$ nmap -p- --min-rate 4000 192.168.197.174
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-04 21:06 +08
Nmap scan report for 192.168.197.174
Host is up (0.17s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8888/tcp open sun-answerbook
Just 2 ports on the website.
Web Enumeration -> WP Creds
Port 80 shows a Wordpress site:
Port 8888 on the other hand shows a phpMyAdmin instance:
When we view the page source of port 8888, there is indication of the version running:
This version is vulnerable to an RCE exploit that requires credentials, which we'll keep in mind for now:
Default credentials don't work with this site. Since there was a Wordpress site available, we can use wpscan for some basic enumeration. There was loads of output, but I found this one vulnerability to be the most interesting for now.
The rest of the exploits required some form of credentials to exploit, except for this one. To make this work, we just need to visit this site:
The web page then reveals some credentials:
We seem to be an intern at Shiftdel, and it coincides with wpscan returning intern as a valid user:
With these credentials, we can login to the dashboard and begin checking out the other vulnerabilities:
Arbitrary File Deletion -> RCE
wpscan revealed many different types of exploits, including an authenticated RCE. However, since we aren't the administrator of Wordpress, it's unlikely that we can directly get RCE through WP. So, I turned my attention towards exploiting phpMyAdmin.
Out of all the exploits that are available, it seemed that the Arbitrary File Delete works:
When run on the localhost, it causes the Wordpress instance to start crashing since wp-config.php no longer exists and the website cannot do anything without it. Searching more about this file deletion led me to this blog:
To exploit this, we can use the instructions given in the JS file. This involves using the Developer Console and pasting some code within it. Afterwards, we can just execute the function as required:
Once deleted, this kind of breaks the entire website. It just returns source code:
Using this, we can view the wp-config.php file since the website is no longer executing PHP:
Using this password, we can achieve RCE on phpMyAdmin:
We can then get a reverse shell:
Grab the user flag.
Privilege Escalation
Path Hijack -> Root Shell
I ran a linpeas.sh scan and it found this:
There's a wpclean thing running periodically on the machine. Here's the contents of that script:
First thing I noticed was that this was using a custom HOME variable, which is included in the PATH variable as the first directory and the fact that www-data can write to their HOME directory. The rm binary they execute here does not have the full path, so we can create our own rm file that gives a reverse shell when executed.
Here's the contents of my reverse shell:
Run these commands:
Then, set up a listener port and wait for a few minutes. Eventually, we'll get a root shell:
$ curl http://192.168.197.174/wp-config.php
<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the
* installation. You don't have to use the web site, you can
* copy this file to "wp-config.php" and fill in the values.
*
* This file contains the following configurations:
*
* * MySQL settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://codex.wordpress.org/Editing_wp-config.php
*
* @package WordPress
*/
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');
/** MySQL database username */
define('DB_USER', 'wordpress');
/** MySQL database password */
define('DB_PASSWORD', 'ThinnerATheWaistline348');
/** MySQL hostname */
define('DB_HOST', 'localhost');
/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');
/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');
<TRUNCATED>
