Phoenix — HackTheBox — Web App Penetration Testing — Writeup

Hello guys, I am back with another writeup. So let's get started instead of wasting our time.

So we have three open ports: 22, 80 and 443. Let's access the website.

There's nothing special, lol. Let's view the page source.

So I found the WordPress version. It is version 5.9. Let's run wpscan.

I found that asgaros-forum is outdated and maybe we can take advantage of it. Let's do more research on that forum.

It shows something critical. I found out that the current install of asgaros-forum is vulnerable to SQLi: https://wpscan.com/vulnerability/35272197-c973-48ad-8405-538bfbafa172 It is a time-based SQL injection, btw. You can confirm it with Burp Suite.

So I uploaded a shell. Here's the exploit for RCE: https://www.exploit-db.com/raw/50287 You will run into an SSL certificate issue, so we need to change the request to ignore SSL verification. Maybe we can retry using a PHP reverse shell. Make sure it is saved with a .phtml extension. In this case I named it lol.phtml. You can copy me if you want.

So once we upload the shell, all you need to do is browse to /wp/admin/lol.phtml. Make sure to start a netcat listener before that so we can catch the connection.
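The reason a .phtml name works here is that the upload check only looks for ".php" while the web server hands several other extensions to the PHP interpreter. The following is an added example, not code from the writeup or from WordPress, that puts a denylist check next to an allowlist check; the allowed extensions and the handler-mapped extensions are assumptions about a typical Apache/PHP setup.

```python
"""Upload filename validation: denylist versus allowlist (added example)."""
from pathlib import PurePosixPath
import re

# Constructed allowlist for an image-upload feature (assumption).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Constructed denylist: the incomplete approach that lets .phtml through.
NAIVE_DENYLIST = {"php"}

# Stem must be plain ASCII: no spaces, dots, separators or control bytes.
_SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def naive_is_allowed(filename: str) -> bool:
    """Denylist check that only looks at the final extension."""
    ext = PurePosixPath(filename).suffix.lstrip(".").lower()
    return ext not in NAIVE_DENYLIST


def strict_is_allowed(filename: str) -> bool:
    """Allowlist check: exactly one extension, which must be allowed, and a
    plain stem, so 'lol.phtml', 'shell.php.jpg' and 'a\\x00.png' are rejected."""
    if "\x00" in filename or "/" in filename or "\\" in filename:
        return False
    path = PurePosixPath(filename)
    suffixes = [s.lstrip(".").lower() for s in path.suffixes]
    if len(suffixes) != 1:  # rejects double extensions and names with none
        return False
    if suffixes[0] not in ALLOWED_EXTENSIONS:
        return False
    return bool(_SAFE_STEM.match(path.stem))


def classify(filenames):
    """Return {name: (denylist_result, allowlist_result)} for a batch of names."""
    return {n: (naive_is_allowed(n), strict_is_allowed(n)) for n in filenames}


if __name__ == "__main__":
    # Constructed sample names, including the .phtml name used in the writeup.
    for name, (naive, strict) in classify(
        ["photo.png", "lol.phtml", "shell.php", "shell.php.jpg", "img.PNG"]
    ).items():
        print(f"{name:16} denylist={naive!s:5} allowlist={strict}")
```

The denylist passes lol.phtml and shell.php.jpg; the allowlist rejects both and still accepts ordinary image names regardless of case.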

As you can see, we got RCE.

If you didn't notice, we are shelled as the wp user. So I spawned a pty shell and did an export TERM=xterm so we can type clear.

Let's try to get the OTP key. Okay, so I found there is 2FA on the /wp-admin login page; maybe we can bypass it somehow or just get the OTP key. I found the encrypt and decrypt functions in the source of that miniorange plugin at handler/twofa/two_fa_utility.php
But first let's check wp-config.php, maybe there's a username and password for MySQL.


Okay, so I found the MySQL username and password. Let's log in to MySQL.

So I accessed the MySQL database. In this case we need the wordpress db.

So we switched to the wordpress database.

As you can see, we listed the tables. In this case we need wp_usermeta and wp_users, but let's check wp_users first.

Okay, we found users and their password hashes. But we need to crack them. You can crack them with john. It's easy.

Nothing interesting is stored in the /etc/security/access.conf file.

So I found an IP address in /etc/security/access-local.conf, hm, interesting. Maybe this IP address is for ssh?
Let's view the /etc/passwd file.

Yep, I found the user editor; this must be the user for ssh. Let's try to log in to ssh with that user.
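The access.conf and access-local.conf files belong to pam_access, which is what ties a user to the source address an ssh login is permitted from. To make the rule format concrete, here is an added example, not code from the writeup, that evaluates a small set of rules the way pam_access does: "permission : users : origins", first matching rule wins, and a login matching no rule is permitted. Groups, LOCAL and hostnames are left out; the sample configuration and the 10.10.14.0/24 network are constructed.

```python
"""Simplified pam_access rule evaluator (added example)."""
import ipaddress

# Constructed sample in the style of /etc/security/access-local.conf.
SAMPLE_CONF = """\
# allow root only from the console, editor only from one network, deny the rest
+ : root : 127.0.0.1
+ : editor : 10.10.14.0/24
- : ALL : ALL
"""


def _split_except(field):
    """Split 'a b EXCEPT c' into (['a', 'b'], ['c'])."""
    tokens = field.split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return tokens[:i], tokens[i + 1:]
    return tokens, []


def parse_rules(text):
    """Return [(permission, users_field, origins_field)] for each rule line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission in rule: {line!r}")
        rules.append((perm, users, origins))
    return rules


def user_matches(user, field):
    include, exclude = _split_except(field)
    if user in exclude:
        return False
    return "ALL" in include or user in include


def _origin_token_matches(addr, token):
    if token == "ALL":
        return True
    try:
        net = ipaddress.ip_network(token, strict=False)  # IP or CIDR
    except ValueError:
        return False  # hostnames are not handled in this simplified version
    return addr in net


def origin_matches(origin, field):
    addr = ipaddress.ip_address(origin)
    include, exclude = _split_except(field)
    if any(_origin_token_matches(addr, t) for t in exclude):
        return False
    return any(_origin_token_matches(addr, t) for t in include)


def is_permitted(rules, user, origin):
    """First rule whose users and origins both match decides; no match permits."""
    for perm, users, origins in rules:
        if user_matches(user, users) and origin_matches(origin, origins):
            return perm == "+"
    return True


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_CONF)
    for user, origin in [("editor", "10.10.14.7"), ("editor", "192.168.1.5"),
                         ("root", "127.0.0.1"), ("www-data", "10.10.14.7")]:
        print(f"{user:9} from {origin:13} -> {is_permitted(rules, user, origin)}")
```

The closing "- : ALL : ALL" line is what turns the file into an allowlist; without it, every user and origin not named in an earlier rule would be permitted by default.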

Yep, it's working and the password is superphoenix. You will find that password after you crack those hashed passwords I mentioned before. As you can see, I pwned this box once already. But let's do it again, lol.

So I monitored the processes running on the victim's machine with the ps aux command. There is also a file called cron.sh.x. Just don't try to type ./cron.sh.x, you will get stuck, lmao (maybe you won't, but maybe you will). However, when I executed the file I found that rsync --server -te.LsfxC --ignore-existing . /backup is something we can abuse.

Why not add a new file in /backups? I tried it and made a copy of /bin/bash, then tried to get root by typing /bin/bash -p. But it didn't work, so we can't turn it into a SUID file. But what about encoding our OpenVPN IP address and a port, whatever we want?

So I made a file in /backups that will escalate us to root. After you create it, set up a netcat listener again, then run ./rootjkqsta.sh example and you will get root.
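The root path here is the classic one: a job that runs as root consumes a program or directory that an unprivileged user can write to. The following is an added example, not code from the writeup, of the check an administrator would run to catch that pattern: it parses /etc/crontab-style lines, takes the program each job executes, and flags it when the file is world-writable or its directory is world-writable without the sticky bit. The crontab lines, the /srv/scripts path and the fake filesystem table are constructed; stat is injectable so the check runs offline against that table.

```python
"""Flag cron jobs whose program lives in an others-writable location (added example)."""
import os
import shlex
import stat

CRON_FIELDS = 6  # five time fields plus the user column in /etc/crontab

# Constructed sample crontab; the path is hypothetical.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# constructed sample, not the box's real crontab
*/5 * * * * root /srv/scripts/cron.sh.x
0 3 * * * root /usr/bin/rsync -a /var/www /backup
"""

# Constructed fake filesystem: path -> st_mode (type bits plus permissions).
SAMPLE_FS = {
    "/": 0o040755, "/srv": 0o040755,
    "/srv/scripts": 0o040777,           # world-writable directory, no sticky bit
    "/srv/scripts/cron.sh.x": 0o100755,  # file itself looks fine
    "/usr": 0o040755, "/usr/bin": 0o040755, "/usr/bin/rsync": 0o100755,
}


class _Stat:
    def __init__(self, mode):
        self.st_mode = mode


def make_fake_stat(table):
    """Return a stat-like function backed by a {path: mode} table."""
    def fake_stat(path):
        if path not in table:
            raise FileNotFoundError(path)
        return _Stat(table[path])
    return fake_stat


def parse_system_crontab(text):
    """Yield (user, command) for job lines; skip blanks, comments, VAR=value."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        if line.startswith("@"):  # @reboot user command
            parts = line.split(None, 2)
            if len(parts) == 3:
                yield parts[1], parts[2]
            continue
        parts = line.split(None, CRON_FIELDS)
        if len(parts) == CRON_FIELDS + 1:
            yield parts[5], parts[6]


def command_path(command):
    """First token of the command, i.e. the program cron will execute."""
    try:
        tokens = shlex.split(command)
    except ValueError:
        return None
    return tokens[0] if tokens else None


def writable_by_others(path, stat_fn=os.stat):
    """True if the file is world-writable, or its directory is world-writable
    without the sticky bit (so anyone could replace the file outright)."""
    try:
        st = stat_fn(path)
    except OSError:
        return False
    if st.st_mode & stat.S_IWOTH:
        return True
    parent = os.path.dirname(path) or "/"
    try:
        pst = stat_fn(parent)
    except OSError:
        return False
    return bool(pst.st_mode & stat.S_IWOTH) and not (pst.st_mode & stat.S_ISVTX)


def risky_jobs(crontab_text, stat_fn=os.stat):
    """Return [(user, program)] for jobs whose program path is others-writable."""
    found = []
    for user, cmd in parse_system_crontab(crontab_text):
        prog = command_path(cmd)
        if prog and os.path.isabs(prog) and writable_by_others(prog, stat_fn):
            found.append((user, prog))
    return found


if __name__ == "__main__":
    for user, prog in risky_jobs(SAMPLE_CRONTAB, make_fake_stat(SAMPLE_FS)):
        print(f"{user} runs {prog} from an others-writable location")
```

Pass the real os.stat (the default) and the contents of /etc/crontab and /etc/cron.d/* to run it on a live host; relative program names resolved through PATH are deliberately skipped rather than guessed.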

So yeah, this hard box was pretty fun. Hope you learned something, take care and see you in the next one.