W1R3S: 1.0.1
- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiig92QULrqYUGEbu9m6N3Ry1CIjnnK-LDGWv6BQBurPrCIiTtAhCOpAvxhOEDBlXQhtRSQJ0ZUyLDaQN0WeM59H2Je5T7R0aYOQJaXIvtkDendkLkkwLE0Z9kRUk5FwF4QQfC4pbNhSxKe/s1600/screenshot.41.jpg)
1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine w1r3s 1.0.1
- w1r3s 1.0.1 can be downloaded from here:
https://www.vulnhub.com/entry/w1r3s-101,220/
- Once downloaded and imported into VirtualBox:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvjKRJv9-KHD7cPVBaG5DDm3UEXLDjIfNfBwnK2yovsX2SNlqbiZEoRWOPdbW5f0sUGabMx78HO6r-ihCtQI7TLB_IkE64vxcKEI6_24uYGhM20SWz1PDlMwU-78cRar71r2dH_uxFEA09/s1600/screenshot.1.jpg)
2 - ENUMERATION
- Discovering the IP:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWfPH6Xql6xRZ3mynJsiz4WISGaRzaA0127SLRyjTD0722aIpVUc3RDTjBv6bduI2nxjV8CyqqFTheXmFB2qgZ-DBuhfNvYVoDLsFdbBj00g8Ph5O2Hw63a9z_7zGjTvo3aEBiMU27-odZ/s1600/screenshot.4.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcVJuDzR6zmKmTsbjXy56MnKs48yYxnavYbznN60sx9Et00qYT6uVYQaNL9SeQ8iIQNd2-m6t4TY_xhh3eycGaWJQ1mQV4gyDgU8dQh_RKkM1G8RS4gBLNJQc1ZlMxlIMwt4ZDg4TyZqzg/s1600/screenshot.5.jpg)
- Scanning:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAXDC68kXPP2lWTubXqcVM86lW3UZVR5GH4odtWvnHHZN_qqdRZaZfOOcSkIEsJhxNMjy7KN1GKlOX0LE9boQfzD4QmT8GTDZIrjfNhD2bPuIau1uXG9bvccxyqq6UmXuJOGZQ-8RDIMfU/s1600/screenshot.6.jpg)
2.1 - FTP enumeration
- Let's start enumerating the FTP service in detail.
- It seems that anonymous login to the FTP service is allowed:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-mXtrvppxk_EF6AxNfd21GZ88__KOoXiDe-P2HhtJ6abvNrrLwDKfs2h0Ey1qDjfVNUi4UuLKsiqlogwihJxJ2Pl_PqCR4p3dodhyiFWZvBR2s9B23RVJWpd7hRxfNVrycTIanWmXyz9A/s1600/screenshot.7.jpg)
- Using the browser to access the FTP service:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhgDpKXSAcJyFdwJnQWAxBaOtHJoZnWd72pdbXDzeysmyHmpCVk86ZOCVIjkaERSKOqWzZlx-3MK7JcDrAyIUZ4UWAXTkh4RI1F9fVRhSSHmwe3pInfVcRzGGH8ZyGcR3liI3J12hGNmpO/s1600/screenshot.8.jpg)
- Reading the text files inside the folder /content:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEga1JaNLUzxgsKdvMT-wKe8ZyP737SQ_lV-MCi3hzqZtWFtqUMhxLmJ6EBqZpJpK4TtmY4OiLWXdkL_NS4ZZIOFqKumcGhlN_HqUUAEvzbY01C8aBaEY7iu6d4mL5Rxud5E32sWXzBgUzkc/s1600/screenshot.9.jpg)
- Reading 01.txt:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUhNXmmG-1Nekaws0C1vZnhxlLm2WvBqiURDxGLetaB5reix-jBszP3Krk86UsdMCXhOMzgT3wx_CpWDWFfIYTga0G1AtxPcE0BnRpMgFM_eIo1VvWpfp62C9H5xqxuhyjMOP6uVb8y_ei/s1600/screenshot.10.jpg)
- Reading 02.txt:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1iDZDxqTgrjopJB4ssiZMk6YkDcPrK1k1bhk-RuT76qHQ6fuJ4BWIfP-cOmJc5CFzONbrqtPFSNpQj2qpIzlqBUniXry1v7KI50-FtJaFDcTKkzAWD75QmjHuJpvi_lGSrTQTH5SFgjiB/s1600/screenshot.11.jpg)
- Identifying the hash type of the first string: it is probably MD5:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbNeYWJcxRL71Mu3XEZgQ4QkRTcbyjYqbHjc9rokcWMRESsSyq8Qm0h5GGLG_uTyhfLyCjoh36gRlan2Ynvx3HBk-og8wRAF46GnKxBmqJejsC7B8cbblzs3VBfs4h0t4gHTXgiCaHBYOr/s1600/screenshot.14.jpg)
- Cracking the MD5 hash (MD5 is a one-way hash, so this is a lookup, not a decryption):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijxjbVNaY0vkuEXdfUx13JpUsvsbk40yMk5aeyc7uvxFH1yb6a9fkf-cSpyI4i3VnpEK2emegiZZ8xSzHHm94Dl3YTgeseR89kdN8VOyaHWyiVy7vTud0Fe9MII34CkyTQegLKiNy8ECZB/s1600/screenshot.15.jpg)
- Decoding the second string:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGSToNRAi-r480JaL9tjnkvPGzRSbDSzB6saWYUtbPgBmNwM_TO4hVy4Tzo832Ara2hUhVLFY_nVYoupl07Zjtq6KMEQxhf_Rfeq45tLbiad0FWJ27aHKIpslNk2KW_V0koLJMm50X_pGT/s1600/screenshot.13.jpg)
- Reading 03.txt:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcrzriY4IYA8JDRFasuCTBaERrHbtrkjSy1LguSfH2TU9htEZq5le7yqOsZALbMhwgc1Ujey_hZ8Rvr6qnBTmXMYfn_GqXKQgtDkf40lJ4kmsWvKxkHsvghXPUYrW_oYIYpJclSnePfqPj/s1600/screenshot.12.jpg)
- Reading /docs/worktodo.txt:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3psngnHo2nfqa0X8G7QSfzYA-okBVhkOavB7Z5GdEoang3A5sSKLQHfLFwjjNa4XUFE7UguP3T9phLnX6XHHLz_mosaKrb4m5HSyByp6QWuqFzCDSFz5FWoZErazATegSOIfELA7ATW-a/s1600/screenshot.16.jpg)
- Reading employee-names.txt:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSakvko7n4B3Pqb9v7MRHq30YYzB77rObOdEG801ZlwLbIh5VrcDj78uxQZTlB1tpJ4EQkWfzzdcmpK2zrSt92Al3Z_NYe9x6xW4JuPA18yPD-HEAz03vfD1pwVQ0KE0b0KYwQD2nKfsoa/s1600/screenshot.17.jpg)
- Just in case, let's store the names for later use:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEju3-1sjLb4eUs27Y2c_3UIh-LNb4ZmJ3CRBi6WP1j3dZKZa8l2IzeAoARkPKqgkFmcLKwuPcRdrJLFbO4IOnWiL5SGbDXmZIwwC5Td0Hz8Zykqf7OWkUhK6iLdg4hG6j-7_QhZOsPZt0tU/s320/screenshot.18.jpg)
2.2 - Web enumeration
- Browsing the web server:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhf5dgzRQAsUNAAyQDEd8CMAybj9mQgvX8a15DOtNieWsvT-S97v1TMUrN53pNojawm8itZsjvpQC4THyBddiUQig9ZSiK29ep5uRlv4Y0WiojaJiq3fHPGHQREgIojgQ9YpAwILeSOQBw4/s1600/screenshot.19.jpg)
- Running dirb against the web server:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRHHSOxcrBscWB_p2-wnKVTfT9xLa1SE5LBerVBDEjHJgr26_wb2TJCnAhXe4IFNCJ8ihTjr2eO-ZaUfaL15LoPe3cpsWeHlFNfwIbxWz4meO_J34eSRHgKi9j6VYRurAYkhg-7hDrV7qN/s1600/screenshot.20.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRzG3z8BbM1cNiBk-7dvxjS-oKTch8TLmsRkD-pZ6eZsBpECvgfvZ7AYvoP7av24-pnbP5kZaIpGRxab5q_akT1hOih3Pw4PBg9yGD-MM4W2zPcl_IhfNVg1FBWVy1x2qL3Wmndd9NRNbC/s1600/screenshot.21.jpg)
- Two main directories have been found, /administrator and /wordpress:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAVqV4WgKUbU1PiGKLrRo2_fEcuPckhbgZasJntYSXG0n5N1OdGW3UaS28vakTyPmgPs4pGKqNuVznYHwS2rRu_XpjJ5M0t5UhaTdDl4JYRCUQOKadLKZC2FywarUTwXosJ9LdLEPY4CDF/s1600/screenshot.22.jpg)
- Going to /administrator we are redirected to /installation, where the content management system Cuppa CMS is running:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwvrs1jplixINXbXnhCpXNkM23UYE5g9bJjIFfubRaFya81MoovbpOZpMIB2pjUBGEcadVnMpkbfvbfQPkaN1DS5kb92YQBqlXmCKGAtw2lnI4HAYtOwIsJYgLmv50_VUPKb-7Qe2jg055/s1600/screenshot.23.jpg)
3 - EXPLOITATION
- Searching for Cuppa CMS exploits:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKzzMSCCpf2OsdVfdJWyMDK4SteMFbL18FVwJLlKj5APic6PuZ_7mt1vIzeAijZn2b4najY5hzY34EojJ-e_GEXKX0yZd0YY4IgQZmSvVfyVb91AfG0XDHl6ftygaXWe3zfDyUo7-kjzXk/s1600/screenshot.24.jpg)
- The exploit 25971.txt allows a Remote/Local File Inclusion:
https://www.exploit-db.com/exploits/25971
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhffI1CRBDllB3nP6fPIdAt3GH_DAdAzQ0_yaRwZdIJCcoYXDP8M62WUQ6OQ43S96CPPdxycrerHXiO9MuLON6GdJt-_OH1oDCKC8xBSU-ejMxLIlm2Ja_A7Rp8c326b4Z73sZdZTrNXAT_/s1600/screenshot.42.jpg)
- Reading 25971.txt:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaLc4fqxO9K9GYkYnUYP0tWbZ5gDu5sniNw7PjcXP4wVuM2fhkKP9edixu-aeH3MiL3sKjbwyhAYVknr7clCrhKefwWsUGQPYhGJlOJ-6t-QjK9WwcaqT2rxFTlzmadSOhtkBQy-KfZjBJ/s1600/screenshot.25.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBKt0sUYucEh5sgiSSymSAidbGFJgpXt-j09DSPwsVVYklRIeeb-JyIhlmZpllS8BVhTOKDQZK_K4SdfgXJ4tqAnqpvY-J-Bc17hDMszCktVpKPK3NDonCjphVSb30a4goPwnWoT6sRLxk/s1600/screenshot.26.jpg)
- Following the instructions in 25971.txt and trying the exploit directly in the browser does not work:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiu_VSvu8rbLc4b8MuJroQwo65aAO2TZec2-keD74n-2XnMp2Q-tWcgHCYb-oq3C8vaXgf0jnebDmzLBXnYxtoZYlP9rikTzA2MDNIA89pFlkBi_C6dJZUfnycWGQxDx1sRh7zsZ-rhn_BQ/s1600/screenshot.33.jpg)
- However, using curl with a POST request we retrieve /etc/passwd. The data sent in the POST body is URL-encoded:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5BkRV_aYuVXtnpmHoE7SaqiEqDmj2vChiXBio8WeXxcjmuxm5J9HH9gtSPWq5o2B3DRPtBfDbu-wjNlBXZvotUA-peS5iZBjb1WZuZZzO0HLnasZwGkTXrcdkSdIIhNg90jUVz5U_9oPz/s1600/screenshot.45.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqEDGQY4YjGrh8509zx60JLPAf8INK2ErvjCj_92m4MlJVX8yBiRecBqbqBjC3j951SxfLfARVmbgfRyMcnSgq_ZdQ2JQqu5kSQnKDZQfYFLM5HOY4J3h1KrjDqA-qT4W_A-V9gC33P7N5/s1600/screenshot.43.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxhk08qoDT7zpKnZquzpX29rlojcv6J_ri_0mqIpAGE9phMrvgqCofmoIB6BKb5wUCHA0e75KwUBVEtSPESQ0syXBIQ2xCQhBZb_dABPoEfsVoU5nV1iO4DSld8oqpwh52cgtw_gqjcnvc/s1600/screenshot.35.jpg)
- Same thing for /etc/shadow:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRVOWil7AJDwd4KytReXgOvofCJIabp39PABbiWTk8xxYbifA3dNX8dVfe111A5jQMhLHMWZS1aJA59u0RnMaXZJq2m3Kw2XDRNfsbxWBMCjLpRNVGwSFExPlrnwW9OCMwiTHASbRuP28c/s1600/screenshot.44.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtxSlopP8BN4_c92hJ2hfOxZEyLMxsVSkqypW4FSJ5Y4tn3DtAtwUhP0vOwHCeA-ZKA1-ZCNUepWrZA27UH4XtTzuMkuB0bARngfg1mfJzT8OSdJHal5qMtcUw8h1F8h1A8s3lYq6ov79D/s1600/screenshot.37.jpg)
- Same results with Burp, using the POST method instead of GET.
- Note the header Content-type: application/x-www-form-urlencoded, which indicates that the request body is URL-encoded, so the server decodes the traversal sequences before the include happens.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTpeAUatQWxudZd5EUMPI48RtCKYFhjb8d-__MV-RolX7OYOrBUnstyLPL9pbbzQK2J2HwzLUllU3acyH2dC-gXKwV2i0kJxYtn64HAuTybnSR20Ix13WmS7DayX_YwotzjhabAKQ1socm/s1600/screenshot.49.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSaXYJzJeFEB8ulXHIFsqvWTYLdnVBbGc9zW3aMdMKb-rzkdlyi-uPfMv2ZJw9DhHXkX46zg4qMg0bPs3NFOKI4gRR-BxC76jhJQwYGY6DMPrAdYjydv-gH65UOyzwig6RxiVu7dwj9VhC/s1600/screenshot.48.jpg)
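The reason the request only works once the body is URL-encoded is that the server decodes the form body before using the parameter, so a WAF or log analyser must decode the same way before matching. The Python below is an added example (not code from the original post or from Cuppa CMS) that decodes an application/x-www-form-urlencoded body and flags traversal and file-inclusion attempts; the parameter name `cfg` and the sample bodies are constructed.

```python
"""Flag path-traversal / file-inclusion attempts hidden in
application/x-www-form-urlencoded POST bodies.

Added example, not code from the original post; the parameter name 'cfg'
and the request bodies below are constructed for illustration."""
import re
from urllib.parse import parse_qsl, unquote

TRAVERSAL = re.compile(r"\.\.[/\\]")                       # ../ or ..\
SENSITIVE = re.compile(r"/etc/(?:passwd|shadow)\b|php://|https?://", re.I)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so nested encodings are normalised before
    matching; stops as soon as a pass changes nothing."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_form_body(body: str) -> list[dict]:
    """Return one finding per suspicious parameter in a URL-encoded body.
    parse_qsl performs the first decoding pass, exactly as the web server
    does when it parses the form."""
    findings = []
    for name, raw in parse_qsl(body, keep_blank_values=True):
        decoded = fully_decode(raw)
        reasons = []
        if TRAVERSAL.search(decoded):
            reasons.append("path traversal")
        if SENSITIVE.search(decoded):
            reasons.append("sensitive target or remote include")
        if reasons:
            findings.append({"param": name, "decoded": decoded, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Constructed bodies: benign, percent-encoded, double-encoded, remote URL.
    for body in (
        "page=home",
        "cfg=..%2F..%2F..%2Fetc%2Fpasswd",
        "cfg=..%252F..%252F..%252Fetc%252Fshadow",
        "cfg=http%3A%2F%2Fexample.invalid%2Finc.txt",
    ):
        print(body, "->", inspect_form_body(body))
```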
4 - CRACKING PASSWORDS WITH JOHN THE RIPPER
- Storing /etc/passwd and /etc/shadow in the text files p and s, and unshadowing them into the text file u:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEie9VZ0X78copFRE1585hjtg8KGxzmS2Kg_A6DMgTw59zWo014jgZYv1GhsgpjWHCm_afOqvYA7v29EVUBKNvt3-vHbsRjgc9VljpoyLgIIiUyh7BxABkPX3jd4nytnsynlhLmsRbzPKD8O/s1600/screenshot.39.jpg)
- John The Ripper is able to crack two passwords:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1R7J4b3eEupXoQSP-1I_GnGI1U24Ffg6jPkAwt4wyh5CWVq8sSEYPLwHbnxBgBS07KsqBFVqCouZfNll-WkqTPLPztS0oo199CI2zCEMV1Evy3OymZScMiW8Q2Ye8Wpo9WVQ0BhZX_BdI/s1600/screenshot.40.jpg)
5 - LOW PRIVILEGE REMOTE SHELL
- The credentials w1r3s:computer allow connecting to the remote machine over SSH:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwkZiRVHKIKsi-6SSZBxJ6e0_3jmoVpiviJgoW3favzF2AgCM7Ae1nOSjm3Ii42EMwARXxBmH7kbPSrupomx7RtEZSVKhTyCucMjXzztbIAahS1wNWri6GDDlmztAilsgpBbRy3724gniA/s1600/screenshot.28.jpg)
6 - PRIVILEGE ESCALATION
- Privilege escalation is easy because the user w1r3s is a sudoer with (ALL : ALL) ALL privileges:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOz1RCCeJNR5LaA-icNW7SiK6uCS-aUk2vxlpydsORaP8BfhLd01X8gSXCaSgNfe1GZor86P7bg-JVISRWRD_eYr9D2yk8FApyPccjnN8s56yaiHQPS3rkwEqKCw9-PNLxw-vw6H8bJEHq/s1600/screenshot.29.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjo6ag7QA9UW0gjbQNy8T_Mk2gezQorrqNdDiFPJt-QY7kDzUBVnwHzFFMeraw_W1czMXCC6Uy74Y-RNMQPSHVuQVZ2ECLZOQQEJZyjQggIQBUUgbTGUHJYtTtQBtsakhpmKkemrVT8hPQ4/s1600/screenshot.30.jpg)
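An entry like w1r3s ALL=(ALL : ALL) ALL is exactly what a sudoers audit should flag. The Python below is an added example (not the post's own code) that parses sudoers user specifications and lists principals with unrestricted sudo; the sample sudoers content is constructed, and only the w1r3s line mirrors what the post reports.

```python
# Audit sudoers user specifications for unrestricted entries such as
# 'w1r3s ALL=(ALL : ALL) ALL', which let the account run any command as any
# user and so become root at will. Added example, not the post's code;
# SAMPLE_SUDOERS is constructed and only the w1r3s line mirrors the post.
import re

# who  hosts=(runas_user[:runas_group]) [TAG:...] command[, command...]
SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)
SKIP = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")

def parse_sudoers(text: str) -> list[dict]:
    """Parse user-specification lines, ignoring comments, blanks and
    alias/Defaults lines. A missing (runas) part means root, as in sudo."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP):
            continue
        m = SPEC.match(line)
        if not m:
            continue
        runas = (m["runas"] or "root").replace(" ", "")
        tags = {t for t in m["tags"].replace(" ", "").split(":") if t}
        entries.append({
            "who": m["who"],
            "runas_user": runas.split(":")[0],  # "" when only (:group) is given
            "nopasswd": "NOPASSWD" in tags,
            "commands": [c.strip() for c in m["cmds"].split(",")],
        })
    return entries

def unrestricted(entries: list[dict]) -> list[str]:
    """Principals other than root allowed to run ALL commands as root or ALL."""
    return [e["who"] for e in entries if e["who"] != "root"
            and "ALL" in e["commands"] and e["runas_user"] in ("ALL", "root")]

SAMPLE_SUDOERS = """\
Defaults   env_reset
root       ALL=(ALL:ALL) ALL
%admin     ALL=(ALL) ALL
w1r3s      ALL=(ALL : ALL) ALL
backup     ALL=(root) NOPASSWD: /usr/bin/rsync
www-data   ALL=(ALL) /usr/sbin/service apache2 restart
"""

if __name__ == "__main__":
    for who in unrestricted(parse_sudoers(SAMPLE_SUDOERS)):
        print("unrestricted sudo for", who)
```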
- Getting a root shell:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi987mzmZgjmfKY4kszH8xPqIiM-ZxQVkcuNOlR01e5DbWTqH_xNU55UyqTNV0diLheca9aEdadGM7VqTH57e73t0F5bexWevH8XLp1C8s1N-_TXaIDNoGzDjVV3izn482vzBz4u4ZsCjDq/s1600/screenshot.31.jpg)
7 - CAPTURING THE FLAG
- Reading flag.txt:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgccCktzA6tXfiJyU4twmIWXW8tZ9hNJfZv7IvKFLcQxI2mWCZIj7GxM3wVj0wkQRUw-2IpRudKye8I41Ml2fPqM35uolygQv61i6fadAX_UG4lzzXRS1pz7tbT4-iqefOs_ZC4IszB7XMb/s640/screenshot.32.jpg)