Vulnhub UA: Literally Vulnerable — Walkthrough

Overview

According to the maker, the initial shell is easy and privesc is intermediate, but I don’t think so. The machine was very easy from start to end and took 1 hour and 30 minutes to complete. WordPress is running on port 65535 and is exploited to get an initial shell as www-data. After that there is a setuid binary that takes its input from an environment variable; exploiting it gives a shell as user john, and john’s sudo permissions lead to root.

Enumeration

Started with an nmap scan.

4 Open Ports

nmap found 4 open ports.

21:FTP

From nmap we found that anonymous login is enabled on port 21 and that there is a readable file, backupPasswords. Downloaded it to the local machine; it contains a list of passwords for a user Doe, one of which is said to be correct.

These passwords look like the ones WordPress generates, and WordPress is running on port 80, so that is where to try them.

80:Apache

A newly deployed WordPress with nothing in the posts. wpscan found nothing other than the user admin. Clicking Log In redirects to http://literally.vulnerable/wp-login.php; after adding this domain to /etc/hosts the login page is reachable.

Brute force on login

# hydra -l admin -P pass.txt literally.vulnerable http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:F=ERROR'

No passwords found. Directory brute forcing and nikto turned up nothing interesting either…

But then I remembered that there is one more port to enumerate.

65535:Apache

The home page is the default Apache page. After directory brute forcing with a few wordlists, found a directory /phpcms, which hosts another WordPress with a password-protected post and a comment.

From this comment we learn that the WordPress password for user john is inside that protected post, but we need a way to read it.

wpscan found two users, maybeadmin and notadmin. Saved both usernames in a file user.txt and brute forced them with the passwords we got from FTP:

# wpscan --url http://literally.vulnerable:65535/phpcms --usernames user.txt --passwords pass.txt
Found a valid password for one of the users.

After logging in, this account is a plain user and can’t do much, but it can view the password-protected post, which contains the password for user notadmin.

Logged in as notadmin, which turns out to be a WordPress administrator.

Initial Shell

Go to Plugins > Add New > Upload Plugin and upload any PHP shell you prefer. I used php-reverse-shell.php; before uploading, edit the script and set the IP and port you want the reverse connection to come back to.

Similar writeup: https://github.com/vj0shii/Vulnhun-writeups/blob/master/Webdeveloper.pdf

WordPress will report an error that the plugin could not be installed, but the file has already been written to the uploads directory:

http://literally.vulnerable:65535/phpcms/wp-content/uploads/2019/12/

The uploaded PHP shell is there. Start nc listening on the chosen port and browse to the shell.

To get a proper shell (the stty and fg steps are typed into the local terminal that is running nc):

$ python3 -c 'import pty;pty.spawn("/bin/bash")'
Ctrl+Z
# stty raw -echo
# fg
$ reset

Privilege Escalate to User John

There are two users, doe and john. John’s home directory contains only user.txt, which we can’t read. doe’s home directory is more interesting: a message from admin not to delete a sensitive file, local.txt which is not accessible, and a binary named itseasy that runs as user john because it is owned by john and has the setuid bit set:

-rwsr-xr-x 1 john john 8632 Dec  4 12:26 itseasy

Running this binary prints the current directory:

www-data@literallyvulnerable:/home/doe$ ./itseasy 
Your Path is: /home/doe

Initially I thought it was executing the pwd command and could be exploited the way we did in pwnlab:init, but that is not the case. Running strings on the binary showed getenv among other keywords, which pointed me to the PWD environment variable: the binary must be printing the value of PWD. So I changed it:

$ export PWD=";/bin/bash"

The semicolon splits the command line into two commands, so bash is executed as the second one, with the binary’s effective uid. Running the binary then gave me a shell as john. This works because the unprivileged caller controls the environment of a setuid process: the dynamic loader strips variables such as LD_PRELOAD for setuid binaries, but PWD is passed through untouched.

Privilege Escalate to root

In user.txt it is written that

Almost there! Remember to always check permissions! It might not help you here, but somewhere else! ;)

Permissions…. I thought the things to check were sudo and SUID. We don’t have john’s password for sudo, so I focused on SUID binaries, but after some time found nothing. When I was out of ideas I remembered https://guif.re/linuxeop, which helped me a lot during OSCP.

Going through that page I found the find command for harvesting password files:

$ find . -type f -iname "*password*"

I gave it a try, and it found a file containing john’s password, base64 encoded; decoded it.

Now we can run sudo -l to see john’s sudo permissions.

Looking at the permission I thought it would be very easy, and it really was.

In another shell as www-data, created a file test.html inside /var/www/html with the content

#!/bin/bash
/bin/bash

and set its permissions to 777 (anyone can read, write and execute it).

Then from john’s shell executed it with sudo and got a root shell. This is the permissions hint from user.txt: a sudo rule that points at a file in a directory another user (www-data) can write to lets that user choose what runs as root.

Vaibhav Joshi
Security Researcher | OSCP