Vulnhub: RIPPER: 1

RIPPER: 1

This is RIPPER: 1 from VulnHub.

This is a vulnerable linux box focused on web application testing along with showing the importance of enumeration. There are three users you needs to compromise to read the root flag.
Difficulty: Easy-Medium.

Let’s go.

Oh I also did Gaara and I’ve got nothing much to say about it. Base58 encoded creds on a page, password doesn’t work but bruteforce SSH with the username no issue. Then rabbit holes in Brainf%%k and a GTFOBins privesc. Anyway; back to Ripper.

Ports

HTTP, SSH and Webmin on port 10000, but not an apparently vulnerable version:

10000/tcp open http syn-ack ttl 64 MiniServ 1.910 (Webmin httpd)
|http-favicon: Unknown favicon MD5: 6594483717A9D1D13CF12F31EBFDB483
| http-methods:
| Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn’t have a title (text/html; Charset=iso-8859-1).

HTTP

Probably the hardest part of this is finding the entry points: http://192.168.1.58/rips/

I typically use seclists for my wordlists; almost always. The word rips only appears in two files:

1. directory-list-lowercase-2.3-medium.txt, and
2. directory-list-lowercase-2.3-big.txt

And I basically never use these files (not the ‘lowercase’ versions anyway). So yes this was the hard part. Once you have it via interminable fuzzing, you can use the webpage (a PHP code analyser) to scan files in /var/www and then read one called secret.php, which contains the credentials for our first user. Once we have this, we SSH is as ripper.

Ripper -> Cubes

If we check the bash_history for our user (ripper) we can see they go to /mnt and look at a file called secret.file. What if we do that?

ripper@ripper-min:~$ cd /mnt
ripper@ripper-min:/mnt$ ls -lash
total 12K
4.0K drwxrwxr-x+  2 root  root  4.0K Jun  4 11:42 .
4.0K drwxr-xr-x  24 root  root  4.0K Jun 26 06:22 ..
4.0K -rw-rw-r--   1 cubes cubes   60 Jun  4 11:42 secret.file
ripper@ripper-min:/mnt$ cat secret.file 
This is my secret file

[file system]
-passwd : Il00tpeople
ripper@ripper-min:/mnt$ su cubes
Password: 
cubes@ripper-min:/mnt$ sudo -l
[sudo] password for cubes: 
Sorry, user cubes may not run sudo on ripper-min.

Cubes -> Root

If we look at the bash_history for cubes we can see he was poking around in the webmin directory and making a backup. Let’s check that:

cubes@ripper-min:/var/webmin/backup$ cat miniser.log 
[04/Jun/2021:11:21:48 -0400] miniserv.pl started
[04/Jun/2021:11:21:48 -0400] IPv6 support enabled
[04/Jun/2021:11:21:48 -0400] Using MD5 module Digest::MD5
[04/Jun/2021:11:21:48 -0400] Using SHA512 module Crypt::SHA
[04/Jun/2021:11:21:48 -0400] Perl module Authen::PAM needed for PAM is not installed : Can't locate Authen/PAM.pm in @INC (you may need to install the Authen::PAM module) (@INC contains: /root/webmin-1.910 /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.26.1 /usr/local/share/perl/5.26.1 /usr/lib/x86_64-linux-gnu/perl5/5.26 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.26 /usr/share/perl/5.26 /usr/local/lib/site_perl /usr/lib/x86_64-linux-gnu/perl-base) at (eval 15) line 1.
BEGIN failed--compilation aborted at (eval 15) line 1.
[04/Jun/2021:11:33:16 -0400] [10.0.0.154] Authentication : session_login.cgi=username=admin&pass=tokiohotel
[04/Jun/2021:11:33:16 -0400] [10.0.0.154] Document follows : This web server is running in SSL mode. Try the URL <a href='https://ripper-min:10000/'>https://ripper-min:10000/</a> instead.<br>
[04/Jun/2021:11:33:16 -0400] [10.0.0.154] Document follows : This web server is running in SSL mode. Try the URL <a href='https://ripper-min:10000/'>https://ripper-min:10000/</a> instead.<br>
[04/Jun/2021:11:33:29 -0400] Reloading configuration

So now we have some webmin creds. It’s back to https://ripper-min:10000/ where we can login and have a root shell.

[admin@ripper-min ~]# id
uid=0(root) gid=0(root) groups=0(root)
[admin@ripper-min root]# cd /root
[admin@ripper-min root]# ls -lash
total 30M
4.0K drwx------   7 root root 4.0K Jun  4 13:33 .
4.0K drwxr-xr-x  24 root root 4.0K Jun 26 06:22 ..
4.0K -rw-------   1 root root 1.5K Jun  4 13:34 .bash_history
4.0K -rw-r--r--   1 root root 3.1K Apr  9  2018 .bashrc
4.0K drwx------   2 root root 4.0K Aug  6  2020 .cache
4.0K drwx------   3 root root 4.0K Jun 26 06:34 .gnupg
4.0K drwxr-xr-x   3 root root 4.0K Jun  4 11:18 .local
4.0K -rw-r--r--   1 root root  148 Aug 17  2015 .profile
4.0K -rw-r--r--   1 root root  170 Jun  4 11:16 .wget-hsts
4.0K -rw-r--r--   1 root root  252 Jun  4 13:33 flag.txt
4.0K drwxr-xr-x   6 root root 4.0K Jun  4 13:24 snap
 12K drwxr-xr-x 132 root bin   12K Jun  4 11:30 webmin-1.910
 30M -rw-r--r--   1 root root  30M May  9  2019 webmin.tar.gz
[admin@ripper-min root]# cat flag.txt
# ASCII art removed
COngrats !!! You have rooted this box !!

Follow me on twitter @san3ncrypt3d
[admin@ripper-min root]#

This one was pretty good, hard to find the entry point though. Not too CTF-ish, which I appreciated.