HTB Writeup: Paper

You miss 100% of the shots you don’t take ~ Wayne Gretzky ~~ Michael Scott

Enumeration

nmap Scan

# Nmap 7.92 scan initiated Mon Apr 11 15:07:52 2022 as: nmap -sC -sV -T3 -oN nmap.all-port.txt -vv -p- 10.10.11.143
Nmap scan report for 10.10.11.143 (10.10.11.143)
Host is up, received echo-reply ttl 63 (0.084s latency).
Scanned at 2022-04-11 15:07:58 IST for 54s
Not shown: 65532 closed tcp ports (reset)
PORT    STATE SERVICE  REASON         VERSION
22/tcp  open  ssh      syn-ack ttl 63 OpenSSH 8.0 (protocol 2.0)
80/tcp  open  http     syn-ack ttl 63 Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-title: HTTP Server Test Page powered by CentOS
| http-methods:
|   Supported Methods: GET POST OPTIONS HEAD TRACE
|_  Potentially risky methods: TRACE
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
443/tcp open  ssl/http syn-ack ttl 63 Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
| http-methods:
|   Supported Methods: GET POST OPTIONS HEAD TRACE
|_  Potentially risky methods: TRACE
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_http-title: HTTP Server Test Page powered by CentOS
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US/emailAddress=root@localhost.localdomain
| Subject Alternative Name: DNS:localhost.localdomain
| Issuer: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US/emailAddress=root@localhost.localdomain/organizationalUnitName=ca-3899279223185377061
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-07-03T08:52:34
| Not valid after:  2022-07-08T10:32:34
| MD5:   579a 92bd 803c ac47 d49c 5add e44e 4f84
| SHA-1: 61a2 301f 9e5c 2603 a643 00b5 e5da 5fd5 c175 f3a9
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
| tls-alpn:
|_  http/1.1
|_ssl-date: TLS randomness does not represent time

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Apr 11 15:08:52 2022 -- 1 IP address (1 host up) scanned in 59.75 seconds

  1. Two web servers, listening on TCP/80 and TCP/443.

  2. An unusual response header is returned when making curl requests:

    curl -I http://`cat ip.txt`/
       
    # HTTP/1.1 403 Forbidden
    # Date: Tue, 26 Jul 2022 08:51:43 GMT
    # Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
    # X-Backend-Server: office.paper
    # Last-Modified: Sun, 27 Jun 2021 23:47:13 GMT
    # ETag: "30c0b-5c5c7fdeec240"
    # Accept-Ranges: bytes
    # Content-Length: 199691
    # Content-Type: text/html; charset=UTF-8
    
  3. The header X-Backend-Server points to a VHOST, office.paper.

  4. Another curl request with the header Host: office.paper returns an HTTP 200 whose content hints at a WordPress installation.


  5. One of the posts says that there may be secret content in the drafts of the user prisonmike.

wp-scan

  1. wpscan shows that the website is affected by a number of known vulnerabilities, including:

     | [!] Title: WordPress <= 5.2.3 - Unauthenticated View Private/Draft Posts
     |     Fixed in: 5.2.4
     |     References:
     |      - https://wpscan.com/vulnerability/3413b879-785f-4c9f-aa8a-5a4a1d5e0ba2
     |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17671
     |      - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
     |      - https://blog.wpscan.com/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
     |      - https://github.com/WordPress/WordPress/commit/f82ed753cf00329a5e41f2cb6dc521085136f308
     |      - https://0day.work/proof-of-concept-for-wordpress-5-2-3-viewing-unauthenticated-posts/
     |
    
  2. Unauthenticated users can view Private and/or Draft posts by visiting http://office.paper/?static=1 (PoC for CVE-2019-17671).

  3. A secret registration URL is obtained, which points to another VHOST, chat.office.paper.

  4. The URL is a link to a Rocket.Chat registration page.

Initial Foothold

  1. After registering, the message history of the channel #general is visible.

  2. A bot application named recyclops is present in the workspace.

  3. The recyclops file and recyclops list commands are found to be vulnerable to LFI after some basic testing.

User Access

  1. A user dwight exists on the remote target, as seen in the contents of /etc/passwd.

  2. A bash script bot_restart.sh is readable in dwight's home folder.

    #!/bin/bash

    # Cleaning hubot's log so that it won't grow too large.
    echo "" > /home/dwight/hubot/.hubot.log

    # For starting the bot 20-ish (10+20) seconds late, when the server is restarted.
    # This is because MongoDB and Rocket-Chat server needs some time to startup properly
    sleep 10s

