TRYHACKME | JACK

m3t3hn
6 min read · Oct 24, 2022

Compromise a web server running Wordpress, obtain a low privileged user and escalate your privileges to root using a Python module.

jack
https://tryhackme.com/room/jack#

1.0 introduction

First of all we need to start the machine and add jack.thm to /etc/hosts (as noted in the room description). You can edit it with any text editor.

hosts

1.1 scanning

After making the adjustments, we analyze the services running on the target machine with an nmap scan. The nmap command and the output are as follows.

nmap -A -T4 -p- <ip_addr> -vvv

nmap output

We see that the default SSH and HTTP ports are open. A quick look shows that the wp-admin page is accessible, so it is clear that WordPress is running on port 80. Browsing the website, we find nothing but a single post, so nothing useful there.

When we enter the wp-admin page, it redirects us to the wp-login.php page because we are not admin lmao ¯\_(ツ)_/¯

Anyway, naturally we first try a login as the user jack, which is also the name of our room.

The error tells us that the user “jack” exists. The username is also visible on the blog itself.

Before brute-forcing the password of the jack user, we move to the information gathering stage with wpscan.

1.2 enumeration

We run a simple wpscan scan for user enumeration and the like.

sudo wpscan --url http://jack.thm --enumerate u

Examining the resulting output, we get information about three users and about xmlrpc.

So, we take our notes and set up a password brute-force attack against those users.

For this chall, we use fasttrack.txt as the wordlist because rockyou.txt would take a very long time (14,341,564 combinations for each user).

wpscan --url http://jack.thm/wp-login.php --usernames usernames.txt --passwords fasttrack.txt

After 1–2 minutes we get a valid password for the user wendy.

Hooray! we are on the dashboard.

1.3 exploitation

So, once logged in, we realise that we are not an admin. The first guess, of course, is a WordPress PrivEsc.

After browsing the internet for a while, we find an exploit that manipulates the user role. Unfortunately it does not work in our case as-is, but there are still things we can take from this exploit.

If we analyze the Ruby script, we see that the request carries the ‘ure_other_roles’ parameter, which is worth a try! To do this, we capture and manipulate the request with Burp. This is the request before we change it.

We add the parameter we discovered earlier.

After editing and submitting everything, our user has been successfully promoted to admin.

I intend to get a reverse shell using the tab on the left where we can manage plugins and users.

We add a one-liner reverse shell to the Akismet plugin source code via the plugin editor and listen with nc on the corresponding port on the attacker machine.

We’ve prepared everything, all we have to do is activate the plugin.

And bingo!

To make the terminal more interactive:

export TERM=xterm

python3 -c 'import pty;pty.spawn("/bin/bash")'

First of all, of course, we go to the home folder and look at the readable files. Here user.txt greets us.

We also have another file called reminder.txt.

Following the backups hint in the message, we look in the /var/backups folder and find an id_rsa file among the backups.

After recreating the file on the attacker system and setting the required permissions (chmod 600 id_rsa), we connect as the jack user via SSH.

1.4 PrivEsc

In this part, my machine shut down and I do not understand why. Besides, it still had time. I had to redo the previous two steps. ¯\_(ツ)_/¯

I think this is the summary of the love-hate relationship between hacking and me.

Anyway, I couldn’t find anything useful in this part, even though I searched the system manually and via linpeas. After some thought and getting a hint from the challenge, I decided to examine the python processes with the pspy64 tool. Output below.

pspy output

Here we see that the checker.py file under /opt/statuscheck is run with UID=0, i.e. root, and writes its output to the output.log file.

When we examine checker.py, we see that it only uses the “os” module.

Actually, I didn’t understand how to make a modification based on the outputs I received before, but after I did some research and rested, I decided to check the files under /usr/lib.

We have multiple options here, one os.py per installed Python version. The plan is to get a reverse shell by modifying the os.py file: since root imports it, the shell will run as root and we will have root access.
We start with the python2.7 one.

python reverse shell

After adding our reverse shell to the bottom of the os.py file, we save it and wait on the attacker machine for the shell to drop. (quick rest)
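The root step above only works because a library that a root-run script imports is writable by an unprivileged user. As an added defender-side check (my own script, not part of the original writeup or the room), the following scans a list of library directories (by default the running interpreter's sys.path) and reports every file or directory that is world-writable; demo() builds a constructed temporary directory with a correctly permissioned module next to a world-writable os.py to show what a hit looks like.

```python
import os
import stat
import sys
import tempfile


def world_writable_entries(paths):
    """Return every file or directory under the given library paths whose
    mode grants write access to 'other' (i.e. any local user). A root-run
    script importing from such a path can be hijacked, which is exactly
    the os.py trick used in this room."""
    findings = []
    for base in paths:
        if not os.path.isdir(base):
            continue  # zip entries and stale paths are skipped
        for root, dirs, files in os.walk(base):
            for name in dirs + files:
                path = os.path.join(root, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # vanished or unreadable; skip it
                if stat.S_ISLNK(st.st_mode):
                    continue  # judge the target, not the link itself
                if st.st_mode & stat.S_IWOTH:
                    findings.append(path)
    return sorted(findings)


def audit_sys_path():
    """Check the import path of the interpreter running this script."""
    return world_writable_entries([p for p in sys.path if p])


def demo():
    """Constructed example: a temporary 'library' directory holding a
    correctly permissioned module and a world-writable os.py."""
    libdir = tempfile.mkdtemp(prefix="pylib_demo_")
    ok_module = os.path.join(libdir, "sys_ok.py")
    bad_module = os.path.join(libdir, "os.py")
    for module in (ok_module, bad_module):
        with open(module, "w") as fh:
            fh.write("# placeholder module\n")
    os.chmod(ok_module, 0o644)   # rw-r--r--  fine
    os.chmod(bad_module, 0o666)  # rw-rw-rw-  anyone can plant code here
    return world_writable_entries([libdir])


if __name__ == "__main__":
    for hit in demo() + audit_sys_path():
        print("world-writable:", hit)
```

Run it as the cron job's interpreter (here python2.7 would be the one to check) so that sys.path matches what the root task actually imports.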

And bingo!! We succeed on our first try. I guess I forgive the machine for earlier cases…

Thanks for reading, and thanks to TryHackMe for this chall!

Keep hacking!!!
