This post contains the steps to get a root shell on the bWAPP VM.
As always, we need to discover where the machine is on our network. To do so, let’s use Nmap:
After getting the IP address (192.168.1.10), we need to do some fingerprinting.
Fig. Nmap scan result
A lot of services were open, such as VNC, FTP, etc.
As I saw it in the scan report, I decided to scan port 80 with Nikto.
Fig. Nikto report on port 80 (HTTP)
Moreover, I launched DirBuster to enumerate folders/documents.
Fig. Launching DirBuster on port 80
Finally, I checked the FTP service (ProFTPD 1.3) and was able to connect as an anonymous user. We only had access to a folder full of PDF documents.
Fig. Anonymous access on FTP Server
Thanks to the DirBuster results, I saw that the /webdav/ folder (accessible through HTTP) was the same folder we had reached through the FTP session.
Let’s talk now about the exploitation.
I started with the VNC service, using Hydra to crack the password:
Fig. Checking that VNC uses default password
The output was clear: the password was the default one. We were able to connect using vncviewer and we were … r00t.
Fig. Root access through VNC
Then, I extracted /etc/shadow:
I decided to crack it with John the Ripper and, using the d4rkc0de.lst wordlist, I cracked 4 hashes:
We could log in as root and had full access to the server.
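As an added example (not code from the original post), here is a small Python audit of the kind a defender would run on their own shadow file after reading the step above: it parses shadow-format lines and flags accounts whose password field is empty or uses a fast legacy hash (DES, md5crypt), which is exactly what John chews through quickly. The sample lines and hash values are constructed placeholders, not the VM's real file.

```python
import re

# Constructed sample /etc/shadow lines (placeholder hashes, not the VM's
# real file) covering the password-field formats an auditor will meet.
SAMPLE_SHADOW = """\
root:$1$abcdefgh$0123456789abcdefghijkl:15000:0:99999:7:::
bee:$6$saltsalt$hashhashhashhash:15000:0:99999:7:::
legacy:abJnggxhB/yWI:15000:0:99999:7:::
guest::15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
svc:!:15000:0:99999:7:::
"""

# Traditional DES crypt: exactly 13 characters from the crypt alphabet.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Prefix -> (scheme name, weak?). md5crypt and DES are cheap to brute-force,
# which is why a leaked shadow file with such hashes falls to John quickly.
SCHEMES = {
    "$1$": ("md5crypt", True),
    "$2a$": ("bcrypt", False), "$2b$": ("bcrypt", False), "$2y$": ("bcrypt", False),
    "$5$": ("sha256crypt", False),
    "$6$": ("sha512crypt", False),
    "$7$": ("scrypt", False),
    "$y$": ("yescrypt", False),
}

def classify_hash(field: str):
    """Return (scheme, weak) for one shadow password field."""
    if field == "":
        return ("empty", True)           # login possible without any password
    if field[0] in "!*":
        return ("locked", False)         # password login disabled for this account
    for prefix, verdict in SCHEMES.items():
        if field.startswith(prefix):
            return verdict
    if DES_RE.match(field):
        return ("des", True)
    return ("unknown", True)             # unrecognised format: needs manual review

def audit_shadow(text: str):
    """Parse shadow-format text and flag accounts whose hash is cheap to crack."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue                     # malformed line, skip it
        scheme, weak = classify_hash(fields[1])
        findings.append({"user": fields[0], "scheme": scheme, "weak": weak})
    return findings

if __name__ == "__main__":
    for f in audit_shadow(SAMPLE_SHADOW):
        print(f"{f['user']:<8} {f['scheme']:<12} {'WEAK' if f['weak'] else 'ok'}")
```

Run it against a real file with `audit_shadow(open("/etc/shadow").read())` as root; every account reported WEAK should get a rehash with a modern scheme or be locked.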
As we saw, we have FTP access to a folder that is also accessible through HTTP, so we can upload a (PHP) backdoor.
Fig. Checking that WebDAV was enabled
Fig. Uploading our backdoor to the server
The backdoor is then accessible in that folder.
Accessing it gives us access to the server (though only a limited shell), so this was not really interesting compared to the other vulns.
Fig. Executing commands with our Backdoor
Everybody has heard about Heartbleed, and bWAPP integrates a vulnerable version of OpenSSL. You can therefore practice it and try all the scripts that have been released on the internet.
Fig. Configuring Heartbleed on port 8443
Fig. Exploiting Heartbleed
For this experiment, I wanted to have fun with Metasploit’s module, but try the one you prefer. You can also give it a try to steal private keys :–).
The last step was to exploit the SNMP service. First, I brute-forced the login and we found two (default) logins:
Fig. Bruteforcing SNMP Logins
Then, we exploited the service to gather a lot of information, such as the computer name, the processes running on the system, etc. This is basically due to a (default and insecure) installation of the SNMP service.
Fig. Exploiting SNMP Service
I only checked the VM for a few hours, and it contains a lot of (interesting) exercises to practice with. I exploited some of the flaws, but there are many more, so this write-up is not exhaustive.
Feel free to exploit this VM the way you prefer :–) Cheers,