    # Checks if Hubot is running every 10s
    while true; do
        sleep 20s
        # The bot listens on port 8000 (PORT in .env); no listener means it is down.
        alive=$(/usr/sbin/ss -tulnp | grep 8000)
        if [[ -n $alive ]]; then
            err=$(grep -i 'unhandled-rejections=strict' /home/dwight/hubot/.hubot.log)
            if [[ -n $err ]]; then
                # Restarts bot
                echo "[-] Bot not running! $(date)"
                # Killing the old process (PID is the second column of ps aux)
                pid=$(ps aux | grep -i 'hubot -a rocketchat' | grep -v grep | awk '{print $2}')
                kill -9 $pid
                cd /home/dwight/hubot
                # Cleaning hubot's log so that it won't grow too large.
                echo "" > /home/dwight/hubot/.hubot.log
                bash /home/dwight/hubot/start_bot.sh &
            else
                echo "[+] Bot running successfully! $(date)"
            fi
        else
            # Restarts bot
            echo "[-] Bot not running! $(date)"
            # Killing the old process
            pid=$(ps aux | grep -i 'hubot -a rocketchat' | grep -v grep | awk '{print $2}')
            kill -9 $pid
            cd /home/dwight/hubot
            bash /home/dwight/hubot/start_bot.sh &
        fi
    done
    
  3. The contents of the folder /home/dwight/hubot:

    drwx------ 8 dwight dwight 4096 Sep 16 2021 .
    drwx------ 11 dwight dwight 281 Feb 6 07:55 ..
    -rw-r--r-- 1 dwight dwight 0 Jul 3 2021 \
    srwxr-xr-x 1 dwight dwight 0 Jul 3 2021 127.0.0.1:8000
    srwxrwxr-x 1 dwight dwight 0 Jul 3 2021 127.0.0.1:8080
    drwx--x--x 2 dwight dwight 36 Sep 16 2021 bin
    -rw-r--r-- 1 dwight dwight 258 Sep 16 2021 .env
    -rwxr-xr-x 1 dwight dwight 2 Jul 3 2021 external-scripts.json
    drwx------ 8 dwight dwight 163 Jul 3 2021 .git
    -rw-r--r-- 1 dwight dwight 917 Jul 3 2021 .gitignore
    -rw-r--r-- 1 dwight dwight 17911 Jul 26 05:29 .hubot.log
    -rwxr-xr-x 1 dwight dwight 1068 Jul 3 2021 LICENSE
    drwxr-xr-x 89 dwight dwight 4096 Jul 3 2021 node_modules
    drwx--x--x 115 dwight dwight 4096 Jul 3 2021 node_modules_bak
    -rwxr-xr-x 1 dwight dwight 1062 Sep 16 2021 package.json
    -rwxr-xr-x 1 dwight dwight 972 Sep 16 2021 package.json.bak
    -rwxr-xr-x 1 dwight dwight 30382 Jul 3 2021 package-lock.json
    -rwxr-xr-x 1 dwight dwight 14 Jul 3 2021 Procfile
    -rwxr-xr-x 1 dwight dwight 5044 Jul 3 2021 README.md
    drwx--x--x 2 dwight dwight 193 Jan 13 2022 scripts
    -rwxr-xr-x 1 dwight dwight 100 Jul 3 2021 start_bot.sh
    drwx------ 2 dwight dwight 25 Jul 3 2021 .vscode
    -rwxr-xr-x 1 dwight dwight 29951 Jul 3 2021 yarn.lock
    
  4. Contents of the file /home/dwight/hubot/.env:

    export ROCKETCHAT_URL='http://127.0.0.1:48320'
    export ROCKETCHAT_USER=recyclops
    export ROCKETCHAT_PASSWORD=Queenofblad3s!23
    export ROCKETCHAT_USESSL=false
    export RESPOND_TO_DM=true
    export RESPOND_TO_EDITED=true
    export PORT=8000
    export BIND_ADDRESS=127.0.0.1
    
  5. A plaintext password is exposed in the world-readable .env file: Queenofblad3s!23

  6. The same password is reused for the local account: with the credentials dwight:Queenofblad3s!23, a valid SSH session is obtained.

Privilege Escalation

Enumeration

  1. Basic enumeration with linpeas shows that the target machine is vulnerable to [CVE-2021-3560](https://access.redhat.com/security/cve/CVE-2021-3560).

  2. Using the PoC available here, privilege escalation can be achieved.

Exploitation

  1. The poc.sh script is downloaded and transferred to the target machine.

  2. The following command will add a superuser with credentials: mostwanted002:mostwanted002

    ./poc.sh -u=mostwanted002 -p=mostwanted002
    


  3. Switch to the new user with su:

    su - mostwanted002
    

The remote target is now completely compromised.

Mayank Malik
ISC2 CC | CRTP | Incident Response | Synack Red Team Member | Threat and Malware Analyst | Security Researcher

I am a tech-savvy person, Red Team Enthusiast, and like to wander around to learn new stuff. Malware Analysis, Cryptography, Networking, and System Administration are some of my forte. One of the Founding Members of CTF Team, Abs0lut3Pwn4g3. Apart from the mentioned skills, I’m good at communication skills and am a goal-driven person. Yellow belt holder at pwn.college in pursuit of learning and achieving Blue Belt.
