This box is of medium to hard difficulty.
I start off by undertaken a full service scan with scripts of the IP address using Nmap.
We can see two services:
SSH on Port 22 — OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
Website on Port 80 — open http Apache httpd 2.4.18 ((Ubuntu))
We also have a robots.txt entry /wp-admin indicating that this is a Wordpress site. The above also tells us it is running Wordpress 5.3.2.
Let’s check out the website:
We can try to log into the admin using /jack.thm/wp-admin.
I tried my luck using jack as the username and password as the password. As you can see the Error Message gives away that jack is indeed a user.
I am now going to run an initial Wpscan to enumerate the site. I will use the -e flag with vp,vt and u to enumerate vulnerable plugins and themes as well as users.
From the scan we found three users:
jack, wendy, danny
Let’s see of we can bruteforce the credentials of these users. I will add these to a file for use in the bruteforce attack and call it users.txt
To start with I used the standard Rockyou.txt wordlist but got board waiting for the results and found a hint to use the fasttrack.txt wordlist. We get lucky with wendy.
We can now try and log into the word press site as wendy using these credentials.
Once logged in, there is not a lot we can do, as this is a low level user. We need to really get admin access so we can add reverse shell code to either a plugin or page. I was stuck here, so I had to get a hint which pointed to an exploit relating to the Wordpress Plugin Users Role Editor, see link below.
This seemed to indicate that there was a vulnerability in the user profile update and we could exploit this by changing the request by adding a ure_other_rolls request. We can do this using Burp Suit. So with Burp Suit fired up, let’s give it a go:
Navigate to Profile on Wordpress and add change one of the fields
In Burp Suite, turn on intercept, update profile and capture the request and move the request to Intercepter.
Add the following to the request &ure_other_roles=administrator&, just before &user_id=
Press ‘Send’, turn off Intercept and navigate to Dashboard
We now have full Admin desktop. Navigate to Plugin Editor and we will add our php reverse shell code. I am going to change the code for the Hello Dolly Plugin.
Update the Plugin.
Start a listener on port 4444, I am going to use Pwncat as it is fantastic, you can download it from the Github repository below:
Next activate the Hello Dolly Plugin on Wordpress to capture the reverse shell.
We can then capture the user flag.
Looking around the system we find a backup file in /var/backups, on investigation we also find a public key (id_rsa). I downloaded the id-rsa key with Pwncat to my local machine.
This is probably Jacks SSH public key, we can try and log into ssh as Jack.
Were in. I am going to connect back to a Pwncat shell simple because it is more flexible for post enumeration and privesc. To do this I will run a bash shell from the command line.
Checking ID information on Jack:
We can see that jack is a member of a number of groups.
I uploaded various privesc enumeration scripts but there was nothin obviousl I could see. I then uploaded pspy to check running processes to see whether there was a cron job being run by root.
Running pspy we can see the following process that looks very interesting:
After waiting a while we hit the following process:
Checking out this file:
The Python file is being run by root and calls the system library OS. From earlier enumeration using the script, we could see that there were a number of Python versions running. A quick search for the os.py file, we get:
We know from our earlier id jack command that he was a member of the Family group, so it is assumed that we are running Python2.7. We can also see that this file has read/write access.
From here there are two options to achieve root access.
Option 1: Change the permissions for the /etc/passwd file and add a root user
To do this, we will add a simple system command to the end of the code contained in the os.py file.
Save the file and wait for the cron job to run.
We can now access the /etc/passwd and add our own user and give it full root access, but first we need to create a SHA-512 hash to use.
We can then edit the /etc/passwd file using VIM.
Save the file and then su hacker and enter the password ‘hacked’
Option 2: All a reverse shell to the os.py code and open a second listener to capture the reverse shell.
Set up a nc listener on local machine and wait for the reverse shell and we have root access.
I really enjoyed this machine, may thanks to the creator.
