PORT STATE SERVICE VERSION
80/tcp open http Apache httpd
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Apache
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
443/tcp open ssl/http Apache httpd
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.27.81
| Found the following possible CSRF vulnerabilities:
|
| ...
|
| Path: https://10.10.27.81:443/wp-login.php
| Form id: loginform
|_ Form action: https://10.10.27.81:443/wp-login.php
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Apache
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_sslv2-drown:
Apparently we're dealing with an Apache web server on both ports. Visiting the websites they appear to be the same with the only visible difference being that one is hosted via SSL (https - default on port 443).
As there are no other open tcp ports, we will start enumerating the web server on port 80.
From the nmap scan we already know that we might find a wordpress site, as the http-csrf script yielded a wp-login.php.
Service Enumeration
Before starting manual enumeration, we start gobuster to search for any interesting directories or files. While this runs, we can have a first look around the website.
gobuster dir -w /usr/share/wordlists/dirb/common.txt -u http://10.10.27.81
Opening the website we are greeted with a minimal interactive terminal in Mr. Robot (a tv-series) style.
The source code doesn't look very interesting at first glance and the available commands lead us to video sequences and pictures that match the Mr. Robot theme. Even though we have some sort of interaction, we can't seem to break out of the pre-scripted behaviour. Having looked around long enough however, we can already see that gobuster came up with some interesting things.
Going through the found items, the first result (/0/) already confirms our assumption of a wordpress site.
Sifting through the other items we get either the same view, back to the Mr. Robot themes or a forbidden. The source code never seems to contain any hints, comments or interesting code.
However, robots.txt contains interesting information for us.
There's also a readme file, which does not give us anything useful. So from the robots.txt we can deduce that there might be a fsocity.dic and key-1-of-3.txt . And indeed, we can download fsocity.dic which looks like a wordlist and read the contents of the first key for the TryHackMe challenge:
Before moving on, we can use wpscan to extract a few more details about the wordpress site such as the version and possibly vulnerable themes.
wpscan -e --url http://10.10.27.81/
[+] Headers
| Interesting Entries:
| - Server: Apache
| - X-Mod-Pagespeed: 1.9.32.3-4523
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] robots.txt found: http://10.10.27.81/robots.txt
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://10.10.27.81/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] The external WP-Cron seems to be enabled: http://10.10.27.81/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.3.1 identified (Insecure, released on 2015-09-15).
| Found By: Emoji Settings (Passive Detection)
| - http://10.10.27.81/4d88fdd.html, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=4.3.1'
| Confirmed By: Meta Generator (Passive Detection)
| - http://10.10.27.81/4d88fdd.html, Match: 'WordPress 4.3.1'
[+] WordPress theme in use: twentyfifteen
| Location: http://10.10.27.81/wp-content/themes/twentyfifteen/
| Last Updated: 2021-07-22T00:00:00.000Z
| Readme: http://10.10.27.81/wp-content/themes/twentyfifteen/readme.txt
| [!] The version is out of date, the latest version is 3.0
| Style URL: http://10.10.27.81/wp-content/themes/twentyfifteen/style.css?ver=4.3.1
| Style Name: Twenty Fifteen
| Style URI: https://wordpress.org/themes/twentyfifteen/
| Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, st...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In 404 Page (Passive Detection)
|
| Version: 1.3 (80% confidence)
| Found By: Style (Passive Detection)
| - http://10.10.27.81/wp-content/themes/twentyfifteen/style.css?ver=4.3.1, Match: 'Version: 1.3'
Knowing the version (WordPress 4.3.1) and installed themes (twentyfifteen - Version: 1.3) we could come back to search wordpress CVEs in case we don't find another way in. Since we already have a wordlist and the accessible wordpress login page though, we will concentrate on that first.
Initial Access
Having no other open ports and no more interesting things to look at on the web site we can try to gain access via the wordpress login. We start by enumerating valid usernames (we get different errors for wrong password + invalid user and wrong password + valid user).
After trying many different possibilities like user (as in the wordpress site), admin (default credentials) and mrrobot (names from the video) we finally get a hit on Elliot - the name of the main protagonist from the Mr. Robot series - which can also be found in the wordlist that we found earlier.
Valid wordpress username: Elliot
Next, we need to find the password. After finding the username in the provided wordlist, we might be able to use it for the password too.
In order to keep the wordlist as small as possible, we should always check for any abundant lines first:
This way we can reduce the size of the wordlist from 7MB to 95KB! Now on to the brute-force part.
Although brute-forcing tools for wordpress logins exist already (even as metasploit modules), I took it as a challenge to write my own (faster than the usual) brute-forcer. Any other tool should work too though.
While brute-forcing the basic login page is possible (no fail-to-ban active), it's also slow and very intrusive. But there's a second way we can check for credentials: xmlrpc (XML Remote Procedure Call), which we saw being active during the nmap scan.
