VulnHub – Basic Pentesting 1



Overview:
Basic Pentesting 1 is a virtual machine with several vulnerabilities. I will give an example of each potential attack vector that I found and how it is exploited, along with recommendations to remediate the issue.

The machine is at IP address 10.0.2.18, as shown by using nmap to perform a ping sweep.

Using OpenVAS for an initial scan of the machine reveals at least one critical vulnerability that should be addressed immediately: a backdoor associated with the FTP server running on the machine. It is very easily exploited and could lead to a full system compromise. Alongside this there are several other vulnerabilities, misconfigurations and weak authentication settings, which I have addressed in this report.

Initial Enumeration:
Alongside OpenVAS I used nmap to perform a port scan of the system. This reinforced what OpenVAS had found and revealed port 21 running ProFTPD 1.3.3c; this version of ProFTPD has an associated backdoor vulnerability and can be easily exploited. Alongside this, port 22 is running SSH and port 80 is hosting an Apache HTTP server, and the machine looks like a Linux machine running Ubuntu.

ProFTPD 1.3.3c Exploit:
This exploit takes very little skill to execute and could lead to a full system compromise, with the potential to cause a loss of confidentiality, availability and integrity for all resources associated with the machine.


I began by searching for the exploit in question using searchsploit, which showed several scripts already available and even a Metasploit module.
I decided to proceed with this attack manually. After looking at the available scripts, there appeared to be a command to trigger the backdoor: HELP ACIDBITCHEZ

I connected to the FTP service using telnet and supplied this command; upon issuing the command id I could confirm that I had root access to the machine.

It is also possible to sniff clear-text credentials sent to the service using software such as Wireshark. I unsuccessfully attempted to log in to the service using the credentials PENTEST and PASSWORD; however, I managed to capture these within Wireshark. Anybody using the service legitimately could have their credentials stolen with some ease, allowing an attacker to log in to the service with their privileges.

Recommended steps:

  • Update ProFTPD to a more recent version to remove the backdoor.
  • Enable FTPS or enforce encryption of the connection with AUTH TLS so that traffic sent across the service is protected.


HTTP Server Enumeration:

Using OpenVAS revealed that the HTTP server is running WordPress 4.9, located in a directory called /secret.

Navigating to this location in a browser, however, shows a somewhat broken page where all of the hyperlinks lead to vtcsec; by updating my hosts file to map 10.0.2.18 to vtcsec I managed to get the website working as it should.

Next I used WPScan to automate the enumeration process for the website; this identified the only user as admin.

I then used WPScan's built-in dictionary attack to successfully crack the admin password, which was revealed to be admin.

It was also possible to sniff credentials sent to the website using Wireshark, meaning that user details can be stolen and used by an attacker to log in.


HTTP Server Exploit:

With the admin credentials I could create and edit pages. I edited the index page by embedding a PHP script into it to provide a reverse shell to my machine, which gave me access to the machine hosting the page as the user www-data.
The script I used was php-reverse-shell.php by pentestmonkey, which comes preloaded in Kali Linux; it was embedded into the Main Index Template for Twenty Seventeen (index.php).

Running the exploit was as simple as setting up a listener on my machine and updating the page. Once the shell had spawned, the editor displayed a message saying that it could not update the page, leaving no trace in the code.


Recommended steps:

  • Create a policy enforcing stronger passwords; unauthorised admin access can have devastating effects.
  • Use HTTPS to encrypt traffic sent to and from the server.

Privilege Escalation:
I found two routes to privilege escalation on this machine; I will separate them into their own sections.

Weak passwords and unnecessary privileges:

It was possible to read both /etc/passwd and /etc/shadow.
Using this I found the user marlinspike, whose password turned out to be the same as their username. I could switch to this user and, with the most basic of enumeration, found that they could run anything with sudo. Using this information I used this account to switch to the root user, giving me full access to the system.

Recommended steps:

  • Create a policy enforcing stronger passwords.
  • Remove unnecessary privileges from accounts.
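As an added example (not part of the original write-up), the following shell script audits for the two conditions that made this escalation possible: a sudoers rule granting every command to a non-root account, and an /etc/shadow whose mode lets other users read it. The sudoers sample is constructed for demonstration; the live checks assume a Linux host with GNU stat.

```shell
#!/bin/sh
# Audit script added for this write-up, not the VM's own tooling. Sample data is constructed.

# Constructed sudoers content; the marlinspike line mirrors the unrestricted rule described above.
SAMPLE_SUDOERS='Defaults        env_reset
root        ALL=(ALL:ALL) ALL
marlinspike ALL=(ALL) ALL
backup      ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/bin/tar
%admin      ALL=(ALL) ALL'

# Read sudoers text on stdin and print each non-root principal whose command list
# contains the bare "ALL" spec, i.e. an account that can run anything via sudo.
unrestricted_sudo() {
    awk '
        /^[ \t]*(#|$)/ || /^Defaults/ { next }
        {
            line = $0
            sub(/^[^=]*=/, "", line)              # drop the "user HOST=" prefix
            sub(/^\([^)]*\)[ \t]*/, "", line)     # drop the "(runas)" group
            gsub(/[A-Z]+:[ \t]*/, "", line)       # drop NOPASSWD: / SETENV: style tags
            n = split(line, cmds, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++)
                if (cmds[i] == "ALL" && $1 != "root") { print $1; break }
        }'
}

# Return 0 when an octal mode keeps "other" users out (e.g. 640, 600) and 1 when any
# world permission bit is set, which is what let a low-privileged user read /etc/shadow.
mode_blocks_others() {
    case "$1" in
        *[1-7]) return 1 ;;
        *)      return 0 ;;
    esac
}

main() {
    echo "Accounts with unrestricted sudo (sample data):"
    printf '%s\n' "$SAMPLE_SUDOERS" | unrestricted_sudo
    if [ -r /etc/sudoers ]; then
        echo "Accounts with unrestricted sudo (this host):"
        cat /etc/sudoers /etc/sudoers.d/* 2>/dev/null | unrestricted_sudo
    fi
    mode=$(stat -c '%a' /etc/shadow 2>/dev/null)   # GNU stat (assumed Linux host)
    if [ -n "$mode" ] && ! mode_blocks_others "$mode"; then
        echo "WARNING: /etc/shadow mode $mode is readable by other users"
    fi
}

main "$@"
```

Run it as a user who can read /etc/sudoers to get the live results; the sample section runs regardless.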

Dirty Sock:
Upon enumeration of the services and binaries installed on the machine I discovered snapd, which has a known exploit for versions 2.3.7 and below; the machine is running version 2.3.7.

I used searchsploit to find the exploit known as Dirty Sock. This is a very messy exploit and is irreversible on the target machine, so I created a backup before demonstrating it and then restored the machine to its previous state. I downloaded the script onto the machine and ran it, resulting in a new account named dirty_sock being created with full sudo privileges.

Recommended steps:

  • Update Snapd to a newer version.
  • Don’t allow low-privileged users to run scripts and write/download files where they aren’t needed.



Summary:

I have demonstrated several vulnerabilities with this machine, including:

  • A backdoor that allows root access.
  • Unencrypted sensitive data.
  • Several weak passwords.
  • Unnecessary privileges given to accounts.
  • Outdated software with known vulnerabilities.

All of these can potentially lead to a malicious user gaining unauthorised access, posing a great risk to the confidentiality, integrity and availability of all resources associated with the machine.
