RootThis: 1 vulnhub walkthrough
Hello followers. Starting with this article, we will share our solutions for vulnerable machines from both Vulnhub (www.vulnhub.com) and Hackthebox (www.hackthebox.eu).
The first machine will be “RootThis: 1”, which can be downloaded from the following URL: https://www.vulnhub.com/entry/rootthis-1,272
This article will discuss the following steps:
• Getting the machine IP address.
• Scanning the machine for open ports and running services.
• Brute forcing web server directories and files.
• Detecting the Drupal version.
• Determining the file type.
• Cracking password-protected ZIP files.
• Cracking Drupal user credentials.
• Getting a reverse shell on the Drupal-hosted server.
• Enumerating the server for users and important files.
• Spawning the reverse shell using the socat tool.
• Cracking the root user password locally using the sucrack tool.
After downloading the OVA file, importing it into VirtualBox and powering it on, we have to get its IP address. So, we run a ping sweep scan using Nmap against our whole lab subnet. We found that the IP address of “RootThis: 1” is 10.0.2.13.
Then, we scan the target VM for open ports using Nmap. We found only one open port among the top 1000 well-known ports (also, when we scanned all ports using the “-p-” option, we got the same result).
The open port was 80, running “Apache httpd 2.4.25”, and the host OS was Debian. So, we can open it in any browser. When we opened it, we found the default Apache home page. So, we checked whether the “robots.txt” file exists.
The robots.txt file was not found. So, we have to brute force both files and directories on the web server. There are many tools that can do this job (e.g. dirb, dirbuster, etc.). We used dirbuster with the following settings:
After dirbuster completed its brute forcing job, we found the following interesting files and directories. So, we started browsing them.
The first directory (drupal) was the home page of a site built using Drupal, which is one of the most commonly used CMSs (Content Management Systems). As we already know, many vulnerabilities have been discovered in this CMS.
Detecting the version of Drupal will tell us whether this Drupal website is vulnerable to the drupalgeddon or drupalgeddon2 (https://blog.rapid7.com/2018/04/27/drupalgeddonvulnerability-what-is-it-are-you-impacted/) vulnerabilities, which lead to RCE (Remote Code Execution). To detect the version, we can check the “CHANGELOG.txt” file, which is located by default in the home directory of Drupal websites.
After checking this file we found that this website is not vulnerable to the previous vulnerabilities. So, we tried to log in using well-known credentials (admin:admin, admin:password, etc.), but we could not log in to “Drupal”.
Then we downloaded the “backup” file to our local machine.
It is a file without an extension, so we used the Linux “file” command to check its type, and we found that it is a ZIP file.
We tried to extract the file, but it asked for a password. So, we tried to crack the password using “fcrackzip” with the “rockyou.txt” wordlist and found that the password was “thebackup”. So, we used it to unzip the backup file.
After unzipping the file we got a dump.sql file. When we opened it we found that it is a dump of the Drupal website database (MySQL). So, we searched for the users table data. This table contains the information (i.e. credentials) of the users registered on the Drupal website.
We found that the file contains information for two users (webman & root). We saved those credentials to a text file to try cracking them.
Using the “John The Ripper” utility with the “rockyou.txt” wordlist, we cracked the password of the “webman” user.
So, we tried to login using the cracked password and we succeeded 😀 …
We found that we can install new modules on the Drupal website. So, we installed and enabled the Drupal “Shell” module version 7.x-1.0-beta5 (https://www.drupal.org/project/shell) as follows:
We think there was a bug in this module, because we could not use it to get a reverse shell by running commands. So, we tried to use it to create a new “PHP” file on the server. To do that, we visited the following URL:
Then we opened the well-known “PHP” reverse shell “php-reverse-shell.php”, which is located in the “/usr/share/webshells/php/” directory (Kali Linux), and changed both the IP & port as follows:
Then we copied the updated content, pasted it into the “edit-file” option and saved the file.
Then we started the “netcat” utility listening on port 4444 on our “Kali Linux” machine and visited the “PHP” webshell file: “http://10.0.2.13/drupal/shell.php”. This gave us a command-line shell on the back-end server.
The shell we got had “www-data” privileges, so we have to root the server. After enumerating the current users on the server, we found one whose username was “user”. So, we visited the user’s home directory and found a file named “MessageToRoot.txt”, which told us that the root password is weak and is one of the first 300 words in “rockyou.txt”.
But wait, the only open port was the “HTTP” port and the “SSH” one was closed. So, we have to find a way to crack the root password locally on the vulnerable server. After searching Google, we found a tool called “sucrack” (https://labs.portcullis.co.uk/tools/sucrack/), which uses the “su” command to crack Linux passwords.
The remaining problem was that, after checking whether we could run the “su” command from the current shell, we found that we could not. Also, Python is not installed on the server. So, we have to find a way to spawn a shell in which we can run the “su” command.
One way is to use the “socat” binary, which can be found at the following URL: https://github.com/andrew-d/static-binaries/tree/master/binaries/linux/x86_64
So, we downloaded it into our “Kali Linux” Apache server home directory and started the Apache service as follows:
Then, we downloaded it to the vulnerable server using the “wget” utility, made it executable using the “chmod” command and then executed it to make a reverse shell to our “Kali Linux” machine on port “5555” as follows:
On the other side, we already had an “nc” session listening on port “5555” on the “Kali Linux” machine. To be sure that we had spawned a shell, we tried to run the “su” command and it worked.
The last thing was downloading the “sucrack” tool, compiling it on our “Kali Linux” machine (because the vulnerable server doesn’t have a C compiler) and then moving it, together with the first 300 words of the “rockyou.txt” wordlist, to the vulnerable server. We did that as follows:
1- Untar the “sucrack” source.
2- Move to the “sucrack” directory.
3- Run the ./configure script.
4- Run the make command.
5- Tar the “sucrack” directory again.
6- Move the tar file to the “Kali Linux” Apache server home directory.
7- Save the first 300 words of the “rockyou.txt” wordlist to a new file in the “Kali Linux” Apache server home directory.
8- Download the “sucrack” tar file from “Kali Linux” to the vulnerable server.
9- Download the passwords file from “Kali Linux” to the vulnerable server.
10- Untar the “sucrack” tar file.
11- Move to the “sucrack-1.2.3/src” directory.
12- Run “sucrack” and let it use the downloaded passwords.txt file to crack the root user password.
We got the root password, which was “789456123”. So, we switched user to root and read the flag.txt file.
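From the defender's side, a sucrack run like the one above leaves a burst of failed “su” attempts in the PAM auth log. As an added example that is not part of the original walkthrough, the detector below reads syslog-style pam_unix(su:auth) failure lines and raises one alert per source user and target user pair that reaches a threshold of failures inside a sliding time window. The log lines are constructed samples in Debian's auth.log format, and the year is an assumption because syslog timestamps do not carry one.

```python
import re
from collections import deque
from datetime import datetime

# Constructed auth.log excerpt: five quick su failures from www-data against root (the
# sucrack pattern), one unrelated failure by "user", and one successful su session.
SAMPLE_AUTH_LOG = """\
Mar  5 21:14:01 rootthis su[2231]: pam_unix(su:auth): authentication failure; logname= uid=33 euid=0 tty=/dev/pts/0 ruser=www-data rhost=  user=root
Mar  5 21:14:02 rootthis su[2232]: pam_unix(su:auth): authentication failure; logname= uid=33 euid=0 tty=/dev/pts/0 ruser=www-data rhost=  user=root
Mar  5 21:14:02 rootthis su[2233]: pam_unix(su:auth): authentication failure; logname= uid=33 euid=0 tty=/dev/pts/0 ruser=www-data rhost=  user=root
Mar  5 21:14:03 rootthis su[2234]: pam_unix(su:auth): authentication failure; logname= uid=33 euid=0 tty=/dev/pts/0 ruser=www-data rhost=  user=root
Mar  5 21:14:03 rootthis su[2235]: pam_unix(su:auth): authentication failure; logname= uid=33 euid=0 tty=/dev/pts/0 ruser=www-data rhost=  user=root
Mar  5 21:20:00 rootthis su[2300]: pam_unix(su:auth): authentication failure; logname=user uid=1000 euid=0 tty=/dev/pts/1 ruser=user rhost=  user=root
Mar  5 21:20:10 rootthis su[2301]: pam_unix(su:session): session opened for user root by user(uid=1000)
""".splitlines()

# One pam_unix(su:auth) failure line: syslog timestamp, host, "su[pid]:", then the PAM fields.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ su(?:\[\d+\])?: pam_unix\(su:auth\): "
    r"authentication failure;.*?ruser=(?P<ruser>\S*).*?user=(?P<user>\S+)"
)


def parse_failures(lines, year=2019):
    """Yield (timestamp, source_user, target_user) for each failed su attempt (year is assumed)."""
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ruser"], m["user"]


def detect_su_bruteforce(lines, threshold=5, window_s=60):
    """Return [((source_user, target_user), failures_in_window, time_of_alert), ...]."""
    recent = {}          # (source, target) -> deque of failure times still inside the window
    alerts = []
    alerted = set()
    for ts, src, dst in parse_failures(lines):
        q = recent.setdefault((src, dst), deque())
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and (src, dst) not in alerted:
            alerted.add((src, dst))
            alerts.append(((src, dst), len(q), ts))
    return alerts


if __name__ == "__main__":
    for (src, dst), n, ts in detect_su_bruteforce(SAMPLE_AUTH_LOG):
        print(f"{ts}: {n} failed su attempts from {src} to {dst} within the window")
```

On a real host the same signal can be fed from auth.log or journald; www-data switching users at all is worth an alert on its own, since a web server account has no business running su.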