Based on this article I developed a multithreaded brute-forcer in python that can be found on my GitHub:
https://github.com/Cr4ckC4t/paws/blob/master/xmlrpc-bf.py
Using this script, we can finally brute-force the login and retrieve Elliots password. (The target IP changed due to a restart in the meantime.)
Valid wordpress credentials: Elliot:ER28-0652
Having access to the admin panel, we can start to look around for other users, deleted articles and other things but don't find anything particularly interesting. However, with access to the theme editor we can now easily drop a web- or reverse shell, as is explained in detail here: https://www.hackingarticles.in/wordpress-reverse-shell/ .
We now have a (low privileged) shell on the target machine as the service accountdaemon .
Privilege Escalation
User: daemon
As daemon we are very limited in our rights. Hence, we start looking for other users on the system to pivot into. Enumerating the target manually by checking /etc/passwd and some default directories we find the user robot with a home directory accessible by everyone.
It seems we found the hash of robots password. Let's crack it with john:
john -w=/usr/share/wordlists/rockyou.txt password.raw-md5 --format=raw-md5
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 256/256 AVX2 8x3])
Press 'q' or Ctrl-C to abort, almost any other key for status
abcdefghijklmnopqrstuvwxyz (robot)
Valid user credentials: robot:abcdefghijklmnopqrstuvwxyz
Upgrading our shell to a terminal and switching to the user robot we can read the second flag and continue to escalate our privileges.
User: robot
After checking some low hanging fruits (writeable /etc/shadow, unusual cronjobs, ...) we come across an interesting SUID binary:
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
-rwsr-xr-x 1 root root 44168 May 7 2014 /bin/ping
-rwsr-xr-x 1 root root 69120 Feb 12 2015 /bin/umount
-rwsr-xr-x 1 root root 94792 Feb 12 2015 /bin/mount
-rwsr-xr-x 1 root root 44680 May 7 2014 /bin/ping6
-rwsr-xr-x 1 root root 36936 Feb 17 2014 /bin/su
-rwxr-sr-x 3 root mail 14592 Dec 3 2012 /usr/bin/mail-touchlock
-rwsr-xr-x 1 root root 47032 Feb 17 2014 /usr/bin/passwd
-rwsr-xr-x 1 root root 32464 Feb 17 2014 /usr/bin/newgrp
-rwxr-sr-x 1 root utmp 421768 Nov 7 2013 /usr/bin/screen
-rwxr-sr-x 3 root mail 14592 Dec 3 2012 /usr/bin/mail-unlock
-rwxr-sr-x 3 root mail 14592 Dec 3 2012 /usr/bin/mail-lock
-rwsr-xr-x 1 root root 41336 Feb 17 2014 /usr/bin/chsh
-rwxr-sr-x 1 root crontab 35984 Feb 9 2013 /usr/bin/crontab
-rwsr-xr-x 1 root root 46424 Feb 17 2014 /usr/bin/chfn
-rwxr-sr-x 1 root shadow 54968 Feb 17 2014 /usr/bin/chage
-rwsr-xr-x 1 root root 68152 Feb 17 2014 /usr/bin/gpasswd
-rwxr-sr-x 1 root shadow 23360 Feb 17 2014 /usr/bin/expiry
-rwxr-sr-x 1 root mail 14856 Dec 7 2013 /usr/bin/dotlockfile
-rwsr-xr-x 1 root root 155008 Mar 12 2015 /usr/bin/sudo
-rwxr-sr-x 1 root ssh 284784 May 12 2014 /usr/bin/ssh-agent
-rwxr-sr-x 1 root tty 19024 Feb 12 2015 /usr/bin/wall
-rwsr-xr-x 1 root root 504736 Nov 13 2015 /usr/local/bin/nmap
-rwsr-xr-x 1 root root 440416 May 12 2014 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 10240 Feb 25 2014 /usr/lib/eject/dmcrypt-get-device
-r-sr-xr-x 1 root root 9532 Nov 13 2015 /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
-r-sr-xr-x 1 root root 14320 Nov 13 2015 /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
-rwsr-xr-x 1 root root 10344 Feb 25 2015 /usr/lib/pt_chown
-rwxr-sr-x 1 root shadow 35536 Jan 31 2014 /sbin/unix_chkpwd
Apparently, nmap is allowed to run with root privileges which definitely isn't the default. Searching for nmap on https://gtfobins.github.io/ gives us multiple examples for privilege escalation.
We are finally able to gain root privileges on the target and can read the last flag.
Mitigations
During this box we found multiple weak points that could easily be fixed:
Disclosed sensitive information in robots.txt
Weak passwords for users (abcdefghijklmnopqrstuvwxyz is not safe)
Default configurations of wordpress allow easy enumeration and brute-force attacks (enable fail-to-ban and disable xmlrpc.php - or at least parts of it - if possible)
Too broad access rights of user files (don't allow home access to everybody)
Saved credentials on disk (weak md5 hashes should not be left in the open)
Unsafe permissions for binaries (do not allow every user to run an application as root)
