r4hn1.medium.com

MY WEB SERVER: 1 | Vulnhub Walkthrough

Rahul

You can download the machine from

Goal: Get the root flag of the target.

Difficulty: Medium/Intermediate Level

Lab Setup:

Download the machine from the link and import it into VirtualBox.

Network Mode: Bridge Adapter

Here the machine's IP is 192.168.1.211.

Let’s start with reconnaissance.

┌──(root💀kali)-[/home/danial/Desktop/InfosecWarrior/My_Web_server]
└─# nmap -sV -sC -A -vv -oA nmap -p- 192.168.1.211

Several ports are open.

PORT     STATE SERVICE REASON  VERSION
22/tcp   open  ssh     syn-ack OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp   open  http    syn-ack Apache httpd 2.4.38 ((Debian))
2222/tcp open  http    syn-ack nostromo 1.9.6
3306/tcp open  mysql   syn-ack MySQL (unauthorized)
8009/tcp open  ajp13   syn-ack Apache Jserv (Protocol v1.3)
8080/tcp open  http    syn-ack Apache Tomcat/Coyote JSP engine 1.1
8081/tcp open  http    syn-ack nginx 1.14.2

On port 80 a WordPress site is hosted. Requesting any random page shows that the site is bound to a domain name, so let's add an entry for it in the hosts file.

Enumerating port 80 turned up nothing interesting.

So I'm moving on to port 2222.

Found exploit for nostromo 1.9.6.

The exploit works properly, so it's time to get a shell.

I tried a bash reverse shell but it wasn't working, so I downloaded the nc package manually onto the server and used it for the reverse shell.

Okay! So we got a shell as daemon.

The passwd file has an entry for a tomcat user, so let's first try to get tomcat's privileges.

While enumerating, I found database credentials in the wp-config.php file.

In the database we got the WordPress password hash, but right now we are looking for the tomcat credentials, so we keep these for later.

After running

daemon@webserver:/var/www/html/site1$ find / -user tomcat 2>/dev/null

we got the tomcat directory, and inside it we found the tomcat credentials.

Now let's log in with the tomcat credentials and get tomcat's privileges.

Okay!!

So now we are logged in; it's time to upload a shell.

I'm uploading a WAR shell to gain access.

After uploading the shell, let's start a listener and gain access.

and we found that we can execute /usr/lib/jvm/adoptopenjdk-8-hotspot-amd64/bin/java as a superuser.

So for root we again use msfvenom, this time to generate a Java payload.

Now transfer this file by any method you like; I'm going to start a Python web server and download the file onto the server using wget.

Run it with /usr/lib/jvm/adoptopenjdk-8-hotspot-amd64/bin/java under sudo privileges.

And start your listener.
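A defender-side check for the misconfiguration behind this root step, added here as an example and not code from the walkthrough: it parses sudoers-style rules and flags non-root principals allowed to run ALL commands or an interpreter/runtime binary such as java as root. The sample rule set and the partial list of risky binaries are constructed assumptions.

```python
import os
import re
from dataclasses import dataclass

# Partial list (an assumption for this example) of binaries that hand over full
# root control when sudo lets a non-root account run them as root.
RISKY_BASENAMES = {"java", "python", "python3", "perl", "ruby", "bash", "sh",
                   "dash", "vi", "vim", "find", "less", "awk", "env"}
SKIP_KEYWORDS = {"Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias"}
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<rest>.+)$")
TAG_RE = re.compile(r"^([A-Z]+):\s*")

@dataclass
class Finding:
    user: str       # user or %group the rule applies to
    command: str    # command path granted by the rule
    nopasswd: bool  # True when the rule carries the NOPASSWD tag
    reason: str

def audit_sudoers(text: str) -> list:
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or line.split()[0] in SKIP_KEYWORDS:
            continue
        m = RULE_RE.match(line)
        if not m or m.group("user") == "root":
            continue
        rest, tags = m.group("rest"), set()
        while (t := TAG_RE.match(rest)):   # peel off NOPASSWD:, SETENV:, ...
            tags.add(t.group(1))
            rest = rest[t.end():]
        for cmd in (c.strip() for c in rest.split(",") if c.strip()):
            path = cmd.split()[0]
            if path == "ALL":
                findings.append(Finding(m.group("user"), path, "NOPASSWD" in tags,
                                        "unrestricted: any command as root"))
            elif os.path.basename(path) in RISKY_BASENAMES:
                findings.append(Finding(m.group("user"), path, "NOPASSWD" in tags,
                                        f"{os.path.basename(path)} runs arbitrary code as root"))
    return findings

# Constructed sample; the tomcat line models the rule behind the walkthrough's finding.
SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
tomcat ALL=(ALL) NOPASSWD: /usr/lib/jvm/adoptopenjdk-8-hotspot-amd64/bin/java
backup ALL=(root) /usr/bin/rsync, /bin/systemctl restart nginx
"""
```

Running `audit_sudoers(SAMPLE_SUDOERS)` reports the %sudo group (ALL) and the tomcat java rule (NOPASSWD) while leaving the scoped backup rule alone; the fix on the target is to remove or narrowly scope the java entry.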

Boom !!

We got root | Happy Hacking.