Vulnhub.com: w1r3s Walkthrough

dorian5
3 min read · Feb 17, 2021


Today we are working on w1r3s, a head-scratcher of a boot-to-root from creator SpecterWires rated beginner/intermediate. Typically, when I solve a box without any assistance I will post my walkthrough without looking at anyone else’s. The idea is to own my solution and not be tempted to alter my writeup should I find someone else’s solution that looks cleaner or more efficient. I will stick to that rule, but I’m definitely not sure if I found the intended path to root. Please drop me a comment if you discovered a different path.

Initial Enumeration

Our nmap scans reveal plenty of interesting stuff. I started with the anonymous ftp. The only file that seemed even potentially useful was employee-names.txt, while the rest of the files were mostly to troll us. Moving on, I attempted to remotely connect to mysql, but had no luck with that.

no sql for you…

I finally moved on to http enumeration. The home page is just the default apache2 page. I then attempted to dirbuster the site with multiple wordlists. I found a /wordpress folder, but it was nearly the default install. I also found an /administrator folder that is a Cuppa CMS installation, but the setup of the application wasn’t even complete.

SSH Brute Force

At this point I was pretty much stumped, so while I tried to think of other ideas, I thought I would kick off a brute force of ssh. I happened to notice that when the VM boots it defaults to user “w1r3s”. Maybe this is cheating a bit, but it isn’t much of a leap to think that the box name could also be a user. I kicked off a hydra session and almost immediately got a hit.

So all those open ports and applications were just rabbit holes? The fact that the password was so close to the beginning of rockyou.txt suggests the box creator intended this to be the actual method of gaining a foothold, or else the hydra session would have taken days to find the password (or months with my slow computer). At any rate we have ssh access to the box.
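Added example, not part of the original walkthrough: how the password-guessing run described above looks from the defender's side. It flags an accepted SSH password login that follows a burst of failures from the same source IP; the log lines, addresses, threshold, window and year are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH's syslog format (not captured from the box).
SAMPLE_LOG = """\
Feb 17 10:00:01 w1r3s sshd[1201]: Failed password for w1r3s from 192.168.56.101 port 40102 ssh2
Feb 17 10:00:02 w1r3s sshd[1203]: Failed password for w1r3s from 192.168.56.101 port 40104 ssh2
Feb 17 10:00:02 w1r3s sshd[1205]: Failed password for w1r3s from 192.168.56.101 port 40106 ssh2
Feb 17 10:00:03 w1r3s sshd[1207]: Failed password for w1r3s from 192.168.56.101 port 40108 ssh2
Feb 17 10:00:04 w1r3s sshd[1209]: Failed password for w1r3s from 192.168.56.101 port 40110 ssh2
Feb 17 10:00:05 w1r3s sshd[1211]: Failed password for invalid user admin from 192.168.56.101 port 40112 ssh2
Feb 17 10:00:06 w1r3s sshd[1213]: Accepted password for w1r3s from 192.168.56.101 port 40114 ssh2
Feb 17 11:30:10 w1r3s sshd[1302]: Failed password for w1r3s from 192.168.56.1 port 51000 ssh2
Feb 17 11:30:20 w1r3s sshd[1304]: Accepted password for w1r3s from 192.168.56.1 port 51002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def find_guessed_logins(log_text, threshold=5, window=timedelta(minutes=5), year=2021):
    """Return (ip, user, failures) for every accepted password login that was
    preceded by at least `threshold` failures from the same IP within `window`."""
    failures = defaultdict(deque)  # source IP -> timestamps of recent failures
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so one is assumed (parameter `year`).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        recent = failures[m["ip"]]
        while recent and ts - recent[0] > window:
            recent.popleft()  # drop failures that fell out of the window
        if m["result"] == "Failed":
            recent.append(ts)
        elif len(recent) >= threshold:
            # Success right after a burst of failures: a guess likely landed.
            hits.append((m["ip"], m["user"], len(recent)))
            recent.clear()
    return hits

if __name__ == "__main__":
    print(find_guessed_logins(SAMPLE_LOG))
```

The single failure followed by a success from 192.168.56.1 is treated as a mistyped password and is not flagged.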

Privilege Escalation

Once gaining a foothold, my first check is usually for sudo privileges.

It seems user w1r3s has all sudo privileges?!?!?!

That’s it. I’m still not sure if I found the intended foothold and path to root. Was the creator just trolling us with this box? Drop me a comment with what you found. Thanks for reading.
