One part of penetration testing is re-testing companies to confirm that the vulnerabilities disclosed in the first round are now non-existent and properly secured.  In this machine, Raven Security, a company that was breached in an earlier attempt, brings a new challenge to the pentesting team after securing their web application. The author says that this machine is an intermediate one. This is based on it containing a rabbit hole and understanding how an exploit runs and modify the code according to the application at hand. The machine can be found on VulnHub, so go pull down a copy and lets jump right in!


Information Gathering

Starting off, netdiscover allows us to find out the IP on the internal network of the virtual network. netdiscover -i eth0 -r 192.168.56.0/24 where -i stands for the interface and -r stands for the network range that we want to scan.

Fig 1. Netdiscover Results

After identifying its location, knowing what's running on it comes next. In addition to NMAP, unicornscan will be used to confirm the results. Unicorn is super fast in scanning for the ports, whereas NMAP can be awesomely used to discover the services running on the ports and provide enough information.

Fig 2. unicornscan results
Fig 3. NMAP results

Following the generated results, 22, 80 and 111 are open. Knowing the services, port 22 can't be easily exploited, the only possibility is to brute force it. Port 80 is the hottest one to be tackled. Port 111 is the rpcbind service which tells that there is a RPC application program running. Not that interesting.

Web Busting

After prioritizing our services, web directory busting begins using gobuster:

Fig 4. Web dir busting

Looking at those findings, another gobuster process is ran on the wordpress directory, which is in general, a juicy spot.

Fig 5. Wordpress dir busting

Without noticing, I was slowly sliding down a rabbit hole. I ran 2-3 bruteforcing attacks on the login process for the users with different password lists. While doing the last attack, I stepped back, and remembered that there is way more to this than the wordpress section.

Looking around in the web directories, /vendor came out to be crucial to this box.

Fig 6. Vendor directory

This was the vendor directory for PHPMailer. Looking closely into those files:

Fig 7. Vendor PATH + Flag 1

Lookie there! Flag 1. This is a clear sign that we are on the right track. Looking at the VERSION next:

Fig 8. PHPMailer Version

This could lead to something! Using the infamous searchsploit:

Fig 9. Searchsploit PHPMailer

This service is pretty vulnerable! Using the python exploit from exploit-db, a couple of parameters needed modification. That was identified by checking where the PHPMailer was being used, in comparison to where it was used in the PoC. In our scenario, it was under /contact.php as opposed to the PoC, /.

target = 'http://raven.local/contact.php'
The reverse shell needs to point to the current machine IP and port.
And last, the path to the backdoor script:
'email': '"7hunder\\\" -OQueueDirectory=/tmp -X/var/www/html/backdoor.php son\" @twitter.com',

If it wasn't clear, the fields set are the POST parameters to be sent. Running the exploit, a reverse shell is received:

Fig 10. Reverse Shell

Privilege Escalation

In the normal privilege escalation process, the privilege checker is ran to try and identify issues in the installation and setup of the system. One crucial process shines out. Mysql is ran with the root user!

Fig 11. Mysqld process

After checking its version, an exploit was found for it!

This exploit was missing a user and a password to access that DB. Nonetheless, a WordPress application exist, and with it comes to life the wp-config.php file which is always interesting to grab.

Fig 12. wp-config content

After logging in, Steven and Michael credentials were gathered and stored locally in order to try and break them later on.

As for the exploit, we are ready to attack the vulnerable application. Following that exploit-db guide, and combining it with the following blog, we get a functioning shell.

Fig 13. Exploit setup
Fig 14. Privilege escalation

One last step for us to wrap up. Get the flags!

Fig 15. Locating the Flags
Fig 16. Flag2.txt
Fig 17. Flag3.png
Fig 18. Flag4.txt

Attempting to grab the passwords for steven and michael for later usage, neither the MySQL credentials nor the /shadow hashes were decrypted using multiple wordlists.

Conclusion

The machine contained some known issues, such us having an application running as root, or using a vulnerable application version, and these are dangerous liabilities on the application owner! Being offensive while building an application can bring up to the table lots of benefits, from building up the application, to setting it up. The author can be found on the following: https://wjmccann.github.io/

If you enjoyed my writing you can find me on Twitter as @7hunderson.

The awesome image used in this article is called "Raven" and it was created by Evgeniya Rodina.