Proving Grounds Play: Loly Walkthrough

Sanaullah Aman Korai
4 min read · Aug 30, 2023

In this penetration testing scenario, the target machine with IP address 192.168.222.121 was assessed for vulnerabilities and exploited, first for an initial foothold and then for root. The following steps were taken:

Initial Reconnaissance:

  • A full TCP port scan with Nmap (all 65535 ports, as the closed/filtered counts below add up to) found only port 80 (HTTP) open on the target machine.
Nmap scan report for 192.168.222.121
Host is up (0.15s latency).
Not shown: 65352 closed tcp ports (conn-refused), 182 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.10.3 (Ubuntu)
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Welcome to nginx!
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.72 seconds
  • The HTTP service was identified as nginx 1.10.3 on Ubuntu, the version packaged with Ubuntu 16.04, which already hints at an older 4.4-series kernel worth checking later.

Web Server Enumeration:

  • Web directories were fuzzed to identify interesting paths (the output below is in feroxbuster's line/word/byte-count format).
200      GET       25l       69w      612c http://192.168.222.121/
301 GET 7l 13w 194c http://192.168.222.121/wordpress => http://192.168.222.121/wordpress/
301 GET 7l 13w 194c http://192.168.222.121/wordpress/wp-content => http://192.168.222.121/wordpress/wp-content/
301 GET 7l 13w 194c http://192.168.222.121/wordpress/wp-admin => http://192.168.222.121/wordpress/wp-admin/
301 GET 7l 13w 194c http://192.168.222.121/wordpress/wp-includes => http://192.168.222.121/wordpress/wp-includes/
  • The /wordpress path was discovered and explored further.

WordPress Enumeration:

  • WPScan was run against the WordPress installation and then used to brute-force the login with a wordlist.
  • A valid credential pair was found: username loly, password fernando.
[!] Valid Combinations Found:
| Username: loly, Password: fernando

Unauthorized Access and Web Shell:

  • The credentials gave access to the WordPress admin panel.
  • A file-upload feature available to the administrator was abused to upload a PHP reverse shell script.
  • A listener was started on the attacking host, the uploaded script was requested, and the resulting reverse shell gave an initial foothold on the target.

User Access and Privilege Escalation:

  • The user flag was collected after gaining access.
  • The wp-config.php file revealed additional credentials: it stores the WordPress database user and password in clear text (DB_USER, DB_PASSWORD), and such passwords are always worth testing for reuse against local accounts.

Kernel Vulnerability Exploitation:

  • The target machine's kernel version was identified as vulnerable to CVE-2017-16995, a sign-extension bug in the eBPF verifier (check_alu_op in kernel/bpf/verifier.c) that lets an unprivileged local user corrupt kernel memory.
  • An exploit for CVE-2017-16995 was downloaded and transferred to the target machine.
  • The exploit was compiled and executed, resulting in privilege escalation to root. A kernel exploit of this kind can crash the target, so it is best tried after the cheaper paths (credential reuse, sudo rules, SUID binaries) have been ruled out.
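Before transferring a kernel exploit it pays to confirm that the target actually matches it. The triage below is an added example, not code from the original post: it parses an Ubuntu-style `uname -r` string, compares the ABI number against the patched release, and refuses to recommend the exploit when `kernel.unprivileged_bpf_disabled` is set, because the CVE-2017-16995 exploit loads an eBPF program as an unprivileged user and that sysctl makes the bpf() syscall fail with EPERM. The patched ABI 4.4.0-116 is an assumption taken from the title of Exploit-DB 44298; confirm the exact range against the vendor advisory for your target, and note that the page itself does not give the kernel version it found.

```python
"""Triage a target's kernel for CVE-2017-16995 before transferring an exploit.

Added example, not from the original post. Assumptions: an Ubuntu-style
`uname -r` string, and that the Ubuntu 16.04 fix shipped in ABI 4.4.0-116
(the threshold used in the title of Exploit-DB 44298); confirm the exact
range against the vendor advisory for your target.
"""
import re

PATCHED_ABI = (4, 4, 0, 116)  # assumption, see module docstring
ABI_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)-(\w+)$")


def parse_uname(uname_r):
    """'4.4.0-31-generic' -> (4, 4, 0, 31); None for non-Ubuntu strings."""
    m = ABI_RE.match(uname_r.strip())
    return tuple(int(x) for x in m.groups()[:4]) if m else None


def triage(uname_r, unprivileged_bpf_disabled):
    """Decide whether the CVE-2017-16995 exploit is worth transferring.

    `unprivileged_bpf_disabled` is the value of
    `sysctl -n kernel.unprivileged_bpf_disabled` on the target. The exploit
    loads an eBPF program through bpf(BPF_PROG_LOAD) as an unprivileged user,
    which the kernel refuses (EPERM) when that sysctl is 1.
    Returns (worth_trying, reason).
    """
    abi = parse_uname(uname_r)
    if abi is None:
        return False, "not an Ubuntu ABI string; match the CVE range by hand"
    if abi[:3] != (4, 4, 0):
        return False, "not a 4.4.0 Ubuntu kernel; this exploit build targets 4.4.0-x"
    if abi >= PATCHED_ABI:
        return False, f"ABI {abi[3]} >= {PATCHED_ABI[3]}: verifier fix present"
    if unprivileged_bpf_disabled != 0:
        return False, "kernel.unprivileged_bpf_disabled=1: bpf() needs CAP_SYS_ADMIN"
    return True, f"4.4.0-{abi[3]} with unprivileged bpf enabled: try it (can crash the box)"


if __name__ == "__main__":
    # Constructed inputs standing in for `uname -r` and the sysctl read on the target.
    for uname_r, bpf in (("4.4.0-31-generic", 0), ("4.4.0-31-generic", 1),
                         ("4.4.0-116-generic", 0), ("5.15.0-78-generic", 0)):
        print(uname_r, bpf, triage(uname_r, bpf))
```

Run `uname -r` and `sysctl -n kernel.unprivileged_bpf_disabled` in the foothold shell and feed both values to `triage`; a False result with the sysctl reason means the exploit will fail at program load no matter how old the kernel is.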

Root Access Achieved:

  • With the successful execution of the privilege escalation exploit, root access to the target machine was obtained.

Remediations and Recommendations:

  • Rate-limit or lock out repeated failed logins to wp-login.php and xmlrpc.php (a security plugin or a web-server rule) so that password brute force is slow and noisy instead of free.
  • Regularly update WordPress, plugins, and themes to the latest versions.
  • Enforce strong password policies for all user accounts; a single dictionary word such as "fernando" falls to a wordlist in minutes.
  • Limit the use of default or easily guessable usernames, bearing in mind that WordPress discloses author usernames by default, so the username alone is not a secret.
  • Disable file modification from the dashboard (DISALLOW_FILE_MODS, or at least DISALLOW_FILE_EDIT, in wp-config.php) so a compromised administrator account cannot upload or edit PHP; validate and restrict upload types, and serve the uploads directory without PHP execution.
  • Keep the kernel and the entire system up to date with security patches; the CVE-2017-16995 escalation needed nothing beyond an unpatched kernel and a local shell, and setting kernel.unprivileged_bpf_disabled=1 also blocks this class of eBPF verifier exploit for unprivileged users.
  • Regularly audit and assess system vulnerabilities using vulnerability management tools.
  • Implement proper access controls to limit user privileges.
  • Regularly review and update permissions for sensitive files and directories, in particular wp-config.php, which holds the database credentials in clear text.
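The brute-force step above (WPScan finding loly:fernando) and the first recommendation are two sides of the same event, and both leave a clear trace in the nginx access log: a burst of POSTs to the login endpoints from one address, followed by a 302 once a password works (WordPress re-renders the form with a 200 on failure and redirects on success). The detector below is an added example, not code from the original post or from WPScan: it parses nginx's default combined log format, flags any source that exceeds a sliding-window count of login POSTs, and reports the first successful login from that source so a responder knows whether the attack worked. The log lines are constructed, and the /wordpress/ prefix and WPScan user-agent string are assumptions matching this target.

```python
"""Flag WordPress login brute-forcing in nginx access logs.

Added example, not from the original post. Assumptions: the site lives
under /wordpress/ as on this target, and the log is nginx's default
"combined" format. The sample log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Endpoints a WPScan-style password attack POSTs to: the login form, and
# XML-RPC, where system.multicall lets one request test many passwords.
LOGIN_PATHS = ("/wordpress/wp-login.php", "/wordpress/xmlrpc.php")

# Constructed sample: 25 failed logins (200) then one success (302) from a
# single IP within 26 seconds, plus a legitimate user logging in three times
# over ten minutes and then browsing the dashboard.
_WPSCAN_UA = "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
SAMPLE_LOG = (
    [f'192.168.222.50 - - [30/Aug/2023:10:00:{s:02d} +0000] '
     f'"POST /wordpress/wp-login.php HTTP/1.1" 200 3245 "-" "{_WPSCAN_UA}"'
     for s in range(25)]
    + [f'192.168.222.50 - - [30/Aug/2023:10:00:25 +0000] '
       f'"POST /wordpress/wp-login.php HTTP/1.1" 302 0 "-" "{_WPSCAN_UA}"']
    + [f'10.0.0.5 - - [30/Aug/2023:10:{m:02d}:00 +0000] '
       f'"POST /wordpress/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'
       for m in (1, 5, 9)]
    + ['10.0.0.5 - - [30/Aug/2023:10:09:01 +0000] '
       '"GET /wordpress/wp-admin/ HTTP/1.1" 200 15210 "-" "Mozilla/5.0"']
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    rec["status"] = int(rec["status"])
    return rec


def login_posts(lines):
    """Yield parsed POST records aimed at a login endpoint."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in LOGIN_PATHS:
            yield rec


def find_bruteforce(lines, threshold=20, window_s=60):
    """Return {ip: total_login_posts} for every IP that sends more than
    `threshold` login POSTs inside some sliding window of `window_s` seconds."""
    per_ip = defaultdict(list)
    for rec in login_posts(lines):
        per_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Shrink the window from the left until it spans <= window_s.
            while (stamps[end] - stamps[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = len(stamps)
                break
    return flagged


def first_success(lines, ip):
    """Timestamp of the first login POST from `ip` that got a 302 (WordPress
    redirects on success, re-renders the form with 200 on failure), or None."""
    for rec in login_posts(lines):
        if rec["ip"] == ip and rec["status"] == 302:
            return rec["ts"]
    return None


if __name__ == "__main__":
    for ip, n in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} login POSTs, first success at {first_success(SAMPLE_LOG, ip)}")
```

Point `find_bruteforce` at `/var/log/nginx/access.log` lines instead of `SAMPLE_LOG` to run it on a real server; the 20-per-minute default is far below what WPScan produces and far above what a human typing passwords does, and any flagged IP with a non-None `first_success` is a compromised account, not just an attempt.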
