The following post by 0xb0b is licensed under CC BY 4.0
Recon
We start with an Nmap scan and find only two open ports: 22 and 80.
We have an SSH server running on port 22 and a web server on port 80.
When accessing the site, we are redirected to www.smol.thm. We have to add this to our /etc/hosts in order to reach the page.
The page looks a little unimpressive with static links. However, as we will find out later, it gives us all the information we need to obtain RCE. The page covers the topics of XSS, SSRF and RCE.
The directory scan with Feroxbuster shows that it is a WordPress site, for example through the /wp-content directories. We also discover the jsmol2wp plugin, which gives the room its name.
We continue with WPScan and use an API key to get a detailed report including the CVEs for the detected vulnerabilities. An API key can be obtained free of charge at https://wpscan.com/.
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.25
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]Y
[i] Updating the Database ...
[i] Update completed.
[+] URL: http://www.smol.thm/ [10.10.191.162]
[+] Started: Fri Jan 24 14:06:59 2025
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://www.smol.thm/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://www.smol.thm/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://www.smol.thm/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://www.smol.thm/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 6.4.3 identified (Insecure, released on 2024-01-30).
| Found By: Rss Generator (Passive Detection)
| - http://www.smol.thm/index.php/feed/, <generator>https://wordpress.org/?v=6.4.3</generator>
| - http://www.smol.thm/index.php/comments/feed/, <generator>https://wordpress.org/?v=6.4.3</generator>
|
| [!] 4 vulnerabilities identified:
|
| [!] Title: WP < 6.5.2 - Unauthenticated Stored XSS
| Fixed in: 6.4.4
| References:
| - https://wpscan.com/vulnerability/1a5c5df1-57ee-4190-a336-b0266962078f
| - https://wordpress.org/news/2024/04/wordpress-6-5-2-maintenance-and-security-release/
|
| [!] Title: WordPress < 6.5.5 - Contributor+ Stored XSS in HTML API
| Fixed in: 6.4.5
| References:
| - https://wpscan.com/vulnerability/2c63f136-4c1f-4093-9a8c-5e51f19eae28
| - https://wordpress.org/news/2024/06/wordpress-6-5-5/
|
| [!] Title: WordPress < 6.5.5 - Contributor+ Stored XSS in Template-Part Block
| Fixed in: 6.4.5
| References:
| - https://wpscan.com/vulnerability/7c448f6d-4531-4757-bff0-be9e3220bbbb
| - https://wordpress.org/news/2024/06/wordpress-6-5-5/
|
| [!] Title: WordPress < 6.5.5 - Contributor+ Path Traversal in Template-Part Block
| Fixed in: 6.4.5
| References:
| - https://wpscan.com/vulnerability/36232787-754a-4234-83d6-6ded5e80251c
| - https://wordpress.org/news/2024/06/wordpress-6-5-5/
[+] WordPress theme in use: twentytwentythree
| Location: http://www.smol.thm/wp-content/themes/twentytwentythree/
| Last Updated: 2024-11-13T00:00:00.000Z
| Readme: http://www.smol.thm/wp-content/themes/twentytwentythree/readme.txt
| [!] The version is out of date, the latest version is 1.6
| [!] Directory listing is enabled
| Style URL: http://www.smol.thm/wp-content/themes/twentytwentythree/style.css
| Style Name: Twenty Twenty-Three
| Style URI: https://wordpress.org/themes/twentytwentythree
| Description: Twenty Twenty-Three is designed to take advantage of the new design tools introduced in WordPress 6....
| Author: the WordPress team
| Author URI: https://wordpress.org
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 1.2 (80% confidence)
| Found By: Style (Passive Detection)
| - http://www.smol.thm/wp-content/themes/twentytwentythree/style.css, Match: 'Version: 1.2'
[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] jsmol2wp
| Location: http://www.smol.thm/wp-content/plugins/jsmol2wp/
| Latest Version: 1.07 (up to date)
| Last Updated: 2018-03-09T10:28:00.000Z
|
| Found By: Urls In Homepage (Passive Detection)
|
| [!] 2 vulnerabilities identified:
|
| [!] Title: JSmol2WP <= 1.07 - Unauthenticated Cross-Site Scripting (XSS)
| References:
| - https://wpscan.com/vulnerability/0bbf1542-6e00-4a68-97f6-48a7790d1c3e
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20462
| - https://www.cbiu.cc/2018/12/WordPress%E6%8F%92%E4%BB%B6jsmol2wp%E6%BC%8F%E6%B4%9E/#%E5%8F%8D%E5%B0%84%E6%80%A7XSS
|
| [!] Title: JSmol2WP <= 1.07 - Unauthenticated Server Side Request Forgery (SSRF)
| References:
| - https://wpscan.com/vulnerability/ad01dad9-12ff-404f-8718-9ebbd67bf611
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20463
| - https://www.cbiu.cc/2018/12/WordPress%E6%8F%92%E4%BB%B6jsmol2wp%E6%BC%8F%E6%B4%9E/#%E5%8F%8D%E5%B0%84%E6%80%A7XSS
|
| Version: 1.07 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://www.smol.thm/wp-content/plugins/jsmol2wp/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://www.smol.thm/wp-content/plugins/jsmol2wp/readme.txt
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:02 <==================================================================> (137 / 137) 100.00% Time: 00:00:02
[i] No Config Backups Found.
[+] WPScan DB API OK
| Plan: free
| Requests Done (during the scan): 3
| Requests Remaining: 22
[+] Finished: Fri Jan 24 14:07:07 2025
[+] Requests Done: 185
[+] Cached Requests: 5
[+] Data Sent: 45.521 KB
[+] Data Received: 13.542 MB
[+] Memory used: 271.145 MB
[+] Elapsed time: 00:00:07
WPScan reports two vulnerabilities in jsmol2wp: one that allows XSS and one that allows SSRF, which we can use to read files on the system. The pages referenced in the WPScan output also provide the payloads as PoC; we only have to adjust the host.
An eval() call in the PHP immediately catches the eye. Its argument is base64 encoded. Well, security by obscurity won't help here.
We decode it with CyberChef and see that a part of it is encoded again.
Out of laziness we let ChatGPT decode this part and see that it is 'cmd'.
Ok, so we might be able to set a cmd parameter when calling hello_dolly() and get code execution. We prepare a reverse shell using busybox and encode this payload in base64.
Through trial and error we get a hit via index.php?cmd, where we now pass our reverse shell (after setting up our listener first, of course). We get a connection back as the user www-data. A flag is not yet in sight.
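The two decoding steps above can be automated. The following Python scanner is an added example, not code from the original post: it looks for base64 literals fed to base64_decode(), unwraps them layer by layer and flags an eval() of decoded data. The hello_dolly() sample it runs on is constructed for the example and is not the room's file.

```python
import base64
import re

# Constructed sample, modelled on the backdoored hello_dolly() the writeup
# describes; this is NOT the room's actual plugin file. The inner layer only
# resolves the parameter name, so the sample stays harmless.
LAYER1 = "$k = base64_decode('Y21k'); if (isset($_GET[$k])) { /* handler elided */ }"
SAMPLE_PHP = (
    "<?php\n"
    "function hello_dolly() {\n"
    '    eval(base64_decode("' + base64.b64encode(LAYER1.encode()).decode() + '"));\n'
    "}\n"
)

# A base64 literal passed straight to base64_decode(): the obfuscation primitive.
B64_LITERAL = re.compile(r"""base64_decode\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)""")


def decode_layers(src, depth=0, max_depth=5):
    """Decode every base64 literal fed to base64_decode(), then recurse into the
    decoded text so nested layers are unwrapped too. Returns (depth, text) pairs."""
    findings = []
    if depth > max_depth:
        return findings
    for match in B64_LITERAL.finditer(src):
        try:
            decoded = base64.b64decode(match.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:
            continue  # not valid base64, e.g. a plain string that only looks like it
        findings.append((depth, decoded))
        findings.extend(decode_layers(decoded, depth + 1, max_depth))
    return findings


def scan(src):
    """Report whether the source evals decoded data and what the layers contain."""
    layers = decode_layers(src)
    return {
        "eval_of_base64": re.search(r"eval\s*\(\s*base64_decode\s*\(", src) is not None,
        "layers": layers,
        "reads_request_param": any("$_GET" in text or "$_POST" in text for _, text in layers),
    }


if __name__ == "__main__":
    for key, value in scan(SAMPLE_PHP).items():
        print(key, "->", value)
```

Run against a real plugin directory, a hit on eval_of_base64 together with reads_request_param is the pattern worth alerting on.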
Since we have the credentials of the database user, let's take a look at the database first.
Here we find hashes for different users, among others diego, gege and xavi.
We also find these users on the system.
We copy the hashes, select the matching hashcat mode and crack them using rockyou.txt.
We have a hit: we can crack the hash for diego.
This password has been reused on the system, so we can switch to the user diego using su. We also find the first flag in diego's home directory.
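For context on what hashcat is doing here, this added Python example (not from the original post) reimplements the phpass portable hash that WordPress of this version stores ($P$B..., hashcat mode 400) and runs a small wordlist check against a hash it generates itself; the password and candidate list are constructed for the example.

```python
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"  # also encodes the round count


def _encode64(raw):
    """phpass's own base64 variant (not RFC 4648): 3 bytes -> 4 chars, no padding."""
    out, i, n = [], 0, len(raw)
    while i < n:
        value = raw[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def _crypt_private(password, setting):
    """Hash password under a $P$ setting: '$P$' + count char + 8-char salt."""
    if not setting.startswith("$P$") or len(setting) < 12:
        raise ValueError("not a phpass portable hash")
    count_log2, salt = ITOA64.index(setting[3]), setting[4:12]
    if not 7 <= count_log2 <= 30:
        raise ValueError("iteration count out of range")
    pw = password.encode()
    digest = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(1 << count_log2):  # 2^count rounds of md5(previous || password)
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest)


def hash_password(password, count_log2=13):
    """Create a portable hash; count_log2=13 gives the '$P$B' prefix WordPress uses."""
    salt = _encode64(secrets.token_bytes(6))  # 6 random bytes -> 8 salt chars
    return _crypt_private(password, "$P$" + ITOA64[count_log2] + salt)


def check_password(password, stored):
    return stored.startswith("$P$") and _crypt_private(password, stored) == stored


def wordlist_attack(stored, candidates):  # first candidate that verifies, else None
    return next((c for c in candidates if check_password(c, stored)), None)
```

The 2^13 salted MD5 rounds are cheap on a GPU, which is why a reused password from rockyou.txt falls in seconds; the defence is unique passwords, not the hash.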
Shell as think
We check the permissions on think's home directory and see that the group internal has read permission on it. As diego we are a member of the internal group ourselves and therefore have read access.
This allows us to read think's SSH key.
We copy it to our machine, fix its permissions and log in to the machine as think via SSH using the key.
Shell as gege
When browsing through the home directories, we see a zip file in gege's home, which probably contains an old WordPress instance. Maybe we can find more material there to move laterally. But only gege can read it.
We can simply switch to the user gege using su. This was more of an accidental find. The reason why this works lies in the configuration of /etc/pam.d/su, which Jaxafed explains well. Don't miss out on Jaxa's writeups :).
We switch users to gege from think, and continue.
Shell as xavi
Now we are able to retrieve the wordpress.old.zip file.
It is password protected.
We use zip2john to generate a hash.
And crack it using john with rockyou.txt.
In the old wp-config file we find other DB credentials for the user xavi, who also exists on the machine.
We switch to that user with su using these credentials and succeed. This user has also reused its credentials.
Shell as root
As xavi we are allowed to run anything as root using sudo.
So we switch to root via sudo su and locate the final flag at /root/root.txt.