Sunday, December 23, 2018
W1R3S: 1.0.1
- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine w1r3s 1.0.1
- w1r3s 1.0.1 can be downloaded from here:
https://www.vulnhub.com/entry/w1r3s-101,220/
- Once downloaded and extracted with VirtualBox:
2 - ENUMERATION
- Discovering the IP:
- Scanning:
2.1 - FTP enumeration
- Let's start enumerating the FTP service in detail.
- It seems that anonymous login to the FTP service is allowed:
- Using the browser to access FTP service:
- Reading text files inside folder /content:
- Reading 01.txt:
- Reading 02.txt:
- Identifying the hash type of the first string by its length and character set, it is probably MD5:
- Cracking the MD5 hash:
- Decoding the second string:
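The identification step above relies on length and character set only, which is why the result is "probably" MD5. The following Python snippet is an added example, not part of the original writeup, that applies the same reasoning: it classifies a string as a hex digest by length or as base64 text and decodes the latter. The sample strings are constructed here and are not the contents of the FTP text files.

```python
import base64
import re

# Constructed sample strings, modelled on the kind of content found in the
# FTP text files described above (not the actual file contents).
SAMPLE_STRINGS = [
    "5d41402abc4b2a76b9719d911017c592",            # 32 hex chars: MD5-length digest
    "SGVsbG8gd29ybGQ=",                            # base64 of "Hello world"
    "da39a3ee5e6b4b0d3255bfef95601890afd80709",    # 40 hex chars: SHA-1 length
]

# Digest lengths in hex characters; a length-based guess is all this gives.
HEX_DIGEST_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256", 128: "SHA-512"}


def identify_string(s: str) -> dict:
    """Classify a string as a hex digest (guessed by length), base64 text,
    or unknown. Several unrelated algorithms share digest lengths, so the
    'guess' field is a hint for a cracking tool's --format, not a certainty."""
    s = s.strip()
    if re.fullmatch(r"[0-9a-fA-F]+", s) and len(s) in HEX_DIGEST_LENGTHS:
        return {"kind": "hex-digest", "guess": HEX_DIGEST_LENGTHS[len(s)], "decoded": None}
    if re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s) and len(s) % 4 == 0:
        try:
            decoded = base64.b64decode(s, validate=True).decode("utf-8")
            return {"kind": "base64", "guess": None, "decoded": decoded}
        except (ValueError, UnicodeDecodeError):
            pass  # valid-looking alphabet but not decodable text
    return {"kind": "unknown", "guess": None, "decoded": None}


if __name__ == "__main__":
    for sample in SAMPLE_STRINGS:
        print(sample, "->", identify_string(sample))
```

The hex check runs before the base64 check on purpose: a 32-character hex string is also a syntactically valid base64 string, so the more specific test must win.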
- Reading 03.txt:
- Reading /docs/worktodo.txt:
- Reading employee-names.txt:
- Just in case, let's store the names for later usage:
2.2 - Web enumeration
- Browsing the web server:
- Applying dirb on the web server:
- Two main directories have been found, /administrator and /wordpress:
- Going to /administrator we are redirected to /installation, where the content management system Cuppa CMS is running:
3 - EXPLOITATION
- Searching for Cuppa CMS exploits:
- The exploit 25971.txt allows a Remote/Local File Inclusion:
https://www.exploit-db.com/exploits/25971
- Reading 25971.txt:
- Following the instructions from 25971.txt and trying the exploit directly in the browser does not work:
- However, using curl we retrieve /etc/passwd. The data sent in the POST body is URL-encoded:
- Same thing for /etc/shadow:
- Same results with Burp, using the POST method instead of GET.
- It is important to notice the header Content-type: application/x-www-form-urlencoded, which indicates that the request body is URL-encoded.
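Because the body is form-urlencoded, anything inspecting it (a WAF rule, a log parser, an IDS) has to decode it before looking for traversal sequences, and attackers sometimes encode twice to slip past a single decode. The following Python snippet is an added example, not part of the original writeup or of the Cuppa CMS project, showing how a defender would decode captured POST bodies and flag file-inclusion attempts. The request bodies and the parameter names (`include`, `file`) are constructed for the example; the page does not give the exact parameter the exploit uses.

```python
from urllib.parse import parse_qs, unquote

# Constructed sample POST bodies, as a proxy capture or a web-server log that
# records request bodies would show them. Parameter names are assumptions.
SAMPLE_BODIES = [
    "page=home&lang=en",                                   # benign
    "include=..%2F..%2F..%2F..%2Fetc%2Fpasswd",            # single-encoded traversal
    "file=%252e%252e%252f%252e%252e%252fetc%252fshadow",   # double-encoded traversal
    "q=hello%20world",                                     # benign, contains encoding
]

# Values that point at local secrets or at remote resources (RFI via a URL).
SENSITIVE_MARKERS = ("/etc/passwd", "/etc/shadow", "php://", "http://", "https://")


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so that a
    double-encoded payload is inspected in the form the application would
    eventually see rather than the form that survived one decode."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_inclusion_attempts(body: str) -> list:
    """Return (parameter, decoded value) pairs that look like directory
    traversal or file/URL inclusion. parse_qs performs the decode that the
    application/x-www-form-urlencoded Content-Type announces; decode_fully
    then strips any extra layers the sender added."""
    findings = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for raw in values:
            value = decode_fully(raw)
            if "../" in value or "..\\" in value or any(m in value for m in SENSITIVE_MARKERS):
                findings.append((name, value))
    return findings


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(repr(body), "->", find_inclusion_attempts(body))
```

The decode loop is bounded so that a body designed to be decoded indefinitely cannot turn the inspector itself into a CPU sink.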
4 - CRACKING PASSWORDS WITH JOHN THE RIPPER
- Storing /etc/passwd and /etc/shadow in text files p and s, and unshadowing to text file u:
- John The Ripper is able to crack two passwords:
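The unshadow step merges each /etc/passwd record with the hash from the matching /etc/shadow record so that a cracker sees both in one line. The following Python snippet is an added example, not part of the original writeup and not John the Ripper's own code: it reproduces that merge and, from the defender's side, reports which accounts are actually exposed (unlocked, non-empty) and which hash algorithm protects them, since an md5crypt (`$1$`) hash is far cheaper to crack than sha512crypt (`$6$`). The passwd and shadow lines are constructed, with placeholder hashes, and are not the target machine's entries.

```python
# Constructed sample records in /etc/passwd and /etc/shadow format (not the
# target machine's real entries). Hash fields are placeholders, not real hashes.
PASSWD_LINES = [
    "root:x:0:0:root:/root:/bin/bash",
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash",
    "bob:x:1001:1001:Bob:/home/bob:/bin/bash",
]
SHADOW_LINES = [
    "root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:17500:0:99999:7:::",
    "daemon:*:17500:0:99999:7:::",                      # locked: no password
    "alice:$1$PLACEHOLDER$PLACEHOLDERHASH:17500:0:99999:7:::",
    "bob:!$6$PLACEHOLDERSALT$PLACEHOLDERHASH:17500:0:99999:7:::",  # locked with '!'
]

# crypt(3) hash prefixes and how they rate from an audit standpoint.
HASH_ALGORITHMS = {
    "$1$": "md5crypt (weak)",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
    "$2b$": "bcrypt",
    "$2y$": "bcrypt",
}


def unshadow(passwd_lines, shadow_lines):
    """Merge passwd and shadow records the way the unshadow utility does:
    the 'x' in the second passwd field is replaced by the shadow hash field."""
    hashes = {}
    for line in shadow_lines:
        name, hash_field = line.split(":", 2)[:2]
        hashes[name] = hash_field
    merged = []
    for line in passwd_lines:
        fields = line.split(":")
        fields[1] = hashes.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return merged


def audit_shadow(shadow_lines):
    """Report, per account, whether the entry can be attacked at all and
    which hash algorithm protects it. '*' and a leading '!' mark locked or
    unusable passwords; an empty field means no password is required."""
    report = {}
    for line in shadow_lines:
        name, hash_field = line.split(":", 2)[:2]
        if hash_field == "":
            report[name] = "EMPTY PASSWORD"
        elif hash_field == "*" or hash_field.startswith("!"):
            report[name] = "locked"
        else:
            report[name] = next(
                (label for prefix, label in HASH_ALGORITHMS.items() if hash_field.startswith(prefix)),
                "unknown/legacy",
            )
    return report


if __name__ == "__main__":
    for line in unshadow(PASSWD_LINES, SHADOW_LINES):
        print(line)
    print(audit_shadow(SHADOW_LINES))
```

Entries reported as "md5crypt (weak)", "unknown/legacy" or "EMPTY PASSWORD" are the ones to fix first; on a modern system forcing a password change migrates the hash to whatever ENCRYPT_METHOD is configured in login.defs.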
5 - LOW PRIVILEGE REMOTE SHELL
- The credentials w1r3s:computer allow connecting to the remote machine over SSH:
6 - PRIVILEGE ESCALATION
- Privilege Escalation is easy because user w1r3s is a sudoer with (ALL : ALL) ALL privileges:
- Getting a root shell:
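A sudoers entry of the form `user ALL=(ALL : ALL) ALL` is root-equivalent, which is why the escalation above is a single command. The following Python snippet is an added example, not part of the original writeup, that parses sudoers rules and flags the ones a hardening review would question: unrestricted grants to anyone other than root, and NOPASSWD tags. The sudoers content is constructed for the example; only the w1r3s line mirrors the grant the page describes, and the other entries are made up to show what restrictive and NOPASSWD rules look like. The parser covers plain user, %group and host rules and skips Defaults and alias lines; it does not resolve aliases.

```python
import re

# Constructed sudoers content (not the target's real file). The w1r3s line
# mirrors the (ALL : ALL) ALL grant described above; the rest are invented.
SAMPLE_SUDOERS = """
# Host alias specification
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
w1r3s   ALL=(ALL : ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
deploy  ALL=(www-data) /usr/bin/systemctl restart nginx
%admin  ALL=(ALL) ALL
"""

# Shape of a user specification: who  host=(runas_user[:runas_group]) [TAG:] commands
SUDOERS_RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)

SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")


def audit_sudoers(text: str) -> list:
    """Return (who, finding) pairs for rules that grant any command as root
    (to someone other than root) or that skip the password prompt."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = SUDOERS_RULE.match(line)
        if not m:
            continue
        who = m["who"]
        runas = (m["runas"] or "").strip()
        # With no (runas) list sudo uses runas_default, which is root.
        runas_user = runas.split(":")[0].strip() if runas else "root"
        cmds = m["cmds"].strip()
        if cmds == "ALL" and runas_user in ("ALL", "root") and who != "root":
            findings.append((who, "unrestricted: can run any command as root"))
        if "NOPASSWD" in m["tags"].upper():
            findings.append((who, f"NOPASSWD: {cmds}"))
    return findings


if __name__ == "__main__":
    for who, finding in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{who:8} {finding}")
```

The deploy entry is what a least-privilege grant looks like: one command, one target user, password still required. The w1r3s and %admin entries are the ones that turn any credential leak into a root compromise.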
7 - CAPTURING THE FLAG
- Reading flag.txt: