Vulnhub: COFFEE ADDICTS: 1
Yesterday evening I did Explore from HTB but that’s a new machine so no writeup. It was pretty neat though. So, instead of that here is:
COFFEE ADDICTS: 1
This is COFFEE ADDICTS: 1 from VulnHub.
Our coffee shop has been hacked!! Can you fix the damage and find who did it?
It doesn’t say how difficult it’s supposed to be, but I’ll say easy. Let’s go.
Ports
SSH and HTTP only.
HTTP
The premise here is that the website has been hacked. It’s WordPress (a recent version), but the username and password are ‘hiding’ in plain sight, so yeah no wonder lol.
At http://coffeeaddicts.thm/wordpress/?p=9#comments we find this caption under a photo of some hobo looking dude:
gus i need you back
And underneath that is this:
Lucy Longmire says:
April 16, 2021 at 12:19 am
yo, is that your password??
gus says:
April 16, 2021 at 12:19 am
Maybe…
what could go wrong? uwur
Just to drive the point home. So, we log in to WordPress with gus:gusineedyouback and I get a shell by uploading a plugin.
Root
The system has been pwned by BadByte, who has created themselves an SSH key which we can read.
www-data@CoffeeAdicts:/home/badbyte/.ssh$ ls -lash
ls -lash
total 12K
4.0K drwxr-xr-x 2 root root 4.0K Apr 6 15:09 .
4.0K drwxr-xr-x 5 badbyte badbyte 4.0K Apr 15 16:03 ..
4.0K -rw-r--r-- 1 root root 1.8K Apr 6 15:09 id_rsa
The key is encrypted with a weak passphrase, so it’s ssh2john, crack it, then log in:
┌──(root💀kali)-[/opt/vulnhub/coffee]
└─# ssh -i id_rsa [email protected]
Enter passphrase for key 'id_rsa':
[email protected] password:
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-140-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Tue Jun 29 02:02:36 AKDT 2021
System load: 0.0 Processes: 108
Usage of /: 52.3% of 7.81GB Users logged in: 0
Memory usage: 56% IP address for enp0s3: 192.168.1.57
Swap usage: 0%
* Super-optimized for small spaces - read how we shrank the memory
footprint of MicroK8s to make it the smallest full K8s around.
https://ubuntu.com/blog/microk8s-memory-optimisation
81 packages can be updated.
49 of these updates are security updates.
To see these additional updates run: apt list --upgradable
Last login: Sun Jun 20 01:49:14 2021 from 192.168.1.210
badbyte@CoffeeAdicts:~$ sudo -l
[sudo] password for badbyte:
Matching Defaults entries for badbyte on CoffeeAdicts:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User badbyte may run the following commands on CoffeeAdicts:
(root) /opt/BadByte/shell
badbyte@CoffeeAdicts:~$ sudo -u root /opt/BadByte/shell
BadByte # id;hostname;date
uid=0(root) gid=0(root) groups=0(root)
CoffeeAdicts
Tue Jun 29 02:03:00 AKDT 2021
BadByte # cd /root
BadByte # sh: 1: /root: Permission denied
BadByte # ls /root
BadByte # sh: 1: /root: Permission denied
BadByte # /bin/bash
root@CoffeeAdicts:~# cd /root
root@CoffeeAdicts:/root# ls -lash
total 36K
4.0K drwx------ 3 root root 4.0K Apr 6 15:02 .
4.0K drwxr-xr-x 23 root root 4.0K Apr 6 12:54 ..
4.0K -rw------- 1 root root 1.1K Apr 6 14:28 .bash_history
4.0K -rw-r--r-- 1 root root 3.1K Apr 9 2018 .bashrc
4.0K drwxr-xr-x 3 root root 4.0K Apr 6 13:33 .local
4.0K -rw------- 1 root root 142 Apr 6 13:41 .mysql_history
4.0K -rw-r--r-- 1 root root 148 Aug 17 2015 .profile
4.0K -rw------- 1 root root 20 Apr 6 15:02 .python_history
4.0K -rw-r--r-- 1 root root 25 Apr 6 14:28 root.txt
root@CoffeeAdicts:/root# cat root.txt
THM{im_the_shell_master}
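The root-owned, world-readable id_rsa in badbyte's home is exactly what a periodic audit of every user's .ssh directory should catch. The script below is an added example of such a check (mine, not the author's or the VM's code): it flags private keys that other users can read, that someone other than the home's owner owns, or that carry no passphrase, and it runs against constructed fixtures with no real key material (the badbyte/lucy directories and file contents are assumed).

```python
import base64, stat, struct, tempfile
from pathlib import Path

MAGIC = b"openssh-key-v1\x00"  # header of the OpenSSH private-key container

def is_passphrase_protected(data: bytes) -> bool:
    """Encrypted if a PEM key carries 'Proc-Type: 4,ENCRYPTED' or an OpenSSH v1 blob's ciphername is not 'none'."""
    if b"Proc-Type: 4,ENCRYPTED" in data:
        return True
    if b"BEGIN OPENSSH PRIVATE KEY" in data:
        body = b"".join(ln for ln in data.splitlines() if not ln.startswith(b"-----"))
        raw = base64.b64decode(body)
        if raw.startswith(MAGIC):
            n = struct.unpack(">I", raw[len(MAGIC):len(MAGIC) + 4])[0]
            return raw[len(MAGIC) + 4:len(MAGIC) + 4 + n] != b"none"
    return False

def audit_ssh_dirs(home_root) -> list:
    """(relative path, problem) for private keys under <home_root>/*/.ssh readable by others, foreign-owned or unencrypted."""
    root, findings = Path(home_root), []
    for home in sorted(root.iterdir()):
        for key in sorted((home / ".ssh").glob("*")):  # yields nothing if .ssh is absent
            if key.suffix == ".pub" or not key.is_file():
                continue
            data = key.read_bytes()
            if b"PRIVATE KEY-----" not in data:  # skip config, known_hosts, authorized_keys
                continue
            st, rel = key.stat(), key.relative_to(root).as_posix()
            if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append((rel, "readable by group/others"))
            if st.st_uid != home.stat().st_uid:  # e.g. a root-owned key dropped into a user's .ssh
                findings.append((rel, "not owned by home owner"))
            if not is_passphrase_protected(data):
                findings.append((rel, "no passphrase"))
    return findings

def run_sample() -> list:
    """Audit constructed fixtures (no real key material): badbyte's key is an unencrypted OpenSSH
    blob left mode 0644 as in the writeup; lucy's is a passphrase-protected PEM key at 0600."""
    with tempfile.TemporaryDirectory() as d:
        bad, good = Path(d, "badbyte", ".ssh"), Path(d, "lucy", ".ssh")
        bad.mkdir(parents=True)
        good.mkdir(parents=True)
        (bad / "id_rsa").write_bytes(b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(
            MAGIC + struct.pack(">I", 4) + b"none") + b"\n-----END OPENSSH PRIVATE KEY-----\n")
        (bad / "id_rsa").chmod(0o644)
        (good / "id_rsa").write_bytes(b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                                      b"DEK-Info: AES-128-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")
        (good / "id_rsa").chmod(0o600)
        return audit_ssh_dirs(d)
```

Point audit_ssh_dirs at /home on a real box to get the same tuples for every user's keys; the ownership check only fires where the key's uid differs from the home directory's.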
So, nothing groundbreaking here but I guess it’s all grist to the mill.
Oh, obviously at some stage this was intended to be a THM room. It’s listed as private at the moment, but you can still join if you know how :)