Webdeveloper: 1 vulnhub walkthrough
Hello followers. Today’s article will be vulnhub walkthrough for one of the newly published vulnerable machine on “Vulnhub” website. The machine name is “Webdeveloper: 1” and you can download it from the following link : Download OVA File
In this article you will learn the following:
- Using nmap to find opened ports & running services.
- Detecting technologies used to build web apps.
- Scanning WordPress websites for vulnerabilities & enumerating users.
- Enumerating directory structure on web-servers by brute-forcing them.
- Analyzing pcap files using WireShark.
- Getting reverse shell to the back-end server from WordPress websites.
- Enumerating linux hosts and finding reused credentials.
- Privilege escalation and getting root using sudo.
As usual, we have to get the machine IP after downloading and importing it to our virtualization software. We have many ways to do this, but I did nmap ping sweep scan to get all the IPs in my virtualbox network and I got that the machine IP is 10.0.2.11.
The second step is to scan for all open ports on that machine to start enumerating the services running on the opened ports. I found that the machine has only two opened ports 22 (SSH) & 80 (HTTP).
Next, I start surfing the hosted website on the HTTP port (port 80) and I found from the web title & html source code that it is a website built using WordPress which is one of the most used CMS (content Management Systems) to build and maintain websites.
But, to be sure that this website is hosted by WordPress and to get the version of WordPress I used one of the web technologies detecting tools which is installed by default in “Kali Linux”. This tool called “whatweb”.
The tool shows that the website was built using WordPress version 4.9.8.
After that, I started enumerating the WordPress website using wpsan tool, which is used to detect weaknesses in WordPress websites. The tool gives me that there are eight vulnerabilities in this WordPress website but no one can be exploited to get a reverse shell.
So, I tried to enumerate the existing users (using wpscan tools) on the WordPress website and then I can check if one of them uses a week password which can be found in “rockyou.txt” word-list or any other well-known word-lists. Unfortunately, the tool can not detect and enumerate the users!!!
Next, I tried to enumerate the directory structure behind the web server. As usual, I used “dirbuster” with “common.txt” word-list with the following settings.
I found that there is an interesting directory called “ipdata” with directory listing option enabled.
After viewing this directory using firefox, I found that it contains packet capture file called “analyze.pcap”.
After downloading, opening, and analyzing the file using wireshark, I found that it contains a request to the WordPress admin area. That request contains the credentials for the WordPress.
username : webdeveloper
password : Te5eQg&4sB!Yr$)wf%(DcAd
So, I used them to login to the admin area for WordPress website..
From here, I have to upload a reverse webshell to the server so that I can run commands and tried rooting it. There are many ways I can follow to do this, like using metasploit module (exploit/unix/webapp/wp_admin_shell_upload) or uploading it by editing the themes or Plugins “PHP” files.
I decided to update the “404.php” file for the “Twenty Sixteen” theme as follows :
1- opening the php-reverse-shell.php file.
2- editing both IP and port numbers.
3- Visit appearance –> Editor .
4- Select “404.php” theme file.
5- paste the updated content of “php-reverse-shell.php” on the text area and press “Update File” button.
To get a reverse shell I started nc reverse shell on “Kali Linux” machine, then visited the updated “404.php” file from the firefox browser and got a reverse shell with “www-data” user privileges.
Then, I enumerate the mysql credentials used by wordpress. The credentials stored in “wp-config.php” file. After opening this file I found the credentials for mysql db and from my enumeration on “/etc/passwd” file I found that there is a user called “webdeveloper” in linux server.
So, I tired to login with those credentials using ssh service and I succeeded.
One, of the privilege escalation techniques is to check if the current user has sudo and what the commands the user can run using sudo. For those who did not know what sudo means, it is simply a functionality that allow linux users to run command as another user.
From the following figure, we can show that the “webdeveloper” user can run the “tcpdump” command as root user using the sudo functionality.
That’s good, because we can exploit this functionality (tcpdump with sudo) to get a reverse shell to “Kali Linux” as root user. To do that I run the following commands from the SSH and got root shell on my “Kali Linux” machine.
Actually, I tried many ways to run a reverse shell using “nc”, “bash”, … etc but I failed. So, I decided to use the previously uploaded “PHP” shell to get a reverse shell as root server. Also, I tried not to use metasploit to help those who prepare for OSCP to increase their skills and pass the exam.
I hope that this walkthrough looks good for you and wait us for next one. Finally, if you have any question, comment, or addition put it as a comment.