Five86-2: Vulnhub Walkthrough

Today we are sharing another CTF walkthrough of the vulnhub machine named Five86-2, with the intent of gaining experience in the world of penetration testing. The credit goes to m0tl3ycr3w and syed umar for designing this machine, and the level is set to beginner to advanced.

According to the author: The ultimate goal of this challenge is to get root and to read the one and only flag.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

Download it from here: https://www.vulnhub.com/entry/five86-2,418/

Penetration Testing Methodologies

Network scanning

  • Netdiscover
  • Nmap

Enumeration

  • Exploring HTTP services
  • WordPress scanning (Wpscan)

Exploit WordPress

Privilege Escalation

  • Abusing capability
  • Abusing Sudo

Walkthrough

Network Scanning

As you know, this is the initial phase, where we use netdiscover to scan the network and identify the host IP; here we have 192.168.0.114 as our host IP.

From the port scan, we found that port 21 is open for FTP and port 80 is open for HTTP, where WordPress is running on Apache.

Enumeration

Next, we opened the following URL in a web browser and found a WordPress application running on the web server.

Since WordPress was running on the host machine, we chose wpscan and ran the following command to scan it.

From the scan result, we enumerated 5 usernames: peter, admin, barney, gillian and Stephen, as shown in the image below.

We used the rockyou.txt wordlist for a password brute-force attack, so we saved the above-mentioned usernames in a text file named user.txt and then launched the attack by executing the following command.

From the result, we found passwords for barney and stephen, as given below.

To access the website properly, we added the hostname and host IP to the /etc/hosts file.

Furthermore, using barney's login credentials we logged in to WordPress and found that the plugin “Insert or Embed Articulate Content into WordPress” was installed. We searched Google to find out more about it and found a method on Exploit-DB to exploit this plugin to obtain a reverse connection.

Exploiting WordPress

For exploiting the installed WordPress plugin, follow the steps given below.

  1. Create a .zip archive with two files: index.html and index.php
  2. Log in to WordPress as barney
  3. Create a new Post -> Select Add block -> E-Learning
  4. Choose the upload option for uploading your zip file
  5. Browse and upload raj.zip -> Insert as: Iframe -> Insert

Start a netcat listener on your local machine and, after uploading the zip file, access the web shell from the URL as shown:

Booom!! We got the reverse connection in the netcat session, but we know this is a boot-to-root challenge, hence we need to escalate privileges and try to gain a high-privilege shell. So we started post-exploitation enumeration and found that a capability permission is granted on tcpdump for Stephen.

So we ran the following command, which reveals the interfaces that are up and running.

Privilege Escalation

As seen in the above image, tcpdump has the capabilities to capture all network traffic even from a low-privileged account, so we ran the following command to inspect the traffic on “veth1665bcd” and save the output to the pcap file “cap.pcap”.

With the help of the “-r” option we read the pcap file and luckily found credentials.

With the help of the above credentials, we switched to the paul account and checked his sudo permissions. We found that paul has sudo permission to run the /usr/sbin/service program as peter.

With the help of the above command, we were able to get a shell as peter.

Then we checked the sudo rights for peter and found he has ALL permission to run any program as root, but we don’t know peter’s password; moreover, peter has the sudo right to run /usr/bin/passwd as root. In order to access root, we abused this sudo permission by changing root’s password and then tried to get the final flag.
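As an added defensive check (not part of the walkthrough), the following POSIX shell helpers flag the two misconfigurations this box is escalated through: file capabilities such as cap_net_raw on tcpdump, and sudo rules for /usr/sbin/service or /usr/bin/passwd. The getcap and sudo -l output they parse here is constructed sample data, not output from the machine.

```shell
#!/bin/sh
# Added audit helpers (not from the walkthrough): spot the two misconfigurations
# the write-up relies on. All sample inputs below are constructed.

# Constructed `getcap -r /` output. Both libcap print styles appear:
# "path = caps+eip" (older) and "path caps=ep" (newer).
SAMPLE_GETCAP='/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
/usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep
/usr/bin/python3.7 cap_setuid=ep'

# Constructed `sudo -l` rule lines for one account.
SAMPLE_SUDO='(peter) NOPASSWD: /usr/sbin/service
(root) NOPASSWD: /usr/bin/passwd
(root) /usr/bin/man'

# Capabilities that let an unprivileged user read other users' traffic
# (cap_net_raw/cap_net_admin, as tcpdump had here) or change identity/files.
RISKY_CAPS='cap_net_raw|cap_net_admin|cap_setuid|cap_setgid|cap_dac_override|cap_dac_read_search|cap_sys_admin'

# Print "path: caps" for every binary whose capability set matches RISKY_CAPS.
flag_capabilities() {
    printf '%s\n' "$1" | awk -v re="$RISKY_CAPS" '
        NF >= 2 && $NF ~ re { print $1 ": " $NF }'
}

# Print sudo rules for the two programs this box escalates through:
# service(8) resolves the name it is given relative to the init-script
# directory (which is what "service ../../bin/sh" relies on), and passwd
# run as root resets any account's password, including root's.
flag_sudo_rules() {
    printf '%s\n' "$1" | awk '
        $NF == "/usr/sbin/service" || $NF == "/usr/bin/passwd" { print "review: " $0 }'
}

# With --live, audit the current host; otherwise run on the constructed samples.
if [ "${1:-}" = "--live" ]; then
    flag_capabilities "$(getcap -r / 2>/dev/null)"
    flag_sudo_rules "$(sudo -n -l 2>/dev/null)"
else
    flag_capabilities "$SAMPLE_GETCAP"
    flag_sudo_rules "$SAMPLE_SUDO"
fi
```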

Author: Shubham Sharma is a Pentester, Cybersecurity Researcher and Enthusiast, contact here.

3 Comments Five86-2: Vulnhub Walkthrough

  1. Henry

    Hello Sir.

    About this part “sudo -u peter service ../../bin/sh”. Could you please explain in more detail?
      • What is /usr/sbin/service used for?
      • Why do we need to type “../../” instead of “/bin/sh”?

    Thank you very much

