

- Reading flag.txt: