Hacking for Beginners: Exploiting Open Ports
So, last time I walked through a very simple execution of getting inside an office camera using a few scripts and an open RTSP port. This time, I’ll be building on my newfound wisdom to try and exploit some open ports on one of Hack the Box’s machines.
The previous article covered how my hacking knowledge is extremely limited, and the intention of these articles is for an audience to see the progress of a non-technical layman when approaching ethical hacking. As it stands, I fall into the ‘script-kiddie’ category – essentially a derogatory term in the cybersecurity community for someone who doesn’t possess the technical know-how to write their own hacks. Instead, I rely on others to write them for me! So, with that being said, I’ll continue to embrace my inner script-kiddie and stop wasting words on why I’m not very good at hacking.
The hacker hood goes up once again. Let’s do it.
Step 1: Network Scan
First things first, as every good hack begins, we run an NMAP scan:
You’ll notice that I’m using the –v, -A and -sV commands to scan the given IP address. NMAP and NSE has hundreds of commands you can use to scan an IP, but I’ve chosen these commands for specific reasons; to increase verbosity, to enable OS and version detection, and to probe open ports for service information.
This returns 3 open ports, 2 of which are expected to be open (80 and 443), the third is port 22 which is SSH – this certainly should not be open.
Step 2: Brute Force Attempt
So, my next step is to try and brute force my way into port 22. Brute force is the process where a hacker (me!) attempts to gain access to a device or system using a script of usernames and passwords until they essentially guess correctly to gain access.
Last time, I covered how Kali Linux has a suite of hacking tools built into the OS. One of these tools is Metasploit – an easy-to-use tool that has a database of exploits which you can easily query to see if the use case is relevant to the device/system you’re hacking into. So, let’s try it.
By searching ‘SSH’, Metasploit returns 71 potential exploits. One of which is the ssh_login auxiliary, which, for my use case, will be used to load a few scripts to hopefully login using some default credentials.
This command returns all the variables that need to be completed before running an exploit. This is the same across any exploit that is loaded via Metasploit.
So, having identified the variables needed to execute a brute force attack, I run it:
After 30 minutes of the script brute force guessing, I’m unsuccessful. Well, that was a lot of work for nothing. Back to the drawing board, I guess.
Step 3: Get Access to the Server
You'll remember from the NMAP scan that we scanned for port versions on the open ports. So, the next open port is port 80, of which, I already have the server and website versions. The simple thing to do from here would be to search for relevant exploits based on the versions I’ve found, but first I want to identify how to access the server from the back end instead of just attempting to run an exploit.
Curl is a command-line utility for transferring data from or to a server designed to work without user interaction. So, I use the client URL command ‘curl’, with the –I command to give the headlines from the client:
At this stage, I can see that the backend server of the machine is ‘office.paper’. To access this via your browser, the domain must be added to a list of trusted hosts. So, next I navigate to the host file located in /etc/hosts, and add ‘10.10.11.143 office.paper’ to my list of trusted hosts:
I now have access to the website which displays nothing more than the most basic of information. The next step is to find a way to gather something juicy, so let’s look around for something which may be worth chasing.
Step 4: Exploiting WordPress
Having established the version of the domain from the initial NMAP scan (WordPress 5.2.3), I go ahead and do some digging for a potential exploit to use. Kali Linux has a few easy tools to facilitate searching for exploits – Metasploit and Searchsploit are good examples. However, to keep things nice and simple for myself, I’m going to use Google.
Unsurprisingly, there is a list of potential exploits to use on this version of WordPress. However, given that the web page ‘office.paper’ doesn’t seem to have anything of interest on it apart from a few forums, there is likely something hidden. So, of these potential vulnerabilities, the one that applies to the service version for WordPress is CVE-2019-17671. This vulnerability allows an unauthenticated user to view private or draft posts due to an issue within WP_Query. To exploit this vulnerability, simply add ‘?static=1’ after the domain name so it reads:
I’ve now gained access to a private page on WordPress. It’s worth remembering at this point that we’re not exploiting a real system. By this, I mean that the hack itself is performed on a virtual machine for educational purposes, not to actually bring down a system. However, the steps I take in order to achieve this are actually representative of how a real hack might take place. Anyhow, I continue as Hackerman.
Step 5: Snooping
Of course, ‘snooping’ is not the technical term for what I’m about to do. However, I’m not a technical person so I’ll be using snooping as my technical term. At this point of the hack, what I’m essentially trying to do is gather as much information as I possibly can that will enable me to execute the next steps. Luckily, Hack the Box have made it relatively straightforward.
Having navigated to the hidden page, it’s easy to see that there is a ‘secret registration URL’ for internal employees at office.paper. So, I go ahead and try to navigate to this via my URL. It doesn’t work. The page tells me that the host is not trusted, so at this point, I remember that I need to give host privileges to the domain I’m trying to access – demonstrated below:
I’m now inside the internal office chat, which allows me to see all internal employee conversations, as well as the ability to interact with the chat robot. In this context, the chat robot allows employees to request files related to the employee’s computer. So, by interacting with the chat robot, I can request files simply by typing ‘chat robot get file X’.
For the purpose of this hack, I’m trying to gather username and password information so that I’m able to login via SSH. Hence, I request the files from the typical location on any given computer:
Chat robot get file ../../../../etc/passwd
Step 6: Executing SSH Login
Having now gathered the credentials to login via SSH, I can go ahead and execute the hack.
As demonstrated by the image, I’m now inside Dwight’s machine. At this point, I’m able to list all current non-hidden files by the user simply by using the ‘ls’ command. This essentially allows me to view files that I shouldn’t be able to as an external. Office.paper - consider yourself hacked:
And there we have it – my second hack! Again, this is a very low-level approach to hacking so to any proficient security researchers/pen testers, this may not be a thrilling read. However, I think it's clear to see that tangible progress is being made so hopefully as my skills improve, so will the quality of these articles!
At Iotabl, a community of hackers and security researchers is at the forefront of the business. We’re building a platform to make the industry more inclusive, accessible, and collaborative. If you’re an ethical hacker, security researcher, or IoT hobbyist, sign up for early access to the platform at www.iotabl.com.