The following post by 0xb0b is licensed under
We start with an Nmap scan and find only two open ports: 22 and 80. We have an SSH server running on 22 and a web server on port 80.
When accessing the site, we are redirected to www.smol.thm. We have to add this to our /etc/hosts in order to reach the page.
The page looks a little unimpressive with static links. However, as we will find out later, it gives us all the information we need to obtain RCE. The page covers the topics of XSS, SSRF and RCE.
We cannot find any other VHOSTs.
The directory scan using Feroxbuster shows us that it is a WordPress site, for example through the /wp-content directories. We can also discover the Smol plugin that gives the room its name.
We continue with a WPScan and use an API key to get a detailed report including the CVEs for the detected vulnerabilities. An API key can be obtained free of charge at https://wpscan.com/.
We find two vulnerabilities in the Smol plugin: one that gives us XSS and one that gives us SSRF, which we can use to read files on the system. The pages referenced in the WPScan output also provide the payloads as a PoC; we only have to adjust the host.
As an example, the wp-config file is loaded there, which could also contain credentials. We use the SSRF example payload, read the wp-config and find the credentials for the database user wpuser.
We use those credentials to log in to WordPress as wpuser, and are successful: the database password has been reused for the WordPress account.
Under Pages we find unpublished pages. One of them talks about Dolly, a plugin whose code is to be revised, so we should check its source code. The original Dolly plugin consists of a hello.php, so that is the file we have to look for.
We use the SSRF vulnerability again and read the hello.php file.
The PHP eval() call immediately catches the eye. Its argument is base64 encoded; security by obscurity won't help here. We decode it using CyberChef and see that a part of the decoded code is encoded again. Out of laziness we use ChatGPT to decode this and see it is 'cmd'.
So we may be able to get code execution by supplying a cmd parameter wherever hello_dolly() is called. We prepare a reverse shell using busybox and encode this payload in base64.
Through trial and error we get a hit via index.php?cmd. Here we now pass our reverse shell (of course, we set up our listener first). We get a connection back and are the user www-data. A flag is not yet in sight.
Since we have the credentials of the database user, let's take a look at the database first.
Here we find password hashes for different WordPress users, among others diego, gege and xavi. We also find these users on the system.
We copy the hashes and select the matching hashcat mode (WordPress stores phpass hashes with the $P$ prefix, hashcat mode 400) to crack them using rockyou.txt. We have a hit: we can crack the hash for diego.
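To see what hashcat is doing with these hashes, here is an added example that is not part of the original post: it maps a hash prefix to the hashcat mode, reimplements the phpass portable hash that WordPress stores in wp_users, and runs a dictionary attack over a constructed stand-in for rockyou.txt. The user rows and the wordlist are constructed for the example and are not the box's real data.

```python
from __future__ import annotations

import hashlib
import secrets

# phpass, the "portable" hash used by WordPress/phpBB3/Joomla (prefix $P$ or $H$),
# is hashcat mode 400. Layout: $P$ + 1 cost char + 8-char salt + 22-char body.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def hashcat_mode(h: str) -> int | None:
    """Map a hash's prefix to the value to pass to hashcat -m."""
    prefixes = {
        "$P$": 400, "$H$": 400,                    # phpass (WordPress, phpBB3, Joomla)
        "$1$": 500,                                # md5crypt
        "$6$": 1800,                               # sha512crypt
        "$2a$": 3200, "$2b$": 3200, "$2y$": 3200,  # bcrypt
    }
    for prefix, mode in prefixes.items():
        if h.startswith(prefix):
            return mode
    return None


def _encode64(data: bytes) -> str:
    """phpass's own base64 variant (port of PasswordHash::encode64)."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_crypt(password: str, setting: str) -> str:
    """Recompute the phpass hash of `password` under the cost and salt carried
    in `setting` (the first 12 chars of a stored hash). Port of crypt_private()."""
    if setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass hash")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("bad cost character")
    salt = setting[4:12]
    if len(salt) != 8:
        raise ValueError("bad salt")
    pw = password.encode()
    h = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(1 << count_log2):  # 2^cost iterations of MD5(h || password)
        h = hashlib.md5(h + pw).digest()
    return setting[:12] + _encode64(h)


def phpass_new(password: str, count_log2: int = 13) -> str:
    """Fresh phpass hash with WordPress's default cost $P$B (2^13 rounds)."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return phpass_crypt(password, "$P$" + ITOA64[count_log2] + salt)


def crack(target: str, wordlist) -> str | None:
    """Dictionary attack. The salt is per hash, so every candidate costs 2^cost
    MD5 calls, which is why hashcat on a GPU beats a few lines of Python."""
    setting = target[:12]
    for word in wordlist:
        word = word.rstrip("\n")
        if phpass_crypt(word, setting) == target:
            return word
    return None


# Constructed wp_users rows and wordlist (stand-in for rockyou.txt), not the box's data.
SAMPLE_USERS = {
    "diego": phpass_new("sunshine1"),
    "gege": phpass_new("correct-horse-battery"),
}
SAMPLE_WORDLIST = ["123456", "password", "sunshine1", "qwerty"]

if __name__ == "__main__":
    for user, h in SAMPLE_USERS.items():
        print(user, h, "hashcat -m", hashcat_mode(h), "->", crack(h, SAMPLE_WORDLIST))
```

Only diego's constructed password is in the wordlist, so the script cracks diego and reports nothing for gege, which mirrors the outcome with rockyou.txt above.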
This password has been reused on the system. We can switch to the user diego using su. We can also find the first flag in Diego's home directory.
We check the permissions of the home directories and see that think's home directory belongs to the group internal, which has read permission on it. As diego we are ourselves a member of the internal group and therefore have read access. This allows us to read think's SSH key.
We copy the key to our machine, restrict its permissions (chmod 600, otherwise ssh refuses to use it) and log in to the machine as think via SSH using the key.
When browsing through the home directories, we see a zip file in gege's home, which probably contains an old WordPress instance. Maybe we can find more material there to move laterally. But only gege can read it.
We can simply switch to the user gege using su, without knowing gege's password. This was more of an accidental find. The reason why this works lies in the configuration of /etc/pam.d/su. This is well explained by Jaxafed; don't miss out on Jaxa's writeups :). We switch users to gege from think, and continue.
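A passwordless su like this always comes from a rule in the su PAM stack, so it is worth being able to spot one quickly. The following is an added example, not code from the original post or from Jaxafed's writeup: it parses a PAM service file and reports the auth rules that let su succeed without a password. The /etc/pam.d/su it runs on is a constructed sample modelled on the pattern that produces the behaviour described above (a pam_succeed_if.so gate on the target user followed by a sufficient pam_succeed_if.so rule on the calling user); it is not claimed to be the box's actual file.

```python
from __future__ import annotations

import re

# Constructed /etc/pam.d/su (NOT the box's real file): Debian-style comments
# plus one extra rule pair that makes `su gege` succeed without a password
# when the caller is `think`.
SAMPLE_PAM_SU = """\
# The PAM configuration file for the Shadow `su' service
auth       sufficient pam_rootok.so
# Uncomment this to force users to be a member of group root
# auth       required   pam_wheel.so
# auth       sufficient pam_wheel.so trust
auth       [success=ignore default=1] pam_succeed_if.so user = gege
auth       sufficient                  pam_succeed_if.so use_uid user = think
@include common-auth
@include common-account
@include common-session
"""

PAM_LINE = re.compile(
    r"^(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$"
)


def parse_pam(text: str) -> list[dict]:
    """Split a PAM service file into rules, dropping comments and @include lines."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        m = PAM_LINE.match(line)
        if m:
            rules.append({**m.groupdict(), "lineno": lineno})
    return rules


def audit_su(text: str) -> list[dict]:
    """Report auth rules that can satisfy su without asking for a password.

    A preceding `[success=ignore default=1]` rule is a gate: when its
    pam_succeed_if condition fails, PAM skips the next rule, so the next rule
    only applies to callers/targets matching the gate. Such gates are attached
    to the finding so the reader sees exactly who can su to whom."""
    findings: list[dict] = []
    gates: list[str] = []
    for r in parse_pam(text):
        if r["type"] != "auth":
            continue
        ctrl = r["control"]
        if ctrl.startswith("[") and "success=ignore" in ctrl and "default=1" in ctrl:
            gates.append(r["args"].strip())
            continue
        if ctrl == "sufficient":
            args = r["args"].split()
            reason = None
            if r["module"] == "pam_succeed_if.so":
                reason = "no password when condition holds"
            elif r["module"] == "pam_wheel.so" and "trust" in args:
                reason = "no password for members of the wheel/root group"
            elif r["module"] == "pam_permit.so":
                reason = "unconditionally authenticated"
            # pam_rootok.so (root may su anywhere) is the documented default and not flagged
            if reason:
                findings.append({
                    "lineno": r["lineno"],
                    "module": r["module"],
                    "condition": r["args"].strip(),
                    "gates": list(gates),
                    "reason": reason,
                })
        gates = []  # a gate only affects the rule immediately after it
    return findings


if __name__ == "__main__":
    for f in audit_su(SAMPLE_PAM_SU):
        print(f"line {f['lineno']}: {f['module']} {f['condition']!r} "
              f"({f['reason']}); applies only when {f['gates'] or ['always']}")
```

On a real host run it against /etc/pam.d/su (and su-l, where present); the interesting output is any finding whose gates name a specific user, because that is a deliberate backdoor rather than a distribution default.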
Now we are able to retrieve the wordpress.old.zip file. It is password protected. We use zip2john to generate a hash and crack it using john with rockyou.txt.
In the old wp-config file we find other DB credentials, for the user xavi. We also found this user on the machine. We switch user with su using these credentials and are successful; this user also reused its password.
As xavi we are allowed to run anything as root using sudo. So we switch to root via sudo su and are able to locate the final flag at /root/root.txt.
Test your enumeration skills on this boot-to-root machine. - by josemlwdf