PentestsPL

PANhandler from /dev/null

PENTEST LAB - /*re*/Freshly

It’s good to be back… I remember I’ve encountered Freshly challenge some time ago, but somehow the walkthrough didn’t get written xD This one is a webapp challenge that wants you to steal a secret from a file and from my understanding can be finished without getting root on the box, but I’ll include steps I’ve followed to totally pwn the box :) You get the image from here.

No spoiler alerts this time :D

Let’s start with looking up our target’s IP:

Followed by some nmap magic:

Once everything is done it is clearly visible this box has some web stuff going on. Let’s hit it with dirbuster and while it’s working check content manually:

Hmmmm…Jedi…Jedi everywhere. Let’s check HTTPS:

That’s something : )

This one is clearly a Wordpress so a small wpscan won’t hurt. While it did find some interesting vulnerabilities in plugins I’ve decided not to follow them yet, all because of this one line:

Missed you say…ok, you can trick me, but try that with dirbuster and:

you fail! Hmmm phpmyadmin and some login.php page. Let’s visit it:

Yeah, can confirm…that is a login page, let’s try the top username (asd' or 1=1; --\) followed by top password (' or '1'='1):

Dunno about you but this smells like a SQLi for me, and yes, sqlmap picked that one without a problem. Small info here…I remember when I was pwning this box for the first time sqlmap did not want to work for unknown reasons and I had to use regexp to help it (start of line ‘1’ and end of line was the one I used back then). After playing around with that SQLi I’ve found table containing creds for an admin user for Wordpress instance, and….they worked!

Having admin access to the Wordpress I started looking around this thing. While it might surprise few, when I did this challenge for the first time, it was the first time I saw admin panel of Wordpress. It took me some time to figure out where I can go from that point. Seeing template editor with php files made me smile. After dropping simple php web shell my work here was done.

While sending cmds through browser might seems cool I’ve quickly send one dropping me shell to my netcat listener.

One of the first things I do after getting shell like that is spawning bash with a little help of Python:

Let’s start looking around, I wanted to check /etc/passwd and here’s what I got:

Looks like challenge is complete…but why stop now, right? After clicking around I’ve noticed that /etc/shadow has really interesting permissions set : )

I’ve grabbed both files (passwd and shadow) to try cracking the passwords. Believe me or not, but for unknown reasons my oclHashcat failed to crack password for root, despite having dictionary containing a valid password. I know that because after hashcat I tried using john and it did crack all passwords, the root’s one turned out to be the same as the one for admin user in Wordpress : ) So here it is:

But how did you get root shell, you might ask : ) Here’s the magic:

# poweroff

I’m out! Hope you liked it : ) Cause I certainly did!

Written on May 26, 2016