Vulnhub - Cewlkid: 1
An intermediate boot2root.
The name is a hint.
The start is CTF but the end is real world and worth the effort.
Created in Virtualbox.
Goal: Get the root flag.
Real world eh? Sounds interesting. Let’s see what we’ve got…
We’ve got SSH and two HTTP ports: 80 and 8080. There’s nothing on 80; it’s all on 8080.
The webserver on 8080 is running the Sitemagic CMS, which has default credentials of admin:admin. These don’t work.
After a bunch of enumeration turns up nothing, it’s time to actually pay attention to the hint and run cewl to generate a wordlist from the site contents. Once we’ve done that we run it through Burp Turbo Intruder and learn that the admin password is Letraset, which is a word that appears in the site’s own text.
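The lesson on the defending side is that a password taken from the site’s own content is one cewl-style wordlist away from being recovered. Here is an added example (mine, not code from the writeup or from the CMS) of the mitigating check: build the same word set from the page content and refuse any password whose alphabetic core is one of those words, or two of them glued together. The HTML page is constructed for the example, and the minimum word length is a policy choice, not a cewl default.

```python
"""Reject passwords that appear in the site's own published content.

Added example, not code from the original writeup: the admin password on this
box was a word (Letraset) taken from the site text, which is exactly what a
cewl-style wordlist recovers.  The defensive counterpart is to build the same
word set from the site content and refuse any password whose alphabetic core
is one of those words (or two of them joined).  SAMPLE_HTML is a constructed
page; the tag stripping is regex-based for brevity, so use a real HTML parser
on production pages.
"""
import re

# Constructed sample page.  'Letraset' mirrors the hint in the writeup;
# the <script> body must not contribute words.
SAMPLE_HTML = """
<html><head><title>Cewlkid Design Studio</title></head>
<body>
<h1>Lorem Ipsum</h1>
<p>Contrary to popular belief, Lorem Ipsum is not simply random text.
It was popularised in the 1960s with the release of Letraset sheets
containing Lorem Ipsum passages.</p>
<script>var tracking = "ignored";</script>
</body></html>
"""

MIN_WORD_LEN = 4  # policy choice for this example: ignore very short tokens


def extract_words(html, min_len=MIN_WORD_LEN):
    """Lower-cased alphabetic words of at least min_len characters in the visible text."""
    # Drop script/style bodies first, then every remaining tag.
    text = re.sub(r"<(script|style)\b.*?</\1\s*>", " ", html, flags=re.S | re.I)
    text = re.sub(r"<[^>]+>", " ", text)
    return {w.lower() for w in re.findall(r"[A-Za-z]+", text) if len(w) >= min_len}


def normalise(password):
    """Reduce a password to its alphabetic core so common mangling
    (Letraset1!, LETRASET, letraset2020) still matches the site word."""
    return re.sub(r"[^a-z]", "", password.lower())


def password_is_site_derived(password, site_words):
    """True if the password's core is a site word or two site words joined."""
    core = normalise(password)
    if not core:
        return False
    if core in site_words:
        return True
    return any(core.startswith(w) and core[len(w):] in site_words for w in site_words)


def check_policy(password, html=SAMPLE_HTML):
    """Return 'reject' or 'accept' for a candidate password against the page."""
    return "reject" if password_is_site_derived(password, extract_words(html)) else "accept"


if __name__ == "__main__":
    for candidate in ("Letraset", "Letraset1!", "LoremIpsum99", "correct-horse-battery"):
        print(f"{candidate:24} -> {check_policy(candidate)}")
```

Run against the real site you would feed it the rendered HTML of every public page, not just one, and keep the word set refreshed as content changes.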
Well, according to exploit-db we can upload arbitrary files, which includes any old PHP reverse shell. In fact the maker seems to have left one on the box already, but it has a different IP to mine so I had to make my own. Well, pentestmonkey made it for me, but you get the idea. We upload it, execute it, and we’re in.
Whether or not this is actually an ‘exploit’ or a deliberate design choice by the CMS maker is not clear to me, but I guess it doesn’t really matter.
On the box
Looking at /etc/passwd we have a few different users, and in running sudo -l we find our user (www-data) can run cat as user ipsum. So maybe ipsum has something for us?
Yes actually. Running:
brings us to an interesting-looking file, and when we read it:
So what’s that about? It’s base64, and decodes to:
ipsum : SpeakPeople22!
lorem : PeopleSpeak44!
Great, so now we’ve got two users with passwords, and we can SSH in and su between them at will.
Now what? Well, one of our users (lorem) has been set up in /etc/sudoers to read /etc/shadow with base64, which we again learn by running sudo -l. So … we can simply decode the base64 and now we have the shadow file. So that’s all well and good, but surely it’s more on the CTF end of the spectrum than the real world end?
Anyway, moving on. We can crack the hash for yet another user (zerocewl) using our wordlist that we gathered earlier using cewl:
.\hashcat64.exe -m 1800 .\hash.txt .\words.txt .\rules\best64.rule
Note: I ran hashcat on my Windows host rather than on Kali. I probably didn’t need to include the rules but I did anyway; it was a short wordlist.
Now we have another set of creds:
When we run linpeas we can see this in the processes:
root 1994 0.0 0.8 27088 8256 ? S 10:26 0:00 /root/pth-toolkit-master/bin/winexe -U cewlbeans%fondateurs //kali whoami
Is that another password? Why yes, yes it is.
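This one is the genuinely real-world part of the box: a credential passed on a command line is readable by every local user through ps or /proc/<pid>/cmdline. As an added example (mine, not from the writeup or from linpeas), here is a small detector that scans ps-style output for the user%password form that winexe and smbclient accept, and for --password= style arguments, and reports each exposure with the secret redacted. The ps sample is constructed, modelled on the line above, with placeholder passwords.

```python
"""Flag processes whose command line carries a password in clear text.

Added example, not code from the original writeup: linpeas showed the author a
root process running winexe with '-U user%password', and every local user can
read that argument through 'ps' or /proc/<pid>/cmdline.  This scans ps-style
output (SAMPLE_PS is constructed, modelled on the line in the writeup, with
placeholder secrets) and returns one finding per exposed credential, with the
secret redacted so the detector's own output does not leak it.
"""
import re

# Constructed 'ps aux' sample.  The winexe line has the shape of the one in
# the writeup; the passwords are placeholders, not values from the box.
SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY STAT START TIME COMMAND
root         1  0.0  0.4 225000  9000 ?   Ss   10:25 0:01 /sbin/init
root      1994  0.0  0.8  27088  8256 ?   S    10:26 0:00 /root/pth-toolkit-master/bin/winexe -U cewlbeans%EXAMPLE_PASS //kali whoami
www-data  2201  0.0  0.3  33000  6000 ?   S    10:27 0:00 mysql -u app --password=EXAMPLE_DB_PASS appdb
ipsum     2310  0.0  0.1  12000  2000 ?   S    10:28 0:00 smbclient //fileserver/share -U ipsum
"""

# Each pattern yields an (account, secret) pair; account may be None.
PATTERNS = [
    # '-U user%password' as accepted by winexe and smbclient
    ("user%password", re.compile(r"(?:^|\s)-U\s+([^\s%]+)%(\S+)")),
    # '--password=value' or '--password value' as accepted by many CLI clients
    ("--password", re.compile(r"--password(?:=|\s+)(\S+)")),
]


def redact(secret):
    """Keep only the first character so a finding cannot be replayed."""
    return secret[:1] + "*" * (len(secret) - 1)


def find_exposed_credentials(ps_output):
    """Return a list of findings for command lines that embed a password."""
    findings = []
    for line in ps_output.splitlines():
        parts = line.split(None, 10)          # 'ps aux' has 11 columns
        if len(parts) < 11 or not parts[1].isdigit():
            continue                          # header or malformed line
        user, pid, cmd = parts[0], int(parts[1]), parts[10]
        tool = cmd.split()[0].rsplit("/", 1)[-1]
        for kind, rx in PATTERNS:
            m = rx.search(cmd)
            if not m:
                continue
            account = m.group(1) if kind == "user%password" else None
            secret = m.group(2) if kind == "user%password" else m.group(1)
            findings.append({
                "pid": pid, "user": user, "tool": tool, "pattern": kind,
                "account": account, "secret_hint": redact(secret),
            })
    return findings


if __name__ == "__main__":
    for f in find_exposed_credentials(SAMPLE_PS):
        print(f"pid {f['pid']} ({f['user']}) {f['tool']}: "
              f"{f['pattern']} account={f['account']} secret={f['secret_hint']}")
```

The smbclient line is deliberately not flagged: -U with a bare username and no %password is the safe form. The fixes on the defending side are to hand the secret over through a credentials file (smbclient’s -A authfile) rather than argv, and to mount /proc with hidepid=2 so unprivileged users cannot list other users’ processes at all.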
Well, I guess that’s that then.
When we’re root we can read /etc/sudoers and it looks like this:
www-data ALL=(ipsum:ipsum) NOPASSWD:/usr/bin/cat
lorem ALL=(root:root) NOPASSWD:/usr/bin/base64 /etc/shadow
zerocewl ALL=(root:root) NOPASSWD:/usr/bin/cp /home/zerocewl/hosts /etc/hosts
cewlbeans ALL=(ALL:ALL) ALL
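Reading those four rules as a sysadmin would, each one is a finding in its own right, and checking for them is scriptable. The following is an added example (mine, not from the writeup) of a small sudoers auditor: it parses the plain user/host/runas/command form only (no aliases, Defaults or @include lines), and flags file readers with free arguments, readers pointed at /etc/shadow, copies into /etc as root, and an unrestricted ALL. The rule text is exactly the four lines above.

```python
"""Audit sudoers user specifications for rules that amount to a privilege
escalation path.

Added example, not code from the original writeup: SUDOERS holds the four rules
the writeup reports from /etc/sudoers.  The checker parses only the plain
'user HOST=(runas[:group]) [NOPASSWD:] command [args]' form (no aliases,
Defaults or @include lines), which is enough to show why each rule is a
finding: a file reader with free arguments, a reader pointed at /etc/shadow,
a copy into /etc as root, and an unrestricted ALL.
"""
import re

# The four rules shown in the writeup, one per line.
SUDOERS = """\
www-data ALL=(ipsum:ipsum) NOPASSWD:/usr/bin/cat
lorem ALL=(root:root) NOPASSWD:/usr/bin/base64 /etc/shadow
zerocewl ALL=(root:root) NOPASSWD:/usr/bin/cp /home/zerocewl/hosts /etc/hosts
cewlbeans ALL=(ALL:ALL) ALL
"""

RULE_RX = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>\S+?)=\((?P<runas>[^)]*)\)\s+"
    r"(?P<tags>(?:[A-Z]+:)*)(?P<cmd>.+)$"
)

# Utilities that print file contents (base64 is a reader that also encodes),
# and utilities that place caller-controlled content at a chosen path.
READERS = {"cat", "base64", "head", "tail", "less", "more", "xxd", "od", "strings"}
WRITERS = {"cp", "mv", "tee", "dd", "install"}


def audit(sudoers_text):
    """Return one finding per rule with a severity and the reasons behind it."""
    findings = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RX.match(line)
        if not m:
            continue                      # alias, Defaults or unsupported form
        user, cmd = m["user"], m["cmd"].strip()
        runas_user = m["runas"].split(":")[0]
        as_root = runas_user in ("root", "ALL")
        nopasswd = "NOPASSWD:" in m["tags"]
        argv = cmd.split()
        binary = argv[0].rsplit("/", 1)[-1]
        args = argv[1:]
        reasons = []
        if cmd == "ALL":
            reasons.append("unrestricted command list")
        if binary in READERS and not args:
            reasons.append(f"{binary} with free arguments reads any file {runas_user} can read")
        if binary in READERS and "/etc/shadow" in args:
            reasons.append("prints the password hashes in /etc/shadow")
        if binary in WRITERS and args and args[-1].startswith("/etc/"):
            reasons.append(f"replaces {args[-1]} with content {user} controls")
        if reasons and nopasswd:
            reasons.append("no password prompt")
        severity = "high" if reasons and as_root else "medium" if reasons else "info"
        findings.append({"user": user, "runas": runas_user, "binary": binary,
                         "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(SUDOERS):
        print(f"[{f['severity']}] {f['user']} -> {f['runas']} via {f['binary']}: "
              + "; ".join(f["reasons"]))
```

The www-data rule comes out as medium only because the target user is ipsum rather than root; on this box that was still enough, since ipsum’s files held the next set of credentials. The general rule of thumb the checker encodes is that a sudo entry for a utility which reads or writes arbitrary files is a rule for the files, not for the utility.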
Okay, now I’ve never worked as a Linux sysadmin but it’s not entirely clear to me which part of this is supposed to be particularly real world. Anyway it was still fun, so thanks iamv1nc3nt.