“The only true wisdom is in knowing you know nothing.” - Socrates

Plotted 1 – Medium

Summary

  • Ports Open: 22 (SSH), 80 (HTTP) and 2222 (SSH)
  • Add ‘plotted.thm’ to /etc/hosts
  • Web Application – WordPress
  • Access to WordPress by brute-forcing the plot_actor account
  • Reverse shell by modifying a theme file in WordPress
  • Escalate privileges using the SUID binary find
  • SSH key for plot_admin (port 2222), Base64-encoded inside the /var/backups/.thisisyourpresent file
  • .notes.zip file located inside /opt (Container 2)
  • Crack the .notes.zip password hash using john
  • Password for plot_admin inside the extracted file
  • sudo -l shows that plot_admin can run any command with sudo
  • Escalate privileges by using sudo su
  • fdisk -l to find the host drive
  • Mount /dev/xvda2 to /mnt
  • Read /mnt/root/root.txt file to access the root flag.
  • All done 😀

Enumeration

  • Nmap and Rustscan show that there are three open ports:
    • 22 : SSH
    • 80 : HTTP
    • 2222 : SSH
  • Browsing to the machine's IP address redirects us to “http://plotted.thm”
  • Once we add “plotted.thm” to /etc/hosts, we can access the WordPress application at http://plotted.thm
  • As the running application is WordPress, we run wpscan.
  • Additionally, we run GoBuster to enumerate directories.
  • wpscan found:
    • Theme In-Use: Twenty Twenty One
    • WordPress Version: 5.8.1
    • Users: plot_admin, plot_actor
  • GoBuster doesn’t find anything interesting with the common wordlists.
  • As we have multiple usernames for WordPress, we attempt to bruteforce their accounts.
  • wpscan --url http://plotted.thm --usernames plot_actor --passwords /usr/share/wordlists/rockyou.txt
  • We successfully crack the password for the plot_actor user: kingkong
  • Cracking takes around 3 minutes using rockyou.txt
  • After logging in to the application, we find that the user is an admin.
  • We also try SSH on ports 22 and 2222 for password re-use, but no luck.
  • As we are an administrator, we can try to get a reverse shell on the underlying host by modifying one of the theme files.
  • In this scenario, we modify the 404.php file of the Twenty Twenty theme to contain our reverse shell payload.
  • We can execute the payload by browsing to http://plotted.thm/wp-content/themes/twentytwenty/404.php
  • Once the payload executes, we get a shell as www-data.
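The two things this section relies on, a login brute-force against wp-login.php and a theme file that is edited in the admin UI and then requested directly, both leave obvious traces in the web server's access log. The following is an added example (not part of the original writeup) of detection logic over a few constructed combined-format log lines: it flags any source that POSTs to /wp-login.php more than a threshold number of times inside a sliding window, and any direct request to a PHP file under /wp-content/themes/. The POST-to-theme-editor.php heuristic is an assumption about how the save request appears on the wire; the exact endpoint depends on the WordPress version. The IPs, timestamps and user agents are invented.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of web-server access-log lines in "combined" format.
# These are invented for this example; they are not from the writeup's target.
SAMPLE_LOG = """\
10.10.14.7 - - [05/Nov/2021:10:01:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.10.14.9 - - [05/Nov/2021:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.10.14.7 - - [05/Nov/2021:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4102 "-" "WPScan v3.8.22"
10.10.14.7 - - [05/Nov/2021:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4102 "-" "WPScan v3.8.22"
10.10.14.7 - - [05/Nov/2021:10:01:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4102 "-" "WPScan v3.8.22"
10.10.14.7 - - [05/Nov/2021:10:01:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4102 "-" "WPScan v3.8.22"
10.10.14.7 - - [05/Nov/2021:10:01:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4102 "-" "WPScan v3.8.22"
10.10.14.7 - - [05/Nov/2021:10:01:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "WPScan v3.8.22"
10.10.14.7 - - [05/Nov/2021:10:04:10 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "http://plotted.thm/wp-admin/theme-editor.php" "Mozilla/5.0"
10.10.14.7 - - [05/Nov/2021:10:04:30 +0000] "GET /wp-content/themes/twentytwenty/404.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Any PHP file requested directly under a theme directory. Normal WordPress
# traffic is routed through index.php; a direct hit on e.g. 404.php is how
# the writeup's planted payload was triggered.
THEME_PHP_RE = re.compile(r"^/wp-content/themes/[^/]+/.*\.php$")


def parse_log(text):
    """Parse combined-format lines into dicts; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["path"] = e["path"].split("?", 1)[0]  # drop any query string
        entries.append(e)
    return entries


def login_bruteforce_sources(entries, threshold=5, window_seconds=60):
    """Return {ip: peak_count} for sources that POST to /wp-login.php at least
    `threshold` times inside any sliding window of `window_seconds`."""
    times_by_ip = defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and e["path"] == "/wp-login.php":
            times_by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in times_by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def theme_tamper_indicators(entries):
    """Return (ip, timestamp, reason) tuples for requests consistent with editing
    a theme file through the admin UI and then executing it directly."""
    hits = []
    for e in entries:
        if e["method"] == "POST" and e["path"] == "/wp-admin/theme-editor.php":
            hits.append((e["ip"], e["ts"].isoformat(), "POST to theme editor"))
        elif THEME_PHP_RE.match(e["path"]):
            hits.append((e["ip"], e["ts"].isoformat(), "direct request to theme PHP file"))
    return hits


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("brute-force sources:", login_bruteforce_sources(parsed))
    for hit in theme_tamper_indicators(parsed):
        print("theme tamper:", hit)
```

On the sample input the brute-force check reports 10.10.14.7 (six login POSTs in a few seconds) and ignores the single login from 10.10.14.9, and the tamper check reports the theme-editor save followed by the direct request to 404.php. The corresponding hardening is to disable the in-browser file editor with `define('DISALLOW_FILE_EDIT', true);` in wp-config.php, so that an admin account taken over by a weak password cannot turn into code execution.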

Exploitation

  • By looking at the hostname and the contents of the “/” directory, we know that we are inside a Docker container.
  • Looking inside the /var/www/html/ directory, we find a file called ThisFileSeemsInteresting.txt. This file contains the first flag.
  • Looking at the home directory, we find a directory for plot_admin.
  • Inside /home/plot_admin, there is a file called note.txt; however, it is owned by root and readable only by root. Therefore, we need to escalate our privileges.

Privilege Escalation - Container 1

  • Trying sudo -l gets nothing, as there are no ‘NOPASSWD’ entries for the www-data user.
  • When looking for SUID binaries, we find that /usr/bin/find has SUID set. Therefore, we leverage that to escalate our privileges.
  • Now, we can read the note.txt file inside /home/plot_admin.
  • Here, we find our second flag and a reference to /var/backups.
  • The /var/backups directory contains a file called .thisisyourpresent
  • Looking at the contents of this file, we can see plot_admin and some encoded text.
  • We use CyberChef to decode the text and find that it is a Base64-encoded SSH private key.
  • We try using this key to authenticate as the user plot_admin over SSH on port 22, with no luck. However, we can log in over port 2222, which brings us to another Docker container.
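The privilege escalation in this container works only because /usr/bin/find carries a SUID bit it should never have had, which a routine audit of the image would have caught. Below is an added example (not from the writeup) of such an audit in Python: it walks a filesystem root, collects every regular file with the SUID or SGID bit set, and reports the ones missing from an allowlist. The allowlist is a constructed, illustrative set of binaries one expects in a minimal Debian-style image; the real baseline should be generated from the image you actually build.

```python
import os
import stat

# Constructed allowlist of set-id binaries expected in a minimal Debian-based
# image. Illustrative only; derive the real baseline from your own image.
BASELINE_SUID = {
    "/usr/bin/passwd",
    "/usr/bin/chsh",
    "/usr/bin/chfn",
    "/usr/bin/gpasswd",
    "/usr/bin/newgrp",
    "/usr/bin/su",
    "/usr/bin/sudo",
    "/usr/bin/mount",
    "/usr/bin/umount",
}

# Pseudo-filesystems that hold no real binaries and are slow or noisy to walk.
SKIP_DIRS = {"proc", "sys", "dev", "run"}


def find_setid_files(root="/"):
    """Walk `root` and return the set of regular files with the SUID or SGID bit
    set. Symlinks are not followed and unreadable paths are skipped."""
    found = set()
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        if os.path.abspath(dirpath) == os.path.abspath(root):
            dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.add(path)
    return found


def unexpected_setid(found, baseline=BASELINE_SUID, root="/"):
    """Return the sorted paths (relative to the image root) that carry a set-id
    bit but are not in the baseline."""
    rel = set()
    for p in found:
        # Normalise so that an image extracted under a temporary root compares
        # cleanly against baseline paths written as absolute paths.
        rel.add("/" + os.path.relpath(p, root))
    return sorted(rel - baseline)


if __name__ == "__main__":
    files = find_setid_files("/")
    for p in unexpected_setid(files):
        print("unexpected set-id binary:", p)
```

Run it inside the container (or against an extracted image layer by passing that directory as `root`) as part of the build pipeline; any path it prints is either a packaging mistake to fix with `chmod u-s` or a deliberate choice that belongs in the baseline with a written justification.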

Gaining Access - Container 2

  • In the home directory of the plot_admin user, we find a flag3.txt file, but again it is owned by root and accessible only to the owner.
  • We run sudo -l to see if the current user can run any sudo commands without a password; no luck.
  • Looking through the file system for helpful information, we find a .notes.zip file inside the /opt directory. However, it is encrypted.
  • We use zip2john to extract a crackable hash from the zip file: zip2john .notes.zip > notes_hash
  • We can then crack the hash using john:
  • john --wordlist=/usr/share/wordlists/rockyou.txt notes_hash
  • We can use the password obtained to extract the contents of the zip file.
  • Inside the extracted file, we have a string which looks like a secret/password.

Privilege Escalation - Container 2

  • We try the string found inside notes.txt as plot_admin's password, and it works.
  • We run sudo -l again and find that plot_admin can run any command with sudo.
  • We use sudo su to spawn a root shell.
  • Now, we can read the contents of the flag3.txt file.

Docker Escape

  • Since we are still inside a container, we try to escape.
  • By running fdisk -l, we find that we can see the host disk, /dev/xvda2
  • As we are root, we try to mount /dev/xvda2 to /mnt inside the container.
  • Finally, we find that the mount was successful and we can access all the files on the host system.
  • We can read the /mnt/root/root.txt file to get the root flag.
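The escape above is possible only because the container both sees the host's block device and holds CAP_SYS_ADMIN, which mount(2) requires; a container started with Docker's default capability set and no device pass-through cannot do this even as root. The following added example (not from the writeup) is a check a defender can run inside a container or in CI: it decodes the CapEff bitmask from /proc/self/status into capability names, lists host-style block-device nodes visible in /dev, and reports whether the two together make a host-disk mount feasible. The two status excerpts are constructed; the first CapEff value is Docker's default set for root, the second is a full set as seen with --privileged on a kernel with 38 capabilities (newer kernels show more bits). The device-name pattern is an assumption covering common Xen, virtio, SCSI and NVMe naming.

```python
import os
import re

# Linux capability bit numbers in order, per include/uapi/linux/capability.h.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# mount(2) needs CAP_SYS_ADMIN; CAP_SYS_RAWIO permits raw block-device access.
HOST_DISK_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_RAWIO"}

# Assumed naming of host block devices (Xen xvd*, virtio vd*, SCSI sd*, NVMe).
HOST_DISK_RE = re.compile(r"^(xvd[a-z]|vd[a-z]|sd[a-z]|nvme\d+n\d+)(\d+)?$")

# Constructed /proc/self/status excerpts: Docker's default root capability set,
# and a full set as granted by --privileged on a 38-capability kernel.
DEFAULT_STATUS = (
    "Name:\tbash\nCapInh:\t0000000000000000\n"
    "CapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n"
)
PRIVILEGED_STATUS = (
    "Name:\tbash\nCapInh:\t0000000000000000\n"
    "CapPrm:\t0000003fffffffff\nCapEff:\t0000003fffffffff\n"
)


def parse_cap_eff(status_text):
    """Extract the effective capability bitmask from /proc/<pid>/status text."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line found")
    return int(m.group(1), 16)


def cap_names(mask):
    """Translate a capability bitmask into the list of capability names it sets."""
    return [name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]


def host_disks(dev_entries):
    """Filter a /dev listing down to names that look like host block devices."""
    return sorted(d for d in dev_entries if HOST_DISK_RE.match(d))


def assess(status_text, dev_entries):
    """Combine the capability and device checks into one verdict."""
    caps = set(cap_names(parse_cap_eff(status_text)))
    disks = host_disks(dev_entries)
    return {
        "risky_caps": sorted(caps & HOST_DISK_CAPS),
        "host_disks": disks,
        "can_mount_host_disk": "CAP_SYS_ADMIN" in caps and bool(disks),
    }


if __name__ == "__main__":
    with open("/proc/self/status") as f:
        print(assess(f.read(), os.listdir("/dev")))
```

With the default status and a /dev containing only null, zero and pts the verdict is negative; with the privileged status and xvda2 present it reports both risky capabilities and a feasible host mount. The fix on the deployment side is to run containers without --privileged, without passing host block devices through, and with `--cap-drop=ALL` plus only the capabilities the workload actually needs.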


Hope you enjoyed reading this writeup. 😀
Happy Hunting!

Posted by: infinity
